Workstation C: security settings

Dave

Hi,

We have a win2k domain with winXP workstations. The security settings on
the winXP C: are as follows.

Administrator - Full Control: This folder, subfolders and files
CREATOR OWNER - Full Control: Subfolders and files only
Everyone - Read & Execute: This folder only
SYSTEM - Full Control: This folder, subfolders and files
Users - Read & Execute: This folder, subfolders and files
Users - Create Folders / Append Data: This folder and subfolders
Users - Create Files / Write Data: Subfolders only

I find that this allows the user to use pretty much all of the C drive to
write data to, including installing programs (not in Program Files). Is this
a security risk? If yes, what recommendations can I follow to tighten up
the security?

Thanks!!!
Dave
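
An added example (editor's addition, not part of the thread) that audits the ACL Dave lists above from a script: it reads the root ACL with Get-Acl, reports every Allow entry that gives a non-admin principal create/write rights there, notes whether the entry applies to the root itself or only to subfolders (the difference between "This folder and subfolders" and "Subfolders only" in Dave's list), and, with -Fix, strips those rights so Users end up with read/list/execute only. The principal list and the choice of C:\ are assumptions; it is written for PowerShell 2.0 so it also runs on an XP-era host.

```powershell
# Added example (not from the original thread): audit the ACL on a volume root
# for Allow ACEs that let ordinary users add content there, and optionally
# strip them.  The principal list below is an assumption; the XP default root
# ACL Dave quotes grants exactly this kind of access to BUILTIN\Users.
# -Fix needs an administrator session.  Written for PowerShell 2.0 (XP).
param(
    [string]$Path = 'C:\',
    [string[]]$Suspect = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'),
    [switch]$Fix
)

$FSR = [System.Security.AccessControl.FileSystemRights]
# CreateFiles is the same bit as WriteData and CreateDirectories the same as
# AppendData; Modify and FullControl include both, so -band catches them too.
$WriteMask = $FSR::CreateFiles -bor $FSR::CreateDirectories

function Get-RootWriteAce {
    param([string]$Path, [string[]]$Suspect)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Suspect -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        # InheritOnly means "subfolders (and files) only": the ACE does not
        # apply to the root itself.  On a default XP root this is why Users can
        # create a folder directly under C:\ but not a file.
        $inheritOnly = ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
        New-Object PSObject -Property @{
            Identity      = $ace.IdentityReference.Value
            Rights        = $ace.FileSystemRights
            AppliesToRoot = -not $inheritOnly
            Inheritance   = $ace.InheritanceFlags
        } | Select-Object Identity, Rights, AppliesToRoot, Inheritance
    }
}

function Remove-RootWriteAce {
    param([string]$Path, [string[]]$Suspect)
    $acl = Get-Acl -Path $Path
    $removed = 0
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Suspect -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        # RemoveAccessRule strips this rule's rights from the matching ACE for
        # that identity; a separate Read & Execute ACE for Users is untouched.
        if ($acl.RemoveAccessRule($ace)) { $removed++ }
    }
    if ($removed -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    $removed
}

$findings = @(Get-RootWriteAce -Path $Path -Suspect $Suspect)
if ($findings.Count -eq 0) {
    "No suspect write ACEs on $Path"
} else {
    $findings | Format-Table -AutoSize
    if ($Fix) {
        "Removed {0} ACE(s) from $Path" -f (Remove-RootWriteAce -Path $Path -Suspect $Suspect)
    }
}
```

Run it without -Fix first; against the ACL quoted above it should list two Users entries, the "Create Folders / Append Data" one with AppliesToRoot True and the "Create Files / Write Data" one with AppliesToRoot False. Because the rules are inheritable, removing them on C:\ also withdraws the inherited copies on subfolders when Set-Acl propagates the change; folders that a user already created keep whatever CREATOR OWNER gave them.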

Lanwench [MVP - Exchange]

If you don't want to go through the whole boatload of folders/subfolders,
the best way to secure your system is not to grant users local admin rights -
this will stop them installing (most) software, which is often enough.

Steven L Umbach

Not necessarily. It is much more locked down than W2K which gave the everyone group
too many permissions to the root folder. If you do not want regular users to add
folders and files to the root folder/subfolders then just give them read/list/execute
permissions. Keep in mind they still can write folder/files to their user profile -
my documents, etc. If you want to further lock down the computer/users look into
using Software Restriction Policies in XP Pro. --- Steve

http://support.microsoft.com/?kbid=310791

Dave

The users are only part of the Users group.

Wouldn't it be possible for a user to install software in a directory that
they created under C:?

Dave

Steve, I looked at the article that you gave a link to.

Is there a setting under domain Group Policies that does the same?

I'll look more into it and see what I can find.

Thanks!!!

Mark

Unless you just WANT the users to have lots of control on their own PCs, it
may be better to run the compatws.inf file using secedit on the workstation
and then set the user back to regular user level.

Supposedly compatws.inf will relax security on a workstation so that legacy
programs can run. Legacy programs are usually the reason to give elevated
security rights to users.

To run the compatws.inf file, go to c:\Windows\security\templates and type
secedit /configure /cfg compatws.inf /db compatws.sdb

Mark.

Dave

Hi Steve,

I know how to get to the group policy snap in. I just can't find where to
set the software rights for users.

Thanks!!!
Dave

Dave

Thanks Mark,

I'll look into that.

I don't have any legacy applications. What is the best policy file if I
don't have legacy applications.

Thanks!!!

Dave

Mark

If your users don't need to run legacy apps and also don't need the ability
to install software, the safest thing to do is to just have them running as
regular users.

Dave

That's what I have right now. I have all my users including my regular
account set up as User accounts.

I'm just wondering if there's a way to keep users from installing spyware
and trojan horses. That's what I'm really interested in.

Thanks!!!

Steven L Umbach

You will have to manage that from a Windows XP domain member as described in
the KB below. Then that policy should show up located in computer
configuration/Windows settings/security settings/Software Restriction
Policies. Computer configuration settings will apply to all users logging
into the computer, but you can exempt members of the local administrators
group which would include members of the domain admins group in a default
installation by configuring the enforcement rule. SRP can also be configured
via local security policy on an XP Pro machine via gpedit.msc. The last link
below is excellent at explaining how to set it up to secure your
workstations. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;307900
http://www.microsoft.com/technet/tr...et/prodtechnol/winxppro/maintain/rstrplcy.asp
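
An added example (editor's addition, not from the thread or the linked KB articles) that reads back what the Software Restriction Policy snap-in stores: it opens the Safer\CodeIdentifiers key that gpedit.msc or a domain GPO writes, decodes the default security level and the enforcement options (PolicyScope is the "all users except local administrators" setting Steve mentions), lists the path rules per level, and with -ExemptLocalAdmins sets that enforcement scope on the local policy. The registry layout follows the SAFER_LEVELID_* values; writing the key directly is only an option for local policy, since a domain GPO rewrites it at the next refresh. Written for PowerShell 2.0.

```powershell
# Added example (not from the thread or the KB articles): inspect the local
# Software Restriction Policy registry state and optionally exempt members of
# the local Administrators group from enforcement.  Direct registry writes
# are assumed acceptable only for local policy; a domain GPO overwrites them.
param([switch]$ExemptLocalAdmins)

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel values (SAFER_LEVELID_*); the per-level rule containers are
# subkeys named with the same numbers in decimal, e.g. ...\262144\Paths.
$Levels = @{
    0       = 'Disallowed'
    0x1000  = 'Untrusted'
    0x10000 = 'Restricted'
    0x20000 = 'Basic User'
    0x40000 = 'Unrestricted'
}

function Get-SrpPolicy {
    if (-not (Test-Path $SaferKey)) { return $null }   # SRP never configured
    $ci = Get-ItemProperty -Path $SaferKey
    $lvl = if ($null -ne $ci.DefaultLevel) { $Levels[[int]$ci.DefaultLevel] } else { '(not set)' }
    New-Object PSObject -Property @{
        DefaultLevel       = $lvl
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        ExemptsLocalAdmins = ([int]$ci.PolicyScope -eq 1)
        # TransparentEnabled: 1 = all software files except DLLs, 2 = all software files
        ChecksDlls         = ([int]$ci.TransparentEnabled -eq 2)
        # REG_MULTI_SZ list of "designated file types" treated as executable
        ExecutableTypes    = ($ci.ExecutableTypes -join ' ')
    } | Select-Object DefaultLevel, ExemptsLocalAdmins, ChecksDlls, ExecutableTypes
}

function Get-SrpPathRule {
    foreach ($lvl in $Levels.Keys) {
        $paths = Join-Path $SaferKey "$lvl\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem -Path $paths) {
            $p = Get-ItemProperty -Path $rule.PSPath
            New-Object PSObject -Property @{
                Level       = $Levels[$lvl]
                Path        = $p.ItemData      # REG_EXPAND_SZ: literal path or %registry path%
                Description = $p.Description
                RuleId      = $rule.PSChildName
            } | Select-Object Level, Path, Description, RuleId
        }
    }
}

function Set-SrpExemptLocalAdmins {
    # Same effect as Enforcement -> "All users except local administrators".
    Set-ItemProperty -Path $SaferKey -Name PolicyScope -Value 1 -Type DWord
    (Get-SrpPolicy).ExemptsLocalAdmins
}

$policy = Get-SrpPolicy
if ($null -eq $policy) {
    'No Software Restriction Policy is configured on this machine.'
} else {
    $policy | Format-List
    Get-SrpPathRule | Sort-Object Level, Path | Format-Table -AutoSize
    if ($ExemptLocalAdmins) { 'Local admins exempt: ' + (Set-SrpExemptLocalAdmins) }
}
```

The read-only part is safe to run as any user that can read HKLM\SOFTWARE\Policies; the -ExemptLocalAdmins switch needs an administrator session. For the spyware/trojan case Dave asks about, the setting to look for in the output is DefaultLevel: with Disallowed as the default and Unrestricted path rules only for %SystemRoot% and %ProgramFiles%, a user who is not an administrator cannot launch anything dropped into their profile or under C:\, regardless of the NTFS write rights discussed earlier. If the policy comes from the domain, compare this output with what gpresult reports rather than editing the key.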

Lanwench [MVP - Exchange]

Not if the software also tries to write to areas of the registry the
logged-in user has no rights to....but Steven's suggestions may be just what
you need.
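
An added example (editor's addition, not part of the thread) that turns Lanwench's point into a quick check a workstation admin can run while logged on as an ordinary member of Users: it tries to create a throw-away key or item in each place an installer typically touches and reports which succeed. Against the ACL in Dave's first post the expected picture is that a folder can be created directly under C:\ but a file cannot (Users have Create Files only in subfolders), the user profile and HKCU\SOFTWARE are writable, and HKLM\SOFTWARE and Program Files are not, which is what stops most installers without defeating the ones that install per user. The target list is a constructed assumption; it needs PowerShell 2.0.

```powershell
# Added example (not from the thread): probe, as the logged-on user, whether a
# key/file/folder can be created where installers usually write, to show the
# effective result of the root ACL and of the HKLM vs HKCU distinction.  The
# target list is constructed for illustration.  Run it non-elevated.
function Test-CanCreate {
    param(
        [string]$Location,
        [ValidateSet('Key', 'File', 'Directory')][string]$Kind
    )
    $name = 'acl-probe-' + [guid]::NewGuid().ToString('N')
    try {
        $item = if ($Kind -eq 'Key') {
            New-Item -Path $Location -Name $name -ErrorAction Stop
        } else {
            New-Item -Path $Location -Name $name -ItemType $Kind -ErrorAction Stop
        }
        # Clean up the probe item; failure to delete is not what we measure.
        Remove-Item -Path $item.PSPath -Recurse -Force -ErrorAction SilentlyContinue
        $true
    } catch {
        $false
    }
}

# Constructed target list: machine-wide versus per-user install locations.
$Targets = @(
    @{ Location = 'HKLM:\SOFTWARE';   Kind = 'Key' }        # machine-wide registry
    @{ Location = 'HKCU:\SOFTWARE';   Kind = 'Key' }        # per-user registry
    @{ Location = 'C:\';              Kind = 'Directory' }  # Users: Create Folders, this folder
    @{ Location = 'C:\';              Kind = 'File' }       # Users: Create Files, subfolders only
    @{ Location = $env:ProgramFiles;  Kind = 'Directory' }
    @{ Location = $env:USERPROFILE;   Kind = 'Directory' }
)

function Get-WriteProbeReport {
    foreach ($t in $Targets) {
        New-Object PSObject -Property @{
            Location  = $t.Location
            Kind      = $t.Kind
            CanCreate = Test-CanCreate @t
        } | Select-Object Location, Kind, CanCreate
    }
}

Get-WriteProbeReport | Format-Table -AutoSize
```

If CanCreate is True for HKLM:\SOFTWARE or Program Files while running as a plain user, the account is not in fact a standard user (or the ACLs have been relaxed, for example by compatws.inf as mentioned earlier in the thread), and that is worth fixing before looking at Software Restriction Policies.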