Re: Question on XP network security
From: JP (palmeroj@nospam.hotmail.com)
Date: 03/22/03
- Next message: JP: "Re: Question on XP network security"
- Previous message: Roger Abell [MVP]: "Re: LSASS.EXE error"
- In reply to: Bruce Chambers: "Re: Question on XP network security"
- Next in thread: John: "Re: Question on XP network security"
From: JP <palmeroj@nospam.hotmail.com> Date: Sat, 22 Mar 2003 05:32:00 GMT
Installing SMS is also an ongoing project. With SP4 it is XP aware,
and we're trying to package applications using Wise 4.0. This will be
an ongoing effort, along with installing Active Directory. As you can
probably tell, I have my hands full.
My original intent was to not add the users to the local admin group,
but found out that the local users group limits access too much. There
are some login scripts that apply registry changes and fail unless
the user has administrator rights.
Perhaps making them members of the Power Users group? Or maybe
modifying the privileges of the Users group using global policies?
Thanks for your reply.
John
On Fri, 21 Mar 2003 08:42:34 -0700, "Bruce Chambers"
<bchambers@nospam.cableone.net> wrote:
>Greetings --
>
> Normally, one goes to each individual workstation, and adds that
>workstation's user's domain account to that workstation's local
>administrator group. Otherwise, you risk giving everyone full access
>to everything. Obviously, this cannot be done in advance, via drive
>imaging/cloning, but it's the only way to ensure that User A has the
>necessary privileges on his/her own workstation, but not on User B's
>or User C's workstations. It can be done also remotely, using MMC. It'll
>be somewhat tedious connecting to each workstation individually, but
>there'll be no need to physically visit each workstation to perform
>this chore manually.
>
> In order to do what you want (have the local admin privileges
>included in the disk image), I'd create a global group on the domain
>for the sole purpose of having local administrative privileges. Call
>it "Local-Admin," or something similarly descriptive. Add the users
>whom you want to have local privileges to the workstations to be
>configured via your drive image. On the machine from which you're
>creating the image, add the global group Local-Admin to the local
>administrators group. Then the necessary privileges will be included
>in the disk image. Of course, using this method, User A will have
>administrative privileges to User B's and User C's workstation, and
>vice versa. I hope you can trust your users not to discover this and
>decide to "mess" with one another's machines.
>
> To be honest, though, in my experience, it's usually been the more
>technically "savvy" users who cause the most problems. (Not all, by
>any means, but an alarming proportion of them.) For some unknown
>reason, they seem to think that their specialized expertise in their
>chosen field somehow also magically bestows them with expertise about
>operating system and software configuration and functions, hardware
>compatibility, etc. I've also found that engineers are often the
>worst of the lot. For that matter, nothing scares me more than seeing
>an engineer reach for a tool. ;-} Seriously, though, if you
>haven't experienced this, I envy you your users. You're very
>fortunate.
>
> As for sending your technicians to visit the site to install
>applications, have you considered using SMS to install apps remotely?
>Saves a lot of leg work, and can be done from your desk.
>
>Bruce Chambers
>Microsoft MVP - Shell/User
>
>Help us help you:
>http://dts-l.org/goodpost.htm
>http://www.catb.org/~esr/faqs/smart-questions.html
>----
>You can have peace. Or you can have freedom. Don't ever count on
>having both at once. -- RAH
>
>
>"JP" <palmeroj@hotmail.com> wrote in message
>news:ah8m7v4fs05j02t34btnr9rsgpvinr3mb8@4ax.com...
>> I know you meant well with your comment, but in all seriousness; the
>> large majority of users are automotive design engineers and a little
>> more technology savvy than you might be used to. They need the XP
>> plug-n-play features to connect a wide array of peripherals and
>> software applications in order to do their job.
>>
>> For over 3 years, they've had NT 4.0 SP6a with just this level of
>> security and support hasn't been an issue. When a machine is trashed,
>> my support technicians re-image it remotely using Altiris with a
>> minimum of effort. This doesn't happen as often as you might think,
>> however.
>>
>> On the other hand, responding to the requests for Administrator
>> access, or having a technician visit the site, in order to be able to
>> install their applications will make support impossible for my team.
>>
>> Now that we're migrating to XP, I would like to close some of the
>> security flaws that the old OS had.
>>
>> I'm not sure whether you meant adding each and every user account to
>> the local administrator's group, or the "DOMAIN\Domain Users" account.
>> Since there are about 3000 users in the company, adding each and every
>> account to the image is out of the question.
>>
>> I did add the "MYDOMAIN\Domain Users" account to the local
>> administrator group and this had the desired effect; the only problem is
>> that it gives every user full access to all other machines ACROSS the
>> network.
>>
>> I'm seriously trying to find a middle ground between giving my users
>> as much control over their own machines as possible without violating
>> network security. I was wondering if giving the local USERS group
>> more rights might do the trick.
>>
>> I was hoping to hear from other administrators what approach they
>> might have taken to resolve similar issues, or what security settings
>> they might have used on the local USERS group. Perhaps some registry
>> hacks to prevent unauthorized access across the network, etc.
>>
>> I am seriously looking for answers or suggestions.
>>
>> Thanks in advance.
>>
>> John
>>
>> PS. If you wish to email me, please remove the nospam substring from
>> the following email address: palmeroj@nospam.hotmail.com
>>
>> On Fri, 21 Mar 2003 07:21:10 -0700, "Bruce Chambers"
>> <bchambers@nospam.cableone.net> wrote:
>>
>> >Greetings --
>> >
>> > Add each user's domain account to the local administrators group.
>> >(And then hire several more technicians to clean up behind the users
>> >as they trash their installations.)
>> >
>> >Bruce Chambers
>> >Microsoft MVP - Shell/User
>> >
>> >Help us help you:
>> >http://dts-l.org/goodpost.htm
>> >http://www.catb.org/~esr/faqs/smart-questions.html
>> >----
>> >You can have peace. Or you can have freedom. Don't ever count on
>> >having both at once. -- RAH
>> >
>> >
>> ><nospam@sp.com> wrote in message
>> >news:spbl7vomg0pl1vs5u8avn66qdbag7gferf@4ax.com...
>> >> I'm configuring a standard Windows XP Professional image that will
>> >> be deployed to a large number of client workstations. The file system
>> >> will be NTFS.
>> >>
>> >> The domain is Windows NT 4.0 and 2000 Servers. No Active Directory
>> >> is enabled yet.
>> >>
>> >> My problem is that the users want to have administrative rights over
>> >> their workstation. To accomplish this I've added the DOMAIN\All Users
>> >> to the local Administrators group. However, users can also access
>> >> other workstations across the network; particularly troubling to me
>> >> is access to the hidden shares.
>> >>
>> >> My question then is: how do I give users full control over their
>> >> machines while preventing them from accessing other machines across
>> >> the network?
>> >>
>> >> I'd appreciate any suggestions.
>> >>
>> >> Thank you.
>> >>
>> >> John
>> >
>>
>
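As an added example, not from this thread or any of its posters, the following PowerShell script does from one desk what Bruce describes doing per workstation through MMC: for each workstation it reads the local Administrators group over the ADSI WinNT provider, warns if an over-broad principal such as "Domain Users" is a member (the configuration John found gives every user admin rights on every machine), and adds only that workstation's own user. The workstation names and the user-to-workstation mapping are constructed for illustration; "MYDOMAIN" is the domain name used in the thread; the function names are the example's own.

```powershell
# Added example (not from the thread): audit each workstation's local
# Administrators group for over-broad members such as "Domain Users", then
# add only that workstation's own user, via the ADSI WinNT provider.
# Workstation names and the user-to-workstation mapping are constructed;
# "MYDOMAIN" is the domain name used in the thread.

$Domain = 'MYDOMAIN'

# Constructed mapping: the primary domain user of each workstation.
$Assignments = @(
    @{ Workstation = 'WS-ENG-001'; User = 'jdoe'   },
    @{ Workstation = 'WS-ENG-002'; User = 'asmith' }
)

# Principals that should never be members of a workstation's local
# Administrators group: each one grants every domain user admin rights
# on every machine, which is the "Domain Users" effect described above.
$OverBroad = @('Domain Users', 'Everyone', 'Authenticated Users')

function Get-LocalAdmins {
    # Returns members of the remote workstation's local Administrators
    # group as DOMAIN\name strings (or WORKSTATION\name for local accounts).
    param([string]$Workstation)
    $group = [ADSI]"WinNT://$Workstation/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Find-OverBroadAdmins {
    # Returns the over-broad members present in the list, if any.
    param([string[]]$Members)
    foreach ($m in $Members) {
        if ($OverBroad -contains $m.Split('\')[-1]) { $m }
    }
}

function Add-PrimaryUserAsLocalAdmin {
    # Idempotent: adds DOMAIN\User to local Administrators unless present.
    param([string]$Workstation, [string]$User, [string[]]$Members)
    if ($Members -contains "$Domain\$User") { return $false }
    $group = [ADSI]"WinNT://$Workstation/Administrators,group"
    $group.psbase.Invoke('Add', "WinNT://$Domain/$User,user")
    return $true
}

foreach ($a in $Assignments) {
    try {
        $members = @(Get-LocalAdmins -Workstation $a.Workstation)
    } catch {
        Write-Warning "$($a.Workstation): unreachable or access denied ($_)"
        continue
    }
    $bad = @(Find-OverBroadAdmins -Members $members)
    if ($bad.Count -gt 0) {
        Write-Warning "$($a.Workstation): over-broad local admins: $($bad -join ', ')"
    }
    if (Add-PrimaryUserAsLocalAdmin -Workstation $a.Workstation -User $a.User -Members $members) {
        Write-Output "$($a.Workstation): added $Domain\$($a.User) to Administrators"
    } else {
        Write-Output "$($a.Workstation): $Domain\$($a.User) already an Administrator"
    }
}
```

Run it from an account that is already an administrator on the target workstations, with the admin shares reachable. The script only reports an over-broad member rather than removing it, so that taking "Domain Users" back out of Administrators stays a deliberate step done after checking the warnings; the Power Users and Users-group policy alternatives raised in the reply above are a separate question this script does not address.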