Focus on Microsoft
how to do this. Also if they are then that would be one person out of
how many. I know the risks with this and I actually have all the event
logs from all the machines ported to the servers that I run. I know if
one has its admin password changed right away and then re-image that
machine. All the users know that if they have data on that machine and
they do something of that nature I will rebuild to the last known good
configuration. (know that I do a backup of their machines every night
so data loss is not the question.) I have an image after every software
install that I do. This makes the process a little less painful because
I have remote client running on all machines in the forest that I run.
So if they make the change it is noticeable and can be corrected really
fast.
Dennis
-----Original Message-----
From: Sakaba [mailto:Sakaba (at) alexandria (dot) cc [email concealed]]
Sent: Friday, July 04, 2003 8:15 AM
To: VNV Jeep; janehan22 (at) yahoo (dot) com [email concealed]
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: How to block users from installing other apps
Not that I disagree with what you are saying but I think as a caveat it's
important to note that there are a number of tools that run off a simple
floppy and allow the user to reboot their machine and change the local
admin password. Then they simply login as local admin on the machine
and add their domain account to the local admin group.
Example: http://home.eunet.no/~pnordahl/ntpasswd/
So don't add D-users to the local admin account but don't be surprised
if your more IT aware users do it themselves.
Peace,
sakaba
-----Original Message-----
From: VNV Jeep [mailto:vnvjeep (at) hotmail (dot) com [email concealed]]
Sent: Friday, July 04, 2003 1:07 AM
To: janehan22 (at) yahoo (dot) com [email concealed]
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: How to block users from installing other apps
Jane... I would *HIGHLY* recommend you do not add domain users to the
local Admin group. Bad bad bad, very bad. I agree with your help desk
manager... you don't want to do this. Yes, it will only cause damage to
the local machine, but it could have bigger impacts around your
domain...
What can happen?
1.) They can download illegal software & install it.
2.) If you have any software/OS standardization, this will be shot.
3.) They can run & execute viruses, which have the capability to delete
system files in the OS (which they normally can't delete but since
they're admin, anything goes).
4.) By running viruses/trojans, and being successfully executed, they
have the capability to traverse the network and hit other
workstations/servers on the domain.
5.) They can stop & start services.
6.) They can uninstall standard software you may have on there.
7.) They can make network card property changes...
I could go on & on...
It's not hard to manipulate permissions for your apps so that these
users can run under a restricted user account. You don't need
filemon/regmon to do this. (you might in an extremely rare occasion,
but have not had to use them yet). What works 99% of the time is this:
1.) Go into the program files\<appname folder> and give local users
modify rights.
2.) Go into the HKLM\software\<appname folder> and do the same.
That's it.
Good luck,
Mike
|-----Original Message-----
|From: Jane Han [mailto:janehan22 (at) yahoo (dot) com [email concealed]]
|Sent: Thursday, July 03, 2003 11:47 AM
|To: Dennis Bauer; focus-ms (at) securityfocus (dot) com [email concealed]
|Subject: RE: How to block users from installing other apps
|
|
|Thanks for all help.
|
|I downloaded regmon and filemon and going to find
|which permission need to apply to the reg keys and
|files level.
|
|Currently, I met some resistance from help desk
|manager, which many changes could be done at users'
|level if we need to change reg and file permission.
|He challenged me that the only damage can be caused
|only at local computer, not at domain.
|
|If someone can list all damages that caused by
|assigning domain users to the local administrators
|group, I would greatly appreciate it.
|
|Thanks in advance,
|
|Jane
|
|
|
|--- Dennis Bauer <dbauer (at) Mines (dot) EDU [email concealed]> wrote:
|> Have you tried regmon and filemon to see what you
|> need to open for users
|> to be able to run the apps?
|>
|>
|> -----Original Message-----
|> From: Jane Han [mailto:janehan22 (at) yahoo (dot) com [email concealed]]
|> Sent: Wednesday, June 25, 2003 2:22 PM
|> To: focus-ms (at) securityfocus (dot) com [email concealed]
|> Subject: How to block users from installing other
|> apps
|>
|>
|> Due to several customized in-house applications, the
|> users need to be local administrator to launch the applications. Since
|> most users are local admin, they can download and install
|> applications such
|> as games, AOL instant messages...from internet.
|>
|> Is it possible to block users from installing
|> applications through Group Policy in this case? or
|> disable internet explorer?
|>
|> Any solutions or suggestions?
|>
|>
|> Thanks in advance,
|> Jane
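The two permission steps described in the thread (modify rights for local users on the application's Program Files folder and on its HKLM\software key), as an added PowerShell example that is not part of the original messages. `ExampleApp` and both paths are hypothetical placeholders; the registry has no single "Modify" right, so the example assumes read, write and delete as the equivalent.

```powershell
#Requires -RunAsAdministrator
# Added example: 'ExampleApp' and both paths are hypothetical placeholders.
$AppFolder = Join-Path $env:ProgramFiles 'ExampleApp'
$AppKey    = 'HKLM:\SOFTWARE\ExampleApp'

# BUILTIN\Users by well-known SID, so this also works on localized installs.
$Users  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$NoProp = [System.Security.AccessControl.PropagationFlags]::None
$Both   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Keys   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit

function Grant-AppFolderModify {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }
    $acl = Get-Acl -LiteralPath $Path
    # Modify on this one application folder, inherited by its subfolders and
    # files. Never apply this to Program Files as a whole.
    $fsModify = [System.Security.AccessControl.FileSystemRights]::Modify
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Users, $fsModify, $Both, $NoProp, $Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Grant-AppKeyModify {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }
    $acl = Get-Acl -LiteralPath $Path
    # Assumed registry equivalent of "modify": read, write and delete,
    # inherited by subkeys (registry values carry no ACL of their own).
    $regModify = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey, Delete'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Users, $regModify, $Keys, $NoProp, $Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Grant-AppFolderModify -Path $AppFolder
Grant-AppKeyModify    -Path $AppKey

# Show the resulting entries for BUILTIN\Users so the change can be reviewed.
(Get-Acl -LiteralPath $AppFolder).Access | Where-Object { $_.IdentityReference -like '*\Users' }
(Get-Acl -LiteralPath $AppKey).Access    | Where-Object { $_.IdentityReference -like '*\Users' }
```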