Solved

best practices for locking down windows

Posted on 2004-09-16
11
186 Views
Last Modified: 2013-12-04
I am looking for the best practices for locking down windows. I want to make sure that users do not have the ability to install non-standard applications. I know you can do it my gpo but i wanted to find out if there where any other advisable methods for doing this. i also wanted to see what the pros and cons where for this method. I currently have over 1000 users and they are all local admins on their machines. My particular concern is p2p applications.
0
Comment
Question by:fhmobeid
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 4

Expert Comment

by:kamichie
ID: 12076479
Set your users up to use a logon script, then us the following website to create regitry tweaks, these can do just abotu anything if your creative enough. Unfourtanetly, I dont think there is a way to disable just P2P applications. You can stop the users from installing all applications, but no any specfic one. However, I would recommend setting your firewall to disallow P2P programs. Also you could write your login script to search for and delete P2P applications.
0
 
LVL 4

Expert Comment

by:kamichie
ID: 12076482
0
 

Author Comment

by:fhmobeid
ID: 12076836
Thanks kamichie...but i am looking for a more robust method of not allowing users the ability to install. Instead of using the login scripts i can accomplish this using group policies. i did find one useful tweak and that was to stop "Restrict Users from Running Specific Applications".

As for blocking p2p at the firewall...how would you do that? Port blocking..dont these apps use non standard ports that are at some point used by other applications. Also i believe some of them even use port 80. I understand that there are applications that can analyse the payload?
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 4

Expert Comment

by:kamichie
ID: 12078826
You could technically use a software based firewall IPCop has a very good program for blocking p2p applications http://www.pcquest.com/content/topstories/secure/103111007.asp. However if this is not an option, try using a proxy based system (i.e. Suid). And finally you could simply set your firewall to limit the number of ports a user uses. I would need to know what kind of firewall your using to help more with this
0
 

Author Comment

by:fhmobeid
ID: 12079180
the firewall is cisco.
0
 
LVL 4

Accepted Solution

by:
kamichie earned 250 total points
ID: 12079292
0
 
LVL 1

Expert Comment

by:jimmybartlett
ID: 12079369
You could use packet shaping to basically make p2p slow down so slow that no matter what port they direct it through it won't work.
If you try to block specific apps, there will always be a new one out. They come out every week. You have to look at the type of traffic, not the process name. (technically, they could just rename their p2p executable and get past the app blocking firewall too.)
here's the packet shaping how-to guide i found:
http://svana.org/kleptog/Packet-Shaping-HOWTO.html
0
 
LVL 16

Assisted Solution

by:kbbcnet
kbbcnet earned 250 total points
ID: 12440581
See MS Article "How To Use Software Restriction Policies in Windows Server 2003"
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

Of course you probably have already made everyone other than you & admin staff part of the "Users" group, not "Power User" or "Administrator" groups.  This way users can't install programs; however, this will not stop all installations, such as screensavers, wallpapers, spyware, etc.

Additionally, you may want to try a third party solution to assist you in this task such as "Deep Freeze" by Faronics.  See their webpage - http://www.faronics.com/.  This product will basically make an image of the PC's O/S then restore it everytime you reboot....no installation crap to worry about then; just reboot it.  You could run a script to automatically reboot the PC every morning, too.

See if you can configure your Firewall to block 'streaming media' downloads (common in p2p products).

Good luck!
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question