Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Securing the Box- Force autologin+startup

  1. #1

    Securing the Box- Force autologin+startup

    Hey everyone, I've recently been tasked to secure a couple of workstations by setting them to auto login and boot up with some default apps. When I noticed some people just held down shift to bypass the default login and startup I locked the registry and set the appropriate keys. I just still can't figure out how to securely load programs in the startup folder without those being bypassed too.

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    What OS are we talking about??

    Are they logging into a domain??

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Oh, I'm sorry. The boxes are running on windows 2000 pro and yes they are logging onto a domain.

  4. #4
    Senior Member
    Join Date
    Oct 2005
    Posts
    197
    http://www.winguides.com/registry/display.php/13/ auto join windows 2000 to a domain via regedit I would say simple just add it to the start menu start up function. Also, I would take a look gpedit and turn off alotta stuff if its going to be a public terminal. If you need more info just post and ill take a look see
    meh. -ech0.

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well

    I dont know how they are bypassing the logon with 2000 unless there is something already configured to log on locally

    Cause usually you need a login id and password to login to a w2000 and a domain

    Theres an old NT trick I used to use...where you create a username\password ehe same as the domain username \password...and you could have accessto the network\resourses....dosent work too well with the newer versions though

    Unless you havent locked down the local admin passwords and accounts.


    When you join a domain usually.............accounts are created..domain administrators(local admins), and domain user accounts (local basic users)

    So I am not understaning your question...which may e due to the amount of wine I have consumed ...in a short period of time...mind you

    More details are needed.....if you want my help

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Oh yes, yes it's set to auto login via the force admin login key in the registry somewhere. It's just that they ARE actually allowed to have local accounts, the admins just want them to log in with the ones he gave them. But yeah, I locked the shift override via the registry, it's just that the start up applications that need to run on startup are being bypassed still. Thanks for your time everyone!

  7. #7
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Drinking wine and hanging out online MLF? shame shame...

    As for the question about users bypassing... why do they have both domain and local accounts?

    What I would do... merge the two accounts into a single account, each workstation should have nothing more than its original admin account and the last X roaming domain profiles. Then use the startup scripts to push whatever you want onto the users.

    For further Win2k security info, check out:

    http://www.nsa.gov/snac/downloads_win2000.cfm

    Some of that may be overkill, so start with the PDFs before just applying the INFs.

    cheers,

    catch

  8. #8
    Ok, besides the issue of having cached accounts, I just need some tips on securing the startup folder. We have some people overriding the programs that need to load on startup and I just need to know the various ways that they accomplish this so I can hopefully secure the stations a little more. Thanks for your time guys.

  9. #9
    Banned
    Join Date
    May 2003
    Posts
    1,004
    For some reason you don't seem to want to listen to the answer you've already been given... so here it is straight from the horse's mouth:

    How to assign scripts in Windows 2000:
    http://support.microsoft.com/default...b;en-us;322241

    Automatically Run Programs When Users Log On to Windows 2000 Terminal Services:
    http://support.microsoft.com/kb/321707/?sd=RMVP&fr=1

    How to Hide the Logon Script Dialog Box on a Windows Client:
    http://support.microsoft.com/kb/q176197/

    If you don't like those... here is a general logon script FAQ:
    http://www.rlmueller.net/LogonScriptFAQ.htm

    However, I think you have some serious issues that need to be addressed first.

    1. Why do users want to prevent these applications from loading?
    a. Are these applications relied upon to somehow limit their activity?
    b. If so, why not simply use the security policy?

    2. Why are users allowed to have multiple profiles?
    a. Is this a legacy solution?
    b. Is management to weak to enforce anything else?
    c. Do you think that this is somehow better?

    It sounds to me like you are trying to have better control over your users' environment and to this end you must utilize the group policy. Applications in the start menu, even if you have them set to launch as a different user can always be prevented from loading.

    cheers,

    catch

  10. #10
    http://www.amazon.com/gp/reader/1578...66#reader-link

    "A manual addressed to the ADP system administrator shall present cautions about functions and privileges that should be controlled when running a secure facility. The procedures for examining and maintaining the audit files as well as the detailed audit record structure for each type of audit event shall be given. The manual shall describe the operator and administrator functions related to security, to include changing the security characteristics of a user. It shall provide guidelines on the consistent and effective use of the protection features of the system, how they interact, how to securely generate a new TCB, and facility procedures, warnings, and privileges that need to be controlled in order to operate the facility in a secure manner. -- ClockworkOrangeBook"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •