explain to me how to make XP workstation secure from staff installing software?


  • explain to me how to make XP workstation secure from staff installing software?

    One of the reasons for our recent upgrade to a SBS2008 server was an improvement on centralized management. The PCs that were upgraded to Windows 7 are secure...users can install nothing, but XP machines are another story.

    If you use the http://connect feature users are installed as either (admin) or standard...and standard can still install software. If I install users the traditional way through the wizard in windows and assign them as USERS they can still install software!

    How am I supposed to keep staff that share PCs from doing the "wrong" thing if I cannot even limit what they can and cannot install?

    Can someone explain to me the logic here, what I am doing wrong and what the true way is to lock all non-admin users out of a client from downloading and installing crap?

    Thanks.

    Shawn

  • #2
    Re: explain to me how to make XP workstation secure from staff installing software?

    Originally posted by carboncow
    the true way to lock all non-admin users out of a client from downloading and installing crap?
    What you got is a people management problem. As such, you really cannot solve it by technical measures. People will find ways around limits.

    Chat up with your boss. Outline the reasons you do wish to deny software installation by users. Then write an acceptable user policy and let the users be aware of it. Poll workstation software installs every now and then. If unauthorized software installs are found, let HR people sort it out.

    Oh yeah, ask the users why they wish to install app-such-and-such. Maybe they have a valid business reason. Maybe they are not aware there is already an approved solution available.

    -vP



    • #3
      Re: explain to me how to make XP workstation secure from staff installing software?

      Couldn't agree more with the above: there are no technical solutions to managerial problems!
      However, see as long ago as 2006, people were questioning the wisdom of giving everyone admin rights over their computer http://msmvps.com/blogs/bradley/arch.../14/94986.aspx
      Today with phishing and other malware sites it is even more important to only give the absolute minimum rights to get the work done: VISTA/WIN7 and UAC (User Access Control) help in this respect.
      Last edited by teiger; 13th September 2010, 10:19. Reason: typo
      TIA

      Steven Teiger [SBS-MVP(2003-2009)]
      http://www.wintra.co.il/
      I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

      We don't stop playing because we grow old, we grow old because we stop playing.



      • #4
        Re: explain to me how to make XP workstation secure from staff installing software?

        This report from BeyondTrust is well worth a read. There are figures for exactly how many vulnerabilities you can mitigate against by not having users be local admins. It's useful to be able to present that sort of data to management when justifying your request.

        Sadly, when it comes to user behavioural issues, stick always beats carrot. Unless you get management/HR on board and willing to take action against people in violation of the policies, you will always have problems.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog



        • #5
          Re: explain to me how to make XP workstation secure from staff installing software?

          To stop users installing software on a Windows XP machine, just use GPOs to remove write permissions to the C drive (excluding temp folders and databases).

          You could also make the registry reload on boot, so the users can install what they want, but on a boot, the computer is reset to standard. RAMBO was one application that used to do this.

          There are hundreds of ways to make it so a user cannot install anything on the workstation; it's just a matter of picking one. I would highly recommend Group Policy as it allows for simple central management.

          http://technet.microsoft.com/en-us/l.../bb742376.aspx <-- MS GPO "step by step"
          http://www.theeldergeek.com/group_po...ws_xp_prof.htm <-- The Elder Geek guide
          http://forums.techarena.in/small-bus...ver/745800.htm <-- Basically asks this same question.

          GPOs are rather simple to set up once you get the hang of them; just do all your testing on a virtual server, or if that's not an option, at the very least on a test user group.

          Also, I am not seeing how this is a management problem. It's the security staff's job to make sure the doors to the building are locked; it's the IT staff's job to make sure the computers are locked.

          Locking an XP machine so that users cannot install programs is a long process, but rather simple, and is just a matter of picking the correct GPOs.
          Good to be back....



          • #6
            Re: explain to me how to make XP workstation secure from staff installing software?

            Originally posted by Wofen
            Also, I am not seeing how this is a management problem. It's the security staff's job to make sure the doors to the building are locked; it's the IT staff's job to make sure the computers are locked.
            Determined users will find ways around things, a notable example is proxy bypass websites which users will use to access social networking websites. If there are no policies and procedures in place then IT can do nothing, as it is a management responsibility to deal with users' behaviour.

            This is especially an issue where users have previously been allowed to do whatever they like. Telling them actually, no you can't do that, always leads to issues. A security policy is of little use if it is not adhered to and enforced.
            Last edited by Ossian; 14th September 2010, 13:50.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog



            • #7
              Re: explain to me how to make XP workstation secure from staff installing software?

              Originally posted by cruachan
              Determined users will find ways around things, a notable example is proxy bypass websites which users will use to access social networking websites. If there are no policies and procedures in place then IT can do nothing, as it is a management responsibility to deal with users' behaviour.

              This is especially an issue where users have previously been allowed to do whatever they like. Telling them actually, no you can't do that, always leads to issues. A security policy is of little use if it is not adhered to and enforced.
              True, you will never stop determined users... Same as you will never stop a hacker; does that mean you do not try?

              Do you have a firewall? How about AV? It's the same as user restrictions.

              You can block access to all known proxy websites via most net nanny type software.
              You can restrict access to IE options, then set proxy servers via GPO to a monitored proxy server.

              You can remove access to the C drive completely, then only give the staff a network share that cannot run executables.

              It's honestly amazed me that IT admins are saying that you can't stop people installing software on a Windows XP machine. I really hope this is a joke that I am not getting the punchline of.

              Let's fire all the police officers and just let the lawyers deal with everyone .... (basically what you are saying to do).

              The only policy you need is a policy to fire someone if found trying to bypass security. It's like a fence: you put it there, tell everyone to stay inside, or they will be fired. But not putting a fence up, and then telling everyone they will be fired if they leave that area, is a little silly.

              http://lmgtfy.com/?q=User+restrictions+using+GPO (the first 3 results will answer different parts of your question)

              Wofen

              PS: I would like to hear the conversation with your CEO when you told him you cannot lock down a workstation. Must have a tongue of gold if you were not fired on the spot.
              Last edited by Wofen; 15th September 2010, 03:52.
              Good to be back....



              • #8
                Re: explain to me how to make XP workstation secure from staff installing software?

                You might want to start looking at these docs for info on securing your workstations

                http://www.nsa.gov/ia/guidance/secur...html#microsoft



                • #9
                  Re: explain to me how to make XP workstation secure from staff installing software?

                  Moved to XP forum
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **



                  • #10
                    Re: explain to me how to make XP workstation secure from staff installing software?

                    Originally posted by Wofen
                    True, you will never stop determined users... Same as you will never stop a hacker; does that mean you do not try?
                    <snip>
                    PS: I would like to hear the conversation with your CEO when you told him you cannot lock down a workstation. Must have a tongue of gold if you were not fired on the spot.
                    Both technical and behavioural checks are required and I never said otherwise. No AV product, firewall or web proxy is infallible, and there are plenty of applications that will install without requiring local admin rights.

                    Carrying on with the proxy bypass scenario as an example, imagine a user spends all day on Facebook or Twitter and their boss asks you to stop this. You block the websites, but they find a proxy bypass website. You block that, but another springs up (as is very common with proxy bypass websites).

                    Do you carry on the game of cat and mouse, because you have nothing better to do? Or do you consult with HR and your acceptable use policy, find that this user is in breach, get them a slap on the wrist and get on with your other work?
                    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                    Cruachan's Blog



                    • #11
                      Re: explain to me how to make XP workstation secure from staff installing software?

                      Originally posted by Wofen
                      It's honestly amazed me that IT admins are saying that you can't stop people installing software on a Windows XP machine. --- The only policy you need is a policy to fire someone if found trying to bypass security.
                      Firing employees might or might not be possible, it depends on your jurisdiction. Instead of harsh penalties, one should increase the chance to catch rule-breakers. When users are aware that any unauthorized applications are automatically detected, they are usually not too eager to install crap.

                      Having antivirus and firewall does give one defense in depth. But for most of the cases, users do not intend to install malicious software. What they intend to do is to install that fancy dancing bear screen saver. Come on, it was supposed to be just a funny thing, right? In most of the cases, users are tricked into installing malware - and in those cases a FW or AV can save your day.

                      Maintaining a highly locked down WinXP install base is possible, but it sure is a pain in the ass. Think in-house developers. Restricting developers' accounts as ordinary user accounts breaks stuff like Visual Studio. Think big bosses in the organizations who demand iTunes or whatever app is popular to sync the most recent techno toy.

                      I would like to hear the conversation with your CEO when you told him you cannot lock down a workstation.
                      Been there, done that. Except: s/can/should/g. Funny thing that, the brass were more interested in codes of conduct and whatnot.

                      -vP
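
                      One way to do the periodic poll of workstation installs that posts #2 and #11 describe, as an added example that is not part of any post in this thread. It assumes PowerShell 2.0 is installed on the XP client and the script runs with admin rights; the `$Approved` list is a constructed sample and the function names are hypothetical.

                      ```powershell
                      # Added example (not from the thread). PowerShell 2.0 compatible.
                      # $Approved is a constructed sample allowlist of DisplayName wildcards.
                      $Approved = @('Microsoft Office*', 'Adobe Reader*',
                                    'Security Update for*', 'Hotfix for*', 'Update for*')

                      function Get-UninstallEntry {
                          param([string]$Root, [string]$Scope)
                          $path = "$Root\Software\Microsoft\Windows\CurrentVersion\Uninstall"
                          if (-not (Test-Path $path)) { return }
                          Get-ChildItem $path | ForEach-Object {
                              $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
                              if ($p.DisplayName) {
                                  New-Object PSObject -Property @{
                                      Computer = $env:COMPUTERNAME
                                      Scope    = $Scope
                                      Name     = $p.DisplayName
                                      Version  = $p.DisplayVersion
                                      Location = $p.InstallLocation
                                  }
                              }
                          }
                      }

                      function Test-Approved {
                          param([string]$Name, [string[]]$Patterns)
                          foreach ($pattern in $Patterns) {
                              if ($Name -like $pattern) { return $true }
                          }
                          return $false
                      }

                      function Resolve-Sid {
                          param([string]$Sid)
                          try {
                              $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
                              $id.Translate([System.Security.Principal.NTAccount]).Value
                          } catch { $Sid }   # orphaned profile: keep the raw SID
                      }

                      # Machine-wide installs (writing here normally needs admin rights).
                      $entries = @(Get-UninstallEntry 'HKLM:' 'Machine')

                      # Per-user installs: hives of logged-on users are loaded under HKEY_USERS.
                      Get-ChildItem 'Registry::HKEY_USERS' |
                          Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
                          ForEach-Object {
                              $who  = Resolve-Sid $_.PSChildName
                              $root = "Registry::HKEY_USERS\$($_.PSChildName)"
                              $entries += @(Get-UninstallEntry $root "User:$who")
                          }

                      # Everything that matches no approved pattern is reported.
                      $entries | Where-Object { -not (Test-Approved $_.Name $Approved) } |
                          Sort-Object Scope, Name |
                          Select-Object Computer, Scope, Name, Version, Location
                      ```

                      Rows with a `User:` scope are installs registered in a user's own hive, which a standard user can create without admin rights. Programs that run from a profile folder without registering an uninstall entry do not appear here.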



                      • #12
                        Re: explain to me how to make XP workstation secure from staff installing software?

                        Originally posted by cruachan
                        Both technical and behavioural checks are required and I never said otherwise. No AV product, firewall or web proxy is infallible, and there are plenty of applications that will install without requiring local admin rights.

                        Carrying on with the proxy bypass scenario as an example, imagine a user spends all day on Facebook or Twitter and their boss asks you to stop this. You block the websites, but they find a proxy bypass website. You block that, but another springs up (as is very common with proxy bypass websites).

                        Do you carry on the game of cat and mouse, because you have nothing better to do? Or do you consult with HR and your acceptable use policy, find that this user is in breach, get them a slap on the wrist and get on with your other work?
                        Ummm, actually I would see that they are on a proxy bypass website, then Remote Assistance to their computer and take a screenshot, but this is me. Otherwise I would expect the admin to monitor the proxy software and watch for people who are spending large amounts of time on a proxy server (or more importantly with IE/FF running, and them NOT on my proxy server).
                        As far as I see it, going to the CEO to complain about someone without evidence is a good way to get yourself sued for slander. Without evidence, it's your word against theirs, and without evidence, it's an illegal claim. If that person was to get fired you could be sued in excess of 10 million USD (the most you can receive for unfair dismissal).

                        By the way you were talking I was taking it as a "Don't bother with restrictions, just use punishment". If this is not the case, I apologise as I have mistaken what you meant. But from what I can see you are using the same logic as punishing kids for finding porn on the internet when the admin has done nothing to stop them.

                        I would say 3 changes will stop 99% of users installing software.
                        1) Remove access to the C drive; if access is needed, create a temp folder that is cleared every log off.
                        2) Remove all rights to edit the registry. This is simple, but most often forgotten.
                        3) Standard GPO restrictions (Software White)

                        Sure, a user could change the SRP and modify the calls to the executable... but if they are doing that, they should be the IT admin.

                        Now, there is part of the problem that is management based: that's getting the OK to be allowed to do all this. But I have yet to find a CEO that complains when you can show proof that the staff have been wasting X hours a day.

                        Also, if you get any problems from your CEO, remind him of the legal reasons we do this. If a staff member is trafficking illegal media over your network, YOU (as head of the network) are responsible to an extent. If your network is being used as a spam haven, YOU are responsible. If your network is found to be trafficking illegal government documents, you are the one put in jail unless you can prove who did it.

                        Think about how many lawsuits there have been because someone sent something stupid to a co-worker. Most of these can be avoided by some simple network and permission planning.

                        Wofen

                        PS: I apologise for my English in advance; my spelling is never good and worse with a hole in my tooth.
                        Good to be back....
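
                        A check that the software restriction policy from step 3 of post #12 is actually a default-deny whitelist, as an added example that is not part of any post in this thread. It reads the registry location where Windows stores machine-level Software Restriction Policies; the function name and the list of user-writable path markers are assumptions.

                        ```powershell
                        # Added example (not from the thread): is machine-level SRP a whitelist?
                        $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
                        # Assumed markers of locations a standard XP user can write to; extend
                        # this with the temp folder created for step 1.
                        $writable = '%USERPROFILE%|%APPDATA%|%TEMP%|%TMP%|Documents and Settings'
                        $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

                        function Get-SrpFinding {
                            if (-not (Test-Path $base)) {
                                return 'No machine SRP policy: nothing restricts what users can run.'
                            }
                            $ci = Get-ItemProperty $base
                            # DefaultLevel: 0 = Disallowed (whitelist), 0x40000 = Unrestricted.
                            if ($ci.DefaultLevel -ne 0) {
                                'Default level is not Disallowed: only listed programs are blocked.'
                            }
                            # TransparentEnabled: 0 = off, 1 = all files except DLLs, 2 = all files.
                            if ($ci.TransparentEnabled -eq 0) {
                                'Enforcement is switched off (TransparentEnabled = 0).'
                            }
                            # PolicyScope: 0 = all users, 1 = everyone except local administrators.
                            if ($ci.PolicyScope -eq 1) {
                                'Local administrators are exempt: check who is in that group.'
                            }
                            # Unrestricted (allow) path rules are stored under level 262144 (0x40000).
                            $rules = "$base\262144\Paths"
                            if (Test-Path $rules) {
                                Get-ChildItem $rules | ForEach-Object {
                                    # Read the raw rule so %VARIABLES% are not expanded for this user.
                                    $path = $_.GetValue('ItemData', '', $noExpand)
                                    if ($path -match $writable) {
                                        "Allow rule covers a user-writable location: $path"
                                    }
                                }
                            }
                        }

                        $findings = @(Get-SrpFinding)
                        if ($findings.Count -eq 0) {
                            'SRP is default-deny with no user-writable allow rules.'
                        } else { $findings }
                        ```

                        An allow rule over a folder users can write to undoes the whitelist, because anything copied there is then permitted to run. Policies applied per user live under the same key path in each user's hive and are not covered by this check.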



                        • #13
                          Re: explain to me how to make XP workstation secure from staff installing software?

                          If you really want to maintain a secure XP workstation, use Deep Freeze, a pain in the ass program to anyone other than the person who installed it on the workstation. With all this security, it is the admin who installs Deep Freeze who must set their own times when it can update and also set what programs are to be normally used and saved on the desktop without being deleted after every shutdown and startup. Basically everything that was not set up initially post activation, everything thereafter does get uninstalled and deleted, reverting to your own original setup, taking care of your security problem. This program also works really well with viruses, malware, spyware etc....... and yes, even your staff.



                          • #14
                            Re: explain to me how to make XP workstation secure from staff installing software?

                            Originally posted by Wofen
                            By the way you were talking I was taking it as a "Don't bother with restrictions, just use punishment". If this is not the case, I apologise as I have mistaken what you meant. But from what I can see you are using the same logic as punishing kids for finding porn on the internet when the admin has done nothing to stop them.
                            As I see it you have to have both, using your earlier analogy the IT staff are the police and management/HR the Courts. You can't necessarily block everything, so you need the stick to beat users with when something does slip through.
                            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                            Cruachan's Blog
