Re: Lockdown

From: Steven L Umbach (n9rouz_at_nscomcast.net)
Date: 11/02/03


Date: Sun, 02 Nov 2003 21:13:50 GMT

There are a couple things you can do assuming users do not have administrator rights.
By giving a user or group [do not use users/everyone because administrator is a
member] deny NTFS permissions or not having any allow permissions to an application
folder or file you can prevent the user from running that application or saving to a
folder. A user needs read/list/execute to run a program. They need write access to
save files and modify to delete folders and files. NTFS permissions are always your
main line of defense against unwanted access to data and applications. Do NOT however
change permissions on the \winnt folders or subfolders. You can change permissions on
such things as the executable files for games/utilities. You can use search to find
game executables as they may be in different or multiple locations.

Another way to lock down a computer is to use Group Policy. Group Policy for a stand
alone machine is invoked by entering gpedit.msc in the run box. There are a plethora
of options to lock down users under user configuration. On a stand alone machine,
user policies apply equally to ALL users including the administrator so be careful
not to lock yourself out, especially by restricting Microsoft Management Console,
though you can manage a computer's Local Group Policy remotely from another network
computer as long as you know administrator logon/password to that computer.

In addition to using NTFS permissions to control access to applications you can also
control file associations which can help prevent users from using certain file types.
For instance go to explorer/tools/folder options/file types/registered files and
scroll down to mp3 and delete it. That way when a user double clicks the file, it
will not automatically play. Group Policy can be used to "hide" the folder options
from users. To restrict users to a certain website, you need to have your firewall
allow internet access to only the ip address for that site. The firewall would be the
best way to configure, but if that is not possible then ipsec filtering can be
implemented on each computer to act as a firewall for that particular purpose. Also
you may want to implement Internet Explorer Kiosk mode which will replace the normal
Windows desktop. See link for more details. Windows XP Pro can be locked down much
tighter than W2K due to its Software Restriction Policies which is something you may
want to consider if you cannot get desired results with W2K. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;154780

"Patrice Vitry" <p.vitry@alfred.org.au> wrote in message
news:03b201c3a144$64020d50$a001280a@phx.gbl...
> Hi All
>
> Can anyone help in locking down stand alone PCs. I
> operate a Picture Archiving Communication System in a
> major hospital in Melbourne. I need to be able to restrict
> users to only use the Intranet to access radiology images
> and nothing else, as some users are playing games and
> music in the operating suite and always messing with the
> settings. Any place you could point me to, such as a script
> would help.
>
> Thanking you
>
> PV
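
An added example, not part of the original post or the quoted message: a PowerShell sketch of the NTFS approach described in the reply, which searches for named executables, skips the Windows directory, and adds a deny read/execute entry for one restricted group. It assumes a later Windows version with PowerShell 3 or newer and an elevated prompt; the group name `KioskUsers` and the executable names are hypothetical placeholders.

```powershell
# Added example. Report-only unless -Apply is given.
param(
    [string]   $Group      = 'KioskUsers',                              # hypothetical local group
    [string[]] $ExeNames   = @('examplegame.exe', 'exampleplayer.exe'), # constructed sample names
    [string]   $SearchRoot = 'C:\',
    [switch]   $Apply
)

# Broad groups include the administrator, so a deny entry on them locks
# everyone out. Refuse them outright.
$tooBroad = 'Users', 'Everyone', 'Authenticated Users', 'Administrators'
if ($tooBroad -contains ($Group -split '\\')[-1]) {
    throw "Refusing to add a deny entry for broad group '$Group'."
}

$account = New-Object System.Security.Principal.NTAccount($Group)
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'ReadAndExecute', 'Deny')

# Never touch the Windows directory (\winnt on Windows 2000) or anything below it.
$systemRoot = $env:SystemRoot.TrimEnd('\') + '\'

# The same executable may exist in several locations, so search the whole tree.
Get-ChildItem -Path $SearchRoot -Include $ExeNames -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.FullName.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object {
        if ($Apply) {
            $acl = Get-Acl -LiteralPath $_.FullName
            $acl.AddAccessRule($deny)          # deny entries override any allow entries
            Set-Acl -LiteralPath $_.FullName -AclObject $acl
        }
        # Emit one record per match so the change can be reviewed or logged.
        [pscustomobject]@{ Path = $_.FullName; Group = $Group; Applied = [bool]$Apply }
    }
```

Run it once without `-Apply` to review the matched paths, then again with `-Apply` to write the deny entries.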


