What’s the deal?
I thought I should post a quick description of what this site is about. Here I’ll post day to day tips and tricks and just keep a log of the system admin work I do. There are a few things that I’ll document which I have found little complete documentation on. I try to logically and methodically go step-by-step through a process from start to end. I always try an explain why something is done the way it is. Although this makes for a lengthier post, I think you will find it valuable in the long run. There is no point just copying and pasting chunks of config files and not understanding what it does.
November 04 2007 06:31 pm
N.H. on 06 Dec 2007 at 1:24 pm #
nice piece on disallowing .exe’s with GPO, i had to point out to my sysadmin today that he could restrict executables with the GPO for flash drives after i VNC’d to my house and ended up with a “proxy” and free reign…i told him about this article and sent a link to him and i said “this problem isn’t just games on a flash drive, its a whole unrestricted computer on a flash drive”.
In the end he still has the problem of students copying over the .exe to the local disk and running the .exe . Only hope then is having the program on a blacklist…too bad windows GPO doesn’t support restriction of copying of certain file types from certain drives
ryan on 06 Dec 2007 at 4:18 pm #
Hi,
Group Policy does allow you to set security restrictions on the file system if these have not been done initially.
Just go to “Computer Configuration > Windows Settings > Security Settings > File System”.
In here you can add drives and folders and apply file level security on them. The easiest option would be to add C:\ and only allow full access to administrators and only read access to students.
This could break a few things if there are applications that require write permission to the local HDD. In these cases, you can again add a new folder rule (EG: C:\Program Files\Dodgey App) and allow full control over that folder. Students still could copy their programs to there, but there is a lesser chance that it will get found. You can also add individual files and apply security settings on thouse, (EG: C:\Program Files\Dodgey App\db.txt) so if it is a log or database file that needs write permissions, then you can just add the file.
Hope this helps
Ryan
N.H. on 12 Dec 2007 at 3:21 am #
unfortunatly with the schools poorly planned infrastructure all the work required to disallow and then allow only specific applications write access would take days of deskwork and on top of that new applications that a faculty or staff needs to use are installed almost daily on one or more computers througout the district…it just means i’m always gaunteed unlimited access to any resource as long as i have a flash drive or CD on hand and the district doesn’t decide to lock my account out completely
thanks anyway ill keep that in mind if i ever build my own network!
Tom on 31 Jan 2010 at 5:05 pm #
Windows and the applications can often give you a hard time when you try to secure the environment. Least or minimum rights is always preferred, imho.
On a site note, Full Control when speaking in windows permission is rarely needed as this makes you capable of taking ownership, giving permissions to other, etc. So Read/Write for the students should be pretty ok for those things they HAVE to write to.
Cheers
Abbas on 12 Feb 2010 at 11:56 pm #
I just came across your site and like the ideology on understanding how and why stuff works instead of cramming things up. It makes you more creative and eulogistic by creating more sense. From a technical point of view and level of Linux knowledge you’ve, I would recommend you to go for RHCE, if you ever plan for it.
Kudos and cheers.
ryan on 13 Feb 2010 at 3:59 am #
Appreciate the kind words, Ill try to keep it up!
Ryan