Re: Need help with securing a local workstation
From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 02/15/04
Date: Sun, 15 Feb 2004 18:31:23 GMT
If the user is a member of just the users group, that will prevent them from
installing "most" software. I suggest you also change the ntfs permissions
on the root/drive folder to give everyone/users no more than
read/list/execute ntfs permissions. Group Policy can help somewhat by
configuring install.exe, setup.exe, etc to the disallowed Windows
application list as described in the KB link below. Renaming applications can
bypass that restriction. You may also want to disable the command prompt and
registry editing while you are at it. Be sure to read the explanation of any
setting, as disabling the command prompt, for instance, can cause batch files
not to run. To really lock down applications/installations consider using XP
Pro where the very powerful Software Restriction Policies can use
hash/path/certificate rules to really lock down a computer.
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://support.microsoft.com/default.aspx?scid=kb;en-us;310791
You can use Group Policy/user configuration/administrative templates/windows
components/Windows Explorer to hide and disable drives, but not USB. However
those settings only prohibit a user from using those drives while using
Explorer, My Computer, Network Places, run box etc and will not stop them
from accessing the drive through the command prompt, or other methods
possibly including applications themselves. Depending on your security
requirements you may want to use a computer case that blocks access to those
devices or disconnect the cables on the inside if the case is locked. You
can also disable access to those devices [including USB] via cmos and then
password protect the cmos settings and again be sure the case is locked.
Also be sure to disable cdrom autostart and configure cmos to boot only from
hard drive as it is very trivial to use a boot floppy/cdrom to reset the
local administrator password in less than five minutes. Of course other
security precautions apply such as using complex administrator
passwords.
--- Steve MVP Windows Security
"Tim Connolly" <tgaptte@yahoo.com> wrote in message
news:3e181796.0402131051.75e2aded@posting.google.com...
> Hi,
>
> I need to lock down a Windows 2000 Professional SP 2 system so that
> the user cannot do any of the following:
>
> - Access the FDD
> - Access the CDROM
> - Access USB ports
> - Install software
> - And if possible, I'd love to prevent them from running software that
> isn't approved.
>
> Is this possible in the delivered Windows 2000 Professional SP2
> security?
>
> Any suggestions about how to go about this?
>
> Thanks in advance!
>
> Tim
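
The reply's point that renaming an application bypasses a file-name restriction, while a hash rule follows the program itself, is shown here as an added example; it is not part of the original post or of any Microsoft tool. The deny list, file names and file contents are constructed, and SHA-256 stands in for whatever hash the policy engine actually uses.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed deny list in the style of a file-name based "disallowed applications" policy.
DISALLOWED_NAMES = {"install.exe", "setup.exe"}

def blocked_by_name(path):
    """File-name rule: looks only at the name, so it follows the name, not the program."""
    return os.path.basename(path).lower() in DISALLOWED_NAMES

def content_hash(path):
    """Hash of the file's bytes (SHA-256 here, as an assumed stand-in for the policy's hash)."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def blocked_by_hash(path, denied_hashes):
    """Hash rule: follows the content, whatever the file is called."""
    return content_hash(path) in denied_hashes

def demo():
    """Build constructed sample files and return each rule's decision."""
    workdir = tempfile.mkdtemp()
    try:
        installer = os.path.join(workdir, "setup.exe")
        with open(installer, "wb") as handle:
            handle.write(b"constructed installer bytes")
        renamed = os.path.join(workdir, "notes.exe")  # same bytes, new name
        shutil.copyfile(installer, renamed)
        denied = {content_hash(installer)}
        return {
            "name_rule_original": blocked_by_name(installer),
            "name_rule_renamed": blocked_by_name(renamed),
            "hash_rule_renamed": blocked_by_hash(renamed, denied),
        }
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    for rule, decision in demo().items():
        print(rule, decision)
```

The name rule stops matching as soon as the file is copied under another name, while the hash rule still matches the renamed copy.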