Locking down computers

Locking down computers

Post by CJC » Sat, 07 Jan 2006 00:14:34

Hi there,

This may be too much of a simple question for this board (well, I hope
it is easy anyway), but at work we're looking at clamping down on our
PCs and want the following:

- Stop users using Messenger
- Stop users installing programs themselves.

In theory this does not sound hard, but here is the sticking point. We
have to allow users admin privileges on the computer (not the network),
because an important program we use requires admin privileges.

Plus our Active Directory is on a Windows 2000 server, which means
most of the good options which 2003 has we do not have (like disabling

I have looked on the net, but probably missed all the good sites. I
was hoping to find a solution within Active Directory, or maybe a
script to stop it.

The main reason for wanting to do it centrally is so that I do not have
to go round to every PC and disable certain things.

In case it helps, the PCs' platform is XP Professional.

Any help would be much appreciated.

Many thanks

Locking down computers

Post by comphel » Sat, 07 Jan 2006 01:50:56

"CJC" < XXXX@XXXXX.COM > writes:

If it's an off the shelf program...what is it?

It does.

Have you looked into group policies?

Todd H.


Locking down computers

Post by CJC » Sat, 07 Jan 2006 01:59:05

Hi there thanks for your reply.

It is an in-house application which cannot be altered.

I've looked into group policies on local machines and there is a way
to disable Messenger, but we can't go round every PC doing an alteration
on each. But then this way to stop it is not available in Server 2000,
only 2003.

Many thanks for your help.

Locking down computers

Post by comphel » Sat, 07 Jan 2006 02:11:10

"CJC" < XXXX@XXXXX.COM > writes:

Oy. That's a bummer.

I see. I didn't help much, but I am interested in replies to your
question. Messenger is a PITA indeed.

Todd H.

Locking down computers

Post by Frankste » Sat, 07 Jan 2006 02:18:59

Okay, I'm gonna type in caps, not because I'm yelling but because it is
so important.

EVERY NETWORK MUST HAVE A --WRITTEN-- (and signed by the employee) SECURITY

There are many approaches to network security, network use, and preventing
abuse. ONE is the written policy. ANOTHER is the technical enforcement of
that written policy WHEN POSSIBLE. If technical enforcement is not
possible, you enforce the WRITTEN POLICY of user CONDUCT (to which he as

We trust employees with much more expensive things than using the messenger
service (usually). Let them take on this burden. They are paid to deal with
it. They can handle it. Or... they know the alternative (if you have a
written policy!).


Locking down computers

Post by CJC » Sat, 07 Jan 2006 02:34:22

Thanks for the last two responses.

I am new to this company and if I had my way we would be much stricter.
But they have had a more relaxed attitude. I believe they have a
policy which is signed when new people start, but it looks as
though it's not really taken too seriously.

The reason why we need to stop Messenger is that management is fed
up with seeing it constantly on.

Secondly, we need to stop people installing things: due to the industry
we are in they have to use the internet a lot, and they seem to download
things from the net often.

The policy is a good idea; maybe we should get everyone to sign an
extension to show we are more serious.

I am actually working on a message to appear when they log in saying
what is and is not allowed, and by logging in they agree to it. So then
if we see anything we can moan at them.

Many thanks again, guys.

Locking down computers

Post by xpytt » Sat, 07 Jan 2006 04:02:45

The updated policy is a must, but you need to get that app fixed, too.

Take a look at the Internet Storm Center's time to live numbers. Figure
out what a worm would cost you if it shut down your company's PCs, and how
likely that is. If not business loss, at least you are talking a big
productivity hit. Then put together a case to get that app fixed. If folks
are routinely on the Internet, you cannot have them running with admin
privs. That is simply asking for trouble. There is no excuse for users
risking the company's assets that way. I'm sure there will be a lot of push
back, but without some pretty strong action, you are courting disaster.

And when the disaster comes, guess who will get blamed. If you make a
strong case to fix the problem, and it is refused, at least you won't look
like an idiot when the levees break. Managers have every right to decide
that the risk is worth taking, but you have an obligation to inform them of
the risk and the cost of remediation. If they say no, that's fine, at least
you did your job. But if you don't spell it out to them in single syllable
words that managers can understand, you aren't doing what you need to.

In most cases, when an app can't run as a normal user, especially an old
app, it is simply a matter of file protections. Unless the app does
something pretty strange, it should be a pretty simple fix. I'm sure
development feels it has higher (read more fun) priorities, but you need to
get that app fixed.

While you are at it, get something on those PCs that lets you push out login
scripts and policies. If you are going to run a network, you need to have
some ability to influence it.

Messenger, though a PITA, can be a business asset. If folks aren't using it
for business purposes, block it at the firewall. Even if you can't stop
them launching it, they will quit if they can't do anything useful.


Locking down computers

Post by E. » Sat, 07 Jan 2006 05:25:23

Try delivering via logon script.

You could also look into more inelegant solutions such as forcing win
mess to use a fixed port (registry flick via logon script) then blocking
that port(s) at the firewall.

Have you updated the .adm templates?

Personally what I would be doing is installing the problem app on a test
machine and experimenting with a lockdown in which the app will run
properly. Alternatively, you could try running the app in terminal
services/Citrix which would then allow you to set the local PC rights.

Also look at content filtering, esp. with extension/download blocking.
There are a number of content filters, from IPCop running Cop+ to
DansGuardian to hardware-based solutions. If no users can download any
executable code in the first place, it makes it slightly more difficult
to install ;-)

Locking down computers

Post by CJC » Sun, 08 Jan 2006 00:26:44

Thanks for the responses.

XPYTTL: I will ask my manager to speak to the developers to see if
they can fix the software to run with normal user rights, but you
mentioned getting something on the PCs which lets us push out
login scripts and policies. Sorry for not knowing, but what do you
recommend? Is it just a piece of software which needs running on each

Regarding blocking it at the firewall, I believe before I was here
they did try and were unsuccessful, apparently due to Messenger being
able to change the port and web address it is using??

E: I will take a look at the dougknox site shortly. Also you
mentioned getting win mess to use a fixed port. I have never done this and
would not know where to start. Is there any site you recommend? Plus
thanks a lot for the updates for Active Directory; I have been
looking for this with no luck. Going to install them later.
Plus I will also recommend using Terminal Services if we cannot fix

Thanks again guys, really appreciate all your help.

Locking down computers

Post by Unru » Mon, 09 Jan 2006 08:30:25

"CJC" < XXXX@XXXXX.COM > writes:

That is insane. Under Linux I would advise using sudo to run that program,
but I have no idea if Windows has the same kind of thing.
But what is it about the program that requires admin privileges? Are you
sure? Once the person is admin, he cannot be stopped from doing anything.
You are finished.

Put a later version onto that server. Sounds cheaper than you spending days
trying to do the impossible.

Locking down computers

Post by Frankste » Mon, 09 Jan 2006 09:20:21

> That is insane. Under linux I would advise using sudo to run that program,

Just to be clear, it does. That's what the "Runas" command does.
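As an added illustration of the Runas point above (this is not code from any of the posters), here is a small launcher batch file for XP Professional that runs the in-house application under a dedicated local admin account while the interactive user stays a plain User. The account name .\AppAdmin and the path "C:\Program Files\InHouse\app.exe" are assumptions for the example, not details from the thread.

```batch
@echo off
rem app-as-admin.cmd -- added example, not from the original thread.
rem Starts the in-house application under a separate local admin account
rem via runas (the Windows counterpart of sudo), so the person at the
rem keyboard does not need to be an administrator.
rem Assumed names (not from the posts): account .\AppAdmin and the
rem application path below.
setlocal
set APP="C:\Program Files\InHouse\app.exe"
set RUNAS_USER=%COMPUTERNAME%\AppAdmin

rem runas depends on the "Secondary Logon" (seclogon) service, which is
rem started by default on XP Professional; check it if runas reports that
rem the service is unavailable:
rem   sc query seclogon

rem /savecred prompts for the AppAdmin password the first time and caches
rem it in the user's stored credentials, so later launches do not prompt.
rem It is ignored on XP Home Edition; the thread's PCs are XP Professional.
runas /user:%RUNAS_USER% /savecred %APP%
endlocal
```

Two caveats a practitioner should weigh. First, the cached credential is tied to the account, not to this program: the same user can type `runas /user:AppAdmin /savecred cmd.exe` and get an administrative command prompt, so /savecred removes the password prompt without removing the user's ability to run arbitrary code as admin (which is Unruh's objection). Second, the application now runs with AppAdmin's profile and HKEY_CURRENT_USER, so any per-user settings it keeps must be made under that account. If the program only needs admin rights to write into its own install folder, the "file protections" fix xpyttl describes is cleaner: grant Users change rights on just that folder with a command such as `cacls "C:\Program Files\InHouse" /E /T /G Users:C` and leave everyone a normal user.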


Locking down computers

Post by CJC » Tue, 10 Jan 2006 20:31:45

Hi guys,

Got Messenger to stop working. What I did was open up MMC on my
computer, add the Group Policy Object Editor snap-in and link up
the organisational unit within Active Directory. What this then
allowed me to do was disable the Messenger options. Only snag is
that I now can only update the policy via an XP computer and not the
server, as if I do it on the server I get loads of error messages.

Now I have got the XP group policy options. Does anyone know of a way
to stop other executables being run by users?

Thanks Unrah and Frankster for your messages also; I will try and look
into the Runas command later. But just to clarify, do you think
somehow I could set something up which says when this program is run,
use admin privileges, or am I getting the wrong end of the stick?

Many thanks for everyone's help on this subject.
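An added example (not from any poster in this thread) covering the last two questions together: what the "disable Messenger" policy CJC set through the XP Group Policy Object Editor actually writes, and how XP's Software Restriction Policies can stop other executables being run. It is written as a computer startup script, which a Windows 2000 domain can assign to XP clients through Computer Configuration > Windows Settings > Scripts (Startup), because startup scripts run as LocalSystem and can write the HKLM policy keys whatever rights the logged-on user has. The registry keys and values are the XP ones; the domain name example.local and the in-house application folder C:\InHouse are assumptions for the example. In a batch file %% is a literal %.

```batch
@echo off
rem lockdown-startup.cmd -- added example, not from the original thread.
rem Computer startup script for XP clients in a Windows 2000 domain.
rem Assumed (not from the posts): domain example.local, app folder C:\InHouse.
setlocal

rem --- 1. Windows Messenger: the value the XP ADM policy
rem        "Do not allow Windows Messenger to be run" writes.
set MSGR=HKLM\SOFTWARE\Policies\Microsoft\Messenger\Client
reg add "%MSGR%" /v PreventRun /t REG_DWORD /d 1 /f
reg add "%MSGR%" /v PreventAutoRun /t REG_DWORD /d 1 /f

rem --- 2. Software Restriction Policies (XP and later): everything is
rem        Disallowed except Unrestricted path rules for trusted locations.
set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
rem DefaultLevel: 0 = Disallowed, 262144 (0x40000) = Unrestricted
reg add "%SAFER%" /v DefaultLevel /t REG_DWORD /d 0 /f
rem TransparentEnabled: 1 = check executables only, 2 = also DLLs (stricter, slower)
reg add "%SAFER%" /v TransparentEnabled /t REG_DWORD /d 1 /f
rem PolicyScope: 0 = all users, 1 = all users except local Administrators.
rem The users in this thread are local admins, so 1 would exempt them.
reg add "%SAFER%" /v PolicyScope /t REG_DWORD /d 0 /f
rem AuthenticodeEnabled: 0 = no certificate rules for ActiveX controls etc.
reg add "%SAFER%" /v AuthenticodeEnabled /t REG_DWORD /d 0 /f
rem File types SRP treats as code (the XP default list; \0 separates entries)
reg add "%SAFER%" /v ExecutableTypes /t REG_MULTI_SZ /d "ADE\0ADP\0BAS\0BAT\0CHM\0CMD\0COM\0CPL\0CRT\0EXE\0HLP\0HTA\0INF\0INS\0ISP\0LNK\0MDB\0MDE\0MSC\0MSI\0MSP\0MST\0OCX\0PCD\0PIF\0REG\0SCR\0SHS\0URL\0VB\0WSC" /f

rem Path rules live under <level>\Paths\<any unique GUID> with ItemData
rem (the path) and SaferFlags (0). The %HKEY_LOCAL_MACHINE\...% forms are
rem registry-path rules resolved on the client; these first two are the
rem rules the Group Policy editor creates by default for Windows and
rem Program Files.
set ALLOW=%SAFER%\262144\Paths
reg add "%ALLOW%\{191cd7fa-f240-4a17-8986-94d480a6c8ca}" /v ItemData /t REG_EXPAND_SZ /d "%%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%%" /f
reg add "%ALLOW%\{191cd7fa-f240-4a17-8986-94d480a6c8ca}" /v SaferFlags /t REG_DWORD /d 0 /f
reg add "%ALLOW%\{d2c34ab2-529a-46b2-b293-fc853fce72ea}" /v ItemData /t REG_EXPAND_SZ /d "%%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%%" /f
reg add "%ALLOW%\{d2c34ab2-529a-46b2-b293-fc853fce72ea}" /v SaferFlags /t REG_DWORD /d 0 /f
rem Logon scripts run as the user from the domain's SysVol share, so that
rem share must be allowed or the policy blocks the scripts that deliver it.
reg add "%ALLOW%\{6d0a4b65-0a5a-4d52-9d7e-0c0f6f3c7b02}" /v ItemData /t REG_EXPAND_SZ /d "\\example.local\SysVol\*" /f
reg add "%ALLOW%\{6d0a4b65-0a5a-4d52-9d7e-0c0f6f3c7b02}" /v SaferFlags /t REG_DWORD /d 0 /f
rem The in-house application, if it is installed outside Program Files.
reg add "%ALLOW%\{8f7e8e4a-3c4c-4a4d-9e3b-2c7a1b9d5f10}" /v ItemData /t REG_EXPAND_SZ /d "C:\InHouse\*" /f
reg add "%ALLOW%\{8f7e8e4a-3c4c-4a4d-9e3b-2c7a1b9d5f10}" /v SaferFlags /t REG_DWORD /d 0 /f
endlocal
```

Try this on a single test PC before linking it to the OU, as E. suggested, and confirm that the in-house application, the logon script and any installers the IT staff rely on still start; a Disallowed default with a missing path rule is the usual way to lock yourself out. The important limitation is the one Unruh raised: while the users remain local administrators, they can copy a download into Program Files (covered by the Unrestricted rule) or simply delete the Safer key, and all this script does is put it back at the next boot. The Messenger setting and the SRP rules are a real barrier only once the application is fixed to run, or wrapped to run, without the user holding admin rights.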