NEED User Accounts Solution!!Please HELP

Posted on 2006-11-30
Medium Priority
Last Modified: 2013-12-04
I have 15 win xp hosts on a network with 3 servers, one being for the active directory. Recently a keylogger was found on numerous machines on the network (atomiclog). Therefore we want to lock down user accounts a little more. We use a sonicwall hardware firewall and then we have spysweeper running on all the hosts. First off, is it possible to replace the current spyware solution with something better, such as a device or something made for corporate networks? It would also be nice for everyone to be able to log on to each computer and have available their e-mail and everything else like a roaming account would provide, but without the slow logon process. I was thinking of setting up the user accounts like roaming profiles and using folder redirection. But how would this affect outlook, and how would you set that up? I was also looking at products by Faronics (www.faronics.com). They have software called deep freeze and another program called anti-executable. If I did the roaming profile thing then the deepfreeze would be great to use, but if not I think anti-exe would be better. If you use something else like these to help maintain your systems, please say so. I am looking for a complete solution here, basically because the network is getting to be too much to handle by administering on each machine and giving everyone admin privileges. Thanks for the help.
Question by:gsco

Assisted Solution

bigjimbo813 earned 80 total points
ID: 18049951
I restrict all desktop users to Local Power User accounts. This way the users are still able to map network shares and printers.

Personally I have only used anti-spyware tools on a per user basis. If a user calls in and complains about performance, or I catch suspicious network activity, the issue will be resolved. Primarily by using limited user accounts, this can help reduce the infestation of computers.

If I am not mistaken most corporate editions of AV help fight spyware also. Currently I am using Symantec AV 10.1 and it's working great.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 160 total points
ID: 18055353
LUP as pointed out above is 99.999% effective against spyware and viri, we moved users to the users group and halved the helpdesk work load in 1 day!
MS is doing this in Vista, about 10-15 years later than other OS's, but it's the first BIG step they have made in security in a long time

You should still have virus scanners on the PC's, and especially your servers like Email(anti-spam too) and Web. Roaming profiles and folder redirection don't accomplish much if they still have admin rights. There are plenty of tools available to help you automate tasks that require higher privileges: http://nonadmin.editme.com/UsefulTools
LVL 16

Assisted Solution

by:Kevin Hays
Kevin Hays earned 160 total points
ID: 18055485
I restrict all my users to just the normal "domain users" group and that is it. They don't get the privilege of being power user on their machine. I have roaming profiles set up so each user can go from workstation to workstation and log in. Login times are not a problem. My DNS is set up correctly, application data and my documents are also being redirected so the long login times that most people have heard are not a problem.

Mapping drives, printers, I do that for them via login scripts.
Installing software, I do that via group policy and software packages.
Defragging HD's, I do that via Defrag Manager 4.0 on a scheduled task.
Spyware, Sunbelt Counterspy has a corporate spyware scanner that is deployed and maintained in one central location.  Very handy.  I've not used this before though.

So you could have roaming profiles, redirection of application data and my documents (outlook email via exchange) and drop them down to just users. Of course I have other things to try and stop spam, spyware and viruses as well, but that is the basics.


Accepted Solution

rjmedina earned 1600 total points
ID: 18055588
Ok, you've brought up quite a few questions and concerns, I'll try to touch on them all:

1. Your KeyLogger issue and locking down accounts. You definitely want to keep the users from installing software. They'll fight you on this but these days it's the best way to protect them from themselves. Anyway, as bigjimbo813 suggested above the easy way to do this is to only allow users power user to their local machine. If you really want to lock it down, only allow them user access. Ultimately, you'll save time by doing this. Instead of figuring out what a user did to screw up their machine, you'll be able to spend more time on being proactive - making sure that they have all that they need to do their jobs.

2. Protecting the Enterprise -

a) Spyware - I'm a personal fan of the Webroot products (Spysweeper).  They have an enterprise product as well (http://www.webroot.com/enterprise/products/?WRSID=dd4c581414678b21d73f16b65216257f).  
b) Antivirus - You'll always need this; but you probably already know that
c) Anti-Spam or RBL or both - We use a Real Time Black List subscription to block most SPAM. It's great because it's simply a list of known spam origins and blocks all mail coming from any malicious source. In addition to the RBL we use Trend Micro's mail scanning tool.
d) Web Content Filtering/Proxy - Filter where your users go on the internet.  The primary source of attacks is no longer just email.  Filtering tools such as Websense will save your users from themselves.
e) Configure IE to be more secure via GPO.  Force your users to go through a web filter/proxy by configuring IE to use the proxy or if you have an advanced router use WCCP to route all 80 and 443 traffic through your web filtering tool.

3. Roaming accounts and how it will affect email. Since it sounds like you're in a fairly small environment, 15 users and 3 servers, then you probably don't have a lot of network traffic so take the plunge - set up the roaming profiles and create outlook profiles using prf files (http://www.slipstick.com/outlook/prftips.htm). If network performance becomes a problem then you might want to consider something else, but you should give it a try. Roaming profiles, while not perfect, will still save you time if your users like to play musical computers.

4. Maintenance is a pain.  So instead of spending hours visiting every machine, take some time to learn how to create msi packages with wise or another packaging product and push the software to your workstations via GPO.  

5. A complete solution probably won't come in a single package from a vendor.  We use Trend Micro, Symantec, RBL, web-filtering/proxy - all from different vendors and it's not because we want to confuse ourselves.  We do this because each one specializes in the service that they provide.  There is also the school of thought that if you have all your eggs in one basket and it's compromised, you're up the creek.  

Hope this helps.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 160 total points
ID: 18055708
To summarize, and use my favorite saying: Security is Process, not a Product.
As indicated above as well, security is about trade-offs, folks in the users group or guest group are very limited in what they can do, such as install printers and programs, and as put forth above, there are other ways to accomplish those tasks such as login scripts and scheduled tasks.
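An added example, not part of any post in this thread: one way to check which workstations still have ordinary accounts in the local Administrators group before and after moving users to the Users or Power Users group. It parses English-language `net localgroup Administrators` output saved per host; the hostnames, the CORP domain, the account names and the allow-list are constructed assumptions.

```python
# Added example: audit collected `net localgroup Administrators` output.
# Hostnames, the CORP domain and account names are constructed sample data.
import re

HEADER = ("Alias name     Administrators\n"
          "Comment        Administrators have complete and unrestricted access "
          "to the computer/domain\n\n"
          "Members\n\n" + "-" * 79 + "\n")
FOOTER = "The command completed successfully.\n"

SAMPLE = {
    "WS01": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\jsmith\n" + FOOTER,
    "WS02": HEADER + "Administrator\nCORP\\Domain Admins\n" + FOOTER,
    "WS03": "System error 5 has occurred.\n\nAccess is denied.\n",  # failed capture
}

# Assumed policy: only these accounts may be local administrators.
ALLOWED = {"administrator", "corp\\domain admins"}

def parse_members(output):
    """Return the member list, or None if the output has no member section."""
    members, in_list = [], False
    for line in (l.strip() for l in output.splitlines()):
        if re.fullmatch(r"-{10,}", line):
            in_list = True              # dashed rule opens the member list
        elif in_list and line.lower().startswith("the command completed"):
            return members              # trailer line closes it
        elif in_list and line:
            members.append(line)
    return members if in_list else None

def unexpected_admins(outputs, allowed=ALLOWED):
    """Map host -> accounts outside the allow-list; None means 'could not verify'."""
    findings = {}
    for host, text in sorted(outputs.items()):
        members = parse_members(text)
        if members is None:
            findings[host] = None       # never treat a failed capture as clean
        else:
            extra = [m for m in members if m.lower() not in allowed]
            if extra:
                findings[host] = extra
    return findings

if __name__ == "__main__":
    for host, extra in unexpected_admins(SAMPLE).items():
        print(host, "UNVERIFIED" if extra is None else "demote: " + ", ".join(extra))
```

A host whose capture failed is reported as unverified rather than silently passing, so a machine that could not be queried is not mistaken for one that is locked down.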

Author Comment

ID: 18056832
Could you explain more on how to set up the outlook profiles? What folders should I redirect when I switch over the accounts? Thanks for all the help.
LVL 16

Assisted Solution

by:Kevin Hays
Kevin Hays earned 160 total points
ID: 18057256
If you are using an exchange server and outlook then you just simply use roaming profiles which you can set in the ADUC profile tab as \\servername\profiles\%username%

In group policy under user configuration section you would simply redirect the my documents and application data to a shared resource on a folder.  When the user moves from station to station and as long as outlook is installed on each machine it will pull the correct mailbox.

If you are going to use roaming profiles then you should use folder redirection.

I'll explain in more detail, time to head home for now though.

Author Comment

ID: 18072199
kshays, could you go more in depth please?

Assisted Solution

rjmedina earned 1600 total points
ID: 18072499
To flat out tell you how to set up roaming profiles isn't really possible because you need to make choices that will work best for your network. Therefore, I've done a little research to provide you with some very good descriptions of what is involved in setting up roaming profiles:

First some documents that speak to why you would want to implement roaming profiles, security issues, a bit about how, etc.  


This document speaks about what is involved in making profiles "mobile" and folder redirection (good background info):


Second, what Microsoft has to say on the issue:


Third, Configuring Outlook for roaming profiles - Microsoft's Whitepaper on the subject.  More importantly though, this website is a wealth of knowledge on configuring Office and I use it often.


Fourth, a good cautionary source on roaming profiles - what they are, what they're not and what oddities to expect from using roaming profiles. Keep in mind that this source is a blog and this is mostly opinions and experiences of others - not necessarily fact.

