Solved

Win 2000 security not liking application

Posted on 2003-03-10
Last Modified: 2010-04-11
Hey, quick question:

I set up a 2k network in a classroom at my school, 2k server and 2kpro workstations. I am having difficulties running applications as any user other than administrator, leaving me no other option than to set the student accounts as admin so the apps may be used. As you can imagine this causes a lot of hassle. I have tried installing the apps on a network drive, but with 35 machines that is more drive space than I have, and there has to be a better way.
I have some security in place on the workstations. I don't allow access to the C:\ drive in the GP and deny all access besides list directory on each workstation. The programs are all installed in a directory with full control for everyone, so I don't think the denial of access to C would affect them much.

Is there a way to run just the application as an administrator? I know you can do it and enter your password every time, but that isn't practical for this application.

Thanks in advance for your help

~Dan
Question by: PyroPhin
11 Comments
 
LVL 5

Expert Comment

by:rrhunt28
ID: 8104823
Unfortunately some applications require admin rights. If you had them sign on and off, at least you would have a record if someone screwed something up.
 

Expert Comment

by:WinXPFixR
ID: 8105243
DENY takes precedence over ALLOW... so by explicitly denying "everyone" access, there is no way they will have access. If you don't want them to have access to a file, just make sure the user accounts they are using are not listed in the security properties, nor any of the groups they belong to; this includes the "everyone" group.

Hope this helps.
 
LVL 2

Expert Comment

by:NEOsporin
ID: 8111191
PowerUsers can do a lot; I have not run into many apps that can't be run as a PowerUser. Setups and installs do need admin rights, especially if they need to modify the registry. RunAs can give you admin rights; below are two links you should read. By holding Shift and right-clicking an icon you'll see Run As in the list of options. Type in your username/password and domain (unless you have a local account you'll be using), then click OK. RunAs can also be run from the command line.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/runas.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/lsm_overview_01.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/lsm_local_groups.asp

PowerUsers are able to install program updates like those from a virus program, like McAfee or Norton.
There aren't many trivial things that they can't do. Most of the big stuff, like installs and registry modifications, is the minimum they can't do.
-NEO
 
LVL 2

Expert Comment

by:NEOsporin
ID: 8111284
And WinXPFixR is right: you may be being too strict. Or if you remove Everyone, be sure to add the users that are using that app, no matter what group they'd be in. That should save you some headache. Also a little preemptive note: do not remove the SYSTEM account from the drive where your Pagefile.sys file resides; that account is needed to properly create the page file.
GL
-NEO
 

Expert Comment

by:aelhajj
ID: 8113577
I agree with WinXPFixR. You don't want to explicitly Deny access to C. What I suggest is make sure your students have Read and Execute on C:\. Also, give your users limited accounts on the workstations (or it will be easier for you to install Active Directory and have a domain inside your classroom, then set all your users to domain users; that way they may have local accounts on each machine without administrator access).
I hope that helps.
 
LVL 12

Accepted Solution

by: trywaredk (earned 150 total points)
ID: 8150715
PYROPHIN... Some applications require membership of Local Power Users, some applications require membership of Local admin group.

This problem is increasing, and You are totally right when saying "leaving me no other option than to set the student accounts as admin so the apps may be used. As you can imagine this causes a lot of hassle."

But it doesn't matter that You "have some security in place on the workstations. I don't allow access to the C:\ drive in the GP and deny all access besides list directory on each workstation."

Because being a member of the local admin group means what it says: users can do anything they like with anything on the hard disk.

But You have another problem, so PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation.

If You add a Domain Group membership to the Local Admin Group, everyone who is a member gets unlimited REMOTE access power over all similar workstations on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:

http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to add the Domain User Group to the Local Admin Group on BOTH test-workstations, and logout and logon again.

Important: You have to log on anew after creating the credentials, because in W2k they are given at the second You press ENTER on the password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open.
 

Expert Comment

by:softwareplugins
ID: 8188433
PyroPhin:

As an IT consulting firm, we have had the exact same problem with Payroll software, Accounting software, Tax programs, etc. at virtually every one of our clients. It seems that none of the programmers of these products grasps the concept of locked-down workstations, as when we talk to them they reply "just give them Admin rights".

We finally got fed up and created a product that solves the problem. <Edited by SpideyMod>
 

Expert Comment

by:SpideyMod
ID: 8220598
softwareplugins,
Promoting your company or its products is against the membership agreement (http://www.experts-exchange.com/jsp/infoMemberAgreement.jsp). I have edited your comments. At this point I need you to re-read the membership agreement and indicate that you understand within 72 hours. Failing that, I have an obligation to turn your account over to site administration for review.

SpideyMod
Community Support Moderator @Experts Exchange
 
LVL 3

Expert Comment

by:ewall
ID: 8241990
The 'mantra' of locked-down workstation security is: give them permission to do what they need to do, and no more. You really can create a liveable, workable world by making this your dogma.

I agree that denying file access to everything is likely to cause more than its share of problems, but thankfully Win 2000 and XP systems give you a reasonable set of permissions to start with. (BTW, you can reset the perms with the Security Templates; I'd suggest "securews" for your environment, but "setup security" is okay, too.)

Here's a time-honored trick I've used and taught a thousand times. This is the 'quick version', so let me know if you want to know more:

1.) Get the free programs 'FileMon' and 'RegMon' from www.sysinternals.com

2.) Log in as an unprivileged user, then use the 'runas' command to start the FileMon and RegMon programs

3.) Now run the program you're trying to fix--when you get the error(s), stop the monitoring programs and save the results

4.) Open the filemon.log and regmon.log in Excel and use features like "AutoFilter" to drill down to the "ACCESS DENIED" messages that the program is getting

5.) Open up permissions for CHANGE only to the files and/or Registry keys which got the access denied

6.) Now try it again... If you get more errors, you'll probably have to repeat the above steps until you get all the permissions ironed out.

7.) Don't forget to document what you found, and maybe make a script to fix the permissions 'cause someday you're sure to need them again!

Good luck!  ~ewall
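Steps 4, 5 and 7 of the procedure above, scripted as an added example (not code from the thread or from Sysinternals): it filters a FileMon log down to the ACCESS DENIED paths one process hit and emits `cacls` lines that grant only Change (C) to a group, editing the existing ACL (/E) rather than replacing it. The tab-separated log layout, the `learnapp.exe` process and the `Students` group are constructed assumptions; real FileMon output varies by version, and `cacls` is Windows 2000's built-in ACL tool.

```python
from collections import OrderedDict

# Constructed FileMon-style excerpt (assumed layout, tab-separated):
# seq, time, process:pid, request, path, result
SAMPLE_FILEMON_LOG = """\
1\t10:31:02\tlearnapp.exe:1204\tOPEN\tC:\\Program Files\\LearnApp\\learnapp.exe\tSUCCESS
2\t10:31:02\tlearnapp.exe:1204\tOPEN\tC:\\Program Files\\LearnApp\\settings.ini\tACCESS DENIED
3\t10:31:03\tlearnapp.exe:1204\tWRITE\tC:\\Program Files\\LearnApp\\settings.ini\tACCESS DENIED
4\t10:31:03\tlearnapp.exe:1204\tOPEN\tC:\\Program Files\\LearnApp\\data\\scores.dat\tACCESS DENIED
5\t10:31:04\texplorer.exe:812\tQUERY INFORMATION\tC:\\WINNT\\system32\\shell32.dll\tSUCCESS
6\t10:31:05\tlearnapp.exe:1204\tCREATE\tC:\\Program Files\\LearnApp\\data\\log.txt\tACCESS DENIED
"""


def denied_paths(log_text, process=None):
    """Distinct paths that returned ACCESS DENIED, in first-seen order.

    `process` (e.g. 'learnapp.exe') restricts the result to one program, which is
    what the AutoFilter in step 4 does by hand. A denied CREATE means the file does
    not exist yet, so the permission that matters is on the parent directory.
    """
    seen = OrderedDict()
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # header or truncated line
        proc, request, path, result = fields[2], fields[3], fields[4], fields[5]
        if result.strip() != "ACCESS DENIED":
            continue
        if process and not proc.lower().startswith(process.lower() + ":"):
            continue
        if request == "CREATE" and "\\" in path:
            path = path.rsplit("\\", 1)[0]  # grant on the directory, not the new file
        seen.setdefault(path, None)
    return list(seen)


def cacls_commands(paths, group="Students"):
    """One cacls line per path: /E edits the ACL in place, /G group:C grants Change only."""
    return ['cacls "%s" /E /G %s:C' % (p, group) for p in paths]


if __name__ == "__main__":
    for cmd in cacls_commands(denied_paths(SAMPLE_FILEMON_LOG, "learnapp.exe")):
        print(cmd)
```

Review the generated lines before running them; a directory grant (the `data` folder here) is wider than a single-file grant, so check it is really what the program needs.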