Basic question from a security newbie

From: Gordon Smith \(eMVP\) (Gordon.Smith_at_avnet.com)
Date: 09/05/03

• Next message: msd: "Re: stuck need primary user password"
• Previous message: Star Fleet Admiral Q: "Re: Auto update registery Keys"
• Next in thread: Gordon Smith \(eMVP\): "Re: Basic question from a security newbie"
• Reply: Gordon Smith \(eMVP\): "Re: Basic question from a security newbie"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 4 Sep 2003 17:23:19 -0700

Don't let the "MVP" fool you here... My MVP role isn't related to security.
:-)

I'm trying to lock down a computer for use in an internet cafe. I assumed
the rational way to approach this is to set the default security level under
software restriction policies to "disallow" and then list the few apps
(internet explorer, etc.) as apps that are allowed to run. Am I on the
right track?

Here's where I am getting confused. I set enforcement to apply to all users
except administrators (sounds logical). I set the default security level to
disallow. I logged out (even rebooted for good measure), but my limited
user accounts are still able to run everything. For grins, I went back to
the admin account and listed "sol.exe" using a hash rule as explicitly
disallowed. My guest account can't run sol.exe now, but I had assumed that
having a default rule of disallow would have acheived the same result.
Having the sol.exe show up as blocked tells me that the policies I'm
changing do actually mean something to the system, but the default rule of
disallow seems to be ignored.

Do I need to do something to have the default security level of "Disallow"
stick or am I misunderstanding what it means?

-- 
Gordon Smith (eMVP)
Gordon.Smith@nospam.avnet.com

---

• Next message: msd: "Re: stuck need primary user password"
• Previous message: Star Fleet Admiral Q: "Re: Auto update registery Keys"
• Next in thread: Gordon Smith \(eMVP\): "Re: Basic question from a security newbie"
• Reply: Gordon Smith \(eMVP\): "Re: Basic question from a security newbie"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Windows Vista current flaws ... Initial thoughts are to disallow the new OS until you have tested it ... > I work in Network Security for UC Berkeley's residence halls. ... > Before I decide on this, I wanted opinions on whether or not this ... (Security-Basics) Re: Cant change default printer page settings in OE & IE ... change the default settings there. ... You say "disallow such changes". ... a custom envelope and landscape is called for and defaults to ... MS MVP-Windows (IE, OE, Security, Shell/User) ... (microsoft.public.windows.inetexplorer.ie6_outlookexpress) [NT] Vulnerability in Microsoft Data Access Components Allows Code Execution (MS07-009) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... this vulnerability by preventing Active Scripting and ActiveX controls ... mode sets the security level for the Internet zone to High. ... (Securiteam) Testimony of Jeff Schmidt, CEO, Authis ... Examining the Security Implications of Proposed Online Gambling Regulation ... recognized expert on issues related to online identification and authentication, ... authentication, and age verification. ... individual using The Internet. ... (rec.gambling.poker) << SBS news of the week 12/6/2004>> ... Simply connecting to the Internet — and doing ... You would NEVER set up a server with file and printing sharing ports ... McAfee says 'Skulls' mobile security threat still low ... ISPs raise the stakes on DDoS attacks ... (microsoft.public.backoffice.smallbiz2000)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)