Solved

best practices for locking down windows

Posted on 2004-09-16
11
181 Views
Last Modified: 2013-12-04
I am looking for the best practices for locking down windows. I want to make sure that users do not have the ability to install non-standard applications. I know you can do it my gpo but i wanted to find out if there where any other advisable methods for doing this. i also wanted to see what the pros and cons where for this method. I currently have over 1000 users and they are all local admins on their machines. My particular concern is p2p applications.
0
Comment
Question by:fhmobeid
11 Comments
 
LVL 4

Expert Comment

by:kamichie
ID: 12076479
Set your users up to use a logon script, then us the following website to create regitry tweaks, these can do just abotu anything if your creative enough. Unfourtanetly, I dont think there is a way to disable just P2P applications. You can stop the users from installing all applications, but no any specfic one. However, I would recommend setting your firewall to disallow P2P programs. Also you could write your login script to search for and delete P2P applications.
0
 
LVL 4

Expert Comment

by:kamichie
ID: 12076482
0
 

Author Comment

by:fhmobeid
ID: 12076836
Thanks kamichie...but i am looking for a more robust method of not allowing users the ability to install. Instead of using the login scripts i can accomplish this using group policies. i did find one useful tweak and that was to stop "Restrict Users from Running Specific Applications".

As for blocking p2p at the firewall...how would you do that? Port blocking..dont these apps use non standard ports that are at some point used by other applications. Also i believe some of them even use port 80. I understand that there are applications that can analyse the payload?
0
 
LVL 4

Expert Comment

by:kamichie
ID: 12078826
You could technically use a software based firewall IPCop has a very good program for blocking p2p applications http://www.pcquest.com/content/topstories/secure/103111007.asp. However if this is not an option, try using a proxy based system (i.e. Suid). And finally you could simply set your firewall to limit the number of ports a user uses. I would need to know what kind of firewall your using to help more with this
0
Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

 

Author Comment

by:fhmobeid
ID: 12079180
the firewall is cisco.
0
 
LVL 4

Accepted Solution

by:
kamichie earned 250 total points
ID: 12079292
0
 
LVL 1

Expert Comment

by:jimmybartlett
ID: 12079369
You could use packet shaping to basically make p2p slow down so slow that no matter what port they direct it through it won't work.
If you try to block specific apps, there will always be a new one out. They come out every week. You have to look at the type of traffic, not the process name. (technically, they could just rename their p2p executable and get past the app blocking firewall too.)
here's the packet shaping how-to guide i found:
http://svana.org/kleptog/Packet-Shaping-HOWTO.html
0
 
LVL 16

Assisted Solution

by:kbbcnet
kbbcnet earned 250 total points
ID: 12440581
See MS Article "How To Use Software Restriction Policies in Windows Server 2003"
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

Of course you probably have already made everyone other than you & admin staff part of the "Users" group, not "Power User" or "Administrator" groups.  This way users can't install programs; however, this will not stop all installations, such as screensavers, wallpapers, spyware, etc.

Additionally, you may want to try a third party solution to assist you in this task such as "Deep Freeze" by Faronics.  See their webpage - http://www.faronics.com/.  This product will basically make an image of the PC's O/S then restore it everytime you reboot....no installation crap to worry about then; just reboot it.  You could run a script to automatically reboot the PC every morning, too.

See if you can configure your Firewall to block 'streaming media' downloads (common in p2p products).

Good luck!
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now