Solved

best practices for locking down windows

Posted on 2004-09-16
Last Modified: 2013-12-04
I am looking for the best practices for locking down Windows. I want to make sure that users do not have the ability to install non-standard applications. I know you can do it by GPO, but I wanted to find out if there were any other advisable methods for doing this. I also wanted to see what the pros and cons were for this method. I currently have over 1000 users and they are all local admins on their machines. My particular concern is P2P applications.
Question by:fhmobeid
8 Comments
 
LVL 4

Expert Comment

by:kamichie
ID: 12076479
Set your users up to use a logon script, then use the following website to create registry tweaks; these can do just about anything if you're creative enough. Unfortunately, I don't think there is a way to disable just P2P applications. You can stop the users from installing all applications, but not any specific one. However, I would recommend setting your firewall to disallow P2P programs. Also, you could write your login script to search for and delete P2P applications.
0
 
LVL 4

Expert Comment

by:kamichie
ID: 12076482
0
 

Author Comment

by:fhmobeid
ID: 12076836
Thanks kamichie... but I am looking for a more robust method of not allowing users the ability to install. Instead of using the login scripts I can accomplish this using group policies. I did find one useful tweak and that was to stop "Restrict Users from Running Specific Applications".

As for blocking P2P at the firewall... how would you do that? Port blocking... don't these apps use non-standard ports that are at some point used by other applications? Also, I believe some of them even use port 80. I understand that there are applications that can analyse the payload?
0
 
LVL 4

Expert Comment

by:kamichie
ID: 12078826
You could technically use a software-based firewall; IPCop has a very good program for blocking P2P applications: http://www.pcquest.com/content/topstories/secure/103111007.asp. However, if this is not an option, try using a proxy-based system (i.e. Squid). And finally, you could simply set your firewall to limit the number of ports a user uses. I would need to know what kind of firewall you're using to help more with this.
0
 

Author Comment

by:fhmobeid
ID: 12079180
The firewall is Cisco.
0
 
LVL 4

Accepted Solution

by:
kamichie earned 1000 total points
ID: 12079292
0
 
LVL 1

Expert Comment

by:jimmybartlett
ID: 12079369
You could use packet shaping to basically make P2P slow down so much that no matter what port they direct it through it won't work.
If you try to block specific apps, there will always be a new one out. They come out every week. You have to look at the type of traffic, not the process name. (Technically, they could just rename their P2P executable and get past the app-blocking firewall too.)
Here's the packet shaping how-to guide I found:
http://svana.org/kleptog/Packet-Shaping-HOWTO.html
0
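The rename and new-release problems raised in the comment above, as an added PowerShell example that is not part of any post in this thread: it compares a file-name block-list, a hash block-list and a hash allow-list (hash rules are one of the rule types Software Restriction Policies support). All file names and contents are constructed placeholders written to a scratch folder.

```powershell
# Added example, not from the thread. Every file is a constructed stand-in
# written to a scratch folder; no real program is involved.
$dir = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null

$files = [ordered]@{
    'p2pclient.exe'  = 'constructed build 1.0'     # program the rule was written for
    'calc2.exe'      = 'constructed build 1.0'     # same bytes under another name
    'p2pclient2.exe' = 'constructed build 1.1'     # a later release, new bytes
    'payroll.exe'    = 'constructed approved app'  # software the business needs
}
foreach ($name in $files.Keys) {
    Set-Content -Path (Join-Path $dir $name) -Value $files[$name]
}

function Get-Sha256 {
    param([string] $Path)
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

# Three hypothetical rule sets an administrator might maintain.
$blockedNames  = @('p2pclient.exe')
$blockedHashes = @(Get-Sha256 (Join-Path $dir 'p2pclient.exe'))
$allowedHashes = @(Get-Sha256 (Join-Path $dir 'payroll.exe'))

$report = foreach ($name in $files.Keys) {
    $hash = Get-Sha256 (Join-Path $dir $name)
    [pscustomobject]@{
        File          = $name
        NameBlockList = if ($blockedNames  -contains $name) { 'blocked' } else { 'runs' }
        HashBlockList = if ($blockedHashes -contains $hash) { 'blocked' } else { 'runs' }
        HashAllowList = if ($allowedHashes -contains $hash) { 'runs' } else { 'blocked' }
    }
}
$report | Format-Table -AutoSize

Remove-Item -Path $dir -Recurse -Force
```

Only the allow-list column stays correct for all four files without being updated, which is why a default-deny policy needs less upkeep than chasing each new client.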
 
LVL 16

Assisted Solution

by:kbbcnet
kbbcnet earned 1000 total points
ID: 12440581
See MS Article "How To Use Software Restriction Policies in Windows Server 2003"
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

Of course you probably have already made everyone other than you & admin staff part of the "Users" group, not "Power User" or "Administrator" groups.  This way users can't install programs; however, this will not stop all installations, such as screensavers, wallpapers, spyware, etc.

Additionally, you may want to try a third party solution to assist you in this task such as "Deep Freeze" by Faronics.  See their webpage - http://www.faronics.com/.  This product will basically make an image of the PC's O/S then restore it every time you reboot....no installation crap to worry about then; just reboot it.  You could run a script to automatically reboot the PC every morning, too.

See if you can configure your Firewall to block 'streaming media' downloads (common in p2p products).

Good luck!
0
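The group-membership advice in the answer above can be checked per machine. This added PowerShell example (not part of the thread) reports unapproved members of the local Administrators and Power Users groups; the sample membership, the SIDs and the approved-RID pattern are constructed assumptions.

```powershell
# Added example, not from the thread: report accounts that can install software
# through membership of the local Administrators or Power Users group.
# Well-known SIDs are used so the check does not depend on localized group names.
$PrivilegedGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}
# Assumption: only the built-in Administrator (RID 500) and Domain Admins
# (RID 512) should keep elevated rights. Adjust to your own policy.
$ApprovedSidPattern = '-(500|512)$'

function Get-UnapprovedPrivilegedMember {
    param(
        [Parameter(Mandatory)] [string] $GroupSid,
        [object[]] $Members = @()    # objects exposing .Name and .SID
    )
    foreach ($m in $Members) {
        if ([string]$m.SID -notmatch $ApprovedSidPattern) {
            [pscustomobject]@{
                Group   = $PrivilegedGroups[$GroupSid]
                Account = $m.Name
                Sid     = [string]$m.SID
            }
        }
    }
}

# Constructed membership for one workstation; every name and SID is made up.
$sample = @{
    'S-1-5-32-544' = @(
        [pscustomobject]@{ Name = 'PC042\Administrator'; SID = 'S-1-5-21-1234567890-1234567891-1234567892-500' }
        [pscustomobject]@{ Name = 'CORP\Domain Admins';  SID = 'S-1-5-21-1000000001-2000000002-3000000003-512' }
        [pscustomobject]@{ Name = 'CORP\Domain Users';   SID = 'S-1-5-21-1000000001-2000000002-3000000003-513' }
    )
    'S-1-5-32-547' = @(
        [pscustomobject]@{ Name = 'CORP\jdoe'; SID = 'S-1-5-21-1000000001-2000000002-3000000003-1107' }
    )
}

$findings = foreach ($groupSid in $sample.Keys) {
    # On a live machine (Windows PowerShell 5.1 or later), pass
    # (Get-LocalGroupMember -SID $groupSid) instead of $sample[$groupSid].
    Get-UnapprovedPrivilegedMember -GroupSid $groupSid -Members $sample[$groupSid]
}
$findings | Sort-Object Group, Account | Format-Table -AutoSize
```

A domain-wide group such as Domain Users nested in Administrators is the usual way an entire user base ends up as local admins, so group entries deserve the same scrutiny as individual accounts.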

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This Micro Tutorial will teach you how to add a cinematic look to any film or video out there. There are very few simple steps that you will follow to do so. This will be demonstrated using Adobe Premiere Pro CS6.
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question