  A small security problem (Message 19 to 28 of 28)  
From: Nicolas Alvarez
Subject: Re: A small security problem
Date: 8 Dec 2008 20:11:06
Message: <493dc5a9@news.povray.org>
Orchid XP v8 wrote:
> Riiiight. And, as you obviously realise, the article this is from is
> describing how to apply security to services using a *Group Policy*.
> And, as you also know, Group Policies DO NOT WORK WITH NT. :-P
> 
> http://blog.binaryfactory.ca/2008/05/windows-service-permissions-concerns-when-hardening-servers/
> 
> Now, Mr Smarty, if you know how to actually do this *in Windows NT*,
> _then_ I'll be impressed. Cos I've spent all ****ing day trying to find
> it. :-(

I have only ever touched group policy in Windows XP.



From: Invisible
Subject: Re: A small security problem
Date: 9 Dec 2008 11:39:26
Message: <493e9f3e$1@news.povray.org>
Orchid XP v8 wrote:

> And now I'm wondering... maybe it's a "right" you can set? (As you may 
> remember, permissions apply to resources, rights apply to users.) I 
> wonder if I can either assign the "stop service" right to a user group, 
> or else create a mini-admins group and somehow revoke the "kick people 
> off" right?...

Apparently yes.

Apparently anybody who has the "load or unload a device driver" right 
can also start and stop system services. (WTF?) So all I need to do is 
create a suitable group and assign people to it and I'm done. Yay, me! :-D



From: scott
Subject: Re: A small security problem
Date: 10 Dec 2008 03:40:43
Message: <493f808b$1@news.povray.org>
>> And now I'm wondering... maybe it's a "right" you can set? (As you may 
>> remember, permissions apply to resources, rights apply to users.) I 
>> wonder if I can either assign the "stop service" right to a user group, 
>> or else create a mini-admins group and somehow revoke the "kick people 
>> off" right?...
>
> Apparently yes.
>
> Apparently anybody who has the "load or unload a device driver" right can 
> also start and stop system services. (WTF?) So all I need to do is create 
> a suitable group and assign people to it and I'm done. Yay, me! :-D

If you are worried enough that they will log off other users (either 
accidentally or maliciously), then why aren't you worried that they will 
start unloading device drivers? ;-)



From: Invisible
Subject: Re: A small security problem
Date: 10 Dec 2008 04:25:31
Message: <493f8b0b$1@news.povray.org>
>> Apparently yes.
>>
>> Apparently anybody who has the "load or unload a device driver" right 
>> can also start and stop system services. (WTF?) So all I need to do is 
>> create a suitable group and assign people to it and I'm done. Yay, me! 
>> :-D
> 
> If you are worried enough that they will log off other users (either 
> accidentally or maliciously), then why aren't you worried that they will 
> start unloading device drivers? ;-)

Well, if you do, you only mess your own stuff up. I'm not concerned 
about people messing their own stuff up, only other people's stuff! :-D

(Basically, we have a new guy in the lab who is... uh... overly keen to 
prove himself. Apparently it's been causing all sorts of problems. This 
guy recently discovered that he could kick people off other computers, 
and has been doing so extensively. [Not helped by the two morons in 
charge of IT accidentally giving everybody at the UK site administrator 
access to every PC on the network - thanks, guys!] So I was told to 
"fix" this - which I did. The trouble now is that you can't restart the 
service for our flakey lab software, which you need to be able to do...)



From: scott
Subject: Re: A small security problem
Date: 10 Dec 2008 04:29:02
Message: <493f8bde$1@news.povray.org>
> This guy recently discovered that he could kick people off other 
> computers, and has been doing so extensively.

Geez, what sort of people have you got working there?  Surely that sort of 
behaviour demands some sort of official warning, it's not like you're at 
school messing about.



From: Invisible
Subject: Re: A small security problem
Date: 10 Dec 2008 04:33:03
Message: <493f8ccf$1@news.povray.org>
scott wrote:
>> This guy recently discovered that he could kick people off other 
>> computers, and has been doing so extensively.
> 
> Geez, what sort of people have you got working there?  Surely that sort 
> of behaviour demands some sort of official warning, it's not like you're 
> at school messing about.

Probably. But that's not my department. From *my* chair, the issue is 
that only certain individuals should even be able to do that in the 
first place.



From: scott
Subject: Re: A small security problem
Date: 10 Dec 2008 04:59:34
Message: <493f9306@news.povray.org>
>> Geez, what sort of people have you got working there?  Surely that sort 
>> of behaviour demands some sort of official warning, it's not like you're 
>> at school messing about.
>
> Probably. But that's not my department. From *my* chair, the issue is that 
> only certain individuals should even be able to do that in the first 
> place.

Oh right, good luck, next you'll have to stop him from pressing the reset 
button, then from turning the machine off at the mains, then from unplugging 
the network cable etc.  It quickly becomes impossible to stop someone who is 
set on causing disruption, far better to give them an "incentive" not to do 
it - like "oi stop this behaviour or you'll be sacked" :-).



From: Invisible
Subject: Re: A small security problem
Date: 10 Dec 2008 05:08:58
Message: <493f953a$1@news.povray.org>
scott wrote:
>>> Geez, what sort of people have you got working there?  Surely that 
>>> sort of behaviour demands some sort of official warning, it's not 
>>> like you're at school messing about.
>>
>> Probably. But that's not my department. From *my* chair, the issue is 
>> that only certain individuals should even be able to do that in the 
>> first place.
> 
> Oh right, good luck, next you'll have to stop him from pressing the 
> reset button, then from turning the machine off at the mains, then from 
> unplugging the network cable etc.  It quickly becomes impossible to stop 
> someone who is set on causing disruption, far better to give them an 
> "incentive" not to do it - like "oi stop this behaviour or you'll be 
> sacked" :-).

Well, AFAIK, the guy isn't *trying* to cause problems, he's just a bit 
overkeen. He probably doesn't realise that logging somebody off actually 
terminates any programs they might have running (e.g., the control 
software for the robotics that inject the samples into the system). 
Turning the PC off at the mains, however, is "obviously" a Bad Thing.

More importantly, it's a Bad Thing that I obviously have no power to 
prevent - so if it happens, it won't be my problem! :-D



From: scott
Subject: Re: A small security problem
Date: 10 Dec 2008 05:12:28
Message: <493f960c$1@news.povray.org>
> overkeen. He probably doesn't realise that logging somebody off actually 
> terminates any programs they might have running (e.g., the control 
> software for the robotics that inject the samples into the system).

Can't you just tell him that then, instead of having to spend time locking 
down your system.  Maybe there is a situation one day where someone 
genuinely needs to log off another user and you're not available?



From: Invisible
Subject: Re: A small security problem
Date: 10 Dec 2008 05:14:46
Message: <493f9696$1@news.povray.org>
scott wrote:
>> overkeen. He probably doesn't realise that logging somebody off 
>> actually terminates any programs they might have running (e.g., the 
>> control software for the robotics that inject the samples into the 
>> system).
> 
> Can't you just tell him that then, instead of having to spend time 
> locking down your system.  Maybe there is a situation one day where 
> someone genuinely needs to log off another user and you're not available?

...which is why a small set of other people are "supposed" to have this 
power in addition to me.

But the set of people needing to restart services is far larger than the 
set of people who should have log-off powers.




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.