Security question

Posted on 2004-04-01
Medium Priority
Last Modified: 2013-12-04
I have a question about a problem we are having and need rectified.  I am NOT a sysadmin, I am a programmer/DBA, so I will try to give you as much information about this as I can.  I apologize in advance if I miss something.

We need a generic login to one computer, with rights assigned to one program, one printer and 3 folders.  Our sysadmin is fighting this for some reason (I was not part of the conversation), but we are the only IT people in the building and I was asked for a solution for this.  

The OS for that particular computer is Windows 2000 Professional.  We also have XP licenses available.  We are running Windows Server 2000.  My solution was to assign a static IP address to that computer, limit the username/password to that computer only, and restrict user access to the program and those files.  Does anyone here have a better solution?  Are there problems with mine?  How can this hurt us from a security standpoint? (This will ONLY be accessed internally).  Being that I am not an expert in hardware/networking, I appreciate all the help you can give me.

Thanks.  Please let me know if you have any questions.

Question by:iptrader
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10734603
Well, you could leave the machine off the domain completely if security was an issue... or, like you said, restrict the user account to only being able to log onto that machine (as well as removing it from the Domain Users group).
LVL 12

Expert Comment

ID: 10734756
Well, it is a security risk, because even if the computer is inside the company's firewall, viruses/spyware/trojans/backdoors and other malware could attack the computer through the firewall on port 80 (HTTP usage on internet connections).

Automatic Logon to Windows NT, 2000 and XP

Plugging Custom Security into Windows 2000

Enhancing the Security of a Windows CE Device

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open

LVL 12

Expert Comment

ID: 10734765
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate

Internet Storm Center - Input portnumber and press GO

IPEye is a freeware TCP port scanner

IIS-vulnerability MS03-007
      Here's Microsoft's warning - Impact of vulnerability: RUN CODE OF ATTACKER'S CHOICE:

      But they only talk about IIS (Internet Information Server). Here is some more stuff about this problem:

      As you can see, they warn about this for every Windows 2000 workstation and server, even if they don't run IIS. The problem is that an attacker can run code through port 80, which you use to gain access to the internet.
      If you can afford it, you can get a URL-scanning engine installed on a server, with workstation, server, email and URL-scanning engines, from http://www.trendmicro.com/en/products/global/enterprise.htm

The Distributed Reflection DoS Attack

Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.

Port scan... Get an instant security analysis now. You don't even need to know your own IP address!

How to recover an already compromised system, visit the CERT Coordination Center:

LVL 12

Expert Comment

ID: 10734772
Downloading and Using the Security Configuration Manager Tool:

Stress Tools to Test Your Web Server:

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure

Microsoft Baseline Security Analyzer

Maximum Windows 2000 Security

LVL 38

Expert Comment

by:Rich Rumble
ID: 10735998
If this is the question...
1 user needs access to 1 program, 1 printer and a few folders. Place the account in the "Users" group or "Guests" group.
Use NTFS folder permissions to lock down the folders the account can access. If this account only needs to run certain programs that are installed already, then Guest or User privileges should do the trick. The IP, whether static or DHCP, makes no security difference.
The printer can also have permissions assigned to it, to only allow this one account access. This account could be a local account or domain. Local will assure that it can't be used on another computer; if it is a domain account, then you'll have to do as you have done, restrict the PCs it can be used on, and maybe even the hours it can be used.

There is nothing wrong with the way you have it now. There are always best practices to follow:
Patch your systems regularly, schedule AV updates daily, and scans daily. Do not run as an administrator all the time. Use RunAs to temporarily "up" your privs. RunAs is just like sudo in Unix systems. Audit your event logs and change your passwords often.

Regardless of whether the PC is part of a domain or not, as long as it's on your LAN, it is a risk to some degree. You could lock the PC down even further with group policies or local policies, but making that login in the Guests or "Users" group will limit THAT ACCOUNT's ability to do much else on that PC. Don't join it to the domain if it's truly standalone, but if the printer is shared off of the domain controller or server, be sure to give your account the rights to access it.
LVL 24

Expert Comment

ID: 10736254
For internal use only, you have no need for TCP/IP, and NetBIOS is fine. The easiest thing to do is ensure everyone has the same ID and password on that system as they normally use; things work out better that way.  Have the machine boot up standalone, and don't bother to expire passwords; let users coordinate that part with their other machines.

> We need a generic login to one computer

A generic login has the problem of being both too easy to guess and to leak, and it leaves no trackability. You each should still like to know and be accountable for what you each do, so IMO still stick to unique IDs. It'll also help a debugging process if only one of you has a particular problem, and in the meantime, no one should be able to trick the machine into doing something different, such as sending generic email or printing 'strange' hardcopy from the generic ID. Make sure the queue list can properly help you identify your own stuff (and identify which of your peers is the real hog without having to pay a visit to the output tray and wait for them to show up).

Don't let anyone else use the computer, and I think just lifting any existing restrictions from the program should do the trick for you.  While the admin may think I disagree, I probably agree more with them than with you. Possibly, it will work better by placing the few of you into a select 'Power Users' group and only letting members of that group access the subdirectories required. That should satisfy protecting against strangers. Do NOT succumb to the temptation of putting up shares; that is all too easy to fall to some vulnerability.
LVL 24

Accepted Solution

SunBow earned 1200 total points
ID: 10736615
richrumble> Use NTFS folder permissions

> then Guest or User privileges should do the trick.

Probably not Guest, but something close to it could work, yet my reservations precede. Why not Power User among friends?

> The IP whether static or dhcp, makes no security difference

agreed, but as above, I don't think IP is needed either

>  if it is a domain

I'd leave it out of domain

> You could lock the PC down even further

Probably more trouble than it's worth, aside from group restrictions.

> There is nothing wrong with the way you have it now.

This part I miss. What the current method is, if any, was less clear to me.
LVL 38

Expert Comment

by:Rich Rumble
ID: 10752096
Iptrader stated:
My solution was to assign a static IP address to that computer, limit the username/password to that computer only, and restrict user access to the program and those files.

Probably done with User Manager for Domains, or AD policy. Then NTFS is how the restrictions were added.  (assumed)
Placing the account in the Guests group would work if the permissions were set correctly for the folders and programs needed to run.
Agreed, locking down the PC further would be more trouble than it's worth, hence the Guests group recommendation, as it's locked down pretty well to begin with.
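To make the advice from Rich Rumble's first comment (local account in Users or Guests, NTFS permissions on the folders and the program, restricted logon hours/workstations for a domain account, RunAs for admin work) and from SunBow's accepted solution (a small group holding the only grant on the required subdirectories, no shares) concrete, here is a batch script for a Windows 2000/XP Professional box. This is an added example, not code posted by anyone in the thread. It uses only tools that ship with Windows 2000 (`net user`, `net localgroup`, `cacls`, `runas`). The account name `kioskuser`, the group name `KioskApp`, the paths `D:\Apps\LabelPrint` and `D:\Data\Folder1..3`, and the workstation name `KIOSKPC` are placeholders, not values from the question. Printer ACLs have no built-in command-line tool on Windows 2000, so that part stays in the printer's Security tab.

```batch
@echo off
rem Added example (not from the thread). Run locally on the kiosk PC as an
rem administrator. All names below are placeholders / assumptions.
setlocal

set ACCT=kioskuser
set GRP=KioskApp
set APPDIR=D:\Apps\LabelPrint
set DATA1=D:\Data\Folder1
set DATA2=D:\Data\Folder2
set DATA3=D:\Data\Folder3

rem 1. Create a LOCAL account so it cannot be used on any other machine
rem    (SunBow: stay off the domain). "*" prompts for the password instead
rem    of leaving it in the script or in the command history.
net user %ACCT% * /add /fullname:"Kiosk workstation login" /passwordchg:no /expires:never

rem 2. New local accounts land in Users by default. Rich Rumble's stricter
rem    option is Guests; drop it from Users first so only Guests applies.
net localgroup Users %ACCT% /delete
net localgroup Guests %ACCT% /add

rem 3. A dedicated local group carries the folder grants (SunBow's "select
rem    group"), so adding a second person later is one net localgroup call,
rem    not a second pass over every ACL.
net localgroup %GRP% /add /comment:"Users of the label-print kiosk app"
net localgroup %GRP% %ACCT% /add

rem 4. NTFS permissions. /E edits the existing ACL instead of replacing it;
rem    /T applies to the whole tree; /R strips the broad Everyone grant that
rem    Windows 2000 puts on new folders; /G grants R (read) or C (change).
rem    Administrators and SYSTEM keep whatever access they already had.
for %%D in (%DATA1% %DATA2% %DATA3%) do (
    cacls %%D /T /E /C /R Everyone
    cacls %%D /T /E /C /G %GRP%:C
)
rem The program directory is read/execute only: the account can run it but
rem cannot tamper with the binaries it runs.
cacls %APPDIR% /T /E /C /R Everyone
cacls %APPDIR% /T /E /C /G %GRP%:R

rem 5. Verify: the resulting ACLs and the group memberships.
for %%D in (%DATA1% %DATA2% %DATA3% %APPDIR%) do cacls %%D
net user %ACCT%
net localgroup Guests

rem --- Variant if the sysadmin insists on a DOMAIN account instead ---
rem Pin it to this one PC and to business hours (run on the DC or with
rem /domain); this is the "limit to that computer only" step from the
rem question, done with net user rather than AD Users and Computers:
rem   net user %ACCT% /workstations:KIOSKPC /times:M-F,7am-7pm /domain

rem --- Admin work on this box afterwards (Rich Rumble's RunAs advice) ---
rem Stay logged on as the restricted user and elevate one command at a time:
rem   runas /user:KIOSKPC\Administrator "cmd.exe"

endlocal
```

Two caveats worth knowing before running it. `cacls ... /R Everyone` on a folder that relies on the inherited Everyone grant for other users will lock those users out too, so check with `cacls <folder>` first and run it only on the three data folders and the program directory, not on the drive root. And `net user name * /add` creates the account with the password policy of the local machine; because the account is local, domain password policy does not reach it, so pick a long password here rather than counting on expiry.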
