Locking down computers

Hi there,

This may be too much of a simple question for this board (well I hope
it is easy anyway) but at work we're looking at clamping down on our
PC's and want the following:

- Stop users using Messenger
- Stop users installing programs themselves.

In theory this does not sound hard, but here is the sticking point. We
have to allow users admin privlidges of the computer (not network), due
to an important program we use requires admin privlidges.

Plus our active directory is upon a windows 2000 server, which means
most of the good options which 2003 has we do not have (like disabling
messenger)

I have looked on the net, but probably missed all the good sites, but I
was hoping to find a solution within Active directory, or maybe a
script to stop it.

The main reason to wanting to do it centrally is so that I do not have
to go round to every PC and disable certain things.

Incase it helps the platforms of the PC's are XP professional.

Any help would be much appreciated.

Many thanks

Re: Locking down computers

"CJC" writes:

> Hi there,
>
> This may be too much of a simple question for this board (well I hope
> it is easy anyway) but at work we're looking at clamping down on our
> PC's and want the following:
>
> - Stop users using Messenger
> - Stop users installing programs themselves.
>
> In theory this does not sound hard, but here is the sticking point. We
> have to allow users admin privlidges of the computer (not network), due
> to an important program we use requires admin privlidges.

If it's an off the shelf program...what is it?

> Plus our active directory is upon a windows 2000 server, which means
> most of the good options which 2003 has we do not have (like
> disabling messenger)
>
> I have looked on the net, but probably missed all the good sites, but I
> was hoping to find a solution within Active directory, or maybe a
> script to stop it.
>
> The main reason to wanting to do it centrally is so that I do not have
> to go round to every PC and disable certain things.
>
> Incase it helps the platforms of the PC's are XP professional.

It does.

Have you looked into group policies?

--
Todd H.
http://www.toddh.net/

Re: Locking down computers

Hi there thanks for your reply.

It is an in-house application which cannot be altered.

Ive looked into group policies upon local machines and there is a way
to disable messenger, but we cant go round every PC doing an alteration
on each. But then this way to stop it is not available in server 2000
only 2003.

Many thanks for your help.

Re: Locking down computers

"CJC" writes:
> Hi there thanks for your reply.
>
> It is an in-house application which cannot be altered.

Oy. That's a bummer.

> Ive looked into group policies upon local machines and there is a way
> to disable messenger, but we cant go round every PC doing an alteration
> on each. But then this way to stop it is not available in server 2000
> only 2003.
>
> Many thanks for your help.

I see. I didn't help much, but I am interested in replies to your
question. Messenger is a PITA indeed.

--
Todd H.
http://www.toddh.net/

Re: Locking down computers

Okay, I'm gonna type in caps, not because I'm yelling but because it is so
so important.

EVERY NETWORK MUST HAVE A --WRITTEN-- (and signed by the employee) SECURITY
POLICY AS TO WHAT IS ALLOWED AND DISALLOWED.

There are many approaches to network security, network use, and preventing
abuse. ONE is the written policy. ANOTHER is the technical enforcement of
that written policy WHEN POSSIBLE. If technical enforcement is not
possible, you enforce the WRITTEN POLICY of user CONDUCT (to which he as
agreed).

We trust employees with much more expensive things than using the messenger
service (usually). Let them take on this burden. They are paid to deal with
it. They can handle it. Or... they know the alternative (if you have a
written policy!).

-Frank

"CJC" wrote in message
news:1136474074.556284.155340@g44g2000cwa.googlegroups.com.. .
> Hi there,
>
> This may be too much of a simple question for this board (well I hope
> it is easy anyway) but at work we're looking at clamping down on our
> PC's and want the following:
>
> - Stop users using Messenger
> - Stop users installing programs themselves.
>
> In theory this does not sound hard, but here is the sticking point. We
> have to allow users admin privlidges of the computer (not network), due
> to an important program we use requires admin privlidges.
>
> Plus our active directory is upon a windows 2000 server, which means
> most of the good options which 2003 has we do not have (like disabling
> messenger)
>
> I have looked on the net, but probably missed all the good sites, but I
> was hoping to find a solution within Active directory, or maybe a
> script to stop it.
>
> The main reason to wanting to do it centrally is so that I do not have
> to go round to every PC and disable certain things.
>
> Incase it helps the platforms of the PC's are XP professional.
>
> Any help would be much appreciated.
>
> Many thanks
>

Re: Locking down computers

Thanks for the last two responses.

I am new to this company and if I had my way we would be much stricter.
But they have had a more relaxed attitude. I believe they have a
policy in which is signed when new people start. But it looks as
though its not really taken too seriously.

The reason why we need to stop messenger is due to the management fed
up with seeing it constantly on.

Secondly we need to stop people installing due to the industry we are
in they have to use the internet alot and they seem to download things
from the net often.

The policy is a good idea, maybe we should get everyone to sign an
extension to show we are more serious.

I am actually working on a message to appear when they login saying
what is and is not allowed and by logging in they agree to it. so then
if we see anything we can moan at them.

many thanks again guys

Re: Locking down computers

The updated policy is a must, but you need to get that app fixed, too.

Take a look at the Internet Storm Center's time to live numbers. Figure
out what a worm would cost you if it shut down your company's PCs, and how
likely that is. If not business loss, at least you are talking a big
productivity hit. Then put together a case to get that app fixed. If folks
are routinely on the Internet, you cannot have them running with admin
privs. That is simply asking for trouble. There is no excuse for users
risking the company's assets that way. I'm sure there will be a lot of push
back, but without some pretty strong action, you are courting disaster.

And when the disaster comes, guess who will get blamed. If you make a
strong case to fix the problem, and it is refused, at least you won't look
like an idiot when the levees break. Managers have every right to decide
that the risk is worth taking, but you have an obligation to inform them of
the risk and the cost of remediation. If they say no, that's fine, at least
you did your job. But if you don't spell it out to them in single syllable
words that managers can understand, you aren't doing what you need to.

In most cases, when an app can't run as a normal user, especially an old
app, it is simply a matter of file protections. Unless the app does
something pretty strange, it should be a pretty simple fix. I'm sure
development feels it has higher (read more fun) priorities, but you need to
get that app fixed.

While you are at it, get something on those PCs that lets you push out login
scripts and policies. If you are going to run a network, you need to have
some ability to influence it.

Messenger, tho a PITA, can be a business asset. If folks aren't using it
for business purposes, block it at the firewall. Even if you can't stop
them launching it, they will quit if they can't do anything useful.

...


"CJC" wrote in message
news:1136482462.779981.173270@g43g2000cwa.googlegroups.com.. .
> Thanks for the last two responses.
>
> I am new to this company and if I had my way we would be much stricter.
> But they have had a more relaxed attitude. I believe they have a
> policy in which is signed when new people start. But it looks as
> though its not really taken too seriously.
>
> The reason why we need to stop messenger is due to the management fed
> up with seeing it constantly on.
>
> Secondly we need to stop people installing due to the industry we are
> in they have to use the internet alot and they seem to download things
> from the net often.
>
> The policy is a good idea, maybe we should get everyone to sign an
> extension to show we are more serious.
>
> I am actually working on a message to appear when they login saying
> what is and is not allowed and by logging in they agree to it. so then
> if we see anything we can moan at them.
>
> many thanks again guys
>

Re: Locking down computers

CJC wrote:
> Hi there,
>
> This may be too much of a simple question for this board (well I hope
> it is easy anyway) but at work we're looking at clamping down on our
> PC's and want the following:
>
> - Stop users using Messenger
> - Stop users installing programs themselves.

http://www.dougknox.com/xp/tips/xp_messenger_remove.htm
Try delivering via logon script.

