Re: Preventing users on a Domain from installing apps?? in No, I Will Not Fix Your #@$!! Computer http://www.dslreports.com/forum/r20233238 en Fri, 29 Aug 2008 21:11:34 EDT Fri, 29 Aug 2008 21:11:34 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20256905 B :
said by dave See Profile :

Member of Domain Users group and member of the local Administrators group are not mutually exclusive.

At work, I'm in both groups on my desktop machines - which gives me the intended and necessary ability to do what the heck I like on my desktop machines, and very little on the domain.

Which means, in the current case, that the OP needs to check the group memberships that are assigned on the machine in question, not just those assigned in AD.
Yeah, that's what I was saying earlier:

To KoolMoe, it's possible, and unfortunately common, for a Domain User to have administrative rights over his or her given PC. They will have ordinary user rights to server-based and other domain resources, but can install apps and do other damage as if they were administrator...
One way is to launch Control, userpasswords2 and check the local Administrators group... This can be particularly useful for roaming laptops or distant workers (or wild and reckless techies like Dave :) ) who simply can't be feasibly administered centrally.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,20256905 Mon, 31 Mar 2008 10:30:42 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20255858 yaplej : True, but when you create the GPO that installs the application you also might set the directory permissions so that users do have read/write/modify access to the application directory. You also might set the registry permissions for that application also if needed.

If your putting crap in the %windir% though I cannot at least safely give them read/write/modify permissions to that directory. It really makes it hard if your app is trying to read/write/delete stuff there to make the application work with limited permissions.]]> http://www.dslreports.com/forum/remark,20255858 Mon, 31 Mar 2008 01:02:07 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20253367 dave : Member of Domain Users group and member of the local Administrators group are not mutually exclusive.

At work, I'm in both groups on my desktop machines - which gives me the intended and necessary ability to do what the heck I like on my desktop machines, and very little on the domain.

Which means, in the current case, that the OP needs to check the group memberships that are assigned on the machine in question, not just those assigned in AD.]]> http://www.dslreports.com/forum/remark,20253367 Sun, 30 Mar 2008 15:45:04 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20251192 BosstonesOwn : While I agree with you , there are ways around the network restrictions. Mac address blocking is easy. Especially if they are installing wares. Sniff and look for a mac going off the network for any data, clone all the macs bits except 1 and 9 outta 10 times you found a server or device group that is able to get out. Or simple just change the last bit and your unblocked.

The only way is layers one is to null gateway them. bad gateway , or have them use a fake gateway to a pc with no net connection , so they can't figure it out with sniffing. The proxy trick is null if they have decent tech skills. Even 0.0.0.0 proxies can be tunneled out of. But blocking all but certain ports is another layered approach that works in conjunction.

I personally null gateway the boxes anyway especially if they are servers that don't need to go out to the internet. Feed them bad dns entries except for local server names. When I need to update them I use the management nic. Enable it and let the box go do updates. Many of the people don't understand why my servers and workstations have 2 nics. And I use the back up hot swap routers as management.
--
"It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"]]> http://www.dslreports.com/forum/remark,20251192 Sun, 30 Mar 2008 05:56:41 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20245162 Joe12345678 :
said by yaplej See Profile :

I still dont understand why some developers think its a good idea to place files in the windows directory, or in HKLM. What kind of crap is that? Keep your application files in the darn application directory, and HKCU.
limited uses can't write to program files]]> http://www.dslreports.com/forum/remark,20245162 Fri, 28 Mar 2008 23:01:22 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20243662 yaplej : KoolMoe got it right. If they only have Domain User rights then they should not be able to install anything. Thats probably the first thing you need to confirm. Doing everything else would come secondary.

I still dont understand why some developers think its a good idea to place files in the windows directory, or in HKLM. What kind of crap is that? Keep your application files in the darn application directory, and HKCU.]]> http://www.dslreports.com/forum/remark,20243662 Fri, 28 Mar 2008 18:46:06 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20243443 Greg_Z : I would rather run monowall, Smoothwall, or Clark Connect on a machine, but not old. The packages out for them now, especially Clark Connect's latest release are written for 2.4ghz machines with at least 1gb of RAM, and 200gb of drive space for user use. Using the three packages listed, are more robust, then a POS off the shelf Linksys router. And just because Cisco owns the company, does not put those routers that you purchase at BB, or anywhere else in the same league as the Enterprise equipment.]]> http://www.dslreports.com/forum/remark,20243443 Fri, 28 Mar 2008 18:04:13 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20242666 B : I can't imagine why. For a small business with a handful of servers and ordinary network architecture, there's nothing a Snapgear or Sonicwall (or software firewall distribution if you really like that sort of thing) can do that the OP's Linksys BEFSX41 can't, and with equal security.

