Locking down workstations in a domain environment

jhuntin
I have domain in which I need to enable certain restrictions on the workstations.

It would be nice to be able to set the default IE browser page, some of the trusted security settings, and furthermore the ability to access certain sites only.

Currently, I have to set the trusted sites permissions with each profile that logs in (very time consuming) and also we use the content advisor to block out sites that are unwarranted, however it only works partially well. I am noticing that some users are getting smarter by disabling the password in the regeditor.

Is there a way I can apply a group policy to lock out the regeditor and or installation of software on certain workstations, yet have an administrator account be able to access it?

What are your recommendations on blocking certain websites and web content filtering?

I unfortunately cannot apply a DNS filter, because we would have to do it at the server level that manages the DNS, and our corporate office should have the ability to go to any site...but other workstations cannot. The DNS filter I looked at would only provide an all-or-nothing solution. Any ideas, and also how to apply the group policy to remove regedit and the other settings mentioned?
Software Restriction policies can be set to prevent applications named whatever you place in the policy from running.  This is where you'd set your list of 'restricted' applications--anything attempted to run from this list will come up with a denied dialog.
Commented:
take a look at this link it should help you set IE.
http://technet.microsoft.com/en-us/library/bb457144.aspx
Via a GPO you can set the trusted sites option, default page, etc.

If the user isn't a local admin they won't be able to install software or run regedit.

A third-party software such as http://websense.com is really the way to do that. They have great software and a free trial.

The GPO you want for IE settings is User Configuration --> Policies --> Windows settings --> Internet Explorer maintenance.

Author

Commented:
I have about 100 machines that need administering, can this all be done once and applied somehow to all?
Senior Systems Admin
Top Expert 2010
Commented:
Absolutely. As long as the computers are members of the domain. You'll do this through Group Policy Objects (GPOs) that are linked to the organizational units in your AD environment. If you haven't worked with GPOs before, this site has what looks to be a good guide on the subject (Haven't dug through it yet): http://www.dedoimedo.com/computers/policies.html

http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/ Has information on assigning sites to a specific zone.

The default browser page is configured in User Configuration\Windows Settings\Internet Explorer Maintenance\URLs

Blocking software is done through Software Restriction Policies under Computer Configuration\Windows Settings\Security Settings\Software Restrictions

If you create a GPO with all the settings you want, you then link it to the OU that all your users are in (or computers if it's a computer configuration setting) and the changes will be made the next time affected users log in.

Commented:
TRUSTED SITES:
Configure this on a per user basis and do this as a group policy per groups of users (meaning different OUs for this).
http://www.windowsitpro.com/article/tips/jsi-tip-6644-how-can-i-use-group-policy-to-add-a-site-to-the-trusted-sites-zone-.aspx

REGISTRY EDITS:
Make them users on that local machine, not power users or local administrators. Administrators are really the only ones with authority to edit registry, if I am not mistaken.

INSTALLS:
-Look under “Computer Configuration\Administrative Templates\Windows Components\Windows Installer”.
-Double-click on “Prohibit User Installs”
-Choose “Enabled”
-Now select “Prohibit User Installs” from the drop-down box.

Now only administrators install.

Commented:
To add to ChiefIt's comment.
You need to be very careful and test all apps if you want to make all your users non-admins on the local machines. Some applications like Bloomberg need registry keys and folder permissions to function in that scenario.

Commented:
elmagoal:

That is the best piece of advice, yet.

Least User Authorization prevents users from installing or editing the registry in the first place. They should be USERS, not local administrators on the PCs.
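To check the advice above across many machines, here is an added PowerShell example (not from this thread) that reports who holds local Administrators membership on a set of domain workstations and flags anything outside an allow list. The computer names, the CORP domain and the allowed groups are assumptions; it needs PowerShell 5.1+ on the targets and WinRM enabled.

```powershell
# Added example: audit local Administrators membership on domain workstations.
# Computer names and the allow list below are constructed placeholders.
$Computers = @('WS-001', 'WS-002', 'WS-003')
$Allowed   = @('CORP\Domain Admins', 'CORP\Workstation Admins')

# Collect the members of the local Administrators group on each target.
$report = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name            # e.g. CORP\jdoe or WS-001\Administrator
            Type     = $_.ObjectClass     # User or Group
            Source   = $_.PrincipalSource # Local or ActiveDirectory
        }
    }
}

# Anything that is neither on the allow list nor the built-in local Administrator
# account (shown as <COMPUTER>\Administrator) should be a plain User instead.
$unexpected = $report | Where-Object {
    $_.Member -notin $Allowed -and $_.Member -notmatch '^[^\\]+\\Administrator$'
}

$report | Sort-Object Computer, Member |
    Format-Table Computer, Member, Type, Source -AutoSize

if ($unexpected) {
    Write-Warning 'Accounts with local admin rights outside the allow list:'
    $unexpected | Format-Table Computer, Member, Type -AutoSize
}
```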

Author

Commented:
Yes, I would like to have given restricted access to the users that log in, however our SaaS software that we use requires some added privileges to run...is there a way to only make those work and lock out the rest of the apps perhaps?

Commented:
Yes:

Usually, you can grant privileges to the program files folder for that given program you want to run at elevated privileges...

So, if I have a program called "dog", I go into C:\program files\ and grant the user privileges I want on the "dog" folder. If multiple users use this program, you can grant administrative rights to the authenticated users group on the "dog" folder.

There is one program that assists with this. It is called Beyond Trust....
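The folder-permission approach above, as an added PowerShell example that is not from this thread: it grants Authenticated Users Modify rights on one application folder so the program can write there without the user being a local administrator. The folder path "C:\Program Files\dog" is the thread's placeholder; Modify is used instead of Full Control so users cannot change the folder's permissions or ownership.

```powershell
# Added example: grant a non-admin principal write access to one app folder only.
# $AppFolder and $Principal are assumptions; adjust them for the real application.
param(
    [string]$AppFolder = 'C:\Program Files\dog',
    [string]$Principal = 'NT AUTHORITY\Authenticated Users',
    [switch]$WhatIf
)

if (-not (Test-Path -LiteralPath $AppFolder -PathType Container)) {
    throw "Folder not found: $AppFolder"
}

# Modify = read/write/create/delete inside the folder. It does not include
# changing permissions or taking ownership, which FullControl would allow.
$rights      = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, $rights, $inherit, $propagation, $allow)

$acl = Get-Acl -LiteralPath $AppFolder

# Show what the principal already has, so an existing broader grant is noticed first.
$acl.Access | Where-Object { $_.IdentityReference.Value -eq $Principal } | ForEach-Object {
    Write-Host "Existing: $($_.IdentityReference) $($_.FileSystemRights) $($_.AccessControlType)"
}

$acl.AddAccessRule($rule)
if ($WhatIf) {
    Write-Host "Would grant $rights to $Principal on $AppFolder"
} else {
    Set-Acl -LiteralPath $AppFolder -AclObject $acl
    Write-Host "Granted $rights to $Principal on $AppFolder"
}

# Verify the resulting entry for the principal.
(Get-Acl -LiteralPath $AppFolder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

Run it with -WhatIf first to see the change without applying it; the same pattern works for a registry key by swapping in a RegistryAccessRule.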



Commented:
Beyond trust web site:
http://www.beyondtrust.com/

Let me tell you why least user authorization is important. You see that with admin privileges, the users can edit the registry and install programs. That's all a malicious software writer needs to contaminate that PC. It's estimated that 98.5% of all malicious attacks can be eliminated by abiding with least user authorization. Now if that same user has local admin rights on ALL PCs, you can easily infect an entire network of PCs....

Let me tell you a little about the Conficker virus. The Conficker virus comes as an attachment and is installed on a PC. It uses a dictionary attack to guess domain admin passwords or local admin passwords. Once guessed, it will try to infect a DC. If the DC is infected, the DC will use the remote procedure call (RPC) to infect the ENTIRE domain that the credentials have access to. Services will stop, data corruption is embedded, and many registry hacks are created and more worms or trojans are downloaded.

These are the types of things you prevent with LUA....

Commented:
Here are some other ideas for IT security:

An article I wrote for you guys to look at and consider:

http://www.experts-exchange.com/Networking/Security/A_3197-IDEAS-FOR-SAFEGUARDING-IT-ASSETS-for-home-and-enterprise.html
