Local Administrator

Archived from groups: microsoft.public.win2000.security

We have an application that is giving me tons of issues when run under
a user in the local Users Group. I have asked the vendor for the
files/folders/registry entries permissions but they have not given them
to me. I could turn on auditing and find all the
files/folders/registry entries to give the local Users Group access to
but that may take a long time and I don't have that kind of time at the
moment.

Right now I'm using Group Policy to lock down the PC so that the only
thing a user can run is the specified application. No right clicking,
no tray icons, no Start Menu items except that application, and no
internet access because we block all access to the internet with
Websense.

With all this in mind, what is my security risk for the local computer
and for the network? Can you think of any way to cause damage?
  1.

    You might also want to look at the free tools called filemon and regmon from
    SysInternals that can help you track down where access is denied to a file
    or registry key. You could log on to the computer as a regular user and use
    runas to bring up filemon or regmon just before you try to run the
    application, and then when it fails close the log for filemon/regmon, look
    for access denied entries, make permission adjustments and try again. Even
    doing such, not all applications can be made to run for a regular user by
    modifying file, folder and registry permissions.

    The biggest risk with a user being local administrator is to the local
    computer mostly and to the network if the computer becomes infected with
    malware like a worm that wants to spread via your network. If a computer
    becomes infected while the logged on user is a local administrator then the
    malware will have administrator access to that computer and can write/modify
    anywhere on it. Good antivirus protection and not being able to use the
    internet will greatly reduce that risk.

    If a user is a local administrator they have the capability to do anything
    they want on the computer including undoing any current restrictions if they
    have the knowledge how to do such and the desire. Most users do not even
    understand the concept of an administrator account and probably will just
    live with things as they are but you always will have some curious users.
    The first thing such a user could do would be to try to access the command
    prompt where a local administrator could then own the computer. The command
    prompt could be accessed in a number of ways including from within
    applications. A local administrator could also unjoin a computer from the
    domain, log on as a local account that is a local administrator to bypass
    domain Group Policy user configuration settings, rename executables to be
    what is on the white list to bypass restrictions, and run scripts.

    I am not saying that will happen in your network but it should be considered
    as a possibility if you allow a user to be local administrator. --- Steve


    <kylei@mvlhawaii.com> wrote in message
    news:1118201975.903870.289130@g47g2000cwa.googlegroups.com...
    > We have an application that is giving me tons of issues when run under
    > a user in the local Users Group. I have asked the vendor for the
    > files/folders/registry entries permissions but they have not given them
    > to me. I could turn on auditing and find all the
    > files/folders/registry entries to give the local Users Group access to
    > but that may take a long time and I don't have that kind of time at the
    > moment.
    >
    > Right now I'm using Group Policy to lockdown the PC so that the only
    > thing a user can run is the specified application. No right clicking,
    > no tray icons, no Start Menu items except that application, and no
    > internet access because we block all access to the internet with
    > Websense.
    >
    > With all this in mind, what is my security risk for the local computer
    > and for the network? Can you think of any way to cause damage?
    >
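One way to turn the filemon/regmon procedure Steve describes into a repeatable triage, as an added example that is not part of the original thread: the script reads a saved filemon/regmon log (the tab-separated columns `#  Time  Process  Request  Path  Result  Other` are assumed from the tools' "Save As" export; the log lines here are constructed and the paths and process names are made up), keeps only the denied requests, and separates denials the application recovered from on its own (it re-opened the same path with less access) from the ones that still need a permission change. The `cacls` syntax is the Windows 2000 one, and `regedt32` was the permissions editor for registry keys on that platform.

```python
"""Triage a filemon/regmon log for ACCESS DENIED entries.

Added example, not code from the thread. It assumes the tab-separated
columns of a filemon/regmon "Save As" export:
    #   Time   Process   Request   Path   Result   Other
SAMPLE_LOG below is constructed; the paths and process names are made up.
"""
import ntpath
from collections import Counter

# Constructed sample: a filemon capture (lines 1-4) and a regmon capture
# (lines 5-8) taken while the application started as a member of Users.
SAMPLE_LOG = """\
1\t10:15:32 AM\tvendorapp.exe:1240\tOPEN\tC:\\Program Files\\VendorApp\\settings.ini\tACCESS DENIED\tOptions: Open  Access: All
2\t10:15:32 AM\tvendorapp.exe:1240\tOPEN\tC:\\Program Files\\VendorApp\\settings.ini\tSUCCESS\tOptions: Open  Access: Read
3\t10:15:33 AM\tvendorapp.exe:1240\tCREATE\tC:\\Program Files\\VendorApp\\logs\\app.log\tACCESS DENIED\tOptions: OverwriteIf  Access: All
4\t10:15:33 AM\texplorer.exe:812\tQUERY INFORMATION\tC:\\WINNT\\system32\\shell32.dll\tSUCCESS\tAttributes: A
5\t10:15:34 AM\tvendorapp.exe:1240\tOpenKey\tHKLM\\SOFTWARE\\VendorApp\\Config\tACCDENIED\tAccess: 0x2001F
6\t10:15:34 AM\tvendorapp.exe:1240\tOpenKey\tHKLM\\SOFTWARE\\VendorApp\\Config\tSUCCESS\tAccess: 0x20019
7\t10:15:34 AM\tvendorapp.exe:1240\tSetValue\tHKLM\\SOFTWARE\\VendorApp\\Config\\LastRun\tACCDENIED\t
8\t10:15:35 AM\tsvchost.exe:604\tQueryValue\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\tSUCCESS\t
"""

REGISTRY_ROOTS = ("HKLM", "HKCU", "HKCR", "HKU", "HKCC", "HKEY_")


def parse_log(text):
    """Return (process, request, path, result) tuples; skip header/short lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        _, _, process, request, path, result = fields[:6]
        # filemon/regmon tag the process as name:pid; keep only the name
        rows.append((process.rsplit(":", 1)[0], request, path, result.strip()))
    return rows


def is_denied(result):
    # filemon writes "ACCESS DENIED", regmon abbreviates to "ACCDENIED"
    return "DENIED" in result.upper()


def triage(text):
    """One record per path that was denied, noting whether another request
    on the same path succeeded (the app often retries with less access)."""
    denied, succeeded, procs, requests = Counter(), Counter(), {}, {}
    for process, request, path, result in parse_log(text):
        if is_denied(result):
            denied[path] += 1
            procs.setdefault(path, set()).add(process)
            requests.setdefault(path, set()).add(request)
        elif result.upper() == "SUCCESS":
            succeeded[path] += 1
    return [
        {
            "path": path,
            "kind": "registry" if path.upper().startswith(REGISTRY_ROOTS) else "file",
            "denied": denied[path],
            "also_succeeded": succeeded[path] > 0,
            "processes": sorted(procs[path]),
            "requests": sorted(requests[path]),
        }
        for path in sorted(denied)
    ]


def suggest(record):
    """Suggest the narrowest follow-up for a denied path."""
    if record["also_succeeded"]:
        return "probably harmless: another request on this path succeeded"
    if record["kind"] == "registry":
        return "grant Users the needed rights on this key with regedt32"
    target = record["path"]
    # A denied CREATE means the file may not exist yet: the ACL that matters
    # is the parent folder's.
    if "CREATE" in record["requests"]:
        target = ntpath.dirname(target)
    # cacls ships with Windows 2000; /E edits in place, C = Change access
    return 'cacls "%s" /E /G Users:C' % target


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print("%-8s %-50s -> %s" % (rec["kind"], rec["path"], suggest(rec)))
```

Granting Change to Users on one file or folder is narrower than opening up the whole program directory, so review each suggestion before applying it. If a path still shows nothing but denials after the ACL change, the application probably needs something a file or key ACL cannot give it (a privilege, a service, a device), which is the case Steve's closing sentence is about.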
  2.

    If you are using Win 2k take a look at this:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;269259


    hth
    DDS W 2k MVP MCSE

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:uVOnNw%23aFHA.2420@TK2MSFTNGP15.phx.gbl...
    > You might also want to look at the free tools called filemon and regmon
    > from SysInternals that can help you track down where access is denied to a
    > file or registry key. You could logon to the computer as a regular user
    > and use runas to bring up filemon or regmon just before you try to run the
    > application and then when it fails close the log for filemon/regmon, look
    > for access denied entries, make permissions adjustment and try again. Even
    > doing such not all applications can be made to run for a regular user by
    > modifying file folder and registry permissions.
    >
    > The biggest risk with a user being local administrator is to the local
    > computer mostly and to the network if the computer becomes infected with
    > malware like a worm that wants to spread via your network. If a computer
    > becomes infected while the logged on user is a local administrator then
    > the malware will have administrator access to that computer and can
    > write/modify anywhere on it. Good antivirus protection and not being able
    > to use the internet will greatly reduce that risk.
    >
    > If a user is a local administrator they have the capability to do anything
    > they want on the computer including undoing any current restrictions if
    > they have the knowledge how to do such and the desire. Most users do not
    > even understand the concept of an administrator account and probably will
    > just live with things as they are but you always will have some curious
    > users. The first thing such a user could do would be to try to access the
    > command prompt where a local administrator could then own the computer.
    > The command prompt could be accessed in a number of ways including from
    > within applications. A local administrator could also unjoin a computer
    > from the domain, log on as a local account that is a local administrator
    > to bypass domain Group Policy user configuration settings, rename
    > executables to be what is on the white list to bypass restrictions, and
    > run scripts.
    >
    > I am not saying that will happen in your network but it should be
    > considered as a possibility if you allow a user to be local
    > administrator. --- Steve
    >
    >
    >
    > <kylei@mvlhawaii.com> wrote in message
    > news:1118201975.903870.289130@g47g2000cwa.googlegroups.com...
    >> We have an application that is giving me tons of issues when run under
    >> a user in the local Users Group. I have asked the vendor for the
    >> files/folders/registry entries permissions but they have not given them
    >> to me. I could turn on auditing and find all the
    >> files/folders/registry entries to give the local Users Group access to
    >> but that may take a long time and I don't have that kind of time at the
    >> moment.
    >>
    >> Right now I'm using Group Policy to lockdown the PC so that the only
    >> thing a user can run is the specified application. No right clicking,
    >> no tray icons, no Start Menu items except that application, and no
    >> internet access because we block all access to the internet with
    >> Websense.
    >>
    >> With all this in mind, what is my security risk for the local computer
    >> and for the network? Can you think of any way to cause damage?
    >>
    >
    >
  3.

    I am interested in how malware would get on a computer that has no
    internet access and no USB or CD access?

    I'm also interested in knowing how a user can access the command prompt
    from within an application if the command prompt has been disabled?
  4.

    If the floppy drive is available, that can still be a way, but if access to
    all external media [including floppy] is disabled and there is no internet
    access then the chance for malware is greatly reduced. If the computer has
    network connectivity to other computers then that is a possible avenue for
    access, though again if that is tightly controlled the risk can be minimized.
    I don't know how your internet restrictions work, but keep in mind that if it
    is by IP address or lack of default gateway a local administrator could
    possibly change the default gateway and IP address of their computer.

    If the command prompt is disabled that will make it more difficult. Some
    applications allow access to the command prompt. Another thing to keep in
    mind is that if the user can access command.com then they still can access
    the command prompt. One way for instance could be to use Word and enter
    command.com into a blank document, save the file and select .txt extension,
    and then name the file prompt.bat. Then the user could try to use Explorer
    to open that .bat file and they will have a command prompt. The user could
    also simply enter command.com in the run box if that is available or open
    Explorer and click command.com. The user could also try to use Word,
    Notepad, and Word to create batch files or VB scripts to run on the
    computer. Many programs allow the user to save files other than native
    format, such as to .txt files, and the user can take advantage of such to
    write scripts which, if the user can execute them, will run in the context of
    their user account. If I open Word and create a document that has " net localgroup
    administrators username /add " and save it as a .txt file named
    mybatchfile.bat, I can then try to run it to add a user account I created
    to the local administrators group.

    You can do a lot to lock down any account in Windows 2000/XP Pro, and the more
    you do the harder it will be for a user to overcome the barriers, but a user
    that is local administrator with a high level of knowledge of the operating
    system and some scripting skills more than likely would find a way to
    eventually take control of the computer if they really wanted to. Not having
    any access to external media [access to tools, canned scripts, .reg files]
    and strict control of network access will make the task harder.

    Having said that, security is all about managing risk - not trying to
    eliminate all risk. If allowing users to be local administrators makes
    business sense and the risk is minimal then it may be perfectly acceptable
    to your organization. Many times the main risk is increased support costs
    for users that screw up their computers. --- Steve


    <kylei@mvlhawaii.com> wrote in message
    news:1118257051.727947.21950@z14g2000cwz.googlegroups.com...
    > I am interested in how malware would get on a computer that has no
    > internet access and no USB or CD access?
    >
    > I'm also interested in knowing how a user can access the command prompt
    > from within an application if the command prompt has been disabled?
    >
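A defender's counterpart to the batch-file risk Steve describes above (a user quietly adding an account to the local Administrators group), as an added example that is not part of the original thread: a script that parses the output of `net localgroup administrators` and reports any member that is not on an approved baseline, so drift like that is noticed rather than discovered during the next support call. The sample output is constructed to match the layout the command prints on an English Windows 2000/XP system; the account names and the baseline are made up.

```python
"""Check the local Administrators group against an approved baseline.

Added example, not code from the thread. SAMPLE_OUTPUT is constructed to
match the layout `net localgroup administrators` prints on an English
Windows 2000/XP system; the account names are made up.
"""
import subprocess

# Accounts allowed to be local administrators on this build
# (a constructed baseline; replace with your own).
APPROVED = {"Administrator", "CORP\\Domain Admins", "CORP\\Desktop Support"}

# Constructed sample output; "kiosk" is the account that should not be here.
SAMPLE_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Desktop Support
kiosk
The command completed successfully.
"""

# net's closing status line is localized; adjust on non-English systems
STATUS_PREFIX = "The command completed"


def parse_members(output):
    """Return the member names listed after the dashed separator."""
    members, in_list = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("---"):
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.startswith(STATUS_PREFIX):
            break
        members.append(line)
    return members


def check_drift(output, approved=APPROVED):
    """Diff the listed members against the baseline, both directions."""
    members = set(parse_members(output))
    approved = set(approved)
    return {
        "unexpected": sorted(members - approved),
        "missing": sorted(approved - members),
    }


def check_live():
    """Run the real command on this Windows machine and diff its output."""
    out = subprocess.run(["net", "localgroup", "administrators"],
                         capture_output=True, text=True, check=True).stdout
    return check_drift(out)


if __name__ == "__main__":
    print(check_drift(SAMPLE_OUTPUT))
```

Run it on a schedule from a management account or a remote collector rather than from the kiosk user's own session: anything that runs under a local administrator's session can be tampered with by that administrator, which is the whole point of Steve's warning.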