Re: restrict software installation
From: Eduardo Cruz (eduardo.cruz@tsg.com)
Date: 05/27/02
- Previous message: Patrick Andry: "Re: restrict software installation"
- In reply to: Gu1tarb0y@aol.com: "restrict software installation"
- Next in thread: Jens Benecke: "Re: restrict software installation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eduardo Cruz" <eduardo.cruz@tsg.com>
To: <Gu1tarb0y@aol.com>, <focus-ms@securityfocus.com>
Date: Mon, 27 May 2002 17:34:46 +0200
Have you thought about a network-level solution to your issue?
For example:
Put a Linux box in the middle of the connection between the stations and the
router/gateway to the internet, with a filter on its firewall (iptables)
dropping packets that contain, for example, the sentence:
Content-Type: application/self-extracting
or
Content-Type: application/x-zip
or
Content-Type: application/octet-stream (binaries/exe..etc)
So do you get the point? By dropping the packet incoming to the workstation
you disable those types of downloads right away.
regards, edu.
----- Original Message -----
From: <Gu1tarb0y@aol.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, May 24, 2002 5:26 PM
Subject: restrict software installation
> NT 4.0 SP6A STIG'd to NSA guidelines
> scenario
> The big guy wants me to let users surf the net responsibly (yeah right) but restrict
> either their downloading OR AT LEAST the installation of software from the internet.
> I have less than 100 users on NT 4.0 workstations and tried searching the archive
> threads already, but my methods need refining. Due to security restrictions already on
> the workstations, many but not all apps must be loaded by an admin. We have the HKLM\System\ etc...
> 8.3 filename registry set to "1" so that for many installs, I have to undo that setting to load.
>
> These restrictions do not prevent the users from installing all software. Due to original network
> configuration, patch updates are typically sent to the user in the logon.bat. For them to
> access and install, domain users are given access to local admin group on their machines. Most do
> not know this or what it allows. If I take domain users out of the local admin group, then not all
> network drive access is provided at logon.
>
> Looking for options, suggestions, places to look.
> Issue 1: Keep the installation of unauthorized software at a minimum in a 24x7 shop
> where 3 shifts share machines and outages could affect 3 users. I prefer installation
> to require admin access. User would then place a service request for the needed software.
>
> options:
> a) NT policy config: Manage by groups. What would I try to set that would prevent them
> from installing most software.
> b) Use something to filter executable downloads (e.g. SurfControl Web filtering).
> c) Other suggestions?
>
> Issue 2) Users remove the password protected screensaver option while logged in. Prior to
> fielding to users, these settings were already configured in the registry for default users
> account and all existing accounts on the machine. Users manually undo this. If I remove
> the display option totally, users cannot customize the font size to their own visual
> abilities.
>
> option:
> a) Set NT group profile to remove the screensaver tab from user display option?
> b) Other suggestions?
>
> TIA
>
> Jim McFarlen
>
>
>
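An added example (not part of the original post) that models the per-packet string match suggested in the reply next to a check on the reassembled HTTP response headers, to show where the two disagree. The function names and all sample packets are constructed for this illustration.

```python
# Added example; every packet below is constructed sample data.
BLOCKED = (b"application/self-extracting", b"application/x-zip",
           b"application/octet-stream")

def packet_match(payload: bytes) -> bool:
    """Per-packet rule as described in the reply: raw, case-sensitive
    substring search for 'Content-Type: <type>' anywhere in one packet."""
    return any(b"Content-Type: " + t in payload for t in BLOCKED)

def header_match(stream: bytes) -> bool:
    """Stream-level check (what a filtering proxy can do): reassemble the
    response, parse only the header block, compare the media type."""
    head, _, _body = stream.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-type":
            return value.split(b";")[0].strip().lower() in BLOCKED
    return False

def compare(segments):
    """Return (dropped by per-packet rule, blocked by header check)."""
    return (any(packet_match(s) for s in segments),
            header_match(b"".join(segments)))

ZIP = [b"HTTP/1.1 200 OK\r\nContent-Type: application/x-zip\r\n\r\nPK\x03\x04"]
HTML = [b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hello</p>"]
# Header names are case-insensitive in HTTP, so a server may send this form.
LOWER = [b"HTTP/1.1 200 OK\r\ncontent-type: application/x-zip\r\n\r\nPK\x03\x04"]
# The same header falling across a TCP segment boundary.
SPLIT = [b"HTTP/1.1 200 OK\r\nContent-Ty",
         b"pe: application/x-zip\r\n\r\nPK\x03\x04"]
# An HTML page that merely quotes the header text in its body.
QUOTED = [b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          b"<pre>Content-Type: application/octet-stream</pre>"]

SAMPLES = {"zip": ZIP, "html": HTML, "lowercase": LOWER,
           "split": SPLIT, "quoted-in-body": QUOTED}

if __name__ == "__main__":
    for label, segs in SAMPLES.items():
        per_packet, per_stream = compare(segs)
        print(f"{label:15} per-packet={per_packet!s:5} header-check={per_stream}")
```

The last three samples are the cases to weigh before deploying the packet rule: two downloads it lets through and one ordinary HTML page it would drop.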