Re: Question on XP network security
From: JP (palmeroj@hotmail.com)
Date: 03/21/03
From: JP <palmeroj@hotmail.com> Date: Fri, 21 Mar 2003 14:54:05 GMT
I know you meant well with your comment, but in all seriousness; the
large majority of users are automotive design engineers and a little
more technology savvy than you might be used to. They need the XP
plug-n-play features to connect a wide array of peripherals and
software applications in order to do their job.
For over 3 years, they've had NT 4.0 SP6a with just this level of
security and support hasn't been an issue. When a machine is trashed,
my support technicians re-image it remotely using Altiris with a
minimum of effort. This doesn't happen as often as you might think,
however.
On the other hand, responding to the requests for Administrator
access, or having a technician visit the site, in order to be able to
install their applications will make support impossible for my team.
Now that we're migrating to XP, I would like to close some of the
security flaws that the old OS had.
I'm not sure whether you meant adding each and every user account to
the local administrator's group, or the "DOMAIN\Domain Users" account.
Since there are about 3000 users in the company, adding each and every
account to the image is out of the question.
I did add the "MYDOMAIN\Domain Users" account to the local
administrator group and this had the desired effect, only problem is
that it gives every user full access to all other machines ACROSS the
network.
I'm seriously trying to find a middle ground between giving my users
as much control over their own machines as possible without violating
network security. I was wondering if giving the local USERS group
more rights might do the trick.
I was hoping to hear from other administrators what approach they
might have taken to resolve similar issues, or what security settings
they might have used on the local USERS group. Perhaps some registry
hacks to prevent unauthorized access across the network, etc.
I am seriously looking for answers or suggestions.
Thanks in advance.
John
PS. If you wish to email me, please remove the nospam substring from
the following email address: palmeroj@nospam.hotmail.com
On Fri, 21 Mar 2003 07:21:10 -0700, "Bruce Chambers"
<bchambers@nospam.cableone.net> wrote:
>Greetings --
>
> Add each user's domain account to the local administrators group.
>(And then hire several more technicians to clean up behind the users
>as they trash their installations.)
>
>Bruce Chambers
>Microsoft MVP - Shell/User
>
>Help us help you:
>http://dts-l.org/goodpost.htm
>http://www.catb.org/~esr/faqs/smart-questions.html
>----
>You can have peace. Or you can have freedom. Don't ever count on
>having both at once. -- RAH
>
>
><nospam@sp.com> wrote in message
>news:spbl7vomg0pl1vs5u8avn66qdbag7gferf@4ax.com...
>> I'm configuring a standard Windows XP Professional image that will be
>> deployed to a large number of client workstations. The file system
>> will be NTFS.
>>
>> The domain is Windows NT 4.0 and 2000 Servers. No Active Directory is
>> enabled yet.
>>
>> My problem is that the users want to have administrative rights over
>> their workstation. To accomplish this I've added the DOMAIN\All Users
>> to the local Administrators group. However, users can also access
>> other workstations across the network, particularly troubling to me is
>> access to the hidden shares.
>>
>> My question then is; how do I give users full control over their
>> machines while preventing them from accessing other machines across
>> the network?
>>
>> I'd appreciate any suggestions.
>>
>> Thank you.
>>
>> John
>