Preventing users from installing unauthorized software

Guest

As part of our security policy, our organization needs to prevent installation of unauthorized software, e.g. chat clients such as Yahoo or MSN or any other client, and also tools such as surfstart that enable bypassing the proxy. Is there a way to do it?
 
Robert Moir

Aafaq said:
As part of our security policy, our organization needs to prevent
installation of unauthorized software, e.g. chat clients such as Yahoo or
MSN or any other client, and also tools such as surfstart that enable bypassing
the proxy. Is there a way to do it?

Well as you are posting to a Windows 2000 newsgroup, I'm going to suggest
using group policies to lock down the workstations and restrict user rights
in order to prevent them from installing software.
--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
Guest

We have tried using group policies but smart users still bypass them. For example, we configure the proxy setting in the browser through group policy, then users install a piece of software called startsurf.exe which allows them to bypass the proxy. To further complicate the issue, if we put startsurf.exe in the denied list in group policies then they rename it and run it. They also store it in their mailboxes or rename it in home folders and also change the extension. Our current group policy setting allows all applications and denies the applications in the list. If we change the policy to deny all and allow the listed applications, it may prevent them from running unauthorized applications, but I am sure it can be renamed to an allowed application and run again. What could be the foolproof method of preventing installation and detection of unauthorized applications/software?

Thanks
Aafaq

----- Robert Moir wrote: -----

Aafaq Manzoor wrote:
As part of our security policy, our organization needs to prevent
installation of unauthorized software, e.g. chat clients such as Yahoo or
MSN or any other client, and also tools such as surfstart that enable bypassing
the proxy. Is there a way to do it?

Well as you are posting to a Windows 2000 newsgroup, I'm going to suggest
using group policies to lock down the workstations and restrict user rights
in order to prevent them from installing software.
--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
Andrew Mitchell

We have tried using group policies but smart users still bypass them. For
example, we configure the proxy setting in the browser through group policy,
then users install a piece of software called startsurf.exe which allows them to
bypass the proxy. To further complicate the issue, if we put
startsurf.exe in the denied list in group policies then they rename it and
run it. They also store it in their mailboxes or rename it in home folders
and also change the extension. Our current group policy setting
allows all applications and denies the applications in the list. If we
change the policy to deny all and allow the listed applications, it may
prevent them from running unauthorized applications, but I am sure it can be
renamed to an allowed application and run again. What could be the
foolproof method of preventing installation and detection of
unauthorized applications/software?

Why is your firewall allowing clients to make outbound connections? If you
have a proxy server configured, your firewall should be set up to only allow
outbound connections from the proxy server's IP address. All other traffic
should be blocked.
Doing it this way means that they can run whatever they want on their PC but
it will never be able to talk to the outside world.
 
Guest

Restricting access on the firewall may completely stop access even to legitimate and production-related sites. Startsurf was an example to demonstrate what is possible; the bigger issue is compliance with the policy of having no unauthorized software on machines. That is why it is rather more important to prevent the installation than to break the functionality of it. Any thoughts?

Thanks
Aafaq
 
Andrew Mitchell

Restricting access on the firewall may completely stop access even
to legitimate and production-related sites.

How so? If all clients have their browser configured to use the proxy
server (preferably through a group policy) and only the proxy can access
the internet on port 80 then users can browse the internet via the proxy. If
they require direct access through the firewall for other applications you
only open the ports that the application in question requires.
Other applications that require a direct connection (MSN Messenger etc.)
would be blocked. If they use another application to bypass the proxy, they
would be blocked.
If they leave things alone it will work just fine.

Startsurf was an example
to demonstrate what is possible; the bigger issue is compliance with the
policy of having no unauthorized software on machines.

If you were using Windows Server 2003 with Windows XP clients you could
prevent them from running the applications even if they renamed them, but
with Windows 2000 that is not an option without using third party products.

You could start by ensuring that users are not local administrators on
their PCs and add msiexec.exe to the deny list. This would stop any
applications that use the Windows installer from being installed (I think -
I haven't tried this).
If the users only need to run a limited number of applications you could
create a default policy of deny all, then just add the applications you
want to allow them to run.

It sounds to me like this is more of a people management problem than a
technical problem. Do you have an official internet access or computer use
policy at your work? Does it cover situations such as this and, if so, have
you notified the users' managers of the breach of policy?

That is why it is
rather more important to prevent the installation than to break the
functionality of it.

A correctly set up proxy/firewall combination will ensure your security
without reducing legitimate functionality.
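
The renaming problem discussed in this thread, as an added example that is not part of any poster's message: it compares a file-name deny list, a file-name allow list and a content-hash allow list against the same constructed files. The file names other than startsurf.exe, the file contents and the use of SHA-256 are assumptions chosen for illustration, not the mechanism of any Windows policy feature.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the file contents; the result ignores name, folder and extension."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def decisions(path, denied_names, allowed_names, allowed_hashes):
    """Return (name deny-list, name allow-list, hash allow-list) verdicts.
    True means the policy would let the file run."""
    name = os.path.basename(path).lower()
    return (name not in denied_names,
            name in allowed_names,
            sha256_of(path) in allowed_hashes)

def run_demo():
    """Create constructed sample files and evaluate all three policies."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, content):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            return path

        approved = b"constructed bytes: approved application"
        tool = b"constructed bytes: unauthorized tool"
        files = {
            "approved": write("apps/winword.exe", approved),
            "tool": write("home/startsurf.exe", tool),
            "tool_renamed": write("home/notes.exe", tool),
            "tool_as_approved_name": write("home/winword.exe", tool),
        }
        denied_names = {"startsurf.exe"}
        allowed_names = {"winword.exe"}
        # The hash list is built from the approved install, not from names.
        allowed_hashes = {sha256_of(files["approved"])}
        return {label: decisions(p, denied_names, allowed_names, allowed_hashes)
                for label, p in files.items()}

if __name__ == "__main__":
    columns = ("name-deny", "name-allow", "hash-allow")
    for label, verdict in run_demo().items():
        print(label, dict(zip(columns, verdict)))
```

Only the hash column rejects every copy of the unauthorized file, including the copy that borrows an approved name; the cost is that the hash list must be refreshed whenever an approved application is patched.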
 
Guest

Lastly, which third-party software is available?

Thanks a lot Andrew for your detailed response. It made things very clear.

Thanks
Aafaq
 
Andrew Mitchell

Aafaq said:
Lastly, which third-party software is available?

Having a closer look at this, AppSec which is part of the Windows 2000
resource kit may help out. You can define application names *and paths* that
are allowed to run. Simply install your allowed applications, then grant the
user only read and execute permissions to files in that directory. That way
they cannot overwrite authorised apps with applications of their own.

http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp

Andy.
 
