Re: Block AOL Inst. Messenger???
From: Steven L Umbach (n9rou@attbi.com)
Date: 04/05/03
From: "Steven L Umbach" <n9rou@attbi.com> Date: Sat, 05 Apr 2003 02:40:33 GMT
Hi Jon. There are a couple more things that may help. First the
workstation must be secure in that the case is locked, the cmos is password
protected, the hard drive is first in boot order, autorun is disabled for
cdrom, and usb ports are disabled in cmos if they are not needed. The case
lock is so that the cover can not be removed so that the battery can be
momentarily unhooked or the cmos jumper is used to reset the cmos to bypass
its password protection. If someone is allowed to boot to
floppy/cdrom/zipdrive then they can EASILY crack or null administrator
password. Administrator password must be guarded and hard to guess. I would
enable account log on activity to see if someone is getting unauthorized
administrator access.

Internet Explorer can be configured to disable file
downloading and users can be denied access to change back those settings. This
can be easily done using group policy at the domain level. It can be done at
the individual computer level also, but takes a lot more time. Of course
that will not stop file downloading if other browsers etc have been
installed.

The other main thing to do is to tighten up ntfs permissions. Try
this on one user/test machine before widespread implementation to make sure
basic functionality is not affected. First on the root folder of each
drive/partition set ntfs permissions to full for administrator,
read/execute/list for authenticated users, and remove the everyone group.
Other folders added to the root folder since installation should probably
have the same permissions applied to them. The program folder's default
installation ntfs permissions should be fine along with the windows
folder. You can use secedit to restore default permissions before doing any
changes if you are unsure that a user may have made changes using
administrative access.

Usually wise users will figure out if they can not
install in the root or program files folder, they will try to install in a
folder in their profile where they have full access by default. Here is
where custom ntfs permissions may have greatest impact. You need to modify
permissions so that users can still write/modify/delete files (assuming they
need to), but not create folders. I think that will stop almost all software
installation since most installation programs need to create folders.

The user profile is stored in a folder named after the user under documents and
settings. On that folder change ntfs permissions as follows. For the user,
deselect full control and leave everything else including modify. Then
select advanced/username/edit/uncheck create folders/append data from the
allow column and then OK. You should find yourself back at the advanced
security permissions window. Next select add, then select user name. In the
apply onto box select "files only" and in the allow column select create
folders/append data, then hit OK and when that takes you back to the
advanced settings box check "replace settings on child objects ... " and OK
again. That should change the permissions on the user profile to not allow
them to create folders, but still save/append/delete files. Hopefully that
will help you with your fun loving students.

-- Steve

http://www.jsiinc.com/SUBL/tip5500/rh5571.htm

"Jon Knudson" <jknudson@attbi.com> wrote in message
news:OAjx3tp#CHA.2308@TK2MSFTNGP10.phx.gbl...
> Hi Steve,
>
> Thanks for the suggestion. This is in a school environment and the high
> school students and evening school students keep re-installing as fast as we
> remove these programs. I will try out your much appreciated tip.
>
> Jon
>
> "Steven L Umbach" <n9rou@attbi.com> wrote in message
> news:6f6ja.61785$OV.182440@rwcrnsc54...
> > That is very difficult to do. There are options in group policy/user
> > configuration/administrative templates/system I believe to add
> > allowed/disallowed programs, but there are ways around that such as
> > renaming. You might want to consider disk quotas for ntfs as one deterrent
> > so that a user does not use up all his space installing a program. Otherwise
> > a firewall solution that includes blocking unauthorized outbound access may
> > be something to consider. It may not stop someone from installing a program,
> > but you can prevent them from using it (unless they tunnel through an
> > allowed port) and as such not putting the network at risk and wasting
> > time. --- Steve
> >
> > "Jon Knudson" <jknudson@attbi.com> wrote in message
> > news:OtTwKij#CHA.2148@TK2MSFTNGP10.phx.gbl...
> > > Is there a way to block the installation of AOL instant messenger, gator,
> > > snood, etc. without purchasing some utility? I know MSN messenger will not
> > > install without Admin rights but AOL seems to blow right past that little
> > > requirement. Help greatly appreciated.
> > >
> > > Thanks,
> > >
> > > Jon
> > >
> > >
> >
> >
>
>
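
The profile-folder permission change described in the message above, scripted with PowerShell and the .NET ACL classes. This is an added example, not part of the original post; the function names and the `$ProfilePath` and `$User` parameters are hypothetical, and it assumes the user's existing rights on the profile folder are explicit entries rather than inherited ones.

```powershell
# Added example (not from the original post). Run elevated, on one test profile first.
$AC = 'System.Security.AccessControl'

function Set-NoFolderCreateAcl {
    param(
        [Parameter(Mandatory)] [string] $ProfilePath,  # placeholder: the user's profile folder
        [Parameter(Mandatory)] [string] $User          # placeholder: DOMAIN\user or MACHINE\user
    )
    $account = New-Object System.Security.Principal.NTAccount($User)
    $rights  = "$AC.FileSystemRights" -as [type]
    $allow   = ("$AC.AccessControlType" -as [type])::Allow

    # "Create folders / append data" is a single bit (0x4): on a folder it means
    # create subfolder, on a file it means append. Take it out of Modify.
    $modifyNoCreate = [int]$rights::Modify -band (-bnot [int]$rights::AppendData)

    # Entry 1: Modify minus that bit, applied to this folder, subfolders and files.
    $folderRule = New-Object "$AC.FileSystemAccessRule" (
        $account, ($modifyNoCreate -as $rights),
        ('ContainerInherit, ObjectInherit' -as ("$AC.InheritanceFlags" -as [type])),
        ('None' -as ("$AC.PropagationFlags" -as [type])), $allow)

    # Entry 2: give the bit back on "files only", so files can still be appended to.
    $fileRule = New-Object "$AC.FileSystemAccessRule" (
        $account, $rights::AppendData,
        ('ObjectInherit' -as ("$AC.InheritanceFlags" -as [type])),
        ('InheritOnly' -as ("$AC.PropagationFlags" -as [type])), $allow)

    $acl = Get-Acl -LiteralPath $ProfilePath
    $acl.PurgeAccessRules($account)      # drops the user's explicit entries, incl. Full Control
    $acl.AddAccessRule($folderRule)
    $acl.AddAccessRule($fileRule)
    Set-Acl -LiteralPath $ProfilePath -AclObject $acl
}

function Get-UserAces {
    # Check step: list the entries the user ends up with on the folder.
    param([string] $ProfilePath, [string] $User)
    (Get-Acl -LiteralPath $ProfilePath).Access |
        Where-Object { $_.IdentityReference.Value -eq $User } |
        Select-Object FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}
```

Unlike the "replace settings on child objects" checkbox in the dialog, `Set-Acl` on the parent only reaches children that inherit their permissions; subfolders with protected ACLs keep their own entries and need the same change applied directly.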