Re: restrict software installation

From: Patrick Andry (pandry@wolverinefreight.ca)
Date: 05/27/02 

Date: Mon, 27 May 2002 12:07:19 -0400
From: Patrick Andry <pandry@wolverinefreight.ca>
To: Gu1tarb0y@aol.com

I ran into a similar issue, where trusted users were able to do whatever
they wanted to the machines, but the majority of the company had varying
degrees of restrictions. What I ended up doing was installing a proxy
server with a couple of freeware apps to prevent file downloads, etc.

> Issue 1: Keep the installation of unauthorized software at a
> minimum in a 24x7 shop where 3 shifts share machines and outages
> could affect 3 users. I prefer installation to require admin
> access. User would then place a service request for the needed
> software. options: a)NT policy config: Manage by groups. What
> would I try to set that would prevent them from installing most
> software. b)Use something to filter executable downloads (e.g.
> SurfControl Web filtering). c)Other suggestions?

I used Squid with Dan's Guardian on a linux box. This blocked web
downloads of the extensions I chose. The acl's to set this up were a
bit cumbersome, but if you could configure and restrict the proxy server
setup on a per-machine basis, it would work. For production though,
check out MS's proxy server. It should integrate easier.

> Issue 2) User's remove the password protected screensaver option
> while logged in. Prior to fielding to users, these setting were
> already configured in the registry for default users account and
> all existing accounts on the machine. Users manually undo this.
> If I remove the display option totally, users cannot customize the
> font size to their own visual abilities.
Are screen saver passwords necessary? I find them to be more of a
headache than anything.

I recommend preventing the use of these in a production environment.
They are cumbersome, easily forgotten, and frankly, you have better
things to do with your time than resetting screensaver passwords all the
time. Have the users lock the workstation instead. It's safer, and
easier for you to reset if they lose their password.

> Jim McFarlen
>
>

Relevant Pages

  • RE: old xp home computers
    ... Firstly I would just like to thankeveryone for all your advice. ... I have ben able to bypass the passwords on Xp and the ... that there is a fan or cooling system missing from AMD built in chip. ... > particular machines. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: unified authentication
    ... > I have a number of FreeBSD machines. ... Each *class* of server or device gets a different root password (or ... root/enable passwords, and have a bit less worry about ex-employees. ... only sysadmins have logins on routers.) ...
    (FreeBSD-Security)
  • Re: Printer cncted to Vista 64-bit, cant print from XP puter
    ... do not need to be logged into the same account on all machines and the ... accounts/passwords just need to exist and match on all machines. ... Putting passwords and accounts on my ... the XP Laptop computer and the Vista64-bit... ...
    (microsoft.public.windows.vista.networking_sharing)
  • mysq/php/blowfish (was vtiger/mysql/encryption)
    ... MySQL stores and php encrypts/decrypts data. ... I used mysqldump and saw that the passwords in MySQL ... machines with varying success. ...
    (freebsd-questions)
  • RE: Tool to find hidden web proxy server
    ... you monitor the network traffic and see which authorized machines are generating the most of the traffic. ... And hen you can conclude who is running the proxy server on their machines. ... > Ethical Hacking at the InfoSec Institute. ... > learn to write exploits and attack security infrastructure. ...
    (Pen-Test)
Quantcast