[THIN] Re: Installing Programs on the Server

Points taken...However, my original point was that a typical user
(non-administrator) does not have write access to HKLM\Software Key.
Assuming a Windows 2000 Box with SP 3 your permission set for
HKLM\Software is? 

Administrators and System = Full Control
Users and TS Users = Read

(Let's assume you have removed Power Users)

Let's also assume you have created a Global Group named FARM_ACCESS and
a local group named FARM_ACCESS.  Add your GG to LG.

You "lock" down access to "Log on Local" and "Access this computer via
the network" with the FARM_ACCESS and Admins only.  (Normal stuff)

You modify the NTFS permissions on C: to (LG)Farm_access=RO (although
some directories will require change), LocalAdmins=Full,
System=Full.....Let's assume for this exercise that FARM_ACCESS has RO
to Program Files and Administrators + System have Full Control.

The user that logs on has NO administrative rights and NO access to
install programs on the Terminal Server.

For your IE policies you have customized the security settings for
Internet and performed all the "normal" modifications:
Downloads
  Disable File Downloads
  Disable Font Downloads
Active X
  Download unsigned controls = Disabled
  Unsafe controls = Disabled
Misc
  Disable Drag and Drop
  Disable launching applications

Etc...............

In addition, you have made the typical GP adjustments like.........
1.  Deny Access to local drives
2.  Blah...Blah...Blah...

The user should not be able to download or install anything on the
server.

Except, they can goto Hotbar.com and the installation WILL run.  Even
with these restrictions in place the Active X component will install the
program.

As stated earlier, my resolution to this (rather than completely
disallowing internet access), was to leave the Hotbar directory intact
and set Everyone to Deny.  This resolved the problem.  

You should also disable access to the site in Proxy Server or your
Firewall.  I did this on the Proxy Side.

I am interested to know how this program was able to install with all
these restrictions in effect.  I meant to take additional time to
research this but got sidetracked.

Thanks.
Murphy

 
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Braebaum, Neil
Sent: Thursday, February 06, 2003 7:57 AM
To: 'thin@xxxxxxxxxxxxx'


Comments inline...

> -----Original Message-----
> From: Brian Murphy [mailto:bem9127@xxxxxxxxx]
> Sent: 06 February 2003 13:49
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Installing Programs on the Server
> Importance: Low
> 
> You don't seem to need admin rights to install the Hotbar. It uses an 
> ActiveX control for the installation via the website.

Then you need admin rights, and / or conducive DACLs on both (probably)
the local filesystem, and hives of the registry that *users* shouldn't
be able to modify.

> I have seen the problem before.  You can't restrict ActiveX in IE 
> unless you want your users to be prompted every
> 5 seconds when browsing the internet.

You can, unless you don't want to exercise some semblance of control
over what happens with communal server resource. ActiveX can be
restricted by various means - often done at firewall level, never mind
any local restrictions.

> My resolution to the
> problem was to leave the Hotbar directory intact under C:\Program 
> Files and then change the NTFS permissions to "Deny" Everyone.  Then 
> you need to remove the registry key under HKLM\Software and I believe 
> a corresponding key under HKCU\Software

You would allow a normal user to modify HKLM in the first place???

> This will keep them from being able to reinstall because the 
> installation will fail when it tries to reinstall into Program Files.

Stop them in the first place - unless you have a business need for them
to have free reign - in which case perhaps terminal server is not the
most appropriate choice - perhaps a normal desktop / PC solution would
be better.

It's decidedly difficult to manage a scenario where terminal server
users can modify the local server - and it destroys a lot of the
advantages.

Neil

***********************************************************************
This e-mail and its attachments are intended for the above named
recipient(s) only and are confidential and may be privileged.
If they have come to you in error you must take no action based on them,
nor must you copy or disclose them or any part of their contents to any
person or organisation; please notify the sender immediately and delete
this e-mail and its attachments from your computer system.

Please note that Internet communications are not necessarily secure and
may be changed, intercepted or corrupted. We advise that you understand
and observe this lack of security when e-mailing us and we will not
accept any liability for any such changes, interceptions or corruptions.


Although we have taken steps to ensure that this e-mail and its
attachments are free from any virus, we advise that in keeping with good
computing practice the recipient should ensure they are actually virus
free.

Copyright in this e-mail and attachments created by us belongs to
Littlewoods. 

Littlewoods takes steps to prohibit the transmission of offensive,
obscene or discriminatory material.  If this message contains
inappropriate material please forward the e-mail intact to
postmaster@xxxxxxxxxxxxxxxxx and it will be investigated. 
Statements and opinions contained in this e-mail may not necessarily
represent those of Littlewoods.

Please note that e-mail communication may be monitored.

Registered office: 
Littlewoods Retail Limited,
Sir John Moores Building,
100 Old Hall Street,
Liverpool,
L70 1AB
Registered no: 421258  

http://www.littlewoods.com
***********************************************************************
********************************************
This Week's Sponsor: triCerat Inc.
Let triCerat simplify the administration of your Terminal Servers.
http://www.triCerat.com
********************************************

For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode
use the below link:
http://thethin.net/citrixlist.cfm

********************************************
This Week's Sponsor: triCerat Inc.
Let triCerat simplify the administration 
of your Terminal Servers.
http://www.triCerat.com
********************************************

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm

Other related posts: