workstation lockdown

Thread: workstation lockdown

  1. #1
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741

    workstation lockdown

    I am running into an issue where I need a lot of different security ideas to bring to a client of mine and am hoping someone can help.

    Background: client is a not-for-profit organization. Has a video monitor system to keep watch on people throughout the compound. There is a PC in a central monitoring system that has been having various users accessing the internet and surfing non-work-friendly websites. Most of which includes porn and other websites.

    Site uses Windows 2000 Server with AD running; there are roughly 30 computers that connect and authenticate to this server, a couple of which are dummy terminals.

    Problem: The computer that people are connecting to when I showed up on site does NOT need internet access, only intranet access to remotely connect to a local camera system. When I arrived onsite the computer would log in using
    login: administrator with no password.

    I joined it to the domain and gave the folder that controls the program for the camera system full control so that it can read and write to itself. Then set a local

    Solution:
    I am looking for one of multiple solutions or ideas as to what you think would be best:

    Should I create a GPO for just that PC that states it is not allowed to connect to the internet?

    Is there a way to make the PC start up, log in automatically, open just that program in a console mode which I could lock and make it so no one without a password would be able to exit it?

    Can I add it to a dumb terminal and block internet access?

    Any other ideas?


    On a side note, does anyone know of a program similar to Websense that would be either really cheap or free to implement to filter out websites?
    Duct tape.....A whole lot of Duct Tape

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    I would first set a password for the admin account. You NEVER want average users to have admin powers. Then set up a new account for people to log in as and deny that account access to everything but the program they need to view the camera.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    I have reset the password as I stated, but what is the best way to deny access to everything else?
    Duct tape.....A whole lot of Duct Tape

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Remove the default gateway and prevent users from accessing the network properties.

    It will chat away merrily with the local subnet but will have no idea where to find the internet...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Hmm... well, first off throw them in the "Guest group"; this will cut back their rights A LOT. Then go to things like Internet Explorer and go into the security settings and deny that group access. Do the same for each major application you don't want them to use. Being in Guest will make it so they can't change this stuff, and they won't be able to download/install other things to use. There is probably a more efficient way but I'd have to have a 2000 box in front of me and mess around with it for a bit; I've gotten too familiar with XP lol.


    edit**

    Haha, I guess Tiger's way will work too.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  6. #6
    Junior Member
    Join Date
    Nov 2003
    Posts
    12
    You can disable access to any Windows program in Group Policy... in Active Directory.
    jazz is a state of mind...

  7. #7
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Yeah, you can use policies but they are easy to get around. Are all the clients 2k systems? 9x machines are really tough to secure.

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by Tiger Shark
    Remove the default gateway and prevent users from accessing the network properties.

    It will chat away merrily with the local subnet but will have no idea where to find the internet...

    Nothing more to add to that.

    Seriously, just configure the interface TCP/IP prefs manually and don't give it a gateway.
    Assuming the users don't have the privileges to add a route or such, this is almost* as good as having a deny rule on a firewall...


    *At least better than trying to disable all and any program that might access the internet with group policies...


    Ammo
    Credit travels up, blame travels down -- The Boss
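
The "no default gateway" setup discussed in posts #4 and #8 only holds while nobody adds a gateway or a static route, so it is worth auditing. The following is an added example, not part of the original thread: it parses the "Active Routes" table of `route print` output and reports every route that hands traffic to a router. The function name, addresses and sample output are constructed assumptions.

```python
import ipaddress
import re

# One "Active Routes" row: destination, netmask, gateway, interface, metric.
ROW = re.compile(r"^\s*((?:\d+\.){3}\d+)\s+((?:\d+\.){3}\d+)\s+"
                 r"((?:\d+\.){3}\d+)\s+((?:\d+\.){3}\d+)\s+\d+\s*$")

def routed_destinations(route_print_text):
    """Return (network, gateway) for every route that hands traffic to a router.

    On Windows 2000/XP an on-link route lists one of the machine's own
    addresses (or 127.0.0.1) as its gateway, so any other gateway is a next hop.
    """
    rows = [m.groups() for m in map(ROW.match, route_print_text.splitlines()) if m]
    own = {iface for _, _, _, iface in rows} | {"127.0.0.1"}
    return [(str(ipaddress.ip_network(f"{dest}/{mask}", strict=False)), gw)
            for dest, mask, gw, _ in rows if gw not in own]

# Constructed sample output, not captured from a real machine.
LOCKED_DOWN = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50       1
     192.168.1.50  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255     192.168.1.50    192.168.1.50       1
        224.0.0.0        224.0.0.0     192.168.1.50    192.168.1.50       1
  255.255.255.255  255.255.255.255     192.168.1.50    192.168.1.50       1
"""

# Same machine after a gateway is configured and a static route is added.
REOPENED = LOCKED_DOWN + """\
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50       1
         10.0.0.0        255.0.0.0    192.168.1.254    192.168.1.50       1
"""

if __name__ == "__main__":
    for name, text in (("locked down", LOCKED_DOWN), ("reopened", REOPENED)):
        print(name, routed_destinations(text) or "no routed destinations")
```

An empty result means the machine can only reach its local subnet; any entry is a path off the subnet that should be removed or explained.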
