Re: I need Ideas on securing a remote Win2k machine

From: Benn Wolff (Benn_Wolff@CIRI-hotmail.com)
Date: 01/31/03

• Next message: Jacy Grant: "How to monitor who (IP) log on/off?"
• Previous message: neo techopolis: "Re: ANNOUNCEMENT: New SQL Server security tool - SQL Server 2000 Scan Tool"
• In reply to: Ralph D. Worgul: "Re: I need Ideas on securing a remote Win2k machine"
• Next in thread: Dirk Gently: "Re: I need Ideas on securing a remote Win2k machine"
• Reply: Dirk Gently: "Re: I need Ideas on securing a remote Win2k machine"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Benn Wolff" <Benn_Wolff@CIRI-hotmail.com>
Date: Thu, 30 Jan 2003 22:42:13 -0800

i would use group policy
make a group policy temp &
then make a users group ( non admins )
use group policy setting to secure the users group.
lock down what you want to !
add the users you need to look down to the above users group!

"Ralph D. Worgul" <rworgul@hotmail.com> wrote in message
news:#42KS#NyCHA.1420@TK2MSFTNGP12...
> Hi Dirk,
>
> a couple of ideas come to mind, but I am not sure if you have thought of
> those or not.
>
> a. Use Loop Processing to ensure that the machine policy will always be
> applied.
> b. Memory serves correctly there is something available on the resource
kit
> to automatically remove local profiles, but I get guess this could also be
> done through a schedule batch file
> c. filter any GPO to avoid them being applied to the "administrator"
> account.
>
> The following link may also be helpful, since it talks about specific
> implementation scenarios including yours
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
> ol/windows2000serv/deploy/confeat/grppolsc.asp
>
> Hope this helps
>
> Ralph D. Worgul
>
> "Dirk Gently" <dirknews@nycap.rr_REMOVE_ME.com> wrote in message
> news:auej3vs0be922omufo426101fltqm2cddq@4ax.com...
> > Hey folks,
> >
> > I'm trying to put together a type of secure "Kiosk", where remote
> > users will be able to run a specific application, and only have access
> > to that app. I would probably setup that application as their shell,
> > unless I can find another configureable secure "shell" that will allow
> > me to just specify a few apps to run.
> >
> > Anyway - to the root of my difficulty. We run in a domain
> > environment, and in general - anyone who has an account on that
> > domain, can logon to that PC and create a profile. I want to find a
> > way to limit that. (I personally will be accessing this remote PC via
> > PC Anywhere public-key encryption, across our intranet)
> >
> > I could run the machine as a workstation, not logged into the domain -
> > and just remotely administer individual accounts, but I've seen
> > recomendations against that, suggesting the domain approach is more
> > secure. (Although it does give domain admins full access to that
> > machine, which I also don't really like)
> >
> > What I'm looking for is ideas on how to control what people can login
> > to that machine, so that only domain accounts I "grant" access to, can
> > login. I'd also like to entertain ideas on how I can restrict new
> > account access to a special shell - while the main admin accounts (me)
> > have the normal shell. The investigating I have done has left me with
> > few solutions... gpedit basically would apply to all accounts - and I
> > clearly want some accounts to have full access to that machine and
> > it's resources.
> >
> > One thought I had was to replace the default explorer shell, and hence
> > all new users created would automatically boot into that program I am
> > looking to lock people into. (And manually set the admin accounts to
> > a custom shell - which just happens to be a renamed windows explorer
> > shell)
> >
> > Thanks for reading
> >
> > Dirk
>
>

---

• Next message: Jacy Grant: "How to monitor who (IP) log on/off?"
• Previous message: neo techopolis: "Re: ANNOUNCEMENT: New SQL Server security tool - SQL Server 2000 Scan Tool"
• In reply to: Ralph D. Worgul: "Re: I need Ideas on securing a remote Win2k machine"
• Next in thread: Dirk Gently: "Re: I need Ideas on securing a remote Win2k machine"
• Reply: Dirk Gently: "Re: I need Ideas on securing a remote Win2k machine"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: I need Ideas on securing a remote Win2k machine ... Hey Ben & Ralph, ... I'm a novice at group policy, but I will investigate further in the ... I would probably setup that application as their shell, ... >>> and just remotely administer individual accounts, ... (microsoft.public.win2000.security) Re: Administrator restricted - Control Panel Missing ... If you did not specifically set up Group Policy to restrict access to ... The command net users will display user accounts and net user username will ... type of administrator. ... the control panel was missing. ... (microsoft.public.windowsxp.security_admin) RE: Deny Log on Locally to some accounts through GPO ... Microsoft Windows Operating System Group Policy Result tool v2.0 ... Disable RDP Application Accounts ... Filtering: Not Applied ... This list only includes links in the domain of the GPO. ... (microsoft.public.windows.server.active_directory) Re: Deny Log on Locally to some accounts through GPO ... accounts reside... ... We also created a GPO named "Disable RDP Application Accounts". ... Microsoft Windows XP Operating System Group Policy Result tool ... Filtering: Not Applied ... (microsoft.public.windows.server.active_directory) Re: debugger user autochange ... One possibility could be that Group Policy Restricted Groups are being ... applied to the computers in question. ... I think I failed to convey the problem clearly - the user accounts ... domain/userxyz assigned to the administrator group. ... (microsoft.public.windowsxp.security_admin)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)