Re: restrict software installation
From: Luv 2 Hack (love2hack@hotmail.com)
Date: 05/29/02
From: "Luv 2 Hack" <love2hack@hotmail.com>
To: "Donald Voss" <voss@albany.edu>, <focus-ms@securityfocus.com>, <Gu1tarb0y@aol.com>
Date: Wed, 29 May 2002 01:31:40 -0700
This should help. Take a look:
Fortres 101 is an innovative security agent that resides invisibly between
the computer and the user. A computer sentinel, Fortres 101 monitors each
action the user makes and determines if that action is legal or not. As a
systems administrator for one or one thousand machines, software security is
a must. Protecting not only the software and hardware applications, Fortres
101 also protects time and money by preventing damage to files and programs.
You will no longer waste time re-imaging, ghosting, or reinstalling software
because of accidental or mischievous deletions and errors. Fortres 101
offers you the ability to restrict/block local hard drives and removable
floppy disk drives as well as any local file, folder, or application.
Install Fortres 101 on your Windows 95/98/Me and Windows NT/2000/XP
computers. For users of Windows 3.x, Fortres 101 v2.51d is available.
www.fortres.com
good luck.
Itsme
----- Original Message -----
From: "Donald Voss" <voss@albany.edu>
To: <focus-ms@securityfocus.com>
Sent: Tuesday, May 28, 2002 10:03 AM
Subject: Re: restrict software installation
> There are some win based products that will give you desktop / system
> config control. The trick is you need administrative support .. from
> the top down. Some are fairly simple .. the user gets the desktop,
> can do whatever they want, have an open dir[s] to drop files and are
> very surprised when one reboots the machine and all changes are gone
> .. back to the default setup.
>
> These can be set up to force browser into kiosk mode .. etc.
>
> You could go whole hog and switch to terminal services for everything
> .. non-trivial .. but when done the pc image is small and secure .
> everything runs off the server[s], all data is on servers. Using a
> ghost image type server allows you to rebuild / roll back a unit
> anytime.
>
> I try to keep lab[s] stable from one semester to the next .. approx
> 12 hr days [open use] .. you are talking 24 x 7 .. get the money and
> support to make this a decent setup .. you will need to take the
> desktop/control completely away from the shift users .. you can show
> management the return on this change .. the users will adjust .. be
> open to different options .. do a little reading on zenworks for nt
> by novell. It works. Do not get sucked into us vs them stuff. Go with
> the right tool for the right job.
>
>
> http://www.smartstuff.com/fps/fpsinfo.html
>
> http://www.greyware.com/software/xo/index.asp
>
> /regards,
>
> /don
>
>
>
> On 27 May 2002 at 22:55, Jens Benecke wrote:
>
> > On Fri, May 24, 2002 at 11:26:53AM -0400, Gu1tarb0y@aol.com wrote:
> >
> > > NT 4.0 SP6A STIG'd to NSA guidelines
> > > scenario:
> >
> > Hi,
> >
> > no solution, just a few ideas what we do here, and perhaps you can do
> > something similar.
> >
> > > The big guy wants me to let users surf the net responsibly (yeah
> > > right)) but restrict either their downloading OR AT LEAST the
> > > installation of software from the internet. I have less than 1..
> > > .. "1" so that for many installs, I have to undo that setting to load.
> >
> > I would do something like 'mount -o noexec /home', same for /tmp, as
> > these are usually the only partitions my users have write access to.
> > Preventing users from executing stuff on their home directory and in
> > /tmp will effectively prevent them from running their own programs.
> > Scripts are excluded of course (as long as the script interpreter lies
> > somewhere else).
> >
> > Is there some similar principle in Windows? Can you restrict people to
> > their home directory only, at all? I seem to remember that e.g. MS
> > Office wants write access all over the place, which makes life hard for
> > a secure multi-user environment.
> >
> > > Looking for options, suggestions, places to look. Issue 1: Keep the
> > > installation of unauthorized software at a minimum in a 24x7 shop
> > > where 3 shifts share machines and outages could affect 3 users. I
> > > prefer installation to require admin access. User would then place a
> > > service request for the needed software.
> >
> > Another principle we employ here is 'rsync'. rsync is a free tool that
> > synchronizes directories, files, or block devices (partitions) with an
> > emphasis on 'minimize network transfers'. On booting, the user is given
> > the option to boot normally or to restore a default system image from
> > the network. As only the parts are transferred over the network (and
> > written to disk) that have changed from the network image, this is
> > _really_ fast (usually under a minute for a 20GB harddisk).
> >
> > I assume there is software that is able to do similar things for
> > Windows, although a complete synchronization seems to be again made
> > impossible by unique system and registry keys (the only exceptions we
> > make are a few files in /etc which contain e.g. DHCP hostname, and log
> > files).
> >
> > > Issue 2) Users remove the password protected screensaver option
> > > while logged in. Prior to fielding to users, these settings were
> > > already configured in the registry for default users account and all
> > > existing accounts on the machine. Users manually undo this. If I
> > > remove the display option totally, users cannot customize the font
> > > size to their own visual abilities.
> >
> > Perhaps you can control this via some scripting stuff? On our desktops,
> > we can control almost every setting via DCOP
> > (http://www.google.com/search?q=dcop) commands, which can be used from
> > just about any scripting language there is (XML objects if everything
> > else fails).
> >
> > > option: a)Set NT group profile to remove the screensaver tab from user
> > > display option? b)Other suggestions?
> >
> > Well, these were just some ideas. Perhaps they point you to the right
> > direction. I have some Windows experience, but we don't do Windows here,
> > so I can't give you concrete examples.
> >
> >
> > --
> > mfg, Jens Benecke /// www.hitchhikers.de, www.linuxfaq.de, www.linux.ms
> > This mail is an attachment? Read http://www.jensbenecke.de/misc/outlook.html
> >
>
>
> ___________________________________________
> Donald Voss voss@albany.edu
> Senior Programmer Analyst
>
> Geography and Planning Department, ES218
> The University at Albany
> 1400 Washington Avenue
> Albany, NY, 122222
>
> "Show me a man who enjoyed his school days and I will show you a
> bully and a bore"
>
>
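An added example, not part of the original messages: a small audit for the 'mount -o noexec' idea quoted above, which reads a mount table in /proc/mounts format and reports whether each user-writable directory sits on a mount that carries noexec. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var ext4 rw,relatime 0 0'

# covering_mount TABLE DIR: print "mountpoint options" for the mount holding DIR,
# i.e. the longest mount point that is a path prefix of DIR (later entries win ties).
covering_mount() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"
            # Compare with a trailing slash so /home does not match /homework.
            if (index(dir "/", pre) == 1 && length(mp) >= length(best)) {
                best = mp; opts = $4
            }
        }
        END { if (best != "") print best, opts }'
}

# has_noexec OPTIONS: succeed if the comma-separated option list contains noexec.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_noexec TABLE DIR...: print one OK/MISSING line per directory.
audit_noexec() {
    table=$1; shift
    for dir in "$@"; do
        hit=$(covering_mount "$table" "$dir")
        mp=${hit%% *}
        opts=${hit#* }
        if has_noexec "$opts"; then
            echo "OK      $dir (on $mp)"
        else
            echo "MISSING $dir (on $mp, options: $opts)"
        fi
    done
}

audit_noexec "$SAMPLE_MOUNTS" /home/alice /tmp /var/tmp
```

On a live Linux host the table can be supplied with `audit_noexec "$(cat /proc/mounts)" /home /tmp`. A directory that is not its own mount point, such as /var/tmp in the sample, is reported against the mount that contains it.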