dyonysus

hi all,
i have just a question for you:
is it possible to have or/and to create an account on windows OS and don't
allow to anyone to login with this account, except the administrator user?
thank you in advance

Dyonysus

john bean

The administrator creates the account and doesn't tell
anyone else the password...

Have I missed something in your question?

--
John Bean

dyonysus

sure, if i would know that around wouldn't be hackers and programs like Jena
and Cain.....
the problem is:
i need such accounts, different from Administrator, because of some
applications.
But at the same time i wouldn't anyone can log in with this accounts on
local or from Active directory on my server...
i hope it's a little more clear this time...

Thanx

Dyonysus


"John Bean" <waterfoot@gmail.com> ha scritto nel messaggio
news:l854g39dio4db5kp450h33ma1ned90m0cr@4ax.com...

john bean

I'm afraid it's still clear as mud. If they don't have a
password for the account or have admin rights on the PC in
question how can they log in?
--
John Bean

dyonysus

they who?
hackers don't need to know password, they brute force the passwords....so to
prevent it you should monitor all the accounts on every server ...and you
know..it costs money!
i would keep under control only administrator account...


Dyonysus


"John Bean" <waterfoot@gmail.com> ha scritto nel messaggio
news:fjp4g3l4a87o7ltgpcdcmrnvdrr7f4pns4@4ax.com...

john bean

If you're administering lots of servers and have to ask a
question like this you're well out of your depth.

Best of luck.

--
John Bean

dyonysus

....
well...i thought that someone better than me could help me in this
depth...but as i see i still didn't find this one....

thanx the same

"John Bean" <waterfoot@gmail.com> ha scritto nel messaggio
news:nrq4g31d52894b4oap7afk2acf31gdmj0p@4ax.com...

philip herlihy

It would help if you told us what resources these accounts needed to
have access to, and why they need to be separate accounts.

Phil, London

dyonysus

are you preparing a penetration test?
=)))
well...i have a software that makes orchestration and throught it we should
log in on the machine.
for security i would allow to log in by it only with administrator user...
but i must have also other users, for applications needs....but at the same
time i don't want that someone could log in in local with those users:
people must log in throught the orchestration software....

thanx

Dyonysus

"Philip Herlihy" <thiswillbounceback@you.com> ha scritto nel messaggio
news:fdtrc5$82s$1$8302bc10@news.demon.co.uk...

philip herlihy

You can control the privileges of individual accounts or groups using
Local Security Policy, which is in Control Panel under Administrative
Tools (XP), or Start, Run "secpol.msc". If you're working with a domain
(Active Directory) look also at the Group Policy Editor (gpedit.msc).

Have a look at the "Deny Logon Locally" option. To find this setting,
open Local Security Policy, Security Settings, Local Policies, User
Rights Assignment. See:
http://technet.microsoft.com/en-us/library/bb457125.aspx
Be careful, or you can lock yourself (or even everyone) out of the machine!

More generally...

I'm not very clear about what you are trying to do (what do you mean by
orchestration?). If you are building an application which manages
access to Windows (so that users log on through your application and
cannot do anything else) you have a lot of security problems as
experienced Windows users will find ways to get around it.

Otherwise, I assume users will log onto Windows first and then run your
application. In that case it will be simpler to assign user accounts to
groups, and then manage access to your application by setting file
permissions for those groups. Within your application code you could
also test to see if the current user is a member of a particular group.

So, I would look into setting file permissions for users by groups
first, and then investigate Local Security Policy and Group Policy if
you need further controls.


Phil, London