restrict software installation

From: Gu1tarb0y@aol.com
Date: 05/24/02


Date: Fri, 24 May 2002 11:26:53 -0400
From: Gu1tarb0y@aol.com
To: focus-ms@securityfocus.com

NT 4.0 SP6A STIG'd to NSA guidelines
scenario:
The big guy wants me to let users surf the net responsibly (yeah right) but restrict
either their downloading OR AT LEAST the installation of software from the internet.
I have less than 100 users on NT 4.0 workstations and tried searching the archive
threads already, but my methods need refining. Due to security restrictions already on
the workstations, many but not all apps must be loaded by an admin. We have the HKLM\System\ etc...
8.3 filename registry set to "1" so that for many installs, I have to undo that setting to load.

These restrictions do not prevent the users from installing all software. Due to original network
configuration, patch updates are typically sent to the user in the logon.bat. For them to
access and install, domain users are given access to the local admin group on their machines. Most do
not know this or what it allows. If I take domain users out of the local admin group, then not all
network drive access is provided at logon.

Looking for options, suggestions, places to look.
Issue 1: Keep the installation of unauthorized software at a minimum in a 24x7 shop
where 3 shifts share machines and outages could affect 3 users. I prefer installation
to require admin access. User would then place a service request for the needed software.

options:
a) NT policy config: Manage by groups. What would I try to set that would prevent them
from installing most software?
b) Use something to filter executable downloads (e.g. SurfControl Web filtering).
c) Other suggestions?

Issue 2: Users remove the password-protected screensaver option while logged in. Prior to
fielding to users, these settings were already configured in the registry for the default user
account and all existing accounts on the machine. Users manually undo this. If I remove
the display option totally, users cannot customize the font size to their own visual
abilities.

option:
a) Set NT group profile to remove the screensaver tab from user display option?
b) Other suggestions?

TIA

Jim McFarlen


