Permissions in Guest Account ( Windows XP)

[dkace]

I have this problem:
Normally Guest account doesn't have permissions to install any program, change its logo icon, change each password etc.
Is there a way to give these permissions?
I would appreciate your help on this matter,
D.

 

[KB]

I think you need to rethink want you are trying to do. The purpose of the guest account is for people aren't supposed to make changes. Otherwise they would be given a login. Why not just create an account and have the machine auto-login with that account?

But what you are asking should be possible. You could either remove the guest account from the guest group and add it to the local administrators, or you could give full ntfs permissions to the guest account to the root of C:\ and subfolders and full permissions to the registry. I haven't tried this and I don't think you should do it, but it should work.

 

[dkace]

Thanks KB, that solves my problems - short off.
I will be more specific: I am administrating a small office network. That isn't my real job in there, but I was kind of auto assigned to this task since there was no support.
There is a guy that messing with the computers all the time and I wanted to restrain him by making a guest account.
Today I found out the following:
1. Guest account could actually install programms
2. Guest account could see hidden folders of the administrator account
3. Guest account could change its icon
4. Guest account could still not burn a CD or have other prvilages as administrators do.
5. Guest acount could run the REGEDIT command and mess with the registry
I checked that the account was in Guests group and that there were no previlages given further than topic access.
Dince this is not my job, I need a help in order to restrain this guy before reporting him ...It is the only way to save his job and leave me alone !!!
So Please any advise is welcomed,
Thanks
D.

 

[Slikkster]

Why don't you tell him you know what he's been doing, and to knock it off, first of all. That ought to scare him, if he's not totally stupid.

Secondly, anyone with physical access to the machine can easily use a linux-based CD to reset the administrator password and gain full admin rights. So, if he has physical access to the box, you have an issue there. You'd have to set a bios-level admin password on the machine itself, and set it NOT to boot from CD to prevent that. That way, he would actually need to clear the bios itself to get around that, but even that isn't foolproof.

I would warn him outright that you're on to his poking around and that it's job-threatening.

 

[RebateMonger]

It sounds like the owner should consider outsourcing the IT management to someone with experience in managing networks and security. That'll allow you to spend time on the job you were originally hired to do, and will spare your company from disaster. For a few hours a month labor, a professional can keep your systems safe, patched, and ensure that appropriate offsite backups are being done.

 

[mechBgon]

Keep in mind that the Guest account could be a member of the Guests group and also other groups. It does sound like you need to

1) fire that guy

2) get your employer to get a specialist in there who's not going to have to grope for the solutions on the IntarWeb (no offense )

3) ???

4) Profit!

 

[dkace]

Ok, guys,
thanks for the tips, although most of them where focused in the stupidity of the guy not the problem itself.
I think that the correct answer was that " nothing is foolproof"!!!
I have my ways to deal with this kind of people, but I was wondering if there is something more I can do to encrease security in this particular PC.
Of course I have scared him, as a matter of fact, I have done this a lot, but as said before foolproof systems doesn't exist.
Thanks, anyway
D.

 

[Slikkster]

With all due respect, I would disagree with your analysis of "the problem". It's pretty apparent that it's not the limitations of pc security. It's the limitations (or lack) of enforcement and punishment. But, that's your call. You say you've scared him "a lot". I'd tend to think that if he was truly scared, it wouldn't be a repeating issue. At my company, it would be a simple matter of "this is why we're letting you go", as they have security escorting you out the door. Good luck.

 

[dkace]

Slikkster,
I understand your mendality on the subject, but there are more issues that are not to be discussed here, concerning the managment of an SME, the relations between the personnel and finally and most important who is calling the shots.
I don't believe in firing even the most incopetent person, because I am on the side of the boat that says that people can change given the appropriate opportunities and guidance.
As I said, it is not a matter we can discuss now.
What I am asking, is a way to make sure that several "security" holes are filled and there is no way to remove them without exposing him self. The rest I can deal with.

So, to summurize, I have done the following ( let's use it as a list of things to do for securing a PC)

1. Password protected accounts for:
a. Administrator ( F8--> safe mode)
b. Company user ( Administrator group)
c. BIOS Password
2. Hidden: System Files, Program Files, other files that we don't want Guest account to have access to.
3. Change boot up sequence; No boot up from CD-ROM, Floppy, other booting Device.
4. Disable USB controlers and ports ( PC doesn't need them in Guest mode)

If there is something more you can contribute, please do by numbering it up. Maybe something good can come out of it..

Thanks,

D.

 

[Slikkster]

First of all, please rethink using the "Guest" account. The Guest account should be disabled.

Instead, create account or accounts for each authorized user on the standalone pc. Make sure they are NOT administrator accounts, but rather "limited" accounts.

Then, get to know the Local Group Policy Editor. This will allow you to allow/deny many, many options for that user on a given pc.

Read the following site, and follow each page by clicking "Next" when done with a given page to see the next part of the tutorial.

http://www.theeldergeek.com/group_policy_for_windows_xp_prof.htm

Also, make sure you have NTFS vs. Fat32 on this pc.

I would suggest a locking case that can't be opened by a spying user.