Show me the best way to configure Limited User A/C.

Discussion in 'other security issues & news' started by chew, Jan 20, 2006.

Thread Status:
Not open for further replies.
  1. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Folks, I want to enhance my Limited User a/c security to the max but am not really sure what exactly the steps I need to take. I mainly log on as LUA with it's default setting without changing anything. So couId you show / advise me on the best way to configure my LUA so the security is to the max please. I do not surf dodgy sites but feel I just need to tighten the security further that's all. The only download I do on my LUA are to update my Firefox extensions, Update AV & Ewido security defs, save documents to LUA's documents and perform CCleaner & MRU Blaster. Please advise. Cheers Chew
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hi,
    Restriction Policies for that account will be extra security.
    Mrk
     
  3. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Thanks Mrkvonic. But where I do I find the restricted Policies to configure? Cheers Chew
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hi,
    Type gpedit.msc in run.
    You'll get to policies management console.
    There you can configure computer or user rules.
    For instance, you can prevent the changing of the homepage, running of exectuables etc. This may be a daunting task at first, but go slowly, read what each option means, and you'll get it.
    To help you get started, here's a few nice ones:

    Local configuration

    These are GLOBAL settings

    Adminstrative templates
    Windows components
    Internet Explorer
    Security Features
    Go over these and lock some of these features if you like - no changing the homepage, no changing the internet options etc.

    User configuration

    These are USER settings

    You probably want to lock the homepage and desktop.
    You probably want to prevent installation and downloads of files.

    Administrative Templates
    Windows Components
    Internet Explorer

    In the right pane you can see now
    Disable the General / Security / Programs etc page - select them all, the user will have no right click option access to IE properties.

    Toolbars
    You might wanna disable custom toolbars?

    Security Features
    Mk Protocol Security Restriction
    Restrict ActiveX install
    Restrict file download
    Local Machine Zone Lockdown Security
    Protection from zone elevation

    Now under Microsoft Management Console:
    You might wanna see several options here - what the local user can or cannot see.

    Windows Installer
    You might wanna prevent removable media for source install.

    Windows Update
    You might wanna force it.

    Under Start Menu and Taskbar
    Loads of nice options, try them.

    Desktop
    You can prohibit changing and moving icons, desktop wallpaper, path to my documents etc.

    Control Panel
    You can prevent access to control panel or hide certain items from it.

    System
    THIS IS VERY IMPORTANT.
    Prevent access to registry editing tools.
    Run only / Don't run ... specific Windows applications - here you can allow only certain applications to be run. NOW BE CAREFUL. IF YOU MAKE THESE CHANGES UNDER LOCAL SETTINGS - THEY WILL AFFECT EVERY USER. MAKE THEM ONLY FOR LOCAL USER. MAKE SURE THAT ADMINISTRATOR HAS MMC.EXE ALLOWED - SO YOU CAN ACCESS AND EDIT THESE OPTIONS. IN WORST CASE, YOU WILL HAVE TO BOOT TO SAFE MODE TO MAKE CHANGES.
    However, this is neat.
    This option only limits Windows Explorer files.
    You can still run them using cmd.exe - so you might wanna not let the local user have this. Plus this does not 'hurt' the Task Manager processes, so your drivers will load.
    Turn Off Autoplay.

    Additionally, there are some very nice tricks:

    First, the user can see his own set of policies by typing rsop.msc in run. You can disable that. You can also disable the command (cmd) and regedit to prevent any tampering. Command lines can also get around some of the restrictions on executables (for desktop), so you might wanna consider this.
    You might also want to disable the mmc.exe (the management console) for the limited user, so they cannot access and try to change anything.

    For your own sake, you can use the policies to disable / enable services, shut down the messenger, prevent tracking of recently opened documents, clear page file on shutdown etc.

    That's it for now.

    Enjoy.

    Mrk
     
  5. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Just to add, this is something I have started delving into and it is VERY effective, I've locked down IE, so users cannot change cookie and security settings, or install additional toolbars.

    Does take a lot of time in testing to make sure things work correctly.
     
  6. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
Loading...
Thread Status:
Not open for further replies.