XP local security settings to allow routing changes.

[CJ]

I am trying to customize the XP user accounts where I work.
Under the XP "local security settings" but I don't see an option to
allow any routing changes on the host.

I want to allow a group to change the routing on the machine i.e.:
C:\>route add 207.17.0.0 mask 255.255.0.0 172.170.221.58
There are a couple of guys that need the permission to do this.

Using XP Pro,
Could someone tell me how to customize to allow this for an account
with otherwise limited access?

Thanks,
crzzy1

 

[Roger Abell]

I believe that the route command probably has
to be used by an administrator since it manipulates
machine-wide routing tables.

 

[CJ]

I thought giving limited admin abilities where what custom permissions
in XP was all about.

My Boss wants to have the machines locked down,
but we are really suffering as we need to run that command,
It does manipulate the machine wide tables but with our strange and
ever changing IP's and VIP's in my work environment necessitates that
these be modified for temporary purposes.

 

[Roger Abell]

Most "machine-wide" values that can impact usability
of the machine for all users are left to members of the
Administrators group.

 

[CJ]

What does that have to do with the price of beans in China.
I was asking how to give modified permissions to a specific group of users,
or limited Administrative permissions in order for people to do thier jobs.

It has never been a problem with the unix boxes to do this.

 

[Slobodan Brcin]

Somebody could write service and application to do that.
But purpose of such option is beyond my imagination, there are always other
approaches to do thing you desire.

One more absurd idea I have is to modify security attributes for some
network protocol drivers, but I don't know easy way to do that, or even if
that could be done.
So my advice to you is to give up and to think some other solution.

You can always look in other news groups that deal with networking, there
you should seek answer, this is wrong NG for this kind of question.


Best regards,
Slobodan

 

[CJ]

Somebody could write service and application to do that.
But purpose of such option is beyond my imagination, there are always other
approaches to do thing you desire.

One more absurd idea I have is to modify security attributes for some
network protocol drivers,

Absurd? That is almost the question I asked.
How do I do this in XP with a limited group of users?
It isn't really the drivers, but the routing table that I want to modify.
The access permission to that is in the XP registry.

but I don't know easy way to do that, or even if
that could be done.
So my advice to you is to give up and to think some other solution.

I'm all ears.
What's the solution?
That is why I am here.

You can always look in other news groups that deal with networking,

What other "XP" security newsgroup do you recommend.

you should seek answer, this is wrong NG for this kind of question.

Again I am all ears. but I haven't yet found a more appropriate NG

 

[Slobodan Brcin]

Absurd? That is almost the question I asked.
It was one of my crazy idea, not a solution.

How do I do this in XP with a limited group of users?
It isn't really the drivers, but the routing table that I want to modify.
The access permission to that is in the XP registry.

If you are programmer:

The CreateIpForwardEntry function creates a route in the local computer's IP
routing table.

route.exe use it, so can you.

In Platform SDK I see no privileges required, but I'm guessing that this is
not the thing that everybody could do.

I'm all ears.
What's the solution?

CreateIpForwardEntry

If you have sufficient privileges to call this function is should do the
work.

If you don't then you can.

1. Write your service to do job as commanded..

2. You could start some program as some Administrator account, but this I
don't recomend. Potential security risk.

3. Finding where about of routing tables, and giving access rights to
everyone, and then manualy modifying values. This is something that I
refered as Absurd idea. This is veeeery wrooong thing to do even on your
personal computer. Accessing registry is not the solution.

That is why I am here.

Like I said you are atleast in one wrong NG. This WindowsXP Embedded group
has nothing to do with routing and network programming.

What other "XP" security newsgroup do you recommend.

This NG I recomend are not security NG, but should help you. Use google to
search theam.

microsoft.public.win32.programmer.networks
microsoft.public.windowsnt.protocol.routing

These are good places to start with qustions.

Again I am all ears. but I haven't yet found a more appropriate NG

See above,

Hope this helps,
Slobodan

 

[Slobodan Brcin]

I must say that I'm confused about what you are trying to do.

Why can't you configure DHCP server to do this things?

Or some kind of remote administration?

Best regards,
Slobodan

 

[CJ]

I must say that I'm confused about what you are trying to do.

Why can't you configure DHCP server to do this things?

Or some kind of remote administration?

Best regards,
Slobodan

It's a strange setup where we work with various tunneling
technologies.
The IP's of the tunnels change from day to day or even during a
session for each machine.
sometimes we need to modify particular routes to go through.
other times we need to modify the routes to go around.
I have a simple script we run to accomplish the task.

Other than that there is no need to give full admin access to everyone
that wants to run the script.

Thanks BTW for the input on the previous post.
I like your Ideas.

 

[ChrisE]

Same Issue

Hi,

Did you ever find a fix for this? I've got the same requirement - we have an application that requires a temporary change to the routing table to work and I can't give the user local admin rights to do it. I also want to avoid using the "RUNAS" command.

If I could find the specific permissions needed to amend the routing table only, and give the user only access to that and nothing else, I would be a happy man.

Thanks,

Chris.