I've noticed a slight security flaw in our win2k server and winxp client network setup.
Our XP clients are locked down but domain user accounts have local admin rights in order to run logon scripts and run certain applications (pretty standard setup I believe).
Obviously they have no access to the command prompt or Run or the C:\ drive (using nodrives). However, they can create a simple batch file and execute it from a network share. One example was when a student created a v. simple batch file using the net send command. Yep, you guessed it: "xxxxx rulez" messages from computer x to all computers on the domain. Annoying more than harmful, but there's nothing to stop someone from running slightly more sophisticated file operations to delete stuff off the local drive. Obviously they have no domain admin rights, so they can't do much damage to our server or other machines... Or can they?
Any suggestions or own experiences on this subject?
MA