Solved

Managing Windows XP Lockdowns from win2k server

Posted on 2005-03-18
Last Modified: 2013-12-03
Hi,
I'm currently trying to restrict access on users desktops to both the local machine and to what software can be run. I was wanting to use software restriction policies but am unclear how (if possible) I can manage these from Windows 2k Server, directly through AD or through some sort of script.
I only want the users to have access to office primarily, acrobat reader, winzip.
In conjunction with this does anyone know what permissions are generally needed on a users machine where say I only want them to have write access to one folder "username" on the root of the C drive. i.e. Does the user still need permissions to Temp, the outlook temp directory etc
Thanks,
R
Question by:richkeegan
 
LVL 57

Expert Comment

by:Pete Long
ID: 13572638
Windows Creating and editing group policy

Group policies can be applied on a domain or an Organisational Unit, to apply a group policy in a 2003 domain environment, do the following.

On a domain controller open "Active directory Users and computers"

NOTE: As said above you can apply a GP to an OU in this instance we will deal with a domain GP, if you are concerned with a GP for an OU insert the "OU name" instead of the "Domain Name"

1. Locate the domain (top of the Tree) and right click it, then select "Properties"
2. Select the group policy Tab.
3. You will see the Default domain policy (and any other policies applied at this level)
4. You can create another domain policy by clicking "New", giving it a name and configuring it.
5. Ensure the default domain policy is highlighted and select "Edit" (unless you are working on another policy)
6. The Group policy object editor will open.
7. You can now edit the policy and close the editor when you are finished.
8. Back in the domain properties click "apply" and "OK"

Troubleshooting Group Policy in Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=B24BF2D5-0D7A-4FC5-A14D-E91D211C21B2&displaylang=en

Group Policy Infrastructure White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyId=D26E88BC-D445-4E8F-AA4E-B9C27061F7CA&displaylang=en

COMMON POLICIES

Set Proxy Server: user configuration >windows settings >internet explorer maintenance >connection >proxy settings
    NOTE Proxy IP can be set in DHCP options also (See option 252 on the scope)

Logon Scripts
User Configuration > Windows Settings > Scripts > Logon
The script lives here (\\domain controller\sysvol\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts\Logon)
 
LVL 57

Expert Comment

by:Pete Long
ID: 13572640
Add Windows XP Templates for Group Policy

OPTION 1

Windows XP contains the following updated administrative template files:

    * System.adm. Used for core settings.
    * Wmplayer.adm. Used for Windows Media settings.
    * Conf.adm. Used for NetMeeting® conferencing software.
    * Inetres.adm. Used for Internet Explorer.

To upgrade .adm files:

   1. Locate the desired .adm files on a Windows XP machine. (These are located in the Windows/INF directory.)
   2. Copy system.adm and any other .adm files to a file share.
   3. Go to the Windows 2000 Server-based computer and open a GPO in the Group Policy snap-in.
   4. Right click Administrative templates and select Add/Remove Templates as shown in Figure 2 below.

Add/Remove Templates

   5. When the Add/Remove Templates dialog box appears, remove the Windows 2000-based .adm files and add the Windows XP-based .adm files.
   6. Repeat for each GPO.

OPTION 2

To upgrade a Windows 2000 GPO, follow these steps on a Windows XP-based domain member:
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click Add.
4. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add.
5. In the Select Group Policy Object dialog box, Local Computer appears as the target object. Click Browse, select the GPO that you want to upgrade, and then click OK. Note that when you click Browse, a delay might occur while Windows searches for the policy objects in the domain.
6. Click Close. Click OK.
You can now adjust the policy settings in this Policy object by using the Group Policy console from the Windows XP-based client.
The GPO is actually updated with the new administrative template (.adm) files when you click or expand Computer Configuration or User Configuration under the title of the Policy object. You can upgrade a single Policy object at a time by using this method.
Note: The Windows XP Group Policy snap-in works only in Windows XP Professional.
The Windows XP Group Policy snap-in implements a new feature that displays the operating system version that is required by an Administrative Template policy setting in the side pane in Extended view. The Windows 2000 Group Policy snap-in cannot display this version information, but can be used to modify the administrative template settings after being upgraded.
New Security settings are also supported in Windows XP. These are available by using the Windows XP Group Policy snap-in; they are not displayed by using the Windows 2000 Group Policy snap-in whether or not they are configured.

Editing Security
Microsoft recommends that you edit upgraded GPOs from Windows XP-based clients. You can perform subsequent management of these GPOs (such as linking them to domains or organizational units) from the Windows 2000 Active Directory management tools.


References
http://www.jsifaq.com/SUBJ/tip4600/rh4649.htm
http://support.microsoft.com/?kbid=307900
http://www.petri.co.il/upgrade_windows_2000_gpo_with_xp_features.htm

Downloads
http://www.microsoft.com/downloads/details.aspx?FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en
 
LVL 57

Expert Comment

by:Pete Long
ID: 13572649
>> I only want them to have write access to one folder "username"

Windows pretty much looks after itself, but all users have access to

c:\documents and settings\<their username>
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13572651
Hi,

>>>I'm currently trying to restrict access on users desktops to both the local machine and to what software can be run. I was wanting to use software restriction policies but am unclear how (if possible) I can manage these from Windows 2k Server, directly through AD or through some sort of script.

It is not possible to manage those policies from Win2k server, because Windows 2k server was developed before Windows XP came, so MS has changed the way software restriction policy applies from Windows XP and higher versions of Windows. Till SP4 MS has not released the client-side extension for the Windows 2000 operating system that can be used to process Software Restriction Policy.

>>>I only want the users to have access to office primarily, acrobat reader, winzip.
What all other applications are they running? Try to set NTFS permissions on them using a batch file and then process this batch file using the Group Policy. So whenever they try to access certain EXE files blocked by you they will get an "Access is denied" error.

>>>In conjunction with this does anyone know what permissions are generally needed on a users machine where say I only want them to have write access to one folder "username" on the root of the C drive. i.e.

Only "Read" and "Write", "List Folder Contents", and if they want to modify something then "Modify" also. Does this folder contain sub-folders? You want them not to write anything in sub-folders?

>>>Does the user still need permissions to Temp, the outlook temp directory etc

By default users have Full Control on their profile and you do not need to change permissions on the Temp folder located in their profile. If you are talking about the \Winnt\Temp folder then they need at least Read permissions, and in some cases Write permissions if they run any application which requires writing something to the Temp folder.

Let me know.

Thanks
SystmProg

 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13572670
This is what you need if you can't manage Software Restrictions using Windows 2000:

We want to lock down some publicly accessible workstations. Our main objective is to totally control which programs users can run. Is Application Security (Appsec) sufficient for this need?
http://www.windowsitpro.com/Article/ArticleID/39684/39684.html
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13572723
Here I got one idea:

1. First install the WININSTLE software from the Windows 2000 CD (from \VALUEADDED\3RDPARTY\MGMT\WININSTLE) on the Windows XP machine.
2. Then run this software on the Windows XP machine and perform a "Before Snapshot" of the configuration of the machine. This will scan your computer and will ask you many questions regarding creating the MSI file.
3. After the scan completes it will ask you to run the application. Do not run an application here; instead use the Windows Gpedit.msc snap-in to configure the Software Restriction policy and make the necessary changes you want. After making changes restart the XP machine, boot and test whether users can run the selected applications or not, and also check whether the restrictions you applied work or not.
4. After checking everything, run the WININSTLE software again. Now this software will check what changes have been made to the system and will record everything to a safe place. After it completes it will create an MSI file.
5. Now go to Windows 2000 Server and open Active Directory Users and Computers. Open the Group Policy on which you want to configure Software Restriction > open Software Installation and then deploy this MSI file created from WININSTLE here. So it will apply to only Windows XP users and not 2k. When clients start their computer this MSI will install on their system.

How easy it is!!!

Let me know.
 

Author Comment

by:richkeegan
ID: 13573745
Hi,
Pete Long - your answer on gpos works perfectly thanks! I will definitely split half the points with you. Now I just need to figure the permissions.
I've redirected my documents to the network and basically I only want the user to be able to put stuff in one folder, C:\username, not to the desktop or anywhere else. I don't want them to be able to browse to any other folder on the machine ideally. But I'm unclear if certain apps like Office run under the permissions of the user or their own, hence if I just remove machinename\users from the security profile then will this have repercussions elsewhere?
 
LVL 35

Accepted Solution

by:
Nirmal Sharma earned 1000 total points
ID: 13581533
>>>But I'm unclear if certain apps like office run under the permissions of the user or their own, hence if i just remove machinename\users from the security profile then will this have repercussions elsewhere?

If users can run the application successfully then that means this application runs under the security context of the user account only, and not either the Administrator or SYSTEM account. Your requirement is for them not to write anything on their computer except the C:\username folder. Right? If yes then give the permission for them on that folder. For any other drive in the system give them no permission, and for the System Drive let them have Read permission (by default users have Read permission on the system drive).

Users have Full Control for their profile, but if you want them not to write on their Desktop then you need to define Read permission for the user explicitly.

Let me know if you are not clear.
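Putting the batch-file-plus-Group-Policy idea from earlier in the thread together with the C:\username permissions in the accepted answer, here is one added example script (mine, not something posted in the thread). The domain group LAB\LockedUsers and the list of blocked executables are constructed placeholders; pick your own. The "startup" half is meant to be deployed as a Computer Startup script (Computer Configuration > Windows Settings > Scripts > Startup), which runs as LocalSystem and so has the rights to change ACLs; the "logon" half goes under User Configuration > Windows Settings > Scripts > Logon and runs as the user.

```batch
@echo off
rem lockdown.cmd - added example, not from the thread.
rem Deploy once as a Computer Startup script with the argument "startup"
rem (runs as LocalSystem, which may change ACLs) and once as a User Logon
rem script with the argument "logon" (runs as the logged-on user).
rem Assumed names: the group LAB\LockedUsers and the blocked executables
rem below are placeholders; replace them for your own environment.

setlocal
set LOCKGROUP=LAB\LockedUsers

if /i "%~1"=="startup" goto :startup
if /i "%~1"=="logon"   goto :logon
echo usage: %~nx0 startup ^| logon
exit /b 1

:startup
rem Deny the restricted group all access to executables they must not run.
rem A denied user gets "Access is denied" when trying to launch the program.
rem Do NOT use BUILTIN\Users as the group here: on 2000/XP that group
rem contains Authenticated Users and INTERACTIVE, so administrators logging
rem on at the console would be locked out as well. Use a dedicated group.
rem Never deny cmd.exe this way or the logon script itself will stop running.
for %%P in (
    "%SystemRoot%\regedit.exe"
    "%SystemRoot%\system32\sol.exe"
    "%ProgramFiles%\Messenger\msmsgs.exe"
) do (
    rem /E edits the existing ACL instead of replacing it; /D adds a deny ACE.
    if exist %%P cacls %%P /E /D "%LOCKGROUP%" >nul
)
exit /b 0

:logon
rem Runs as the user. Create the one writable folder on the root of C:.
rem With the default XP root ACL, Users may create folders on C:\ and
rem CREATOR OWNER gets Full Control of what they create, so the user ends
rem up with Modify rights on C:\%USERNAME% without any extra ACL work.
if not exist "C:\%USERNAME%" (
    mkdir "C:\%USERNAME%" || (
        echo Could not create C:\%USERNAME% - check the ACL on the root of C:
        exit /b 1
    )
)
rem Probe that the folder really is writable, so a broken ACL shows up at
rem logon instead of the first time the user tries to save a file.
echo.> "C:\%USERNAME%\write-test.tmp" || (
    echo C:\%USERNAME% is not writable for %USERNAME%
    exit /b 1
)
del "C:\%USERNAME%\write-test.tmp"
exit /b 0
```

Two practical points. First, the deny ACEs answer the "remove machinename\users" worry in the thread: because local Users contains Authenticated Users and INTERACTIVE, anything denied to Users also hits administrators, so the script targets a separate group. Second, the script only restricts the executables you list; a user can still run a copy of a program from their C:\username folder, which is exactly the gap Software Restriction Policies (or AppSec, linked earlier) are meant to close, and why the MSI-deployment trick above is worth the effort.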
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 1000 total points
ID: 13581726
richkeegan

I see what you are trying to do - but experience tells me it's a BAAAD idea - try to stop users writing ANYTHING to their hard drive - Try standing in front of your Chief Executive when his hard drive has failed and he has lost five years' work.

'cause it will be YOUR!! fault, you're the IT bloke! Get all your users to save to a home drive on the network (that way you can back the stuff up and keep an eye on it).

And in AD Users and Computers set it up on their profile (no need for GPOs or scripts): on the profile tab connect drive H: to
\\servername\home\%username% - this will create the directory for you with all the correct permissions - tell the users the H: drive is on their PC and turn synchronisation on and they will never know anyway :)