RE: How to block users from installing other apps
From: Sakaba (Sakaba_at_alexandria.cc)
Date: 07/04/03
- Previous message: jazzmanvibration_at_hotmail.com: "Re: How to block users from installing other apps"
- In reply to: VNV Jeep: "RE: How to block users from installing other apps"
- Next in thread: Dennis Bauer: "RE: How to block users from installing other apps"
- Reply: Dennis Bauer: "RE: How to block users from installing other apps"
To: "VNV Jeep" <vnvjeep@hotmail.com>, <janehan22@yahoo.com>
Date: Fri, 4 Jul 2003 23:15:01 +0900
Not that I disagree with what you are saying, but I think as a caveat it's
important to note that there are a number of tools that run off a simple
floppy and allow the user to reboot their machine and change the local
admin password. Then they simply log in as local admin on the machine and
add their domain account to the local admin group.
Example: http://home.eunet.no/~pnordahl/ntpasswd/
So don't add D-users to the local admin account but don't be surprised if
your more IT aware users do it themselves.
Peace,
sakaba
-----Original Message-----
From: VNV Jeep [mailto:vnvjeep@hotmail.com]
Sent: Friday, July 04, 2003 1:07 AM
To: janehan22@yahoo.com
Cc: focus-ms@securityfocus.com
Subject: RE: How to block users from installing other apps
Jane... I would *HIGHLY* recommend you do not add domain users to the local
Admin group. Bad bad bad, very bad. I agree with your help desk
manager... you don't want to do this. Yes, it will only cause damage to the
local machine, but it could have bigger impacts around your domain...
What can happen?
1.) They can download illegal software & install it.
2.) If you have any software/OS standardization, this will be shot.
3.) They can run & execute viruses, which have the capability to delete
system files in the OS (which they normally can't delete but since they're
admin, anything goes).
4.) By running viruses/trojans, and being successfully executed, they have
the capability to traverse the network and hit other workstations/servers
on the domain.
5.) They can stop & start services.
6.) They can uninstall standard software you may have on there.
7.) They can make network card property changes...
I could go on & on...
It's not hard to manipulate permissions for your apps so that these users
can run under a restricted user account. You don't need filemon/regmon to
do this. (you might in an extremely rare occasion, but have not had to use
them yet). What works 99% of the time is this:
1.) Go into the program files\<appname folder> and give local users modify
rights.
2.) Go into the HKLM\software\<appname folder> and do the same.
That's it.
Good luck,
Mike
|-----Original Message-----
|From: Jane Han [mailto:janehan22@yahoo.com]
|Sent: Thursday, July 03, 2003 11:47 AM
|To: Dennis Bauer; focus-ms@securityfocus.com
|Subject: RE: How to block users from installing other apps
|
|
|Thanks for all help.
|
|I downloaded regmon and filemon and am going to find
|which permissions need to be applied at the reg key and
|file level.
|
|Currently, I have met some resistance from the help desk
|manager, which many changes could be done at users'
|level if we need to change reg and file permissions.
|He challenged me that damage can be caused
|only at the local computer, not at the domain.
|
|If someone can list all damages that are caused by
|assigning domain users to the local administrators
|group, I would greatly appreciate it.
|
|Thanks in advance,
|
|Jane
|
|
|
|--- Dennis Bauer <dbauer@Mines.EDU> wrote:
|> Have you tried regmon and filemon to see what you
|> need to open for users
|> to be able to run the apps?
|>
|>
|> -----Original Message-----
|> From: Jane Han [mailto:janehan22@yahoo.com]
|> Sent: Wednesday, June 25, 2003 2:22 PM
|> To: focus-ms@securityfocus.com
|> Subject: How to block users from installing other
|> apps
|>
|>
|> Due to several customized in-house applications, the
|> users need to be local administrator to launch the
|> applications. Since most users are local
|> admin, they can download and install applications
|> such as games, AOL instant messages...from internet.
|>
|> Is it possible to block users from installing
|> applications through Group Policy in this case? or
|> disable internet explorer?
|>
|> Any solutions or suggestions?
|>
|>
|> Thanks in advance,
|> Jane
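Added example, not part of the original thread: the two ACL steps from Mike's message written in PowerShell, followed by a check of the local Administrators group for the self-added accounts Sakaba's caveat describes. `ExampleApp`, its folder and registry key, and the `EXAMPLE` domain are hypothetical placeholders, and the registry rights used are an assumed equivalent of "modify".

```powershell
#Requires -RunAsAdministrator
# Added example; 'ExampleApp', both paths and 'EXAMPLE' are hypothetical.
$AppDir = Join-Path $env:ProgramFiles 'ExampleApp'
$AppKey = 'HKLM:\SOFTWARE\ExampleApp'

# Well-known SIDs are language-independent:
#   S-1-5-32-545 = BUILTIN\Users, S-1-5-32-544 = BUILTIN\Administrators
$Users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$Admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Step 1: Modify on the application folder, inherited by subfolders and files.
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$fsAcl = Get-Acl -Path $AppDir
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $AppDir -AclObject $fsAcl

# Step 2: the same for the application's HKLM key. The registry has no
# single "Modify" right, so this set is an assumption: read, set values,
# create subkeys and delete, inherited by subkeys.
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Users, 'ReadKey,SetValue,CreateSubKey,Delete',
    'ContainerInherit', 'None', 'Allow')
$regAcl = Get-Acl -Path $AppKey
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $AppKey -AclObject $regAcl

# Audit: report any member of the local Administrators group that is not
# on the expected list (constructed allowlist; adjust per site).
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",
    'EXAMPLE\Domain Admins'
)
$unexpected = Get-LocalGroupMember -SID $Admins |
    Where-Object { $_.Name -notin $Allowed }

if ($unexpected) {
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource
} else {
    'Local Administrators membership matches the allowlist.'
}
```

Granting Modify on the whole folder also lets any local user replace the application's executables, so narrowing the rule to the subfolders the application actually writes to is tighter when those are known.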