Sign in with
Sign up | Sign in
Your question

process to allow Guest account to dial-up to the internet...

Last response: in Windows XP
Share
March 4, 2005 5:13:02 AM

Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

using win xp pro sp2. this is my idea, in a nutshell. i've created an
account, in the Users group, say Internet, and provided instructions within
the Guest account to do the following:

1.) run an instance of the Command Prompt as the Internet user (the
instructions in the Guest account provide the username and password for the
Internet account)
2.) run "c:\documents and settings\all users\application
data\microsoft\network\connections\pbk\rasphone.pbk"

this pops up a window, allowing the user to connect to the internet via
dial-up networking. now there are obviously security risks involved with
this process, and that is what i am here for. first of all, this enables the
user to also create a new dial-up connection. is there a way to disable
this? (should users in the Users group even be allowed to create new dial-up
connections?) i have already removed the Internet user from the "welcome
screen". secondly, on to file permissions. i have denied the Internet user
full access to "C:\Program Files", and read-only access to their home
directory (c:\docume~1\internet) and they are automatically denied access to
the rest of c:\docume~1\*. i was hoping to be able to deny full access to
C:\WINDOWS, but i soon found out this was not possible if i wanted to run
this rasphone.pbk. so i was hoping we could figure out which
files/directories within C:\WINDOWS i would need to grant access in order to
use JUST this rasphone.pbk. i think WINDOWS\system32\services.exe and
WINDOWS\system32\rasphone.exe are at least needed, because i was receiving
failure audits for these when trying to run rasphone.pbk. i notice there are
a lot of files WINDOWS\system32\ras* as well as a directory
WINDOWS\system32\ras\ that are also probably related. i tried granting
"Traverse Folder/Execute File" & "List Folder/Read Data" rights for the
following:
- the directory C:\WINDOWS
- the directory C:\WINDOWS\system32\
- the directory C:\WINDOWS\system32\ras\
- the files C:\WINDOWS\system32\ras*

but still getting an "access is denied" when trying to run the rasphone.pbk.
i'm not sure if i need to be granting more rights to these files, or (more)
rights to more files within WINDOWS\, or what. but, i am really excited
about this! if we can figure out what needs to be granted access to and get
this working it would be an awesome hack! any input would be appreciated.
unfortunately, this computer is not readily available, so my replies will be
slow, but thanks in advance!
Anonymous
March 5, 2005 3:53:01 AM

Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

so i've basically figured out what files/directories the Internet account
needs access to, and which rights need to be granted. i did this by auditing
the failures generated by the Internet user when trying the process i
described below. it only took 4 hours, but i got it working. now, my only
question is, what are the security risks, if any? by granting read & execute
rights to a very limited number of files/directories in C:\WINDOWS\*, i don't
see any security risks at the moment (except the ability to create new
dial-up connections. the button to create a new connection was available,
but i didn't try and complete the whole process of making a new dial-up
connection... maybe it would fail at the final step or something), but i
would like to be reassured. thanks in advance for any help.

"scar@EFnet.Org" wrote:

> using win xp pro sp2. this is my idea, in a nutshell. i've created an
> account, in the Users group, say Internet, and provided instructions within
> the Guest account to do the following:
>
> 1.) run an instance of the Command Prompt as the Internet user (the
> instructions in the Guest account provide the username and password for the
> Internet account)
> 2.) run "c:\documents and settings\all users\application
> data\microsoft\network\connections\pbk\rasphone.pbk"
>
> this pops up a window, allowing the user to connect to the internet via
> dial-up networking. now there are obviously security risks involved with
> this process, and that is what i am here for. first of all, this enables the
> user to also create a new dial-up connection. is there a way to disable
> this? (should users in the Users group even be allowed to create new dial-up
> connections?) i have already removed the Internet user from the "welcome
> screen". secondly, on to file permissions. i have denied the Internet user
> full access to "C:\Program Files", and read-only access to their home
> directory (c:\docume~1\internet) and they are automatically denied access to
> the rest of c:\docume~1\*. i was hoping to be able to deny full access to
> C:\WINDOWS, but i soon found out this was not possible if i wanted to run
> this rasphone.pbk. so i was hoping we could figure out which
> files/directories within C:\WINDOWS i would need to grant access in order to
> use JUST this rasphone.pbk. i think WINDOWS\system32\services.exe and
> WINDOWS\system32\rasphone.exe are at least needed, because i was receiving
> failure audits for these when trying to run rasphone.pbk. i notice there are
> a lot of files WINDOWS\system32\ras* as well as a directory
> WINDOWS\system32\ras\ that are also probably related. i tried granting
> "Traverse Folder/Execute File" & "List Folder/Read Data" rights for the
> following:
> - the directory C:\WINDOWS
> - the directory C:\WINDOWS\system32\
> - the directory C:\WINDOWS\system32\ras\
> - the files C:\WINDOWS\system32\ras*
>
> but still getting an "access is denied" when trying to run the rasphone.pbk.
> i'm not sure if i need to be granting more rights to these files, or (more)
> rights to more files within WINDOWS\, or what. but, i am really excited
> about this! if we can figure out what needs to be granted access to and get
> this working it would be an awesome hack! any input would be appreciated.
> unfortunately, this computer is not readily available, so my replies will be
> slow, but thanks in advance!
March 31, 2005 9:35:05 PM

Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

i was hoping to receive some input regarding the possible security risks
involved with this process. isn't there anyone who can comment on it? i
would appreciate anything. thank you.
!