Is it possible to secure a multi-user Windows machine?

Discussion in 'other security issues & news' started by delerious, Nov 12, 2006.

Thread Status:
Not open for further replies.
  1. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Here's what I want to do:

    I want to have a Windows 2000 or XP machine with multiple users on it -- an Administrator and a couple of normal users in the Users group (I won't have anyone in the Power Users group). One of the normal users will just be an account for me (so that I don't have to log in as Administrator), and the other normal user will be for people who come over and want to use the computer.

    I'm wondering if it is possible to set up Windows so that a normal user cannot change any system-wide settings or damage anything besides his own user files?

    Sometimes it is actually possible for a normal user to change settings that they shouldn't be able to change. For example, I used to run BlackIce and I could change all the program settings as a normal user. Also, earlier today I logged in as a normal user and was able to deactivate the AntiVir real-time protection. Talk about poor security, those things should only be changeable by the Administrator! But there is a way to get around that problem -- you have to adjust the permissions on the GUI executables so that normal users cannot run them. But is there a better way to deal with that problem? Otherwise every time I install something I'll have to remember to check if a normal user can change any of the system-wide program settings, and if so, then I'll have to change the permissions so that normal users can't run the GUIs.

    And Windows lets normal users change certain other settings that apply to the entire system (which ideally only the Administrator would be allowed to modify). I remember making a change to a certain TCP/IP setting as a normal user, and then was surprised after I logged in as Administrator and saw that the setting was still changed. Normal users can also adjust the system volume and screen resolution (those ideally should be user-specific settings, but unfortunately they are for all users).

    Is it possible to configure Windows so that normal users can only make changes that affect themselves, and not any system-wide settings? I thought I could set up a multi-user computer and not have to worry about one user making changes that affect other users, but it seems to be much more difficult to achieve in Windows than I thought it would be.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Don't have much time now, but yes.
    The answer is Restriction Policies. I'll elaborate when I have more time, this week is hectic.
    Mrk
     
  3. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Thanks Mrkvonic. I look forward to your reply, when you have more time.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    What you need to do is read articles about Restriction Policies. In Windows XP Pro, you can access them via Start > Run > gpedit.msc.
    The restriction policies are what most HIPS programs do for you via GUI, set rules or restrictions for different parts of your operating system. These settings can be per machine or per user. In your case, you probably want to set global or per machine settings.
    These settings can be simple things - like disabling history or command line or control panel access or even complicated rules like preventing a connection tab in IE, preventing execution of files that are not whitelisted, and much more.
    Start reading, start experimenting to see the effect the restrictions have. Although they require some time to setup fully and properly, they are a cheap and effective way of securing a machine.

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

    Mrk
     
  5. delerious

    delerious Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    130
    Unfortunately it looks like the Software Restriction Policies are only available for Windows XP. I'm running Windows 2000. I only mentioned XP because I figured that if there was a solution for XP, it would also apply to 2000. Guess I was wrong about that. Thanks for the reply, though.
     
Loading...
Thread Status:
Not open for further replies.