Security Basics mailing list archives

Re: Permissions


From: Nexus <nexus06 () drxlabs com>
Date: Fri, 06 Dec 2002 12:07:35 -0800

The NT and Win2k file permission model is different; NT is looser, and the /WINNT directory and such give users more permissions.

Go to sysinternals.com; there are lots of good tools there that, when run before you run an app, will tell you what it is accessing, including reg keys, DLLs, etc.

The default perms in a Win2k install (or even NT4 Workstation) give the users only what they need; the more access you give USERS, the more trouble you're in for later. The SYSTEM group is for the operating system; giving it change or full 'sometimes' will solve those oddball issues, and sometimes not.

Use the tools at sysinternals to find out what keys, DLLs and directories said app is using, test it on a test machine, then create a domain global group.

Apply that group to all the places with the level you tested. (Test using the SYSTEM and NETWORK type groups first.)

Then from there you just add and subtract users from the global groups to be able to access said apps.

The whole idea of a user having only user type perms and not being able to install or change anything is to make the systems and network run smoothly. If you give all your 'users' massive perms then you're just asking for trouble, because of a few reasons.

It makes it easier for an attacker to take over your network, as he has more accounts to target. And more users with more perms means you will be a lot busier than if you had a better set up network.

Another group you can utilize is Authenticated Users; this group will make sure a user is 'authenticated'.
This group is in lieu of the 'everyone' group.

PS: MS Office needs the 'everyone' group in the profiles, so be careful there.

Hope this helps.

Let me know if you need more.

-Nexus






Chris Berry wrote:

From: Nexus <nexus06 () drxlabs com>
That is way too much.
With that much access, users / attackers can have almost full control over the machine.


Only if they have an authenticated user account, at which point, you're pretty much hosed anyways, right?

What I would do is create a group for each type of program,
and place that group in the image (if you have standard images).
Then just set up the access that program needs, with said group. This way ONLY users with a valid need get access to programs they are supposed to have.


Most programs run under the USERS permissions, how would you put a program in a group?

I have a few programs like that; what I did is hunt down every registry key it used and apply permissions to that key in a standard image on an as-needed basis, along with file perms (with domain groups). Also, sometimes giving the SYSTEM group more access or adding it fixes some issues, so try that also.


I had a lot of trouble finding the necessary permissions for most programs; a lot of them assume you are admin, or running on Win9x. Kept having weird errors all the time, very frustrating.

Trust me, in the long run it's better to have it set up correctly than to have a haywire setup.


I totally agree with that, or I wouldn't have posted the question in the first place.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Live dangerously, overclock your servers."
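The "find out what keys, DLLs and directories said app is using" step from the reply above, as an added example that is not part of either poster's message: it reads a trace exported to CSV from Process Monitor (the current Sysinternals tool) and lists only the paths where the app was denied, with the weakest level that would satisfy the request. The column layout, the `legacyapp.exe` process, the paths and the group name are constructed assumptions.

```python
import csv
import io

# Constructed sample rows, assuming the column layout of a Process Monitor CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:07:35.10","legacyapp.exe","1234","RegOpenKey","HKLM\SOFTWARE\LegacyApp","ACCESS DENIED","Desired Access: All Access"
"12:07:35.11","legacyapp.exe","1234","RegOpenKey","HKLM\SOFTWARE\LegacyApp\Settings","ACCESS DENIED","Desired Access: Read"
"12:07:35.12","legacyapp.exe","1234","CreateFile","C:\Program Files\LegacyApp\app.ini","ACCESS DENIED","Desired Access: Generic Write, Read Attributes"
"12:07:35.13","legacyapp.exe","1234","CreateFile","C:\Program Files\LegacyApp\app.ini","ACCESS DENIED","Desired Access: Generic Write, Read Attributes"
"12:07:35.14","legacyapp.exe","1234","CreateFile","C:\WINNT\system32\legacy.dll","SUCCESS","Desired Access: Read Data/List Directory"
"12:07:35.15","explorer.exe","900","RegOpenKey","HKLM\SOFTWARE\Other","ACCESS DENIED","Desired Access: Read"
'''

# Substrings of the requested access that mean the app wanted to change something.
WRITE_HINTS = ("write", "all access", "set value", "delete", "create sub key")

def denied_access(csv_text, process):
    """Return {"registry": {path: level}, "file": {path: level}} for one process."""
    plan = {"registry": {}, "file": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only the app under test, and only requests the current ACLs refused.
        if row["Process Name"].lower() != process.lower() or row["Result"] != "ACCESS DENIED":
            continue
        kind = "registry" if row["Operation"].startswith("Reg") else "file"
        detail = row["Detail"].lower()
        level = "modify" if any(h in detail for h in WRITE_HINTS) else "read"
        # Keep the strongest level seen for a path; never downgrade modify to read.
        if plan[kind].get(row["Path"]) != "modify":
            plan[kind][row["Path"]] = level
    return plan

def grant_lines(plan, group):
    """Render the plan as a checklist of grants for one group (hypothetical name)."""
    return [f"{group}: {level:6} {kind:8} {path}"
            for kind in ("registry", "file")
            for path, level in sorted(plan[kind].items())]

if __name__ == "__main__":
    # "APP-LegacyApp-Users" stands in for the per-application domain global group.
    for line in grant_lines(denied_access(SAMPLE_CSV, "legacyapp.exe"), "APP-LegacyApp-Users"):
        print(line)
```

A request for "All Access" often reflects how the app was written rather than what it needs, so each "modify" entry is worth retesting at a lower level on the test machine before it goes into the image.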
