[THIN] Re: Yahoo messenger

  • From: "Lutz, Ken" <KLUTZ@xxxxxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 16 Dec 2003 07:37:57 -0800

Neil:  I'd love to be able to have that much control over my Citrix servers,
but the truth is that I work for a local government with elected officials that
don't always agree on what I can lock down.  So I wind up caught in the middle.
I have to try to keep everyone happy while at the same time protecting the
systems.  It gets difficult at times.  Because of this I also have a number of
applications (in house) that require the ability to write to certain
sub-folders in the program files directory.  I try to keep things locked down
there as best I can.

Ken ...

-----Original Message-----
From: Braebaum, Neil [mailto:Neil.Braebaum@xxxxxxxxxxxxxxxxx] 
Sent: Tuesday, December 16, 2003 2:18 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Yahoo messenger


Basically as one of the last steps of a server build, I just set the DACLs so
that only administrators and system have full control - "everyone" else has
read-only.

All the rest, really is more user config (mandatory profiles, GPO stuff,
scripting).

I could do the DACLs thing by template and GPO, but as my server count isn't
particularly high, I haven't yet got around to it. Same with scripting, really,
as it's not particularly onerous at the moment, I don't do anything to automate
it.

As to locking down a new implementation, or build - my basic rationale is that
if I can turn something off, or remove it, or hide it, or prevent access to it
- then I do. I only present things on the desktop that I want them to actually
use.

For most of my users, I actually use an HTA on a published desktop - I leave the
start menu / taskbar, so that they can still switch between apps, but all
that's on the start menu is the HTA / desktop, security (so that they can
change their password) and logout. The more you can tighten down the server,
the more you can control what gets run, and hopefully maintain an expected
level of performance. My thinking is (for terminal server / Citrix
implementations) that every mouse-click, every menu option, every facility
available, has to be virtualised and processed by the server, and that I would
be remiss if I didn't control that as cost-effectively as I could.

Neil

> -----Original Message-----
> From: Andrew Rogers [mailto:Andrew.Rogers@xxxxxxxxxxxxxxxxxx]
> Sent: 16 December 2003 10:09
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Yahoo messenger
> 
> 
> You'd absolutely balk at our servers then, it sounds like
> these are the absolute opposite of yours :)
> 
> Is there any script you run to lock everything down, or some
> sort of process you run through?
> 
> Andrew
> --o--
> 
> >>> Neil.Braebaum@xxxxxxxxxxxxxxxxx 16/12/03 09:39:40 >>>
> They (the users) can only install software locally to a
> terminal server, if they have the ability to modify HKLM 
> (normally) and frequently HKCR. Also, if they have write 
> access to the local filesystem(s).
>  
> If they can't modify the server, they can't install software
> on the server.
>  
> Personally, I've always used mandatory profiles, so my users
> can't permanently modify their profile. And as they have 
> read-only access to the local filesystems and registry, they 
> can't install software - even if I gave them the facility to 
> be able to get software (well I suppose they could be emailed 
> something, but their mailbox quotas aren't too huge, and they 
> don't get internet access).
>  
> Not all software installation follows the path that you can
> easily block via GPOs (ie MSI based installers).
>  
> If you cannot secure the local server (ie filesystem(s) and
> registry), then there is the other option of tightly 
> controlling the applications they are allowed to run.
>  
> Neil

***********************************************
This e-mail and its attachments are confidential
and are intended for the above named recipient
only. If this has come to you in error, please 
notify the sender immediately and delete this 
e-mail from your system.
You must take no action based on this, nor must 
you copy or disclose it or any part of its contents 
to any person or organisation.
Statements and opinions contained in this email may 
not necessarily represent those of Littlewoods.
Please note that e-mail communications may be monitored.
The registered office of Littlewoods Limited and its subsidiaries is 100 Old
Hall Street, Liverpool, L70 1AB. Registered number of Littlewoods Limited is
262152.
************************************************
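An added example, not code from the thread or from Neil's build process: it applies the DACL policy Neil describes (Administrators and SYSTEM full control, ordinary users read-only) to a folder tree with PowerShell, then carves out the one writable sub-folder an in-house application of the kind Ken mentions needs, and finally audits where users can still write. The paths, the choice of BUILTIN\Users as "everyone else", and the function names are assumptions.

```powershell
# Added example (not from the thread): Neil's DACL policy plus Ken's exception.
# Assumes Windows PowerShell 5.1 or later, run as a local administrator.
$Root              = 'C:\Program Files'                      # assumed tree to lock down
$WritableSubfolder = 'C:\Program Files\InHouseApp\Data'      # assumed in-house app data dir
$UsersGroup        = 'BUILTIN\Users'                         # "everyone else" on the server

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $propagate, $allow)
}

function Set-LockedDownAcl([string]$Path) {
    $acl = Get-Acl -Path $Path
    # Break inheritance and drop every existing ACE, so no leftover grant
    # (CREATOR OWNER, Power Users, etc.) survives the lockdown by accident.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
    $acl.AddAccessRule((New-Ace $UsersGroup              'ReadAndExecute'))
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-WritableSubfolder([string]$Path) {
    # Keep the inherited read-only ACEs; add one Modify grant scoped to this
    # sub-tree only, so the exception is as narrow as the application allows.
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-Ace $UsersGroup 'Modify'))
    Set-Acl -Path $Path -AclObject $acl
}

function Find-UserWritableFolders([string]$Path) {
    # Audit: list every folder under $Path where users hold write-class rights,
    # so each exception stays a deliberate decision rather than an accident.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            (Get-Acl -Path $_.FullName).Access | Where-Object {
                $_.IdentityReference -eq $UsersGroup -and
                $_.AccessControlType -eq 'Allow' -and
                ([int]($_.FileSystemRights -band $writeMask)) -ne 0
            }
        } | Select-Object -ExpandProperty FullName
}

Set-LockedDownAcl $Root
Grant-WritableSubfolder $WritableSubfolder
Find-UserWritableFolders $Root
```

On current Windows versions, clearing every ACE on Program Files also removes the TrustedInstaller entry that servicing relies on, so trial this on a build server and scope $Root to the application folders you actually control.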

********************************************************
This Week's Sponsor - 99Point9.Com Emergent Online
EOL Universal Printer 4.0 Has arrived! http://www.99point9.com/public/products/
*********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm