-
October 15th, 2005, 03:43 AM
#1
Member
Securing the Box- Force autologin+startup
Hey everyone, I've recently been tasked to secure a couple of workstations by setting them to auto login and boot up with some default apps. When I noticed some people just held down shift to bypass the default login and startup I locked the registry and set the appropriate keys. I just still can't figure out how to securely load programs in the startup folder without those being bypassed too.
-
October 15th, 2005, 03:55 AM
#2
What OS are we talking about??
Are they logging into a domain??
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 15th, 2005, 04:38 AM
#3
Member
Oh, I'm sorry. The boxes are running on Windows 2000 Pro and yes they are logging onto a domain.
-
October 15th, 2005, 05:05 AM
#4
http://www.winguides.com/registry/display.php/13/ auto join Windows 2000 to a domain via regedit. I would say simple, just add it to the start menu start up function. Also, I would take a look at gpedit and turn off a lot of stuff if it's going to be a public terminal. If you need more info just post and I'll take a look see
-
October 15th, 2005, 05:15 AM
#5
Well
I don't know how they are bypassing the logon with 2000 unless there is something already configured to log on locally
Cause usually you need a login id and password to login to a w2000 and a domain
There's an old NT trick I used to use...where you create a username\password the same as the domain username\password...and you could have access to the network\resources....doesn't work too well with the newer versions though
Unless you haven't locked down the local admin passwords and accounts.
When you join a domain usually...accounts are created..domain administrators (local admins), and domain user accounts (local basic users)
So I am not understanding your question...which may be due to the amount of wine I have consumed ...in a short period of time...mind you
More details are needed.....if you want my help
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 15th, 2005, 05:30 AM
#6
Member
Oh yes, yes it's set to auto login via the force admin login key in the registry somewhere. It's just that they ARE actually allowed to have local accounts, the admins just want them to log in with the ones he gave them. But yeah, I locked the shift override via the registry, it's just that the start up applications that need to run on startup are being bypassed still. Thanks for your time everyone!
-
October 15th, 2005, 05:57 AM
#7
Drinking wine and hanging out online MLF? shame shame...
As for the question about users bypassing... why do they have both domain and local accounts?
What I would do... merge the two accounts into a single account, each workstation should have nothing more than its original admin account and the last X roaming domain profiles. Then use the startup scripts to push whatever you want onto the users.
For further Win2k security info, check out:
http://www.nsa.gov/snac/downloads_win2000.cfm
Some of that may be overkill, so start with the PDFs before just applying the INFs.
cheers,
catch
-
October 16th, 2005, 02:18 AM
#8
Member
Ok, besides the issue of having cached accounts, I just need some tips on securing the startup folder. We have some people overriding the programs that need to load on startup and I just need to know the various ways that they accomplish this so I can hopefully secure the stations a little more. Thanks for your time guys.
-
October 16th, 2005, 03:38 AM
#9
For some reason you don't seem to want to listen to the answer you've already been given... so here it is straight from the horse's mouth:
How to assign scripts in Windows 2000:
http://support.microsoft.com/default...b;en-us;322241
Automatically Run Programs When Users Log On to Windows 2000 Terminal Services:
http://support.microsoft.com/kb/321707/?sd=RMVP&fr=1
How to Hide the Logon Script Dialog Box on a Windows Client:
http://support.microsoft.com/kb/q176197/
If you don't like those... here is a general logon script FAQ:
http://www.rlmueller.net/LogonScriptFAQ.htm
However, I think you have some serious issues that need to be addressed first.
1. Why do users want to prevent these applications from loading?
a. Are these applications relied upon to somehow limit their activity?
b. If so, why not simply use the security policy?
2. Why are users allowed to have multiple profiles?
a. Is this a legacy solution?
b. Is management too weak to enforce anything else?
c. Do you think that this is somehow better?
It sounds to me like you are trying to have better control over your users' environment and to this end you must utilize the group policy. Applications in the start menu, even if you have them set to launch as a different user, can always be prevented from loading.
cheers,
catch
-
October 16th, 2005, 04:06 AM
#10
http://www.amazon.com/gp/reader/1578...66#reader-link
"A manual addressed to the ADP system administrator shall present cautions about functions and privileges that should be controlled when running a secure facility. The procedures for examining and maintaining the audit files as well as the detailed audit record structure for each type of audit event shall be given. The manual shall describe the operator and administrator functions related to security, to include changing the security characteristics of a user. It shall provide guidelines on the consistent and effective use of the protection features of the system, how they interact, how to securely generate a new TCB, and facility procedures, warnings, and privileges that need to be controlled in order to operate the facility in a secure manner. -- ClockworkOrangeBook"