RE: Win 2k Security Questions

From: Denis Wong _at_ Hong Kong (_at_)
Date: 11/25/04


Date: Wed, 24 Nov 2004 19:59:02 -0800

1. Use group policy (see below) or set security permissions in the registry
(be careful).

2. Use NTFS permissions.

3. Use group policy.

4. That depends on how you deal with the Java.

Under User Config\Administrative Templates\System\

Prevent access to the command prompt
"Prevents users from running the interactive command prompt, Cmd.exe. This
setting also determines whether batch files (.cmd and .bat) can run on the
computer. If you enable this setting and the user tries to open a command
window, the system displays a message explaining that a setting prevents the
action. Note: Do not prevent the computer from running batch files if the
computer uses logon, logoff, startup, or shutdown batch file scripts, or for
users that use Terminal Services."

Prevent access to registry editing tools
"Disables the Windows registry editor Regedit.exe. If this setting is
enabled and the user tries to start a registry editor, a message appears
explaining that a setting prevents the action. To prevent users from using
other administrative tools, use the Run only allowed Windows applications
setting."

Run only allowed Windows applications
"Limits the Windows programs that users have permission to run on the
computer. If you enable this setting, users can only run programs that you
add to the List of Allowed Applications. This setting only prevents users
from running programs that are started by the Windows Explorer process. It
does not prevent users from running programs such as Task Manager, which are
started by the system process or by other processes. Also, if users have
access to the command prompt, Cmd.exe, this setting does not prevent them
from starting programs in the command window that they are not permitted to
start by using Windows Explorer. Note: It is a requirement for third-party
applications with Windows 2000 or later certification to adhere to this
setting. Note: To create a list of allowed applications, click Show, click
Add, and then enter the application executable name (e.g., Winword.exe,
Poledit.exe, Powerpnt.exe)."

Don't run specified Windows applications
"Prevents Windows from running the programs you specify in this setting. If
you enable this setting, users cannot run programs that you add to the list
of disallowed applications. This setting only prevents users from running
programs that are started by the Windows Explorer process. It does not
prevent users from running programs, such as Task Manager, that are started
by the system process or by other processes. Also, if you permit users to
gain access to the command prompt, Cmd.exe, this setting does not prevent
them from starting programs in the command window that they are not permitted
to start by using Windows Explorer. Note: To create a list of disallowed
applications, click Show, click Add, and then enter the application
executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe)."

BR,
Denis

"Robert Paris" wrote:

> I am looking for how I can do the following on Win2K:
>
> 1. Disable a User's ability to write to/edit the registry
> (Actually disable for all but Administrator)
>
> 2. Disable user's ability to write files to all but one folder
>
> 3. Disable user's ability to execute any program except for a few that I
> specify
> (And can I log attempts to run/execute programs?)
>
> 4. In disabling cmd.exe, can I set up only two programs to run (on startup)
> in command prompts (with RunAs service) - they're java programs - and still
> keep all other java programs and the user from being able to do anything in
> command prompt?
>
> Answers to any of these questions would be greatly appreciated. Any pointers
> to further resources would be great too! Thanks!
>
>
>
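
An added example, not part of the original post: a PowerShell check of the current user's values for the four settings quoted above, flagging the interactions the policy text itself warns about. The registry paths, value names and DisableCMD values are the commonly documented ones for these policies and are assumptions here (the post does not give them), as is PowerShell being available on the host; the function names are hypothetical.

```powershell
# Added example: audit the current user's values for the four policies quoted above.
# Registry locations are the commonly documented ones (assumption; not given in the post).
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmdKey   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-PolicyList([string]$Path) {
    # Allowed/disallowed program names are numbered string values under a subkey.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    @($key.GetValueNames() | Where-Object { $_ } | ForEach-Object { [string]$key.GetValue($_) })
}

function Test-LockdownPolicy($DisableCmd, $DisableRegTools, $RestrictRun, $DisallowRun, [string[]]$Allowed) {
    $listOn = ($RestrictRun -eq 1) -or ($DisallowRun -eq 1)
    if (-not $DisableRegTools) { 'Registry editing tools are not disabled.' }
    if (-not $listOn)          { 'Neither application list (allowed / disallowed) is enabled.' }
    if ($listOn -and -not $DisableCmd) {
        'Application list is on but Cmd.exe is not disabled: the list only covers programs started by Windows Explorer.'
    }
    # Assumed values: DisableCMD = 1 also blocks .cmd/.bat files, 2 leaves batch processing on.
    if ($DisableCmd -eq 1) {
        'Batch files are blocked too: check for logon/logoff/startup/shutdown scripts and Terminal Services users.'
    }
    if ($RestrictRun -eq 1) {
        if (-not $Allowed) { 'Allowed-applications list is enabled but empty.' }
        foreach ($exe in $Allowed) {
            if ($exe -match '^(cmd|regedit|regedt32)\.exe$') { "Allowed list contains $exe." }
        }
    }
}

$findings = @(Test-LockdownPolicy `
    -DisableCmd      (Get-PolicyValue $cmdKey   'DisableCMD') `
    -DisableRegTools (Get-PolicyValue $system   'DisableRegistryTools') `
    -RestrictRun     (Get-PolicyValue $explorer 'RestrictRun') `
    -DisallowRun     (Get-PolicyValue $explorer 'DisallowRun') `
    -Allowed         (Get-PolicyList "$explorer\RestrictRun"))

if ($findings.Count -eq 0) { 'No gaps found in the four settings.' } else { $findings }
```

Run it in the restricted user's own session, since these are per-user (User Configuration) settings.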


