[THIN] Re: Users installing programs

  • From: Frank Monroe <Frank.Monroe@xxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Thu, 9 Sep 2004 08:01:14 -0500

It depends if the software they are installing writes to that key.  It may
not.  But, if you change the mode to Full Compatibility it also prevents
write access to HKCR and prevents users from writing to system directories
such as program files as well.  Once that is done, they still may be able to
install programs to their network drive(s) or into their profile.  But, they
can't install anything to the server the will affect other users.  They will
also not be prompted for activex controls when in Internet Explorer.
-----Original Message-----
From: Bill Beckett [mailto:Bill.beckett@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, September 09, 2004 8:52 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Users installing programs


Does that actually work anyway? I have HKLM\Software as read only for
everyone except for SYSTEM and administrators and users still install
programs
 
-----Original Message-----
From: Frank Monroe [mailto:Frank.Monroe@xxxxxxxxxxx] 
Sent: Thursday, September 09, 2004 8:40 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Users installing programs


You could.  But if you put the compatibility mode to Full Security, its
already locked down because users are not added to the terminal server users
group.
-----Original Message-----
From: Sheflin, Andrew [mailto:ASheflin@xxxxxxxxxxxxx] 
Sent: Thursday, September 09, 2004 8:35 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs


You can also lock down the permissions in the registry for HKLM/software.
 
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf
Of Frank Monroe
Sent: Thursday September 09, 2004 8:01 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Users installing programs
 
Are these servers NT4 or Windows 2000/2003?.  If they are 2000 or above, go
into terminal services configuration and change your permission
compatibility mode to Full Security.  This will stop them from installing
programs.  You may have to tweak some registry key's security for some
existing programs so that they continue to work.  But fixing that is trivial
if you use regmon. 
-----Original Message-----
From: Jim Abshire [mailto:Jim.Abshire@xxxxxxxxxxx] 
Sent: Wednesday, September 08, 2004 3:54 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Users installing programs
 I have a question, I work for a property management company and we provide
Internet via Citrix to students. I have tried desperately to lock down the
servers but they seem to still be able to install Internet based programs,
(e.g. AOL instant messenger, Poker Party, etc) to name a few. Is there a way
to lock the server down tight so this cannot continue without prohibiting
the users to run necessary programs such as Office?
 
Jim Abshire 
Network Administrator 
Dinerstein Management 
713-570-0373 
 
---SECURITY DISCLAIMER--- This information including any attachments may
contain legally privileged and/or highly confidential information. If you
are not the intended recipient(s), or the employee responsible for delivery
of this message to the intended recipient(s), you are hereby notified that
any dissemination, distribution or copying of this communication and or
attachments is strictly prohibited under State and Federal Laws. If you have
received this communication in error, please immediately notify the sender
and follow appropriate actions for disposal. 

Other related posts: