Re: Block AOL Inst. Messenger???

From: Jon Knudson (jknudson@attbi.com)
Date: 04/05/03 

From: "Jon Knudson" <jknudson@attbi.com>
Date: Sat, 5 Apr 2003 09:30:56 -0500

Hi Steven,

Wow! Thanks so much for your help. You really took a lot of time to get all
this down. Thanks so much.

Jon

"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:Bmrja.331184$3D1.178838@sccrnsc01...
> Hi Jon. There are a couple more things that may help. First the
> workstation must be secure in that the case is locked, the cmos is
password
> protected,the hard drive is first in boot order, autorun is disabled for
> cdrom, and usb ports are disabled in cmos if they are not needed. The case
> lock is so that the cover can not be removed so that the battery can be
> momentarily unhooked or the cmos jumper is used to reset the cmos to
bypass
> its password protection. If someone is allowed to boot to
> floppy/cdrom/zipdrive then they can EASILY crack or null administrator
> password. Administrator password must be guarded and hard to guess. I
would
> enable account log on activity to see if someone is getting unauthorized
> administrator access. Internet Explorer can be configured to disable file
> downloading and users can be denied access change back those settings.
This
> can be easily done using group policy at the domain level. It can be done
at
> the individual computer level also, but takes a lot more time. Of course
> that will not stop file downloading if other browsers etc have been
> installed The other main thing to do is to tighten up ntfs permissions.
Try
> this on one user/test machine before wide spread implementation to make
sure
> basic functionality is not affected. First on the root folder of each
> drive/partition set ntfs permissions to full for administrator,
> read/execute/list for authenticated users, and remove the everyone group.
> Other folders added to the root folder since installation should probably
> have the same permissions applied to them. The program folder's default
> installation ntfs permissions should be fine along with the the windows
> folder. You can uses secedit to restore default permissions before doing
any
> changes if you are unsure that a user may have made changes using
> administrative access. Usually wise users will figure out if they can not
> install in the root or program files folder, they will try to install in a
> folder in their profile where they have full access by default. Here is
> where custom ntfs permissions may have greatest impact. You need to modify
> permissions so that users can still write/modify/delete files (assuming
they
> need to), but not create folders. I think that will stop almost all
software
> installation since most installation programs need to create folders. The
> user profile is stored in a folder named after the user under documents
and
> settings. On that folder change ntfs permissions as follows. For the
user -
> deselect full control and leave everything else including modify. Then
> select advanced/username/edit/uncheck create folders/append data from the
> allow column and then OK. You should find yourself back at the advanced
> security permissions window. Next select add, then select user name. In
the
> apply on to box select- "files only" and in the allow column select create
> folders/append data, then hit OK and when that takes you back to the
> advanced settings box check "replace settings on child objects ... " and
OK
> again. That should change the permissions on the user profile to not allow
> them to create folders, but still save/append/delete files. Hopefully that
> will help you with your fun loving students. -- Steve
>
>
> http://www.jsiinc.com/SUBL/tip5500/rh5571.htm
>
> "Jon Knudson" <jknudson@attbi.com> wrote in message
> news:OAjx3tp#CHA.2308@TK2MSFTNGP10.phx.gbl...
> > Hi Steve,
> >
> > Thanks for the suggestion. This is in a school environment and the high
> > school students and evening school students keep re-installing as fast
as
> we
> > remove these programs. I will try out your much appreciated tip.
> >
> > Jon
> >
> > "Steven L Umbach" <n9rou@attbi.com> wrote in message
> > news:6f6ja.61785$OV.182440@rwcrnsc54...
> > > That is very difficult to do. There are options in group
> > policy/user
> > > configuration/administrative templates/system I believe to add
> > > allowed/disallowed programs, but there are ways around that such as
> > > renaming. You might want to consider disk quotas for ntfs as one
> deterrent
> > > so that a user does not use up all his space installing a program.
> > Otherwise
> > > a firewall solution that includes blocking unauthorized outbound
access
> > may
> > > be something to consider. It may not stop someone from installing a
> > program,
> > > but you can prevent them from using it (unless they tunnel through an
> > > allowed port) and as such not putting the network at risk and wasting
> > > time. --- Steve
> > >
> > > "Jon Knudson" <jknudson@attbi.com> wrote in message
> > > news:OtTwKij#CHA.2148@TK2MSFTNGP10.phx.gbl...
> > > > Is there a way to block the installation of AOL instant messenger,
> > gator,
> > > > snood, etc. without purchasing some utility? I know MSN messenger
will
> > not
> > > > install without Admin rights but AOL seems to blow right past that
> > little
> > > > requirement. Help greatly appreciated.
> > > >
> > > > Thanks,
> > > >
> > > > Jon
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: Block AOL Inst. Messenger???
    ... and usb ports are disabled in cmos if they are not needed. ... installed The other main thing to do is to tighten up ntfs permissions. ... Other folders added to the root folder since installation should probably ...
    (microsoft.public.win2000.security)
  • Re: Creating "Home" dirs via script
    ... But share access is only half the story; what NTFS permissions ... This script can be "wrapped" in another to create MANY home folders at ... If doesFolderExist = 0 then 'If Folder does not exist, ... Set ace = CreateObject ...
    (microsoft.public.windows.server.scripting)
  • Re: Published install works for one user but fails for another. Both have same rights
    ... I am not sure that you are trying to deploy this application via GPO. ... you need to typically do an Administrative Installation (not always the ... I typically create a folder called APPLICATIONS and then ... Control on both the Share and NTFS permissions and then either Domain Users ...
    (microsoft.public.win2000.group_policy)
  • Re: some files are not accessable in shared folder in home network
    ... If you're familiar with NTFS permissions, check 'em yourself and adjust as necessary. ... they're on the Security tab when you right-click on a file or folder and choose Properties. ... computers that have to go to that folder on the primary computer,.. ... It is strange because of the hundred or so .exe files in that folder, ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Block AOL Inst. Messenger???
    ... and usb ports are disabled in cmos if they are not needed. ... >> installed The other main thing to do is to tighten up ntfs permissions. ... First on the root folder of each ... >> installation ntfs permissions should be fine along with the the windows ...
    (microsoft.public.win2000.security)