Security question

Posted on 2004-04-01
Last Modified: 2013-12-04
I have a question about a problem we are having and need rectified.  I am NOT a sysadmin, I am a programmer/DBA, so I will try to give you as much information about this as I can.  I apologize in advance if I miss something.

We need a generic login to one computer, with rights assigned to one program, one printer and 3 folders.  Our sysadmin is fighting this for some reason (I was not part of the conversation), but we are the only IT people in the building and I was asked for a solution for this.  

The OS for that particular computer is Windows 2000 Professional.  We also have XP licenses available.  We are running Windows Server 2000.  My solution was to assign a static IP address to that computer, limit the username/password to that computer only, and restrict user access to the program and those files.  Does anyone here have a better solution?  Are there problems with mine?  How can this hurt us from a security standpoint? (This will ONLY be accessed internally).  Being that I am not an expert in hardware/networking, I appreciate all the help you can give me.

Thanks.  Please let me know if you have any questions.

Question by: iptrader
LVL 31

Expert Comment

by: Gareth Gudger
ID: 10734603
Well, you could leave the machine off the domain completely if security was an issue... or, like you said, restrict the user account to only being able to log onto that machine (as well as removing it from the Domain Users group).
LVL 12

Expert Comment

ID: 10734756
Well, it is a security risk, because even if the computer is inside the company's firewall, viruses/spyware/trojans/backdoors and other malware could attack the computer through the firewall on port 80 (HTTP usage on internet connections).

Automatic Logon to Windows NT, 2000 and XP

Plugging Custom Security into Windows 2000

Enhancing the Security of a Windows CE Device

Many regards,
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open

LVL 12

Expert Comment

ID: 10734757
LVL 12

Expert Comment

ID: 10734765
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate

Internet Storm Center - Input portnumber and press GO

IPEye is a freeware TCP port scanner

IIS vulnerability MS03-007
      Here's Microsoft's warning - Impact of vulnerability: RUN CODE OF ATTACKER'S CHOICE:

      But they only talk about IIS (Internet Information Server). Here is some more stuff about this problem:

      As you can see, they warn about this for every Windows 2000 workstation and server, even if they don't run IIS. The problem is that an attacker can run code through port 80, which you use to gain access to the internet.
      If you can afford it, you can get a URL-scanning engine installed on a server, with workstation, server, email and URL-scanning engines from

The Distributed Reflection DoS Attack

Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp

One usage of the HACKYOURSELF scan: TCP scan (65534 ports), UDP scan (800+ ports), and NetBIOS scan

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.

Port scan. Get an instant security analysis now. You don't even need to know your own IP address!

How to recover an already compromised system, visit the CERT Coordination Center:

LVL 12

Expert Comment

ID: 10734772
Downloading and Using the Security Configuration Manager Tool (KB 245216)

Stress Tools to Test Your Web Server (KB 231282)

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure (KB 324892)

Microsoft Baseline Security Analyzer

Maximum Windows 2000 Security

LVL 38

Expert Comment

by: Rich Rumble
ID: 10735998
If this is the question...
1 user needs access to 1 program, 1 printer and a few folders. Place the account in the "Users" group or "Guests" group. Use NTFS folder permissions to lock down the folders the account can access. If this account only needs to run certain programs that are installed already, then Guest or User privileges should do the trick. The IP, whether static or DHCP, makes no security difference. The printer can also have permissions assigned to it, to only allow this one account access. This account could be a local account or domain. Local will assure that it can't be used on another computer; if it is a domain account, then you'll have to do as you have done, restrict the PCs it can be used on, and maybe even the hours it can be used.

There is nothing wrong with the way you have it now. There are always best practices to follow: patch your systems regularly, schedule AV updates daily, and scans daily. Do not run as an administrator all the time. Use RunAs to temporarily "up" your privs. RunAs is just like sudo in Unix systems. Audit your event logs and change your passwords often.

Regardless of whether the PC is part of a domain or not, as long as it's on your LAN, it is a risk to some degree. You could lock the PC down even further with group policies or local policies, but making that login in the Guest or "Users" group will limit THAT ACCOUNT's ability to do much else on that PC. Don't join it to the domain if it's truly standalone, but if the printer is shared off of the domain controller or server, be sure to give your account the rights to access it.
LVL 12

Expert Comment

ID: 10736197
LVL 24

Expert Comment

ID: 10736254
For internal use only, you have no need for TCP/IP, and NetBIOS is fine. The easiest thing to do is ensure everyone has the same ID and password on that system as they normally use; things work out better that way.  Have the machine boot up standalone, and don't bother to expire passwords; let users coordinate that part with their other machines.

> We need a generic login to one computer

Generic has the problem of being both too easy to guess and to leak, and leaves no trackability. You each should still like to know and be accountable for what you each do, so imo stick to unique IDs; it'll also help a debug process if only one of you has a particular problem, and in the meantime, no one should be able to trick the machine into doing something different, such as generic email, or printing 'strange' hardcopy from a generic ID. Make sure the queue list can properly help you identify your own stuff (and identify which of your peers is the real hog without having to pay a visit to the output tray and wait for them to show up).

Don't let anyone else use the computer, and I think just lifting any existing restrictions from the program should do the trick for you.  While admin may think I disagree, I probably agree more with them than you. Possibly, it will work better by placing the few of you into a select group of 'power users' and only letting members of that group access the subdirectories required. That should satisfy protecting from strangers. Do NOT succumb to the temptation of putting up shares; that is all too easy to fail some vulnerability.
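A concrete version of the account lockdown Rich Rumble describes (limited group, NTFS permissions on just the needed folders, logon hours) combined with SunBow's suggestion of granting access through one local group rather than to individuals, written for a standalone Windows 2000/XP machine as a cmd batch script. This is an added example, not code from any poster; the account name, group name and folder paths are placeholders.

```batch
@echo off
REM Added example (not from the thread). Run as a local administrator on the
REM standalone Windows 2000/XP machine. KIOSKUSER, APPUSERS and the D:\App\*
REM paths are placeholders; replace them with your own names.

set ACCT=KIOSKUSER
set GRP=APPUSERS

REM 1. Create the local account. "*" prompts for the password so it never sits
REM    in the script; the account cannot change its own password and never expires.
net user %ACCT% * /add /comment:"Generic application login" /passwordchg:no /expires:never

REM 2. Limit when the account can log on (the "hours" restriction from the thread).
net user %ACCT% /times:M-F,7am-7pm
REM    For a domain account instead, the per-machine restriction would be:
REM    net user %ACCT% /workstations:KIOSK01 /domain   (KIOSK01 is a placeholder)

REM 3. Make a dedicated local group and put the account in it. NTFS rights go to
REM    the group, so a second user can be added later without touching the ACLs.
net localgroup %GRP% /add /comment:"Accounts allowed to use the application"
net localgroup %GRP% %ACCT% /add

REM 4. Keep the account out of anything broader than Users (it is created as a
REM    member of Users by default, which is enough to run an installed program).
net localgroup "Power Users" %ACCT% /delete 2>nul
net localgroup Administrators %ACCT% /delete 2>nul

REM 5. Grant the group Read on the two reference folders and Change on the one it
REM    writes to. /E edits the existing ACL instead of replacing it; /T walks the tree.
for %%D in ("D:\App\Data" "D:\App\Reports") do cacls %%D /E /T /G %GRP%:R
cacls "D:\App\Work" /E /T /G %GRP%:C

REM 6. Show the result for review.
net user %ACCT%
net localgroup %GRP%
cacls "D:\App\Work"
```

cacls only adds the group's entry; any broader entry the folders inherit from the drive root (Everyone with Full Control on a default Windows 2000 install) still has to be removed in the folder's Security tab, and printer permissions are set in the printer's Properties > Security tab, since there is no built-in command for them on these versions.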
LVL 24

Accepted Solution

SunBow earned 300 total points
ID: 10736615
richrumble> Use NTFS folder permissions

> then Guest or User privileges should do the trick.

probably not guest, but something close to it could work, yet my reservations precede. Why not power user among friends

> The IP whether static or dhcp, makes no security difference

agreed, but as above, I don't think IP is needed either

>  if it is a domain

I'd leave it out of domain

> You could lock the PC down even further

probably more trouble than it's worth, aside from group restrictions

> There is nothing wrong with the way you have it now.

This part I miss. What is the current method, if any, was less clear to me
LVL 38

Expert Comment

by: Rich Rumble
ID: 10752096
Iptrader stated:
> My solution was to assign a static IP address to that computer, limit username/password to that computer only, and restrict user access to the program and those files.

Probably done with User Manager for Domains, or AD policy. Then NTFS is how the restrictions were added.  (assumed)
Placing the account in the Guests group would work if the permissions were set correctly for the folders and programs needed to run.
Agreed, locking down the PC further would be more trouble than it's worth, hence the Guests group recommendation, as it's locked down pretty well to begin with.
