Rank: Unregistered

Hello,
I have been working with the system administrator at my school to help prevent the security loopholes in the systems.
they are running XP Professional.

Using mmc i have had the cmd, mmc and many other system utillities disabled for the restricted users group policy. unfortunatly after i did this i tried to get passed the restrictions on a restricted account and found that any of the utilities can be used by just creating a copy of the aplication and then renaming it. for example if a user tried to use the cmd. an alert would say "this aplication has been disabled by the administrator" but if i copy the cmd paste it and rename it "cmdcopy" the application would run; so far i dont think any of the students have found this loophole but, the windows savvy may come across this in the future.if u have a way to patch it please respond.

Rank: ? (1533)
Member #: 15283

 A.Coward writes...

they have my deepest sympathies. true.

Why waste time trying to fix something which was broken to begin with?

Why buy a versatile and easy to use tool and then try to make it less versatile and harder to use/abuse?
Only the "windoze savvy" will know the "work-around" as you say. The others won't.
So why not just monitor terminal usage and "flag" anyone "being naughty"? Watch the screens.
Do a bit of work instead of trying to rely
on some programmed process.

This will assist you to encourage these "savvy users"
to go furthur with their cumpooter literacy
and perhaps even start to do a little programming.
Their knowlege "unrestricts" their use of the system.
Why penalise them for being intelligent?
Rather than dumb and sheep-like?
Are you an American by any chance?

They should be encouraged and guided firmly in this search for solutions to problems and restrictions.
Good security begins at the bottom level, not the top level, -IMHO. Applaud them.
The students are the Clients of the school you know, -not the Enemy.
Monitor their usage of the XP system.
The Government does.

For every pat$h there is a hac}{.
ie: -every time someone builds a taller house,
someone else builds a taller ladder.

If you're even remotely serious about security, -then do NOT use Windo$e. Use Linux instead.
Otherwise relax and smile a little.
(Ever notice how fast computers run with Windoze? Neither do I.)
_B_

Rank: ? (4821)
Member #: 3416

have you considered removing read access to those files for the restricted users group, and then also removing write access for the entire hard disk? i suppose then they could still bring the program in on disk and run it...

i would consider this a loophole in your security policy rather than a loophole in windows xp professional itself.


this is a VERY good point. maybe instead of trying to lock everything down, you should keep a good disk image around and make sure you have an easy way to restore a computer that a student has accidentally (or purposely, i suppose) trashed. the command prompt is an incredibly useful tool--how are they to learn about it if you block access to it?

Rank: ? (1533)
Member #: 15283

 misterhaan writes...

Agreed. The M$ browser is a MUCH bigger loophole.

 misterhaan writes...

The entire purpose of ANY School is after all, -education.
(The promotion and nurture of Learning)
A little give and take cannot be a "bad" thing surely?
Yeah. That, and a comprehensive and efficient
monitored security protocol. _B_