Re: Strategy for securing user account
- From: "Jon Phipps" <jcphipps20@xxxxxxxxxxx>
- Date: Tue, 28 Feb 2006 13:58:55 -0700
I would recommend this tool, I use it at work for securing student desktops.
This saves me much headache in trying to figure out how they disabled
something, what they installed that crapped the machine etc. The only thing
I have found is that if you want to secure a domain account the app must
be run on the DC and the account secured there.
Jon
"a" <xxxxxxx@xxxxxxxxxxx> wrote in message
news:ta%Mf.38274$F_3.9053@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks for the info. I'll check out this tool, and most likely I'll use a
combination of both the tool and the manual permissions setup
Thanks,
A
"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:eugm56DPGHA.1696@xxxxxxxxxxxxxxxxxxxxxxx
It seems that you're looking at the kiosk-type lock down of the system.
For that purpose, Shared Computer Toolkit for Windows XP is the tool of
choice:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx
and download is at
http://www.microsoft.com/downloads/details.aspx?familyid=7256D456-E3DA-42EA-857D-92B716077A84
However, if you look at the most restricted user account, I'd start with a
group that is explicitly denied access to entire file system, and then
I'd give explicit rights to read/execute dependencies only. Some
experimenting is required.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"a" <xxxxxxx@xxxxxxxxxxx> wrote in message
news:1OkMf.14745$rL5.10492@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi everybody,
I need to be able to start a console application in the security context
of a user with very limited rights, on a Win 2003 computer:
- file write only to several directories
- file read only to other directories
- no create process abilities
- no network access
and probably other additional restrictions.
My question is, what is the right approach in creating a group, user
account and configuring all values to make sure I don't leave any
security holes while granting it a minimum of rights to be able to
perform its task. It is not obvious how to do this just from inspecting
the various security settings and policies.
This application will be started by a Windows service by calling the
Win32 API CreateProcessAsUser, so there is no need for direct user
interaction with this application.
Any information or pointers to resources will be appreciated.
Thanks,
A
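
The file-system part of the approach discussed in this thread (a group denied on the whole volume, then explicit allows only on the directories the program needs), shown in PowerShell as an added example that is not from any poster. The group name, account name and paths are assumptions; the example relies on Windows evaluating explicit ACEs before inherited ones, so each allow is set directly on its directory.

```powershell
# Added example. Group, account and paths are assumptions, not from the thread.
$Group     = "$env:COMPUTERNAME\RestrictedApps"   # hypothetical local group
$DenyRoot  = 'D:\'                                # volume the group is denied on
$ReadDirs  = @('D:\App\bin')                      # read/execute dependencies
$WriteDirs = @('D:\App\out')                      # directories the program writes to

# Create the group and the account, then join them ("*" prompts for a password).
net localgroup RestrictedApps /add
net user svc_console * /add
net localgroup RestrictedApps svc_console /add

function New-Rule {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.AccessControlType]$Type)
    # Apply to the directory itself, its subdirectories and its files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $none, $Type)
}

function Add-Rule {
    param([string]$Path, $Rule)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Deny on the root: every child directory receives this as an inherited deny.
Add-Rule $DenyRoot (New-Rule $Group 'FullControl' 'Deny')

# 2. Explicit allows on the few directories needed. An explicit ACE is evaluated
#    before an inherited one, so these win over the deny that came from the root.
foreach ($d in $ReadDirs)  { Add-Rule $d (New-Rule $Group 'ReadAndExecute' 'Allow') }
foreach ($d in $WriteDirs) { Add-Rule $d (New-Rule $Group 'Write' 'Allow') }

# 3. Check: each directory should list an Allow with IsInherited = False
#    and a Deny with IsInherited = True for the group.
foreach ($d in $ReadDirs + $WriteDirs) {
    "ACL entries for $Group on $d"
    (Get-Acl -Path $d).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Format-Table FileSystemRights, AccessControlType, IsInherited -AutoSize
}
```

Run it from an administrative session. The "no create process" and "no network access" requirements in the original question are not expressed through file ACLs and are outside this example.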