Posts

How to burn a disc in Windows 7 or Windows 8 when you're not an administrator

You may notice you cannot burn a disc with your non-administrator account in Windows 7 Windows 8 or Server 2008 or Server 2012.
You will still need the administrator password but while logged in as your normal account just simply do the following.
 
1.  Copy your ISO to the C: drive.  It will prompt for administrator credentials.
2.  Do a search in start for CMD.  Once it finds it in your start menu right click and say “run as administrator”.
3.  Now anything you do in the command prompt will be ran with administrator privileges.
4. Run the command isoburn followed by the path to your image file.  i.e. isoburn c:MyDisc.ISO

What are the effective permissions of Exchange roles

The Exchange Administration Delegation Wizards allows you to define roles at the organization level, or at the administrative group level. Where you define a role, combined with the role that you grant may create “effective” permissions. Effective permissions are permissions granted as a side-effect of a granted permission. For example, when you assign a group view-only permissions at the Organization level, the group will also have view-only permissions at the Administrative Group level. Thus, the effective, or actual, permissions of the group are view-only at both the Organization and Administrative Group levels.
More specifically, at the administrative group level:

  • Exchange Administrator includes Exchange View Only Administrator at the organization level.
  • Exchange Full Administrator includes both Exchange Administrator at the administrative group level and Exchange View Only Administrator at the organization level.
  • Exchange View Only Administrator at the organizational level.

Additionally, at the organization level:

  • Exchange View Only Administrator includes Exchange View Only Administrator at the administrative group level.
  • Exchange Administrator includes Exchange View Only Administrator at the organization level, which gives Exchange Administrator Exchange View Only Administrator at the administrative group level.
  • Exchange Full Administrator includes all other permissions at both the organization and administrative group levels.

The following table provides a summary of the effective permissions versus the granted permissions.

Effective permissions versus granted permissions

Granted Permissions AG: View AG: Admin AG: Full Admin ORG: View ORG: Admin ORG: Full Admin
AG: Exchange View Only Administrator Yes None None Yes None None
AG: Exchange Administrator Yes Yes* None Yes None None
AG: Exchange Full Administrator Yes Yes* Yes* Yes None None
ORG: Exchange View Only Administrator Yes None None Yes None None
ORG: Exchange Administrator Yes Yes None Yes Yes None
ORG: Exchange Full Administrator Yes Yes Yes Yes Yes Yes

* = Local administrative group only  AG = Administrative group level  ORG = Organization level

Should I rename my domain administrator account?

As I open the logs files on my honeypot server I see there multiple brute force attacks on my ftp server.  They are using administrator and every possible combination of letters and characters.   I sit for a a moment and think to myself.  What if I had not renamed my administrator account?  Would my FTP server have been compromised?
This question or questions bring me ultimately to answer the question of why you should rename your domain administrator account.  There are going to be certain servers like Microsoft FTP through IIS that do not allow you to set settings based on how my incorrect attempts before a user is locked out.  Regardless how can you lock out the one account that has access to your entire network?  First I will just say I don’t believe entirely in security through obsecurity.  However, it is definitely a mechanism you can put in place to further protect your network.  When hackers try to brute force your network you can almost ensure yourself they’re going to try to use “administrator” as their user. 
You might be asking at this point.  Ok so if I rename my domain administrator account how will I access items that require this permission.  This is a good question.  Basically what I would recommend is create an account named admin-username.  Username of course being your user name or any other users who need to manage your domain.  Once you have done this I would recommend renaming your domain administrator account to something obscure.   Then set the password and make it very long and difficult to brute force attack.  When that is complete save that password somewhere secure in case the day comes when you need it.
Since I’m on this note.  There is another very important security measure administrators should take.  NEVER use your domain admin account to login on a daily basis.  You should be logging in to your network just like every other user.  With an account that has absolutely no administrator permissions.  If you need to install new hardware or software or change system settings then do a runas.  Or simply log off and log back in as administrator.  I cannot tell you how many machines or networks get infected because users are logging in as administrator when they don’t need to be.  Don’t get lazy and complacent do the right thing today.