|
Workstation C: security settings
Hi,
We have a win2k domain with winXP workstations. The security settings on the winXP C: are as follows.
Administrator - Full Control: This folder, subfolders and files
CREATOR OWNER - Full Control: Subfolders and files only
Everyone - Read & Execute: This folder only
SYSTEM - Full Control: This folder, subfolders and files
Users - Read & Execute: This folder, subfolders and files
Users - Create Folders / Append Data: This folder and subfolders
Users - Create Files / Write Data: Subfolders only
I find that this allows the user to use pretty much all of the C drive to write data to, including installing programs (not in Program Files). Is this a security risk? If yes, what recommendations can I follow to tighten up the security?
Thanks!!! Dave
|
Lanwench [MVP - Exchange]
If you don't want to go through the whole boatload of folders/subfolders, the best way to secure your system is not to grant users local admin rights - this will stop them installing (most) software, which is often enough.
Dave wrote:
> Hi,
>
> We have a win2k domain with winXP workstations. The security
> settings on the winXP C: are as follows.
>
> Administrator - Full Control: This folder, subfolders and files
> CREATOR OWNER - Full Control: Subfolders and files only
> Everyone - Read & Execute: This folder only
> SYSTEM - Full Control: This folder, subfolders and files
> Users - Read & Execute: This folder, subfolders and files
> Users - Create Folders / Append Data: This folder and subfolders
> Users - Create Files / Write Data: Subfolders only
>
> I find that this allows the user to use pretty much all of the C
> drive to write data to, including installing programs(not in Program
> Files). Is this a security risk? If yes, what recommendations can I
> follow to tighten up the security?
>
> Thanks!!!
> Dave
|
Not necessarily. It is much more locked down than W2K which gave the everyone group too many permissions to the root folder. If you do not want regular users to add folders and files to the root folder/subfolders then just give them read/list/execute permissions. Keep in mind they still can write folder/files to their user profile - my documents, etc. If you want to further lock down the computer/users look into using Software Restriction Policies in XP Pro. --- Steve
http://support.microsoft.com/?kbid=310791
"Dave" wrote in message news:uvCTHXK$DHA.1036@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> We have a win2k domain with winXP workstations. The security settings on
> the winXP C: are as follows.
>
> Administrator - Full Control: This folder, subfolders and files
> CREATOR OWNER - Full Control: Subfolders and files only
> Everyone - Read & Execute: This folder only
> SYSTEM - Full Control: This folder, subfolders and files
> Users - Read & Execute: This folder, subfolders and files
> Users - Create Folders / Append Data: This folder and subfolders
> Users - Create Files / Write Data: Subfolders only
>
> I find that this allows the user to use pretty much all of the C drive to
> write data to, including installing programs(not in Program Files). Is this
> a security risk? If yes, what recommendations can I follow to tighten up
> the security?
>
> Thanks!!!
> Dave
|
The users are only part of the Users group.
Wouldn't it be possible for a user to install software in a directory that they created under C:?
|
Steve, I looked at the article that you gave a link to.
Is there a setting under domain Group Policies that does the same?
I'll look more into it and see what I can find.
Thanks!!!
"Steven L Umbach" wrote in message news:I0z%b.420807$na.810061@attbi_s04...
> Not necessarily. It is much more locked down than W2K which gave the everyone group
> too many permissions to the root folder. If you do not want regular users to add
> folders and files to the root folder/subfolders then just give them read/list/execute
> permissions. Keep in mind they still can write folder/files to their user profile -
> my documents, etc. If you want to further lock down the computer/users look into
> using Software Restriction Policies in XP Pro. --- Steve
>
> http://support.microsoft.com/?kbid=310791
>
> "Dave" wrote in message news:uvCTHXK$DHA.1036@TK2MSFTNGP10.phx.gbl...
> > Hi,
> >
> > We have a win2k domain with winXP workstations. The security settings on
> > the winXP C: are as follows.
> >
> > Administrator - Full Control: This folder, subfolders and files
> > CREATOR OWNER - Full Control: Subfolders and files only
> > Everyone - Read & Execute: This folder only
> > SYSTEM - Full Control: This folder, subfolders and files
> > Users - Read & Execute: This folder, subfolders and files
> > Users - Create Folders / Append Data: This folder and subfolders
> > Users - Create Files / Write Data: Subfolders only
> >
> > I find that this allows the user to use pretty much all of the C drive to
> > write data to, including installing programs(not in Program Files). Is this
> > a security risk? If yes, what recommendations can I follow to tighten up
> > the security?
> >
> > Thanks!!!
> > Dave
|
If you are talking Software Restriction Policies, you can use Group Policy to manage with the help of an XP Pro domain member as described in the KB below. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900
"Dave" wrote in message news:u2gn7JV$DHA.3400@tk2msftngp13.phx.gbl...
> Steve, I looked at the article that you gave a link to.
