slajoh01

join:2005-04-23

Preventing users on a Domain from installing apps??

Hi,

I have around 80 XP workstations on my network.
I have a Windows 2003 Server with AD and all of my users are part of the Domain Users Group.

Now, I have noticed that users are installing programs downloaded from the Internet. How can I lock this action down (as quickly as possible) if users are in the Domain Users group?

In other words, at home on my own PC, there are two accounts: ADMIN and RESTRICTED USER (which is myself) for daily tasks.
Now on the Restricted User account, of course, it does NOT allow me to INSTALL applications unless I use the RUN AS...

How can I do the same for the users on my network above?
Because I noticed, even if users are part of the DOMAIN USERS GROUP, they still have access to install programs.


Greg_Z
Premium
join:2001-08-08
Springfield, IL
·Comcast
·Vonage
·Insight Communicat..


edit:
March 27th, @08:26AM

Since you have AD, you are already on the way. There are restrictions in IE that you will have to set, and also work with other permissions in the GPO.
»search.microsoft.com/results.asp···irectory

slajoh01

join:2005-04-23
Ok, one question here.
How can I prevent users from browsing the net, ONLY connecting to their programs (sessions) to do their work... but NOT browsing?


boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:
Use a proxy server like squid or if they don't need internet access at all block them off at the firewall. That way they can browse internally, but can't play on the net.
--
don't get 2 close 2 my fantasy

slajoh01

join:2005-04-23
How can I do this by configuring a Linksys BEFSX41 Firewall router? That's the only type of firewall I have.


boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:

edit:
March 27th, @12:09PM

Don't know; can't you just block outbound port 80 and 443? But you could just put in a bogus gateway if they don't need any sort of access off your network.
--
don't get 2 close 2 my fantasy


Drex
Beer..It's What's For Dinner
Premium
join:2000-02-24
La Place, LA
·AT&T Southeast

said by boognish:

Don't know; can't you just block outbound port 40 and 443? But you could just put in a bogus gateway if they don't need any sort of access off your network.
I think you mean port 80, right?
--
I gave up drinking and eating bad food. And in 14 days, I had lost 2 weeks.


boognish
Premium
join:2001-09-26
Baton Rouge, LA
clubs:
Yep, going to fix that now.


Greg_Z
Premium
join:2001-08-08
Springfield, IL
reply to slajoh01
You cannot do it with that router. You will have to use either Monowall, Smoothwall, or Clark Connect. The router that you have is only good for use in your home network, not a business network.


EGeezer
Spring is here
Premium
join:2002-08-04
Central Ohio
clubs:
·RoadRunner Cable
·AT&T CallVantage

Concur. With 80 client workstations on a W2K3 domain, use business class equipment and applications. The Sonicwalls, Ciscos and the open source apps you mention are more appropriate.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

B
Premium,MVM
join:2000-10-28

Sorry but I think you guys are just wrong.

The BEFSX41 seems MORE than capable enough of providing this kind of restriction. There's an entire section on Internet Access Policies (by MAC address) as described in the spec sheet and linked user manual at
»www.linksys.com/servlet/Satellit···76636538

-- B
--
In a realm outside causality and function

amungus
Premium
join:2004-11-26
America
clubs:
·Cox HSI

reply to slajoh01
Well, there is one fun way to kill internet access via group policy... set IE to use a proxy of 0.0.0.0
Other software will still be able to get out, but IE will go nowhere ...Now, as long as none of the software you need to use has any "hooks" with IE, or isn't using IE at all, you'd be fine. Keep in mind this wouldn't prevent someone from coming in with a USB drive and portable firefox!

Here's a screenshot that might help.
Open group policy management, find the container you want to edit, right click the script, choose edit...

Of course, there are so many things you can set with GP... you may wish to consider something else than this...
You may want to consider setting many many many things... If you're unsure, read up on it as much as you can, and then start making decisions about where/when to restrict/allow certain things.

Best advice - plan things out as best you can BEFORE you go ahead with any of it...


Greg_Z
Premium
join:2001-08-08
Springfield, IL
reply to B
MAC address policies on Consumer Grade equipment can be worked around, and will not restrict persons from downloading, etc. You have to use the correct Proxies, and GPO on a workstation to do it effectively.


sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Netcong, NJ

said by Greg_Z:

MAC address policies on Consumer Grade equipment can be worked around, and will not restrict persons from downloading, etc. You have to use the correct Proxies, and GPO on a workstation to do it effectively.
Just curious, short of changing the MAC address, how do you bypass that?


Greg_Z
Premium
join:2001-08-08
Springfield, IL
·Comcast
·Vonage
·Insight Communicat..

MAC scheming will not restrict users from downloading & doing other stuff. It will only restrict, at the router, from using certain ports or connecting equipment that is not listed in the MAC table. Also, besides, the equipment described is nothing more than consumer grade. You need a product such as Smoothwall, Monowall, or Clark Connect if you want to restrict users.


KoolMoe
Aw Man
Premium
join:2001-02-14
Annapolis, MD
clubs:
·SUNROCKET
·Speakeasy

reply to slajoh01
Forgive my noobness, but if your users are running as Domain Users only, then how are they installing applications?

I hear whining from our users monthly about how it sucks they can't install programs - they're all running as Domain Users. In fact, that group seems naturally so restrictive that we have to give them a local admin account to run things like Quickbooks, as it won't run under their domain login.

(side rant: I find it absolutely ridiculous and maddening that ANY program still requires being run with admin privileges in order to work correctly)

We don't use GPOs much at all - a couple basic IE settings is all. I thought running as a Domain User meant you could not do things like running installers, so if your users are, perhaps they've got their mitts on an admin account?
KM

B
Premium,MVM
join:2000-10-28


edit:
March 28th, @11:53AM

reply to Greg_Z
Greg, you're giving misinformation out.

First, you may not like Cisco/Linksys gear, but repeatedly calling it "Consumer Grade" as if that means anything in particular is a pointless exercise in personal bias. Yes, its feature set is not as complete as an enterprise router or firewall and its build quality may suck. But in this case it's probably perfectly suitable.

Smoothwall, Monowall, or ClarkConnect? Seriously? You'd rather run one of those software apps on an old PC than use a Linksys appliance for a small business? OK... Again, that's your opinion.

But MAC filtering works the same no matter what equipment you do it on. If you set it up so that my PC's Ethernet card can't reach the Internet... it can't reach the Internet! (Unless I change/spoof the MAC address or change NIC cards.) There's no magic in doing it on a PIX.

In other words, how does "MAC scheming" NOT restrict users from downloading? If you block their Internet access (that is, ALL those "certain ports"), it's blocked.

To KoolMoe, it's possible, and unfortunately common, for a Domain User to have administrative rights over his or her given PC. They will have ordinary user rights to server-based and other domain resources, but can install apps and do other damage as if they were administrator...

Edit: Yes, proxying is a more controlled way to limit Internet access, but that has its limitations and may be something the OP isn't interested in doing at present.

-- B
--
In a realm outside causality and function
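
B's point above, that a Domain User can hold administrative rights on his or her own PC, can be checked on each workstation by reviewing the local Administrators group. The following is an added example, not part of any post in this thread; the function name `Get-LocalAdminFindings`, the domain `CORP`, the account `jsmith` and the allowed baseline are assumptions, and the sample text is constructed.

```powershell
# Added example: flag broad or unexpected members of the local Administrators group.
# Input is the text printed by `net localgroup Administrators` on a workstation.
function Get-LocalAdminFindings {
    param(
        [string[]]$NetOutput,   # lines of `net localgroup Administrators` output
        [string[]]$Allowed = @('Administrator', 'CORP\Domain Admins')   # assumed baseline
    )
    # Groups whose presence makes every ordinary logged-on user a local admin.
    $broad = 'Domain Users', 'Authenticated Users', 'Everyone', 'INTERACTIVE'

    $inMembers = $false
    foreach ($line in $NetOutput) {
        $entry = $line.Trim()
        # The dashed rule marks the start of the member list.
        if ($entry -match '^-{5,}$') { $inMembers = $true; continue }
        if (-not $inMembers -or $entry -eq '') { continue }
        if ($entry -like 'The command completed*') { break }

        $name = ($entry -split '\\')[-1]    # drop the DOMAIN\ prefix
        if ($broad -contains $name) {
            $severity = 'HIGH'              # all users are effectively admins
        } elseif ($Allowed -contains $entry) {
            continue                        # expected member, nothing to report
        } else {
            $severity = 'REVIEW'            # individual account or unknown group
        }
        New-Object PSObject -Property @{ Member = $entry; Severity = $severity }
    }
}

# Constructed sample output (CORP and jsmith are placeholder names).
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\Domain Users
CORP\jsmith
The command completed successfully.
'@ -split '\r?\n'

Get-LocalAdminFindings -NetOutput $sample | Format-Table Member, Severity -AutoSize
# On a live workstation: Get-LocalAdminFindings -NetOutput (net localgroup Administrators)
```

On the sample this reports `CORP\Domain Users` as HIGH and `CORP\jsmith` as REVIEW; removing such entries is what leaves ordinary domain accounts unable to run installers.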


mboy
Premium
join:2001-04-13
Little Falls, NJ

Linksys as business Grade?

Cisco, of course, but not Linksys.

I would DEF not consider that Enterprise Class by any means.

MAYBE switches, but not routing!

I would look at Snapgear for inexpensive, yet powerful enterprise routing/firewalling.

B
Premium,MVM
join:2000-10-28

I can't imagine why. For a small business with a handful of servers and ordinary network architecture, there's nothing a Snapgear or Sonicwall (or software firewall distribution if you really like that sort of thing) can do that the OP's Linksys BEFSX41 can't, and with equal security.

I think for many IT people it's a matter of pride and of prejudice to disrespect and dismiss Linksys and Netgear out of hand, no puns intended. The things work.

-- B
--
In a realm outside causality and function


Greg_Z
Premium
join:2001-08-08
Springfield, IL
·Comcast
·Vonage
·Insight Communicat..

reply to B
I would rather run Monowall, Smoothwall, or Clark Connect on a machine, but not an old one. The packages out for them now, especially Clark Connect's latest release, are written for 2.4GHz machines with at least 1GB of RAM and 200GB of drive space for user use. The three packages listed are more robust than a POS off-the-shelf Linksys router. And just because Cisco owns the company, that does not put those routers that you purchase at BB, or anywhere else, in the same league as the Enterprise equipment.