Re: Prevent users installing software
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 23 Mar 2006 17:58:34 -0600
By default in a domain configuration the only thing that is stopping any
user from accessing domain resources is credentials. In other words, a user
on a Windows 98 computer or Apple Mac laptop could potentially access files
on a domain file server if they knew the logon/password of a domain user that
had access to the file server. The administrator of the domain could
implement an IPsec require policy for that file server that would make it
impossible for non-domain users to access the domain file server, because
IPsec by default requires that the domain computers authenticate with each
other via Kerberos before network communications can begin.

Another concern [particularly if IPsec is not used] is that a public user
computer could be infected with a worm that could attempt to infect the
whole network, including domain computers, via file and print sharing. That
can happen even if the credentials of the other users are not known if the
worm exploits a vulnerability of the operating system like Blaster did for
RPC. That is one reason it is very important to keep your computers current
with critical security updates that could expose your computers to such
threats.
--- Steve
"jeffuk123" <jeffuk123@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E8857C66-50C2-4E93-B78A-711F87186727@xxxxxxxxxxxxxxxx
Thanks Guys,
Apart from these users, members of the public need to be able to access the
internet if they take their own laptops to the mobile classroom.
I thought that being on a workgroup users would have access to network
resources and the whole point of being on a domain was to prevent this!!!
Many thanks
"Leythos" wrote:
In article <65B0DA00-AFF6-42C0-B1D7-77962CAC845F@xxxxxxxxxxxxx>,
jeffuk123@xxxxxxxxxxxxxxxxxxxxxxxxx says...
Hello to all,
I would be most grateful if anyone could give me some guidance on how to
prevent users from installing software and changing settings on a
standalone Windows XP laptop or PC.
Basically, the users will only have Internet access and will be taking the
laptops away with them from the workplace, but must have basic user
accounts.
The other way, although this may not be within the realms of this thread.
Our client has a Windows 2003 server and the new laptops must not have
access to existing network resources also. How could I set this up on the
domain controller whereby users can access the internet, but not be able to
access the existing network resources? I was wondering if I could join the
laptops to the existing domain and create a group for these users and then
deny this group access to the existing network resources, and prevent them
from being able to change settings and install software through group
policy. However, where in group policy does this occur and would it be best
to create mandatory profiles?
Any ideas and guidance would really be appreciated about how to set this up.
Many thanks to all,
Computers that are part of a "Workgroup" and never having been part of
the "Domain" that don't have complementary accounts on the domain, don't
have access to the Server files, but they could get access to DHCP and
internet depending on how you have your Internet firewall set up.
--
spam999free@xxxxxxxxxx
remove 999 in order to email me