xp lock down

From: Peter Clark (clark_at_hushmail.com)
Date: 04/28/03


Date: Mon, 28 Apr 2003 14:10:48 -0700


investigate software restriction policies:

(from brief notes of mine)

start -> settings -> control panel -> administrative tools
-> Local Security Policy
or secpol.msc

security settings\software restriction policies\security levels
security settings\software restriction policies\additional rules

make sure you add the following new hash rules!!
userinit.exe (VERY %$^*& CRITICAL IF YOU WANT TO LOGON)
explorer.exe (SOMETIMES A SHELL IS REALLY NICE TO HAVE)

add additional programs that you want a user to be allowed to run

change the enforcement option to apply software
restrictions to all users except local administrators.

if you do lock yourself out you can reboot into safe mode,
logon as an administrator
and change the policy (run gpupdate /force - it will fail,
but it will update on reboot)
else reboot and attempt to logon twice.

for the other security settings, investigate/import/modify
the securews.inf template for local security policy and
group policy. tweakui and some updating of shortcuts may
also help.

>-----Original Message-----
>hello everybody!
>I am trying to lock down a stand alone windows xp pro,
>what I mean by locking down is to create a user with no
>right but to launch one app. also I would like to
>disable the run command, and to take away the settings
>out of the start menu programs. but here is the problem
>when login as administrator I need to be able to run
>anything.
>
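
Added example, not part of the original message: a read-only PowerShell check to run before logging off, confirming that userinit.exe and explorer.exe have hash rules at the Unrestricted level and that enforcement exempts local administrators. It assumes PowerShell 4.0 or later, the standard registry location where software restriction policies are applied, and that each hash rule stores a digest of the whole file; the function names are hypothetical.

```powershell
# Added example: read-only check of the SRP values the policy editor writes under HKLM.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Files the post says need hash rules (paths assume a default Windows install).
$required = "$env:SystemRoot\System32\userinit.exe", "$env:SystemRoot\explorer.exe"
# HashAlg is stored as a CryptoAPI ALG_ID: 0x8003 = MD5, 0x8004 = SHA1.
$algNames = @{ 32771 = 'MD5'; 32772 = 'SHA1' }

function Get-UnrestrictedHashRule {
    # Rules for the Unrestricted level sit under the key named 262144 (0x40000).
    $key = Join-Path $base '262144\Hashes'
    if (-not (Test-Path $key)) { return }
    foreach ($rule in Get-ChildItem $key) {
        $p = Get-ItemProperty $rule.PSPath
        if ($null -eq $p.ItemData) { continue }
        [pscustomobject]@{
            Alg  = $algNames[[int]$p.HashAlg]
            Hash = ($p.ItemData | ForEach-Object { $_.ToString('X2') }) -join ''
            Size = [long]$p.ItemSize
        }
    }
}

function Test-SrpLockdown {
    if (-not (Test-Path $base)) {
        Write-Warning 'No software restriction policy is defined on this machine.'
        return
    }
    $policy = Get-ItemProperty $base
    $rules  = @(Get-UnrestrictedHashRule)
    [pscustomobject]@{ Check = 'Default level is Disallowed (DefaultLevel = 0)'
                       Pass  = ($policy.DefaultLevel -eq 0) }
    [pscustomobject]@{ Check = 'Local administrators are exempt (PolicyScope = 1)'
                       Pass  = ($policy.PolicyScope -eq 1) }
    foreach ($file in $required) {
        $size  = (Get-Item $file).Length
        # A rule matches when algorithm, file size and digest all agree.
        $match = $rules | Where-Object {
            $_.Alg -and $_.Size -eq $size -and
            $_.Hash -eq (Get-FileHash $file -Algorithm $_.Alg).Hash
        }
        [pscustomobject]@{ Check = "Unrestricted hash rule for $(Split-Path $file -Leaf)"
                           Pass  = [bool]$match }
    }
}

Test-SrpLockdown | Format-Table -AutoSize
```

A False on either hash-rule row means the file on disk no longer matches any allowed rule, which also happens after a service pack or hotfix replaces the binary.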