Re: I need Ideas on securing a remote Win2k machine
From: Ralph D. Worgul (rworgul@hotmail.com)
Date: 01/31/03
From: "Ralph D. Worgul" <rworgul@hotmail.com> Date: Thu, 30 Jan 2003 21:18:22 -0700
Hi Dirk,
A couple of ideas come to mind, but I am not sure if you have thought of
those or not.
a. Use Loop Processing to ensure that the machine policy will always be
applied.
b. If memory serves correctly, there is something available in the resource kit
to automatically remove local profiles, but I guess this could also be
done through a scheduled batch file.
c. Filter any GPO to avoid them being applied to the "administrator"
account.
The following link may also be helpful, since it talks about specific
implementation scenarios including yours
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/grppolsc.asp
Hope this helps
Ralph D. Worgul
"Dirk Gently" <dirknews@nycap.rr_REMOVE_ME.com> wrote in message
news:auej3vs0be922omufo426101fltqm2cddq@4ax.com...
> Hey folks,
>
> I'm trying to put together a type of secure "Kiosk", where remote
> users will be able to run a specific application, and only have access
> to that app. I would probably set up that application as their shell,
> unless I can find another configurable secure "shell" that will allow
> me to just specify a few apps to run.
>
> Anyway - to the root of my difficulty. We run in a domain
> environment, and in general - anyone who has an account on that
> domain, can logon to that PC and create a profile. I want to find a
> way to limit that. (I personally will be accessing this remote PC via
> PC Anywhere public-key encryption, across our intranet)
>
> I could run the machine as a workstation, not logged into the domain -
> and just remotely administer individual accounts, but I've seen
> recommendations against that, suggesting the domain approach is more
> secure. (Although it does give domain admins full access to that
> machine, which I also don't really like)
>
> What I'm looking for is ideas on how to control what people can login
> to that machine, so that only domain accounts I "grant" access to, can
> login. I'd also like to entertain ideas on how I can restrict new
> account access to a special shell - while the main admin accounts (me)
> have the normal shell. The investigating I have done has left me with
> few solutions... gpedit basically would apply to all accounts - and I
> clearly want some accounts to have full access to that machine and
> its resources.
>
> One thought I had was to replace the default explorer shell, and hence
> all new users created would automatically boot into that program I am
> looking to lock people into. (And manually set the admin accounts to
> a custom shell - which just happens to be a renamed windows explorer
> shell)
>
> Thanks for reading
>
> Dirk