From: Jacob, Jesse (STP) (Jesse.JacobGUIDANT.COM)
Date: Mon Jul 09 2001 - 15:22:52 CDT


    >workstations only connect to them - thus eliminating local printers on
    >workstations.

    And thus revoking most users' ability to perform actions on the queue such
    as changing paper sizes and trays in some cases. Your heart's in the right
    place but I bet you get some push back during the conversion.

    >Having a user double-click on a server's printer from a
    >workstation wouldn't create a printer connection unless the driver for the
    >printer
    >was already installed on the workstation, because, apparently, a user

    You are mistaken in this assumption, which appears to be what led you to
    believe con2prt is giving you special rights. You can't connect to a
    network queue if the server doesn't have a driver for your OS (Win2k in your
    case, I assume), but even as a normal "User" (not an admin or even a power
    user) I'm able to point and install any printer off a Win2k print server to
    either of my freshly installed Win2k SP2 or NT4 SP6a workstations without
    previous drivers. I did about ten; HP, Xerox, Tektronix, etc.

    >colleague, I tried con2prt, from the ZAK. Amazingly, the use of con2prt
    >allowed *any* user to install printer drivers on workstations.

    All con2prt does is make a connection to a network printer _for the current
    user_ (just like your instructions above) and only copies drivers to the
    shared driver area and edits HKCU. If you logoff and back on as the
    administrator, you wouldn't be able to see the printer that was installed
    (although the drivers would be in place).

    <snip!>

    Regardless of spooler context, you'd have to have phys access to the machine
    on which you'd want to wreak havoc, and con2prt doesn't give you any special
    powers because it's limited to HKCU reg edits and the file copies you think
    it's backdooring could be done manually with explorer after looking at the
    registry.

    The only thing you can't do on Win2k & NT4 as a mere "user" (non-admin,
    non-power user) is create a *local* print queue (one that's visible no
    matter who logs on) which would go quite a bit further to helping you wreak
    print driver havoc on multiple users, but you'd leave a pretty good trail ;)

    >I can't believe this is a real issue. I'm just posting this because I can't
    >believe my eyes. Con2prt is a mature and widespread utility, and it's still
    >used on W2K's ZAK; if it showed any potential for security exploits, I
    >suppose it would have been fixed - or the system API that it calls. Or am I
    >being too optimistic?
    >
    >Paulo Meireles
    >MCSE

    I'm in the middle of scripting the client conversions of a large print
    server migration (same-named queues from one server to another) for ~6k
    users of Win95, NT4 & Win2k. Con2prt is pretty useless (IMHO) because it's
    limited to 1) deleting _all_ network connections for the current user, and
    2) creating connections to network queues--it's not meant to aid in print
    queue migrations unless it's automated by some serious scripting--and if
    you're at that level you know your way around the printer registry areas well
    enough to make the mods yourself, in my experience.

    Jesse Jacob
    MCSE
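The distinction Jesse draws above (a con2prt connection lives under HKCU for one user, while a machine-wide queue that every logon sees lives under HKLM and needs admin or power-user rights) can be checked on a workstation. The script below is an added example for this archive page, not code from the post or from the ZAK; it assumes a PowerShell-capable Windows host and uses the standard print-subsystem registry locations, which are not mentioned in the post. It lists the current user's network printer connections, the machine-wide print queues, and the installed driver packages, so an auditor can see what a given user could or could not have created.

```powershell
# Added example (not from the original post). Audit printer state by scope:
#   HKCU\Printers\Connections            - per-user network connections (what
#                                          con2prt or a double-click creates)
#   HKLM\...\Control\Print\Printers      - machine-wide queues (admin-only)
#   HKLM\...\Control\Print\Environments  - driver packages (machine-wide even
#                                          when installed via a per-user connect)
# Assumption: run in the session of the user being audited; reading HKLM
# needs no elevation.

function Get-UserPrinterConnections {
    $path = 'HKCU:\Printers\Connections'
    if (-not (Test-Path $path)) { return @() }
    Get-ChildItem $path | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Scope    = 'Per-user (HKCU)'
            # Subkeys are stored as ",,server,printer"; rebuild the UNC name.
            Name     = ($_.PSChildName -replace '^,,', '\\') -replace ',', '\'
            Server   = $props.Server
            Provider = $props.Provider
        }
    }
}

function Get-LocalPrintQueues {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
    if (-not (Test-Path $path)) { return @() }
    Get-ChildItem $path | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Scope  = 'Machine-wide (HKLM)'
            Name   = $_.PSChildName
            Driver = $props.'Printer Driver'
            Port   = $props.Port
        }
    }
}

function Get-InstalledPrintDrivers {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    if (-not (Test-Path $path)) { return @() }
    # One subtree per environment (e.g. "Windows NT x86", "Windows x64"),
    # then Drivers\Version-<n>\<driver name>.
    Get-ChildItem $path | ForEach-Object {
        $env = $_.PSChildName
        Get-ChildItem (Join-Path $_.PSPath 'Drivers') -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ver = $_.PSChildName
                Get-ChildItem $_.PSPath | ForEach-Object {
                    [pscustomobject]@{
                        Environment = $env
                        Version     = $ver
                        Driver      = $_.PSChildName
                    }
                }
            }
    }
}

Write-Host "== Per-user connections (current user only) =="
Get-UserPrinterConnections | Format-Table -AutoSize
Write-Host "== Machine-wide queues (visible to every logon) =="
Get-LocalPrintQueues | Format-Table -AutoSize
Write-Host "== Installed driver packages (machine-wide) =="
Get-InstalledPrintDrivers | Format-Table -AutoSize
```

Run it once as the ordinary user and once as an administrator: the first table differs between the two sessions, the other two do not, which is exactly the behaviour the post describes (the connection is per-user, the copied drivers are in place for everyone). An unexpected entry in the machine-wide queue list is the "trail" Jesse mentions, since a plain user cannot have created it.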
