[Full-Disclosure] RE: Giving Admin rights to local users in Win2k
daniels at ponderosatel.com
Mon Nov 3 20:03:59 GMT 2003
From: "Exibar" <exibar at thelair.com>
To: "James Exim" <security at exim.dyndns.org>,
<full-disclosure at lists.netsys.com>
Subject: Re: [Full-Disclosure] W2k users, local admin rights and GPOs
Date: Wed, 29 Oct 2003 10:54:49 -0500
It's actually very easy to prevent any policies from coming down to your
system if you have local admin rights. What you do is first, delete the
policies from the registry, then deny everyone (except for a locally
user) access to the policy key. You'll see the failures in the event
when a new policy attempts to get written. Voilà! no more policies....
Easy as pie....
Do not give local users admin rights. Do not use software that requires
this. (Vendors will tell you that their packages do because they are too
lazy or too cheap to find out
what administrative rights are needed.) They also write a lot of crap
that requires ADMIN rights. Guess those offshore programmers aren't too
worried about this issue.
So the answer is don't do this, it's an open invitation for pernicious
browser-based trojans to install themselves anyway. We have had more
than one user call and ask what it means to have an install program that
they weren't supposed to be running fail with insufficient rights. Makes
my day every time it happens.
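
A defender's check for the tampering described in the quoted message, as an added example that is not part of the original thread: it lists Deny entries on the policy registry keys that would stop new policy settings from being written. The key paths are the standard Group Policy registry locations and the function name is hypothetical; the post itself only says "the policy key".

```powershell
# Added example, not from the original thread.
# Assumption: these are the standard Group Policy registry locations;
# the quoted post does not name the key.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

# Rights needed to write or replace settings under a key.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'

# Hypothetical helper: returns one object per Deny ACE that blocks writes.
function Get-PolicyKeyDenyAce {
    param([string[]]$Path = $PolicyKeys)

    foreach ($key in $Path) {
        # A key that does not exist has no ACL to inspect.
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $acl = Get-Acl -LiteralPath $key
        foreach ($ace in $acl.Access) {
            # Only Deny entries are of interest here.
            if ($ace.AccessControlType -ne 'Deny') { continue }
            # Skip Deny entries that do not touch any write right.
            if (([int]$ace.RegistryRights -band [int]$WriteRights) -eq 0) { continue }

            [pscustomobject]@{
                Key       = $key
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Any row is worth investigating: a Deny entry on these keys is unusual,
# and one covering Everyone or SYSTEM matches what the post describes.
Get-PolicyKeyDenyAce | Format-Table -AutoSize
```

Run it from an elevated session on the machine being checked; the HKCU paths reflect the account running the script.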