Security Vulnerability? or just an IT Admin oversight?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

A place I work has about 1,000 computers and 95% of us use the same user ID
to log into a domain, with no password used. The login user id is extremely
restricted(group policy?) BUT by simply using calculator and going to Help,
then Help Topics, then Options and Selecting Home, it brings me to the Help &
Support link which from there I can then get Full Administrative access to
the PC.

When normally logging into the domain we have a heavily modified start menu,
with nothing but modified versions of IE, Calculator and a few office program
viewers...excel viewer....etc.

Is there a way to secure the company's PCs without disabling the Help &
Support feature? I tried disabling the Help & Support service on the
client(once I gained administrator access) but it still loaded it up when I
logged out and then logged in under the domain.....does it need to be
disabled on the server for it to prevent the client from loading the Help &
Support menu options? Is there another way to prevent users from gaining full
control of the system through Help & Support? perhaps setting our logins to
limited accounts? Haven't tested that yet myself.
 
Arcalyn121 said:
A place I work has about 1,000 computers and 95% of us use the same user ID
to log into a domain, with no password used. The login user id is
extremely
restricted(group policy?) BUT by simply using calculator and going to
Help,
then Help Topics, then Options and Selecting Home, it brings me to the
Help &
Support link which from there I can then get Full Administrative access to
the PC.

When normally logging into the domain we have a heavily modified start
menu,
with nothing but modified versions of IE, Calculator and a few office
program
viewers...excel viewer....etc.

Is there a way to secure the company's PCs without disabling the Help &
Support feature? I tried disabling the Help & Support service on the
client(once I gained administrator access) but it still loaded it up when
I
logged out and then logged in under the domain.....does it need to be
disabled on the server for it to prevent the client from loading the Help
&
Support menu options? Is there another way to prevent users from gaining
full
control of the system through Help & Support? perhaps setting our logins
to
limited accounts? Haven't tested that yet myself.
Click to expand...

What do you mean by "full admin access" ?? What can you do after going into
Help and Support that you couldn't do before?

PS: this does seem like an odd way of running a network... 1 user ID that
most users use.
 
Arcalyn121 said:
A place I work has about 1,000 computers and 95% of us use the same user ID
to log into a domain, with no password used. The login user id is
extremely
restricted(group policy?) BUT by simply using calculator and going to
Help,
then Help Topics, then Options and Selecting Home, it brings me to the
Help &
Support link which from there I can then get Full Administrative access to
the PC.

When normally logging into the domain we have a heavily modified start
menu,
with nothing but modified versions of IE, Calculator and a few office
program
viewers...excel viewer....etc.

Is there a way to secure the company's PCs without disabling the Help &
Support feature? I tried disabling the Help & Support service on the
client(once I gained administrator access) but it still loaded it up when
I
logged out and then logged in under the domain.....does it need to be
disabled on the server for it to prevent the client from loading the Help
&
Support menu options? Is there another way to prevent users from gaining
full
control of the system through Help & Support? perhaps setting our logins
to
limited accounts? Haven't tested that yet myself.
Click to expand...

Once you get the Help and Support system up - you can ONLY do tasks that
your account has permissions to perform.
So if there are items on the Help and Support menu that you do not want
users to perform then you have not set the appropriate permissions/group
memberships etc for that user account.
It is not sufficient to just hide the tools from the user through
controlling the user environment via group policy. You must also set the
user account to have only the correct permissions and rights that it
requires to do its job.

So in short - no not a security vulnerability, it IS an IT Admin
oversight/configuration issue.
--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
What do you mean by "full admin access" ?? What can you do after going into
Help and Support that you couldn't do before?
Click to expand...

Before using help & support, I had No priviledges on the PC. Everything was
locked out and disabled from loading or displaying. I couldn't change screen
resolutions, couldn't browse the local comp's hd nor the network, couldn't
get msconfig to load, and my start menu had log off, modified IE, calculator,
prietary software and that was it. So before I got administrative access to
the computer I couldn't do much, but simply using the Tools in the Help &
Support center allowed me to over-ride all policy settings for the local
machine's access.
 
Arcalyn121 said:
Before using help & support, I had No priviledges on the PC. Everything
was
locked out and disabled from loading or displaying. I couldn't change
screen
resolutions, couldn't browse the local comp's hd nor the network, couldn't
get msconfig to load, and my start menu had log off, modified IE,
calculator,
prietary software and that was it. So before I got administrative access
to
the computer I couldn't do much, but simply using the Tools in the Help &
Support center allowed me to over-ride all policy settings for the local
machine's access.
Click to expand...

Yes, because they had just hidden the tools - your account still had
permissions to do these things if you can get to the tools via another route
(such as the taks sin the Help and Support).
So this is not really a secured setup - your Admins needs to also limit the
rights and permissions of the accounts to prevent them doing things they
should not. Hiding the tools is not sufficient to secure the environment.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Back
Top