Re: I need Ideas on securing a remote Win2k machine
From: Rhynier Myburgh [MSFT] (rhynierm@online.microsoft.com)
Date: 02/12/03
- Next message: Tom Rodman: "free CLI tool to view new Windows 2000 inherited directory-ACLs?"
- Previous message: Eric Chamberlain: "Re: Certificate Services won't start on a new off-line root CA."
- In reply to: Dirk Gently: "Re: I need Ideas on securing a remote Win2k machine"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Rhynier Myburgh [MSFT]" <rhynierm@online.microsoft.com> Date: Wed, 12 Feb 2003 09:44:20 -0800
If you do want to try and explore this solution some more, the following
additional info might help:
1. All a domain administrator has to do is:
i. Create the new Organizational Unit
ii. Move the computer accounts into that OU
iii. Create the group policy objects and link them to that OU (it will
therefore apply to all computers/users in that OU)
iv. Optional: Change the permissions on the OU to make you a delegated
group policy creator/owner
v. Change the permissions on the GPOs to give you full control over
them.
2. Now you can:
i. Run dsa.msc ("Active Directory Users and Computers"), go to the OU
and get to the GPO editor from there.
OR
i. Run mmc.exe, add the "Group Policy Editor" (called "Group Policy
Object Editor" in XP), click on "Browse" and locate your GPO to edit.
ii. Edit your GPOs as described in my previous posting ...
Just remember that a Group Policy Object gets linked to an Organizational
Unit in Active Directory. From there it gets applied to all user and
computer objects in that OU and below. There are obviously rules governing
how multiple GPOs can apply to somebody, but for that you can search for
"Group Policy White Paper" on www.microsoft.com.
All the best with your endeavor,
Rhynier
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Dirk Gently" <dirknews@nycap.rr_REMOVE_ME.com> wrote in message
news:302g4vgbu931i6oa6ru98opcv3a3flaujt@4ax.com...
> Thanks Rhynier,
>
> Sorry for the delay on continuing this discussion - I have been very
> busy with other crises at work....
>
> On Fri, 31 Jan 2003 11:50:05 -0800, "Rhynier Myburgh [MSFT]"
> <rhynierm@online.microsoft.com> wrote:
>
> >Firstly, here are the basic concepts that should help you:
> > * You can apply user group policy settings on a per machine basis
> >(loopback processing).
> > * You can set security filtering on a group policy object.
> > * There are group policy settings to lock down the Start Menu to such an
> >extent that it is virtually unusable :)
> > * You can set a policy to run an application at logon (your kiosk app,
> >maybe).
> > * If all else fails, you can create your own policy to set the registry
> >key controlling the shell.
> >
> >Based on this I would suggest the following:
> >On the kiosk machines:
> > 1. Remove the "Domain Admins" group as a member of the local
> >"Administrators" group.
> > 2. Remember to add your domain account to the local "Administrators"
> >group. You could also create a special "Kiosk Admins" group in the domain
> >and rather add it.
> >
> >In Active Directory:
> > 1. Create a new Organizational Unit for the kiosk computers and move
> >them all into that OU.
>
> Forgive the excessive quoting - but figured it might be relevant.
>
> I do not have domain admin access - so I assume by what you are
> saying, that I must get someone with that access to create a new OU in
> our domain for these computers. (And that the OU comprises computers
> with certain given machine names)
>
> > 4. Create a Group Policy Object linked to this OU and set all the
> >settings you need to lock down these machines.
>
> Is that GPO on each machine - or on the AD? I thought it was on each
> machine, but I'm not so sure. The more I read below, the more it
> suggests that I need to get the domain admin to do a lot of this.
> (Something that I was hoping to avoid - I could spend a lot of time
> configuring the GPO on the local machine... I can mess with it until
> I get it just right... But I don't think I could get domain admins to
> volunteer to do all this extra "non-standard" work. E.g, this is MY
> project, and I don't think that I'll get TONS of help at the remote
> location. I might - but I'd rather not plan on it)
>
> > i. You'll have to obviously find the right set of settings that lock
> >down these machines the way you want.
>
> This part probably won't be a problem for me. (At least if we were
> talking about GPO on the local machine)
>
> [Snip]
>
> >I know that this does not address your problem of restricting who can log
> >onto these machines, but since everybody except you will have only a kiosk
> >experience it should not be a problem. There are a few Computer
>
> Your solution, other than potential work by the domain admin... would
> be fine... I guess I don't have a problem with anyone being able to
> login to the computer - if they were inhibited from doing anything
> other than the application I wanted them to run...
>
> But I apparently might need to keep looking... Unless I can find a
> remote domain admin who wants to really help....
>
> I guess I could go back to just setting up two accounts, and running
> the machine in workstation mode... One account would have admin
> access, and the other would have its shell set to my application.
> I'd rather avoid that, but it might be my only choice for now - since
> I have limited IM support for this endeavor. (Although I haven't yet
> asked - I'm just expecting the worst)
>
> Dirk
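The five domain-admin steps Rhynier lists (create the OU, move the computer accounts, create and link the GPO, delegate the OU, delegate the GPO), together with the loopback-processing and delegation ideas quoted from his earlier posting, as one scripted run. This is an added example, not code from the posting or from Microsoft; it uses the RSAT ActiveDirectory and GroupPolicy PowerShell modules, which post-date Windows 2000 (Windows 7 / Server 2008 R2 and later), so it is a modern rendering of the same procedure. The domain name corp.example / CORP, the OU name "Kiosks", the GPO name "Kiosk Lockdown", the "Kiosk Admins" group and the kiosk computer names are all placeholders.

```powershell
# Added example (not from the original posting). Assumes the RSAT
# ActiveDirectory and GroupPolicy modules, a domain corp.example (NetBIOS
# name CORP) and an existing domain group "Kiosk Admins"; every name below
# is a placeholder, and the kiosk list is a constructed sample.
#Requires -Modules ActiveDirectory, GroupPolicy

$domainDn     = "DC=corp,DC=example"        # assumption
$ouName       = "Kiosks"                    # assumption
$ouDn         = "OU=$ouName,$domainDn"
$gpoName      = "Kiosk Lockdown"            # assumption
$adminGroup   = "Kiosk Admins"              # delegated group, assumption
$adminQual    = "CORP\$adminGroup"          # domain-qualified form for dsacls
$kiosks       = @("KIOSK01", "KIOSK02")     # constructed sample list

# Step i: create the OU (run once, by a domain administrator)
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true
}

# Step ii: move the kiosk computer accounts into the OU
foreach ($name in $kiosks) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $ouDn
}

# Step iii: create the GPO and link it to the OU. The link is what makes it
# apply to every computer (and, with loopback, every user) in the OU and below.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment "Lockdown for kiosk machines" | Out-Null
}
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# Loopback processing: user settings in this GPO apply to whoever logs on
# to a kiosk computer, wherever that user account lives in the directory.
# UserPolicyMode 1 = Merge, 2 = Replace (Replace ignores the user's own GPOs).
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# Step iv (optional): let the kiosk admins manage policy links on the OU.
# Write access to gPLink and gPOptions is what the "Manage Group Policy
# links" delegation grants.
& dsacls $ouDn /G "${adminQual}:RPWP;gPLink" "${adminQual}:RPWP;gPOptions" | Out-Null

# Step v: full control over the GPO itself for the delegated group, so its
# members can edit it from gpedit/GPMC without being domain admins.
Set-GPPermission -Name $gpoName -TargetName $adminGroup -TargetType Group `
    -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

# Checks: what is linked to the OU, and who may read/apply/edit the GPO
Get-GPInheritance -Target $ouDn | Select-Object -ExpandProperty GpoLinks
Get-GPPermission -Name $gpoName -All
```

After the script runs, the delegated group can open the GPO from "Active Directory Users and Computers" or from a Group Policy Object Editor snap-in as described in the posting; `gpresult /r` on a kiosk (after `gpupdate /force`) confirms the GPO is being applied in loopback mode. The two checks at the end show the link on the OU and the permission entries on the GPO, which is how a practitioner verifies steps iii and v without domain-admin rights.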