GPO to prevent user "hardening"

  • Thread starter Thread starter corky
  • Start date Start date
C

corky

We have users here that are "hardening" their computers. The problem
is that it is preventing the IT staff from doing certain things, such
as audits and management. Some are installing third-party firewalls,
some are turning off services, and so on. One problem is that many of
the users are testers, so they install and remove software fairly
often, so I can't limit them to only approved software.

Anyone have any suggestions as to how to prevent this via GPO?

Thanks.
 
It sounds as if they are local administrators on their computers and
probably computer savy if the are testers so I would say there really is no
effective way to stop them. If you are a local administrator, even just by
domain account membership, it is very easy to create a local machine account
administrator and bypass user configuration Group Policy anyway. If you were
using XP Pro you might have a lot better luck using Software Restriction
Policies that are machine based until they figure out they can work around
that by disjoining their machines from the domain. Maybe asking nicely and
explaining the situation would be appropriate in this case. --- Steve
 
corky said:
We have users here that are "hardening" their computers. The problem
is that it is preventing the IT staff from doing certain things, such
as audits and management. Some are installing third-party firewalls,
some are turning off services, and so on. One problem is that many of
the users are testers, so they install and remove software fairly
often, so I can't limit them to only approved software.

Anyone have any suggestions as to how to prevent this via GPO?
Click to expand...

Not really - you've essentially got two diverse requirements here
-- the users need to be able to do what they like to the system and are set
up as administrators
-- but you don't want them doing administrative tasks.
 
Corky,

Possibly a workaround for your problem if it's security of your network that
concerns you -

Can you isolate those users from your main network by linking them through a
single node, and constrain what can be done from/through that node


As a tester I used to experience lots of hassle because the network
administrators were updating systems for security, and applying patches -
and I was trying to document problems using automated testing facilities
Many of my regression tests failed because of such simple things such as a
change in a dll version
- basic process is test - and retest and retest in a stable environment,
then @ pre-pre-release, test on an updated (common user environment)

Hardening of the systems may not be directed at the administrators, it may
just be the first thing a tester does is apply all the tweaks they have
accumulated to the PC they use - I know I always checked The UK'd ness of
the PC setup, and then the setup of the applications/office systems.

You'd be surprised at the number of large UK organisations that have a
standard PC image with all the software installed in US, no security mode
I even worked at a bank where the database environment security facilities
had been DISABLED, and our development and testing environments were
regularly accessed by almost any member of the bank staff who had a PC

James Button
 
Back
Top