I think for many IT people it's a matter of pride and of prejudice to disrespect and dismiss Linksys and Netgear out of hand, no puns intended. The things work.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,20242666 Fri, 28 Mar 2008 15:55:59 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20242085 mboy : Linksys as business Grade?

Cisco, of course, but not linksys.

I would DEF not consider that Enterprise Class by any means.

MAYBE switches, but not routing!

I would look at Snapgear for inexpensive, yet powerful enterprise routing/firewalling.]]> http://www.dslreports.com/forum/remark,20242085 Fri, 28 Mar 2008 14:35:06 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20241053 B : Greg you're giving misinformation out.

First, you may not like Cisco/Linksys gear, but repeatedly calling it "Consumer Grade" as if that means anything in particular is a pointless exercise in personal bias. Yes, its feature set is not as complete as an enterprise router or firewall and its build quality may suck. But in this case it's probably perfectly suitable.

Smoothwall, Monowall, or ClarkConnect? Seriously? You'd rather run one of those software apps on an old PC than use a Linksys appliance for a small business? OK... Again, that's your opinion.

But MAC filtering works the same no matter what equipment you do it on. If you set it up so that my PC's Ethernet card can't reach the Internet... it can't reach the Internet! (Unless I change/spoof the MAC address or change NIC cards.) There's no magic in doing it on a PIX.

In other words, how does "MAC scheming" NOT restrict users from downloading? If you block their Internet access (that is, ALL those "certain ports"), it's blocked.

To KoolMoe, it's possible, and unfortunately common, for a Domain User to have administrative rights over his or her given PC. They will have ordinary user rights to server-based and other domain resources, but can install apps and do other damage as if they were administrator...

Edit: Yes, proxying is a more controlled way to limit Internet access, but that has its limitations and may be something the OP isn't interested in doing at present.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,20241053 Fri, 28 Mar 2008 11:51:09 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20240922 KoolMoe : Forgive my noobness, but if your users are running as Domain Users only, then how are they installing applications?

I hear whining from our users monthly about how it sucks they can't install programs - they're all running as Domain Users. In fact, that group seems naturally so restrictive that we have to give them a local admin account to run things like Quickbooks, as it won't run under their domain login.

(side rant: I find it absolutely ridiculous and maddening that ANY program still requires being run with admin privileges in order to work correctly)

We don't use GPOs much at all - a couple basic IE settings is all. I thought running as a Domain User meant you could not do things like running installers, so if your users are, perhaps they've got their mitts on an admin account?
KM]]> http://www.dslreports.com/forum/remark,20240922 Fri, 28 Mar 2008 11:27:30 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20239961 Greg_Z : MAC scheming, will not restrict users from downloading & doing other stuff. It will only restrict at the router, from using certain ports, or connecting equipment, that is not listed in the MAC table. Also, besides the equipment described is nothing more then consumer grade. You need a product such as Smoothwall, Monowall, or Clark Connect, if you want to restrict users.]]> http://www.dslreports.com/forum/remark,20239961 Fri, 28 Mar 2008 07:58:12 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20238892 sporkme :
said by Greg_Z See Profile :

MAC address policies on Consumer Grade equipment can be worked around, and will not restrict persons from downloading, etc. You have to use the correct Proxies, and GPO on a workstation to do it effectively.
Just curious, short of changing the MAC address, how do you bypass that?]]> http://www.dslreports.com/forum/remark,20238892 Thu, 27 Mar 2008 23:20:17 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20237812 Greg_Z : MAC address policies on Consumer Grade equipment can be worked around, and will not restrict persons from downloading, etc. You have to use the correct Proxies, and GPO on a workstation to do it effectively.]]> http://www.dslreports.com/forum/remark,20237812 Thu, 27 Mar 2008 20:35:07 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20235271 amungus : Well, there is one fun way to kill internet access via group policy... set IE to use a proxy of 0.0.0.0 ;)
Other software will still be able to get out, but IE will go nowhere :) ...Now, as long as none of the software you need to use has any "hooks" with IE, or isn't using IE at all, you'd be fine. Keep in mind this wouldn't prevent someone from coming in with a USB drive and portable firefox!

