Need help with securing a local workstation

Thread starter: Tim Connolly

Tim Connolly

Hi,

I need to lock down a Windows 2000 Professional SP 2 system so that
the user cannot do any of the following:

- Access the FDD
- Access the CDROM
- Access USB ports
- Install software
- And if possible, I'd love to prevent them from running software that
isn't approved.

Is this possible in the delivered Windows 2000 Professional SP2
security?

Any suggestions about how to go about this?

Thanks in advance!

Tim
 
Use the local group policy settings. To get there, go to Start-Run-MMC

Then, add in the Group Policy snap-in. You will import the local GPO. Poke
around in there, you will find what you are looking for.
 
I will need to double check, but I am fairly sure that USB devices will be
controlled through the Removable Media GPO settings. I will need to double
check that, but it is easy enough to test.

--
Derek Melber

waldox said:
USB ports cannot be locked through GPOs. However, you can disable it
locally at the hardware management console.
 

Or just disable the USB ports in the BIOS and password protect the BIOS to
prevent them being re-enabled.
Your hardware vendor may be able to deliver them preconfigured like this.

Andy.
 
If the user is a member of just the users group, that will prevent them from
installing "most" software. I suggest you also change the NTFS permissions
on the root/drive folder to give everyone/users no more than
read/list/execute NTFS permissions. Group Policy can help somewhat by
configuring install.exe, setup.exe, etc. to the disallowed Windows
application list as described in the KB link below. Renaming applications can
bypass that restriction. You may also want to disable the command prompt and
registry editing while you are at it. Be sure to read the explanation of any
setting, as disabling the command prompt for instance can cause batch files
not to run. To really lock down applications/installations consider using XP
Pro, where the very powerful Software Restriction Policies can use
hash/path/certificate rules to really lock down a computer.
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://support.microsoft.com/default.aspx?scid=kb;en-us;310791

You can use Group Policy/user configuration/administrative templates/windows
components/Windows Explorer to hide and disable drives, but not USB. However,
those settings only prohibit a user from using those drives while using
Explorer, My Computer, Network Places, run box etc. and will not stop them
from accessing the drive through the command prompt, or other methods
possibly including applications themselves. Depending on your security
requirements you may want to use a computer case that blocks access to those
devices or disconnect the cables on the inside if the case is locked. You
can also disable access to those devices [including USB] via CMOS and then
password protect the CMOS settings and again be sure the case is locked.
Also be sure to disable CD-ROM autostart and configure CMOS to boot only from
hard drive as it is very trivial to use a boot floppy/CD-ROM to reset the
local administrator password in less than five minutes. Of course other
security precautions apply such as using complex administrator
passwords. --- Steve MVP Windows Security
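The per-user settings Steve lists above, as an added example that is not part of the thread: a script that writes the same registry values the Local Group Policy "User Configuration" settings write (the disallowed-application list from KB 323525, hidden/blocked drives, the command prompt and registry-tools restrictions) into one account's hive, so only that user is restricted and an administrator logging on to the same machine keeps full access. It then reports whether Users/Everyone hold more than read/list/execute on the system drive root. PowerShell did not exist on Windows 2000, so this targets a current Windows host; the value names are the documented policy locations, which also map one-to-one to the gpedit.msc settings on 2000. The account name, drive letters and executable list are assumptions for illustration; it assumes an elevated session and that the target user has logged on at least once so a profile hive exists.

```powershell
<#
  Added example, not from the thread. Applies Steve's per-user restrictions to ONE
  account by writing the registry values behind the Local Group Policy settings.
  Assumptions: elevated session; target user has a profile (NTUSER.DAT); account
  name, drive letters and exe list below are illustrative.
#>
param(
    [Parameter(Mandatory)] [string] $UserName,                                  # assumed, e.g. 'kiosk'
    [string[]] $DisallowedExes = @('setup.exe', 'install.exe', 'msiexec.exe'),  # "Don't run specified Windows applications"
    [char[]]   $HiddenDrives   = @('A', 'D')                                    # assumed: A: floppy, D: CD-ROM
)

$ErrorActionPreference = 'Stop'

# Per-user policy lives under HKEY_USERS\<SID>, so resolve the account to its SID first.
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$hive    = "Registry::HKEY_USERS\$sid"

# If the user is not logged on, load their offline profile hive so it can be edited.
$loadedHere = $false
if (-not (Test-Path $hive)) {
    $profileDir = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid").ProfileImagePath
    $profileDir = [Environment]::ExpandEnvironmentVariables($profileDir)
    reg.exe load "HKU\$sid" (Join-Path $profileDir 'NTUSER.DAT') | Out-Null
    $loadedHere = $true
}

function Set-PolicyValue([string]$Key, [string]$Name, $Value, [string]$Type) {
    # Policy keys do not exist until a setting is applied, so create them on demand.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type $Type
}

try {
    $explorer = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $system   = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $cmdPol   = "$hive\Software\Policies\Microsoft\Windows\System"

    # 1. Disallowed Windows applications (KB 323525). This matches on file name only,
    #    so, as Steve notes, a renamed setup.exe walks straight past it.
    Set-PolicyValue $explorer 'DisallowRun' 1 'DWord'
    $i = 1
    foreach ($exe in $DisallowedExes) {
        Set-PolicyValue "$explorer\DisallowRun" ([string]$i) $exe 'String'
        $i++
    }

    # 2. Hide the drives (NoDrives) AND block them in Explorer/My Computer/Run
    #    (NoViewOnDrive). Both are bitmasks: A: = bit 0, B: = bit 1, C: = bit 2, ...
    #    Neither stops cmd.exe or an application from opening the drive directly.
    $mask = 0
    foreach ($d in $HiddenDrives) {
        $bit  = [int]([char]::ToUpper($d)) - [int][char]'A'
        $mask = $mask -bor (1 -shl $bit)
    }
    Set-PolicyValue $explorer 'NoDrives'      $mask 'DWord'
    Set-PolicyValue $explorer 'NoViewOnDrive' $mask 'DWord'

    # 3. Command prompt: 2 blocks interactive cmd.exe but still lets .bat/.cmd files
    #    run; 1 would also stop batch files, the side effect Steve warns about.
    Set-PolicyValue $cmdPol 'DisableCMD' 2 'DWord'

    # 4. Registry editing tools (regedit / regedt32).
    Set-PolicyValue $system 'DisableRegistryTools' 1 'DWord'
}
finally {
    if ($loadedHere) {
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # drop provider handles before unloading
        reg.exe unload "HKU\$sid" | Out-Null
    }
}

# Report only (no change): do Users/Everyone hold more than read/list/execute on the
# root of the system drive? ReadAndExecute already includes the Synchronize bit.
$readExec = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
(Get-Acl -Path "$env:SystemDrive\").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -match 'Users$|Everyone$' } |
    ForEach-Object {
        $extra = ([int]$_.FileSystemRights) -band (-bnot $readExec)
        [pscustomobject]@{
            Identity          = $_.IdentityReference
            Rights            = $_.FileSystemRights
            BeyondReadExecute = ($extra -ne 0)
        }
    } | Format-Table -AutoSize
```

Usage: `.\Lock-User.ps1 -UserName kiosk` from an elevated prompt while the target user is logged off. Because everything is written under that user's hive rather than HKLM, the administrator account is untouched, which is the behaviour asked for later in the thread. A `BeyondReadExecute = True` row in the report is the cue to tighten the root ACL as Steve suggests (typically the default "create folders / append data" entry for Users), after checking that no application on the box depends on writing to the root.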
 
Always....Always password protect the BIOS - have you seen the damage that
can be done with the Linux boot disk?
 
Hi,

Thanks for the great information...one point of clarification: I
actually need to lock the computer down in this way for one specific
user...an Administrator level user should be able to use all functions
locked out for the other user.

Will these suggestions still work in this manner?

Also, when I right-click (as Administrator) on my root C: drive or any
other folder for that matter, I don't have the Security tab
available...any idea why this is? I didn't set these systems
up...just being asked to investigate possible solutions.

Thanks again!

Tim
 