[WEB4LIB] RE: NT/2000 security question

Tom Edelblute thomas at anaheim.lib.ca.us
Fri Mar 9 19:22:21 EST 2001


OK I just spoke with my project leader and my problem was not clear to
him, so let me be more specific.  

When setting up our Windows 2000 workstations, my people have not
successfully locked down Network Neighborhood and My Computer using the
NT Server System Policy Editor in the same way we can for NT
Workstations. Therefore, let me ask if Network Neighborhood and My
Computer can be secured on a Windows 2000 workstation when using an NT
Server?

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tom Edelblute
Public Access Systems Coordinator
Anaheim Public Library   phone: (714) 765-1759
500 West Broadway        fax:   (714) 765-1730
Anaheim CA 92805         e-mail: thomas at anaheim.lib.ca.us

"Dobbs, Aaron" wrote:
> 
> A couple of quick thoughts:
> 
> W2K Server will handle the profiles of all users and machines fine.
> NB: the tools are, mostly, found in different places than where you'd expect
> on an NT4 Server.
> NB!: the W2K machine will have to be a Domain Controller.  If you install a
> W2K Server on the network it will automatically become the PDC.  No ifs,
> ands or buts.  Logically this makes sense, but be sure to be ready for
> this when it happens.  (I would consider taking down the "real" or current
> PDC and promoting a BDC first then installing the W2K box on the network --
> just in case something goes horribly wrong.)
> 
> NT4 can handle the profiles for W2K Professional machines when the
> workstation is correctly configured (so I'm told).  But, I am also told that
> moving production to a pure or "native" W2K domain structure (all DCs are
> W2K and in native mode) makes administration a breeze.  In an instructional
> environment (contrived, yes) I agree W2K is much easier and far more robust
> and granular in its permissions; but don't forget vendor compatibility
> issues.
> 
> If you've the budget (and a compatible vendor) my suggestion would be to
> switch to 100% W2K machines (Server & Workstation) for the following
> reasons:
>   If you install the machines from a network share the OS provides a
> "persistent" file system. (if a user deletes explorer.exe on a workstation -
> a required file for Windows to run - the OS realizes it is missing a file,
> looks for the network share it used for the original install, copies the
> file to itself, and then runs as if it were always there.  Same with M$
> applications, if you installed it from a network share and a user deletes
> word.exe the next time someone tries to use word.exe the OS notices that it
> should be there, goes and gets the file from the original installation
> network share (assuming the share is still there), installs it again and
> runs it for the user.)
>   Users can be assigned software, if you say user 1234 can use a software
> package the system will install the software from a network share (if you
> tell it to) for that user and allow the user to run it.  If later you decide
> that user 1234 should not be able to run the software the OS will remove the
> software from the user's profile.  Very neat stuff.
> 
> -Aaron
> :-)'
> Please pipe M$ bashing replies to /dev/null :-)'
> 
> Yes they are corporate in all the negative senses,
> but they do make (bloated) products that work without
> requiring end user/administrator kernel recompilation :-)'
> 
> -----Original Message-----
> From: Tom Edelblute [mailto:thomas at anaheim.lib.ca.us]
> Sent: Thursday, March 08, 2001 5:18 PM
> To: Multiple recipients of list
> Subject: [WEB4LIB] NT/2000 security question
> 
> We have an NT server using policy editor and mandatory profiles for
> security.  This has worked fine for us on the NT workstations.
> 
> We have now received our first shipment of Windows 2000 workstations and
> are having problems securing everything we want to using the policy
> editor on the NT server.
> 
> One of the solutions that has been proposed is to buy a 2000 server.
> Does anyone know if it is possible to use a 2000 policy editor with NT
> workstation?  Would it be necessary to convert all the NT Workstations
> to 2000 Workstations?  Or will the 2000 Policy editor be able to
> accommodate NT Workstations without problem?  Anybody have any thoughts?
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Tom Edelblute
> Public Access Systems Coordinator
> Anaheim Public Library   phone: (714) 765-1759
> 500 West Broadway        fax:   (714) 765-1730
> Anaheim CA 92805         e-mail: thomas at anaheim.lib.ca.us

