Win2000 security question

Leffe

Junior Member
Nov 14, 2002
Hi folks,
I'm about to configure a win2000pro industrial PC that will be standing in a factory and controlling some pretty large machines. Anyway, this means that quite a lot of people will have access to this PC, and so there is a risk that someone will mess it up.

As I'm not familiar with the possibilities or limitations of win2000, I would like to know if it's possible to create a user account in such a way that it's impossible to alter just about anything. I mean I don't want them to be able to even change the screensaver or wallpaper, not to mention nastier things. Or am I forced to buy some special software such as Secure Desktop or something to do this?

Leif...
 

Fuzznuts

Senior member
Nov 7, 2002
Is it a standalone machine? If so, go to Start menu, Run, and type gpedit.msc

Have a look at all the settings in there; you will be able to restrict peeps to whatever you wish. If it's in a domain environment then you'll need to do it at domain level on a group or user basis.
 

Woodchuck2000

Golden Member
Jan 20, 2002
If you just let people log on as 'guest' the amount of things they can do is severely limited.
You can further restrict the account by modifying settings in control panel->admin tools->local security policy.
 

Leffe

Junior Member
Nov 14, 2002
Thanks for the pointers.
I have now looked at gpedit but I must be missing something, how the ¤#?! do I select which user or group the settings should affect?
I want to have three user accounts with different levels of security and those settings seem to apply to everyone, even the administrator.

Will take a look at local security policy now, cause only guest limitations are not enough.


Leif...
 

Nothinman

Elite Member
Sep 14, 2001
I believe you need Active Directory to have that fine grained of group policy, without AD it just applies to everyone (including admins, isn't that nice).

One workaround we did where I work for Win2K Citrix servers before AD was to make a "PolicyAdmin" account that had write access to the policy files, then allow regular users to read them (so they can be applied) and deny normal Admin accounts any access to the policy files (so they can't be applied), then login as admin and use RunAs to change the policy. It's messy, but it works and it's a lot cheaper and less hassle than AD.

Frankly, I'd be scared to work in a shop that had Windows controlling large machines though.
 

Fuzznuts

Senior member
Nov 7, 2002
The kind of control you sound like you're after is only going to be available at domain level; you'll need a 2k server. Of course you could go the linux route, but I assume that the software is 2k native :(

As nothinman said, you can hack your way around this but it's gonna be messy :(
 

Woodie

Platinum Member
Mar 27, 2001
You don't need GPOs or a domain to get pretty close to what you want.

Login w/ Administrator privileges.
Go to the Doc&Settings\default User folder. Remove anything there that you don't want them to get to (like RUN, Command Prompt, any of the accessories, etc.)
On this standalone workstation, create a unique ID for each user/group of users.
Make sure these users are NOT members of the Power Users or Administrators groups.
Users will be able to change their own desktop settings (wallpaper/icons), but they won't be able to even add a printer!

As you've discovered, the Local Security Policy applies to ALL local users, not just certain users.
 

Leffe

Junior Member
Nov 14, 2002
Nothinman, I tried to deny all rights for admin on the Grouppolicy/user/registry.pol file and it seemed to work once, then I gave me the rights back to change some settings. Applied deny all rights again and logged in again, but now it doesn't work. I still get all the group policy settings applied, but if I try to run gpedit.msc the program confirms that I don't have rights to the registry.pol file. Very strange, the settings take effect even though I'm not allowed access to the file.

Any ideas? I might get away with this solution if I only can get it to work again.


>Frankly, I'd be scared to work in a shop that had Windows controlling large machines though.

Hehe, don't worry, it's only the GUI that will be running in a windows environment :)


Leif...
 

Nothinman

Elite Member
Sep 14, 2001
>then I gave me the rights back to change some settings

Like I mentioned before, we used a separate account to manage the local policies. I have no idea if Windows caches those things or anything.
 

Leffe

Junior Member
Nov 14, 2002
I believe it works now, when I deny admin all rights on the GroupPolicy directory I seem to get away with it.

So everyone, thanks for the suggestions.

Now I will make a backup and then try to mess it up :)

Leif...
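The workaround discussed in this thread (a separate "PolicyAdmin" account that owns the local policy files, with the everyday admin account denied access to the GroupPolicy directory), written out as a batch sketch. This is an added example, not a script posted by anyone in the thread. It assumes a standalone Windows 2000 machine, the default policy location %SystemRoot%\System32\GroupPolicy, that the everyday admin account is the built-in "Administrator", and that PolicyAdmin needs Administrators membership to run gpedit.msc.

```bat
@echo off
rem Added example (not from the thread): set up the "PolicyAdmin" workaround.
rem Run once from an administrator account on the standalone machine.
rem Assumed: policy directory location and the account names below.
setlocal
set GPDIR=%SystemRoot%\System32\GroupPolicy
set DAILYADMIN=Administrator
set POLADMIN=PolicyAdmin

if not exist "%GPDIR%" echo %GPDIR% not found, open gpedit.msc once first.
if not exist "%GPDIR%" goto :eof

rem Keep a record of the ACLs before changing anything.
cacls "%GPDIR%" /T > "%TEMP%\grouppolicy-acl-before.txt"

rem Create the dedicated policy account (prompts for a password).
net user %POLADMIN% * /add
rem Assumption: editing local policy needs Administrators membership.
net localgroup Administrators %POLADMIN% /add

rem PolicyAdmin may change the policy files.
cacls "%GPDIR%" /T /E /G %POLADMIN%:F
rem Regular users must be able to read them so the policy is applied.
cacls "%GPDIR%" /T /E /G Users:R

rem Deny the everyday admin ACCOUNT, not the Administrators GROUP:
rem deny entries are checked before allow entries, so a deny on the
rem group would also lock out PolicyAdmin, which is a member of it.
cacls "%GPDIR%" /T /E /D %DAILYADMIN%

rem Show the result for review.
cacls "%GPDIR%" /T

echo.
echo To change policy later, stay logged in as %DAILYADMIN% and run:
echo   runas /user:%COMPUTERNAME%\%POLADMIN% "mmc %SystemRoot%\System32\gpedit.msc"
endlocal
```

Policy changes are then always made through RunAs as PolicyAdmin, so the deny entry on the everyday admin account never has to be removed and re-applied.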