>
> Is there a setting under domain Group Policies that does the same?
>
> I'll look more into it and see what I can find.
>
> Thanks!!!
>
> "Steven L Umbach" wrote in message news:I0z%b.420807$na.810061@attbi_s04...
> > Not necessarily. It is much more locked down than W2K which gave the everyone group
> > too many permissions to the root folder. If you do not want regular users to add
> > folders and files to the root folder/subfolders then just give them read/list/execute
> > permissions. Keep in mind they still can write folder/files to their user profile -
> > my documents, etc. If you want to further lock down the computer/users look into
> > using Software Restriction Policies in XP Pro. --- Steve
> >
> > http://support.microsoft.com/?kbid=310791
> >
> > "Dave" wrote in message news:uvCTHXK$DHA.1036@TK2MSFTNGP10.phx.gbl...
> > > Hi,
> > >
> > > We have a win2k domain with winXP workstations. The security settings on
> > > the winXP C: are as follows.
> > >
> > > Administrator - Full Control: This folder, subfolders and files
> > > CREATOR OWNER - Full Control: Subfolders and files only
> > > Everyone - Read & Execute: This folder only
> > > SYSTEM - Full Control: This folder, subfolders and files
> > > Users - Read & Execute: This folder, subfolders and files
> > > Users - Create Folders / Append Data: This folder and subfolders
> > > Users - Create Files / Write Data: Subfolders only
> > >
> > > I find that this allows the user to use pretty much all of the C drive to
> > > write data to, including installing programs(not in Program Files). Is this
> > > a security risk? If yes, what recommendations can I follow to tighten up
> > > the security?
> > >
> > > Thanks!!!
> > > Dave
|
Unless you just WANT the users to have lots of control on their own PCs, it may be better to run the compatws.inf file using secedit on the workstation and then set the user back to regular user level.
Supposedly compatws.inf will relax security on a workstation so that legacy programs can run. Legacy programs are usually the reason to give elevated security rights to users.
To run the compatws.inf file, go to c:\Windows\security\templates and type:
secedit /configure /cfg compatws.inf /db compatws.sdb
Mark.
"Dave" wrote in message news:uvCTHXK$DHA.1036@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> We have a win2k domain with winXP workstations. The security settings on
> the winXP C: are as follows.
>
> Administrator - Full Control: This folder, subfolders and files
> CREATOR OWNER - Full Control: Subfolders and files only
> Everyone - Read & Execute: This folder only
> SYSTEM - Full Control: This folder, subfolders and files
> Users - Read & Execute: This folder, subfolders and files
> Users - Create Folders / Append Data: This folder and subfolders
> Users - Create Files / Write Data: Subfolders only
>
> I find that this allows the user to use pretty much all of the C drive to
> write data to, including installing programs(not in Program Files). Is this
> a security risk? If yes, what recommendations can I follow to tighten up
> the security?
>
> Thanks!!!
> Dave
|
Hi Steve,
I know how to get to the group policy snap in. I just can't find where to set the software rights for users.
Thanks!!! Dave
|
Thanks Mark,
I'll look into that.
I don't have any legacy applications. What is the best policy file if I don't have legacy applications?
Thanks!!!
Dave
|
If your users don't need to run legacy apps and also don't need the ability to install software, the safest thing to do is to just have them running as regular users.
"Dave" wrote in message news:#oiMoPW$DHA.808@TK2MSFTNGP12.phx.gbl...
> Thanks Mark,
>
> I'll look into that.
>
> I don't have any legacy applications. What is the best policy file if I
> don't have legacy applications.
>
> Thanks!!!
>
> Dave
|
That's what I have right now. I have all my users including my regular account set up as User accounts.
I'm just wondering if there's a way to keep users from installing spyware and trojan horses. That's what I'm really interested in.
Thanks!!!
|
You will have to manage that from a Windows XP domain member as described in the KB below. Then that policy should show up located in computer configuration/Windows settings/security settings/Software Restriction Policies. Computer configuration settings will apply to all users logging into the computer, but you can exempt members of the local administrators group, which would include members of the domain admins group in a default installation, by configuring the enforcement rule. SRP can also be configured via local security policy on an XP Pro machine via gpedit.msc. The last link below is excellent at explaining how to set it up to secure your workstations. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/rstrplcy.asp
"Dave" wrote in message news:#uY8hOW$DHA.320@TK2MSFTNGP10.phx.gbl...
> Hi Steve,
>
> I know how to get to the group policy snap in. I just can't find where to
> set the software rights for users.
>
> Thanks!!!
> Dave
|
Lanwench [MVP - Exchange]
Not if the software also tries to write to areas of the registry the logged-in user has no rights to... but Steven's suggestions may be just what you need.
Dave wrote:
> The users are only part of the Users group.
>
> Wouldn't it be possible for a user to install software in a directory
> that they created under C:?
|