Solved

Unable to Properly Restrict User Privileges on Windows XP Pro

Posted on 2010-11-18
379 Views
Last Modified: 2012-05-10
We have a pretty simple setup. A Dell server running Windows Server 2003 Standard Edition w/ SP2 and 3 Dell workstations all running Windows XP Pro SP3.

We recently had problems with malware attacks, so I went ahead and removed Administrator rights from the workstations.

However, one of the workstations still seems to have administrator rights. If I go to this workstation and click on Users in the Control Panel, it shows this account as being a restricted "User" account, not Admin. Yet, I can still install programs and do pretty much anything I want under this account, so clearly the privileges are still at the Admin level for this account.

How can I properly restrict this workstation? Does this need to be done on the Server, the workstation, or both?
Question by:anuneznyc
13 Comments
 
LVL 11

Expert Comment

by:louisreeves
GPMC is how rights can be controlled, and policy is not as hard as they say.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

You can google how to control a lot of things using GPMC. Another way to go is with ISA Server. These are nice tools, but you want to know what you are doing when you use them.

ISA Server is good, and this guy is all over the place with his ISA knowledge:

http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part2.html
LVL 6

Expert Comment

by:thiagotietze
lol.... I just don't understand why there's that much information in the last comment...

It seems pretty simple:

1 - Which groups is this user part of? Is it an Active Directory user? A local user?
2 - Is the user explicitly listed in the groups on the machine (Administrative Tools --> Computer Management)? In Active Directory, is the user a member of any group that has admin access to the machine?
3 - After the permissions were changed, was the user logged off?
LVL 66

Expert Comment

by:johnb6767
Assuming you have been through the AD side of things, I would rename the local profile, and have him log in again, and see if it remains......

Definitely check for nested groups as well as the above references....

Author Comment

by:anuneznyc
Thanks for the feedback guys. Sorry I was AWOL for over a week. I need to get back on this system this weekend to check out the settings.

How can I verify whether this particular account is local or on the AD? Is it possible to be both? If so, then how do I determine whether the rights are being controlled/set by the local machine or the AD?

Thanks.
LVL 6

Assisted Solution

by:thiagotietze
thiagotietze earned 150 total points
You can check the user by (when logged in to the account) running CMD, then typing "set u".
It will show you some information about the user, and the user will be shown as:
DOMAINNAME\username or MACHINENAME\username

This can tell you the information..

And no, a computer user account is a computer user account, and a domain user account is a domain user account.

Author Comment

by:anuneznyc
Thanks for that, thiagotietze.
Running net u @ command prompt shows this user as being part of the domain, so that means the rights are controlled by the AD on the server.

On the server when I open up the AD, I see this user is part of a group called "Domain Admins" under an AD folder called domain.foo.net/Users.

I will take him out of this "Domain Admins" group.
LVL 66

Accepted Solution

by:johnb6767
johnb6767 earned 250 total points
"Running net u @ command prompt shows this user as being part of the domain, so that means the rights are controlled by the AD on the server."

Not exactly... Depending on what LOCAL groups this user is a member of, dictates what rights the user has on the box. If they are not a member of the local Admins group, they can't install stuff... Now, with that said, if they are in a Domain Admin group, those rights can get filtered to the local box because the Domain Admins group is a member of the Local Admins group on the box.

Go to start>run>lusrmgr.msc, and look in the Admins group. Is this user listed as "username" or "domain\username"?

If it is just "username", is there also a user listed there under the Users category? If so, might be your problem.....


Author Comment

by:anuneznyc
Thanks johnb6767. Running lusrmgr.msc shows this particular user correctly in the 'Users' group and NOT in the 'Administrators' group. Which is exactly how I need it to be.

Now trying to run devmgmt.msc results in a message that the user does not have sufficient rights to change device properties. So perfect! Now this user seems pretty locked down unless he logs in under a different admin account. So now if they get slammed by another malware attack, the damage should be minimal or even null.

Thanks for the good advice!
LVL 6

Expert Comment

by:thiagotietze
Yes, the above information is right too. SET U is a command to quickly know where your user resides.

If the user was a Domain Admin, this "Domain Group" was added to the Administrators "Local Group" on the machine (this is a default for Windows), so the problem is explained.

As a best practice, only add users to the Domain Admins group if it is an ADMIN-ONLY account.
Normally, Domain Admin accounts are not supposed to be logged on to desktops every day.
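As an added example, not code posted by anyone in this thread: a PowerShell script covering both johnb6767's accepted answer (what lusrmgr.msc shows in the local Administrators group, and whether each entry is a local or a domain account) and the point above that the Domain Admins group sits inside the local Administrators group by default. It reads the effective rights of the logged-on token first, because that already includes nested memberships, and then lists the direct group members so a nested domain group stands out. The ADSI WinNT provider calls, the use of `$env:COMPUTERNAME`, and the output layout are my assumptions for Windows PowerShell 2.0 or later; nothing here is specific to the poster's domain.

```powershell
# Added example for this thread (not code from any of the posters).
# Run it in the affected user's own session on the workstation.
# Assumes Windows PowerShell 2.0 or later and a domain-joined machine.

# --- 1. Effective admin rights of the current logon session ---
# IsInRole checks the token's group SIDs, so DOMAIN\Domain Admins nested
# in the local Administrators group is counted, even though lusrmgr.msc
# only shows the group name and not its members.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
"Logged on as {0}; effectively a local administrator: {1}" -f $identity.Name, $principal.IsInRole($adminRole)
""

# --- 2. Direct members of the local Administrators group (what lusrmgr.msc shows) ---
$computer = $env:COMPUTERNAME
$group    = [ADSI]"WinNT://$computer/Administrators,group"

foreach ($member in @($group.psbase.Invoke('Members'))) {
    # Members come back as late-bound COM objects; read IADs properties via InvokeMember.
    $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)

    # ADsPath is WinNT://AUTHORITY/Name, where AUTHORITY is the computer for local
    # accounts and the domain for domain accounts (a leading domain segment may also
    # appear before the computer name; taking the last two segments handles both).
    $segments  = ($path -replace '^WinNT://', '') -split '/'
    $name      = $segments[-1]
    $authority = $segments[-2]
    $scope     = if ($authority -ieq $computer) { 'local' } else { 'domain' }

    $note = ''
    if ($class -eq 'Group' -and $scope -eq 'domain') {
        $note = '  <- nested domain group: every member of it is a local admin here'
    }
    "{0,-7} {1,-6} {2}\{3}{4}" -f $scope, $class, $authority, $name, $note
}
```

On Windows XP there is no UAC, so the first check reflects the full token and reports True for a Domain Admin even though Control Panel labels the account a "User". On Vista and later the same call reflects the filtered token unless the shell was started elevated, so the group listing in the second part is the more reliable check there.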
LVL 66

Expert Comment

by:johnb6767
"So now if they get slammed by another malware attack, the damage should be minimal or even null."

Good news and bad news with that.....

Viruses that write to protected areas of the system, yeah, you're fairly safe. But the majority of the rogues write to the user profile, which by default a limited user has 99% control over..... So it will be minimal but not foolproof.....
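The comment above is the reason the rights change is not foolproof: a limited user still owns HKCU and the profile directory, so anything that persists there runs at the next logon without needing admin rights. As an added example, not posted by anyone in this thread, here is a PowerShell check that lists the per-user autostart locations a limited account can write to and flags entries launching something from inside the user's profile. The registry paths are the standard per-user Run/RunOnce keys; the Startup folder comes from the .NET special-folder API. It assumes Windows PowerShell 2.0 or later and is run as the affected user.

```powershell
# Added example (not from the thread): enumerate per-user autostart locations that a
# limited user can write to, and flag commands that run out of the user's own profile.
# Run as the affected user. Assumes Windows PowerShell 2.0 or later.

# Provider metadata that Get-ItemProperty attaches to every result; not registry values.
$metaProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$userProfile = $env:USERPROFILE

function Test-InProfile([string]$command) {
    # True when the command line references the user's own profile directory.
    return ("$command".ToLower().Contains($userProfile.ToLower()))
}

# Per-user Run/RunOnce keys live in HKCU, which the limited user controls outright.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        $flag = if (Test-InProfile $prop.Value) { '  <- runs from user profile' } else { '' }
        "{0}`n    {1} = {2}{3}" -f $key, $prop.Name, $prop.Value, $flag
    }
}

# The per-user Startup folder (on XP: %USERPROFILE%\Start Menu\Programs\Startup);
# anything dropped here runs at logon with the user's rights.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue | ForEach-Object {
    "{0}`n    {1}  (modified {2})" -f $startup, $_.Name, $_.LastWriteTime
}
```

A flagged entry is not proof of infection (some legitimate per-user installers live under the profile too), but on a workstation where nothing should be user-installed, any Run value or Startup item pointing into the profile is worth a look before the next mail-spam incident rather than after.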

Author Comment

by:anuneznyc
Good point JB. The problem has been that this user has (on 2 different occasions) managed to get infected w/ malware that hijacked his email address in Outlook 2003 and started sending spam messages by the thousands, to which the email hosting company would respond by blacklisting/locking his email address, and then of course he couldn't send any messages at all.

That was a real nuisance, so I'm hoping the change in user rights will prevent this kind of attack?
LVL 66

Expert Comment

by:johnb6767
It should help quite a bit.. Just won't stop 100% of infections......

I would start looking at disciplinary actions myself.....

Wanna find out where he is going, for proof??

IEHistoryView
http://www.nirsoft.net/utils/iehv.html

MyLastSearch
http://www.nirsoft.net/utils/my_last_search.html

Can do it from your machine to get proof. When you present that to the employee, usually has a tendency to make them become a safer Web Surfer....  :)


Author Comment

by:anuneznyc
Good idea. Thanks.