2a3b4c
asked on
How can I restrict local administrators from getting trojan horses, hijackers, etc?
The users in my domain are all administrators on their machines.
I want to keep things like that, but to restrict some options, so trojan horses won't be able to install themselves when the users surf the net.
Are there any registry locking utils or something like that?
Thanx!
I want to keep things like that, but to restrict some options, so trojan horses won't be able to install themselves when the users surf the net.
Are there any registry locking utils or something like that?
Thanx!
Which OS u r using ?
ASKER
I am using 2000/XP computers, on a 2003 domain.
I ment that the each user is a local administrator on his machine - sorry for the lack of details.
We have about 250 users, and most of them need the local administrator's permissions for their day to day work. They need to be able to change network configuration, Install programs, etc. Therefor, I can't disable the Run lists or use the User account.
I ment that the each user is a local administrator on his machine - sorry for the lack of details.
We have about 250 users, and most of them need the local administrator's permissions for their day to day work. They need to be able to change network configuration, Install programs, etc. Therefor, I can't disable the Run lists or use the User account.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Key question - WHY do they need local admin rights? What is it that they can't do without them? There may well be a way to assign these rights to key components for certain domain users without allowing full admin rights which may sort out your issue? Let us know
Deb :)
Deb :)
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I've given up on getting control panel to open directly, under a user with lower priv's- instead someone can click on this vbs (convert to vbe if your encoding it) and type in "control panel" or if control panel appears when you click my computer, it will be listed in the left pane under my computer.
Option explicit
dim oShell
set oShell= Wscript.CreateObject("WScr
' Replace the path with the program you wish to run c:\ etc...
oShell.Run "runas /noprofile /user:%computername%\admin
WScript.Sleep 100
'Replace the string yourpassword below with
'the password used on your system. Include tilde
oShell.Sendkeys "yourpasswordhere~"
Wscript.Quit
Or you can make vbs files that call computer managment... just change the 5th line to:
oShell.Run "runas /noprofile /user:%computername%\admin
I know I procrastinate about not running as a local admin for day to day activities, however now I am able to do very easily. I'll work on making it more secure, well than just encoded vbs files. I'll get something going soon that is free, as opposed to the "runas professional" style software packages out there. I really wish that I could of found an easy way to call the control panel directly, without having to kill explorer to do it, I can't seem to pass the "contol panel" text to iexplore correctly, or even to get ::{21EC2020-3AEA-1069-A2DD
-rich
Option explicit
dim oShell
set oShell= Wscript.CreateObject("WScr
' Replace the path with the program you wish to run c:\ etc...
oShell.Run "runas /noprofile /user:%computername%\admin
WScript.Sleep 100
'Replace the string yourpassword below with
'the password used on your system. Include tilde
oShell.Sendkeys "yourpasswordhere~"
Wscript.Quit
Or you can make vbs files that call computer managment... just change the 5th line to:
oShell.Run "runas /noprofile /user:%computername%\admin
I know I procrastinate about not running as a local admin for day to day activities, however now I am able to do very easily. I'll work on making it more secure, well than just encoded vbs files. I'll get something going soon that is free, as opposed to the "runas professional" style software packages out there. I really wish that I could of found an easy way to call the control panel directly, without having to kill explorer to do it, I can't seem to pass the "contol panel" text to iexplore correctly, or even to get ::{21EC2020-3AEA-1069-A2DD
-rich
I don't understand one thing. You say all the users are administrators and you are using domain controllers. Then what is the meaning of keeping domain controllers in ur network. Domain Controllers are used for centralized management.
NOTE : Any malware process will take rights or previleges of current user as administrator to execute and melt itself into registry.
I suggest you :-
1. Use Group Policy on domain controllers and do the following settings for registry :-
Disable Run Once List
Disable Run list.
2. Use user accounts for protection. Ask then to use user accounts instead of Administrators.
Thankx
SystmProg