Prevent your colleagues from gaining total control of your PC from their own PC

by TryWareDk
Does your colleague have total control of your PC from his own Windows 2000 PC?

Yes, if you can install programs or run the defragmenter (dfrg.msc) on your own computer.

And you don't see anything while your colleague, from his own computer, can read, delete, modify and create files and documents, and do anything else, across your whole hard disk in his own Explorer.

Why is it so?

If your company uses Windows 2000 on an NT network, and your IT system administrator has given you permission to install programs on your own hard disk, then any of your colleagues can do what they like with your hard disk. It happens from their own computer, and you don't see anything while it happens.

And you can do anything you like with your colleagues' hard disks.

Do you believe it?
Is it a security hole in Windows?
Is a hotfix coming from Microsoft?
Can your IT system administrator fix this with policy?
Can your IT system administrator fix this by putting a domain user in global domain groups for 2 hours while they install programs?


The answer to these questions is NO!

WHAT TO DO if you're not an IT system administrator:
1. Choose Start / Run
2. Enter \\ComputerName\C$ and press ENTER
3. As ComputerName, use the computer name of one of your colleagues
4. Exit Explorer (without doing anything), and contact your IT system administrator.

WHAT TO DO if you don't know your colleagues' computer names:
Choose Start / Run
Enter CMD and press ENTER
Enter NET VIEW and press ENTER
Enter EXIT and press ENTER

Please don't destroy anything on your colleagues' hard disks; it could happen to you. Please contact your IT system administrator and ask him to solve this problem.

WHAT TO DO if you are the IT system administrator (2 choices):

1. Remove everyone other than the local Administrator and Domain Admins from the Local Admin Group, and set a different local Administrator password on each computer on your network. Make sure to lock your list of these passwords in your safe, so that it is still possible to log on to a computer if the network fails on that computer.
Then add the domain user who uses the computer daily to its Local Admin Group, and make sure that he is not in the Local Admin Group of any other computer on your company's network.
If a colleague suddenly has to use the computer, make sure that you remove the first domain user and add the new domain user (who has to log on 2 times before it works), and remove the new domain user from the Local Admin Group on the other computer that he uses each day.

You must pay attention to all computers on your network. Remember to check all Local Admin Groups a couple of times each year.

With this annoying work on your part, your users can install programs and defrag their hard disks without being able to gain access to each other's hard disks.

2. Remove everyone other than the local Administrator and Domain Admins from the Local Admin Group, and set a different local Administrator password on each computer on your network. Make sure to lock your list of these passwords in your safe, so that it is still possible to log on to a computer if the network fails on that computer.
Make sure to remove all domain groups from all Local Admin Groups (but not the Domain Admins group), if you had any that you used to grant rights to domain users for some hours while they install programs.

With this annoying work on your part, your users cannot install programs and cannot defrag their hard disks, and they cannot gain access to each other's hard disks.

You must install, on each computer on your network, all the programs that your users need installed from time to time. And you must defrag all the computers on your network when it's necessary.
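
The periodic check of the Local Admin Groups from option 1, as an added example that is not part of the original FAQ: it parses `net localgroup Administrators` output saved from each computer and reports a domain group in the group, more than one domain user on a computer, and a user who is local admin on several computers. The sample output and all computer, domain, user and group names are constructed.

```python
from collections import defaultdict

# Constructed sample: `net localgroup Administrators` output saved per computer.
# Computer, domain, user and group names are hypothetical.
HEAD = ("Alias name     Administrators\n"
        "Comment        Administrators have complete access\n\nMembers\n\n" + "-" * 79 + "\n")
FOOT = "The command completed successfully.\n"
SAMPLES = {
    "PC01": HEAD + "Administrator\nCORP\\Domain Admins\nCORP\\anna\n" + FOOT,
    "PC02": HEAD + "Administrator\nCORP\\Domain Admins\nCORP\\Domain Users\n" + FOOT,
    "PC03": HEAD + "Administrator\nCORP\\Domain Admins\nCORP\\anna\nCORP\\bo\n" + FOOT,
}
# Assumption: the output does not say whether a member is a user or a group,
# so the domain groups to flag are listed here by name.
DOMAIN_GROUPS = {"domain users", "install-temp"}

def members(output):
    """Return the names listed between the dashed rule and the status line."""
    names, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            names.append(line)
    return names

def audit(samples):
    """Return sorted (computer, finding) pairs that break option 1."""
    findings, seen = [], defaultdict(list)
    for pc, output in sorted(samples.items()):
        users = []
        for m in members(output):
            name = m.lower()
            if name == "administrator" or name.endswith("\\domain admins"):
                continue  # the two members that both options keep
            if name.split("\\")[-1] in DOMAIN_GROUPS:
                findings.append((pc, f"domain group {m} is a local admin"))
            else:
                users.append(name)
                seen[name].append(pc)
        if len(users) > 1:
            findings.append((pc, f"{len(users)} domain users are local admins"))
    for user, pcs in seen.items():
        if len(pcs) > 1:
            findings += [(pc, f"{user} is local admin on {len(pcs)} computers") for pc in pcs]
    return sorted(findings)
```

For option 2, any finding at all is a violation, since no domain user should remain in the group.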

All this is a problem because Microsoft created the Windows 2000 operating system this way. Read more about one of the reasons at http://support.microsoft.com/?kbid=182734

If you choose to follow Microsoft's recommendations, it is the same as choosing my second option above.

Many Regards

Jorgen Malmgren
IT-supervisor
Denmark