Re: TweakUI and Security



Group Policy alone should not be used to restrict a user's access to a
computer. Make sure that NTFS permissions do not allow users to write to
places that you do not want them to. In a default installation a user can
write to their user profile under Documents and Settings, the Documents and
Settings\All Users\Shared Documents folder, and the drive/root folder if you
check the special permissions to it. In addition to NTFS you can use
Software Restriction Policies to prevent unauthorized software from being
run, with path/hash/certificate rules and a default security level of
unrestricted or disallowed. The link below explains much more on SRP. When
configuring them, checking the application log for SRP events can help you
tweak SRP rules. Keep in mind that desktop/menu shortcut .lnk files are
by default restricted by SRP in file types.

Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

"David Sharman" <dsharman@xxxxxxxxxxxxxx> wrote in message
news:%23$Ubv3c0GHA.772@xxxxxxxxxxxxxxxxxxxxxxx
Hello All,

I run a small network for the employees' social club of a large company
which consists of 1 Windows Server 2003 SP1 and several client computers
running Windows XP Pro.

The client computers are mainly provided for members of the social club to
pass their downtime such as lunch breaks by surfing the Internet and are
thought to have been severely restricted using GPs so as to prevent
modification of the client computer, networking and server systems and
hopefully to assist in the prevention of computer virus infection and the
installation of illegal software. Members are also prevented from logging
on to the local computer using GP.

Restrictions thought to have been enforced include only granting members
access to their own directories, the Intranet and the Internet and cannot
see the local hard drives, all system control panels hidden except where
only personal choice options are available such as selecting the autotype
feature in Internet Explorer, no access to the command prompt, etc.

From what I can see there is no way to create new folders and store files
on the local computer nor the ability to install unauthorised software but
every so often when I scan the client hard drives they seem to be doing
exactly that!

Of greatest concern is that during one of these scans I came across
"TweakUI".

I think I came across somewhere that TweakUI cannot be prevented from
running on the local computers and that all you can do is ensure
continuing refresh of the active directories group policies.


My question is:

"What settings can I check are in place regarding the relevant GPs within
AD to ensure TweakUI or any similar software cannot be used to break the
integrity of the computer network?"

Thanking you for your assistance

David Sharman
Regional Computer Services
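
One way to carry out the NTFS check the reply describes, as an added PowerShell example that is not part of either poster's message: it lists allow entries that grant anyone other than Administrators or SYSTEM write-type rights on the three default-writable locations the reply names. The paths assume the default Windows XP profile layout on the system drive, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: report who can create or change files in the locations the
# reply lists as user-writable by default. Paths are assumptions based on the
# default XP layout; edit them to match the client image.
$paths = @(
    "$env:SystemDrive\",
    "$env:ALLUSERSPROFILE\Documents",   # shown as "Shared Documents" in Explorer
    $env:USERPROFILE
)

# SIDs that are expected to hold write access: BUILTIN\Administrators, SYSTEM.
$trusted = 'S-1-5-32-544', 'S-1-5-18'

# Rights that allow adding or altering content, plus the generic bits
# (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) that inherit-only
# entries on a drive root can carry and that show up as bare numbers.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    $acl = Get-Acl $path

    # Explicit and inherited rules, returned with SIDs so the comparison
    # against $trusted does not depend on the OS display language.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }

        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.IdentityReference.Value }   # unresolvable SID: show it raw

        [pscustomobject]@{
            Path        = $path
            Identity    = $name
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceFlags    # e.g. ContainerInherit = applies to subfolders
            Propagation = $ace.PropagationFlags    # InheritOnly = not this folder itself
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Entries whose Propagation column shows InheritOnly correspond to the "special permissions" on the drive root: they do not apply to the root itself but to folders created beneath it.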


