Results 1 to 3 of 3

Thread: Issues with "Admin"and "Limited" Rights Users?

  1. #1
    just_randy Guest

    Default Issues with "Admin"and "Limited" Rights Users?

    Was just getting ready to install ZoneAlarm v6.1 (Freeware) and was wondering how well it handled both "Admin"and "Limited" Rights Users?
    I know install and configuration changes will be made under the admin user, but will accept/deny alert responses be accepted and saved if made by a limited user account?
    Any other issues/tips for a newbie ZA user? Any good user's guides?

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm (Free)
    Software Version:4.x

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Issues with "Admin"and "Limited" Rights Users?

    Hi Just-Randy
    Have no idea about Admin/User question. Two nice sites to look up:


    http://www.donhoover.net/

    and

    http://www.markusjansson.net/eza.html


    Take care,
    Oldsod
    Best regards.
    oldsod

  3. #3

    Default Re: Issues with "Admin"and "Limited" Rights Users?

    As I understand it Zonealarm firewall control panel will be visible to anyone who logs into the operating system. In Zonealarm Pro If you want to limit who may alter security settings in the firewall you can set up a password . Open the control panel for the firewall and go to the Overview>Preferences tab and create a password. Any changes to the firewall or responses to security alerts will require entering the password to be accepted. However this function is not available in Zonealarm free.I think that administrators can set up the operating system to require an installation password so that only the administrator can have access to all functions in Zonealarm. But that would be done in the operating system environment not the firewall. Here is windowxp help topic on this matter..
    Privileges

    To ease the task of user account administration, you should assign privileges primarily to group accounts, rather than to individual user accounts. When you assign privileges to a group account, users are automatically assigned those privileges when they become a member of that group. This method of administering privileges is far easier than assigning individual privileges to each user account when the account is created.

    The following table lists and describes the privileges that can be granted to a user.PrivilegeDescriptionAct as part of the operating system

    Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege. Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. The calling process might also build an access token that does not provide a primary identity for tracking events in the audit log.

    Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

    Default setting: No oneAdd workstations to a domain

    Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of the Default Domain Controllers Policy for the domain. A user who has this privilege can add up to 10 workstations to the domain.

    Users can also be allowed to join a computer to a domain by giving them Create Computer Objects permission for an organizational unit or for the Computers container in Active Directory. Users who have the Create Computer Objects permission can add an unlimited number of computers to the domain, regardless of whether they have been assigned the Add workstations to a domain privilege.

    Default setting: No oneAdjust memory quotas for a processDetermines which accounts can use a process with Write Property access to another process to increase the processor quota assigned to the other process.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

    Default setting: AdministratorsBack up files and directories

    Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.

    Default setting: Administrators and Backup Operators.Bypass traverse checking

    Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.

    Default setting: Administrators, Backup Operators, Power Users, Users, and Everyone on member servers and workstations. On domain controllers, it is assigned to Administrators, Authenticated Users, and Everyone.Change the system time

    Allows the user to set the time for the internal clock of the computer.

    Default setting: Administrators, Power Users, LocalService, and NetworkService on member servers and workstations. On domain controllers, it is assigned to Administrators, Server Operators, LocalService, and NetworkService.Create a token object

    Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.

    It is recommended that processes requiring this privilege use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned

    Default setting: No oneCreate a pagefile

    Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System Properties.

    Default setting: AdministratorsCreate permanent shared objects

    Allows a process to create a directory object in the Windows
    XP Professional object manager. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.


    Default setting: No oneDebug programsAllows the user to attach a debugger to any process. This privilege provides powerful access to sensitive and critical operating system components.

    Default setting: AdministratorsEnable computer and user accounts to be trusted for delegationAllows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object. Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service. For this to be possible, both client and server must be running under accounts that are trusted for delegation. Misuse of this privilege or the Trusted for Delegation settings can make the network vulnerable to sophisticated attacks on the system that use Trojan horse programs, which impersonate incoming clients and use their credentials to gain access to network resources.

    Default setting: This privilege is not assigned to anyone on member servers and workstations, as it has no meaning in those contexts. On domain controllers, it is assigned by default to Administrators.Force shutdown from a remote systemAllows a user to shut down a computer from a remote location on the network. See also the Shut Down the System privilege.

    Default setting: Administrators on member servers and workstations. On domain controllers, it is assigned to Adminstrators and Server Operators.Generate security auditsAllows a process to generate entries in the security log. The security log is used to trace unauthorized system access. See also the privilege Manage auditing and security log.

    Default setting: LocalService and NetworkService.Increase scheduling priorityAllows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in Task Manager.

    Default setting: AdministratorsLoad and unload device driversAllows a user to install and uninstall Plug and Play device drivers. This privilege does not affect the ability to install drivers for devices that are not Plug and Play. Drivers for non-Plug and Play devices can be installed only by Administrators.

    Default setting: Administrators. It is recommended that you not assign this privilege to any other user. Device drivers run as trusted (or highly privileged) programs. A user who has the Load and Unload Device Drivers privilege could unintentionally misuse it by installing malicious code masquerading as a device driver. It is assumed that administrators will exercise greater care and install only drivers with verified digital signaturesLock pages in memoryAllows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance.

    Default setting: Not assigned to anyone. Certain system processes have the privilege inherently.Manage auditing and security logAllows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege also can view and clear the security log from Event Viewer.

    A user with this privilege can also view and clear the security log from the Event Viewer.

    Default setting: AdministratorsModify firmware environment valuesAllows modification of system environment variables either by a process through an API or by a user through System Properties.

    Default setting: AdministratorsProfile a single processAllows a user to run Windows
    XP Professional performance-monitoring tools to monitor the performance of nonsystem processes.


    Default setting: Administrators and Power Users on member servers and workstations. On domain controllers, it is assigned only to AdministratorsProfile system performanceAllows a user to run performance-monitoring tools to monitor the performance of system processes.

    Default setting: AdministratorsRemove computer from docking stationAllows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.

    Default setting: Administrators, Power Users, and Users.Relace a process level tokenDetermines which user accounts can initiate a process to replace the default token associated with a started subprocess.

    This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.

    Default setting: Local Service and Network Service.Restore files and directoriesAllows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. See also the Back up files and directories privilege.

    Default setting: Administrators and Backup Operators.Shut down the systemAllows a user to shut down the local computer.

    Default setting: Administrators, Backup Operators, Power Users, and Users on workstations. On member servers, it is assigned to Administrators, Power Users, and Backup Operators. On domain controllers, it is assigned to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.Synchronize directory service dataAllows a process to provide directory synchronization services. This privilege is relevant only on domain controllers.

    Default setting: No oneTake ownership of files or other objectsAllows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.

    Default setting: Administrators

    Some privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right, in this case, the right to perform a backup, takes precedence over all file and directory permissions.

    Related Topics







    Message Edited by ledoc on 05-27-200606:16 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •