[WEB4LIB] RE: NT/2000 security question (technical content)

Dobbs, Aaron DobbsA at apsu.edu
Mon Mar 12 14:50:36 EST 2001


Sorry to post this to the list, private replies have bounced...
Okay,
Sorry to take so long, I wanted to verify technical accuracy.  I configured
a machine to do what I think you want.

This is specifically in System Policy Editor on an NT4 PDC to control the
appearance of a W2KPro workstation.

Don't forget in your System Policy there are 3 settings for each option:
	a check means apply this line in the Policy ("Apply this")
	a gray square means if this is applied elsewhere accept what's there ("Don't care")
	a clear box (all white) means if this is applied elsewhere unapply it ("Do NOT apply this")
These distinctions are very important.  If you clear a box (all white) it
will unapply the change everywhere.  This may be the problem for you; I've
been burned by it a few times as well.

Addressing specifically 'securing' Network Neighborhood:  I'm assuming
"hiding" will work for your implementation:  
In System Policy Editor the option to hide Net-Neighborhood is under: 
	Shell --> Restrictions
with the following options (or something textually close)("*" are what I
have set):
*	Remove folders from Start
*	Remove Folders from Settings
*	Remove Run from Start
*	Remove Find from Start
*	Hide Drives in My Computer
*	Hide Network Neighborhood  <-- checking this box made
Network Neighborhood unavailable on the W2KPro machine (in My Computer &
browsing the drives - I had already disallowed the Run command)
	No all network in Net-Neighborhood (redundant - didn't set)
	No workgroup in Net-Neighborhood (redundant - didn't set)
*	Hide all items on Desktop
*	Disable Shutdown command
*	Don't Save Settings on exit
	
Addressing specifically 'securing' the My Computer window: (again assuming
hiding will be enough)
In System Policy Editor the option to hide Net-Neighborhood is under:
	Shell --> Restrictions
with the following options (or something close):
*	Remove folders from Start
*	Remove Folders from Settings <-- to hide control panel access in My
Computer and the Start menu
*	Remove Run from Start 
*	Remove Find from Start
*	Hide Drives in My Computer <-- to hide the drives (Control Panel
will still be available)
*	Hide Network Neighborhood  
	No all network in Net-Neighborhood (redundant as above)
	No workgroup in Net-Neighborhood (redundant as above)
*	Hide all items on Desktop <-- to remove the My Computer icon (I
found no other way to do this; it's empty due to the other restrictions but
I just didn't want it there).  This also removes all other icons; my workaround
was to put a shortcut in the taskbar for the programs I wanted available.
*	Disable Shutdown command
*	Don't Save Settings on exit

Again, these are options in the System Policy Editor User settings, not
Machine settings.  We have one user assigned to each public machine, but you
could set it up as one user logging in to all the workstations.  (I find it
more flexible to do one user for each machine.)

Hope this helps.
Reply direct to me for clarifications on these notes :-)'

-Aaron
:-)'
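
The Shell --> Restrictions options Aaron lists are written by the policy file into per-user registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (Explorer and Network).  The script below is an added example, not code from the thread or from Microsoft: it models poledit's three checkbox states (checked = write the value, gray = leave whatever is there, clear = delete the value) against those same registry values, so you can audit a W2KPro box after logon and see exactly which restrictions took effect.  Value names follow common.adm/winnt.adm; the mapping of "Remove folders from Start" to NoCommonGroups is an assumption, and the Get-NoDrivesMask helper builds the bitmask NoDrives expects (bit 0 = A:, bit 2 = C:, and so on).

```powershell
# Added example (not from the WEB4LIB thread): audit and set the Explorer shell
# restrictions that the NT4 System Policy Editor's Shell -> Restrictions branch
# writes, using the same three states as poledit's checkboxes.
# Assumption: value names are those from common.adm / winnt.adm; the mapping of
# "Remove folders from Start" to NoCommonGroups is an assumption.

$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$NetworkKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Network'

# poledit option text -> registry key and value name
$Restrictions = @{
    'Remove folders from Start'             = @{ Key = $ExplorerKey; Name = 'NoCommonGroups' }  # assumed mapping
    'Remove folders from Settings'          = @{ Key = $ExplorerKey; Name = 'NoSetFolders' }
    'Remove Run from Start'                 = @{ Key = $ExplorerKey; Name = 'NoRun' }
    'Remove Find from Start'                = @{ Key = $ExplorerKey; Name = 'NoFind' }
    'Hide Drives in My Computer'            = @{ Key = $ExplorerKey; Name = 'NoDrives' }
    'Hide Network Neighborhood'             = @{ Key = $ExplorerKey; Name = 'NoNetHood' }
    'No Entire Network in Net Neighborhood' = @{ Key = $NetworkKey;  Name = 'NoEntireNetwork' }
    'No workgroup in Net Neighborhood'      = @{ Key = $NetworkKey;  Name = 'NoWorkgroupContents' }
    'Hide all items on Desktop'             = @{ Key = $ExplorerKey; Name = 'NoDesktop' }
    'Disable Shutdown command'              = @{ Key = $ExplorerKey; Name = 'NoClose' }
    "Don't Save Settings on exit"           = @{ Key = $ExplorerKey; Name = 'NoSaveSettings' }
}

function Set-ShellRestriction {
    # Apply    = checked box  : write the DWORD (1 unless -Value given)
    # DontCare = gray box     : touch nothing, whatever is there stays
    # Unapply  = clear box    : delete the value (this is the state that
    #                           "unapplies the change everywhere")
    param(
        [Parameter(Mandatory)][string]$Option,
        [Parameter(Mandatory)][ValidateSet('Apply','DontCare','Unapply')][string]$State,
        [int]$Value = 1
    )
    $target = $Restrictions[$Option]
    if (-not $target) { throw "Unknown option: $Option" }
    switch ($State) {
        'Apply' {
            if (-not (Test-Path $target.Key)) { New-Item -Path $target.Key -Force | Out-Null }
            Set-ItemProperty -Path $target.Key -Name $target.Name -Value $Value -Type DWord
        }
        'DontCare' { }
        'Unapply' {
            if (Test-Path $target.Key) {
                Remove-ItemProperty -Path $target.Key -Name $target.Name -ErrorAction SilentlyContinue
            }
        }
    }
}

function Get-NoDrivesMask {
    # NoDrives is a bitmask: bit 0 hides A:, bit 1 hides B:, bit 2 hides C: ...
    # 0x3FFFFFF hides all 26 letters.
    param([Parameter(Mandatory)][string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $bit = [int][char]$l.ToUpper()[0] - [int][char]'A'
        $mask = $mask -bor (1 -shl $bit)
    }
    return $mask
}

function Get-ShellRestrictionReport {
    # One row per poledit option: the value it maps to, what is currently in
    # HKCU, and whether the restriction is in effect for this user.
    foreach ($option in ($Restrictions.Keys | Sort-Object)) {
        $t = $Restrictions[$option]
        $v = $null
        if (Test-Path $t.Key) {
            $v = (Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        }
        [pscustomobject]@{
            Option   = $option
            Value    = $t.Name
            Setting  = $v
            InEffect = ($null -ne $v -and $v -ne 0)
        }
    }
}

# Usage, as the public-PC user:
#   Set-ShellRestriction 'Hide Network Neighborhood' Apply
#   Set-ShellRestriction 'Hide Drives in My Computer' Apply -Value (Get-NoDrivesMask 'C','D')
#   Set-ShellRestriction 'No workgroup in Net Neighborhood' Unapply
#   Get-ShellRestrictionReport | Format-Table -AutoSize
```

Two things the report makes visible that the policy editor does not.  First, a row with Setting empty after a fresh logon means the clear-box state reached that value and deleted it, which is the "unapply everywhere" behaviour described above.  Second, every one of these values is an Explorer user-interface restriction: NoNetHood and NoDrives stop the shell from showing the browse list and the drive icons, but a user who can reach a file dialog, a shortcut, or any program that accepts a path can still open \\server\share or C:\ unless share and NTFS permissions deny it.  Treat the policy as the cosmetic layer and the ACLs on the shares and the local disk as the actual control.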


-----Original Message-----
From: Tom Edelblute [mailto:thomas at anaheim.lib.ca.us]
Sent: Friday, March 09, 2001 6:29 PM
To: Multiple recipients of list
Subject: [WEB4LIB] RE: NT/2000 security question


OK I just spoke with my project leader and my problem was not clear to
him, so let me be more specific.  

When setting up our Windows 2000 workstations, my people have not
successfully locked down Network Neighborhood and My Computer using the
NT Server System Policy Editor in the same way we can for NT
Workstations. Therefore, let me ask if Network Neighborhood and My
Computer can be secured on a Windows 2000 workstation when using an NT
Server?

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tom Edelblute
Public Access Systems Coordinator
Anaheim Public Library   phone: (714) 765-1759
500 West Broadway        fax:   (714) 765-1730
Anaheim CA 92805         e-mail: thomas at anaheim.lib.ca.us

"Dobbs, Aaron" wrote:
> 
> A couple of quick thoughts:
> 
> W2K Server will handle the profiles of all users and machines fine.
> NB: the tools are, mostly, found in different places than where you'd expect
> on an NT4 Server.
> NB!: the W2K machine will have to be a Domain Controller.  If you install a
> W2K Server on the network it will automatically become the PDC.  No if's,
> and's or but's.  Logically this makes sense, but be sure to be ready for
> this when it happens.  (I would consider taking down the "real" or current
> PDC and promoting a BDC first, then installing the W2K box on the network,
> just in case something goes horribly wrong.)
> 
> NT4 can handle the profiles for W2K Professional machines when the
> workstation is correctly configured (so I'm told).  But I am also told that
> moving production to a pure or "native" W2K domain structure (all DCs are
> W2K and in native mode) makes administration a breeze.  In an instructional
> environment (contrived, yes) I agree W2K is much easier and far more robust
> and granular in its permissions; but don't forget vendor compatibility
> issues.
> 
> If you've the budget (and a compatible vendor) my suggestion would be to
> switch to 100% W2K machines (Server & Workstation) for the following
> reasons:
>   If you install the machines from a network share the OS provides a
> "persistent" file system.  (If a user deletes explorer.exe on a workstation,
> a required file for Windows to run, the OS realizes it is missing a file,
> looks for the network share it used for the original install, copies the
> file to itself, and then runs as if it were always there.  Same with M$
> applications: if you installed it from a network share and a user deletes
> word.exe, the next time someone tries to use word.exe the OS notices that it
> should be there, goes and gets the file from the original installation
> network share (assuming the share is still there), installs it again and
> runs it for the user.)
>   Users can be assigned software: if you say user 1234 can use a software
> package, the system will install the software from a network share (if you
> tell it to) for that user and allow the user to run it.  If later you decide
> that user 1234 should not be able to run the software, the OS will remove the
> software from the user's profile.  Very neat stuff.
> 
> -Aaron
> :-)'
> Please pipe M$ bashing replies to /dev/null :-)'
> 
> Yes they are corporate in all the negative senses,
> but they do make (bloated) products that work without
> requiring end user/administrator kernel recompilation :-)'
> 
> -----Original Message-----
> From: Tom Edelblute [mailto:thomas at anaheim.lib.ca.us]
> Sent: Thursday, March 08, 2001 5:18 PM
> To: Multiple recipients of list
> Subject: [WEB4LIB] NT/2000 security question
> 
> We have an NT server using policy editor and mandatory profiles for
> security.  This has worked fine for us on the NT workstations.
> 
> We have now received our first shipment of Windows 2000 workstations and
> are having problems securing everything we want to using the policy
> editor on the NT server.
> 
> One of the solutions that has been proposed is to buy a 2000 server.
> Does anyone know if it is possible to use a 2000 policy editor with NT
> workstation?  Would it be necessary to convert all the NT Workstations
> to 2000 Workstations?  Or will the 2000 Policy editor be able to
> accommodate NT Workstations without problem?  Anybody have any thoughts?
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Tom Edelblute
> Public Access Systems Coordinator
> Anaheim Public Library   phone: (714) 765-1759
> 500 West Broadway        fax:   (714) 765-1730
> Anaheim CA 92805         e-mail: thomas at anaheim.lib.ca.us
