bypassing win2k security.

[evilseed]

Hi, I am requesting some help.

My company doesnt want some of my lower-level techs to have access to admin rights on company computers.

So I must find a way to install a device (such as a camera, etc.) on a windows 2000 pro box that doesnt have admin access rights. (in other words the user isnt conventionally aloud to install using the device manager) Now I heard rumors of a program called "DMC" that allows you to install devices to win2k from the command prompt. (I will probably need to create a custom installer for every device) If I dont figure this out im TOAST! Anyone who can tell me how to do this.. i will be in dept to you. (probably send ya $100)

Ill be checking on this forum constantly

Help me guys!!!!!


--The EvilSeed!!

[ammo]

Well, a little more info as to what you mean by "install a device" might be usefull in helping you.

If you only mean loading drivers, you can modify who is allowed to do so in the security policies (Control panel -> local security settings -> security settings -> local policies -> user rights assignments -> Load and unload device drivers

These settings can also be distributed via group policies in active directory if you use it.

As for other options, like I said, a better explanation of you current setup would be usefull:
Running win2k servers?
running active directory?
What kind of "administrative capabilities" do you want to delegate?
What do you mean exactly by "installing devices"?

Ammo

[avdven]

Why not just ask the Admin for rights?!?! Problem solved. If you already have admin rights, install the hardware for the lower-level techs and you won't have to worry about given them any more access.

AJ

[The Old Man]

Can't see a problem, ES, if nobody else answers your question i'll be back tomorrow after i find a new wheel seal for my boat trailer, but am too tired tonight. If you control the system, you got no problem. Don't be toast.

[evilseed]

Nt4 servers running the domains PDC and BDC.. win2kpro workstations.
Now lets say I need to walk up to one of the workstations and install a program (photoshop), or a device (such as a digital camera, or a scanner) now I know the RUNAS command can update drivers. And I know i could SU admin rights temporarily (using a installer or something), but that would leave the system to big of a security hole I am told. So I need to find out how I can do this. And no I am unable to change the users profiles. I manage lowerlevel techs and helpdesk. So i need to find a workaround. Like I said before someone told me of a program called DMC if you find out what all registry keys and files a out of the box installer does then u can use DMC to do it. I dont know but its a rumor ive heard.. please guys.. help me figure this one out.

I dont think we have active directory.

[SodaMoca5]

How would loading using the "as user" setting leave a security hole. Once you are finished you quit being that account. Then you are returned to a lower level of access. So the camera can be used by the account but it cannot be reloaded, troubleshot etc. The only way this leaves a hole is if you have to tell the user what the password is.

So you can either go to the machine and set it up yourself or use a remote access tool (PC Anywhere is the most common) to take control of their machine remotely, put in the password which is encrypted and make the changes then make sure they are returned to their lower security level and the device works for them.

Now if the problem is that you or your techs are not going to be granted these privileges then the real problem is with the overall policies. Your "higher level techs" could easily set your team up a user account that allows you enough access to load the drivers without giving you full admin privileges. Win2K pro has a ton of tweakable security settings (be very careful of deny settings). If they are unwilling to do this then the problem is not with the method to accomplish this but the support you are receiving for your team. In that case you might want to take this to management and try to explain to them, in small words with lots of pictures, why you cannot install software and hardware without the proper permissions.

One final thing, if you do not have the permissions in the windows arena a DOS tool will still not be able to modify the registery or write the proper drivers to the proper locations. Win2K is not built on a DOS shell the same way the Win9x was. DOS runs as a shell over the NT kernel and therefore permissions in the NT kernal are inherently obeyed by the DOS shell.

[t2k2]

Moca is right evil seed. It will not leave a security hole if you use the "run as" option to install the hardware/software under your credentials, provided you have the proper rights to the local machine. Just don't let the user see your password when you execute the command - this is obvious, of course. You may, however, again, as Moca already stated, have a problem with the level of support that you are receiving from the various higher-ups in your company/department if this is not the problem.

[DeadCr0w]

I dont think we have active directory.

Active directory will only work on a win2k controlled network!
As for the run as, just watch out for keyloggers!

[DBEAUCHAMP]

Originally posted here by DeadCr0w

As for the run as, just watch out for keyloggers!

Just as info ! Keyloggers are not always software made ! Check for hardware keyloggers to !

(man... I sure don't thrust users... !!!)

[The Old Man]

Got to thinking about this later last night.... Seems to me this "problem" should belong to the senior SysOp, not the help-desk / lower-level-tech personnel supervisor. Unless the upper-level techies and bosses have promoted themselves beyond their capabilities and trying to blame problems on a mid-level worker. Or..... Nawwwww, this ain't just a cleverly worded question from someone trying to figure out how to get admin rights, or find a rogue program to bypass the W2K security levels. (there, just slapped my keyboard hands for even thinking of that!)