Best Practices for Security on Domain PCs?

  • Best Practices for Security on Domain PCs?

    Hi, I'm the network administrator for a school district. A few weeks ago, one of our admin staff got a virus on their PC and that virus somehow stole the user's passwords and they had passwords to the school's bank site. Well, the "hacker" used that info to attempt to steal $600,000 from the school.

    After this happened, the bank hired a security company to come to the school and scan the network for problems. One problem they saw is I make everyone local administrators of their machines. I use group policy to lock down the PCs so they can't change their PC. But, if I don't give them local administrator rights, then every time they go to a site that needs a plugin, they'll get denied and the class won't be able to continue.

    My previous job, I was told to just add domain users to the local administrators. Here I've done that since I started. Now, I'm told it's wrong.

    I need a 100% iron clad outline of exactly how to build a domain PC that is built to best practices, yet users can actually work on them. Are there any best practice guides like that? Our labs don't have anything special in them. Just Internet Explorer and Office.

  • #2
    Re: Best Practices for Security on Domain PCs?

    What OS version?
    What domain level?

    IMHO, given the attack you have suffered, consider
    a) more training for yourself
    b) a good security consultant to lock things down
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Best Practices for Security on Domain PCs?

      To allow installation rights to non local admins (i.e. create a custom group on your AD or utilize Power Users)

      Granting Power Users the SeLoadDriverPrivilege can be done through group policy in the following setting:

      Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Load and Unload Device drivers
      - Granting i.e. Power Users or Domain Users full control to the "c:\windows\downloaded program files" folder
      - Granting Power Users full control to the "HKLM\Software\Microsoft\Code Store Database" registry key.

      Though it would be better to find out which users regularly need ActiveX install updates, and set them in that group. Other users might not require this as much, so keep control to the IT guys, and don't give it to them.

      The above presumes you have Windows XP clients, and a Server 2003 or 2008 environment. As Ossian stated, more info would be better.
      Last edited by Dutch; 16th October 2012, 01:29.


      • #4
        Re: Best Practices for Security on Domain PCs?

        Personally I'd lock everything down, and periodically deploy the ActiveX as updates come out. Most common plugins like Flash can be downloaded as an MSI for GPO deployment. In a school environment there's no way I'd allow any users to do things themselves.

        I have to ask why your consultant isn't giving solutions, just reporting problems. I'd expect any competent security professional to at least provide recommended solutions to the issues he found, not least because he'll want to quote for the work to put things right.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog
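
Added example, not part of any post in this thread: an audit for the finding described in the first post, where broad groups such as Domain Users sit in the local Administrators group of each PC. The function names and the list of principals treated as too broad are assumptions of this example; it reads membership through the ADSI WinNT provider and assumes the group carries its English name.

```powershell
# Added example (hypothetical function names). Flags broad principals that are
# members of the local Administrators group on one or more computers.

function Get-BroadSidLabel {
    param([string]$Sid)
    # Well-known SIDs; the choice of what counts as "too broad" is this example's.
    $wellKnown = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    if ($wellKnown.ContainsKey($Sid)) { return $wellKnown[$Sid] }
    # Domain Users is always <domain SID>-513, whatever the domain is called.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'Domain Users' }
    return $null
}

function Get-BroadLocalAdmin {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($computer in $ComputerName) {
        try {
            # 'Administrators' is the English group name; localized builds differ.
            $group   = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($group.psbase.Invoke('Members'))
        } catch {
            Write-Warning "${computer}: cannot read local Administrators: $($_.Exception.Message)"
            continue
        }
        foreach ($member in $members) {
            $type  = $member.GetType()
            $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
            $path  = $type.InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
            $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
            $label = Get-BroadSidLabel $sid
            if ($label) {
                # One result row per offending membership.
                New-Object PSObject -Property @{
                    Computer = $computer; Member = $path; Sid = $sid; Reason = $label
                }
            }
        }
    }
}

# Usage: audit the local machine; pass -ComputerName with lab PC names to sweep a room.
Get-BroadLocalAdmin | Format-Table Computer, Reason, Member, Sid -AutoSize
```

Matching on SIDs rather than names means a renamed or nested group is still caught, and an empty result means none of the listed broad principals is a direct member.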