[THIN] Re: Yahoo messenger

  • From: "Steve Raffensberger" <sraffens1@xxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 16 Dec 2003 10:23:44 -0500

Before you give up, try this...

Run CACLS from the root down on the file system and dump the results to a file.
Search the file for "everyone". The offending permission(s) should show up.

Raff

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew Rogers
Sent: Tuesday, December 16, 2003 9:56 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Yahoo messenger


This is NT4, and I seem to have a rogue Everyone - Full somewhere. Thought
I found it on the shared drive, but that doesn't seem to have got rid of
it! Ho hum, leave it as is I guess :(

Andrew
--o--

>>> sraffens1@xxxxxxxxxxx 16/12/03 14:28:16 >>>
You may be falling into the same trap that I did. When I changed permissions
on "Program Files" to read-only for users via CACLS script, I thought I was
locking it down. Then, some user installed WinRAR from the web. That forced
me to look at it more closely and, sure enough, "Program Files" was still
set to "change" for "Terminal Server Users". No more surprise installs after
setting it to read-only.

Now they copy program files to their HOME directory and execute them from
there.

Raff

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew Rogers
Sent: Tuesday, December 16, 2003 6:38 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Yahoo messenger


Interestingly, I just ran a few experiments on one of our servers - it seems
if I give Domain Users only the R flag (as in Read, yes?) they suddenly have
permission to delete, rename and edit the file!? What the heck's going on
there? :o

Andrew
--o--

>>> Neil.Braebaum@xxxxxxxxxxxxxxxxx 16/12/03 10:17:38 >>>
Basically as one of the last steps of a server build, I just set the
DACLs so that only administrators and system have full control -
"everyone" else has read-only.

All the rest, really, is more user config (mandatory profiles, GPO stuff,
scripting).

I could do the DACLs thing by template and GPO, but as my server count
isn't particularly high, I haven't yet got around to it. Same with
scripting, really, as it's not particularly onerous at the moment, I
don't do anything to automate it.

As to locking down a new implementation, or build - my basic rationale
is that if I can turn something off, or remove it, or hide it, or
prevent access to it - then I do. I only present things on the desktop
that I want them to actually use.

For most of my users, I actually use an HTA on a published desktop - I
leave the start menu / taskbar, so that they can still switch between
apps, but all that's on the start menu is the HTA / desktop, security
(so that they can change their password) and logout. The more you can
tighten down the server, the more you can control what gets run, and
hopefully maintain an expected level of performance. My thinking is (for
terminal server / Citrix implementations) that every mouse-click, every
menu option, every facility available, has to be virtualised and
processed by the server, and that I would be remiss if I didn't control
that as cost-effectively as I could.

Neil

> -----Original Message-----
> From: Andrew Rogers [mailto:Andrew.Rogers@xxxxxxxxxxxxxxxxxx]
> Sent: 16 December 2003 10:09
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Yahoo messenger
>
>
> You'd absolutely balk at our servers then, it sounds like
> these are the absolute opposite of yours :)
>
> Is there any script you run to lock everything down, or some
> sort of process you run through?
>
> Andrew
> --o--
>
> >>> Neil.Braebaum@xxxxxxxxxxxxxxxxx 16/12/03 09:39:40 >>>
> They (the users) can only install software locally to a
> terminal server, if they have the ability to modify HKLM
> (normally) and frequently HKCR. Also, if they have write
> access to the local filesystem(s).
>
> If they can't modify the server, they can't install software
> on the server.
>
> Personally, I've always used mandatory profiles, so my users
> can't permanently modify their profile. And as they have
> read-only access to the local filesystems and registry, they
> can't install software - even if I gave them the facility to
> be able to get software (well I suppose they could be emailed
> something, but their mailbox quotas aren't too huge, and they
> don't get internet access).
>
> Not all software installation follows the path that you can
> easily block via GPOs (i.e. MSI based installers).
>
> If you cannot secure the local server (i.e. filesystem(s) and
> registry), then there is the other option of tightly
> controlling the applications they are allowed to run.
>
> Neil

***********************************************
This e-mail and its attachments are confidential
and are intended for the above named recipient
only. If this has come to you in error, please
notify the sender immediately and delete this
e-mail from your system.
You must take no action based on this, nor must
you copy or disclose it or any part of its contents
to any person or organisation.
Statements and opinions contained in this email may
not necessarily represent those of Littlewoods.
Please note that e-mail communications may be monitored.
The registered office of Littlewoods Limited and its
subsidiaries is 100 Old Hall Street, Liverpool, L70 1AB.
Registered number of Littlewoods Limited is 262152.
************************************************

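The advice in this thread (Raff: dump the ACLs from the root down and search for "everyone"; Neil: leave only administrators and SYSTEM with full control and everyone else read-only; and Raff's trap where "Terminal Server Users" still held "change" on "Program Files") is, as an added example that is not from the list or any of its posters, shown below as a PowerShell audit script. It uses Get-ChildItem and Get-Acl rather than CACLS, so it targets a current Windows Server rather than the NT4 box under discussion. The principal names in `$BroadPrincipals`, the report path and the script name `Find-BroadAcl.ps1` are assumptions; adjust the list to the groups your ordinary users actually belong to. The script flags any Allow ACE that grants one of those broad groups Write, Modify, Delete or FullControl, and prints the non-inherited hits separately, because an explicit ACE is where a rogue "Everyone - Full" entry originates; the inherited copies below it disappear once the explicit one is fixed.

```powershell
# Added example (not from the thread): walk the DACLs from a root down and
# report every ACE that gives a broad principal more than read access.
param(
    [string]$Root   = 'C:\',                        # assumption: start at the drive root, as Raff suggests
    [string]$Report = "$env:TEMP\acl-audit.csv"     # assumption: where the full dump is written
)

# Groups that should only ever hold read/execute on a shared terminal server.
# Assumed names; the third entry is the well-known Terminal Server User SID (S-1-5-13).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\TERMINAL SERVER USER',
    'NT AUTHORITY\Authenticated Users'
)

# Rights that let a user drop or replace executables: the "change"/full-control trap.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

$findings = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        # Some paths are unreadable even to an admin; skip them rather than abort the sweep.
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($BroadPrincipals -notcontains $id) { continue }
            # Keep only ACEs whose rights overlap the write mask (Read/ReadAndExecute alone pass).
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

# Full dump to a file, equivalent to redirecting CACLS output and searching it later.
$findings | Export-Csv -Path $Report -NoTypeInformation

# The explicit (non-inherited) hits are the ones to fix; everything else inherits from them.
Write-Host "Explicit broad-write ACEs under $Root (full report: $Report)"
$findings | Where-Object { -not $_.Inherited } | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated prompt as `.\Find-BroadAcl.ps1 -Root 'C:\Program Files'` to check the one tree from the thread, or with the default root for the whole drive. Inherited entries are still written to the CSV so the report also shows how far a bad explicit ACE has propagated, which is the part that is easy to lose when reading raw CACLS output by eye.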
********************************************************
This Week's Sponsor - 99Point9.Com Emergent Online
EOL Universal Printer 4.0 Has arrived!
http://www.99point9.com/public/products/
*********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm