Re: Block AOL Inst. Messenger???

From: "Steven L Umbach" <sumbach@ameritech.net>
Date: Sat, 05 Apr 2003 15:47:08 GMT


     No problem Jon. I am in hog heaven ever since I set up my laptop with
wireless - now I can type up messages while I watch Sci Fi or History
channel. --- Steve

"Jon Knudson" <jknudson@attbi.com> wrote in message
news:eMFasB4#CHA.2176@TK2MSFTNGP12.phx.gbl...
> Hi Steven,
>
> Wow! Thanks so much for your help. You really took a lot of time to get all
> this down. Thanks so much.
>
> Jon
>
> "Steven L Umbach" <n9rou@attbi.com> wrote in message
> news:Bmrja.331184$3D1.178838@sccrnsc01...
> > Hi Jon. There are a couple more things that may help. First the
> > workstation must be secure in that the case is locked, the cmos is
> > password protected, the hard drive is first in boot order, autorun is
> > disabled for cdrom, and usb ports are disabled in cmos if they are not
> > needed. The case lock is so that the cover can not be removed so that the
> > battery can be momentarily unhooked or the cmos jumper is used to reset
> > the cmos to bypass its password protection. If someone is allowed to boot
> > to floppy/cdrom/zipdrive then they can EASILY crack or null administrator
> > password. Administrator password must be guarded and hard to guess. I
> > would enable account log on activity to see if someone is getting
> > unauthorized administrator access.
> >
> > Internet Explorer can be configured to disable file downloading and users
> > can be denied access to change back those settings. This can be easily
> > done using group policy at the domain level. It can be done at the
> > individual computer level also, but takes a lot more time. Of course that
> > will not stop file downloading if other browsers etc have been installed.
> >
> > The other main thing to do is to tighten up ntfs permissions. Try this on
> > one user/test machine before widespread implementation to make sure basic
> > functionality is not affected. First on the root folder of each
> > drive/partition set ntfs permissions to full for administrator,
> > read/execute/list for authenticated users, and remove the everyone group.
> > Other folders added to the root folder since installation should probably
> > have the same permissions applied to them. The program folder's default
> > installation ntfs permissions should be fine along with the windows
> > folder. You can use secedit to restore default permissions before doing
> > any changes if you are unsure that a user may have made changes using
> > administrative access.
> >
> > Usually wise users will figure out if they can not install in the root or
> > program files folder, they will try to install in a folder in their
> > profile where they have full access by default. Here is where custom ntfs
> > permissions may have greatest impact. You need to modify permissions so
> > that users can still write/modify/delete files (assuming they need to),
> > but not create folders. I think that will stop almost all software
> > installation since most installation programs need to create folders.
> >
> > The user profile is stored in a folder named after the user under
> > documents and settings. On that folder change ntfs permissions as follows.
> > For the user - deselect full control and leave everything else including
> > modify. Then select advanced/username/edit/uncheck create folders/append
> > data from the allow column and then OK. You should find yourself back at
> > the advanced security permissions window. Next select add, then select
> > user name. In the apply onto box select "files only" and in the allow
> > column select create folders/append data, then hit OK and when that takes
> > you back to the advanced settings box check "replace settings on child
> > objects ... " and OK again. That should change the permissions on the user
> > profile to not allow them to create folders, but still save/append/delete
> > files. Hopefully that will help you with your fun loving students.
> > -- Steve
> >
> >
> > http://www.jsiinc.com/SUBL/tip5500/rh5571.htm
> >
> > "Jon Knudson" <jknudson@attbi.com> wrote in message
> > news:OAjx3tp#CHA.2308@TK2MSFTNGP10.phx.gbl...
> > > Hi Steve,
> > >
> > > Thanks for the suggestion. This is in a school environment and the high
> > > school students and evening school students keep re-installing as fast
> > > as we remove these programs. I will try out your much appreciated tip.
> > >
> > > Jon
> > >
> > > "Steven L Umbach" <n9rou@attbi.com> wrote in message
> > > news:6f6ja.61785$OV.182440@rwcrnsc54...
> > > >     That is very difficult to do. There are options in group
> > > > policy/user configuration/administrative templates/system I believe to
> > > > add allowed/disallowed programs, but there are ways around that such
> > > > as renaming. You might want to consider disk quotas for ntfs as one
> > > > deterrent so that a user does not use up all his space installing a
> > > > program. Otherwise a firewall solution that includes blocking
> > > > unauthorized outbound access may be something to consider. It may not
> > > > stop someone from installing a program, but you can prevent them from
> > > > using it (unless they tunnel through an allowed port) and as such not
> > > > putting the network at risk and wasting time. --- Steve
> > > >
> > > > "Jon Knudson" <jknudson@attbi.com> wrote in message
> > > > news:OtTwKij#CHA.2148@TK2MSFTNGP10.phx.gbl...
> > > > > Is there a way to block the installation of AOL instant messenger,
> > > > > gator, snood, etc. without purchasing some utility? I know MSN
> > > > > messenger will not install without Admin rights but AOL seems to
> > > > > blow right past that little requirement. Help greatly appreciated.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Jon
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
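
The profile-folder permission change described in the quoted message above, scripted in PowerShell as an added example (it is not part of the original thread, and PowerShell postdates the Windows 2000 systems discussed). The function names, the sample account and the subfolder check are assumptions made for illustration.

```powershell
# Added example. Function names and the sample account are hypothetical.
# Run elevated, on one test profile first, as the message advises.
$FSR = [System.Security.AccessControl.FileSystemRights]

function Set-NoFolderCreateAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ProfilePath,  # user's folder under Documents and Settings
        [Parameter(Mandatory = $true)][string]$UserName      # e.g. 'SCHOOL\student01' (constructed)
    )
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    # On a directory the AppendData bit means "create folders", so clear it from Modify.
    $modifyNoAppend = [int]($FSR::Modify) -band (-bnot [int]($FSR::AppendData))

    # Entry 1: Modify minus create folders/append data, on this folder, subfolders and files.
    $folderRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, ($modifyNoAppend -as $FSR), 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    # Entry 2: the same bit granted back on "files only", so appending to files still works.
    $fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $FSR::AppendData, 'ObjectInherit', 'InheritOnly', 'Allow')

    $acl = Get-Acl -LiteralPath $ProfilePath
    $acl.PurgeAccessRules($account)   # drops the user's explicit entries, including Full Control
    $acl.AddAccessRule($folderRule)
    $acl.AddAccessRule($fileRule)
    if ($PSCmdlet.ShouldProcess($ProfilePath, "replace permission entries for $UserName")) {
        Set-Acl -LiteralPath $ProfilePath -AclObject $acl
    }
}

# Check for the "replace settings on child objects" step: list subfolders where the
# user still holds an effective Allow entry with the create-folders bit set.
# Matches only entries naming the user directly, not rights granted through groups.
function Find-FolderCreateGrant {
    param([string]$ProfilePath, [string]$UserName)
    Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir = $_.FullName
            (Get-Acl -LiteralPath $dir).Access | Where-Object {
                $_.IdentityReference.Value -eq $UserName -and
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.PropagationFlags -band 2) -eq 0 -and      # 2 = InheritOnly
                ([int]$_.FileSystemRights -band [int]($FSR::AppendData)) -ne 0
            } | ForEach-Object { $dir }
        }
}
```

An account that owns a folder can rewrite its permissions, so check who owns the profile folder as well as what the entries say.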


