Security Basics mailing list archives
Re: only read admin rights
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Mon, 28 Oct 2002 14:01:43 -0700
On Fri, Oct 25, 2002 at 11:31:11PM -0000, christian mathieu wrote:
Hello, I would like to know if there is a way to create an account on a win2K machine, that has admin rights to be able to look anywhere in the machine, but could not modify anything. The goals is to allow some admins to look at how we secure the box without giving "real" admin passwords
You will have to make a user Administrator then hit the custom button, and start clicking. While I have never tried this, it should be possible. I have made a user with more access rights than Administrator, which says that Administrator is prevented from doing things; I'd argue why not just prevent it a little more? One thing I will point out is, if they can read anything and everything, they may be able to use that information to gain real Administrator access. Well, now that I think about... they *can* use this access to gain administrator. Explict action on their part would be needed, but that is all (IOW they can't do it by clicking to fast in MineSweeper). If this doesn't phase you, then go for it. ----------------------------------------------------------------------- __o Bradley Arlt Security Team Lead _ \<_ arlt () cpsc ucalgary ca University Of Calgary (_)/(_) I should be biking right now. Computer Science
Current thread:
- only read admin rights christian mathieu (Oct 28)
- Re: only read admin rights Brad Arlt (Oct 29)