Solved

best practices for locking down windows

Posted on 2004-09-16
11
182 Views
Last Modified: 2013-12-04
I am looking for the best practices for locking down windows. I want to make sure that users do not have the ability to install non-standard applications. I know you can do it my gpo but i wanted to find out if there where any other advisable methods for doing this. i also wanted to see what the pros and cons where for this method. I currently have over 1000 users and they are all local admins on their machines. My particular concern is p2p applications.
0
Comment
Question by:fhmobeid
11 Comments
 
LVL 4

Expert Comment

by:kamichie
ID: 12076479
Set your users up to use a logon script, then us the following website to create regitry tweaks, these can do just abotu anything if your creative enough. Unfourtanetly, I dont think there is a way to disable just P2P applications. You can stop the users from installing all applications, but no any specfic one. However, I would recommend setting your firewall to disallow P2P programs. Also you could write your login script to search for and delete P2P applications.
0
 
LVL 4

Expert Comment

by:kamichie
ID: 12076482
0
 

Author Comment

by:fhmobeid
ID: 12076836
Thanks kamichie...but i am looking for a more robust method of not allowing users the ability to install. Instead of using the login scripts i can accomplish this using group policies. i did find one useful tweak and that was to stop "Restrict Users from Running Specific Applications".

As for blocking p2p at the firewall...how would you do that? Port blocking..dont these apps use non standard ports that are at some point used by other applications. Also i believe some of them even use port 80. I understand that there are applications that can analyse the payload?
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 4

Expert Comment

by:kamichie
ID: 12078826
You could technically use a software based firewall IPCop has a very good program for blocking p2p applications http://www.pcquest.com/content/topstories/secure/103111007.asp. However if this is not an option, try using a proxy based system (i.e. Suid). And finally you could simply set your firewall to limit the number of ports a user uses. I would need to know what kind of firewall your using to help more with this
0
 

Author Comment

by:fhmobeid
ID: 12079180
the firewall is cisco.
0
 
LVL 4

Accepted Solution

by:
kamichie earned 250 total points
ID: 12079292
0
 
LVL 1

Expert Comment

by:jimmybartlett
ID: 12079369
You could use packet shaping to basically make p2p slow down so slow that no matter what port they direct it through it won't work.
If you try to block specific apps, there will always be a new one out. They come out every week. You have to look at the type of traffic, not the process name. (technically, they could just rename their p2p executable and get past the app blocking firewall too.)
here's the packet shaping how-to guide i found:
http://svana.org/kleptog/Packet-Shaping-HOWTO.html
0
 
LVL 16

Assisted Solution

by:kbbcnet
kbbcnet earned 250 total points
ID: 12440581
See MS Article "How To Use Software Restriction Policies in Windows Server 2003"
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

Of course you probably have already made everyone other than you & admin staff part of the "Users" group, not "Power User" or "Administrator" groups.  This way users can't install programs; however, this will not stop all installations, such as screensavers, wallpapers, spyware, etc.

Additionally, you may want to try a third party solution to assist you in this task such as "Deep Freeze" by Faronics.  See their webpage - http://www.faronics.com/.  This product will basically make an image of the PC's O/S then restore it everytime you reboot....no installation crap to worry about then; just reboot it.  You could run a script to automatically reboot the PC every morning, too.

See if you can configure your Firewall to block 'streaming media' downloads (common in p2p products).

Good luck!
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question