running w7 as limited

[gore]

the WTF fairy

LOL! I don't think I've ever quite heard it put that way before lol. Thanks man, I needed a good laugh and that did it for me.

As for the OP; Dude WTF... First rule of being root / admin, is that users are idiots who shouldn't be allowed to do a DAMN THING that isn't required for whatever job they have!

This used to be a Nightmare to enforce back before Windows 7 became an option, and I.... I actually kinda like Windows 7.... Which is weird for me, because I don't like Windows in general.

But Windows 7, they finally stole the right UI to make it look nice, and they even have a "run as" thing that doesn't take learning DOS BS no one ever uses anymore, and even I was shocked to see that when the original version of Unreal Tournament wouldn't work on Windows 7, I simply clicked on a button that it said would check to see if there was a way to run it in another manner, and it worked!

A few clicks, and it said running Unreal Tournament in a Windows 9X manner would let it work, so I tried it, and to my complete and utter astonishment, it worked!

I still think Unix had the right idea about "su" and "sudo" a long time ago, because you can truly get down to it and limit everything you want, which still isn't the same in Windows, but they are finally catching up to the OS they say is "old, archaic, and outdated".... lol.

I like how Microsoft refers to Unix as something that's out dated technology, and totally archaic, and yet, it has features they are just now catching up to.

[Cider]

Yes Yes Gore ofc users shouldnt be allowed to run anything not allowed, I was merely looking for the easiest and simplest solution to admining that if an admin were to sit at the PC in question.

[gore]

Didn't mean it as an insult or anything dude, I was using Protocol #BOFH is all

[westin]

On my network, very few people are local admins. I could probably count them on one hand. [They are using a couple of crappy apps that require admin access to function] No one runs as domain admin unless they are doing tasks that require that authority.

I run as a normal user with local admin rights, but still must elevate my rights to install software, or make changes. I use runas to manage active directory, group policy, DNS, etc.

As bludgeon implied, this keeps people from installing unapproved software.

I also lock most accounts down to where they can only run software that is in a list of approved executables, and prevent any executable from running out of a temp folder.

Since I have been doing this, I have not had one infection. Sure, quite a few users regard me as a nazi, but they are still able to get their work done, and I can focus on more important issues.

[Cider]

Didn't mean it as an insult or anything dude, I was using Protocol #BOFH is all

I also lock most accounts down to where they can only run software that is in a list of approved executables, and prevent any executable from running out of a temp folder.

This is possibly the brainwave I was looking for - applocker I take it?

http://www.microsoft.com/windows/ent...aspx#applocker

[westin]

This is possibly the brainwave I was looking for - applocker I take it?

http://www.microsoft.com/windows/ent...aspx#applocker

That would work, but I actually use GPOs to do this. User Policies > Admin Templates > System > Run only approved Windows executables. [If I remember correctly]

And then I use Software Restriction Policies [in a separate GPO] to keep anything from running out of %temp% and %tmp%. This one can cause problems installing some software, so I keep it as a separate GPO, for easy removal.

[Cider]

That would work, but I actually use GPOs to do this. User Policies > Admin Templates > System > Run only approved Windows executables. [If I remember correctly]

And then I use Software Restriction Policies [in a separate GPO] to keep anything from running out of %temp% and %tmp%. This one can cause problems installing some software, so I keep it as a separate GPO, for easy removal.

Thanks Westin - I went through this a while back but as I dont really admin any GPO's its slipped the mind.

[gore]

Telling EVERY poster to use XP is not only not going to work, it's getting annoying. If they wanted to use XP, they'd use it. And support for XP, and security patches being released for it, it NOT going to last that much longer, so it's also bad advice.

Replying to every post saying to use XP doesn't help at all.

[Cider]

lol what the hell :P +10 to gore ^^

[gore]

Danke schoen

You noticed too huh? Even the thread I had where I was working on a machine got that reply about using XP instead lol.