Re: Need help with securing a local workstation
From: wibble (yeahright_at_hotmail.com)
Date: 02/15/04
Date: Sun, 15 Feb 2004 22:15:59 -0000
Always....Always password protect the BIOS - Have you seen the damage that
can be done with the Linux boot disk?
"Steven L Umbach" <n9rou@nscomcast.net> wrote in message
news:%VOXb.313570$I06.3174574@attbi_s01...
> If the user is a member of just the users group, that will prevent them
> from installing "most" software. I suggest you also change the ntfs
> permissions on the root/drive folder to give everyone/users no more than
> read/list/execute ntfs permissions. Group Policy can help somewhat by
> configuring install.exe, setup.exe, etc to the disallowed Windows
> application list as described in the KB link below. Renaming applications
> can bypass that restriction. You may also want to disable the command
> prompt and registry editing while you are at it. Be sure to read the
> explanation of any setting, as disabling the command prompt for instance
> can cause batch files not to run. To really lockdown
> applications/installations consider using XP Pro where the very powerful
> Software Restriction Policies can use hash/path/certificate rules to
> really lock down a computer.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
> http://support.microsoft.com/default.aspx?scid=kb;en-us;310791
>
> You can use Group Policy/user configuration/administrative
> templates/windows components/Windows Explorer to hide and disable drives,
> but not USB. However those settings only prohibit a user from using those
> drives while using Explorer, My Computer, Network Places, run box etc and
> will not stop them from accessing the drive through the command prompt, or
> other methods possibly including applications themselves. Depending on
> your security requirements you may want to use a computer case that blocks
> access to those devices or disconnect the cables on the inside if the case
> is locked. You can also disable access to those devices [including USB]
> via cmos and then password protect the cmos settings and again be sure the
> case is locked. Also be sure to disable cdrom autostart and configure cmos
> to boot only from hard drive as it is very trivial to use a boot
> floppy/cdrom to reset the local administrator password in less than five
> minutes. Of course other security precautions apply such as using complex
> administrator passwords.
> --- Steve MVP Windows Security
>
> "Tim Connolly" <tgaptte@yahoo.com> wrote in message
> news:3e181796.0402131051.75e2aded@posting.google.com...
> > Hi,
> >
> > I need to lock down a Windows 2000 Professional SP 2 system so that
> > the user cannot do any of the following:
> >
> > - Access the FDD
> > - Access the CDROM
> > - Access USB ports
> > - Install software
> > - And if possible, I'd love to prevent them from running software that
> > isn't approved.
> >
> > Is this possible in the delivered Windows 2000 Professional SP2
> > security?
> >
> > Any suggestions about how to go about this?
> >
> > Thanks in advance!
> >
> > Tim
>
>
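
As an added example (not part of any message in this thread), the per-user policy settings Steve lists can be checked from an exported set of registry values. The value names (NoDrives, NoViewOnDrive, NoDriveTypeAutoRun, DisableCMD, DisableRegistryTools, DisallowRun) are the registry values behind those Group Policy settings and do not appear in the thread; the drive letters A and D and the sample data are assumptions.

```python
# Added example: audit one user's exported policy values against the lockdown
# items discussed in the thread. All sample values below are constructed.
import string

def drives_from_mask(mask):
    """Decode a NoDrives/NoViewOnDrive bitmask (bit 0 = A: ... bit 25 = Z:)."""
    return {string.ascii_uppercase[i] for i in range(26) if mask >> i & 1}

def mask_from_drives(letters):
    """Encode drive letters into the bitmask the two Explorer values expect."""
    mask = 0
    for letter in letters:
        idx = string.ascii_uppercase.index(letter.upper())  # ValueError if not A-Z
        mask |= 1 << idx
    return mask

AUTORUN_CDROM = 0x20  # NoDriveTypeAutoRun bit for CD-ROM drives

def audit(policy, removable=("A", "D")):
    """Return findings for a dict of value name -> int (or list for DisallowRun).
    `removable` is an assumption: the floppy and CD-ROM letters on this machine."""
    findings = []
    want = {l.upper() for l in removable}
    for name in ("NoDrives", "NoViewOnDrive"):
        missing = want - drives_from_mask(policy.get(name, 0))
        if missing:
            findings.append(f"{name}: not covering {', '.join(sorted(missing))}")
    if not policy.get("NoDriveTypeAutoRun", 0) & AUTORUN_CDROM:
        findings.append("NoDriveTypeAutoRun: CD-ROM autostart still enabled")
    cmd = policy.get("DisableCMD", 0)
    if cmd == 0:
        findings.append("DisableCMD: command prompt available")
    elif cmd == 1:
        findings.append("DisableCMD=1: batch files are blocked too (2 allows them)")
    if policy.get("DisableRegistryTools", 0) != 1:
        findings.append("DisableRegistryTools: registry editing available")
    if not policy.get("DisallowRun"):
        findings.append("DisallowRun: no disallowed-application list")
    return findings

# Constructed sample: floppy hidden but CD-ROM (D:) forgotten, cmd fully disabled.
SAMPLE = {"NoDrives": mask_from_drives("A"), "NoViewOnDrive": mask_from_drives("AD"),
          "NoDriveTypeAutoRun": 0x95, "DisableCMD": 1, "DisableRegistryTools": 1,
          "DisallowRun": ["install.exe", "setup.exe"]}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

A clean result only covers the Explorer-level restrictions; the BIOS/CMOS password, boot order and case lock mentioned in the thread are outside what these values control.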