Re: I need Ideas on securing a remote Win2k machine
From: Dirk Gently (dirknews@nycap.rr_REMOVE_ME.com)
Date: 02/10/03
- Next message: Wayne: "File Integrety Checker"
- Previous message: Russ: "Re: Benefits and drawbacks of password complexity"
- Next in thread: Rhynier Myburgh [MSFT]: "Re: I need Ideas on securing a remote Win2k machine"
- Reply: Rhynier Myburgh [MSFT]: "Re: I need Ideas on securing a remote Win2k machine"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Dirk Gently <dirknews@nycap.rr_REMOVE_ME.com> Date: Mon, 10 Feb 2003 20:25:35 GMT
Thanks Rhynier,
Sorry for the delay on continuing this discussion - I have been very
busy with other crises at work....
On Fri, 31 Jan 2003 11:50:05 -0800, "Rhynier Myburgh [MSFT]"
<rhynierm@online.microsoft.com> wrote:
>Firstly, here are the basic concepts that should help you:
> * You can apply user group policy settings on a per machine basis
>(loopback processing).
> * You can set security filtering on a group policy object.
> * There are group policy settings to lock down the Start Menu to such an
>extent that it is virtually unusable :)
> * You can set a policy to run an application at logon (your kiosk app,
>maybe).
> * If all else fails, you can create your own policy to set the registry
>key controlling the shell.
>
>Based on this I would suggest the following:
>On the kiosk machines:
> 1. Remove the "Domain Admins" group as a member of the local
>"Administrators" group.
> 2. Remember to add your domain account to the local "Administrators"
>group. You could also create a special "Kiosk Admins" group in the domain
>and rather add it.
>
>In Active Directory:
> 1. Create a new Organizational Unit for the kiosk computers and move
>them all into that OU.
Forgive the excessive quoting - but figured it might be relevant.
I do not have domain admin access - so I assume by what you are
saying, that I must get someone with that access to create a new OU in
our domain for these computers. (And that the OU comprises computers
with certain given machine names.)
> 4. Create a Group Policy Object linked to this OU and set all the
>settings you need to lock down these machines.
Is that GPO on each machine - or on the AD? I thought it was on each
machine, but I'm not so sure. The more I read below, the more it
suggests that I need to get the domain admin to do a lot of this.
(Something that I was hoping to avoid - I could spend a lot of time
configuring the GPO on the local machine... I can mess with it until
I get it just right... But I don't think I could get domain admins to
volunteer to do all this extra "non-standard" work. E.g., this is MY
project, and I don't think that I'll get TONS of help at the remote
location. I might - but I'd rather not plan on it)
> i. You'll have to obviously find the right set of settings that lock
>down these machines the way you want.
This part probably won't be a problem for me. (At least if we were
talking about GPO on the local machine)
[Snip]
>I know that this does not address your problem of restricting who can log
>onto these machines, but since everybody except you will have only a kiosk
>experience it should not be a problem. There are a few Computer
Your solution, other than potential work by the domain admin... would
be fine... I guess I don't have a problem with anyone being able to
login to the computer - if they were inhibited from doing anything
other than the application I wanted them to run...
But I apparently might need to keep looking... Unless I can find a
remote domain admin who wants to really help....
I guess I could go back to just setting up two accounts, and running
the machine in workstation mode... One account would have admin
access, and the other would have its shell set to my application.
I'd rather avoid that, but it might be my only choice for now - since
I have limited IM support for this endeavor. (Although I haven't yet
asked - I'm just expecting the worst)
Dirk
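The two-account fallback Dirk mentions (the admin account keeps the normal shell, the kiosk account gets the application as its shell) as an added PowerShell example, not code from the thread or from Microsoft; it assumes a placeholder application path C:\Kiosk\KioskApp.exe and that it runs inside the kiosk user's own session, so HKCU is that user's hive. PowerShell postdates Windows 2000, so this is a present-day illustration of the same registry values Rhynier refers to.

```powershell
# Added example (not from the thread): set the kiosk user's shell to the
# application and audit which shell value actually applies to this user.
# Assumption: C:\Kiosk\KioskApp.exe is a placeholder; run this as the kiosk
# user, never as the admin account, so explorer.exe stays the admin's shell.

$MachineWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UserWinlogon    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UserPolicy      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-KioskShell {
    param([Parameter(Mandatory)][string]$AppPath)
    if (-not (Test-Path -LiteralPath $AppPath)) {
        throw "Kiosk application not found: $AppPath"
    }
    # This is the registry value behind the "Custom user interface" policy.
    # Because it lives under a Policies key, a domain GPO linked to the
    # computer's OU (with loopback processing) can overwrite it at refresh.
    if (-not (Test-Path $UserPolicy)) { New-Item -Path $UserPolicy -Force | Out-Null }
    Set-ItemProperty -Path $UserPolicy -Name 'Shell' -Value $AppPath -Type String
}

function Get-EffectiveShell {
    # Read every location a shell can be set; the policy value takes
    # precedence, then the per-user Winlogon value, then the machine default.
    $policy  = (Get-ItemProperty -Path $UserPolicy -Name Shell -ErrorAction SilentlyContinue).Shell
    $user    = (Get-ItemProperty -Path $UserWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    $machine = (Get-ItemProperty -Path $MachineWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    $effective = if ($policy) { $policy } elseif ($user) { $user } else { $machine }
    [pscustomobject]@{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        PolicyShell    = $policy
        UserShell      = $user
        MachineShell   = $machine
        EffectiveShell = $effective
        # True only when something other than Explorer will be launched at logon
        IsLockedDown   = ($null -ne $effective -and $effective -notmatch 'explorer\.exe')
    }
}

# Lock down the current (kiosk) account, then show what will run at logon.
Set-KioskShell -AppPath 'C:\Kiosk\KioskApp.exe'
Get-EffectiveShell | Format-List
```

Run Get-EffectiveShell again in the admin account's session to confirm it still reports explorer.exe; if a domain GPO later replaces the policy value, the audit output is where that shows up.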