You could also look into more inelegant solutions such as forcing win
mess to use a fixed port (registry flick via logon script) then blocking
that port(s) at the firewall.
>
> In theory this does not sound hard, but here is the sticking point. We
> have to allow users admin privlidges of the computer (not network), due
> to an important program we use requires admin privlidges.
>
> Plus our active directory is upon a windows 2000 server, which means
> most of the good options which 2003 has we do not have (like disabling
> messenger)

Have you updated the .adm templates?
http://www.microsoft.com/downloads/details.aspx?FamilyID=927 59D4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en

> I have looked on the net, but probably missed all the good sites, but I
> was hoping to find a solution within Active directory, or maybe a
> script to stop it.
>
> The main reason to wanting to do it centrally is so that I do not have
> to go round to every PC and disable certain things.
>
> Incase it helps the platforms of the PC's are XP professional.
>
> Any help would be much appreciated.
>
> Many thanks

Personally what I would be doing is installing the problem app on a test
machine and experimenting with a lockdown in which the app will run
properly. Alternatively, you could try running the app in terminal
services/Citrix which would then allow you to set the local PC rights.

Also look at content filtering, esp with extension/download blocking.
There are a number of content filters, from IPCop running Cop+ to
Dansguardian to hardware based solutions. If no users can download any
executeable code in the first place, it makes if slightly more difficult
to install ;-)
E.

Re: Locking down computers

Thanks for the responses.

XPYTTL: I will ask my manager to speak to the developers to see if
they can fix the software to run for normal user rights but you
mentioned about getting something upon the PCs which lets us push out
login scripts and policies.. Sorry for not knowing, but what do you
recommend. Is it just a piece of software which needs running on each
machine?

Regarding the blocking it at the firewall, I believe before I was here
they did try and was unsuccessful apparently due to Messenger being
able to change the port and web address it is using??

E: I will take a look at the dougknox site shortly. Also you
mentioned the win mess to use a fixed port. I have never done this and
would not know where to start. Is there any site you recommend? Plus
thanks a lot for the updates for the active directory I have been
looking for this with no luck. Going to install them later.
Plus I will also recommend using terminal services if we cannot fix
program.

Thanks again guys, really appreciate all your help.

Re: Locking down computers

"CJC" writes:

>Hi there,

>This may be too much of a simple question for this board (well I hope
>it is easy anyway) but at work we're looking at clamping down on our
>PC's and want the following:

>- Stop users using Messenger
>- Stop users installing programs themselves.

>In theory this does not sound hard, but here is the sticking point. We
>have to allow users admin privlidges of the computer (not network), due
>to an important program we use requires admin privlidges.

That is insane. Under linux I would advise using sudo to run that program,
but I have no idea if windows has the same kind of thing.
But what is it about the program that requires admin priviledges? Are you
sure? Once the person is admin, he cannot be stopped from doing anything.
You are finished.


>Plus our active directory is upon a windows 2000 server, which means
>most of the good options which 2003 has we do not have (like disabling
>messenger)

Put a later version onto that server. Sounds cheaper than you spending days
trying to do the impossible.


>I have looked on the net, but probably missed all the good sites, but I
>was hoping to find a solution within Active directory, or maybe a
>script to stop it.

>The main reason to wanting to do it centrally is so that I do not have
>to go round to every PC and disable certain things.

>Incase it helps the platforms of the PC's are XP professional.

>Any help would be much appreciated.

>Many thanks

Re: Locking down computers

> That is insane. Under linux I would advise using sudo to run that program,
> but I have no idea if windows has the same kind of thing.

Just to be clear, it does. That's what the "Runas" command does.

-Frank

Re: Locking down computers

Hi guys,

Got messenger to stop working. What I did was opened up mmc on my
computer, added the group policy object editor snap in and linked up
the organisational unit within Active directory. What this then
allowed me to do was disable the messenger options. Only snag is, is
that I now can only update the policy via a XP computer and not the
server, as if I do it upon the server I get loads of error messages.

Now I have got the XP group policy options. Does anyone know of a way
to stop other executables being ran by users?

Thanks Unrah and Frankster for your messages also, I will try and look
into the Runas command later. But just to clarrify do you think
somehow I could set something up which says when this program is ran
use admin privlidges, or am I getting the wrong end of the stick.

Many thanks for everyones help on this subject.