Re: Windows 2K Security Questions

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/26/04 

Date: Fri, 26 Nov 2004 03:53:09 GMT

You can do much of you want with Group Policy. Go to user configuration
administrative templates/system. For instance you can disable registry
settings and command prompt there and restrict the user to run only allowed
Windows applications. Be sure to read the full explanation of any setting
before enabling. You can also use ntfs permissions to restrict where a user
can write files to and what applications a user can execute. If you restrict
access to the root/drive folder to read/list/execute the only other place a
user can write to is their user's profile under documents and settings and
parts of the all user's profile which you can restrict also if need be. You
can log attempts to run applications by enabling auditing of object access
and then auditing executables for execute access and/or auditing of process
tracking. Both of those could generate thousands of events in the security
log, though you could try enabling auditing of process tracking for failure
only which may be a less thorough but more effective way to go. If you can
accomplish what you want with startup applications via Group Policy
"startup" scripts you may be able to start the program without the user
needing access to command prompt and such. Startup scripts however are
computer configuration and are not user specific but run in system
text. --- Steve

"Robert Paris" <rpjava@hotmail.com> wrote in message
news:OBOvIyp0EHA.3820@TK2MSFTNGP11.phx.gbl...
>I am looking for how I can do the following on Win2K:
>
> 1. Disable a User's ability to write to/edit the registry
> (Actually disable for all but Administrator)
>
> 2. Disable user's ability to write files to all but one folder
>
> 3. Disable user's ability to execute any program except for a few that I
> specify
> (And can I log attempts to run/execute programs?)
>
> 4. In disabling cmd.exe, can I set up only two programs to run (on
> startup)
> in command prompts (with RunAs service) - they're java programs - and
> still
> keep all other java programs and the user from being able to do anything
> in
> command prompt?
>
> Answers to any of these questions would be greatly appreciated. Any
> pointers
> to further resources would be great too! Thanks!
>
>

Relevant Pages

  • Re: Service Auto Start Problems in PPC2003
    ... Because as I said I can use activateservice and it works ... Inside the init function I have a logging statement that logs if the ... Nothing shows up on startup but when I do the ... > used your registry settings and they loaded fine for me on startup. ...
    (microsoft.public.pocketpc.developer)
  • Re: Configuring start up on XP Pro
    ... HKEY_LOCAL_MACHINE applies to the whole machine and not to individual users. ... Use HKEY_CURRENT_USER startup program settings for per user settings. ... Startup Control Panel is another pretty good application. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: BLUE SCREEN OF DEATH ON BOOT
    ... red-flagged error records that correspond to the date and time of your ... Also open Control Panel - System - Advanced and click on the Settings ... button in the Startup and Recovery section. ... and Recovery window click on the checkbox for "automatically restart" ...
    (microsoft.public.windowsxp.setup_deployment)
  • Re: Dial-up in XP Pro not available?! HELP!!!
    ... Open a command prompt, type the following commands and post the results ... It won't even start dialling as if modem wasn't there. ... Even in Network Settings and Connections, ...
    (microsoft.public.windowsxp.network_web)
  • Re: Local Group Policy
    ... This creates a bootable disk, that will run independently of the hard disk. ... You can also run Command Prompt, Regedit and other utilities directly from the GUI. ... >>> through and setting my GPO settings that i was locking my admin>>> account down ...
    (microsoft.public.windowsxp.security_admin)