SECURING PRIVATE ACCOUNTS FROM ADMINISTRATIVE RIGHTS


11 replies to this topic

#1 rittenhouse


Posted 08 June 2017 - 04:25 PM

Not really sure if that made sense, but let me explain. Just recently found out that the administrative sign-on owner also has the rights to open all user accounts, even those that they allow others to use. I do not want access to other computer accounts (or to be held responsible for any problems). How do I deny the administrator the rights or ability to open up other user accounts? For example, Mr. Blue is the owner of the computer with administrative rights and passwords; Mr. Green has a separate sign-on with his own password. How do I deny Mr. Blue and anyone else the ability to gain access or to bypass the password? I noticed under USERS that Mr. Blue could have permanent access to all other accounts just by clicking on and agreeing to accept such a privilege. Is this a case of allowing sharing, or do other security measures need to be installed? Am I mistaken by accepting the rights, does he still need to know the password?





#2 jwoods301


Posted 08 June 2017 - 06:09 PM

The Administrator would need to know the user's password in order to log in as that user.

 

However, the Administrator could gain access to the user's files, without logging in.

 

It sounds like there is a trust issue with Mr. Blue, so you might wish to set up an account for him that does not have full admin privileges.

 

Least privileges necessary to do your job.



#3 rittenhouse

  • Topic Starter

Posted 08 June 2017 - 07:52 PM


That is the problem and the issue. In my Windows 7, I have more than one account on my computer: one for business, one for web, one for storing files. I never even noticed that the main user or Administrator simply has to scroll down to Users, find the other names listed there having accounts, and open right into them, without even using the password sign-on. How do you prohibit this? Does Mr. Green (the sub account) have the ability to block out the other accounts? Does Windows encryption actually do anything? How do you make the sub accounts feel secure in knowing that no one else can search within their user account, not even the owner of the machine?



#4 jwoods301


Posted 08 June 2017 - 08:15 PM

You might take a look at the fundamentals here...

 

https://www.howtogeek.com/school/windows-network-sharing/lesson1/all/

 

If autologon is being used, it should be turned off. See step 4 in this article...

 

https://www.sevenforums.com/tutorials/377-log-automatically-startup.html


Edited by jwoods301, 08 June 2017 - 08:22 PM.


#5 Kilroy

  • BC Advisor

Posted 09 June 2017 - 10:39 AM

It cannot be done.  While you can make it appear like you cannot access something as the administrator, you can give yourself access.

 

With the local administrator information you can connect to the drive remotely and do whatever you want.  I use this all of the time to push software installs to the C:\Temp folder.  I open up the Users directory to verify I'm connected to the correct machine.

 

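@ECHO OFF
CLS
REM Drop any existing mapping on O: first.
NET USE O: /D
REM Prompt for the target machine name.
SET /P MACHINE="Enter Machine Name: " %=%
REM Map the machine's C$ administrative share with its local Administrator account.
REM ADMINPASSWORD is a placeholder for that account's password.
NET USE O: \\%MACHINE%\C$ /USER:%MACHINE%\Administrator ADMINPASSWORD
REM Open the Users folder to confirm the right machine is connected.
EXPLORER.EXE O:\Users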


#6 rittenhouse

  • Topic Starter

Posted 09 June 2017 - 01:48 PM

I THINK people are missing the point. I do not want access to any of the sub accounts on job-related machines. I do not want to be held responsible for any "stuff" that may come up. What other people are doing on shared devices is none of my business and I will not be held for any destruction of personal files or held accountable for the activities of others. If I remove the administrative rights associated with my account, doesn't that allow someone else to then assume that title, or can more than one person automatically give himself administrative rights? What is the point of public folders and libraries? Is anything safe and secure in the computer world? Chaos seems to be everywhere. I want several people to be allowed to use a single machine, but no one of the group can gain access to any other sub accounts. If I decline to be the administrator, does that allow someone else to assume that title? I do not want any sub accounts to be able to intercept any other accounts.



#7 jwoods301


Posted 09 June 2017 - 02:00 PM


Then you personally would need to have a Standard Account.

 

No one with a Standard Account can give themselves Administrator privileges.

 

There is always at least one Administrator in-house to do critical functions that a standard user cannot do.

 

If the company trusts the person's skill set and integrity to be an Administrator, then it is what it is.



#8 Kilroy

  • BC Advisor

Posted 09 June 2017 - 02:11 PM

There MUST be at least one Administrator account, there can be more, but not less than one.

 

There is no way to block an Administrator from anything on a computer.  While it can look like the Administrator is blocked, the Administrator can override this block.  A good example is if you try to install software as the Administrator that is stored on the user's Desktop or in their Download folder.

 

Only an Administrator can grant or remove Administrative rights.

 

Public folders allow everyone who logs into the machine to access the information stored in the Public profile.  However, what you can do with the information is limited.  For instance a standard user cannot delete an icon that is on the Public Desktop.

 

Anything can be made safe and secure in the computer world.  It takes time and understanding how all of the pieces fit together.

 

Normally the set up would be a standard Administrator account on each machine with the password known to the Support Staff.  All users should be created as Standard Users.  This prevents them from installing software and accessing other people's personal information. (Provided the information is stored in their profile)

 

Setting up file permissions and user access is easily a four hour class to understand how things work and how things should be configured.
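
To check the setup described above on a given machine, the following read-only PowerShell audit is an added example, not part of Kilroy's post. It lists who is in the local Administrators group and flags profile folders whose permissions grant access to anyone besides the owner, SYSTEM and Administrators; it assumes an elevated prompt, and the variable names are illustrative.

```powershell
# Added example (not from the thread). Read-only; run from an elevated prompt.
$sidType   = [System.Security.Principal.SecurityIdentifier]
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$systemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'

# 1. List the members of the local Administrators group. The group name is
#    resolved from its well-known SID so this also works on non-English Windows.
$groupName = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
"Members of ${groupName}:"
@($group.Invoke('Members')) | ForEach-Object {
    '  ' + $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

# 2. For each user profile registered under ProfileList, report Allow entries
#    on the profile folder for anyone other than the owner, SYSTEM and
#    Administrators.
$expectedBase = @($adminsSid.Value, $systemSid.Value)
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $ownerSid = $_.PSChildName
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    # Skip service/system profiles and profiles whose folder is gone.
    if ($ownerSid -notlike 'S-1-5-21-*' -or -not (Test-Path $path)) { return }
    $expected = $expectedBase + $ownerSid
    $rules = (Get-Acl $path).GetAccessRules($true, $true, $sidType)
    $extra = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $expected -notcontains $_.IdentityReference.Value
    })
    if ($extra.Count -gt 0) {
        "$path : access also granted to"
        $extra | ForEach-Object { "  $($_.IdentityReference.Value)  $($_.FileSystemRights)" }
    } else {
        "$path : owner, SYSTEM and Administrators only"
    }
}
```

A clean result only describes the permissions as currently set; as the posts in this thread say, any account in the Administrators list can still grant itself access.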



#9 britechguy

  • Moderator

Posted 09 June 2017 - 04:53 PM

And I hasten to add that this is in no way limited, as a concept, to Windows.

 

Any OS that supports multiple users on a single machine has to have someone who is "the grand poobah".  Under Linux/Unix that user is generally root (or other user(s) who've been granted root privileges),  under Windows that's any user that's classed as an administrator, and the list goes on.  There has to be someone who has the power to do anything on a given multi-user system, including creating and removing user accounts that may or may not have root/administrator/whatever the OS in question calls it privileges.

 

There's nothing wrong with not wanting to be in the position of administrator yourself, but someone in any given organization has to be, and usually there are at least two people who are for any given machine since backup is necessary if one person is out sick, etc.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#10 rittenhouse

  • Topic Starter

Posted 10 June 2017 - 12:01 PM


One of the sub accounts downloaded and installed CHROME in his account. Now all of the other accounts are tied into Chrome. I can see every web page that they visit. None of the sub accounts has administrator rights, yet they managed to do this. This is the reason for the spread of malware and viruses. Each account must be entirely in its own protected zone without any variance or ability to interact with other accounts. Doesn't MICROSOFT realize this when they created this program, Windows 10? They seem indifferent to the real world of cyber crime. All versions of Windows must have this fault, which no doubt they do not see as a fault but only a convenience. So do the criminals.



#11 jwoods301


Posted 10 June 2017 - 05:34 PM

It's not a fault, it's by design.

 

Many ways to restrict what users do...account management, Group Policy, etc.

 

The goal should be to give the user(s) the least amount of privilege to do their jobs.

 

Sounds like your company needs a solid security policy... and enforcement.

 

Unless you're a decision-maker with the company, all you can do is recommend.



#12 britechguy

  • Moderator

Posted 10 June 2017 - 06:01 PM

If anyone is capable of installing something, they have administrator privileges (unless someone has rigged a lot of special group policies, which given all the background is highly unlikely).

 

You really need to read up on, and understand, what the default Windows account types allow a user to do.

 

You cannot install software as a standard user, even for yourself.   If you are an administrator you can install software, and many installations let you choose whether it's only for you or for all users.   When it is for all users, those individual users have individual profiles.   There is absolutely no way that all users on a machine have a shared profile for Chrome (or any other web browser) by default.  Period.

