Question for NewScience (Re: Is it possible to secure a multi-user Windows machine?)


delerious

Hey NewScience:

It's been a while since anyone posted to my "Is it possible to secure a
multi-user Windows machine?" thread, so I figured I'd start a new one.

I found out that there is a way to get group policy to work for specific
users on a single workstation computer. You have to set the permissions
on the C:\WINNT\system32\GroupPolicy folder -- anyone who can access it
will have the group policy settings applied to them, and anyone who can't
access it won't have the group policy settings applied to them. Now this
won't work for you, since you said you have 8 different types of users,
but it might work for me, since I'll only have 2 types of users: trusted
and untrusted. Given that there is a way to apply group policy only to
certain users, I'm wondering if I still need to use your .REG file method?

Are there things that you can do with the .REG files that you just cannot
do in the group policy editor? (BTW, are you running 2000 or XP? I'm
running 2000 Pro.) Or is it possible to do everything in the group policy
editor, but you use the .REG files since that makes it easier to
"automate" with many different types of users?
 
It is probably possible to use Group Policy. As far as changing permissions
on the folder and having no problems with the user(s) that cannot access the
folder, that is something you would have to test.

However, I would not do this on a network server, since the system depends
on the Policy file for completion of the login (this may hold true for local
access as well, you would have to test).

The reason I went with the REG file route was that I found more flexibility;
some options are not available in Group Policies to set/unset/not configure,
and I wanted to eventually use Microsoft Shared Toolkit.

All the scripts used in Microsoft Shared Toolkit can be modified and offer
all kinds of options in tweaking a user's environment. You can add your own
sections and registry settings based on a set of 'script files'.

Eventually, I will move my user types into MS Shared Toolkit and control
users from there.

As far as the REG files, as I mentioned, I like the flexibility and more
options available than Group Policies. Plus it was easier to migrate the same
options to Windows XP systems with REG files.

If you look at Group Policy files, all they contain (.adm files) is a series
of instructions to set options in the registry.
 
NewScience said:
It is probably possible to use Group Policy. As far as changing permissions
on the folder and having no problems with the user(s) that cannot access the
folder, that is something you would have to test.

However, I would not do this on a network server, since the system depends
on the Policy file for completion of the login (this may hold true for local
access as well, you would have to test).

Can you elaborate a little on the logon process and its use of the policy
file? Which file specifically does it require?

The reason I went with the REG file route was that I found more flexibility;
some options are not available in Group Policies to set/unset/not configure,
and I wanted to eventually use Microsoft Shared Toolkit.

Off the top of your head, can you remember anything that isn't available
in the group policy editor?

All the scripts used in Microsoft Shared Toolkit can be modified and offer
all kinds of options in tweaking a user's environment. You can add your own
sections and registry settings based on a set of 'script files'.

Eventually, I will move my user types into MS Shared Toolkit and control
users from there.

As far as the REG files, as I mentioned, I like the flexibility and more
options available than Group Policies. Plus it was easier to migrate the same
options to Windows XP systems with REG files.

If you look at Group Policy files, all they contain (.adm files) is a series
of instructions to set options in the registry.

I've been looking at the group policy editor, along with the things that
you mentioned in the previous thread, and it looks like you can do just
about everything you mentioned in the group policy editor. The only thing
I'm not sure about is how you said you can lock users into their
C:\Documents and Settings\[USERNAME] folder. Is this the same as the
following registry key you mentioned?

[HKEY_USERS\LimitedUser\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001

That not only removes "My Computer", but also the Recycle Bin and "My
Network Places", right? So then the only thing they have access to is "My
Documents", which is actually a subset of their C:\Documents and
Settings\[USERNAME] folder.

Thanks for your help.
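One way to check what a .REG lockdown file like the one quoted above will actually hide, as an added Python example that is not code from the thread: it parses the REGEDIT4 / 5.00 export format, finds each NonEnum policy key, and reports the hidden shell namespace objects per hive. Only the My Computer CLSID comes from the thread; the Recycle Bin and My Network Places CLSIDs are supplied here as assumptions, as is the constructed sample file.

```python
import re
# Added example, not code from the thread. Only the My Computer CLSID comes from the
# thread; the Recycle Bin and My Network Places CLSIDs are supplied here as assumptions.
NONENUM_SUFFIX = r"\software\microsoft\windows\currentversion\policies\nonenum"
KNOWN_CLSIDS = {
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "My Computer",        # from the thread
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",        # assumption
    "{208D2C60-3AEA-1069-A2D7-08002B30309D}": "My Network Places",  # assumption
}
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a REGEDIT4 / 5.00 export."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")   # a leading '-' marks a key deletion
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2)
    return result

def dword_value(raw):
    """Decode 'dword:0000000a' to an int; None for any other data type."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None

def hidden_namespace_objects(text):
    """Map each hive prefix to the objects its NonEnum key hides (dword 1 only)."""
    hidden = {}
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(NONENUM_SUFFIX):
            continue
        hive = key[:-len(NONENUM_SUFFIX)]
        hidden[hive] = sorted(KNOWN_CLSIDS.get(c.upper(), c)
                              for c, raw in values.items() if dword_value(raw) == 1)
    return hidden

# Constructed sample: the thread's My Computer entry plus a Recycle Bin entry set to 0.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_USERS\LimitedUser\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001
"{645FF040-5081-101B-9F08-00AA002F954E}"=dword:00000000
"""
```

Running `hidden_namespace_objects(SAMPLE_REG)` reports only My Computer as hidden for the LimitedUser hive, which matches the point that a NonEnum entry for one CLSID says nothing about the others.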
 
NonEnum question:

This does not seem to remove Recycle Bin or Network Places on my system when
I set the NonEnum key for My Computer.

However, I'm logged in as an Admin user.

 