Need recommendations on locking down Win NT 4

ThurzNite

Senior member
Nov 15, 1999
I need suggestions on what directories to lock via permissions. We used to give only read permissions to \winnt and subdirectories, but we're running into problems. Should we leave them as they are? We don't want the users to mess around w/the vitals and we don't want them installing their own programs. Are there any registry tweaks? Thanx.
Jay
 

Windows NT is not a very good multiuser operating system. For what purpose are multiple people using the OS? How are they logging in, remote or local?

I suggest you comb this site http://www.ntsecurity.net. I remember they have a list on there somewhere telling what perms to set on what files to make the file system secure for multi-user.

 

Ladi

Platinum Member
Apr 21, 2000
NT's actually pretty good for multiuser. There's a thread somewhere up top (well, I guess, down below now) that someone's been asking for tips on how to secure NT. Basically, if you set up your user profiles/groups/permissions properly, you won't have any problems at all. You can lock down control panel, installation of new apps, limit write access to 'home' directories, etc. Even limit what applications can be run. It takes some tweaking, often people go with 3rd party apps to help, but it is possible.

~Ladi

hrm...Does seem like I answer an awful lot of your questions, Thurz ;)
 

ThurzNite

Senior member
Nov 15, 1999
Dwell and others: I just noticed that my post was misleading. As Ladi and a few others know, I'm setting up 8 new computers.
I'm about to run Ghost (gotta make boot disks first).
Each computer will then go to 1 user. So when I said "users" I mean a whole bunch of people using their own computers. Nobody here shares their computer, except the interns and students, but I'm not dealing with them right now.
So basically, we've had some problems w/people changing settings on their computers, like the desktop, display properties, screen savers, etc.
What I'm most concerned about is them installing programs. Some of them have figured out how to install programs that conflict w/what we preinstall for them, then they come whining to us that their computer is broke and blame us.
Ladi, what you speak of is pretty much what I'm looking for, and Kwatt is probably needing the same thing. I will check out http://www.ntsecurity.net in a bit and see what I can learn there. The user profiles that Kwatt linked look good, but I need something that I can understand, perhaps a template. Ladi, any ideas?
Jay
 

stash

Diamond Member
Jun 22, 2000
Listen carefully, this may get confusing....

To prevent users from installing programs, you must set the permissions on the directory that they are installing from to not execute. However, with downloading from the web, they could put it anywhere. Here's what to do: First, get rid of Netscape if it's on there, and install IE5....trust me, this is a LOT simpler with IE. Next go to tools, internet options, advanced. Find the box that says clear temp files on browser close. Next you'll want to install tweakui. Make the user an administrator temporarily, and hide the drives. Then make the user a standard user. Next, you must find the desktop folder in their profile (c:\winnt\profiles\user\desktop\) and set the NTFS permissions to read, execute, but NO write. Then under the same profile, find the temporary internet directory and set the permissions to read write, but NO execute.

Now when they download, they will only see the desktop as a place to save, but if you set NTFS right, they won't be able to. For executable install programs, they can still "run from" the internet, which downloads it to that temp dir, then executes. If you set the temp Inet dir to write, but not execute, they will get an error after the file downloads, then tries to run. Then when they close the browser, the temp file will be deleted.

There are MANY MANY hacks for locking NT, and it CAN be done, very well. There is a whole hive of registry hacks you can do to get rid of right click access in both NT and IE, get rid of portions of the start menu (run, find), get rid of access to IE options, not allow changing of the desktop (icon positions, wallpaper), getting rid of common save dialog boxes, get rid of lock computer, task manager and change password buttons....On and on.

When I used to work at a university library, when I was done with a machine, there would be 2 icons--one for IE so they can do research on the web (but no downloading and installing programs!!) and one for a program to access the online card catalog system..NOTHING else...no my computer (nothing for them there anyway), no recycle, nothing.

There's a lot of work that can be put into it, but realize that it can be done, and it's very satisfying to see. Good luck.

 

Kwatt

Golden Member
Jan 3, 2000
ThurzNite
I may have found what we've been looking for.
Part of it is on SP6a and part I found here.
http://www.elkantler.net/security/security.htm

I'm trying it on a computer that has nothing on it, so if I lock it up I'll reformat and reinstall NT.

I'll let you know how it turns out.

If you don't hear from me for a day or two I'll be ranting and raving and reinstalling.:)

EDIT: looks like part is on Office 97 disk also and I don't have it:(
I'll keep looking
 

Kwatt

Golden Member
Jan 3, 2000
I have not had a chance to install yet. It looks like it will do the job.

Be careful, it appears you can lock yourself out even if you're the Admin. I'm still looking into it. May try to install in the morning. If I think I have enough info.

I sure would like to hear from someone that has used it.

Found it on Win95 disk in \admin\apptools\poledit\

Kwatt
 

err

Platinum Member
Oct 11, 1999
As Stash said, there are many, many ways you can secure WinNT ...(btw: well done post by Stash, definitely try it)

First off, you have to play around with the NTFS permissions definitely ... secondly, you can use policy editor to lock down NT.

If you have users on Win9x machines, use Policy editor (poledit.exe) to lock down the machine. Create a mandatory policy if you have to, so that users can't mess with their desktop. Creating a mandatory policy is as easy as changing the file extension of the policy file.

For instance, change config.pol to config.man and you got a mandatory policy file there.

You can also rely on a third party program such as foolproof
http://www.foolproof.com

I know it is very effective on hundreds of computers in the local university here. They locked down Win95 & Win2000 very well.

Good luck

eRr
 

ThurzNite

Senior member
Nov 15, 1999
It's looking like Policies are the way to go, besides manually tweaking things (which I don't know enough about). I'll go pick up a book on Policies and see what I can do.
As for IE, my superiors believe that there are more security problems w/IE than Navigator, so we go w/Navigator. Also, they said that since IE is more widely used, there will be more people trying to hack it. I know there's gotta be some problems w/Navigator, but I can't seem to argue to get IE back on, even if it will prevent users from installing programs.
 

stash

Diamond Member
Jun 22, 2000
You need to get a program called tweakui. Make sure you get the version for NT. It's readily available on the web, just do a search in AltaVista or something. Now as far as hiding drives, you can only hide drives if you are an administrator. This means going into musrmgr as the real admin and making the user you are trying to lock out an administrator temporarily. Then run tweak as that user and hide the drives you want. Then, as the real admin, take the admin privileges back from the locked out user.

Hope this explains it, let me know if you need more help.
 

ThurzNite

Senior member
Nov 15, 1999
Sounds good. It's not worth my trouble to go to all the computers to do this, but on the new ones we get, I'll be sure to hide the drives. Thanx!
 

ThurzNite

Senior member
Nov 15, 1999
Okidoke...I've done lots of reading and feel confident enough to tackle policies. I still need to learn more about profiles, but I need to talk to supervisor first.
With the policy editor, I can use templates. Where can I find more templates to download?
Jay
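
For readers following the template question: a small custom template for the System Policy Editor covering a few of the restrictions named in this thread (Run and Find on the Start menu, the Display control panel, Task Manager). This is an added example, not something posted by anyone in the thread; the file name, category name and policy captions are made up, while the key paths and value names are the Explorer/System policy values that Windows reads.

```adm
; lockdown.adm - constructed example template (hypothetical file name).
; Load in poledit via Options > Policy Template, then set the policies
; for a test user before applying them to real accounts.
; Checking a policy writes the value as DWORD 1 under HKEY_CURRENT_USER;
; clearing it writes 0.

CLASS USER

CATEGORY "Workstation lockdown (example)"

    ; Start menu items mentioned in the thread (run, find)
    POLICY "Remove Run command from Start menu"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        VALUENAME "NoRun"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY "Remove Find command from Start menu"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        VALUENAME "NoFind"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    ; Display properties: stops wallpaper and screen saver changes
    POLICY "Deny access to Display control panel"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"
        VALUENAME "NoDispCPL"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    ; Task Manager button on the Ctrl+Alt+Del dialog
    POLICY "Disable Task Manager"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"
        VALUENAME "DisableTaskMgr"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

END CATEGORY
```

Keep the Administrator account out of the group or user these policies are assigned to, so one unrestricted logon remains for undoing a bad setting.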