[gptalk] Re: Securing directories from Users

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 28 Mar 2008 09:02:32 -0700

Yes, the Beyondtrust product is a great choice for determining which apps
need admin access to work. But I do agree with Jamie that the problem of
securing the file system becomes much less challenging if the user is not
administrator on their machine. In addition, if they are administrator, and
even the least bit curious, then its important to know that Group Policy is
absolutely worthless in controlling them since they can undo anything that
you impose on them. 

 

So I would definitely the first step of figuring out what you can do to
remove local admin. access from your users, for a lot of reasons. This free
auditing tool can help with that for sure.


Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Joel Calhoun
Sent: Friday, March 28, 2008 8:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Securing directories from Users

 

There was a recent post on Jakob Heidelberg's blog that addressed this issue
by pointing out what looked like a useful piece of free software.

http://heidelbergit.blogspot.com/2008/03/easily-leave-users-with-least-privi
lege.html



On Fri, Mar 28, 2008 at 9:53 AM, Nelson, Jamie R
<Jamie.Nelson@xxxxxxxxxxxxxxxxxxx> wrote:

The easiest thing to do is take away their local admin rights on their
PCs. This can cause some application compatibility issues, but it is
better to try and work those out then continuing to give users those
elevated rights. Applications that still "require" admin rights
(according to the vendor) to run can usually be fixed with the Microsoft
Application Compatibility Toolkit.

If that is not an option for you, you can configure file/folder security
natively in Group Policy under Computer Configuration > Windows Settings
> Security Settings > File System.

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com



-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Sunshine Baines
Sent: Thursday, March 27, 2008 7:48 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Securing directories from Users

I would like to secure the directories on my user's workstations,
without taking away functionality.  I don't want them to be able to
write or delete to the windows and some other directories. Should I do
this through NTFS or group policies?


Thanks,
Sunshine
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at http://www.freelists.org/archives/gptalk/
************************



This e-mail may contain identifiable health information that is subject to
protection under state and federal law. This information is intended to be
for the use of the individual named above. If you are not the intended
recipient, be aware that any disclosure, copying, distribution or use of the
contents of this information is prohibited and may be punishable by law. If
you have received this electronic transmission in error, please notify us
immediately by electronic mail (reply).

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

 

Other related posts: