Vendor support security

TheMSsForum.com: The Microsoft Software Forum

The MSS Forum ‹ Security
- Archive
  - Biz
  - MCSE
  - CRM
  - Drivers
  - Framework
  - ADO
  - ASP
  - Compact
  - Forms
  - Dotnet
  - C#
  - VB
  - FontpageGen
  - Excel
  - WorkSheet
  - Exchange
  - Setup
  - Fox
  - Fontpage
  - ASP
  - IIS
  - Entourage
  - Money
  - Messanger
  - PocketPC
  - Powerpoint
  - Project
  - Publisher
  - Excel
  - VB
  - Security
  - Portal
  - Services
  - SQLServerDev
  - SVCS
  - SQLServer
  - VB
  - VC
  - MFC
  - ExcelGen

- Previous
  - 1
    - Service Log On Account Problem Hello. My problem concerns Windows Services. I want some of my services work with permissions of domain user or domain admin (not Local System account). Everything works OK till reboot server. After this services don't start automatically due to incorect password reason. I have to type password manualy and start service manualy. This domain account are local admins of server and are added in Local Security Settings\User Rights Assignment\Logon as a service. What is the reason of my problem? Thanks in advance. Pawel Tag: Vendor support security Tag: 75894
  - 2
    - Bypass Traverse Checking not working I am having trouble getting Bypass Traverse checking working on my Windows 2003 EE server in a Windows 2003 domain. I have set Bypass Traverse Checking to Authenticated Users via Group Policy. However I have a service account that can not delete a file in the C:\Temp folder. The service account has Modify permissions to the C:\Temp folder and no permissions to C:\ Theoretically it should traverse C:\ and be able to find C:\Temp If I give the Service account the NTFS permission of "Travers Folder \ Execute File" the service account can then delete the file in the C:\Temp folder. I do not understand this as Bypass Travers Checking should give the same results. The following TechNet article states "Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in". http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/e4be109f-5547-4df8-90f0-4d885dc302e7.mspx Any idea on why Bypass Travers Checking does to appear to be applied? Tag: Vendor support security Tag: 75890
  - 3
    - should administrator lock pages in memory? Dear, all. Windows 2003 default setting, nobody could lock pages in memory. But in microsoft recommend in high security organization, should define administrator have this right. Could you tell me the reason? Thanks. Frank Tag: Vendor support security Tag: 75887
  - 4
    - I can't get into my other account...... My friend tried to many times to get into my other msn account. Corrupt_by_silence@hotmail.com, so now I can't get into it eather. And he tried to many times to answer my secret question, so I can't do that eather. So now I can't get in at all. Tag: Vendor support security Tag: 75883
  - 5
    - unable to login into WinXP HE Hi, I don't relly know if I'm posting in the right area but anyway...I was getting rid of viruses/sayware off my computer and MS GIANT found 3 viruses, a trojan, a mediaticket and a 180 solutions. I was akedto reboot my PC due because one of the viruses was running so I did. When I had rebooted I tryed to log into my useer but it immediately logged me out...I have tried safe mode and other users but all unsuccessful. Is there a way to open msconfig, command prompt (safe mode with prompt doesn't work) without logging into a user. Yours, Duggles Tag: Vendor support security Tag: 75878
  - 6
    - questionable emails received when I open an email that is full of hidden statements, is this something that should be turned over to MSN or high authorities? Did not want to just delete should something be questionable and might lead to something serious. THanks Tag: Vendor support security Tag: 75876
  - 7
    - Security Flaw: Any website can read your clipboard text Web sites you visit can retrieve data from your clipboard depending on your security settings. Go to this page (www.clipboard.googlemyway.com) and see if anything shows up in the box. If you are using Firefox or Opera you probably won't see anything. However, if you are using Internet Explorer then chances are that whatever you last copied into your clipboard will be displayed. Tag: Vendor support security Tag: 75871
  - 8
    - Diamond CS And Possible Name Change ??? Heck, I asked for a refund from Diamond over two months ago for their now defunct TDS program and thus far have heard nothing. I checked in on this board and their site about a month and a half ago and heard proclamations that an exciting new site with great new programs was "just around the corner" (where did I hear THAT expression before?!?!?), but alas, here we are 6 weeks later and it looks like all is status-quo. I could not find any new site, nor could I find any new products, nor did I ever find any information from Diamond CS regarding my (numerous) requests for a refund. Maybe they should change the name from Diamond CS to Diamond "BS"--- that seems to be what they specialize in! Tag: Vendor support security Tag: 75868
  - 9
    - Limit domain user logon to a unique workstation Hi there, I would like to know the procedure to restrict a domain user account(AD user) to logon to a single workstation (and no other PC, only that particular one) without creating a local user account on the machine. Is this feasible? Can someone help? Thanks in advance, Tag: Vendor support security Tag: 75867
  - 10
    - IE Flaw Puts Windows XP SP2 At Risk "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2." http://news.com.com/IE+flaw+puts+Windows+XP+SP2+at+risk/2100-1002_3-5868867.html?tag=nefd.top Imhotep Tag: Vendor support security Tag: 75863
  - 11
    - VPN and/or remote access Plug-Ins A number of companies are now using plug-ins to allow client desktop control for support/troubleshooting. QUESTIONS: 1) After the remote session is terminated, is there anyway to identify and locate the plugin installed by the support organization? 2) Is it possible to force the plugin to be installed into a specific directory/folder where the file system has permissions (NTFS assumed here since I don't believe FAT32 has folder permissions)? 3) If #2 is possible, will this contain the viewer from going outside (accessing or viewing) beyond the folder? 4) If not, is it possible for the client to contain the area where browsing can take place -- if so how? Thanks David Tag: Vendor support security Tag: 75860
  - 12
    - who could lock pages in memory Dear, all. Windows 2003 local security settings\user rights assignment\lock pages in memory, the default setting is: none is defined here. Could this mean nobody have right to lock pages in memory, or all body have this right? Thanks. Frank Tag: Vendor support security Tag: 75858
  - 13
    - CreateEvent fails with ERROR_INVALID_OWNER We're calling the Win32, CreateEvent, and it's failing with ERROR_INVALID_OWNER = "this security ID may not be assigned as the owner of this object". Here's the setup. We have a .NET class library (called .CAL) that calls into an unmanaged C-callable DLL (OMDAPI.DLL). The class library is hosted in a Web page. The Web page is running in IIS with anonymous access turned off. The web.config contains these entries: <authentication mode="Windows" /> <identity impersonate="true" userName="" password="" /> Therefore, we're trying to have the Web page impersonate the client browser's user. When OMDAPI.DLL connects to the ASPNET_WP process, during the DLL_PROCESS_ATTACH, it creates a static CSecurityDescriptor (from ATL). It calls InitializeFromThreadToken() on that CSecurityDescriptor. The DACL is null for this CSecurityDescriptor. The first user connects to the page, which calls into the class library which calls into the DLL. The DLL calls CreateEvent with a unique name and a SECURITY_ATTRIBUTES structure. The event name is generated from the username and some other data. Therefore, for each user, we're generating a different event name. The SECURITY_ATTRIBUTES structure is filled in with the CSecurityDesriptor (m_pSD) that was created during DLL_PROCESS_ATTACH. The first user's call to CreateEvent succeeds. I'm not 100% sure, but I believe this is the first time this security descriptor is actually used. The second user that logs in fails with ERROR_INVALID_OWNER. The second user is coming in from a different machine since we're using impersonation, it must be from a different user. It's been seen, sometimes on Windows Server 2003, that the second user gets in OK, but the third user fails. So basically, it fails after at most 3 users. The primary test platform has been Windows 2000. Now, OMDAPI.DLL has been around for a long time (6-7 years) and works fine in stand-alone, multi-threaded Windows applications. It has only started failing now that we're hosting this in a Web page. I've tried giving the ASPNET user account these privileges but they don't work: - administrator privileges - "act as part of the operating system" I haven't verified this, but it seems likely that each user is coming in on a different thread. The first user gets in and grabs ownership of that security descriptor. Then when the second user comes in on the second thread, it fails because it's already owned by the first thread/user. Does that sound reasonable? Some other things: - it's not in our class library because someone else wrote their own class library and called into OMDAPI.DLL and they get the same problem. - We're not trying to recreate the event name because it's different for each user. Any help as to why we're getting this ERROR_INVALID_OWNER would be greatly appreciated. Thanks in advance. Tag: Vendor support security Tag: 75852
  - 14
    - Error loading Roaming Profile - System detected a security comprom Getting this error when attempting to log in to a domain. Domain Controller is running Windows 2000 Server. ============ Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator. DETAIL - The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. ============ I am able to authenticate after logging in for functions such as internet browsing. Tried removing the computer from the domain and deleting the computer from AD, and reconnecting everything with no success. Tag: Vendor support security Tag: 75851
  - 15
    - Accoona Blockage of IE6 I have Windows 98 and IE6. Accoona has taken over my search engines and displays itself on all ads. I've tried removing it from the Add / Remove Software screen but it's not listed. I've searched Explorer to no avail. How do I get rid of this thing and how do I block it in the future? Help! Greg Tag: Vendor support security Tag: 75847
  - 16
    - child's account I have set up my childs account and want to do my other child, but you require a credit card to verify that I as the adult I ok the account. I do not have a credit card, becasue I do not want one. So how do I ok my childs account without one? Tag: Vendor support security Tag: 75846
  - 17
    - S/MIME signatures for internal email only? Hello all. I'm a newbie at setting up S/MIME on Exchange 2000. I am using an internal corporate Certification Authority that distribute= s = certificates for encryption and signing email. Is there a way to sign and/or encrypt only email that is internal only, = traveling within the organisation? Thank you for any suggestion on how this can be done. Dmitry. -- = Using Opera's revolutionary e-mail client: http://www.opera.com/mail/ Tag: Vendor support security Tag: 75840
  - 18
    - Passwords Hi. I have been given an Excel document from a friend, it works ok but it is protected. I want to change it because the text does not centre; it is all over the place, some it centres others it aligns left or right. Very messy and unprofessional. He cannot remember the protection. Does anyone know if I can bypass the protection so I would be able to change the way text is written in the document? Many thanks. Tag: Vendor support security Tag: 75835
  - 19
    - Training Hey folks, fist post. I have taken on the job duties at my company as the network security administrator. My company wants to send me to some training to help me get off on the right track. Can anyone suggest a good training session? Or in your opinion what is the best out there? I am not worried about certifications at this point just needing to get a week training session under my belt. I am moderately knowledgable on Network Security and thats about it.. Something entry level to mod. would be cool. Thank you for your time in advance! Tag: Vendor support security Tag: 75831
  - 20
    - Open File - Security Warning I have several Windows 2003 Server SP1 and Windows XP SP2 systems attempting to run the various programs from a network share. I have been able to modify the Internet Explorer security settings to allow the local Intranet sites but a Security Center error appears each time a user attempts to open the program: Open File - Security Warning The publisher could not be verified. Are you sure you want to run this software? This file does not have a digital signature that verifies its publisher. You should only run software from publishers your trust. How can I disable this error? I have already tried allowing full access to the Intranet via Intranet and Trusted Sites Security Zones and disabling CheckExeSignatures in the registry. This is occurring with almost every network-run application we have installed. Tag: Vendor support security Tag: 75830
  - 21
    - Changing Cert template in Win2k3 Enterprise PKI CA Greetings, I wasn't sure where to post this as there wasn't a PKI/MS-CA forum. But here goes: We deployed Enterprise CA on Windows 2000 and recently upgraded the domain to Windows 2003 Enterprise (schema, native mode, etc.) The User Certificates issued are still based on the v1 template "user". we want to change the certificate lifespan from 1 to 4 years. The same with computer certificates. Can I replace the v1 user template with a v2 template so that is editable? Can I edit the v1 template somehow? The v1 templates are mostly greyed out in CertTempl.msc Help. Mike -- --- Mike Ruiz Network and Enterprise Systems Engineer Hobart and William Smith Colleges Tag: Vendor support security Tag: 75827
  - 22
    - RPC Server Unavailable When Requesting Computer Certificate Hi, I'm trying to set up a machine for use with our VPN. We will be using L2TP & smartcards, so I need to request a computer certificate. Up till now I've been able to configure most computer when people are in the office, connected to the domain, using automatic certificate deployment via group policy. However we have 1 user who is not going to be in the office, but needs VPN access. So I've changed the VPN access to allow PPTP temporarily, and asked him to connect, then I've used remote assistance to terminal service into his machine. From there I've managed to use the web based enrollment to download the CA certificate, and tried to use the certificates MMC snap in to request a computer certificate. However I get the initial screen up, asking which certificate I'd like, common name etc, but when I press finish, the system hangs for about 10 seconds, then errors with "RPC Server is unavailable". At first I thought this might be a firewall issue, as he was running windows firewall, as well as Symantec firewall. So I disabled both, and also the firewall on his 3com router. However after trying again, with a number of reboots, it still errors. I can ping the CA, the domain, and other computers. Does anyone have any ideas as to how I can successfully request a computer certificate? Is there another way of doing it? I notice there is no computer certificate option in the web enrollment form, even though the template has been added to the CA. We're using ISA 2004 as the VPN server, and it's allowing all protocols through from VPN > internal, and Internal > VPN. The DC is windows 2003 server, and the client machine is Windows XP pro SP2. Many thanks Ben Tag: Vendor support security Tag: 75819
  - 23
    - Initial post on windowsxp.help_and_support This is a multi-part message in MIME format. --------------040301030109070307020802 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Didn't saw any answer yet. --------------040301030109070307020802 Content-Type: message/rfc822; name="win98se vs. winXPsp2 file sharing problems.eml" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="win98se vs. winXPsp2 file sharing problems.eml" Date: Fri, 16 Sep 2005 00:30:14 +0300 From: Paul Grecu <paul.grecu@dacris.net> Organization: DACRIS User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 Subject: win98se vs. winXPsp2 file sharing problems Content-Type: multipart/mixed; boundary="------------050707030809020704070601" Message-ID: <ubmblyjuFHA.3752@TK2MSFTNGP09.phx.gbl> Newsgroups: microsoft.public.windowsxp.help_and_support NNTP-Posting-Host: 82.77.83.97 Path: TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl Xref: TK2MSFTNGP08.phx.gbl microsoft.public.windowsxp.help_and_support:594846 This is a multi-part message in MIME format. --------------050707030809020704070601 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi, everyone! I just don't understand why is not working as it supposed to. I want my XP box to behave like a 9x one. I mean no matter which user or password I use to logon into network (let's say a simple workgroup) onto the win9x box, it should be able to browse the shares on the XP box anonymousely aka using guest account. Now I'm gonna tell you what I've already tryed out: 9x Box XP Box ~~~~~~ ~~~~~~ user: test simple file sharing = on pass: test guest account = on (but deny logon locally) \\xpbox\fullshare result: \\xpbox is not accessible user: test simple file sharing = off pass: test guest unchanged (see above) NTFS: everyone = full control SHARE: everyone = full control GPO: Limit local account use of blank password to console logon only = Disabled Do not allow anonymous enumeration of SAM accounts and shares = Disabled Sharing and security model for local accounts = Classic result: \\xpbox is not accessible user: guest nothing changed pass: result: everything is ok --------------050707030809020704070601 Content-Type: text/x-vcard; charset=utf-8; name="paul.grecu.vcf" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="paul.grecu.vcf" begin:vcard fn:Paul Grecu n:Grecu;Paul org:Dacris Impex Srl;IT Department adr:;;;Constanta;;8700;Romania email;internet:paul.grecu@dacris.net title:Network Administrator x-mozilla-html:FALSE url:http://www.dacris.net version:2.1 end:vcard --------------050707030809020704070601-- --------------040301030109070307020802 Content-Type: text/x-vcard; charset=utf-8; name="paul.grecu.vcf" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="paul.grecu.vcf" begin:vcard fn:Paul Grecu n:Grecu;Paul org:Dacris Impex Srl;IT Department adr:;;;Constanta;;8700;Romania email;internet:paul.grecu@dacris.net title:Network Administrator x-mozilla-html:FALSE url:http://www.dacris.net version:2.1 end:vcard --------------040301030109070307020802-- Tag: Vendor support security Tag: 75817
  - 24
    - Windows 2003 server SP1 Hello, I have installed windows 2003 enterprise edition on standalone system, i installed SP1 also, but found that system became a bit slower and also MY CD burning application stopped working after SP1 installation. I had to unistall SP1 to make nero work. What applications get affected after installing SP1 on windows 2003 server. how to rectify it. Pls Advise Tag: Vendor support security Tag: 75804
  - 25
    - Suspicious processes!!!! hi all, after researching processes running in my task manager i came across this process, wuauclt.exe - This is used by the automatic update tool in Windows ME to check the Windows Update site every so often to see if any updates need to be installed. it also said, The original wuauclt.exe from Microsoft gets placed in the Located at C:\WINDOWS\System32\wuauclt.exe . If you find it anywhere else then you should be suspicious for sure. So i did a file search on my c:\ and found 4 files, here they are, WUAUCLT, in, c:\1386, 137kb, application, date modified 8/29/2002 WUAUCLT.exe-1360D60A, in, c:\WINDOWS\prefetch, 25kb, pf file, date modified 9/15/2005 wuauclt, in, c:\WINDOWS\SYSTEM32, 122kb, application, date modified 5/26/2005 wuauclt, in, c:\WINDOWS\servicepackfiles\i386, 109kb, application, date modified 8/4/2004. could one of these be a virus/trojan? if so, how do i determine which one? I also have 5 svchost.exe using 51,000k between them, this cant be right surely!I have scanned with AVG, spybot s&d and ad-aware (all updated) and found nothing. please help, thank you. lee. xp sp2 Tag: Vendor support security Tag: 75800
