A Windows XP help forum. PCbanter



Domain Users are able to install applications.



 
 
#1
February 22nd 08, 12:47 AM, posted to microsoft.public.windowsxp.security_admin
Wobzo

I have a network where the newly deployed Workstations were tested such that
Domain Users were unable to install anything.
However it has recently happened that one of the so said users installed GE
(Google Earth).
I found this to be very concerning as this should not have been possible.
Approximately 6+ months ago, I personally tested the ability to install GE as
a user and it was not possible.
They also seemed to be able to install "MySpaceIM". My initial thought was
how was the user able to enter the keys under
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall".
I think this may be launching the application under "SYSTEM" credentials.
All other local accounts are disabled and users are not members of anything
other than local users group.
What else are people able to run under the "SYSTEM" account?
How can I prevent the users from installing?
#2
February 22nd 08, 09:54 AM, posted to microsoft.public.windowsxp.security_admin
Anteaus

Actually, there is no specific code within Windows that determines "Limited
users cannot install software".

A Limited User is only able to write to the HKCU registry section, and to
disk folders within his/her own profile, plus a few in All Users. This has
the effect that most setup programs won't work, as they need to write to
"Program Files" and to the HKLM registry.

However, it is perfectly possible to write an installer that works within
these limitations.

One possible fix is to bar the execution of programs from within the user's
profile. This has the added benefit of preventing downloaded programs being
run. BeyondLogic's TrustNoExe does this and is very effective, though not
suitable for every situation. Worth a look anyway.

If the user has access to network shares, then of course they may also be
able to save downloaded programs there, and run them.


#3
February 22nd 08, 10:03 AM, posted to microsoft.public.windowsxp.security_admin
Anteaus

Oh, and an additional point, have you checked what groups the users are
members of on the domain controller's console? If they are members of Domain
Admins, for example, then you have a security hole you could drive a truck
through. This may not be apparent if you're looking at the local groups.


#4
February 22nd 08, 03:46 PM, posted to microsoft.public.windowsxp.security_admin
Lanwench [MVP - Exchange]



To add to the other reply -

You can't prevent limited users from installing software entirely, merely
based on their local group membership. As you've just seen, a lot of apps
don't require special permissions to install ...they don't write to the
restricted areas of the registry & file system.

You should look into group policy options to lock down your desktops if this
is a real concern at your company - software restriction can work well
although it can also be dangerous (play with this in a lab before
deploying). Try posting in microsoft.public.windows.group_policy for more
help.
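
The replies above explain that a setup program can succeed for a limited user when it writes only to HKCU and the user's own profile. As an added example (not part of any post in this thread), the following PowerShell audit lists software registered under each loaded user hive instead of HKLM. It assumes PowerShell 2.0 or later and an elevated prompt; the function name `Get-PerUserInstall` is hypothetical.

```powershell
# Added example (not from the thread): list software registered per user
# rather than machine-wide. Run elevated so other users' hives are readable.
$UninstallSubKey = 'Software\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-PerUserInstall {
    # Only profiles that are currently loaded (logged on) appear under HKEY_USERS.
    # The pattern keeps real user SIDs and skips .DEFAULT, service SIDs and *_Classes.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            try {
                # Resolve the SID to DOMAIN\user for the report.
                $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid   # orphaned or unresolvable SID: report it as-is
            }

            $keyPath = "Registry::HKEY_USERS\$sid\$UninstallSubKey"
            if (Test-Path -Path $keyPath) {
                # Each subkey is one product that registered itself for this user only.
                Get-ChildItem -Path $keyPath | ForEach-Object {
                    Get-ItemProperty -LiteralPath $_.PSPath |
                        Select-Object @{ n = 'Account'; e = { $account } },
                                      DisplayName, Publisher,
                                      InstallLocation, UninstallString
                }
            }
        }
}

Get-PerUserInstall |
    Sort-Object Account, DisplayName |
    Format-Table -AutoSize -Wrap
```

Entries whose InstallLocation or UninstallString points inside the user's profile are installs that never touched "Program Files" or HKLM, which is the case the replies describe.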


 




All times are GMT +1.