Remove permissions to install software from Power Users group

Guest

Hello,
I'm trying to lock down Windows XP Pro workstations in our Domain. I've tried
removing users from the PC's local "Administrators" group, but this
generated lots of problems running applications, most of which were
associated with insufficient permissions to local files and folders.
I would like to add all domain users to the local "Power Users" group (which
should be easy to achieve) but remove their ability to install software.
Is there an easy way anyone knows of removing this "right" from the Power
Users group?

Thanks
 
Shenan Stanley

KieronH said:
I'm trying to lock down Windows XP Pro workstations in our Domain.
I've tried removing users from the PC's local "Administrators"
group, but this generated lots of problems running applications,
most of which were associated with insufficient permissions to
local files and folders.
I would like to add all domain users to the local "Power Users"
group (which should be easy to achieve) but remove their ability to
install software.
Is there an easy way anyone knows of removing this "right" from
the Power Users group?

When dealing with security - give least privs first and GRANT what is
necessary beyond that. Do not try to work in the opposite direction. You
will end up giving too many rights and possibly - not even know you did it
until things go wrong.

If they have software that is not working when they are simply 'users' on
the workstation, you should try and discover why (likely file/folder
permissions to the program folders and/or to the All Users profile
directory - MAYBE permissions to a given registry key...) and fix that
instead of continuing to grant the users more rights than they should have.
 
Guest

Hi Shenan,
Thanks for the speedy reply.
I too am a firm believer in the "least privileges required" rule -
unfortunately we run so many different applications, it would take me many
months to identify the user requirements for each application. The Power
Users group membership, without the ability to install software, would be a
lot more secure than the position we are in currently - i.e. all users are
local Administrators.
Thanks,
Kieron
 
Steve Riley [MSFT]

That's still not good enough. There are some exploits (I'll leave the
research up to you, heh) that allow power users to elevate to
administrators. That's why we've removed power users from Windows Vista.

Instead, demote your users to standard user. Then, for troublesome
applications, profile them using Aaron Margosis's LUA BugLight tool. This
will allow you to relax permissions on particular registry keys and files so
that these apps will run under standard user accounts.

http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx
 
Guest

Hi Steve,
Thanks for the response. I wish that our organisation only had a few
"troublesome" applications that I could analyse with the tool you
recommended, to relax the relevant permissions at my leisure. Unfortunately,
when I tried the lockdown a few months ago, to a limited number of users (30)
and applications, the number of help desk calls generated was unmanageable,
as well as the inconvenience caused to users. So we ended up giving back
users full admin rights (I know, I know - but I inherited this situation) so
that we could all "get back to our day jobs". The majority of the problems
were due to the users having insufficient permissions to local files and
folders. Hence my original query regarding "Power Users" without the rights
to install software - as my main concern at the moment is preventing users
installing software.
I'll look further at the LUA BugLight, but I suspect this will be a long,
hard job.

Thanks,
Kieron
--
KieronH


Steve Riley said:
That's still not good enough. There are some exploits (I'll leave the
research up to you, heh) that allow power users to elevate to
administrators. That's why we've removed power users from Windows Vista.

Instead, demote your users to standard user. Then, for troublesome
applications, profile them using Aaron Margosis's LUA BugLight tool. This
will allow you to relax permissions on particular registry keys and files so
that these apps will run under standard user accounts.

http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx


--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
 
Shenan Stanley

KieronH said:
Thanks for the response. I wish that our organisation only had a few
"troublesome" applications that I could analyse with the tool you
recommended, to relax the relevant permissions at my leisure.
Unfortunately, when I tried the lockdown a few months ago, to a
limited number of users (30) and applications, the number of help
desk calls generated was unmanageable, as well as the inconvenience
caused to users. So we ended up giving back users full admin rights
(I know, I know - but I inherited this situation) so that we could
all "get back to our day jobs". The majority of the problems were
due to the users having insufficient permissions to local files and
folders. Hence my original query regarding "Power Users" without
the rights to install software - as my main concern at the moment
is preventing users installing software.
I'll look further at the LUA BugLight, but I suspect this will be a
long, hard job.

Image a machine...
Apply that image to a machine in your office and give yourself an account
with user-only rights to test with.
Fix the problems on that machine.
Rinse/repeat as needed.

I manage machines with 100+ apps and 40,000+ potential users in an open
access environment - none of those users have greater than user rights.
Yes - it takes some effort - but if you find out the apps - you can create
a script to give the correct access to folders and registry entries. It
*will* take time - but you and your whole organization will be better off
for it.
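One way to script the per-application access grants Shenan describes, as an added example that is not part of the thread. It assumes the folder and registry paths are placeholders standing in for whatever LUA BugLight or similar profiling showed an application failing on, and that it is run from an administrative account on the imaged test machine.

```powershell
# Added example, not from the thread: grant the local Users group the rights a
# misbehaving application needs, so it runs under a plain user account rather
# than Power Users or Administrators. Run as an administrator on the test image.

$Principal = 'BUILTIN\Users'

# Placeholder locations (hypothetical app); replace with what profiling reported.
# Grant on the data/log subfolders only, never on the folder holding the
# executables, otherwise users could replace the program binaries themselves.
$Folders = @(
    'C:\Program Files\ExampleApp\Data',
    'C:\Program Files\ExampleApp\Logs'
)
$RegistryKeys = @(
    'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
)

foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }
    $acl = Get-Acl -LiteralPath $folder
    # Modify rather than FullControl: the app can create and change its own
    # files, but users cannot rewrite the ACL or take ownership. The rule is
    # inherited by existing and future subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $folder -AclObject $acl
    Write-Output "Granted Modify on $folder to $Principal"
}

foreach ($key in $RegistryKeys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Skipping missing registry key: $key"
        continue
    }
    $acl = Get-Acl -LiteralPath $key
    # ReadKey + WriteKey lets the app read and set values and create subkeys
    # under this key only; ChangePermissions, TakeOwnership and Delete stay
    # reserved for administrators. Inherit to subkeys.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Principal, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $key -AclObject $acl
    Write-Output "Granted ReadKey, WriteKey on $key to $Principal"
}
```

After running it, log on with the user-only test account, exercise the application, and re-profile; anything still failing goes into the lists above rather than back into group membership.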
 
