Address:

Website:

Email:     

Malmgren, Kandestobergade 10
DK-4200 Slagelse

www.TryWare.dk

Sales@TryWare.dk

Press Release

January 2003

Internal security-hole in Windows 2000/XP

Local administrator – Total power of documents on Your colleagues hard disk

Does Your Company have the security hole ?

Did You know, that You  - probably -  from Your own computer can open Your colleagues computer with Explorer, and that Your colleague can’t see, that it’s happening?

And that You  - if it works -  gains total power of any documents/files on Your colleagues hard disc ?

If You should (and can) install programs on Your own computer, when You are logged on Your Company’s network, then Your Company has opened for this internal security-hole in Windows 2000/XP, if it’s done with GlobalDomainGroups as member of the LocalAdministratorsGroup.

If it does, the security-hole can be more or less expanded on Your network. It depends of how Your IT-Administrator installed Windows 2000/XP on Your, and on the other computers in Your company.

There is no hot fix from Microsoft to solve this internal security-hole. And it will not come in the future. The cause is, that this isn’t a failure in Windows 2000/XP, but an un-lucky behavior of the use of the Local Admin Group on the hard disc.

If Your IT-Administrator knows this internal security-hole, he/she could until now, only choose to give You the right to install programs, or remove this right from You.

How to find out if Your Company has got the security hole

Either download W2kTotalPowerWhere.exe from Our Website www.TryWare.Dk
Choose English version / Download / W2kLocalGroupPolicy / Download

Or try Yourself right now:

1.      Left-click Start / Run …

2.      Input \\ComputerName\C$ and press ENTER

As ComputerName You should input the ComputerName of one of Your colleagues computer.

Dependent of how Your IT-Administrator did install Windows 2000/XP, You will now automatically get an open Explorer to Your colleagues hard disc. But please don’t do any disaster. Contact Your IT-Administrator to fix the problem. Otherwise Your colleagues can also access Your hard disc.

You don’t have to disturb Your colleague to find out the computer names in Your company. Just do the following on Your own pc:

1.      Left-click Start / Run …

2.      Input CMD and press ENTER

3.      Input NET VIEW

4.      Press ENTER

If there’s a lot of computers on Your network, the will roll away in the black window. If so, You can find the computer names this way:

1.      Left-click Start / Settings / Control Panel

2.      Left-click Administrative Tools

3.      Left-click Computer Management
Here is a lot of other interesting information’s about Your own computer.

4.      Left-click on the menu Action, and choose Connect to another computer …

5.      In Look in: Choose the DomainName You use, when You login to your own computer (after CTRL-ALT-DEL).
If there is more than 1 DomainName to choose among, and you don’t know, what Your own DomainName is, then look the next time You do Your login (CTRL-ALT-DEL). When You left-click on the button Options >>, Your DomainName are shown at Log on to:

6.      When You have choosed the DomainName, You can see all the ComputerNames.

Important: This is not a hacker’s manual to get un-authorized access to Your and Your colleague’s computer. It’s simply a part of how Microsoft has designed the Windows 2000/XP operating system. More information at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp

How to solve the problem, if You are IT-Administrator

TryWareDk has a program assuring You, that Your users automatically are made a member of the Local Admin Group on their own computer, with out gaining admin power on their colleague’s computers.

The program gives You many different possibilities to control, who automatically is made a member of the Local Admin Group, and who automatically is removed from the Local Admin Group. There are a number of reports about how the program secured Your installation.

When You input Your ConfigurationRules in the program, it only takes 1 simple line in all users loginscript to secure, that Your ConfigurationRules is carried out in the Local Admin Group on all computers, where the loginscript runs.

You can try the program free on 9 computers in 90 days. After the 90 days, the program is very cheap to buy:
1 US$ for each client-computer.

For more details visit our Website: www.TryWare.dk
Choose English version / Download / W2kLocalGroupPolicy

Enhanced technical explanation about the security-hole:

More and more programs are upgrading themselves while Your users are logged in, just think about the internet. You have maybe therefore decided, that Your users must be able to install programs on their Windows 2000/XP client-computer running on Your network, like they used to be able to do with Windows 95/98.

Installing programs on a Windows 95/98 client computer is no problem. Any of Your users could do that, because there are no restrictions in the operating system.

Installing programs on a Windows 2000/XP client computer is another matter. Because there are many different restrictions in the operation system, because of the Local Groups on the hard disk.

The important group is the LocalAdministratorsGroup. Members of this group can install programs, because the operating system automatically grants this group rights to save files in the C:\WINNT\SYSTEM32-folder and to change important parts of the registry.

