Re: Prevent users installing software
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 23 Mar 2006 10:57:21 -0600
For workgroup computers your best bet is to try out the free Shared Computer
Toolkit from Microsoft that may be able to do most if not all of what you
want. It takes advantage of Group Policy settings that normally can not be
implemented per user on a stand alone computer.
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx --- Shared
Computer Toolkit
Though I believe the Shared Computer Toolkit can be implemented in an Active
directory domain in my opinion I would first try using Group Policy features
and access control lists to do what you want. In particular you can use
Software Restriction Policies to manage what users can install and run on
their computers. I suggest that you try a test computer first as SRP can be
difficult to tweak and you need to keep in mind that shortcuts [.lnk files]
are restricted by SRP by default and allowances may need to be made for that
depending on how far you lockdown the users. Usually events will be recorded
in the application log when SRP kicks in that can help troubleshoot
problems.
As far as access control lists you need to make sure that the users [or
group they are in] do not have any permissions to shares in the domain which
means either explicitly add their group with deny permissions or do not user
authenticated users/everyone/users in the permissions list but use specific
groups that are allowed access [best method IMHO] using principle of least
privilege. You can also use the user rights for "access this computer from
the network" and "deny access to this computer from the network" to control
what users/groups have access to computer shares keeping in mind that a deny
user right overrides the corresponding allow user right. User rights are
part of Group Policy under computer configuration/Windows settings/security
settings/local policies/user rights. A more advanced topic is using ipsec to
control what computers have access to other computers in the domain but
ipsec policies take a lot of planning and testing before implementing and
allowances for exceptions for domain controllers or big problems can occur.
The links below may help get you started. --- Steve
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- Software Restriction Policies
http://www.microsoft.com/smallbusiness/support/checklist/default.mspx
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch04n.mspx
--- Threats and Countermeasures user rights overview
"jeffuk123" <jeffuk123@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:65B0DA00-AFF6-42C0-B1D7-77962CAC845F@xxxxxxxxxxxxxxxx
Hello to all,
I would be most grateful if anyone could give me some guidance on how to
prevent users from installing software and changing settings on a
standalone
windows xp laptop or PC.
Basically, the users will only have Internet access and will be taking the
laptops away with them from the workplace, but must have basic user
accounts.
The other way, although this may not be within the realms of this thread.
Our cleint has a windows 2003 server and the new laptops must not have
access
to exisitng network resources also. How could I set this up on the domain
controller whereby users can access the internet, but not be able to
access
the exisiting network resources. I was wondering if I could join the
laptops
to the existing domain and create a group for these users and then deny
this
group access to the existing network resources, and prevent them from
being
able to change settings and install software through group policy.
However,
where in group policy does this occur and would it be best to create
mandatory profiles?
Any idea and guidance would really be appreciated about how to set this
up.
Many thanks to all,
Jeff
.
- Prev by Date: Re: Prevent users installing software
- Next by Date: Re: Profiles problem
- Previous by thread: Re: Prevent users installing software
- Next by thread: Re: Prevent users installing software
- Index(es):
Relevant Pages
|
