Hosting Provided By

RE: How to block users from installing other apps

From: Sakaba <Sakaba(at)alexandria.cc>
Date: Fri Jul 04 2003 - 10:15:01 EDT

Not that I disagree with what you are saying but I think as a caveat its important to note that there are a number of tools that run off a simple floppy and allow the user to reboot their machine and change the local admin password. Then they simply login as local admin on the machine and add their domain account to the local admin group.

Example: http://home.eunet.no/~pnordahl/ntpasswd/

So don't add D-users to the local admin account but don't be surprised if your more IT aware users do it themselves.

Peace,
sakaba

-----Original Message-----
From: VNV Jeep [mailto:vnvjeep@hotmail.com] Sent: Friday, July 04, 2003 1:07 AM
To: janehan22@yahoo.com
Cc: focus-ms@securityfocus.com
Subject: RE: How to block users from installing other apps

Jane... I would *HIGHLY* recommend you do not add domain users to the local Admin group. Bad bad bad, very bad. I agree with your help desk manager...
you don't want to do this. Yes, it will only cause damage to the local machine, but it could have bigger impacts around your domain...

What can happen?

1.) They can download illegal software & install it.
2.) If you have any software/OS standardization, this will be shot.
3.) They can run & execute viruses, which have the capability to delete

system files in the OS (which they normally can't delete but since they're admin, anything goes).
4.) By running viruses/trojans, and being successfully executed, they have the capability to traverse the network and hit other workstations/servers on
the domain.

5.) They can stop & start services.
6.) They can uninstall standard software you may have on there.
7.) They can make network card property changes...

I could go on & on...

Do you need help?

It's not hard to manipulate permissions for your apps so that these users can run under a restricted user account. You don't need filemon/regmon to do this. (you might in an extremely rare occasion, but have not had to use them yet). What works 99% of the time is this:

1.) Go into the program files\<appname folder> and give local users modify rights.
2.) Go into the HKLM\software\<appname folder> and do the same.

That's it.

Good luck,
Mike

|-----Original Message-----

Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail

--
---------------------------------------------------------------------------
---




-----------------------------------------------------------------------------
------------------------------------------------------------------------------

Received on Fri Jul 4 10:34:49 2003

This message: [ Message body ]
Next message: Mike Lyman: "RE: How to block users from installing other apps"
Previous message: jazzmanvibration(at)hotmail.com: "Re: How to block users from installing other apps"
In reply to: VNV Jeep: "RE: How to block users from installing other apps"
In reply to Christian Freas: "RE: How to block users from installing other apps"
Next in thread: Dennis Bauer: "RE: How to block users from installing other apps"
Reply: Dennis Bauer: "RE: How to block users from installing other apps"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:33 EDT