N_Joshi
asked on
Disable taking ownership of hosts file
Hi Experts,
I am running win xp prof sp2 and have two accounts on the pc. One Admin and the other one Power User. I would like to protect the Power user from taking ownership of the "hosts" file.
The problem is that the power user can make another limited account within win xp and take ownership from there.
Is there any way at all whatsoever, in which i can protect taking ownership of the hosts file.
Note: I cannot give the power user lower level permissions on the pc?
Regards,
Neville
I am running win xp prof sp2 and have two accounts on the pc. One Admin and the other one Power User. I would like to protect the Power user from taking ownership of the "hosts" file.
The problem is that the power user can make another limited account within win xp and take ownership from there.
Is there any way at all whatsoever, in which i can protect taking ownership of the hosts file.
Note: I cannot give the power user lower level permissions on the pc?
Regards,
Neville
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The point value has been increased to 300
If you have not already done so Add Power Users to the Security Tab
Select the Power Users Group
Click Advanced and Select EDIT
Scroll to the bottom an DENY take ownership
Select the Power Users Group
Click Advanced and Select EDIT
Scroll to the bottom an DENY take ownership
ASKER
I have done all that and more, that is, from control panel > administrative tools> local security policy> user rights assignment> (last setting, "take ownership of files and other objects"), i have selected only the admin user.
But it still does not work.
I maybe wrong but I was thinking since a new user can be created from power users, the new user has no permissions assigned to it, and so this is like a free and new "limited" account which is not bound by permissions, when it has just been created. Unfortunately it seems that the "hosts" file gets affected with this loophole, even though the account is limited.
But it still does not work.
I maybe wrong but I was thinking since a new user can be created from power users, the new user has no permissions assigned to it, and so this is like a free and new "limited" account which is not bound by permissions, when it has just been created. Unfortunately it seems that the "hosts" file gets affected with this loophole, even though the account is limited.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I used Deny to prevent power users in advanced NTFS permissions but it did not work.
I could still create a limited user from the power user account and logon with limited user rights and take control of the Hosts file.
I have solved the problem by denying the Administrators, Power users and Users, access to the hosts file with the read only permissions and related advanced NTFS read only permissions, from the Admin mode.
This allows the admin to take control of the Hosts file and at the same time does not give the power user the ability to take control of the hosts file.
The reason for me posting in Vista is because if for some reason, win xp security cannot solve my problem, maybe some permission setting in Vista can. I had no idea Vista does not have Power users. Thanks for telling me. Anyway the problem is now solved.
I could still create a limited user from the power user account and logon with limited user rights and take control of the Hosts file.
I have solved the problem by denying the Administrators, Power users and Users, access to the hosts file with the read only permissions and related advanced NTFS read only permissions, from the Admin mode.
This allows the admin to take control of the Hosts file and at the same time does not give the power user the ability to take control of the hosts file.
The reason for me posting in Vista is because if for some reason, win xp security cannot solve my problem, maybe some permission setting in Vista can. I had no idea Vista does not have Power users. Thanks for telling me. Anyway the problem is now solved.
ASKER