Solved

Disable taking ownership of hosts file

Posted on 2007-04-11
10
703 Views
Last Modified: 2008-02-01
Hi Experts,

I am running win xp prof sp2 and have two accounts on the pc. One Admin and the other one Power User. I would like to protect the Power user from taking ownership of the "hosts" file.
The problem is that the power user can make another limited account within win xp and take ownership from there.

Is there any way at all whatsoever, in which i can protect taking ownership of the hosts file.
Note: I cannot give the power user lower level permissions on the pc?

Regards,
Neville
0
Comment
Question by:N_Joshi
  • 4
  • 2
10 Comments
 
LVL 22

Assisted Solution

by:Adam Leinss
Adam Leinss earned 35 total points
ID: 18891108
Just give the Users/Power Users group read rights, do not allow them to modify or write to the file, that should prevent them from taking ownership.
0
 

Author Comment

by:N_Joshi
ID: 18891209
I have set the "hosts" file permission in such a way from the admin account, that the power user cannot write, delete... the files. If this is what you mean, it does not work out.
0
 

Author Comment

by:N_Joshi
ID: 18891229
The point value has been increased to 300
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 70

Expert Comment

by:KCTS
ID: 18891275
If you have not already done so Add Power Users to the Security Tab
Select the Power Users Group
Click Advanced and Select EDIT
Scroll to the bottom an DENY take ownership
0
 

Author Comment

by:N_Joshi
ID: 18891348
I have done all that and more, that is, from control panel > administrative tools> local security policy> user rights assignment> (last setting, "take ownership of files and other objects"), i have selected only the admin user.

But it still does not work.

I maybe wrong but I was thinking since a new user can be created from power users, the new user has no permissions assigned to it, and so this is like a free and new "limited" account which is not bound by permissions, when it has just been created. Unfortunately it seems that the "hosts" file gets affected with this loophole, even though the account is limited.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 100 total points
ID: 18891834
Use DENY to prevent power users in the ADVANCED NTFS PERMISSIONS - NOT with A GPO but on the hosts file itself.
0
 

Author Comment

by:N_Joshi
ID: 18895865
I used Deny to prevent power users in advanced NTFS permissions but it did not work.
I could still create a limited user from the power user account and logon with limited user rights and take control of the Hosts file.

I have solved the problem by denying the Administrators, Power users and Users, access to the hosts file with the read only permissions and related advanced NTFS read only permissions, from the Admin mode.
This allows the admin to take control of the Hosts file and at the same time does not give the power user the ability to take control of the hosts file.

The reason for me posting in Vista is because if for some reason, win xp security cannot solve my problem, maybe some permission setting in Vista can. I had no idea Vista does not have Power users. Thanks for telling me. Anyway the problem is now solved.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question