Full security with GPO

  • Full security with GPO

    Hi,

    I need to deploy one system at a bank ATM center. We are using Windows 2003 Server. Active Directory is implemented. Now I need settings on one client system as below, as I need to install it for public use in a bank.

    1. The user cannot click on the Start button. If clicked, nothing should happen, or even if the user clicks, the user cannot go further, e.g. Programs, Control Panel, Run, etc.

    2. The user can only open the bank's own web site and check his/her balance. The user should not be able to surf any site.

    3. The user cannot use other icons on the desktop, e.g. My Doc, My Computer, and cannot even use right-click functions ...

    So how can I establish all these settings with GPO?

    Kathy

  • #2
    Re: Full security with GPO

    I wouldn't add this to AD at all. Too risky.

    If it just needs internet access to the bank's www then make sure it is firewalled for port 80 just to the public IP of the site (plus links etc. if required).
    You would probably be better with something like *nix etc. as, for a web browser only stance, I'm sure it can be locked down better. The *nix guys (geeks) may have input on this though.
    cheers
    Andy

    Quis custodiet ipsos custodes?



    • #3
      Re: Full security with GPO

      Hi,

      Can anyone elaborate on this task in easy steps ...

      Kathy



      • #4
        Re: Full security with GPO

        Under the circumstances (bank systems etc) I think you would be best to hire a consultant with adequate indemnity insurance in case they muck things up.
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Full security with GPO

          Hi,

          If someone can tell me at least how to lock all sites except one, that will also be a good help for this system. How to block via GPO and without GPO. Even if that system is in a domain or without a domain.

          kathy



          • #6
            Re: Full security with GPO

            Hi,

            Can anyone tell me how to deploy this task via ISA 2000?

            Kathy



            • #7
              Re: Full security with GPO

              When are you finally going to upgrade to the latest ISA server?
              You know, ISA 2004 and 2006 are already released and TMG is coming.
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"



              • #8
                Re: Full security with GPO

                Hi,

                Thanks!! I am ready to upgrade it to ISA 2004 or ISA 2006, but can someone tell me whether this scenario is possible or not and what steps I need to take for this ...

                Please help ...

                kathy



                • #9
                  Re: Full security with GPO

                  Yes it is possible, but as Ossian has rightly pointed out, this is something an experienced consultant should be carrying out.
                  Gareth Howells

                  BSc (Hons), MBCS, MCP, MCDST, ICCE

                  Any advice is given in good faith and without warranty.

                  Please give reputation points if somebody has helped you.

                  "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                  "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



                  • #10
                    Re: Full security with GPO

                    In GP, check out these locations:
                    user conf -> admin temp -> Control Panel
                    user conf -> admin temp -> Start Menu
                    user conf -> admin temp -> System -> Ctrl + Alt + Delete Options
                    user conf -> admin temp -> Desktop
                    user conf -> admin temp -> Windows Components -> Internet Explorer

                    For website restriction and filtering, go for a firewall such as ISA or Cisco ASA or PIX.
                    M3HDX
                    ---------------
                    MCSA/MCSE/MCTS
                    Security+



                    • #11
                      Re: Full security with GPO

                      Hi, u should really listen to what these guys say, but for your own knowledge i'll let u know my findings.

                      First I created a new OU called Bank. And added a user called bank.
                      Then I created and linked the following gpo(s).

                      user configuration>administrative templates> system > custom > custom network interface.
                      Set that to enable and put the following:
                      C:\Program Files\Internet Explorer\IEXPLORE.EXE -k

                      user configuration> administrative templates> system>Prevent access to the command prompt>enable

                      user configuration>administrative templates> system >ctrl+alt+del options
                      remove task manager >enable
                      remove lock computer > enable
                      remove change password >enable

                      user configuration>administrative templates>windows components>windows explorer>prevent access to drives from my computer, set to enable and choose deny all.

                      User Configuration> Administrative Templates>Windows Components>Internet Explorer>browser menus

                      Enable the following:
                      file menu: disable new menu option
                      file menu: disable open menu option

                      and another
                      user configuration> windows settings> internet explorer maintenance> url's > important url's
                      and put the home page there, for testing http://www.bankhomepage.com or something.

                      Things should be pretty secure from that config. next you need to configure ur isa server to only allow the url's ur like.
                      for your specific user, or user group.

                      I used the below url to configure my isa 2004 server. maybe isa 2000 is similar.
                      Scenario 2: Limiting a Group of Users to a Collection of Sites
                      http://www.isaserver.org/articles/20...nnamesets.html

                      Worked fine for me.

                      Edit: could also disable the spooler service so that no one can print.
                      Last edited by uk_network; 11th October 2008, 13:58.
                      Please remember to award reputation points if you have received good advice.
                      I do tend to think 'outside the box' so others may not always share the same views.

                      MCITP -W7,
                      MCSA+Messaging, CCENT, ICND2 slowly getting around to.
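
A way to check that the client-side settings listed in post #11 actually reached the kiosk account, added here as an example and not code from any poster in this thread. It reads the registry values that these Administrative Templates policies are documented to write under HKCU (the shell replacement is the System-node policy named "Custom user interface"); `Test-KioskPolicy` and the variable names are made up for this example, and PowerShell 2.0 or later running as the kiosk account is assumed.

```powershell
# Added audit example (not from the thread). Run as the kiosk account: it reads HKCU.
$sys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$expl = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$cmd  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$ie   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'

# One rule per policy from post #11: key, value name, acceptable data.
$rules = @(
    @{ Setting = 'Custom shell (IE in kiosk mode)'; Path = $sys; Name = 'Shell'
       Allowed = @('C:\Program Files\Internet Explorer\IEXPLORE.EXE -k') },
    # DisableCMD: 1 also blocks batch scripts, 2 blocks only the interactive prompt.
    @{ Setting = 'Prevent access to the command prompt'; Path = $cmd; Name = 'DisableCMD'; Allowed = @(1, 2) },
    @{ Setting = 'Remove Task Manager';    Path = $sys; Name = 'DisableTaskMgr';         Allowed = @(1) },
    @{ Setting = 'Remove Lock Computer';   Path = $sys; Name = 'DisableLockWorkstation'; Allowed = @(1) },
    @{ Setting = 'Remove Change Password'; Path = $sys; Name = 'DisableChangePassword';  Allowed = @(1) },
    # 0x03FFFFFF sets one bit per drive letter A-Z, i.e. all drives restricted.
    @{ Setting = 'Prevent access to drives'; Path = $expl; Name = 'NoViewOnDrive'; Allowed = @(0x03FFFFFF) },
    @{ Setting = 'IE File menu: New disabled';  Path = $ie; Name = 'NoFileNew';  Allowed = @(1) },
    @{ Setting = 'IE File menu: Open disabled'; Path = $ie; Name = 'NoFileOpen'; Allowed = @(1) }
)

function Test-KioskPolicy {
    param([object[]]$Rules)
    foreach ($rule in $Rules) {
        # A missing key or value yields no object, which is reported as non-compliant.
        $item   = Get-ItemProperty -Path $rule.Path -Name $rule.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($rule.Name) } else { $null }
        New-Object PSObject -Property @{
            Setting   = $rule.Setting
            Value     = $rule.Name
            Actual    = $actual
            Compliant = ($rule.Allowed -contains $actual)
        }
    }
}

$results = @(Test-KioskPolicy -Rules $rules)
$results | Format-Table Setting, Value, Actual, Compliant -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) kiosk policy setting(s) missing or not as expected"
}
```

This covers only the client-side policies; the restriction to the bank's site is enforced on the ISA server or firewall and has to be tested from the network side.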



                      • #12
                        Re: Full security with GPO

                        No mention of removing the taskbar / Start Menu? No mention of replacing the shell with IE instead of Explorer? No mention of mandatory profiles? Restricting removable media? Restricting winkey combinations?
                        Gareth Howells

                        BSc (Hons), MBCS, MCP, MCDST, ICCE




                        • #13
                          Re: Full security with GPO

                          Originally posted by gforceindustries:
                          No mention of removing the taskbar / Start Menu? No mention of replacing the shell with IE instead of Explorer? No mention of mandatory profiles? Restricting removable media? Restricting winkey combinations?

                          the first gpo doesn't even let explorer run at all so NO start menu and NO taskbar. ONLY allows internet explorer to run.
                          Mandatory profiles are irrelevant cos the user has absolutely no access to anything.
                          there is a policy that restricts access to all drives from my computer (removable media falls under this section)
                          With those gpo's the user is severely restricted and can't do anything other than visit the websites allowed.
                          I've tested the winkey combinations and all are restricted by administrator.
                          Last edited by uk_network; 11th October 2008, 18:10.
