Re: Question regarding microsoft security policy
From: Laura E. Hunter \(MVP\) (hunter(nospamplease)_at_sfs.upenn.edu)
Date: 04/20/04
- Next message: Si: "demoted server logon/off events"
- Previous message: Laura E. Hunter \(MVP\): "Re: 2000 server with NT4 clients"
- In reply to: luc wastiaux: "Question regarding microsoft security policy"
- Next in thread: Steven L Umbach: "Re: Question regarding microsoft security policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 20 Apr 2004 10:45:11 -0400
You can try using the compatws.inf security template in a 2000 environment,
which will apply to 2K or XP clients. In many cases, this will relax the
rights assignments enough to allow users to run their legacy apps, without
leaving the machine wide open or making everyone a local admin.
"
The default Windows 2000 security configuration gives members of the local
Users group strict security settings, while members of the local Power Users
group have security settings that are compatible with Windows NT 4.0 user
assignments. This default configuration enables certified Windows 2000
applications to run in the standard Windows environment for Users, while
still allowing applications that are not certified for Windows 2000 to run
successfully under the less secure Power Users configuration. However, if
Windows 2000 users are members of the Power Users group in order to run
applications not certified for Windows 2000, this may be too unsecure for
some environments. Some organizations may find it preferable to assign
users, by default, only as members of the Users group and then decrease the
security privileges for the Users group to the level where applications not
certified for Windows 2000 run successfully. The compatible template is
designed for such organizations. By lowering the security levels on specific
files, folders, and registry keys that are commonly accessed by
applications, the compatible template allows most applications to run
successfully under a User context. In addition, since it is assumed that the
administrator applying the compatible template does not want users to be
Power Users, all members of the Power Users group are removed."
-- ****************************** Laura E. Hunter - MCSE, MCT, MVP Replies to newsgroup only "luc wastiaux" <dustpuppy@airpost.net> wrote in message news:c62u7e022hh@news1.newsguy.com... > There are a lot of legacy application for windows that need write access > in Program Files, forcing you to promote local users to administrators or > these applications won't work. I'm not pleased at all with this since this > makes all the binaries in \program files and \winnt virus-writable. What > is being done in this regard by microsoft ? I wish more application > developpers became aware that machines are being used by more than one > user, and writing in \program files is not appropriate. > > -- > luc wastiaux
- Next message: Si: "demoted server logon/off events"
- Previous message: Laura E. Hunter \(MVP\): "Re: 2000 server with NT4 clients"
- In reply to: luc wastiaux: "Question regarding microsoft security policy"
- Next in thread: Steven L Umbach: "Re: Question regarding microsoft security policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
