Is it possible to secure a multi-user computer?

delerious

I'm running Windows 2000 Pro (although my post also applies for XP) on my
home computer, and I would like to try to set up multiple accounts on it
in a way that keeps the computer secure.

I have an Administrator account, a personal account that is in the Users
group, and another account in the Users group (let's call that user
"untrusted").

Can I secure my computer in a way that the "untrusted" user cannot make
any system-wide settings changes or damage anything besides his own user
files?

There are some programs that run as services (such as firewalls or
anti-virus programs) that actually allow ANY user to change global program
settings, which is a pretty serious security flaw. I've gotten around
this problem by adding a Deny Full Control permission to the "untrusted"
user on the GUI executables for those programs. Is this the best way to
handle the situation, or is there a better way to prevent normal users
from making global settings changes to such programs?

Also, there are some things that ideally should be user-specific, but
Windows makes system-specific for some reason, like screen resolution and
sound volume. Any way to make those be user-specific?

And some things should only be modifiable by the Administrator, but
Windows allows ANY user to change. For example, I remember trying to
change one of the TCP/IP settings as a normal user and Windows allowed it,
and then I logged in as Administrator and the setting still had the new
value. That was pretty disappointing. I'm sure there are other things
that I can't remember off the top of my head, but is there a way to
prevent normal users from changing those settings?
 
Dave B.

If you're running Windows 2000 then you should be posting in one of the
Windows 2000 groups.
 
delerious

I did (and also posted to a WinXP group). I figure that if there is a
solution for the problem in XP, then that solution will probably also work
for Windows 2000. And the XP groups have more traffic than the Windows
2000 groups.
 
Roger Abell [MVP]

delerious said:
I did (and also posted to a WinXP group). I figure that if there is a
solution for the problem in XP, then that solution will probably also work
for Windows 2000. And the XP groups have more traffic than the Windows
2000 groups.

If you were using XP Pro then things would be much more simple than
for Windows 2000 with your objectives.

For individual services that allow the user to make use of elevated
privs to modify things normally reserved to admins there is not much
that you can do, save getting rid of that ill-designed service software.
Perhaps they have a version that is actually Windows logo compliant.

Windows XP includes SAFER (software restriction policy) that can
be used to tweak about with what can be run, although its use outside
of a domain is less than flexible.

If your W2k is installed using NTFS, then much is restricted just by
making the accounts at most members of Users (i.e. not power users,
not admins).

Windows 2000 is a while ago for me, but I do not recall normal
users being able to change any config of the network stack.

Windows Vista (finally) makes some settings, like screen resolution,
adjustable by normal users.
 
delerious

Roger said:
If you were using XP Pro then things would be much more simple than
for Windows 2000 with your objectives.

For individual services that allow the user to make use of elevated
privs to modify things normally reserved to admins there is not much
that you can do, save getting rid of that ill-designed service software.
Perhaps they have a version that is actually Windows logo compliant.

Some programs have an option to only allow Administrator to modify
settings, but many do not have that.

Windows XP includes SAFER (software restriction policy) that can
be used to tweak about with what can be run, although its use outside
of a domain is less than flexible.

If your W2k is installed using NTFS, then much is restricted just by
making the accounts at most members of Users (i.e. not power users,
not admins).

Yeah, I use Users and not Power Users. But still, Users have access to
some things they shouldn't have access to. And this reminds me, the
permissions setup on Windows is horrible. Many folders have a permission
for Everyone, even if not everyone will need access to it. In addition, a
lot of child folders have the same exact permissions as the parent folder,
but the permissions will be defined directly on the child, when inheriting
the permissions would make more sense.

Windows 2000 is a while ago for me, but I do not recall normal
users being able to change any config of the network stack.

I just checked. It isn't really the network stack, but if you go under
the Local Area Connection properties, and then the Adapter properties,
under Power Management, a normal user will be able to change those 2
checkboxes, when they shouldn't be allowed to do so.

Windows Vista (finally) makes some settings, like screen resolution,
adjustable by normal users.

Screen resolution is already adjustable by normal users. Or do you mean
"not adjustable"?
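
The two ACL complaints in the post above (broad groups such as Everyone holding modify rights, and child folders carrying explicit entries identical to what the parent would pass down) can be checked with a short audit. This is an added example, not code from any poster in the thread; it assumes Windows PowerShell 2.0 or later (an add-on for XP, not available for Windows 2000), and `$Root` and the finding names are illustrative.

```powershell
# Added audit sketch; not code from the thread. Read-only: it changes no ACLs.
param([string]$Root = 'C:\Program Files')   # assumed folder to audit

$sidType   = [System.Security.Principal.SecurityIdentifier]
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-32-545' = 'BUILTIN\Users' }

function Get-Rules([string]$Path) {
    # Explicit and inherited ACEs, with accounts returned as SIDs so the
    # comparison does not depend on localized group names.
    # Note: -Path treats [ and ] in folder names as wildcards.
    (Get-Acl -Path $Path -ErrorAction Stop).GetAccessRules($true, $true, $sidType)
}

function New-Finding($Dir, $Kind, $Ace) {
    New-Object PSObject -Property @{
        Path = $Dir; Finding = $Kind
        Account = $Ace.IdentityReference.Value; Rights = $Ace.FileSystemRights
    }
}

Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.PSIsContainer } |
  ForEach-Object {
    $dir = $_
    try {
        $rules       = @(Get-Rules $dir.FullName)
        $parentRules = @(Get-Rules $dir.Parent.FullName)
    } catch { return }                       # ACL not readable: skip this folder

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        # Finding 1: Everyone or Users is allowed to modify the folder.
        # ACEs stored as generic rights are not decoded by this check.
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and
            ([int]($ace.FileSystemRights -band $writeBits)) -ne 0) {
            New-Finding $dir.FullName 'BroadWrite' $ace
        }
        # Finding 2: explicit ACE that repeats an inheritable ACE on the parent.
        if (-not $ace.IsInherited) {
            $dup = @($parentRules | Where-Object {
                $_.IdentityReference.Value -eq $sid -and
                $_.AccessControlType -eq $ace.AccessControlType -and
                $_.FileSystemRights -eq $ace.FileSystemRights -and
                ([int]($_.InheritanceFlags -band $inherit)) -ne 0 })
            if ($dup.Count -gt 0) { New-Finding $dir.FullName 'RedundantExplicit' $ace }
        }
    }
  }
```

Running it from an administrator account avoids skipped folders; pipe the output to `Format-Table -AutoSize` or `Export-Csv` to review the findings.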
 
Roger Abell [MVP]

delerious said:
Some programs have an option to only allow Administrator to modify
settings, but many do not have that.

Again, Windows logo compliant software is supposed to restrain what
an elevated account will do so that it upholds policies.

Yeah, I use Users and not Power Users. But still, Users have access to
some things they shouldn't have access to. And this reminds me, the
permissions setup on Windows is horrible. Many folders have a permission
for Everyone, even if not everyone will need access to it. In addition, a

You say Windows, but it sounds like you are speaking of NT 4. W2k did
restrict this further by giving control over just what "Everyone" actually
covers, and it also started the movement toward more sane default ACLing
of storage. XP went further in this regard, and now Vista has nudged further.

lot of child folders have the same exact permissions as the parent folder,
but the permissions will be defined directly on the child, when inheriting
the permissions would make more sense.

My best advice is to use an OS designed after MS started to catch the safety
religion, i.e. XP SP2 at a minimum.

I just checked. It isn't really the network stack, but if you go under
the Local Area Connection properties, and then the Adapter properties,
under Power Management, a normal user will be able to change those 2
checkboxes, when they shouldn't be allowed to do so.



Screen resolution is already adjustable by normal users. Or do you mean
"not adjustable"?

Like I have said, W2k is a long time ago for me at this point.

Roger
 
delerious

Roger said:
My best advice is to use an OS designed after MS started to catch the safety
religion, i.e. XP SP2 at a minimum.

I may have to do that. Although I'm sure that some of the things I
mentioned will still be present in XP SP2 or even Vista, because neither
of those are OSes rewritten from scratch -- they are still based on
NT/2000/XP code.

Like I have said, W2k is a long time ago for me at this point.

But what did you mean? Vista allows normal users to adjust the screen
resolution?
 
Roger Abell [MVP]

delerious said:
Roger Abell [MVP] wrote:

But what did you mean? Vista allows normal users to adjust the screen
resolution?

Yes, and a few other things that previously were reserved to
admins without much or any good reason.
 
delerious

Roger said:
Yes, and a few other things that previously were reserved to
admins without much or any good reason.

Ideally things like screen resolution and sound volume would be user
settings. Is this the case?
 
