Re: Question on XP network security

From: Bruce Chambers (bchambers@nospam.cableone.net)
Date: 03/21/03


From: "Bruce Chambers" <bchambers@nospam.cableone.net>
Date: Fri, 21 Mar 2003 08:42:34 -0700


Greetings --

    Normally, one goes to each individual workstation, and adds that
workstation's user's domain account to that workstation's local
administrator group. Otherwise, you risk giving everyone full access
to everything. Obviously, this cannot be done in advance, via drive
imaging/cloning, but it's the only way to ensure that User A has the
necessary privileges on his/her own workstation, but not on User B's
or User C's workstations. It can also be done remotely, using MMC. It'll
there'll be no need to physically visit each workstation to perform
this chore manually.

    In order to do what you want (have the local admin privileges
included in the disk image), I'd create a global group on the domain
for the sole purpose of having local administrative privileges. Call
it "Local-Admin," or something similarly descriptive. Add the users
whom you want to have local privileges to the workstations to be
configured via your drive image. On the machine from which you're
creating the image, add the global group Local-Admin to the local
administrators group. Then the necessary privileges will be included
in the disk image. Of course, using this method, User A will have
administrative privileges to User B's and User C's workstation, and
vice versa. I hope you can trust your users not to discover this and
decide to "mess" with one another's machines.

    To be honest, though, in my experience, it's usually been the more
technically "savvy" users who cause the most problems. (Not all, by
any means, but an alarming proportion of them.) For some unknown
reason, they seem to think that their specialized expertise in their
chosen field somehow also magically bestows them with expertise about
operating system and software configuration and functions, hardware
compatibility, etc. I've also found that engineers are often the
worst of the lot. For that matter, nothing scares me more than seeing
an engineer reach for a tool. ;-} Seriously, though, if you
haven't experienced this, I envy you your users. You're very
fortunate.

    As for sending your technicians to visit the site to install
applications, have you considered using SMS to install apps remotely?
Saves a lot of leg work, and can be done from your desk.

Bruce Chambers
Microsoft MVP - Shell/User

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

----
You can have peace.  Or you can have freedom.  Don't ever count on
having both at once. -- RAH
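The per-workstation approach (one owner account per machine) and the check for an over-broad group such as "Domain Users" can both be scripted. The following PowerShell script is an added example, not part of this thread: it uses the WinNT ADSI provider (no Active Directory or remoting required), assumes the caller is already a local administrator on each target, and uses the placeholder domain "MYDOMAIN" with a constructed workstation-to-owner mapping.

```powershell
# Added example: audit, and with -Fix repair, local Administrators membership on
# NT/XP-style workstations. Flags members that grant every domain user admin
# rights on every machine, and ensures only the workstation's owner is added.
param([switch]$Fix)

$Domain   = 'MYDOMAIN'                                  # placeholder domain name
$Owners   = @{ 'WS-001' = 'jdoe'; 'WS-002' = 'asmith' } # constructed mapping: workstation -> owner
# Members that hand every domain user administrative rights on every workstation.
$TooBroad = @('Domain Users', 'Authenticated Users', 'Everyone')

function Get-LocalAdminPaths([string]$Computer) {
    # Returns one ADsPath per member, e.g. WinNT://MYDOMAIN/Domain Users
    $grp = [ADSI]"WinNT://$Computer/Administrators,group"
    @($grp.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

foreach ($pc in $Owners.Keys) {
    $owner = $Owners[$pc]
    try   { $paths = @(Get-LocalAdminPaths $pc) }
    catch { Write-Warning "$pc : cannot enumerate Administrators ($($_.Exception.Message))"; continue }

    # Compare on the leaf name so NT AUTHORITY\Everyone is caught as well as MYDOMAIN\Domain Users.
    $bad      = $paths | Where-Object { $TooBroad -icontains $_.Split('/')[-1] }
    $hasOwner = ($paths -icontains "WinNT://$Domain/$owner")
    '{0,-8} owner-is-admin={1,-5} too-broad={2}' -f $pc, $hasOwner,
        (($bad | ForEach-Object { $_.Split('/')[-1] }) -join ', ')

    if ($Fix) {
        $grp = [ADSI]"WinNT://$pc/Administrators,group"
        foreach ($p in $bad) { $grp.Remove($p) }                        # drop Domain Users etc.
        if (-not $hasOwner) { $grp.Add("WinNT://$Domain/$owner,user") } # only this machine's user
    }
}
```

Run it without -Fix first to get a report across the fleet; any line showing a non-empty too-broad column is a machine on which every domain user is a local administrator.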
"JP" <palmeroj@hotmail.com> wrote in message
news:ah8m7v4fs05j02t34btnr9rsgpvinr3mb8@4ax.com...
> I know you meant well with your comment, but in all seriousness; the
> large majority of users are automotive design engineers and a little
> more technology savvy than you might be used to. They need the XP
> plug-n-play features to connect a wide array of peripherals and
> software applications in order to do their job.
>
> For over 3 years, they've had NT 4.0 SP6a with just this level of
> security and support hasn't been an issue. When a machine is trashed,
> my support technicians re-image it remotely using Altiris with a
> minimum of effort. This doesn't happen as often as you might think,
> however.
>
> On the other hand, responding to the requests for Administrator
> access, or having a technician visit the site, in order to be able to
> install their applications will make support impossible for my team.
>
> Now that we're migrating to XP, I would like to close some of the
> security flaws that the old OS had.
>
> I'm not sure whether you meant adding each and every user account to
> the local administrator's group, or the "DOMAIN\Domain Users" account.
> Since there are about 3000 users in the company, adding each and every
> account to the image is out of the question.
>
> I did add the "MYDOMAIN\Domain Users" account to the local
> administrator group and this had the desired effect, only problem is
> that it gives every user full access to all other machines ACROSS the
> network.
>
> I'm seriously trying to find a middle ground between giving my users
> as much control over their own machines as possible without violating
> network security.  I was wondering if giving the local USERS group
> more rights might do the trick.
>
> I was hoping to hear from other administrators what approach they
> might have taken to resolve similar issues, or what security settings
> they might have used on the local USERS group. Perhaps some registry
> hacks to prevent unauthorized access across the network, etc.
>
> I am seriously looking for answers or suggestions.
>
> Thanks in advance.
>
> John
>
> PS. If you wish to email me, please remove the nospam substring from
> the following email address: palmeroj@nospam.hotmail.com
>
> On Fri, 21 Mar 2003 07:21:10 -0700, "Bruce Chambers"
> <bchambers@nospam.cableone.net> wrote:
>
> >Greetings --
> >
> >    Add each user's domain account to the local administrators group.
> >(And then hire several more technicians to clean up behind the users
> >as they trash their installations.)
> >
> >Bruce Chambers
> >Microsoft MVP - Shell/User
> >
> >Help us help you:
> >http://dts-l.org/goodpost.htm
> >http://www.catb.org/~esr/faqs/smart-questions.html
> >----
> >You can have peace.  Or you can have freedom.  Don't ever count on
> >having both at once. -- RAH
> >
> >
> ><nospam@sp.com> wrote in message
> >news:spbl7vomg0pl1vs5u8avn66qdbag7gferf@4ax.com...
> >> I'm configuring a standard Windows XP Professional image that will
> >> be deployed to a large number of client workstations. The file
> >> system will be NTFS.
> >>
> >> The domain is Windows NT 4.0 and 2000 Servers. No Active Directory
> >> is enabled yet.
> >>
> >> My problem is that the users want to have administrative rights over
> >> their workstation. To accomplish this I've added the DOMAIN\All Users
> >> to the local Administrators group. However, users can also access
> >> other workstations across the network, particularly troubling to me
> >> is access to the hidden shares.
> >>
> >> My question then is; how do I give users full control over their
> >> machines while preventing them from accessing other machines across
> >> the network?
> >>
> >> I'd appreciate any suggestions.
> >>
> >> Thank you.
> >>
> >> John
> >
>

