Solved

NEED User Accounts Solution!!Please HELP

Posted on 2006-11-30
Last Modified: 2013-12-04
I have 15 win xp hosts on a network with 3 servers, one being for the active directory. Recently a keylogger was found on numerous machines on the network (atomiclog). Therefore we want to lock down user accounts a little more. We use a sonicwall hardware firewall and then we have spysweeper running on all the hosts. First off is it possible to replace the current spyware solution with something better such as a device or something made for corporate networks? It would also be nice for everyone to be able to logon to each computer and have available their e-mail and everything else like a roaming account would provide but without the slow logon process. I was thinking of setting up the user accounts like roaming profiles and using folder redirection. But how would this affect outlook and how would you set up that. I was also looking at products by Faronics (www.faronics.com). They have software called deep freeze and another program called anti-executable. If I did the roaming profile thing then the deepfreeze would be great to use but if not I think anti-exe would be better. If you use something else like these to help maintain your systems please say so. I am looking for a complete solution here basically because the network is getting to be too much to handle by administering on each machine and giving everyone admin privileges. Thanks for the help
Question by:gsco
9 Comments
 
LVL 9

Assisted Solution

by:bigjimbo813
bigjimbo813 earned 20 total points
ID: 18049951
I restrict all desktop users to Local Power User accounts. This way the users are still able to map network shares and printers.

Personally I have only used anti-spyware tools on a per user basis. If a user calls in and complains about performance, or I catch suspicious network activity, the issue will be resolved. Primarily by using limited user accounts, this can help reduce the infestation of computers.

If I am not mistaken most corporate editions of AV help fight spyware also. Currently I am using Symantec AV 10.1 and it's working great.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 40 total points
ID: 18055353
LUP as pointed out above is 99.999% effective against spyware and viri, we moved users to the users group and halved the helpdesk work load in 1 day!
http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html
MS is doing this in Vista, about 10-15 years later than other OS's, but it's the first BIG step they have made in security in a long time
http://www.experts-exchange.com/Security/Q_22070457.html#a18015711

You should still have virus scanners on the PC's, and especially your servers like Email(anti-spam too) and Web. Roaming profiles and folder redirection don't accomplish much if they still have admin rights. There are plenty of tools available to help you automate tasks that require higher privileges: http://nonadmin.editme.com/UsefulTools
-rich
0
 
LVL 16

Assisted Solution

by:kshays
kshays earned 40 total points
ID: 18055485
I restrict all my users to just the normal "domain users" group and that is it.  They don't get the privilege of being power user on their machine.  I have roaming profiles setup so each user can go from workstation to workstation and login.  Login times are not a problem.  My DNS is setup correctly, application data and my documents are also being redirected so the long login times that most people have heard are not a problem.

Mapping drives, printers, I do that for them via login scripts.
Installing software, I do that via group policy and software packages.
Defragging HD's, I do that via Defrag Manager 4.0 on a scheduled task.
Spyware, Sunbelt Counterspy has a corporate spyware scanner that is deployed and maintained in one central location.  Very handy.  I've not used this before though.

So you could have roaming profiles, redirection of application data and my documents (outlook email via exchange) and drop them down to just users.  Of course I have other things to try and stop spam, spyware and viruses as well, but that is the basics.

Kevin
0
 
LVL 5

Accepted Solution

by:rjmedina
rjmedina earned 400 total points
ID: 18055588
Ok, you've brought up quite a few questions and concerns, I'll try to touch on them all:

1. Your KeyLogger issue and locking down accounts.  You definitely want to keep the users from installing software.  They'll fight you on this but these days it's the best way to protect them from themselves.  Anyway, as bigjimbo813 suggested above the easy way to do this is to only allow users power user to their local machine.  If you really want to lock it down, only allow them user access.  Ultimately, you'll save time by doing this.  Instead of figuring out what a user did to screw up their machine, you'll be able to spend more time on being proactive - making sure that they have all that they need to do their jobs.

2. Protecting the Enterprise -

a) Spyware - I'm a personal fan of the Webroot products (Spysweeper).  They have an enterprise product as well (http://www.webroot.com/enterprise/products/?WRSID=dd4c581414678b21d73f16b65216257f).  
b) Antivirus - You'll always need this; but you probably already know that
c) Anti-Spam or RBL or both - We use a Real Time Black List subscription to block most SPAM.  It's great because it's simply a list of known spam origins and blocks all mail coming from any malicious source.  In addition to the RBL we use Trend Micro's mail scanning tool.
d) Web Content Filtering/Proxy - Filter where your users go on the internet.  The primary source of attacks is no longer just email.  Filtering tools such as Websense will save your users from themselves.
e) Configure IE to be more secure via GPO.  Force your users to go through a web filter/proxy by configuring IE to use the proxy or if you have an advanced router use WCCP to route all 80 and 443 traffic through your web filtering tool.

3. Roaming accounts and how it will affect email.  Since it sounds like you're in a fairly small environment 15 users and 3 servers, then you probably don't have a lot of network traffic so take the plunge - set up the roaming profiles and create outlook profiles using prf files (http://www.slipstick.com/outlook/prftips.htm).  If network performance becomes a problem then you might want to consider something else, but you should give it a try.  Roaming profiles while not perfect will still save you time, if your users like to play musical computers.

4. Maintenance is a pain.  So instead of spending hours visiting every machine, take some time to learn how to create msi packages with wise or another packaging product and push the software to your workstations via GPO.  

5. A complete solution probably won't come in a single package from a vendor.  We use Trend Micro, Symantec, RBL, web-filtering/proxy - all from different vendors and it's not because we want to confuse ourselves.  We do this because each one specializes in the service that they provide.  There is also the school of thought that if you have all your eggs in one basket and it's compromised, you're up the creek.  

Hope this helps.
0
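
The answers above agree on moving users out of the local Administrators and Power Users groups. The following PowerShell audit is an added example, not code from any poster: it lists who currently holds those memberships on each workstation so the change can be checked before and after. The host names and allowlist are constructed placeholders, and it assumes the account running it has administrative access to the target machines.

```powershell
# Added example: report members of privileged local groups on each workstation
# and flag anything that is not on an allowlist.
# Host names and the allowlist are constructed placeholders.

$Computers = 'WS01', 'WS02', 'WS03'        # hypothetical workstation names
$Groups    = 'Administrators', 'Power Users'
$Allowed   = 'Administrator', 'Domain Admins'   # hypothetical allowlist, matched on the account name only

function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$Group)
    # The WinNT ADSI provider reads local groups remotely without extra modules.
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    $g.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/name or WinNT://DOMAIN/HOST/name.
        # An orphaned account shows up as a bare SID and is flagged like any other.
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$report = foreach ($c in $Computers) {
    foreach ($grp in $Groups) {
        try {
            foreach ($path in Get-LocalGroupMemberPath -Computer $c -Group $grp) {
                $name = ($path -split '/')[-1]
                [pscustomobject]@{
                    Computer = $c
                    Group    = $grp
                    Member   = $path -replace '^WinNT://', ''
                    Expected = $Allowed -contains $name
                }
            }
        }
        catch {
            # Unreachable host or missing group: report it rather than skip silently.
            Write-Warning "$c / $grp : $($_.Exception.Message)"
        }
    }
}

# Anything printed here is an account that still has elevated local rights.
$report | Where-Object { -not $_.Expected } |
    Sort-Object Computer, Group |
    Format-Table -AutoSize
```

An empty table after the lockdown means only the allowlisted accounts remain in those groups on the hosts that answered.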

 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 40 total points
ID: 18055708
To summarize, and use my favorite saying: Security is Process, not a Product.
As indicated above as well, security is about trade-offs, folks in the users group or guest group are very limited in what they can do, such as install printers and programs, and as put forth above, there are other ways to accomplish those tasks such as login scripts and scheduled tasks.
-rich
0
 

Author Comment

by:gsco
ID: 18056832
Could you explain more on how to setup the outlook profiles? What folders should I redirect when I switch over the accounts? Thanks for all the help
0
 
LVL 16

Assisted Solution

by:kshays
kshays earned 40 total points
ID: 18057256
If you are using an exchange server and outlook then you just simply use roaming profiles which you can set in the ADUC profile tab as \\servername\profiles\%username%

In group policy under user configuration section you would simply redirect the my documents and application data to a shared resource on a folder.  When the user moves from station to station and as long as outlook is installed on each machine it will pull the correct mailbox.

If you are going to use roaming profiles then you should use folder redirection.

I'll explain in more detail, time to head home for now though.
0
 

Author Comment

by:gsco
ID: 18072199
kshays, could you go more in depth please?
0
 
LVL 5

Assisted Solution

by:rjmedina
rjmedina earned 400 total points
ID: 18072499
To flat out tell you how to setup roaming profiles isn't really possible because you need to make choices that will work best for your network.  Therefore, I've done a little research to provide you with some very good descriptions of what is involved in setting up roaming profiles:

First some documents that speak to why you would want to implement roaming profiles, security issues, a bit about how, etc.  

http://www.informit.com/articles/article.asp?p=383856&seqNum=1&rl=1

this document speaks about what is involved in making profiles "mobile" and folder redirection (good background info):

http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

Second, what Microsoft has to say on the issue:

http://technet2.microsoft.com/WindowsServer/en/library/b41402c2-c982-4bfb-891e-91b47f211e181033.mspx?mfr=true

Third, Configuring Outlook for roaming profiles - Microsoft's Whitepaper on the subject.  More importantly though, this website is a wealth of knowledge on configuring Office and I use it often.

http://office.microsoft.com/en-us/ork2003/HA011403051033.aspx?pid=CH011424651033

Fourth, A good cautionary source on Roaming profiles - what they are, what they're not and what oddities to expect from using roaming profiles.  Keep in mind that this source is a blog and this is mostly opinions and experiences of others - not necessarily fact.

http://blogs.msdn.com/oldnewthing/archive/2005/06/30/434209.aspx
0
