Asked by mcnuttlaw:

Locking down a PC/laptop

I know there are other posts on this topic, but I wanted to see if there were new ideas on locking down a PC.

In addition to not making a user a local admin, I want to also prevent them from:

- Running exe/msi files from the user's AppData (e.g., Spotify installs itself in AppData)
- Uninstalling programs.  It appears even a non-admin can uninstall an application if it doesn't affect critical system files (e.g., Adobe Reader X1).

Keep in mind that any suggestions for regkeys and group policies should affect only non-admin and not admins who need to be able to do their thing without being hampered by policy.
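Before writing a rule that blocks executables under AppData, it helps to know what is already running from there. The following PowerShell script is an added example, not code from the thread or from any of its participants: it inventories .exe and .msi files under each profile's AppData folders and reports their Authenticode signer, so a defender can see which per-user installs (Spotify-style installers, unsigned binaries) a block would affect. The profile root, the three AppData subfolders and the extension list are assumptions set as parameters.

```powershell
# Added example (not from the thread): list executables/installers under each user's
# AppData and show whether they are signed. Run as an administrator to read all profiles.
function Get-AppDataExecutables {
    param(
        # Assumption: profiles live under <SystemDrive>\Users (the default layout)
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users'),
        # File types the asker wants to keep from running out of AppData
        [string[]]$Extensions = @('.exe', '.msi')
    )

    # Skip the built-in template/shared profiles; they are not interactive users
    $skip = @('Public', 'Default', 'Default User', 'All Users')

    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -notin $skip } |
      ForEach-Object {
        $user = $_.Name
        foreach ($sub in 'AppData\Local', 'AppData\Roaming', 'AppData\LocalLow') {
            $dir = Join-Path $_.FullName $sub
            if (-not (Test-Path $dir)) { continue }

            Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
              Where-Object { $_.Extension -in $Extensions } |
              ForEach-Object {
                # Get-AuthenticodeSignature tells us whether the binary is signed and by whom;
                # unsigned or invalid signatures are the ones worth a closer look.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

                [pscustomobject]@{
                    User      = $user
                    Path      = $_.FullName
                    Signer    = $signer
                    SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                    Modified  = $_.LastWriteTime
                }
              }
        }
      }
}

# Usage: print the inventory, grouped by user, then by path
Get-AppDataExecutables | Sort-Object User, Path | Format-Table -AutoSize
```

The output is a starting point for a policy: entries with a trusted signer can be allowed by publisher, while unsigned or invalid-signature binaries are the ones a block rule should catch first.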
SOLUTION (by gilnov; text available only to Experts Exchange members)
mcnuttlaw (ASKER):
Unfortunately, my attempts at controlling UAC via GPO resulted in local admins not being able to install files.  It turns out that UAC was disabled in the registry (via GPO), but it was still enabled in the GUI.

I had similar experiences with the others who left comments in that link.
Sean Plemons Kelly, CISSP:
Is the machine on a domain, or a standalone?
Laptop joined to domain and will work offline half the time.
Group policy is like an open-face fishing reel: easy to foul and hard to untangle.
What you have to keep in mind is that some settings are not reversed by setting back to "undefined" (depends on which part of the registry the settings are located in). Also, there is an order of processing that goes LSDOU which stands for Local > Site > Domain > Organizational Unit. That means that policies that are set on the local machine are trumped by policies at the Site level in Active Directory, site policies are in turn overridden by Domain and, finally, policies at the OU level will be applied. If you have a policy setting switched off on the local machine, it may be overridden when the computer is connected to the domain network. If you can specify exactly which settings are being set and at which level, we may be able to help.
Oh, and to further complicate matters, some settings go in the User section (HKCU) and some in the computer section (HKLM) and the behavior can get very bizarre if conflicting settings are set in both hives.
ASKER CERTIFIED SOLUTION (text available only to Experts Exchange members)
Another option if you have the budget would be a third party privilege manager such as CyberArk Endpoint Privilege Manager: https://www.cyberark.com/products/privileged-account-security-solution/endpoint-privilege-manager/
Here's how my AD is set up.

Default Domain Policy (GPO)
-- Current Computers (OU)
---- Disable UAC (GPO)

Default Domain Policy does not have anything UAC related.

Disable UAC (GPO)
Computer > Policies > Security > Local > User Account Control
Behavior of elevation prompt = Elevate without prompting
Detect Application = Enabled
Run all administrators in Admin Approval Mode = Enabled

The result is that the registry gets set, but the GUI is still enabled.  When an admin attempts to install a program, a Windows Installer message appears: "The administrator has set policies on this computer to prevent this installation".  Right-click on the installer and the UAC prompt appears.

Thanks for the links.  I set the UAC settings back to their defaults.
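The three security options listed in the "Disable UAC" GPO above, and the HKLM/HKCU conflict Sean describes, can both be checked directly in the registry. The PowerShell below is an added example, not code from the thread or any participant: the first function reads the UAC values those security options write under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and compares them with the values the GPO is meant to set (ConsentPromptBehaviorAdmin = 0 for "Elevate without prompting", EnableInstallerDetection = 1, EnableLUA = 1 for "Run all administrators in Admin Approval Mode"; EnableLUA is the master UAC switch, so a value of 1 keeps UAC enabled in the GUI). The second function takes a policy path relative to the hive root and reports values that are set differently under HKLM and HKCU. The Explorer policy path used in the usage line is only an illustration.

```powershell
# Added example (not from the thread): audit the UAC values a GPO writes and
# look for the same policy value set differently in HKLM and HKCU.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# What the "Disable UAC" GPO in the thread is configured to set
$expectedUac = @{
    # "Behavior of the elevation prompt for administrators": 0 = Elevate without prompting
    # (5 = Prompt for consent for non-Windows binaries is the Windows default)
    ConsentPromptBehaviorAdmin = 0
    # "Detect application installations and prompt for elevation": 1 = Enabled
    EnableInstallerDetection   = 1
    # "Run all administrators in Admin Approval Mode": 1 = Enabled. This is the
    # master UAC switch; with it set to 1 the UAC GUI reports UAC as on.
    EnableLUA                  = 1
}

function Get-UacState {
    param([string]$Path = $uacKey, [hashtable]$Expected = $expectedUac)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $props.$name
        $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Value    = $name
            Expected = $Expected[$name]
            Actual   = $shown
            Matches  = ($actual -eq $Expected[$name])
        }
    }
}

# Report policy values present in both hives with different data. Registry
# provider bookkeeping properties (PSPath, PSDrive, ...) are skipped.
function Compare-PolicyHives {
    param([Parameter(Mandatory)][string]$RelativePath)   # e.g. 'Software\Policies\Microsoft\Windows\Explorer'
    $machine = "HKLM:\$RelativePath"
    $user    = "HKCU:\$RelativePath"
    $m = if (Test-Path $machine) { Get-ItemProperty -Path $machine } else { $null }
    $u = if (Test-Path $user)    { Get-ItemProperty -Path $user }    else { $null }
    if (-not $m -or -not $u) { return }   # a conflict needs both hives populated

    $names = @()
    foreach ($obj in @($m, $u)) {
        $names += ($obj.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    }
    foreach ($name in ($names | Sort-Object -Unique)) {
        $mv = $m.$name
        $uv = $u.$name
        if ($null -ne $mv -and $null -ne $uv -and $mv -ne $uv) {
            [pscustomobject]@{ Path = $RelativePath; Value = $name; HKLM = $mv; HKCU = $uv }
        }
    }
}

# Usage
Get-UacState | Format-Table -AutoSize
Compare-PolicyHives -RelativePath 'Software\Policies\Microsoft\Windows\Explorer' | Format-Table -AutoSize
```

To see which GPOs actually applied in the LSDOU order (and which one won for a given setting), pair this with `gpresult /h report.html` on the affected machine after a `gpupdate /force`; comparing that report with the registry audit shows whether a local setting is being overridden at the site, domain or OU level.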
In the step-by-step guide (https://technet.microsoft.com/en-us/library/cc709691.aspx) under "What is User Account Control" and end of the fourth paragraph, there is a little blurb:

Standard users cannot perform these tasks and they can only install per-user software.

What is per-user software?  Isn't all software for all users on the pc?

In my first example, a standard user was able to uninstall Adobe Reader.
Per-user just refers to software that puts its registry entries under HKCU\Software (as opposed to HKLM\Software). Software that installs with settings stored in HKCU may be available for all users to run, but preferences and other registry-based settings will be different for each user (i.e. whoever the current user is will have his own settings in the registry). I'm not sure where Adobe Reader puts its settings, but most newer software favors HKCU.