Re: Windows Desktop Lockdown on 2000 Server Environment
From: Steven L Umbach (n9rouz_at_nscomcast.net)
Date: 12/03/03
- Next message: Steven L Umbach: "Re: Configuring IPSec tunnel between W2K server & Cisco device - HOW???"
- Previous message: Ben: "Re: Local Security Policy on a DC"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: Windows Desktop Lockdown on 2000 Server Environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 03 Dec 2003 17:12:23 GMT
Group Policy does hide a lot of access. You really need to be sure that NTFS
permissions are locked down to prevent a user from accessing what they should not. By
default, XP has pretty good NTFS security. You may want to remove the write
permission for the users group from the drive/root folder and leave them with
read/list/execute. Check the advanced page of the security page to check advanced
permissions also for the users group. On XP Pro, I really don't think you need an extra
program because Software Restriction Policies are very powerful and can be configured
to lock a user down like a coffin lid. I also suggest that you read the free
Microsoft XP Security Guide. --- Steve
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/winclnt/secwinxp/default.asp
http://www.infosec.uga.edu/windows.html -- Great list of security guides.
<anonymous@discussions.microsoft.com> wrote in message
news:078601c3b95a$6e096310$a301280a@phx.gbl...
> Thanks for the response Steve! I've been working with
> GPO on a test OU and have made some progress. I'm still
> pruning for a more direct approach to suffice my goal.
> I've found that GPO works well but I'm worried about
> those "Genius" who search for other ways of breaking
> through that level of Windows Security. I've been
> searching for desktop management software but haven't
> found one. Any suggestions?
>
> >-----Original Message-----
> >Check Group Policy user configuration/administrative templates for several options to
> >limit users. To limit the desktop, you may want to look into mandatory profiles which
> >will not allow any changes to be saved to the profile. XP Pro has Software
> >Restriction Policies that can be used to lock down a user's ability to install and run
> >software and even prevent a lot of malicious programs/scripts [.vbs and such] from
> >executing which is a huge improvement over W2K. I suggest that you set up a test
> >Organizational Unit with its own GPO to tweak your settings before rolling out. ---
> >Steve
> >
> >http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/rstrplcy.asp
> >http://support.microsoft.com/?kbid=310791
> >http://support.microsoft.com/default.aspx?scid=kb;en-us;307900
> >
> >"Marvin" <mnurse@seedschooldc.org> wrote in message
> >news:067101c3b888$2dfec440$a401280a@phx.gbl...
> >> I'm trying to lock down several workstations running
> >> Windows XP Pro. on a Windows 2000 Server using Group
> >> Policies. Any suggestions will help. I'm basically just
> >> trying to have a limited desktop and specified apps
> >> running on these workstations. Thank you for your
> >> assistance....
> >
> >
> >.
> >
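
The NTFS check suggested in the reply at the top of this message (write access for the users group on the drive root, including the advanced permissions), as an added example that is not part of the original thread. It is a read-only PowerShell audit; PowerShell postdates this thread, and the script name, parameter and the choice of groups to flag are assumptions.

```powershell
# Audit-RootAcl.ps1 (hypothetical name): list write-type rights that broad groups
# hold on a folder, including "advanced" rights and inherit-only entries.
param([string]$Path = "$env:SystemDrive\")

# Well-known SIDs, so the check does not depend on localized group names.
$broad = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

# Specific rights that let a user create, change or delete content or permissions.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only entries are often stored as generic bits: GENERIC_WRITE | GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    $sid = $ace.IdentityReference.Value
    if (-not $broad.ContainsKey($sid)) { continue }
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $bits = [int]$ace.FileSystemRights
    $hit  = $bits -band ($writeMask -bor $genericMask)
    if ($hit -eq 0) { continue }      # read/list/execute only: nothing to report

    [pscustomobject]@{
        Group       = $broad[$sid]
        WriteRights = if ($bits -band $genericMask) { 'generic write/all' }
                      else { [System.Security.AccessControl.FileSystemRights]$hit }
        # InheritOnly means the entry applies to children, not to $Path itself.
        AppliesTo   = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        Inherited   = $ace.IsInherited
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No write-type rights for Users, Authenticated Users or Everyone on $Path"
}
```

Each row it prints is an entry to review on the Advanced page of the Security tab before deciding whether to remove it.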