Mac the Knife
9th May 2004, 08:50
OK, so how many of you routinely run XP as a user with Administrator/root privileges?
All of you, right?
And you sorta know it's dangerous but you do it anyway, right? Even XP Pro is quite vague about privileges unless you really start to drill down and, particularly using the Simple File Sharing model, essentially makes you run either as a User (who can't do many of the routine things we all need to do) or as an Administrator (who can do too much).
Shamed my my Linux boxen, where I, like any *nix user, only run as /root or su to do essential rooty things, I though I'd better change things.
Okay, log on as Administrator (you can remember the password that you gabe when you created the Administrator account, can't you?) and change the name of the Administrator account to something less confusing (Administrator as one of the Administrator group ?!?!?) - I used root in deference to *nix, but you could also use a name less obvious to hackers. I gave my Administrator/root a nice red desktop background with a skull and crossbones.
Then I moved andrew from the Administrator group into the Power Users group and added a few privileges to the default, like changing network settings.
If there is only ONE member of the Administrators group (root in my case) then that member comes up on the login prompt, so it's easy to fast-switch users.
Sure, it's a bit inconvenient to have to login/switch to Administrator/root to do certain things but I feel a lot more secure. XP doesn't really have an su command, but Run as... works well for many things.
And I've changed from Simple File Sharing to Advanced Permissions
Okay, I don't really need it on my home network but I like the feeling of tighter control that it gives me and it's good practice for me as I mug up for my *nix certification and work on mixed networks. [NB: M$ have made the Services for Unix 3.5 available for download at http://www.microsoft.com/windows/sfu/downloads/default.asp if you're interested in using NFS (not that I've had much success with NFS shares mind you, SAMBA on *nix seems a lot easier!)]
Advanced Permissions is pretty complicated and it's possible to get all sorts of unexpected denials if you forget about inheritance. And "Deny" is best avoided unless you really know what you're doing (which I don't, but I'm learning...)
ToggleSharingOptions.vbs as a useful little prog. (Yes I know I'ts dangerous to have VB scripting turned on)
---------------------------------------------------------------
Option Explicit
Dim strOldForceGuestValue, WshShell
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
strOldForceGuestValue = WshShell.RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forc eguest")
If strOldForceGuestValue = "1" Then
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forc eguest", 0, "REG_DWORD"
WScript.Echo "Full permissions are now available"
Else
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forc eguest", 1, "REG_DWORD"
WScript.Echo "Simple sharing is now on"
End If
-------------------------------------------------------------------
Jeez, I'm a sad b@astard but it is getting into winter here now....
All of you, right?
And you sorta know it's dangerous but you do it anyway, right? Even XP Pro is quite vague about privileges unless you really start to drill down and, particularly using the Simple File Sharing model, essentially makes you run either as a User (who can't do many of the routine things we all need to do) or as an Administrator (who can do too much).
Shamed my my Linux boxen, where I, like any *nix user, only run as /root or su to do essential rooty things, I though I'd better change things.
Okay, log on as Administrator (you can remember the password that you gabe when you created the Administrator account, can't you?) and change the name of the Administrator account to something less confusing (Administrator as one of the Administrator group ?!?!?) - I used root in deference to *nix, but you could also use a name less obvious to hackers. I gave my Administrator/root a nice red desktop background with a skull and crossbones.
Then I moved andrew from the Administrator group into the Power Users group and added a few privileges to the default, like changing network settings.
If there is only ONE member of the Administrators group (root in my case) then that member comes up on the login prompt, so it's easy to fast-switch users.
Sure, it's a bit inconvenient to have to login/switch to Administrator/root to do certain things but I feel a lot more secure. XP doesn't really have an su command, but Run as... works well for many things.
And I've changed from Simple File Sharing to Advanced Permissions
Okay, I don't really need it on my home network but I like the feeling of tighter control that it gives me and it's good practice for me as I mug up for my *nix certification and work on mixed networks. [NB: M$ have made the Services for Unix 3.5 available for download at http://www.microsoft.com/windows/sfu/downloads/default.asp if you're interested in using NFS (not that I've had much success with NFS shares mind you, SAMBA on *nix seems a lot easier!)]
Advanced Permissions is pretty complicated and it's possible to get all sorts of unexpected denials if you forget about inheritance. And "Deny" is best avoided unless you really know what you're doing (which I don't, but I'm learning...)
ToggleSharingOptions.vbs as a useful little prog. (Yes I know I'ts dangerous to have VB scripting turned on)
---------------------------------------------------------------
Option Explicit
Dim strOldForceGuestValue, WshShell
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
strOldForceGuestValue = WshShell.RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forc eguest")
If strOldForceGuestValue = "1" Then
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forc eguest", 0, "REG_DWORD"
WScript.Echo "Full permissions are now available"
Else
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forc eguest", 1, "REG_DWORD"
WScript.Echo "Simple sharing is now on"
End If
-------------------------------------------------------------------
Jeez, I'm a sad b@astard but it is getting into winter here now....