- Next
  - 1
    - IPSEC with non-domain Server Hi All I am trying to add some additional security to a IIS server not in our Domain (Stand alone). I would like to use IPSEC to control who has access to this box and have been successful with IPSEC using the Preshared Key on the Server and Client. Microsoft does not recommend Pre Shared Keys, but what else is available with a non domain server and no PKI infrastructure? Thanks Mike Tag: Vendor support security Tag: 75794
  - 2
    - Malicious software removal tool I want to know if it is possible for some systems to experience negative effects as a result of the malicious software removal tool. I play on the MSN gaming zone fairly regularly. Tuesday night for no apparent reason an assortment of MSN zone pages are corrupt. They appear to be not downloading correctly/completely. I have XP Pro, Asus K8V SE deluxe with an Athlon 64 processor. The web pages are the same this morning. Other than this removal tool I can't think of anything else. Sept 13 would be the first download of the tool for me since I have only had this system for a short time. Tag: Vendor support security Tag: 75783
  - 3
    - restricting admin access to network I need to figure out a way to prevent the network admins from promoting themselves to enterprise/schema admins. I have already set up the restricted group, but they can still add themselves to these groups to bypass this. Questions: -1) How can I set the permissions so only enterprise admin can edit all GPOâ??s? I will then delegate specific policies to specific people. 2) Can I modify the default domain GPO ACL to only have enterprise admin edit it? I see in the GPMC that I can remove the delegation to domain admins. Is this how I go about this? 3) MOST IMPORTANTLY: I have tried removing domain admin permissions from my guys, but then it gets really hard for them to do their work on client PCâ??s since they have to log in as local admin. What can I do to ease this pain and remove domain admin for a few more guys? I have added them to the administrators group in AD but that did not seem to help. 4) Right now the group â??domain adminsâ?? is added to the remote tab of the system tab. Should I replace this with the â??Remote Desktop Usersâ?? group? I am also considering customizing this per server, is this safe? I realize that I am not doing things the right way and that none of use should log onto every/any PC as a domain admin, but I do not have a more efficient method yet. TIA Tag: Vendor support security Tag: 75781
  - 4
    - Meta data and showaccs.exe Would like to know what the following permission set is after using showaccs. exe. Following folders (+XWRD[f]{d]), files (+xwrd) for Everyone, Global Group. -- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200509/1 Tag: Vendor support security Tag: 75775
  - 5
    - How to tell if a firewall alert is suspicious or not How can I tell if a Sygate firewall alert is suspicious or not? For example, I received this message from Sygate just now: Sygate Personal Firewall: Firefox (firefox.exe) is being contacted from a remote machine [206.13.28.12] using local port 1258 (OPENNL - Open Network Library). Do you want to allow this program to access the network? How can I tell if this is suspicious or not? Tag: Vendor support security Tag: 75769
  - 6
    - could not upgrade file %1 from %2 %1: %2 kb896727 I run ME. It automatically downloads this fix, but it will not load at startup. It gives me the above message. Any suggestions? -- thanks, Steve Tag: Vendor support security Tag: 75764
  - 7
    - Need logon and Logoff data for 30 days Hi, I have about 600 remote users that logon through 10 Citrix servers. Upon request, I need to be able to provide when a perticular user logged on and off for the last 30 days. I curently have set our default domain policy to "audit account logon events" but it is logging a ton of stuff and constantly fills our security log before 30 days is up. Anyway, any suggestions would be greatly appreciated. 2003 AD TIA, Shay Tag: Vendor support security Tag: 75755
  - 8
    - anti-spyware vs antivirus vs firewall I know what all three are used for ( anti-spyware, antivirus, firewall), but I would like an explanation of the grey areas where they overlap. For example, I think a firewall will stop a worm from infecting a computer, but will a real-time antivirus also do this? Is there any overlap in the pests an antivirus and antispyware will take care of? Is there a website on the latest trends of security software? Tag: Vendor support security Tag: 75748
