• Status: Solved
  • Priority: Medium
  • Security: Public

Best practices for locking down Windows

I am looking for the best practices for locking down Windows. I want to make sure that users do not have the ability to install non-standard applications. I know you can do it by GPO, but I wanted to find out if there were any other advisable methods for doing this. I also wanted to see what the pros and cons were for this method. I currently have over 1000 users and they are all local admins on their machines. My particular concern is P2P applications.
Asked by: fhmobeid
 
kamichie Commented:
Set your users up to use a logon script, then use the following website to create registry tweaks; these can do just about anything if you're creative enough. Unfortunately, I don't think there is a way to disable just P2P applications. You can stop the users from installing all applications, but not any specific one. However, I would recommend setting your firewall to disallow P2P programs. Also, you could write your login script to search for and delete P2P applications.
 
fhmobeid (Author) Commented:
Thanks kamichie... but I am looking for a more robust method of not allowing users the ability to install. Instead of using the login scripts, I can accomplish this using group policies. I did find one useful tweak, and that was to stop "Restrict Users from Running Specific Applications".

As for blocking P2P at the firewall... how would you do that? Port blocking? Don't these apps use non-standard ports that are at some point used by other applications? Also, I believe some of them even use port 80. I understand that there are applications that can analyse the payload?
 
kamichie Commented:
You could technically use a software-based firewall; IPCop has a very good program for blocking P2P applications: http://www.pcquest.com/content/topstories/secure/103111007.asp. However, if this is not an option, try using a proxy-based system (i.e. Squid). And finally, you could simply set your firewall to limit the number of ports a user uses. I would need to know what kind of firewall you're using to help more with this.
 
fhmobeid (Author) Commented:
The firewall is Cisco.
 
jimmybartlett Commented:
You could use packet shaping to basically make P2P slow down so much that no matter what port they direct it through, it won't work.
If you try to block specific apps, there will always be a new one out. They come out every week. You have to look at the type of traffic, not the process name. (Technically, they could just rename their P2P executable and get past the app-blocking firewall too.)
Here's the packet shaping how-to guide I found:
http://svana.org/kleptog/Packet-Shaping-HOWTO.html
 
kbbcnet Commented:
See MS Article "How To Use Software Restriction Policies in Windows Server 2003"
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

Of course you probably have already made everyone other than you & admin staff part of the "Users" group, not "Power User" or "Administrator" groups.  This way users can't install programs; however, this will not stop all installations, such as screensavers, wallpapers, spyware, etc.

Additionally, you may want to try a third party solution to assist you in this task such as "Deep Freeze" by Faronics.  See their webpage - http://www.faronics.com/.  This product will basically make an image of the PC's O/S then restore it every time you reboot... no installation crap to worry about then; just reboot it.  You could run a script to automatically reboot the PC every morning, too.

See if you can configure your Firewall to block 'streaming media' downloads (common in p2p products).

Good luck!
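
The replies above note that a name-based block is bypassed by renaming the executable and that a new application appears every week; Software Restriction Policies address both with hash rules under a default-deny level. The following is an added sketch, not part of the original thread and not Microsoft's code: the file names, file contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash the file contents; the file name plays no part in the result."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def name_denylist_allows(path: Path, blocked_names: set[str]) -> bool:
    """Weak control: block only when the file name is on a list."""
    return path.name.lower() not in blocked_names

def hash_allowlist_allows(path: Path, approved_hashes: set[str]) -> bool:
    """Default deny: run only binaries whose content hash was approved."""
    return sha256_of(path) in approved_hashes

def evaluate(workdir: Path) -> dict[str, tuple[bool, bool]]:
    """Write constructed sample files, return {name: (denylist, allowlist)}."""
    samples = {
        "winword.exe": b"constructed: approved office binary",
        "p2pclient.exe": b"constructed: file-sharing client",
        "notes.exe": b"constructed: file-sharing client",        # same bytes, renamed
        "newshare.exe": b"constructed: this week's new client",  # on no list at all
    }
    for name, content in samples.items():
        (workdir / name).write_bytes(content)
    blocked_names = {"p2pclient.exe"}                 # what the admin knew about
    approved = {sha256_of(workdir / "winword.exe")}   # what the admin signed off
    return {
        name: (name_denylist_allows(workdir / name, blocked_names),
               hash_allowlist_allows(workdir / name, approved))
        for name in samples
    }

def main() -> None:
    with tempfile.TemporaryDirectory() as d:
        for name, (deny, allow) in evaluate(Path(d)).items():
            print(f"{name:14} name-denylist={'run' if deny else 'block':5} "
                  f"hash-allowlist={'run' if allow else 'block'}")

if __name__ == "__main__":
    main()
```

A hash allowlist has to be updated whenever an approved program is patched, because the new build has a different hash.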