
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7526

Removing local administrator rights from end users

In an attempt to stop spyware/adware installations on our end users' PCs, as well as other installations of software by end users, we have decided to remove administrator and power user status on all Windows XP workstations.

I have been told by many administrators that because this stops users from installing software, that spyware/adware can't be installed if the user does not have these rights.

My only problem is proxy settings for laptop users. When a field user is at a hotel they need to be able to get to the internet without a proxy. When they are at our site they need to put in a proxy setting to get to the internet. How can we have users be able to change proxy settings while at the same time locking down the workstations to other installs and changes, and keep them as a restricted user? Some background: at this time we are not on Active Directory. Workstations are Windows XP Pro.

2 Solutions
"we have decided to remove administrator and power user status on all Windows XP workstations...because this stops users from installing software."

Not really. A great deal of spyware is designed to bypass standard Windows limitations on user accounts, either by installing itself to non-standard folders (e.g. NOT in the \program files\ or \windows\ folders), or simply by being installed when the user browses a website whose page, when read, installs the spyware to the PC.

For laptop users, I'd suggest you standardize on one or two methods for remote access: one being a standard dial-up service for areas where there is no broadband access, the second being a VPN client on the laptops to allow them to connect back to the office and work using their standard proxy. Typically, the maker of your firewall will include VPN client licenses and software with your firewall purchase, but if not, there are third-party VPN client programs available for purchase (some of which are options from your firewall manufacturer).
Rich Rumble (Security Samurai) commented:
Get familiar with RunAs, and try my VBS/VBE tips here: http://xinn.org/RunasVBS.html

You can typically open the network .CPL file with runas; "Ncpa.cpl" is the file name.

But this sometimes fails, so you have to open IE as the local admin, and have them either go to a saved favorite, or have them type "network connections" in the URL line. This will give them admin of the network connections panel. All of the other CPL files can in fact be called with runas directly... this one, and control panel itself, seem to be "immune" to direct calls via runas. You can make shortcuts also to open control panel as another user, but then they have to know the admin pass... with the scripts I have listed, once they are encoded, they cannot read the password any longer.

Option Explicit
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
' Replace the path with the program you wish to run (c:\ etc.)
' The whole command line handed to runas must be one quoted argument;
' a doubled "" inside a VBScript string produces a literal " character.
oShell.Run "runas /noprofile /user:%computername%\administrator ""c:\Program Files\Internet Explorer\iexplore.exe -e -nohome"""
' Give the runas password prompt a moment to appear before typing into it.
WScript.Sleep 100
' Replace the string yourpasswordhere below with
' the password used on your system. The tilde (~) sends Enter.
oShell.SendKeys "yourpasswordhere~"

This opens IE as a blank page, but it has admin privileges, so it's imperative they close the window once the changes are made.
You may need to use this for the favorite
That sequence opens control panel. (include the ::'s and braces)

You can even have a script add them to the local admin's group for a set period, and remove them without them knowing what happened...

FYI, this will stop 20% of the spyware your users get (moving them down to user or even guest). I'd suggest trying to get them to use Firefox or another browser whenever possible. That will cut spyware by 99%.
Lotus30306 (Author) commented:

We use dial-up when no high-speed connection is available. When a high-speed connection is available (wireless or wired) we use Cisco's VPN client to connect to our network. However, if we hard-code our proxy settings into IE, then the user can't get to the login screen for the high-speed provider. Some places still allow you to get to the login page even with our proxy (very nice) but not always (so the user has to go back and forth, which we want to lock down).

Does anyone out there manage 20 or more field users and if so how are they allowing these users high speed access while at the same time using a proxy and locking the machines down so most installs are not possible?

Lotus30306 (Author) commented:

I am really confused by your answer and how it would help me change proxy settings for IE for users with limited access on their machine.  I don't like the idea of putting the admin password in a script file.

Is there a way to lock down the machines yet allow users to change proxy settings?

Rich Rumble (Security Samurai) commented:
There are other utilities that will encrypt the password so you can use runas; in my example they are encoded, which is easily reversed, however it's beyond most end users' abilities to do so. Also, the account shouldn't be THE local admin's, but a member of the local admins group, since most people set the same administrator pass for the local admin on all PCs. This would give them access to their own machine only if they did manage to reverse the encoding.
RunAs Professional is such a utility, but users can't be trusted to do these settings on their own, so perhaps a script that does it can be used, and if they are on dial-up, they can click the script and it will remove the proxy settings. http://www.mast-computer.com/c_3-s_38-l_en.html (pricey) http://www.mast-computer.com/c_9-l_en.html

Our users have XP with proxy; we are using the proxy config available in the 4.1.6 client code (the concentrator must also be up to date).

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_note09186a00802d398a.html (look for proxy settings)
Browser Proxy Configuration
Browser proxy configuration is ONLY available using the Release 4.1.6 VPN Concentrator code.
During mode config, the VPN Client negotiates a new mode config attribute to determine whether to change the value of a user's browser proxy setting. The VPN Client administrator controls the setting of the attribute through a parameter in the PCF file. This feature is being implemented for Windows (all platforms) only and for Internet Explorer only.
You can configure the VPN Concentrator to push proxy configuration settings into Microsoft Internet Explorer when Windows clients connect to it. The settings are on the Client Config tab of Group configuration. You can configure the VPN Concentrator to not modify proxy settings ("Do not modify proxy settings") , to push settings to disable existing proxy configuration ("No Proxy Settings"), to push settings to auto-detect a proxy ("Auto-Detect Proxy settings"), and to push explicit proxy settings ("Use Proxy Server/Port listed below").
With the "Use Proxy Server/Port listed below" setting, you can push a proxy server address, a proxy exception list, and whether the browser will exclude the proxy for local addresses.
After disconnecting, proxy settings are restored to what they were before the VPN connection was established. If a workstation is improperly shut down or rebooted while a VPN connection is established, proxy settings will be restored on boot-up.

We also run a logon script to set the proxy settings up when they are connected locally. http://www.windowsitpro.com/WindowsScripting/Article/ArticleID/42105/42105.html
We use similar code in our script. This script can be run using the runas vbe files I describe.
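A per-user proxy switch in the spirit of the logon script described above, added here as an example (it is not code from the page or from the linked article). It relies on the fact that Internet Explorer keeps its proxy settings under HKCU, which a restricted user can write without RunAs or an embedded admin password; the proxy address and bypass list are placeholders.

```vbscript
Option Explicit
' Added example: switch Internet Explorer's proxy for the logged-on user.
' Usage:  cscript setproxy.vbs on    (in the office: use the company proxy)
'         cscript setproxy.vbs off   (hotel / dial-up: direct connection)
' IE stores per-user proxy settings under HKCU, which a restricted user
' can write, so no admin rights and no stored admin password are needed.
' The server and bypass list below are placeholders for this example.
Const PROXY_SERVER = "proxy.example.local:8080"
Const PROXY_BYPASS = "*.example.local;<local>"
Const KEY = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"

Dim oShell, sMode, nEnabled
Set oShell = WScript.CreateObject("WScript.Shell")

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript setproxy.vbs on|off"
    WScript.Quit 1
End If
sMode = LCase(WScript.Arguments(0))

Select Case sMode
    Case "on"
        ' Enable the proxy and (re)write the server and exception list.
        oShell.RegWrite KEY & "ProxyEnable", 1, "REG_DWORD"
        oShell.RegWrite KEY & "ProxyServer", PROXY_SERVER, "REG_SZ"
        oShell.RegWrite KEY & "ProxyOverride", PROXY_BYPASS, "REG_SZ"
    Case "off"
        ' Only disable; ProxyServer stays in place so "on" restores it.
        oShell.RegWrite KEY & "ProxyEnable", 0, "REG_DWORD"
    Case Else
        WScript.Echo "Unknown mode: " & sMode & " (use on or off)"
        WScript.Quit 1
End Select

' Read the value back and report the effective state to the user.
nEnabled = oShell.RegRead(KEY & "ProxyEnable")
If nEnabled = 1 Then
    WScript.Echo "Proxy ON: " & oShell.RegRead(KEY & "ProxyServer")
Else
    WScript.Echo "Proxy OFF (direct connection)"
End If
' Already-open IE windows keep their old settings; restart IE to apply.
```

Because only HKCU is touched, the script runs under the user's own restricted account, so nothing in it grants the user rights over the rest of the machine.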