  - 9
    - Spybot and ISA SERVER Hi I am having an issue with spybot - it will not update whatever I do. We are running an ISA server using authentication. Therefore u can't browse or even get to the web without your username being authenticated. This is done between the browser and ISA but it seems Spybot can not deal with this. Can anyone help me ????? I've entered the login details into spybot but still not luck..... Please help. Tag: Vendor support security Tag: 75745
  - 10
    - MSN Contacts Recently when i try to block and delete a contact i am getting an error message 'gggg@hotmail.com can not be blocked. Please try again later' I have uninstalled and the reinstalled verstion7.0 Any suggestions Tag: Vendor support security Tag: 75744
  - 11
    - Active X files blocked Active X files are blocked on my computer making it impossible to use the MS Update Site or to download McAfee anti-virus and firewall. The suggested fixes from Microsoft and McAfee have done nothing. Any ideas? Tag: Vendor support security Tag: 75743
  - 12
    - Server Client not Talking to WSUS Dear all My environment is a Windows 2003/2000 server environment with around 40 Workstations: - - WSUS server is a Windows 2003 server - Test Client Server is a Windows 2000 server I have around 40 Workstations and they are all talking to the WSUS Server and updates are being downloaded to each workstation fine. I have read the WSUS documentation and understand that Windows Server 2000 OS is supported by WSUS. I have moved the server to a OU with the WSUS Policy enabled. I have executed the wuauclt.exe /detectnow command I have also executed a 'gpresult' command to see whether the Server has inherited the WSUS policy, it has fine. Any Recommendations or Advice Would be much appreciated. Regards Bruno Tag: Vendor support security Tag: 75741
  - 13
    - IPSEC VPN I have an IPSEC tunnel created between 2 Servgate firewalls. Everything was working fine until I recently installed updates on my Windows Server 2003, these updates included SP1. Since then I have been experiencing access difficulties. The headquarters can access the remote network but the remote PC's can no longer access headquarters. They can ping PC's on the network, but they can not access the network drives or remote desktop into the server. I can see at the firewall that the tunnel has been created and is running. Does anyone know of any new secutiry settings on Win2k3 that could be preventing access. Thanks. Tag: Vendor support security Tag: 75740
  - 14
    - Microsoft windows update Hello I have application and critical servers, I Want to stop all traffic Internet for these servers and keep only microsoft windows update to automatically receive updates. It is implemented into pix, hardware firewall with ACL like this: stop all internet traffic ans keep only for Windows update site IP address. firewall administratos said that microsoft update site has a lot of random adress IP is it true?, if no what is the exact address ip ? if yes how can implement this security? -- Salutations Tag: Vendor support security Tag: 75738
  - 15
    - telling which security groups are on which folder Hi there, I have a question. In Our organisation we have a lot of junk from our old servers and with that junk came a lot of security groups. Does anybody know a good (free) application that can tell which security group is used on which folder? I hope somebody knows such a programm Thank you all :) Maarten Tag: Vendor support security Tag: 75734
  - 16
    - No entries in Security Event Log I run XP Pro + all patches (except SP2). I do not use ICF. I have never seen an entry in the Security Event Log. Do I need to set something to enable logging? Tag: Vendor support security Tag: 75730
  - 17
    - min rights for access Hello. I must published an mmc for the support team with the snapin for the shares and open files for an win2003 server. now i search the minimal right for the support team group to used this mmc. itÂ´s not the solution to make the group member of the power user. has anyone an idea? thx marko Tag: Vendor support security Tag: 75729
  - 18
    - using ICF on 2003 server in domain? Dear, all. Is someone using ICF on 2003 server in domain envierenmnet? Is all functions, for example, ad replication, works well? Thanks. Frank Tag: Vendor support security Tag: 75727
  - 19
    - Blocking Downloads Is there a program that will allow me to block my kids from downloading programs and or music from the web. I don't want them to be able to download or install anything without some type of authorization process. Thanks ! Tag: Vendor support security Tag: 75714
  - 20
    - Directory access Hi, Here is my problem. I'm working on the Group Policy in Windows 2003. All users on my domain (excepts Administrator) have a restricted access to their "C:"-->read only on their XP computer(I didn't do anything for that). There is a user groupe that needs to write in a subfolder of "C:\Program files". Is there a way to change the access of that specific folder without having to modify the access on each XP computer? Thanks Mathieu Tag: Vendor support security Tag: 75713
