bypassing win2k security.
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: bypassing win2k security.

  1. #1

    Exclamation bypassing win2k security.

    Hi, I am requesting some help.

    My company doesnt want some of my lower-level techs to have access to admin rights on company computers.

    So I must find a way to install a device (such as a camera, etc.) on a windows 2000 pro box that doesnt have admin access rights. (in other words the user isnt conventionally aloud to install using the device manager) Now I heard rumors of a program called "DMC" that allows you to install devices to win2k from the command prompt. (I will probably need to create a custom installer for every device) If I dont figure this out im TOAST! Anyone who can tell me how to do this.. i will be in dept to you. (probably send ya $100)

    Ill be checking on this forum constantly

    Help me guys!!!!!


    --The EvilSeed!!
    ------------EViLSEED
    Hackers are impervious. Resistant is futile.


  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Well, a little more info as to what you mean by "install a device" might be usefull in helping you.

    If you only mean loading drivers, you can modify who is allowed to do so in the security policies (Control panel -> local security settings -> security settings -> local policies -> user rights assignments -> Load and unload device drivers

    These settings can also be distributed via group policies in active directory if you use it.

    As for other options, like I said, a better explanation of you current setup would be usefull:
    Running win2k servers?
    running active directory?
    What kind of "administrative capabilities" do you want to delegate?
    What do you mean exactly by "installing devices"?

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    Why not just ask the Admin for rights?!?! Problem solved. If you already have admin rights, install the hardware for the lower-level techs and you won't have to worry about given them any more access.

    AJ

  4. #4
    Senior Member The Old Man's Avatar
    Join Date
    Aug 2001
    Posts
    364
    Can't see a problem, ES, if nobody else answers your question i'll be back tomorrow after i find a new wheel seal for my boat trailer, but am too tired tonight. If you control the system, you got no problem. Don't be toast.

  5. #5
    Nt4 servers running the domains PDC and BDC.. win2kpro workstations.
    Now lets say I need to walk up to one of the workstations and install a program (photoshop), or a device (such as a digital camera, or a scanner) now I know the RUNAS command can update drivers. And I know i could SU admin rights temporarily (using a installer or something), but that would leave the system to big of a security hole I am told. So I need to find out how I can do this. And no I am unable to change the users profiles. I manage lowerlevel techs and helpdesk. So i need to find a workaround. Like I said before someone told me of a program called DMC if you find out what all registry keys and files a out of the box installer does then u can use DMC to do it. I dont know but its a rumor ive heard.. please guys.. help me figure this one out.

    I dont think we have active directory.
    ------------EViLSEED
    Hackers are impervious. Resistant is futile.


  6. #6
    Senior Member SodaMoca5's Avatar
    Join Date
    Mar 2002
    Posts
    236
    How would loading using the "as user" setting leave a security hole. Once you are finished you quit being that account. Then you are returned to a lower level of access. So the camera can be used by the account but it cannot be reloaded, troubleshot etc. The only way this leaves a hole is if you have to tell the user what the password is.

    So you can either go to the machine and set it up yourself or use a remote access tool (PC Anywhere is the most common) to take control of their machine remotely, put in the password which is encrypted and make the changes then make sure they are returned to their lower security level and the device works for them.

    Now if the problem is that you or your techs are not going to be granted these privileges then the real problem is with the overall policies. Your "higher level techs" could easily set your team up a user account that allows you enough access to load the drivers without giving you full admin privileges. Win2K pro has a ton of tweakable security settings (be very careful of deny settings). If they are unwilling to do this then the problem is not with the method to accomplish this but the support you are receiving for your team. In that case you might want to take this to management and try to explain to them, in small words with lots of pictures, why you cannot install software and hardware without the proper permissions.

    One final thing, if you do not have the permissions in the windows arena a DOS tool will still not be able to modify the registery or write the proper drivers to the proper locations. Win2K is not built on a DOS shell the same way the Win9x was. DOS runs as a shell over the NT kernel and therefore permissions in the NT kernal are inherently obeyed by the DOS shell.
    SodaMoca5
    \"We are pressing through the sphincter of assholiness\"

  7. #7
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Moca is right evil seed. It will not leave a security hole if you use the "run as" option to install the hardware/software under your credentials, provided you have the proper rights to the local machine. Just don't let the user see your password when you execute the command - this is obvious, of course. You may, however, again, as Moca already stated, have a problem with the level of support that you are receiving from the various higher-ups in your company/department if this is not the problem.
    Opinions are like holes - everybody\'s got\'em.

    Smile

  8. #8
    Member
    Join Date
    Jan 2002
    Posts
    82
    I dont think we have active directory.
    Active directory will only work on a win2k controlled network!
    As for the run as, just watch out for keyloggers!

  9. #9
    Member
    Join Date
    Apr 2002
    Posts
    45
    Originally posted here by DeadCr0w

    As for the run as, just watch out for keyloggers!
    Just as info ! Keyloggers are not always software made ! Check for hardware keyloggers to !

    (man... I sure don't thrust users... !!!)

  10. #10
    Senior Member The Old Man's Avatar
    Join Date
    Aug 2001
    Posts
    364
    Got to thinking about this later last night.... Seems to me this "problem" should belong to the senior SysOp, not the help-desk / lower-level-tech personnel supervisor. Unless the upper-level techies and bosses have promoted themselves beyond their capabilities and trying to blame problems on a mid-level worker. Or..... Nawwwww, this ain't just a cleverly worded question from someone trying to figure out how to get admin rights, or find a rogue program to bypass the W2K security levels. (there, just slapped my keyboard hands for even thinking of that!)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •