Prevent users installing software

G

Guest

Hello to all,

I would be most grateful if anyone could give me some guidance on how to
prevent users from installing software and changing settings on a standalone
windows xp laptop or PC.

Basically, the users will only have Internet access and will be taking the
laptops away with them from the workplace, but must have basic user accounts.

The other way, although this may not be within the realms of this thread.
Our cleint has a windows 2003 server and the new laptops must not have access
to exisitng network resources also. How could I set this up on the domain
controller whereby users can access the internet, but not be able to access
the exisiting network resources. I was wondering if I could join the laptops
to the existing domain and create a group for these users and then deny this
group access to the existing network resources, and prevent them from being
able to change settings and install software through group policy. However,
where in group policy does this occur and would it be best to create
mandatory profiles?

Any idea and guidance would really be appreciated about how to set this up.

Many thanks to all,
Jeff
 
L

Leythos

Hello to all,

I would be most grateful if anyone could give me some guidance on how to
prevent users from installing software and changing settings on a standalone
windows xp laptop or PC.

Basically, the users will only have Internet access and will be taking the
laptops away with them from the workplace, but must have basic user accounts.

The other way, although this may not be within the realms of this thread.
Our cleint has a windows 2003 server and the new laptops must not have access
to exisitng network resources also. How could I set this up on the domain
controller whereby users can access the internet, but not be able to access
the exisiting network resources. I was wondering if I could join the laptops
to the existing domain and create a group for these users and then deny this
group access to the existing network resources, and prevent them from being
able to change settings and install software through group policy. However,
where in group policy does this occur and would it be best to create
mandatory profiles?

Any idea and guidance would really be appreciated about how to set this up.

Many thanks to all,

Computers that are part of a "Workgroup" and never having been part of
the "Domain" that don't have complementary accounts on the domain, don't
have access to the Server files, but they could get access to DHCP and
internet depending on how you have your Internet firewall setup.
 
D

Danny Sanders

I would be most grateful if anyone could give me some guidance on how to
prevent users from installing software and changing settings on a
standalone
windows xp laptop or PC.

If they are not administrators on their laptops, for the most part, they
can't install software.


The other way, although this may not be within the realms of this thread.
Our cleint has a windows 2003 server and the new laptops must not have
access
to exisitng network resources also. How could I set this up on the domain
controller whereby users can access the internet, but not be able to
access
the exisiting network resources.

Depending on what "network resources" you are talking about you would have
to *give* them access before they can access it.


hth
DDS W 2k MVP MCSE
 
S

Steven L Umbach

For workgroup computers your best bet is to try out the free Shared Computer
Toolkit from Microsoft that may be able to do most if not all of what you
want. It takes advantage of Group Policy settings that normally can not be
implemented per user on a stand alone computer.

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx --- Shared
Computer Toolkit

Though I believe the Shared Computer Toolkit can be implemented in an Active
directory domain in my opinion I would first try using Group Policy features
and access control lists to do what you want. In particular you can use
Software Restriction Policies to manage what users can install and run on
their computers. I suggest that you try a test computer first as SRP can be
difficult to tweak and you need to keep in mind that shortcuts [.lnk files]
are restricted by SRP by default and allowances may need to be made for that
depending on how far you lockdown the users. Usually events will be recorded
in the application log when SRP kicks in that can help troubleshoot
problems.

As far as access control lists you need to make sure that the users [or
group they are in] do not have any permissions to shares in the domain which
means either explicitly add their group with deny permissions or do not user
authenticated users/everyone/users in the permissions list but use specific
groups that are allowed access [best method IMHO] using principle of least
privilege. You can also use the user rights for "access this computer from
the network" and "deny access to this computer from the network" to control
what users/groups have access to computer shares keeping in mind that a deny
user right overrides the corresponding allow user right. User rights are
part of Group Policy under computer configuration/Windows settings/security
settings/local policies/user rights. A more advanced topic is using ipsec to
control what computers have access to other computers in the domain but
ipsec policies take a lot of planning and testing before implementing and
allowances for exceptions for domain controllers or big problems can occur.
The links below may help get you started. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- Software Restriction Policies
http://www.microsoft.com/smallbusiness/support/checklist/default.mspx
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch04n.mspx
--- Threats and Countermeasures user rights overview
 
G

Guest

Thanks Guys,

Apart from these users members of the public need to be able to access the
internet if they take their own laptops to the mobile classroom.

I thought that being on a workgroup users would have access to network
resources and the whole point of being on a domain was to prevent this!!!

Many thanks
 
D

Danny Sanders

I thought that being on a workgroup users would have access to network
resources and the whole point of being on a domain was to prevent this!!!

The whole point of a "network" is to share resources. If a domain prevented
network access there would be no need for a domain.

A domain provides a central point where you can manage accounts and
resources.

hth
DDS W 2k MVP MCSE
 
G

Guest

Thanks Danny,

Sorry I confused myself there.

Sometime ago a friend said that Windows XP Home can access all network
resources and this means less security on XP Home.

So even though XP Professional has the capability of connecting to a domain
and Active Directory, and providing more security this way. Can an XP Home PC
still access the network resources then? Does XP Home have NTFS permissions?

Thanks
 
D

Danny Sanders

Access to "network" resources are applied to the user accounts. It really
doesn't matter what OS they are on.

NTFS is a file system. You can format your hard drive as NTFS on any
operating system that will support it. Once formatted NTFS, you can use NTFS
permissions to control access to that hard drive's folders.

NTFS permissions are more secure than other file systems like FAT. XP
home/Professional supports NTFS and FAT.

In a usual domain setup there is a file server that would be formatted NTFS.
On that server you would share out a folder and use NTFS permissions to
allow a user account the rights to Full Control - Modify - Write - Read -
etc.

A user tries connect to that folder. If you have not given him access they
get access denied. If you did give them access they are allowed to connect.
If you only gave them read access thy can only read the document, they can't
write to it.

With FAT file system on the server (If I remember correctly) you get
prompted for a password. If you know the password you are allowed to access
the folder. But you can't control who can write to the file with FAT
permissions.
So even though XP Professional has the capability of connecting to a
domain
and Active Directory, and providing more security this way. Can an XP Home
PC
still access the network resources then? Does XP Home have NTFS
permissions?


XP home can access resources on a "network". If you format the XP home hard
drive as NTFS, XP home will have NTFS permissions.

NTFS permissions come from the shared folder on the sharing computer's NTFS
formatted partition. The connecting computer does not have to be formatted
NTFS to access that shared folder. If it is formatted FAT *those*
permissions are in effect when *that* computer shares a folder.

hth
DDS W 2k MVP MCSE
 
S

Steven L Umbach

By default in a domain configuration the only thing that is stopping any
user from accessing domain resources is credentials. In other words a user
on a Windows 98 computer or Apple Mac laptop could potentially access files
on a domain file server if they new the logon/password of a domain user that
had access to the file server. The administrator of the domain could
implement ipsec require policy for that file server that would make it
impossible for non domain users to access the domain file server because
ipsec by default requires that the domain computers authenticate with each
other via Kerberos before network communications can begin. Other concerns
[particularly if ipsec is not used] is that a public user computer could be
infected with a worm that could attempt to infect the whole network
including domain computers via file and print sharing. That can happen even
if the credentials of the other users are not known if the worm exploits a
vulnerability of the operating system like blaster did for RPC. That is one
reason it is very important to keep your computers current with critical
security updates that could expose your computers to such threats. ---
Steve
 
G

Guest

Thanks Danny,

Danny Sanders said:
Access to "network" resources are applied to the user accounts. It really
doesn't matter what OS they are on.

NTFS is a file system. You can format your hard drive as NTFS on any
operating system that will support it. Once formatted NTFS, you can use NTFS
permissions to control access to that hard drive's folders.

NTFS permissions are more secure than other file systems like FAT. XP
home/Professional supports NTFS and FAT.

In a usual domain setup there is a file server that would be formatted NTFS.
On that server you would share out a folder and use NTFS permissions to
allow a user account the rights to Full Control - Modify - Write - Read -
etc.

A user tries connect to that folder. If you have not given him access they
get access denied. If you did give them access they are allowed to connect.
If you only gave them read access thy can only read the document, they can't
write to it.

With FAT file system on the server (If I remember correctly) you get
prompted for a password. If you know the password you are allowed to access
the folder. But you can't control who can write to the file with FAT
permissions.



XP home can access resources on a "network". If you format the XP home hard
drive as NTFS, XP home will have NTFS permissions.

NTFS permissions come from the shared folder on the sharing computer's NTFS
formatted partition. The connecting computer does not have to be formatted
NTFS to access that shared folder. If it is formatted FAT *those*
permissions are in effect when *that* computer shares a folder.

hth
DDS W 2k MVP MCSE




.
 
M

MAC

Hi,

Just wondering if this can be done.

Background:
There are multiple Windows XP PCs with autologon enabled in a domain
with Active Directory enforcing the user profiles and policies. Users
cannot install software. User profile is deleted upon logging off and
the autologon creates a new profile.

Can one write a script file to log off the autologon account, then log
on with adminstratrative account, log off and then the autologon user
account will reassert itself? If so, how?

Yes this is a weird thing to ask. Noticed that after Acrobat Reader
7.0.7 was deployed to these PC an error message keeps popping up and
the only way to get rid of it is logging in as a local administrator
once. Don't know what active directory policy would prevent this. Hope
some does so a script file won't be needed. Used InstallShield Tuner
7.0 for Adobe Acrobat to customize the install like accepting the EULA
agreement and the same result occurs .

Thanks,
MAC
 
T

Thota Umesh

Yes it can be down. u can lockdown ur system or strip its limitations to the
maximum.
Using roaming profiles the profiles can be deleted during logoff too.
And there are many ways to do ur logon and logoff sequence work u can use
macro's to scripts. many are available.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top