Group: microsoft.public.windowsxp.security_admin
From: KieronH
Date: Tuesday, October 23, 2007 10:09 AM
Subject: Re: Remove permissions to install software from Power Users group

Hi Steve,
Thanks for the response. I wish that our organisation only had a few
"troublesome" applications that I could analyse with the tool you
recommended, to relax the relevant permissions at my leisure. Unfortunately,
when I tried the lockdown a few months ago, to a limited number of users (30)
and applications, the number of help desk calls generated was unmanageable,
as well as the inconvenience caused to users. So we ended up giving back
users full admin rights (I know, I know - but I inherited this situation) so
that we could all "get back to our day jobs". The majority of the problems
were due to the users having insufficient permissions to local files and
folders. Hence my original query regarding "Power Users" without the rights
to install software - as my main concern at the moment is preventing users
installing software.
I'll look further at the LUABuglight, but I suspect this will be a long,
hard job.

Thanks,
Kieron
--
KieronH


"Steve Riley [MSFT]" wrote:

> That's still not good enough. There are some exploits (I'll leave the
> research up to you, heh) that allow power users to elevate to
> administrators. That's why we've removed power users from Windows Vista.
>
> Instead, demote your users to standard user. Then, for troublesome
> applications, profile them using Aaron Margosis's LUA BugLight tool. This
> will allow you to relax permissions on particular registry keys and files so
> that these apps will run under standard user accounts.
>
> http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
> "KieronH" wrote in message
> news:D09DCD1F-8D92-4D42-AF26-009343861FC2@microsoft.com...
> > Hi Shenan,
> > Thanks for the speedy reply.
> > I too am a firm believer in the "least privileges required" rule -
> > unfortunately we run so many different applications, it would take me many
> > months to identify the user requirements for each application. The Power
> > Users group membership, without the ability to install software, would be a
> > lot more secure than the position we are in currently - i.e. all users are
> > local Administrators.
> > Thanks,
> > Kieron
> > --
> > KieronH
> >
> >
> > "Shenan Stanley" wrote:
> >
> >> KieronH wrote:
> >> > I'm trying to lockdown Windows XP Pro workstations in our Domain.
> >> > I've tried removing users from the PC's local "Administrators"
> >> > group, but this generated lots of problems running applications,
> >> > most of which were associated with insufficient permissions to
> >> > local files and folders.
> >> > I would like to add all domain users to the local "Power Users"
> >> > group (which should be easy to achieve) but remove their ability to
> >> > install software.
> >> > Is there an easy way anyone knows of of removing this "right" from
> >> > the Power Users group?
> >>
> >> When dealing with security - give least privs first and GRANT what is
> >> necessary beyond that. Do not try to work in the opposite direction. You
> >> will end up giving too many rights and possibly - not even know you did it
> >> until things go wrong.
> >>
> >> If they have software that is not working when they are simply 'users' on
> >> the workstation, you should try and discover why (likely file/folder
> >> permissions to the program folders and/or to the All Users profile
> >> directory - MAYBE permissions to a given registry key...) and fix that
> >> instead of continuing to grant the users more rights than they should
> >> have.
> >>
> >> --
> >> Shenan Stanley
> >> MS-MVP
> >> --
> >> How To Ask Questions The Smart Way
> >> http://www.catb.org/~esr/faqs/smart-questions.html
> >>
> >>
> >>
>
