Re: Strategy for securing user account



Thanks for the info. I'll check out this tool, and most likely I'll use a
combination of both the tool and the manual permissions setup.

Thanks,

A


"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:eugm56DPGHA.1696@xxxxxxxxxxxxxxxxxxxxxxx
It seems that you're looking at the kiosk-type lock down of the system.
For that purpose, Shared Computer Toolkit for Windows XP is the tool of
choice:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx

and download is at

http://www.microsoft.com/downloads/details.aspx?familyid=7256D456-E3DA-42EA-857D-92B716077A84

However, if you look at the most restricted user account, I'd start with a
group that is explicitly denied access to the entire file system, and then
I'd give explicit rights to read/execute dependencies only. Some
experimenting is required.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



"a" <xxxxxxx@xxxxxxxxxxx> wrote in message
news:1OkMf.14745$rL5.10492@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi everybody,

I need to be able to start a console application in the security context
of a user with very limited rights, on a Win 2003 computer:
- file write only to several directories
- file read only to other directories
- no create process abilities
- no network access

and probably other additional restrictions.

My question is, what is the right approach in creating a group, user
account and configuring all values to make sure I don't leave any
security holes while granting it a minimum of rights to be able to
perform its task. It is not obvious how to do this just from inspecting
the various security settings and policies.

This application will be started by a Windows service by calling the
Win32 API CreateProcessAsUser, so there is no need for direct user
interaction with this application.

Any information or pointers to resources will be appreciated.

Thanks,

A
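
Added example, not part of the thread: a simplified Python model of the Windows DACL access check, showing why the approach suggested above (a group denied at the file-system root, plus explicit read/execute or write grants) only works while the deny reaches the granted directories by inheritance rather than being set directly on them. The account and group names and the right bits are constructed; privileges, ownership and ordering between several inheritance levels are not modelled.

```python
# Simplified model of the Windows DACL access check (added example).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # constructed right bits, not real access masks
ALL = READ | WRITE | EXECUTE

def ace(kind, sid, mask, inherited):
    return {"type": kind, "sid": sid, "mask": mask, "inherited": inherited}

def canonical(aces):
    """Canonical ACE order: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a["inherited"], a["type"] != "deny"))

def access_check(token_sids, dacl, desired):
    """Walk the DACL in order. Succeed once every desired bit has been allowed;
    fail as soon as a deny ACE matches a bit that is still not granted."""
    remaining = desired
    for entry in dacl:
        if entry["sid"] not in token_sids:
            continue                      # ACE is for some other principal
        if entry["type"] == "deny":
            if entry["mask"] & remaining:
                return False
        else:
            remaining &= ~entry["mask"]
            if remaining == 0:
                return True
    return False                          # bits never granted: implicit deny

# Hypothetical restricted account, its deny group, and a built-in group.
TOKEN = {"sandbox_user", "SandboxDenied", "Users"}

# Deny ACE set once on the volume root and inherited by every child object.
ROOT_DENY = ace("deny", "SandboxDenied", ALL, inherited=True)

# Dependency directory: explicit read/execute grant sorts before the inherited deny.
deps = canonical([ROOT_DENY, ace("allow", "sandbox_user", READ | EXECUTE, False)])
# Output directory: explicit write grant only.
out = canonical([ROOT_DENY, ace("allow", "sandbox_user", WRITE, False)])
# Any other directory: the inherited deny precedes the inherited group allow.
other = canonical([ROOT_DENY, ace("allow", "Users", READ | EXECUTE, True)])
# Deny applied directly on the directory: it now precedes the explicit allow.
deps_explicit_deny = canonical([
    ace("deny", "SandboxDenied", ALL, False),
    ace("allow", "sandbox_user", READ | EXECUTE, False),
])

if __name__ == "__main__":
    for name, dacl in [("deps", deps), ("out", out), ("other", other),
                       ("deps_explicit_deny", deps_explicit_deny)]:
        print(name, {r: access_check(TOKEN, dacl, b)
                     for r, b in [("read", READ), ("write", WRITE)]})
```
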




