Win 2k Security Questions


Robert Paris

I am looking for how I can do the following on Win2K:

1. Disable a User's ability to write to/edit the registry
(Actually disable for all but Administrator)

2. Disable user's ability to write files to all but one folder

3. Disable user's ability to execute any program except for a few that I
specify
(And can I log attempts to run/execute programs?)

4. In disabling cmd.exe, can I set up only two programs to run (on startup)
in command prompts (with RunAs service) - they're java programs - and still
keep all other java programs and the user from being able to do anything in
command prompt?

Answers to any of these questions would be greatly appreciated. Any pointers
to further resources would be great too! Thanks!
 

Guest

1. use group policy (see below) or set security permission in the registry
(be careful)

2. use NTFS permission

3. use group policy

4. that depends on how you deal with the java

Under User Config\Administrative Templates\System\

Prevent access to the command prompt
"Prevents users from running the interactive command prompt, Cmd.exe. This
setting also determines whether batch files (.cmd and .bat) can run on the
computer. If you enable this setting and the user tries to open a command
window, the system displays a message explaining that a setting prevents the
action. Note: Do not prevent the computer from running batch files if the
computer uses logon, logoff, startup, or shutdown batch file scripts, or for
users that use Terminal Services."

Prevent access to registry editing tools
"Disables the Windows registry editor Regedit.exe. If this setting is
enabled and the user tries to start a registry editor, a message appears
explaining that a setting prevents the action. To prevent users from using
other administrative tools, use the Run only allowed Windows applications
setting."

Run only allowed Windows applications
"Limits the Windows programs that users have permission to run on the
computer. If you enable this setting, users can only run programs that you
add to the List of Allowed Applications. This setting only prevents users
from running programs that are started by the Windows Explorer process. It
does not prevent users from running programs such as Task Manager, which are
started by the system process or by other processes. Also, if users have
access to the command prompt, Cmd.exe, this setting does not prevent them
from starting programs in the command window that they are not permitted to
start by using Windows Explorer. Note: It is a requirement for third-party
applications with Windows 2000 or later certification to adhere to this
setting. Note: To create a list of allowed applications, click Show, click
Add, and then enter the application executable name (e.g., Winword.exe,
Poledit.exe, Powerpnt.exe)."

Don't run specified Windows applications
"Prevents Windows from running the programs you specify in this setting. If
you enable this setting, users cannot run programs that you add to the list
of disallowed applications. This setting only prevents users from running
programs that are started by the Windows Explorer process. It does not
prevent users from running programs, such as Task Manager, that are started
by the system process or by other processes. Also, if you permit users to
gain access to the command prompt, Cmd.exe, this setting does not prevent
them from starting programs in the command window that they are not permitted
to start by using Windows Explorer. Note: To create a list of disallowed
applications, click Show, click Add, and then enter the application
executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe)."

BR,
Denis
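
An added example, not part of the reply above: a PowerShell check, run in the restricted user's own session, that reads the per-user registry values behind the four settings quoted in the answer and reports gaps, including the command-prompt caveat the policy text describes. The registry paths and value names are not given in the thread; they are the standard locations these Administrative Templates settings write to. It assumes a Windows release with PowerShell available, which Windows 2000 itself does not include.

```powershell
# Added example, not from the thread. Registry locations are the per-user
# values these Administrative Templates settings write.
$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$CmdPol   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

function Get-PolicyDword([string]$Key, [string]$Name) {
    # 0 means the key or value is absent, i.e. the setting is not configured.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { 0 }
}

function Get-PolicyList([string]$Key) {
    # The application lists are stored as numbered string values in a subkey.
    if (-not (Test-Path $Key)) { return }
    $k = Get-Item -Path $Key
    $k.GetValueNames() | Where-Object { $_ } | ForEach-Object { $k.GetValue($_) }
}

# DisableCMD: 1 = Cmd.exe and batch files blocked, 2 = Cmd.exe blocked only
$disableCmd  = Get-PolicyDword $CmdPol   'DisableCMD'
$noRegTools  = Get-PolicyDword $System   'DisableRegistryTools'
$restrictRun = Get-PolicyDword $Explorer 'RestrictRun'
$disallowRun = Get-PolicyDword $Explorer 'DisallowRun'
$allowed     = @(Get-PolicyList "$Explorer\RestrictRun")
$blocked     = @(Get-PolicyList "$Explorer\DisallowRun")

$findings = @()
if ($noRegTools -eq 0) { $findings += 'Registry editing tools are not blocked.' }
if ($disableCmd -eq 0) { $findings += 'Command prompt is not blocked.' }
if ($disableCmd -eq 2) { $findings += 'Cmd.exe is blocked, but .cmd and .bat files can still run.' }
if ($restrictRun -eq 0) {
    $findings += 'No allowed-applications list is enforced.'
} elseif ($allowed.Count -eq 0) {
    $findings += 'Allowed-applications list is enabled but empty.'
}
if (($restrictRun -or $disallowRun) -and $disableCmd -eq 0) {
    # Caveat quoted in the answer: the lists only apply to programs started by Explorer.
    $findings += 'Application lists are set, but the command prompt is open, so they do not bind programs started from it.'
}

"Allowed applications   : $($allowed -join ', ')"
"Disallowed applications: $($blocked -join ', ')"
if ($findings.Count) { $findings | ForEach-Object { "GAP: $_" } } else { 'No gaps found in the settings checked.' }
```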
 

Robert Paris

Thanks for the quick reply!

Question:

"Note: It is a requirement for third-party applications with Windows 2000 or
later certification to adhere to this
setting."

Does the above quote mean that a trojan/virus program could ignore the
settings and still run?!
 