By default only the LocalAdministrator user is granted membership of the LocalAdministratorsGroup.

So when installing Windows 2000/XP on a computer, You have to decide who can be members of the LocalAdministratorsGroup. There are different possibilities, ranging from adding GlobalDomainGroups to the LocalAdministratorsGroup or to release the LocalAdministrator’s password, when Your users must install programs.

Any of these solutions makes the security hole work!

If You have many client computers it is a hard work for You if You want to stop the security hole.

The only way until now, is to remove everybody but the LocalAdministrator and GlobalDomainAdminsGroup, and only add the one and only DomainUser who uses the computer.

Do You have computer used by more than one user? Do You have users using other than their own computer?

If You have given this problem deep reflection, maybe You have prepared some GlobalDomainGroups with the same names ready on every computer, being member of the LocalAdministratorsGroup on every computers hard disc.

And then if it’s necessary, You can temporarily add the DomainUser to this GlobalDomainGroup, and the user can install programs until You remove the DomainUser again after maybe 2 days?

This solution also makes the security hole work!

While the user (for 2 days) is a member of this GlobalDomainGroup, the DomainUser at once gains total admin power on every computer on Your network, simply by typing \\ComputerName\C$ in Explorer. Certainly when You remove the DomainUser from one of these GlobalDomainGroups again, the DomainUser will not have total admin power on the other computers anymore.

BUT while the DomainUser is a member of this GlobalDomainGroup, he/she can make a new local user on every computer on the network, and grant this local user membership of the Local Admin Group on every computer.

And the DomainUser can do it from his/hers own computer without anyone seeing anything about it.

So - if You have such a DomainUser, he/she will retain the total admin power every computer on Your network, even after You have removed the DomainUser from one of the above mentioned GlobalDomainGroups

Another problem is releasing the password for the LocalAdministrator. You have probably set the same password for the LocalAdministrator to the same on all Your computers. Otherwise You can’t support/rescue these computers, if You don’t know the password.

But releasing the password to an DomainUser, when Your user must install programs, or having a DomainUser guessing/hacking the password, he/she will gain TOTAL control over all of the other Windows 2000/XP computers, from his/hers own computer, even if no other that the LocalAdministrator is a member of the LocalAdministratorsGroup!

Because of this security-hole, all Your LocalAdministrator’s passwords should be different. This shouldn't give You any problems, if You remember to add the GlobalDomainAdminsGroup as a member of the LocalAdministratorsGroup on each computer.

So there is a lot of work running from computer to computer if You want to stop this security hole.

If You want to do all this from Your own Windows 2000/XP computer, You should consider trying Our program free on 9 computers for 90 days.

Especially because it’s not only with Explorer, that You can open the colleagues hard disc, but being a member of the LocalAdministratorsGroup on all the computers, You can also:

Please don’t manipulate Your colleagues registry-settings:

1.      Left-click Start / Run …

2.      Input REGEDIT and press ENTER

3.      Choose the menu Registry / Connect Network Registry …

4.      Input one of Your colleagues ComputerName, or choose Browse … / My Network Places / Entire Network / Microsoft Windows Network / DomainName / ComputerName

Please don’t manipulate Your colleagues Computers Device Manager:

1.      Left-click Start / Settings / Control Panel

2.      Left-click Administrative Tools

3.      Left-click Computer Management
Here is a lot of other interesting information’s about Your own computer.

4.      Left-click on the menu Action, and choose Connect to another computer …

5.      In Look in: Choose the DomainName You use, when You login to your own computer (after CTRL-ALT-DEL).
If there is more than 1 DomainName to choose among, and you don’t know, what Your own DomainName is, then look the next time You do Your login (CTRL-ALT-DEL). When You left-click on the button Options >>, Your DomainName are shown at Log on to:

6.      In Name: Input Your colleague’s ComputerName and press ENTER

7.      Choose System Tools / Device Manager

Please don’t add or remove LocalUsers on Your colleagues Computer:

1.      Start Computer Management on Your colleague’s computer as described above.

2.      Choose System Tools / Local Users and Groups

Please don’t manipulate Your colleagues Computers hard disc:

1.      Start Computer Management on Your colleague’s computer as described above.

2.      Choose Storage / Disk Management

Please don’t start or stop services on Your colleagues Computer:

1.      Start Computer Management on Your colleague’s computer as described above.

2.      Choose Services and Applications / Services

Important: This is not a hacker’s manual to get un-authorized access to Your and Your colleague’s computer. It’s simply a part of how Microsoft has designed the Windows 2000/XP operating system. More information at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/howto/2prohow.asp