Desktop Lockdown
I'm currently running Windows 2000 Pro -- soon to be XP and shortly on a Windows 2003 domain -- and I want to lock down the desktops. I don't want users to be able to install any programs -- whether by inserting a CD to install something, or downloading some junk, like Webshots and AIM. But sometimes, they may need to download a pdf file so I can't halt ALL downloads. I also have a program that needs to be installed per user due to registry settings. So, I've started installing everything under an Administrator account and making that the Default User account to circumvent that issue. In doing so, have I granted that user more file and registry permissions than I should have? I don't want them to have rights beyond User -- not even Power User.

Lastly, is there a Windows security template that would be good to use on the domain (within Group Policy) that would give the ideal permission restrictions I'm looking to implement? Thanks for your thoughts and ideas...

Frank wrote:
> I'm currently running Windows 2000 Pro -- soon to be XP and shortly on a Windows 2003 domain -- and I want to lock down the desktops. I don't want users to be able to install any programs -- whether by inserting a CD to install something, or downloading some junk, like Webshots and AIM. But sometimes, they may need to download a pdf file so I can't halt ALL downloads. I also have a program that needs to be installed per user due to registry settings. So, I've started installing everything under an Administrator account and making that the Default User account to circumvent that issue. In doing so, have I granted that user more file and registry permissions than I should have? I don't want them to have rights beyond User -- not even Power User.

By pure definition you have given them more permission than just User. Administrator user. Administrator has access to everything.

> Lastly, is there a Windows security template that would be good to use on the domain (within Group Policy) that would give the ideal permission restrictions I'm looking to implement? Thanks for your thoughts and ideas...

Well, we're not sure of the exact details you need on everything in the domain or the local machines, but I'd start out with the Default Domain Policy that already exists in the Group Policy Management console and edit it to suit your needs (better yet, copy it and edit the copy in case you need to revert back to the default). Then do something similar, with slightly different settings, and apply it to your workstations (servers will need different settings from workstations, so let them fall under the auspices of the domain policy or even create specific server policies in addition to specific workstation-related policies). Look on nsa.gov and search for security guidelines for Windows.

If you really want it locked down you can start modifying registry and FS permissions as well as redirecting a user's desktop to a read-only location and only giving them write access to a My Documents folder. You can also restrict use of MSI and disable access to all the drives in the system (don't disable access to the C drive). All that is done within group policies under the User configuration section.

Hope that helps
Brandon
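
The "all the drives except C" restriction mentioned in the reply above is stored per user as a drive-letter bitmask in the Explorer policy values NoDrives and NoViewOnDrive. As an added example (not posted by anyone in this thread), this Python sketch computes that mask, decodes one found during an audit, and renders a .reg fragment; the function names are hypothetical.

```python
import string

# Registry location behind the two Explorer drive policies (per-user).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ALL_DRIVES = (1 << 26) - 1  # bits 0..25 = A..Z -> 0x03FFFFFF


def drive_mask(letters):
    """Return the DWORD with one bit set per listed drive letter (A = bit 0)."""
    mask = 0
    for letter in letters:
        letter = letter.upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def restrict_all_except(allowed):
    """Mask that restricts every drive except the ones in `allowed`."""
    return ALL_DRIVES & ~drive_mask(allowed)


def restricted_letters(mask):
    """Decode a mask back into drive letters, e.g. when auditing a workstation."""
    return [c for i, c in enumerate(string.ascii_uppercase) if mask >> i & 1]


def reg_fragment(mask):
    """Render a .reg file that sets both policy values to the same mask."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{POLICY_KEY}]",
        f'"NoDrives"=dword:{mask:08x}',       # hide the drives in My Computer
        f'"NoViewOnDrive"=dword:{mask:08x}',  # block opening them from Explorer
        "",
    ])


if __name__ == "__main__":
    # Constructed case from the thread: restrict everything but C.
    print(reg_fragment(restrict_all_except("C")))
```

These values only affect Explorer and the common file dialogs, so they complement the NTFS and registry permissions discussed above and do not replace them.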