Re: Security on student's workstations?
From: Steven L Umbach (n9rou@attbi.com)
Date: 03/26/03
From: "Steven L Umbach" <n9rou@attbi.com> Date: Wed, 26 Mar 2003 00:35:30 GMT
That is true. Windows XP/2003 is much more capable in that regard.

Keep in mind that Group Policy hides a lot from the user, but a determined
user may be able to bypass a lot of the Group Policy lockdown if that
alone is used. Do not make the students administrators or even power users
unless absolutely necessary.

Access to boot devices will allow a user to crack/change the administrator
password or install another operating system, etc. Be sure to make the hard
drive first in the boot order, password protect CMOS, lock the case, disable
CD-ROM autorun, and disable any unneeded ports in CMOS - have you seen those
cute finger-size USB drives??

Regular users will be restricted from installing most software - but not all
(if it does not write to systemroot, I believe). Change permissions on the
root drive to administrators full and authenticated users read/list/execute
to start, and tweak from there. Consider implementing NTFS disk quota and
allow reasonable space for normal use. You can use the internet zones feature
in Internet Explorer to disable file downloads or restrict downloads to
certain sites; of course, that will only disable downloads using IE. In
security options you can disable install of unsigned software/drivers.

If remote management or file sharing of these computers is not needed, then
disable the server service. That will stop them from sharing folders and
trying to manage other users' computers. Services to consider disabling if
not needed are - messenger (stops net send messages), alerter, remote access
connections, remote registry service, IIS admin service, telnet, SMTP, SNMP
(if present), FTP publishing, www, and NetMeeting. This is by no means a
complete list, but a good start, and document any changes so that you can
easily go back to default for troubleshooting.

Run MBSA for a good idea on how secure a computer is. It will also recommend
services to disable. A firewall with outbound access will do wonders for you
if internet connection is needed. You would be able to block most of those
file sharing/chat/ftp programs from working even if they were able to
install one.

Good luck. --- Steve
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B320454
"Mike" <nugget-NOSPAM@chello.se> wrote in message
news:DPSfa.28796$oe.37805@amstwist00...
> Thanks!
>
> However, as far as I know there's no real good way to disable/allow
> programs with Group Policies - one must allow/disallow filenames (such as
> "notepad.exe") but that would still not prevent the user from renaming a
> program they've downloaded and running it as "notepad.exe".
>
> Or am I missing something here?
>
>
> "Fred Baumhardt [MSFT]" <fredbaum@microsoft.com> wrote in message
> news:#TCwPQm8CHA.2376@TK2MSFTNGP10.phx.gbl...
> > Ummm - Group Policy - Group Policy - Group Policy :)
> >
> > Download and read the Windows 2000 security operations guide from
> > MSDN.microsoft.com/practices
> >
> > Simply put you want to use group policy to restrict groups, services,
> > NTFS, Registry Key, and Security settings. In addition you can use the
> > admin template to restrict all sorts of executables. Note - it is easier
> > to come up with a list of what you want to run, rather than try to come
> > up with an ever changing list of what you don't. If you have any XP
> > desktops as well as your 2K machines you can use software restriction
> > policy - which takes the execution restriction one step further.
> >
> > Fred
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> > "Mike" <nugget-NOSPAM@chello.se> wrote in message
> > news:YxKfa.28625$oe.37158@amstwist00...
> > > Hi everyone,
> > >
> > > I'm currently working with securing a high school's student
> > > workstations and I'm just wondering if there are any good tips on how
> > > to secure Windows 2000 Pro clients for things such as these:
> > >
> > > - Only allow certain software to run, and disallow students to run
> > > stand-alone executables, for example.
> > > - NTFS security on local disks, for "normal" software like Office
> > > 2000. What is needed by a minimum?
> > > - What services can safely be stopped?
> > >
> > > And stuff similar to this. If you are interested we run Office 2000, a
> > > few Macromedia programs and a few Adobe programs mostly.
> > >
> > > Are there any good guidelines for setting up clients in schools? Any
> > > information, URLs, or answers directly to this NG would be most
> > > appreciated!
> > >
> > > Regards,
> > > Mike
> > >
> > >
> >
> >
>
>
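
The renaming problem Mike describes in the quoted message, next to the hash rules that software restriction policy (which Fred mentions for XP) offers as one of its rule types, modelled here as an added example that is not part of the original thread. The file contents, the names other than "notepad.exe", and the use of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import os
import shutil
import tempfile

def digest(path):
    """SHA-256 of the file contents; the file name plays no part."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def allowed_by_name(path, names):
    """Filename rule: only the base name is compared."""
    return os.path.basename(path).lower() in names

def allowed_by_hash(path, hashes):
    """Hash rule: only the contents are compared."""
    return digest(path) in hashes

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)
    return path

def run_demo():
    """Evaluate both rule types over constructed sample files."""
    work = tempfile.mkdtemp()
    try:
        student = os.path.join(work, "student")
        os.mkdir(student)
        # Constructed stand-ins, not real executables.
        approved = write(os.path.join(work, "notepad.exe"), b"approved program bytes")
        download = write(os.path.join(student, "download.exe"), b"unapproved download bytes")
        # Same unapproved bytes under an allowed name.
        renamed = shutil.copyfile(download, os.path.join(student, "notepad.exe"))
        # Approved bytes under a name nobody listed.
        copied = shutil.copyfile(approved, os.path.join(student, "editor.exe"))
        names = {"notepad.exe"}
        hashes = {digest(approved)}
        files = {"approved": approved, "download": download, "renamed": renamed, "copied": copied}
        return {k: (allowed_by_name(p, names), allowed_by_hash(p, hashes)) for k, p in files.items()}
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    for label, (by_name, by_hash) in run_demo().items():
        print(f"{label:9} name rule: {by_name!s:5} hash rule: {by_hash}")
```

A hash rule has to be refreshed whenever an approved program is patched, because its contents and therefore its digest change.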