Justin H asked:
Locking down workstations in a domain environment

I have a domain in which I need to enable certain restrictions on the workstations.

It would be nice to be able to set the default IE browser page, some of the trusted security settings, and furthermore the ability to access certain sites only.

Currently, I have to set the trusted sites permissions with each profile that logs in (very time consuming), and we also use the Content Advisor to block out sites that are unwarranted; however, it only works partially well. I am noticing that some users are getting smarter by disabling the password in the registry editor.

Is there a way I can apply a group policy to lock out the registry editor and/or installation of software on certain workstations, yet have an administrator account be able to access it?

What are your recommendations on blocking certain websites and web content filtering?

I unfortunately cannot apply a DNS filter, because we would have to do it at the server level that manages the DNS, and our corporate office should have the ability to go to any site, but other workstations cannot. The DNS filter I looked at would only provide an all-or-nothing solution. Any ideas, and also how to apply the group policy to remove regedit and the other settings mentioned?
BobintheNoc:

Software Restriction Policies can be set to prevent applications named whatever you place in the policy from running. This is where you'd set your list of 'restricted' applications; anything on this list that is attempted to run will come up with a denied dialog.
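As an added example (editor's code, not part of the original thread): the SRP "Disallowed" path rules described above, written to the same registry keys the Group Policy editor writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer. Run it in an elevated PowerShell on a test workstation; in the domain you would put identical rules in a GPO linked to the workstations' OU so all machines pick them up. The blocked paths are illustrative assumptions. PolicyScope = 1 exempts local Administrators, which is what the asker wanted for the admin account.

```powershell
# Added example, not from the original thread. Creates SRP "Disallowed" path rules
# by writing the registry keys the GPO editor writes. Run elevated. Paths below are
# illustrative assumptions.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Global SRP settings (the defaults the GPO editor uses when SRP is first created)
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Type DWord -Value 0x40000  # Unrestricted: everything runs unless a rule says otherwise
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Type DWord -Value 1        # 1 = executables except DLLs; 2 = DLLs too
Set-ItemProperty -Path $Safer -Name PolicyScope         -Type DWord -Value 1        # 1 = all users EXCEPT local Administrators
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Type DWord -Value 0

function Add-SrpDisallowedPath {
    <# One path rule at security level 0 (Disallowed). Each rule is a GUID-named
       subkey under <level>\Paths holding the path plus metadata. #>
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = ''
    )
    $ruleKey = "$Safer\0\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Type ExpandString -Value $Path
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $ruleKey -Name LastModified -Type QWord        -Value (Get-Date).ToFileTime()
    return $ruleKey
}

function Get-SrpDisallowedPaths {
    # Read the configured rules back so you can verify what the policy contains.
    Get-ChildItem -Path "$Safer\0\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath | Select-Object ItemData, Description }
}

Add-SrpDisallowedPath -Path '%WINDIR%\regedit.exe'      -Description 'Registry editor'
Add-SrpDisallowedPath -Path '%WINDIR%\System32\reg.exe' -Description 'Command-line registry tool'
Add-SrpDisallowedPath -Path '%USERPROFILE%\Downloads\*' -Description 'No execution from Downloads'
Get-SrpDisallowedPaths
```

Rules apply to processes started after the policy is read; log off and back on as a standard user to test. One caveat on the blacklist approach: a path rule only matches the path, so a user who copies regedit.exe to a USB stick runs the copy unhindered. The robust configuration is the reverse: DefaultLevel = 0 (Disallowed) with Unrestricted path rules for %ProgramFiles% and %WINDIR%, which also stops the user-profile software installs the asker wants to prevent.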



elmagoal:
Take a look at this link; it should help you set up IE.
http://technet.microsoft.com/en-us/library/bb457144.aspx
Via a GPO you can set the trusted sites option, default page, etc.

If the user isn't a local admin, they won't be able to install software or run regedit.

Third-party software such as http://websense.com is really the way to do that. They have great software and a free trial.

The GPO you want for IE settings is User Configuration --> Policies -->Windows settings --> Internet Explorer maintenance.  
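As an added example (editor's code, not part of the original thread): the registry values behind the two IE user policies that do what elmagoal describes, "Disable changing home page setting" and "Site to Zone Assignment List". Run it as the test user to set them locally; in production the same values are delivered by a GPO under User Configuration > Administrative Templates > Windows Components > Internet Explorer, which is what you would use today because the Internet Explorer Maintenance node was removed with IE10. URLs and host names are illustrative assumptions.

```powershell
# Added example, not from the original thread. Writes the policy registry values
# behind "Disable changing home page setting" and "Site to Zone Assignment List".
# Run as the user being configured. URLs and hosts are illustrative assumptions.

$IEPolicy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer'

function Set-LockedStartPage {
    param([Parameter(Mandatory)][string]$Url)
    # HomePage=1 greys out the home page control in Internet Options;
    # "Start Page" under ...\Main is the value the user is then locked to.
    New-Item -Path "$IEPolicy\Control Panel" -Force | Out-Null
    Set-ItemProperty -Path "$IEPolicy\Control Panel" -Name HomePage -Type DWord -Value 1
    New-Item -Path "$IEPolicy\Main" -Force | Out-Null
    Set-ItemProperty -Path "$IEPolicy\Main" -Name 'Start Page' -Type String -Value $Url
}

function Add-SiteToZone {
    <# Site to Zone Assignment List. Key layout under the policy ZoneMap:
         Domains\<registrable domain>[\<host prefix>]   value name: scheme or "*"   data: zone
       Zones: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
       The .NET registry API is used so a value named "*" is written literally. #>
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][ValidateSet(1, 2, 3, 4)][int]$Zone,
        [string]$Scheme = 'https'
    )
    $zoneMapRel = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    $labels = $HostName.Split('.')
    if ($labels.Count -le 2) {
        $rel = "$zoneMapRel\Domains\$HostName"
    } else {
        $domain = $labels[-2..-1] -join '.'
        $prefix = $labels[0..($labels.Count - 3)] -join '.'
        $rel = "$zoneMapRel\Domains\$domain\$prefix"
    }
    $hkcu = [Microsoft.Win32.Registry]::CurrentUser
    # ListBox_Support_ZoneMapKey=1 makes IE honour the policy list (the ADMX writes this too)
    $hkcu.CreateSubKey($zoneMapRel).SetValue('ListBox_Support_ZoneMapKey', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key = $hkcu.CreateSubKey($rel)
    $key.SetValue($Scheme, $Zone, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    return $rel
}

Set-LockedStartPage -Url 'https://intranet.example.com/'
Add-SiteToZone -HostName 'portal.example.com'  -Zone 2               # trusted, https only
Add-SiteToZone -HostName 'apps.vendor.example' -Zone 2 -Scheme '*'   # trusted for any scheme
Add-SiteToZone -HostName 'example.net'         -Zone 4 -Scheme '*'   # restricted

# Verify what was written
Get-ItemProperty -Path "$IEPolicy\Main" -Name 'Start Page'
Get-ChildItem -Path 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains' -Recurse
```

Once the zone list comes from policy, the Trusted Sites dialog is read-only for the user, so the per-profile work the asker describes disappears. Prefer the https-only form for trusted entries: putting a host in the Trusted zone for "*" also lowers protections for plain-HTTP content from that host.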
Justin H (asker):
I have about 100 machines that need administering; can this all be done once and applied somehow to all?
ASKER CERTIFIED SOLUTION
Adam Brown:
TRUSTED SITES:
Configure this on a per-user basis and do this as a group policy per group of users (meaning different OUs for this):
http://www.windowsitpro.com/article/tips/jsi-tip-6644-how-can-i-use-group-policy-to-add-a-site-to-the-trusted-sites-zone-.aspx

REGISTRY EDITS:
Make them users on that local machine, not power users or local administrators. Administrators are really the only ones with authority to edit the registry, if I am not mistaken.

INSTALLS:
-Look under “Computer Configuration\Administrative Templates\Windows Components\Windows Installer”.
-Double-click on “Prohibit User Installs”
-Choose “Enabled”
-Now select “Prohibit User Installs” from the drop-down box.

Now only administrators install.
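As an added example (editor's code, not part of the original thread): the three controls in the accepted answer as check-and-apply functions, so one test workstation can be configured and audited before the same settings go into a GPO for all 100 machines. Two caveats the answer glosses over: standard users can still write their own HKCU hive, so "Prevent access to registry editing tools" only blocks regedit.exe and is friction rather than a boundary; the thing that actually stops the Content Advisor password trick is removing local admin rights, because that password is stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings, which standard users cannot change. Requires the LocalAccounts module (Windows 10 / Server 2016 and later); run elevated.

```powershell
# Added example, not from the original thread. Check-and-apply functions for the
# accepted answer's three controls. Run elevated on a test workstation.

# 1. Local administrators: the real fix. Anything beyond the built-in Administrator
#    and the domain admin groups is a finding.
function Get-LocalAdminMembers {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 2. "Prevent access to registry editing tools" (User Configuration > Administrative
#    Templates > System). Disables regedit.exe for that user only; reg.exe and the
#    PowerShell registry provider still work.
function Set-RegeditDisabled {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name DisableRegistryTools -Type DWord -Value 1
}

# 3. Windows Installer "Prohibit User Installs" (Computer Configuration > Administrative
#    Templates > Windows Components > Windows Installer). DisableUserInstalls=1 hides
#    per-user MSI installs; it does nothing about non-MSI setup.exe files that install
#    into the user's own profile, which is what SRP/AppLocker are for.
function Set-UserInstallsProhibited {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name DisableUserInstalls -Type DWord -Value 1
}

function Test-WorkstationLockdown {
    # One object per machine; export to CSV and compare across the fleet.
    $admins  = Get-LocalAdminMembers
    $regedit = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
                    -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    $msi     = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' `
                    -Name DisableUserInstalls -ErrorAction SilentlyContinue).DisableUserInstalls
    $builtIn = "$env:COMPUTERNAME\Administrator"
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        LocalAdmins            = ($admins.Name -join '; ')
        UserAccountsAreAdmins  = [bool]($admins | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -ne $builtIn })
        RegeditDisabled        = ($regedit -eq 1)
        UserInstallsProhibited = ($msi -eq 1)
    }
}

Set-RegeditDisabled
Set-UserInstallsProhibited
Test-WorkstationLockdown
```

For the whole fleet, run Test-WorkstationLockdown through Invoke-Command against the workstation list after the GPO has applied and look for any row with UserAccountsAreAdmins = True; that row is the machine where the "delete the password" trick still works.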
To add to ChiefIt's comment:
You need to be very careful and test all apps if you want to make all your users non-admins on the local machines. Some applications like Bloomberg need registry keys and folder permissions to function in that scenario.
elmagoal:

That is the best piece of advice yet.

Least User Authorization prevents users from installing or editing the registry in the first place. They should be USERS, not local administrators on the PCs.
Yes, I would like to have given restricted access to the users that log in; however, the SaaS software that we use requires some added privileges to run. Is there a way to only make those work and lock out the rest of the apps, perhaps?
Yes:

Usually, you can grant privileges to the Program Files folder for that given program you want to run at elevated privileges...

So, if I have a program called "dog", I go into C:\Program Files\ and grant the user privileges I want on the "dog" folder. If multiple users use this program, you can grant administrative rights to the Authenticated Users group on the "dog" folder.

There is one program that assists with this. It is called Beyond Trust....

Beyond Trust web site:
http://www.beyondtrust.com/
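As an added example (editor's code, not part of the original thread): the folder-permission approach from the answer above, done with least privilege rather than "administrative rights". It grants Modify (read, write, delete, but not Change Permissions or Take Ownership) on only the location the application actually writes to, to a dedicated group rather than Authenticated Users, and does the same for an HKLM key the application insists on writing. Paths, group and registry key are illustrative assumptions; run elevated.

```powershell
# Added example, not from the original thread. Least-privilege grants for a legacy
# application so its users can stay standard users. Names are illustrative assumptions.

$AppDataFolder = 'C:\Program Files\dog\data'   # found via Process Monitor ACCESS DENIED events
$AppRegKey     = 'HKLM:\SOFTWARE\DogSoft'       # an HKLM key the app writes its settings to
$Group         = 'CORP\dog-users'               # domain group containing the app's users

function Grant-FolderModify {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryKeyWrite {
    param([Parameter(Mandatory)][string]$KeyPath, [Parameter(Mandatory)][string]$Identity)
    # ReadKey + SetValue + CreateSubKey is enough to store settings; no Delete,
    # ChangePermissions or TakeOwnership, and nothing outside this key.
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity,
        [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Get-ExplicitAccess {
    # Non-inherited entries only, so you see exactly what was added.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, RegistryRights, AccessControlType
}

Grant-FolderModify     -Path    $AppDataFolder -Identity $Group
Grant-RegistryKeyWrite -KeyPath $AppRegKey     -Identity $Group
Get-ExplicitAccess -Path $AppDataFolder
Get-ExplicitAccess -Path $AppRegKey
```

Do not grant write access on the folder that holds the executables themselves: a user who can replace dog.exe can plant code that runs whenever another user, or a service, launches the program. Grant on the data subfolder the application actually needs, which Process Monitor's ACCESS DENIED events will show you.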

Let me tell you why least user authorization is important. You see that with admin privileges, the users can edit the registry and install programs. That's all a malicious software writer needs to contaminate that PC. It's estimated that 98.5% of all malicious attacks can be eliminated by abiding by least user authorization. Now if that same user has local admin rights on ALL PCs, you can easily infect an entire network of PCs....

Let me tell you a little about the Conficker virus. The Conficker virus comes as an attachment and is installed on a PC. It uses a dictionary attack to guess domain admin passwords or local admin passwords. Once guessed, it will try to infect a DC. If the DC is infected, the DC will use remote procedure call (RPC) to infect the ENTIRE domain that the credentials have access to. Services will stop, data corruption is embedded, many registry hacks are created, and more worms or trojans are downloaded.

These are the types of things you prevent with LUA....
Here are some other ideas for IT security:

An article I wrote for you guys to look at and consider:

https://www.experts-exchange.com/Networking/Security/A_3197-IDEAS-FOR-SAFEGUARDING-IT-ASSETS-for-home-and-enterprise.html