Re: I need Ideas on securing a remote Win2k machine

From: Dirk Gently (dirknews@nycap.rr_REMOVE_ME.com)
Date: 01/31/03


From: Dirk Gently <dirknews@nycap.rr_REMOVE_ME.com>
Date: Fri, 31 Jan 2003 17:38:31 GMT


Hey Ben & Ralph,

Thanks for the comments.

I'm a novice at group policy, but I will investigate further in the
next couple of days. So forgive me for the newbie-type comment
here...

But I had thought that group policy was really going to apply that
policy to all accounts on the machine, and there was no real way to
apply different security or system options, based on a different group
that a person belongs to.

Am I way off base here? I did do research online, but didn't find any
information that really suggested I could set the "Users" group for
instance to have one particular shell. I haven't yet checked out
Ralph's URLs he posted - I will later on tonight when I have more
time. But if anyone has any other specific places that I could learn
about this, I would sure appreciate the advice.

Take care - and thanks again!

Dirk

On Thu, 30 Jan 2003 22:42:13 -0800, "Benn Wolff"
<Benn_Wolff@CIRI-hotmail.com> wrote:

>I would use group policy
>make a group policy temp &
>then make a users group ( non admins )
>use group policy setting to secure the users group.
>lock down what you want to !
>add the users you need to lock down to the above users group!
>
>
>"Ralph D. Worgul" <rworgul@hotmail.com> wrote in message
>news:#42KS#NyCHA.1420@TK2MSFTNGP12...
>> Hi Dirk,
>>
>> a couple of ideas come to mind, but I am not sure if you have thought of
>> those or not.
>>
>> a. Use Loop Processing to ensure that the machine policy will always be
>> applied.
>> b. If memory serves correctly there is something available on the resource
>> kit to automatically remove local profiles, but I guess this could also be
>> done through a scheduled batch file
>> c. filter any GPO to avoid them being applied to the "administrator"
>> account.
>>
>> The following link may also be helpful, since it talks about specific
>> implementation scenarios including yours
>>
>> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/grppolsc.asp
>>
>> Hope this helps
>>
>> Ralph D. Worgul
>>
>> "Dirk Gently" <dirknews@nycap.rr_REMOVE_ME.com> wrote in message
>> news:auej3vs0be922omufo426101fltqm2cddq@4ax.com...
>> > Hey folks,
>> >
>> > I'm trying to put together a type of secure "Kiosk", where remote
>> > users will be able to run a specific application, and only have access
>> > to that app. I would probably set up that application as their shell,
>> > unless I can find another configurable secure "shell" that will allow
>> > me to just specify a few apps to run.
>> >
>> > Anyway - to the root of my difficulty. We run in a domain
>> > environment, and in general - anyone who has an account on that
>> > domain, can logon to that PC and create a profile. I want to find a
>> > way to limit that. (I personally will be accessing this remote PC via
>> > PC Anywhere public-key encryption, across our intranet)
>> >
>> > I could run the machine as a workstation, not logged into the domain -
>> > and just remotely administer individual accounts, but I've seen
>> > recommendations against that, suggesting the domain approach is more
>> > secure. (Although it does give domain admins full access to that
>> > machine, which I also don't really like)
>> >
>> > What I'm looking for is ideas on how to control what people can login
>> > to that machine, so that only domain accounts I "grant" access to, can
>> > login. I'd also like to entertain ideas on how I can restrict new
>> > account access to a special shell - while the main admin accounts (me)
>> > have the normal shell. The investigating I have done has left me with
>> > few solutions... gpedit basically would apply to all accounts - and I
>> > clearly want some accounts to have full access to that machine and
>> > its resources.
>> >
>> > One thought I had was to replace the default explorer shell, and hence
>> > all new users created would automatically boot into that program I am
>> > looking to lock people into. (And manually set the admin accounts to
>> > a custom shell - which just happens to be a renamed windows explorer
>> > shell)
>> >
>> > Thanks for reading
>> >
>> > Dirk
>>
>>
>