  - 21
    - MRU Hi- I use ad-aware. After each scan, it lists MRU (& other spwares if found)- Can I safely place a check each time to remove these MRU's as well. what are these MRU's. thank you ! Tag: Vendor support security Tag: 75708
  - 22
    - Account lockouts help We have a few users in our org that continually get locked out. Every 5 minutes, their accounts go into the lockout state. They are locked down by a GPO but only for folder redirection. Any ideas??? Thx. Jon Tag: Vendor support security Tag: 75706
  - 23
    - How to resrict administrative access Hi everybody, Here is a classic situation. A Windows 2003 domain with 10000+ users. We need to restrict administrative logons to one particular source IP subnet or some specific workstations. The goal is to mitigate the risk of stolen administrator credentials'. Does anyone have an elegant solution for that problem? Tag: Vendor support security Tag: 75704
  - 24
    - Standalone Root- Standalone Sub I am trying to determing what advantage I will get by implementing a Standalone Subordinate CA to issue certificates to clients. I do not have an AD domain and I just need to issue certificates to a few hundred external vendors. Would it be necessary to have a subordinate CA or would I be just as well off with a Stand Alone Root CA issuing the client certs? It would also save me the cost of another server. >From what I can tell, I don't get any extra redundancy by having the sub CA, so what is its intended purpose. Can anyone give an example of how a sub ca could make sense in my environment? Thanks! Travis Tag: Vendor support security Tag: 75703
  - 25
    - Maximum Users allowed in a Share This is the problem I have been having. We have shares setup on a Windows 2000 server. We have the share mapped as a netwrok drive. I have users who complain that their drive is disconnecting and that they lose connection with their email pst's. I tried increasing the time for the server autodisconnect. It did not work. I turned off the autodisconnect, and we still have a problem. I tried deactivating the license server in case it might not be configured properly, we still had the problem. Does anyone know what the maximum amount of users is for a share? We are trying to increase the number of people who have access to the share (set the limit vs. taking the default which is maximum). Please let me know so we can get this problem taken care of. Thanks, Tag: Vendor support security Tag: 75701

Hi all,
Can anyone tell me or point me to a document to back me up on dos and don'ts
when allowing vendor support connections. Does anyone have a policy that I
can go by on this?

We have setup a vpn (pptp) connection using pcanywhere, allow webex,
and have a dialup modem using pcanywhere connections. The vendor still has
a problem with me using group policy security and windows xp security. All
my users do NOT have administrators rights to their workstation. The vendor
insists that that is needed in order for him to connection with webex and fix
a problem. The software is installed on an SQL server where he has a vpn
connection and can connect with webex to have full control of the software.
The only thing installed on the workstation is the SQL client which I
installed and can maintain.
Just would like to see other network/security administrators' policies on
this.
Thanks in advance for any help on this.
Sher

Top

Re: Vendor support security by Robert

Robert
Mon Sep 19 15:55:06 CDT 2005

Sher wrote:
> Hi all,
> Can anyone tell me or point me to a document to back me up on dos and
> don'ts when allowing vendor support connections. Does anyone have a
> policy that I can go by on this?
>
> We have setup a vpn (pptp) connection using pcanywhere, allow webex,
> and have a dialup modem using pcanywhere connections. The vendor
> still has a problem with me using group policy security and windows
> xp security. All my users do NOT have administrators rights to their
> workstation. The vendor insists that that is needed in order for him
> to connection with webex and fix a problem. The software is
> installed on an SQL server where he has a vpn connection and can
> connect with webex to have full control of the software. The only
> thing installed on the workstation is the SQL client which I
> installed and can maintain. Just would like to see other
> network/security administrators' policies on this.

Our policy is that we will create a VPN account for a vendor, with terminal
services login on the minimum amount of boxes at the minimum security level
needed to run their admin tasks - we don't allow anything like webex or
pcanywhere or anything else. By limiting the amount of tools used and making
them ones that we "own" we've made it possible to manage as many risks as
possible from the connections.

Top