Re: Deny Interactive Logon but Allow Runas



Steven L Umbach added these comments in the current discussion
du jour ...

The problem is even if you could find a way once they know
administrator credentials they could undo any restrictions you
put on the computer anyhow if they are skilled and determined
enough. There are third party runas solutions that can encode
a password used to run a script that could be something to
look at. Cpau is a free one from http://www.joeware.net .
Group Policy Software Restriction Policies is something else
that may help prevent installing of unauthorized software even
for local administrators though it can be bypassed in Safe
Mode though it is very unlikely they would know that.

At the company I am retired from, they first implemented
draconian rules for Windows 2000 and now XP that completely stop
ordinary users from installing/uninstalling anything,
modifying/deleting system files, nothing at all. This is done
centrally when a user logs into what once was a Novell NOS and is
now Windows Server, I think. Each department has a single or
multiple number of designated dept. admins appointed by the
manager who does have the permission to change systems. Once
these rules were implemented after we finally moved off Windows
95 - not even 98 - virtually all user-error problems disappeared.

Now, this sort of Big Brother application of central rule works
well in a very large company with the resources to use built-in
security in the O/S or NOS, buy utilities to do it, as you
suggest above, or write code in Visual C++, Java, whatever that
will custom alter end-user systems to accomplish management's
goals. I left the company barely 6 months after 9/11 and
beginning in late 2002 and more into 2003-2005 or so, I know
they've clamped down more and more to not only save internal
customer support manpower but also in a company-wide effort to
reduce hacking, malicious sabotage, malware, whatever. And, the
entire network sits behind multiple proxy servers to protect the
"clean" side from the "dirty" side.

I gave up being a Registered MS Basher some time back, but I
think most folks even moderately savvy about XP's so-called
security know that it is just plain marketing hype and bullshit.
No, I repeat, NO secure software would allow a user to bypass
system administrator rules by booting into Safe Mode any more
than it would allow an end-user to change system PWs, BIOS
settings, and all the other things that can cause heartburn to a
large support staff. Now, do the users like this? Not hardly!
But, my company, like most large corporations, has an old-
fashioned, somewhat romantic notion that they're in business to
make money and PCs are an important tool to accomplish business
plans, but they are NOT toys nor hobbyist playthings.

Sole proprietorship companies either do their own tech support or
hire it done. Big companies have IT staffs to do it. It is from
the "mom and pop" size very small firms, to small, to mid-size
companies that are in the most trouble because their managements
either do not understand what it really takes to run a complex
network or they cannot or will not allocate manpower or financial
resources. That's a tough row to hoe, and one that the OP hasn't
given much insight as to what his management's direction(s) are.

I'm running off at the mouth here mainly because the general
problem described in this thread that is often summarized by some
OP as "how do I restrict folders or apps or installs or even
individual files other than via account?". This is seen here and
in many other peer-to-peer help NGs and I have yet to see a fully
implementable way to do all of this with XP unless some special
means are taken - read: spend some money.

--
HP, aka Jerry