Is it possible to secure a multi-user Windows machine?

delerious

Here's what I want to do:

I want to have a standalone Windows 2000 Pro machine with multiple users
on it -- an Administrator and a couple of normal users in the Users group
(I won't have anyone in the Power Users group). One of the normal users
will just be an account for me (so that I don't have to log in as
Administrator), and the other normal user will be for people who come over
and want to use the computer.

I'm wondering if it is possible to set up Windows so that a normal user
cannot change any system-wide settings or damage anything besides his own
user files?

Sometimes it is actually possible for a normal user to change settings
that they shouldn't be able to change. For example, I used to run BlackIce
and I could change all the program settings as a normal user. Also,
earlier today I logged in as a normal user and was able to deactivate the
AntiVir real-time protection. Talk about poor security, those things
should only be changeable by the Administrator! But there is a way to get
around that problem -- you have to adjust the permissions on the GUI
executables so that normal users cannot run them. But is there a better
way to deal with that problem? Otherwise every time I install something
I'll have to remember to check if a normal user can change any of the
system-wide program settings, and if so, then I'll have to change the
permissions so that normal users can't run the GUIs.

And Windows lets normal users change certain other settings that apply to
the entire system (which ideally only the Administrator would be allowed
to modify). I remember making a change to a certain TCP/IP setting as a
normal user, and then was surprised after I logged in as Administrator and
saw that the setting was still changed. Normal users can also adjust the
system volume and screen resolution (those ideally should be user-specific
settings, but unfortunately they are for all users).

Is it possible to configure Windows so that normal users can only make
changes that affect themselves, and not any system-wide settings? I
thought I could set up a multi-user computer and not have to worry about
one user making changes that affect other users, but it seems to be much
more difficult to achieve in Windows than I thought it would be.
 
NewScience

I had the same problem so I created multiple .reg files and use Microsoft
Shared Computer Toolkit.

I have the following:

1. Administrator
2. Internet User
3. Normal User
4. Guest User
5. Limited User
6. Locked-down User
7. The Gamer
8. The System Updater

Depending on the user's needs I create the user then run one of the .reg
files and lock certain features.

For example, for The Gamer, Locked-Down User and Limited User, I prevent
the user from accessing any drives in Windows Explorer (they don't even see
them - but apps can still access them), lock them into their C:\Documents
and Settings\[USERNAME]\ folder (they can only see from there downward -
user's root folder),
prevent users from dropping down to DOS, prevent users from updating
system (either from network or CD), ....

The Gamer account sees nothing in the Start Menu, except Game favorites and
under All Programs .... My Games.
Everything else is gone. Cannot right-click on Desktop and access
Properties, or if I permit them, I remove some Tabs.

This can also be done for IE and Windows Explorer. Turn some tabs off or
even prevent Tools Folder Options feature(s).

The beauty of Microsoft Shared Computer Toolkit is that you can create a
user and the User's account is immediately created (C:\Documents and
Settings\[USERNAME]). Normally, the user must logon at least once in order
to create the account/folder. The Toolkit (which is a free download from
Microsoft), circumvents this.

This allows you to create a user, run a script to modify the user's account
in the registry and move onto the next user.

Let me know if you want other info.
 
delerious

Thanks for the reply. That sounds like exactly what I want, but it looks
like the Microsoft Shared Computer Toolkit is only available for Windows
XP. I'm running Windows 2000. :-(

 
Malke

delerious said:
Thanks for the reply. That sounds like exactly what I want, but it
looks like the Microsoft Shared Computer Toolkit is only available for
Windows XP. I'm running Windows 2000. :-(

Then you have the ability to set Group Policies with gpedit.msc. The
Shared User Toolkit makes things easier, but since you can't use it
you'll need to work very carefully and create policies. For questions
about Group Policy, post here:

microsoft.public.windows.group_policy

Malke
 
NewScience

The problem with Group Policy, as I understand it, is that on a single PC you
cannot set up policies on a per-user basis.
If you set policies under User Configuration, it does it for all users on
the system.

How does one set a policy for User A and a totally different policy for User
B or C or D?
 
NewScience

You can do the same thing without the Shared Toolkit. All that buys you, in
your case, is creating a new user and profile at the creation time.

You can still 'do it the old-fashioned way' by creating a new user, logging
in, running regedit (RunAs Administrator on regedit) and importing the specific
.reg file on the user.

You can also create each user, log in as the user, log out and do this for each
user.
Then log in as administrator, open regedit (or regedt32), load each user's
profile hive under a unique name (e.g., NewUser), have all your scripts set to
modify HKEY_USERS\NewUser registry settings, and then import the reg files,
unload the hive and move on to the next user.

 
delerious

NewScience said:
The problem with Group Policy, as I understand it, is that on a single PC you
cannot set up policies on a per-user basis.
If you set policies under User Configuration, it does it for all users on
the system.

That would be a problem.

How does one set a policy for User A and a totally different policy for
User B or C or D?

I'd like to know the answer to that.
 
delerious

NewScience said:
You can do the same thing without the Shared Toolkit. All that buys you,
in your case, is creating a new user and profile at the creation time.

You can still 'do it the old-fashioned way' by creating a new user, logging
in, running regedit (RunAs Administrator on regedit) and importing the specific
.reg file on the user.

What .REG files are you referring to?

You can also create each user, login the user, logout and do this for each
user.
Then log in as administrator, open regedit (or regedt32), load each user's
profile hive under a unique name (e.g., NewUser), have all your scripts set
to modify HKEY_USERS\NewUser registry settings, and then import the reg
files, unload the hive and move on to the next user.

I'm not using any scripts right now... are you referring to any scripts
in particular?
 
NewScience

The .REG Files I am referring to are files that you create manually based on
what settings you wish to force on a user.

This is what I do when I want to create a simple user who logs in to play
Games and cannot go or do anything else.

1. Login as Administrator user.
2. Create a new user.
3. Logout as Administrator user and login as new user name.
4. Setup anything as far as desktop, background, ...
5. Logout as new user and login as Administrator again
6. Open Regedt32 (since you are on Windows 2000)
7. Click on HKEY_USERS key name
8. Click on File | Load Hive
9. Select C:\Documents and Settings\[New UserName]\ntuser.dat
10. Set unique name to LimitedUser
11. Select File | Import
12. Select File to be used to import settings (see below)
13. Import settings file
14. Click on HKEY_USERS/LimitedUser key name
15. Select File | Unload Hive
16. Click OK for confirmation
17. Close Regedt32.exe

This has now changed the user to your preset settings.

LimitedUser.reg file example:

Windows Registry Editor Version 5.00

[HKEY_USERS\LimitedUser\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001

This example prevents My Computer from showing on the Desktop or Windows
Explorer, only allowing the user to see their working directory on down.
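
The load-hive, import, unload procedure from the post above, written as a batch script (an added example, not part of the original post). It assumes reg.exe is installed, the script runs as Administrator, the target user is logged off, and the .reg file writes under HKEY_USERS\LimitedUser; the account name and file name are supplied as arguments.

```batch
@echo off
rem Added example, not from the thread: steps 6-17 as a script.
rem Assumptions: reg.exe is installed, the script runs as Administrator,
rem the target user is logged off, and the .reg file writes under
rem HKEY_USERS\LimitedUser (the mount name used in the steps above).
setlocal

rem %1 = account name, %2 = .reg file to import (both supplied by the caller).
if "%~2"=="" (
    echo Usage: %~nx0 UserName SettingsFile.reg
    exit /b 1
)

set "HIVE=C:\Documents and Settings\%~1\ntuser.dat"
set "MOUNT=HKU\LimitedUser"
set "CHECK=%MOUNT%\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum"

rem The profile only exists after the user has logged on once (steps 3-5).
if not exist "%HIVE%" (
    echo Profile hive not found: "%HIVE%"
    exit /b 1
)
if not exist "%~2" (
    echo Settings file not found: "%~2"
    exit /b 1
)

rem Refuse to continue if something is already mounted under this name,
rem otherwise the import would land in the wrong hive.
reg query "%MOUNT%" >nul 2>&1
if not errorlevel 1 (
    echo %MOUNT% is already loaded. Unload it first.
    exit /b 1
)

rem Steps 7-10: mount the user's hive. This fails while the user is logged on.
reg load "%MOUNT%" "%HIVE%"
if errorlevel 1 (
    echo Could not load the hive. Is the user still logged on?
    exit /b 1
)

rem Steps 11-13: import the settings, and remember the result.
reg import "%~2"
set "RC=%ERRORLEVEL%"

rem Show the key used by the post's LimitedUser.reg example after the import.
if "%RC%"=="0" reg query "%CHECK%"

rem Steps 14-16: always unload, even if the import failed.
reg unload "%MOUNT%"
if errorlevel 1 (
    echo Unload failed. Close any open registry editor and run: reg unload %MOUNT%
    set "RC=1"
)

exit /b %RC%
```

reg import writes to whatever keys the file names, so a file whose paths are not under HKEY_USERS\LimitedUser changes something other than the mounted profile.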
 
delerious

NewScience said:
The .REG Files I am referring to are files that you create manually based
on what settings you wish to force on a user.

Thanks for the information. I'll have to take a closer look at this over
the weekend. Do you have a pointer to any site that describes what else
can be put into the LimitedUser.reg file to restrict things from users?
 
NewScience

delerious said:
Thanks for the information. I'll have to take a closer look at this over
the weekend. Do you have a pointer to any site that describes what else
can be put into the LimitedUser.reg file to restrict things from users?

No. I spent about a month using RegMon (a Registry Monitoring application
from www.sysinternals.com) and a Microsoft Windows XP book, Windows 2000
book dealing with the registry, and created .reg files for my purposes.
Once created, as I mentioned, they can be used in any environment.

I started creating a document on all the basic .reg files I created, but I
can tell you that most of the changes are made in:

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

A good spot to look at is www.winguides.com, which lays out the different
features you can change.

If you give me an idea of what you want, I can let you know what to
'tweak'.

Mostly, I change access to:

Control Panel
IE Configurations
Windows Explorer Configurations
Internet connection changes
Basic User Environment operations (DOS command, Windows Explorer Views, ...)
Login/Logout features
Start Menu and Taskbar configurations

all different based on MY user types ... regardless of Admin, Power User, or
Limited User.

 
