Security question

I have a question about a problem we are having and need to have rectified. I am NOT a sysadmin, I am a programmer/DBA, so I will try to give you as much information about this as I can. I apologize in advance if I miss something.

We need a generic login to one computer, with rights assigned to one program, one printer and 3 folders. Our sysadmin is fighting this for some reason (I was not part of the conversation), but we are the only IT people in the building and I was asked for a solution for this.

The OS for that particular computer is Windows 2000 Professional. We also have XP licenses available. We are running Windows Server 2000. My solution was to assign a static IP address to that computer, limit the username/password to that computer only, and restrict user access to the program and those files. Does anyone here have a better solution? Are there problems with mine? How can this hurt us from a security standpoint? (This will ONLY be accessed internally). Being that I am not an expert in hardware/networking, I appreciate all the help you can give me.

Thanks.  Please let me know if you have any questions.

SunBow commented:
richrumble:
> Use NTFS folder permissions

> then Guest or User privileges should do the trick.

probably not guest, but something close to it could work, yet my reservations precede. Why not power user among friends

> The IP whether static or dhcp, makes no security difference

agreed, but as above, I don't think IP is needed either

>  if it is a domain

I'd leave it out of domain

> You could lock the PC down even further

probably more trouble than it is worth, aside from group restrictions

> There is nothing wrong with the way you have it now.

This part I miss. What the current method is, if any, was less clear to me.
Gareth Gudger commented:
Well you could leave the machine off the domain completely if security was an issue......or like you said restrict the user account to only being able to log onto that machine (as well as removing it from the Domain Users group)
Jorgen Malmgren commented:
Well it is a security risk, because even if the computer is inside the company's firewall, virus/spyware/trojans/backdoor and other malware could attack the computer through the firewall on port 80 (http-usage on internet connections).

Automatic Logon to Windows NT, 2000 and XP

Plugging Custom Security into Windows 2000

Enhancing the Security of a Windows CE Device

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open


List of known Trojan/Backdoors and the TCP/UDP ports on which they operate

Internet Storm Center - Input portnumber and press GO

IPEye is a freeware TCP port scanner

IIS-vulnerability MS03-007
Here's Microsoft's warning - Impact of vulnerability: RUN CODE OF ATTACKER'S CHOICE:

But they only talk about IIS (Internet Information Server). Here is some more stuff about this problem:

As you can see, they warn about this for every Windows 2000 workstation and server, even if they don't run IIS. The problem is that an attacker can run code through port 80, the port you use to gain access to the internet.
If you can afford it, you can get a URL-scanning engine installed on a server, with workstation, server, email and URL-scanning engines, from

The Distributed Reflection DoS Attack

Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan 

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.

Port scan.. Get an instant security analysis now. You dont even need to know your own IP address!

How to recover an already compromised system, visit the CERT Coordination Center:

Downloading and Using the Security Configuration Manager Tool (Microsoft KB 245216)

Stress Tools to Test Your Web Server (Microsoft KB 231282)

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure (Microsoft KB 324892)

Microsoft Baseline Security Analyzer

Maximum Windows 2000 Security

Rich Rumble (Security Samurai) commented:
If this is the question...
1 user needs access to 1 program, 1 printer and a few folders. Place the account in the "Users" group or "Guests" group.
Use NTFS folder permissions to lock down the folders the account can access. If this account only needs to run certain programs that are installed already, then Guest or User privileges should do the trick. The IP, whether static or DHCP, makes no security difference.
The printer can also have permissions assigned to it, to only allow this one account access. This account could be a local account or domain. Local will assure that it can't be used on another computer; if it is a domain, then you'll have to do as you have done, restrict the PCs it can be used on, and maybe even the hours it can be used.

There is nothing wrong with the way you have it now. There are always best practices to follow:
Patch your systems regularly, schedule AV updates daily, and scans daily. Do not run as an administrator all the time. Use RunAs to temporarily "up" your privs. RunAs is just like sudo in Unix systems. Audit your event logs and change your passwords often.

Regardless of whether the PC is part of a domain or not, as long as it's on your LAN, it is a risk to some degree. You could lock the PC down even further with group policies or local policies, but making that login in the Guest or "Users" group will limit THAT ACCOUNT's ability to do much else on that PC. Don't join it to the domain if it's truly standalone, but if the printer is shared off of the domain controller or server, be sure to give your account the rights to access it.
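The lockdown Rich describes (a local account in the Users group, NTFS permissions on the program directory and the three data folders, RunAs for administrative work, and the domain-account alternative of restricting logon workstations and hours), written out as an added example. This is not code from the thread or from any of its participants; it uses only the built-in Windows 2000/XP commands of that era (net user, net localgroup, cacls, runas). The account name kioskuser, the folder paths under C:\Shared, the program path and the computer name PC-LOBBY are constructed placeholders. Printer permissions have no built-in command-line tool on Windows 2000 and are set in the printer's Security tab.

```batch
@echo off
rem Added example, not from the original thread. Run as a local Administrator
rem on the one workstation. All names below are constructed placeholders.

set ACCT=kioskuser
set APPDIR=C:\Program Files\TheOneApp
set DATA1=C:\Shared\Orders
set DATA2=C:\Shared\Reports
set DATA3=C:\Shared\Archive

rem 1. Create a LOCAL account (not a domain account), so the credentials are
rem    valid on this machine only. "*" prompts for the password instead of
rem    leaving it in the script; the user is not allowed to change it.
net user %ACCT% * /add /passwordchg:no /comment:"Restricted operator account"

rem 2. Membership: Users only. New local accounts already land in Users
rem    (the /add may report "already a member", which is harmless); make sure
rem    the account is in neither Power Users nor Administrators.
net localgroup Users %ACCT% /add 2>nul
net localgroup "Power Users" %ACCT% /delete 2>nul
net localgroup Administrators %ACCT% /delete 2>nul

rem 3. NTFS permissions with cacls. /E edits the existing ACL instead of
rem    replacing it, /T recurses, /G grants: R = read (enough to run the
rem    program), C = change (read, write, delete) for the three data folders.
cacls "%APPDIR%" /T /E /G %ACCT%:R
cacls "%DATA1%"  /T /E /G %ACCT%:C
cacls "%DATA2%"  /T /E /G %ACCT%:C
cacls "%DATA3%"  /T /E /G %ACCT%:C

rem 4. Explicitly deny the account any tree it must never see, even if an
rem    inherited Users entry would otherwise allow reading it.
cacls "C:\Shared\Finance" /T /E /D %ACCT%

rem 5. Verify the resulting ACLs before handing the machine over.
cacls "%APPDIR%"
cacls "%DATA1%"
cacls "C:\Shared\Finance"

rem 6. Day-to-day work as a normal user; elevate only for the task at hand
rem    (Rich's "RunAs is like sudo" point). Run this from the operator's
rem    session when an admin console is needed:
rem    runas /user:%COMPUTERNAME%\Administrator "mmc compmgmt.msc"

rem 7. Domain-account alternative (run on the domain controller instead of
rem    steps 1-2): restrict the workstations and hours the account may log
rem    on, as the asker already did, because a domain account is otherwise
rem    accepted by every machine in the domain.
rem    net user %ACCT% /domain /workstations:PC-LOBBY /times:M-F,7am-7pm
```

Steps 3 and 4 are where the asker's "restrict user access to the program and those files" actually happens; the group membership in step 2 only bounds what the account can do elsewhere on the PC. Keep the default Users membership rather than Power Users if the program runs without it, since Power Users can install software and change system settings.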
For internal use only, you have no need for TCP/IP, and NetBios is fine. The easiest thing to do is ensure everyone has same ID and password on that system as they normally use, things work out better that way.  Have the machine boot up standalone, and don't bother to expire passwords, let users coordinate that part with their other machines.

> We need a generic login to one computer

Generic has the problem of being both too easy to guess and too easy to leak, and leaves no trackability. You each should still like to know and be accountable for what you each do, so imo stick to unique IDs; it'll also help a debug process if only one of you has a particular problem, and in the meantime no one should be able to trick the machine into doing something different, such as generic email, or printing 'strange' hardcopy from the generic ID. Make sure the queue list can properly help you identify your own stuff (and identify which of your peers is the real hog without having to pay a visit to the output tray and wait for them to show up).

Don't let anyone else use the computer, and I think just lifting any existing restrictions from program should do the trick for you.  While admin may think I disagree, I probably agree more with them than you. Possibly, it will work better by placing the few of you into a select group of 'power user' and only let members of that group access the subdirectories required. That should satisfy protecting of strangers. Do NOT succumb to temptation of putting up shares, that is all too easy to fail some vulnerability.
Rich Rumble (Security Samurai) commented:
Iptrader stated:
> My solution was to assign a static IP address to that computer, limit the username/password to that computer only, and restrict user access to the program and those files.

Probably done with User Manager for Domains, or AD policy. Then NTFS is how the restrictions were added. (assumed)
Placing the account in the Guests group would work if the permissions were set correctly for the folders and programs needed to run.
Agreed, locking down the PC further would be more trouble than it's worth, hence the Guests group recommendation, as it's locked down pretty well to begin with.
Question has a verified solution.