Security Issue with Computer management

  • Thread starter Thread starter Joseph K
  • Start date Start date
J

Joseph K

We are having a mixture of Windows 2000 with service
pack 4 and Windows 2003 servers.

Users can right click My Computer..Manage..right click
on computer management..connect to another computer and
specify the name of remote computer

Can easily get into another computer and play around with
shares amd other stuff.
Is it a security loop hole? or How can we restirct non
admin users from doing this. They can really damage the
system.

The Users are not in the local administrators group or any
other local group on the remote machine.
They can get into remote PC where they are not members of
any group and play around with shares, event viewer etc

I would expect this capability only for administrators
group on the remote machine.

How can I turn off access to non-admin users


Thanks in Advance
Kiran
 
have you really tried this? i just did and got appropriate 'access denied',
'insufficient permissions held' etc on things i wouldn't expect to have
access to... and i am an admin on my local machine, but not on the domain.
if your users can do things you don't want them to you should look for the
settings that give them too many permissions.
 
Thanks for the reply
This is the issue we are facing currently

The users can not access remote machine by any other
means as they are not members of any group but they can do
things they are not supposed to using the method I have
mentioned(Computer Management).
Is there a way to restrict only non-admin users and allow
admins.


Thanks
Joseph K
 
I would check your user group memberships. It is true that a user can navigate to
another computer and IF they are a member of the users group on that computer they
can VIEW certain information. However unless they are an administrator on the remote
computer they can not manage shares, etc. The next time you try this, go into
Computer Management/shared folders - sessions to see exactly how that remote user is
being authenticated on the computer and/or look in the security log for logon events
[ assuming you have it enabled] . You can disable the ability users to use Computer
Management [and many other mmc snapins] in Group Policy if you do not want them to
use it. --- Steve
 
Back
Top