Here's a screenshot that might help.
Open group policy management, find the container you want to edit, right click the script, choose edit...

Of course, there are so many things you can set with GP... you may wish to consider something else than this...
You may want to consider setting many many many things... If you're unsure, read up on it as much as you can, and then start making decisions about where/when to restrict/allow certain things.

Best advice - plan things out as best you can BEFORE you go ahead with any of it...
Click for full size
]]> http://www.dslreports.com/forum/remark,20235271 Thu, 27 Mar 2008 14:22:10 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20235224 B : Sorry but I think you guys are just wrong.

The BEFSX41 seems MORE than capable enough of providing this kind of restriction. There's an entire section on Internet Access Policies (by MAC address) as described in the spec sheet and linked user manual at
»www.linksys.com/servlet/Satellit···76636538

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,20235224 Thu, 27 Mar 2008 14:15:25 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20234687 EGeezer : Concur. With 80 client workstations on a W2K3 domain, use business class equipment and applications. the Sonicwalls, Ciscos and the open source apps you mention are more appropriate.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )]]> http://www.dslreports.com/forum/remark,20234687 Thu, 27 Mar 2008 13:00:54 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20234600 Greg_Z : You cannot do it with that router. You will have to using either Monowall, Smoothwall, or Clark Connect. The router that you have is only good for using in your Home network, not a Business network.]]> http://www.dslreports.com/forum/remark,20234600 Thu, 27 Mar 2008 12:46:56 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20234326 boognish : Yep, going to fix that now.]]> http://www.dslreports.com/forum/remark,20234326 Thu, 27 Mar 2008 12:09:13 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20234244 Drex :
said by boognish See Profile :

Don't know can't you just block out bound port 40 and 443, but you could just put in a bogus gateway if they don't need any sort of access off your network.
I think you mean port 80, right?
--
I gave up drinking and eating bad food. And in 14 days, I had lost 2 weeks.]]> http://www.dslreports.com/forum/remark,20234244 Thu, 27 Mar 2008 11:59:05 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20234161 boognish : Don't know can't you just block out bound port 80 and 443, but you could just put in a bogus gateway if they don't need any sort of access off your network.
--
don't get 2 close 2 my fantasy]]> http://www.dslreports.com/forum/remark,20234161 Thu, 27 Mar 2008 11:47:08 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20233646 slajoh01 : How can I do this configuring a Linksys BEFSX41 Firewall router? Thats the only type of firewall I have.]]> http://www.dslreports.com/forum/remark,20233646 Thu, 27 Mar 2008 10:20:36 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20233486 boognish : Use a proxy server like squid or if they don't need internet access at all block them off at the firewall. That way they can browse internally, but can't play on the net.
--
don't get 2 close 2 my fantasy]]> http://www.dslreports.com/forum/remark,20233486 Thu, 27 Mar 2008 09:42:47 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20233473 slajoh01 : Ok, one question here.
How can I prevent users from browsing the net but ONLY connecting to their programs (sessions) to only to do their work....But NOT browsing.]]> http://www.dslreports.com/forum/remark,20233473 Thu, 27 Mar 2008 09:40:00 EDT Re: Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20233238 Greg_Z : Since you have AD, you are already on the way. There is restrictions in IE, that you will have to set, and also work with other Permissions in the GPO.
»search.microsoft.com/results.asp···irectory]]> http://www.dslreports.com/forum/remark,20233238 Thu, 27 Mar 2008 08:23:48 EDT Preventing users on a Domain from installing apps?? http://www.dslreports.com/forum/remark,20233009 slajoh01 : Hi,

I have around 80 XP workstations on my network.
I have a Windows 2003 Server with AD and all of my users are part of the Domain Users Group.

Now, I have noticed that users are installing programs downloaded from the Internet. How can lock this action down (quickly as possible) if users are in the Domain Users group?

In other words, at home on my own PC, theres two accounts. ADMIN and RESTRICTED USER (which is myself) for daily tasks.
Now on Restricted Users account, of course, it doesn NOT allow me to INSTALL applications unless I use the RUN AS...

How can do the same for users as for my network above?
Because I noticed, even if users are part of the DOMAIN USERS GROUP, they still have access to install programs.]]> http://www.dslreports.com/forum/remark,20233009 Thu, 27 Mar 2008 06:27:47 EDT