Re: restrict software installation

From: "Donald Voss" <voss@albany.edu>
To: focus-ms@securityfocus.com
Date: Tue, 28 May 2002 13:03:53 -0400

There are some win based products that will give you desktop / system
config control. The trick is you need administrative support .. from
the top down. Some are fairly simple .. the user gets the desktop,
can do whatever they want, have an open dir[s] to drop files and are
very surprised when one reboots the machine and all changes are gone
.. back to the default setup.

These can be set up to force the browser into kiosk mode .. etc.

You could go whole hog and switch to terminal services for everything
.. non-trivial .. but when done the PC image is small and secure.
Everything runs off the server[s], all data is on servers. Using a
ghost image type server allows you to rebuild / roll back a unit
anytime.

I try to keep lab[s] stable from one semester to the next .. approx
12 hr days [open use] .. you are talking 24 x 7 .. get the money and
support to make this a decent setup .. you will need to take the
desktop/control completely away from the shift users .. you can show
management the return on this change .. the users will adjust .. be
open to different options .. do a little reading on ZENworks for NT
by Novell. It works. Do not get sucked into us vs them stuff. Go with
the right tool for the right job.

http://www.smartstuff.com/fps/fpsinfo.html

http://www.greyware.com/software/xo/index.asp

/regards,

/don

On 27 May 2002 at 22:55, Jens Benecke wrote:

> On Fri, May 24, 2002 at 11:26:53AM -0400, Gu1tarb0y@aol.com wrote:
>
> > NT 4.0 SP6A STIG'd to NSA guidelines
> > scenario:
>
> Hi,
>
> no solution, just a few ideas what we do here, and perhaps you can do
> something similar.
>
> > The big guy wants me to let users surf the net responsibly (yeah
> > right)) but restrict either their downloading OR AT LEAST the
> > installation of software from the internet. I have less than 1..
> > .. "1" so that for many installs, I have to undo that setting to load.
>
> I would do something like 'mount -o noexec /home', same for /tmp, as
> these are usually the only partitions my users have write access to.
> Preventing users from executing stuff on their home directory and in
> /tmp will effectively prevent them from running their own programs.
> Scripts are excluded of course (as long as the script interpreter lies
> somewhere else).
>
> Is there some similar principle in Windows? Can you restrict people to
> their home directory only, at all? I seem to remember that e.g. MS
> Office wants write access all over the place, which makes life hard for
> a secure multi-user environment.
>
> > Looking for options, suggestions, places to look. Issue 1: Keep the
> > installation of unauthorized software at a minimum in a 24x7 shop
> > where 3 shifts share machines and outages could affect 3 users. I
> > prefer installation to require admin access. User would then place a
> > service request for the needed software.
>
> Another principle we employ here is 'rsync'. rsync is a free tool that
> synchronizes directories, files, or block devices (partitions) with an
> emphasis on 'minimize network transfers'. On booting, the user is given
> the option to boot normally or to restore a default system image from
> the network. As only the parts are transferred over the network (and
> written to disk) that have changed from the network image, this is
> _really_ fast (usually under a minute for a 20GB hard disk).
>
> I assume there is software that is able to do similar things for
> Windows, although a complete synchronization again seems to be made
> impossible by unique system and registry keys (the only exceptions we
> make are a few files in /etc which contain e.g. the DHCP hostname, and log
> files).
>
> > Issue 2) Users remove the password protected screensaver option
> > while logged in. Prior to fielding to users, these settings were
> > already configured in the registry for the default user account and all
> > existing accounts on the machine. Users manually undo this. If I
> > remove the display option totally, users cannot customize the font
> > size to their own visual abilities.
>
> Perhaps you can control this via some scripting stuff? On our desktops,
> we can control almost every setting via DCOP
> (http://www.google.com/search?q=dcop) commands, which can be used from
> just about any scripting language there is (XML objects if everything
> else fails).
>
> > option: a) Set NT group profile to remove the screensaver tab from user
> > display option? b) Other suggestions?
>
> Well, these were just some ideas. Perhaps they point you to the right
> direction. I have some Windows experience, but we don't do Windows here,
> so I can't give you concrete examples.
>
>
> --
> mfg, Jens Benecke /// www.hitchhikers.de, www.linuxfaq.de, www.linux.ms
> This mail is an attachment? Read http://www.jensbenecke.de/misc/outlook.html
>

___________________________________________
Donald Voss voss@albany.edu
Senior Programmer Analyst

Geography and Planning Department, ES218
The University at Albany
1400 Washington Avenue
Albany, NY, 122222

"Show me a man who enjoyed his school days and I will show you a
bully and a bore"
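An added example, not written by anyone in this thread, that audits the noexec principle Jens describes above (mount /home and /tmp with noexec) by parsing mount-table lines in /proc/mounts format. The mount table embedded below is constructed; pass `"$(cat /proc/mounts)"` as the table argument to audit a real Linux host.

```shell
#!/bin/sh
# Constructed sample mount table in /proc/mounts format:
#   device mountpoint fstype options dump pass
# Here /home carries noexec but /tmp does not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# has_opt MOUNTPOINT OPTION [TABLE]
# Exit 0 if the given mount point carries the given mount option.
has_opt() {
    mp=$1; opt=$2; table=${3:-$SAMPLE_MOUNTS}
    printf '%s\n' "$table" | awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# audit_noexec [TABLE]
# Report, for each user-writable mount point, whether noexec is set.
# Note the caveat from the thread: noexec only stops the kernel from
# executing files on that mount directly; a script can still be fed to
# an interpreter that lives elsewhere (e.g. "sh /tmp/script").
audit_noexec() {
    table=${1:-$SAMPLE_MOUNTS}
    for mp in /home /tmp; do
        if has_opt "$mp" noexec "$table"; then
            echo "$mp: noexec"
        else
            echo "$mp: MISSING noexec"
        fi
    done
}
```

Run `audit_noexec "$(cat /proc/mounts)"` on a Linux host to check its real mount table instead of the sample.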

