Re: Strategy for securing user account



I would recommend this tool; I use it at work for securing student desktops.
This saves me much headache in trying to figure out how they disabled
something, what they installed that crapped the machine etc. The only thing
I have found is that if you want to secure a domain account, the app must
be run on the DC and the account secured there.

Jon
"a" <xxxxxxx@xxxxxxxxxxx> wrote in message
news:ta%Mf.38274$F_3.9053@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks for the info. I'll check out this tool, and most likely I'll use a
combination of both the tool and the manual permissions setup.

Thanks,

A


"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:eugm56DPGHA.1696@xxxxxxxxxxxxxxxxxxxxxxx
It seems that you're looking at the kiosk-type lock down of the system.
For that purpose, Shared Computer Toolkit for Windows XP is the tool of
choice:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx

and download is at

http://www.microsoft.com/downloads/details.aspx?familyid=7256D456-E3DA-42EA-857D-92B716077A84

However, if you look at the most restricted user account, I'd start with a
group that is explicitly denied access to the entire file system, and then
I'd give explicit rights to read/execute dependencies only. Some
experimenting is required.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



"a" <xxxxxxx@xxxxxxxxxxx> wrote in message
news:1OkMf.14745$rL5.10492@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi everybody,

I need to be able to start a console application in the security context
of a user with very limited rights, on a Win 2003 computer:
- file write only to several directories
- file read only to other directories
- no create process abilities
- no network access

and probably other additional restrictions.

My question is, what is the right approach in creating a group, user
account and configuring all values to make sure I don't leave any
security holes while granting it a minimum of rights to be able to
perform its task. It is not obvious how to do this just from inspecting
the various security settings and policies.

This application will be started by a Windows service by calling the
Win32 API CreateProcessAsUser, so there is no need for direct user
interaction with this application.

Any information or pointers to resources will be appreciated.

Thanks,

A






