Solved

Create a very very restrictive account on XP

Posted on 2004-04-02
Last Modified: 2013-12-04
Hi,

For our billiards organization we have some board members who actively work on their computers but have minimal knowledge of what they are doing, especially when it comes to spyware, viruses, etc. Today, for example, Access failed to start up due to a number of installed spyware programs.

How can I prevent all these programs from being installed?

Maybe this will not cover all problems, so I want to ask if the following is advisable and possible.

What I want is the following:
- An account for himself as administrator in which he can do whatever he wants
- An account for the billiards tasks. When he logs in to this account he gets an environment not harmed by any other accounts/programs. Even this account won't be affected by programs installed as administrator. (Programs which should be system-wide, like a virus scanner, I will install for him and make sure they get installed system-wide.) In this account he should not be able to install any program.

Maybe what I suggest sounds a little paranoid, but it always comes down to me to repair his Windows environment....

Thanx,
Alexander.
Question by:aperdon
20 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739403
Let them log on only as a member of the guest group

Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm

Builtin and predefined groups in Windows XP
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/lsm_local_groups.asp

Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739407
Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739409
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739412
Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:
http://housecall.trendmicro.com/housecall/start_corp.asp

Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:
http://www.trendmicro.com/download/tsc.asp

If you get an ActiveX error when loading the HouseCall web page:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=4317

If you want to secure your own workstation in the future, consider purchasing PC-cillin with built-in firewall:
http://www.trendmicro.com/en/products/desktop/pc-cillin/evaluate/overview.htm
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739414
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739416
Getting a personal Firewall
http://www.zensecurity.co.uk/default.asp?URL=personal

Download the free version of Sygate personal firewall
http://smb.sygate.com/support/documents/spf/default.htm
http://smb.sygate.com/download/download.php?pid=spf

Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid.jsp?lid=ho_za

Comparative reviews of personal firewall software:
http://www.firewallguide.com/software.htm

Firewall Product Selector - Choose yourself which one to compare
http://www.spirit.com/cgi-new/report.pl?dbase=fw&function=view
 
LVL 1

Author Comment

by:aperdon
ID: 10739529
Thanx. I guess this is already a lot of materials...

The problem for me is that he is doing some work on his private computer. I cannot prevent him from doing something strange, as it is his computer. What I purely want is that when he works on the billiards stuff he works in a completely clean environment.

I guess your comment about the guest account makes quite some sense. Maybe I should advise him to always use that account, unless he really needs to install something, in which case he should log in as administrator. But I really have to tell him this very precisely, otherwise he won't understand and will mess up again.
 
LVL 4

Expert Comment

by:venishjoe
ID: 10740065
Hi,

You can first create a user with a limited account and then use the Local Security Policy (found in Control Panel --> Administrative Tools --> Local Security Policy). You must be logged on as an Administrator to use it. There you can see tons of options; using them you can restrict the user to the maximum extent.

You can also make use of third-party software which has a good user interface and deals with the Windows Registry carefully. Using it you can make the account more limited. If you search you will find many.


Regards
Venish.
 
LVL 12

Expert Comment

by:trywaredk
ID: 10740675
>"Maybe I should advise him to always use that account, unless he really needs to install something, in which case he should log in as administrator. But I really have to tell him this very precisely, otherwise he won't understand and will mess up again."

Print this one, and tell him about it

Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10740816
Yeah, lots, tons of links. As stated above, place his account in the Guests or Users group; they are locked down quite a bit, and he won't be able to install programs. You don't even need to tell him to log in as admin, show him how to use RunAs. Write down how to use it in a text file on his desktop, and make sure he can remember the password by himself; you don't want that written down. And he cannot lock himself out of anything if he gets it wrong.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/AD_runas.asp
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
RunAs is easier to run with a right-click... highlight the icon of what you want to run, hold down Shift, right-click the icon, select RunAs... Put in the username and password for the elevated account. Don't tell him it's the admin account, just get him familiar with RunAs, and it's "magic". That is the best way. If that PC has internet access, he'll REQUIRE antivirus software, and regular updates/scheduled scans. GL!
-rich

0
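The limited account plus RunAs arrangement suggested in the replies above, written as a batch file for an administrator command prompt on Windows XP. This is an added example, not part of any poster's reply; the account name BilliardsUser and the installer path are placeholders.

```bat
@echo off
rem Added example, not from the thread. Run from an administrator
rem command prompt. BilliardsUser is a hypothetical account name.
setlocal
set ACCT=BilliardsUser

rem Create the account. The * makes net.exe prompt for the password,
rem so it is never stored in this file.
net user %ACCT% * /add /comment:"Billiards work only"
if errorlevel 1 goto fail

rem New local accounts land in Users. Make that explicit and strip any
rem higher-privileged membership (errors for "not a member" are ignored).
net localgroup Users %ACCT% /add >nul 2>&1
net localgroup "Power Users" %ACCT% /delete >nul 2>&1
net localgroup Administrators %ACCT% /delete >nul 2>&1

rem Verify: the account must not be listed in Administrators.
net localgroup Administrators | findstr /i /c:"%ACCT%" >nul
if not errorlevel 1 goto fail

echo %ACCT% is a limited account.
echo To install software from inside that session, elevate one program:
echo   runas /user:%COMPUTERNAME%\Administrator "C:\path\to\setup.exe"
goto :eof

:fail
echo Could not create or verify %ACCT% as a limited account.
exit /b 1
```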
 
LVL 1

Author Comment

by:aperdon
ID: 10773606
Thanks, these comments really help a lot.

How can I isolate his account from other (like administrator) accounts? When he works for me I want him to use the account (a Guest account) created by me for him. When he uses the computer for himself he should not be limited in whatever he does, but I will warn him about the nasty problems. I will show him how to use RunAs etc. But what he does then should not have any effect on the account I created for him. Only a virus scanner should be effective in that account too, and Access / Outlook Express etc. So it should be restrictive in 2 ways.
- He is not able to perform any (malicious) installation in that account
- The account is completely isolated from other accounts.

The problem is that it is his private computer, but I don't want to have any stupid problems when he does some work for me.
 
LVL 12

Expert Comment

by:trywaredk
ID: 10781802
Actually you could solve the issue in a more normal way.

Make a security policy (written on paper in Word) to be decided by your organisation:
For security reasons nobody (including the board members) is allowed to connect a home computer to your domain network.

If they need an administrative computer connected to the domain network, you/they have to purchase a computer for that. And they are not allowed to remove this computer from your organisation.

Ask them to follow your advice about the risks of viruses/spyware/trojans/spam/firewalls/etc. with their home computers as well.
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html
 
LVL 1

Author Comment

by:aperdon
ID: 10782003
I guess I don't understand your comment.
He works for me on his computer at his home in his private time, connected to the internet by his own connection.
He volunteered to do the job. But what he does on his computer that is not related to the job should not have any effect on 1. whether he is able to work and 2. the files (virus) he sends to us containing the results (MS Access mdb file)
 
LVL 12

Expert Comment

by:trywaredk
ID: 10782042
:o) Sorry, I guessed that it was a "huge" organisation ("For our billiards organization we have some board-members"), or should I say corporate network.

Back to YOUR issue:

Forget about the administrator and guest account on his computer, if your only problem is that your computer is getting infected ONLY by opening the mdb file HE emailed to you (is that correctly understood?)

If so, there's no way out of persuading him to follow YOUR advice to protect HIS computer from all the malware. It's in his own interest.

And you have to follow them too.
 
LVL 1

Author Comment

by:aperdon
ID: 10782100
It is both being infected as well as not being able to work due to the way he's using the internet and not being willing to change. I can't force him to change, only give him advice. My experience says that he will ignore the advice. So when he ignores my advice it will end up in me visiting him again, cleaning his PC, installing the software again and hoping it will work for a long time again, and last but not least the results will be delayed for some time... especially now at the end of the season this delay is far from welcome.
 
LVL 12

Accepted Solution

by:
trywaredk earned 50 total points
ID: 10782198
Well - it's not easy to solve your issue. Still, forget about the guest and administrator account.

Next time you visit him, tell him that you can't clean his pc, but you might have a solution if you can get the computer home to yourself for about 2-3 days, and let him walk to you to get it back.

:o) I hope his computer will stop working 10 times a day, so he can't use his internet connection, and that he would reconsider his ignorance.
 
LVL 1

Author Comment

by:aperdon
ID: 10782324
Ha ha your last comment I will tell him!!
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
ID: 10783260
It seems this user has the mentality of corporate IT managers. It will take a major disaster in order for him to listen, and when that major disaster does occur, he'll get sooo mad at you for NEVER warning him previously!

I say get him to buy a browser like Opera, or give him Mozilla. These browsers should help keep various spyware/adware from getting on his PC. He'll need AV for sure, and a firewall like ZA wouldn't hurt either. I recommend McAfee as an AV. Schedule M$ regular updates also
-rich