Re: Security Problem
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 05/24/03
Date: Sat, 24 May 2003 08:21:57 -0700
What you outline can mostly be accomplished only
with extensive work modifying permissions.
Comments inside below . . .
"Abdur Rahman Ali" <abdur_rahman_ali@hotmail.com> wrote in message
news:129701c321bc$78672620$a501280a@phx.gbl...
> Respected Sir,
>
> I hope that you will be fine in all aspect of life. I
> wanted to ask/discuss some thing.
>
> I am using WindowsXp on my home PC system. I have made
> myself as an administration and about 5 other user are
> also using the same computer but with their own login and
> limited account. Only I have the full rights as an
> administration. But I have seen that many other option
> which I do not want the others users to change are not
> applicable. The other users can also change them.
> Following are the security problem I am facing. Please
> tell me any alternate for it. So that the other users of
> the computers can not change it.
>
> 1- No user should have access to Install/UnInstall any
> program, except Administrator.
>
They already cannot install software that will want to
write into the registry in many areas needed to make the
software available to all accounts.
They can however install software that only needs to write
to disk. Since in item 6 you state they should be able to
write to their own area, and since there are some areas
outside of that specified in item 6 that are required for an
account to log in and function (temp, profile area, etc.)
this item 1 is not fully accomplishable.
However, you can make it (in Pro) so that if they have
installed something into the few areas where they can
write, the installed software will not be allowed to run.
> 2- No user should have access to delete any file from any
> local drives, except the Administrator. Even the files
> which the user created by himself, should be deleted only
> by the Administrator. I mean that the user can't even
> delete his own created files.
>
Again, this is not fully possible. For example, if they open
an Access database a temporary *.ldf file is created, and
you really do want it to be deleted when they are done.
However with correct NTFS settings you can make it so
that what you outline is how it is, but if you do that everywhere
then some things will break.
> 3- The user should not read/write/modify any others data.
>
Easily done with NTFS settings although a massive task
when you need to make sure that the entire storage is
set that way.
> 4- A list of all the users who have been working in the
> absence of Administrator should be noted by computer with
> user name, time in and time out and time period of the
> user. It should also tell that on which
> program/tool/software did the users worked. All this
> information should be saved in a secret file and should be
> open only and only by the Administrator.
>
Use the security event log.
It does everything you have mentioned if you configure
it and auditing ACLs on the filesystem to have it do so.
> 5- When you right-click on the desktop and properties link
> is displayed at the end. By which you can change the
> Display setting of the Desktop. No user should have
> access to change these setting. They should not have
> authority to go to the properties of the desktop, except
> the Administrator.
>
Local policy allows you to take control over this (Pro version).
> 6- No user should have access to read/write/modify any
> local drives. Except the folder assigned to the user by
> the Administrator.
>
Use NTFS permissions effectively. Again, you will need to
weaken this requirement somewhat due to the absolute need
of accounts to write some other places in order to function.
Example, caching of web pages when browsing.
> Please provide me detail solution of all these above
> problems.
>
Details are left as an exercise.
If you have Home edition begin by getting Pro version
as these are professional features and requirements.
Then you could start with the XP resource kit
www.reskit.com for info on many aspects mentioned
and for the filesystem an introductory view is available
in short articles (but you will need to use Advanced ACL
editing extensively to accomplish your requirements)
HOW TO: Set, View, Change, or Remove Special Permissions for Files and
Folders in Windows XP
IN THIS TASK Permissions for Files and Folders Special Permissions
Defined
http://support.microsoft.com/?ID=308419
HOW TO: Set, View, Change, or Remove File and Folder Permissions in
Windows XP
IN THIS TASK Permissions for Files and Folders Set, View, Change, or
Remove File and Folder Permissions How Inheritance
http://support.microsoft.com/?ID=308418
HOW TO: Disable Simplified Sharing and Password-Protect a Shared Folder
in Windows XP
IN THIS TASK How to Disable Simple File Sharing How to Share a Folder
or Drive with Other People Troubleshooting
http://support.microsoft.com/?ID=307874
> Thanks A Lot
> Abdur Rahman Ali
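
An added example for item 4, not part of the original post: once "Audit logon events" and "Audit process tracking" are enabled, the XP Security log records logon (528), logoff (538) and process creation (592), and correlating them by Logon ID gives user, time in, time out, duration and programs run. The CSV layout and sample rows are constructed for illustration and are not the output of any particular export tool.

```python
import csv
import io
from datetime import datetime

# Constructed sample: Security-log records flattened to CSV (assumed layout).
SAMPLE = """time,event_id,user,logon_id,image
2003-05-24 09:00:05,528,alice,0x1A2B,
2003-05-24 09:01:10,592,alice,0x1A2B,C:\\Program Files\\Internet Explorer\\iexplore.exe
2003-05-24 09:15:00,528,bob,0x2C3D,
2003-05-24 09:20:30,592,alice,0x1A2B,C:\\WINDOWS\\system32\\notepad.exe
2003-05-24 09:45:05,538,alice,0x1A2B,
2003-05-24 09:50:00,592,bob,0x2C3D,C:\\WINDOWS\\system32\\mspaint.exe
2003-05-24 10:30:00,528,carol,0x1A2B,
"""

LOGON, LOGOFF, PROCESS = "528", "538", "592"
FMT = "%Y-%m-%d %H:%M:%S"

def build_sessions(text):
    """Correlate events by Logon ID into one record per logon session."""
    sessions = []   # every session seen, in logon order
    active = {}     # Logon ID -> session still open (IDs can be reused later)
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["time"], FMT)
        key, event = row["logon_id"], row["event_id"]
        if event == LOGON:
            s = {"user": row["user"], "time_in": when, "time_out": None,
                 "minutes": None, "programs": []}
            sessions.append(s)
            active[key] = s
        elif key not in active:
            continue  # session started before the exported window
        elif event == PROCESS:
            # Keep only the executable name from the image path.
            active[key]["programs"].append(row["image"].rsplit("\\", 1)[-1])
        elif event == LOGOFF:
            s = active.pop(key)
            s["time_out"] = when
            s["minutes"] = (when - s["time_in"]).total_seconds() / 60
    return sessions

if __name__ == "__main__":
    for s in build_sessions(SAMPLE):
        out = s["time_out"] or "no logoff event recorded"
        print(s["user"], s["time_in"], out, s["minutes"], s["programs"])
```

A session with no matching 538 record is reported with an empty time out rather than dropped, since a logoff event is not always written (for example after a power loss).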