Security Question
Discussion
I've got 2 laptops about to arrive at work. The colleague who will be having one of them seems to have little regard for Anti Virus measures (slows the machine down apparently - tw@t - that's why he keeps uninstalling it !) and has no objection to Kazaa etc on the machine.
I have no problem with him loading some personal software (video editing etc - it is licensed) for use at home as he has no home PC and the laptop will be a work / personal machine.
My question is this :
Is there an easy way for me to let him install his own software, BUT block the installation of Kazaa and other inappropriate software. I am by no means a IT
but I do have an appreciation for Adware and Virus problems and their implications. Can I stop the uninstallation of software like the AV ?
As far as I'm concerned, if the laptop was purely for home use, I'd let him do what he wants, but it's obviously going to be plugged into our network 5 days a week where I can monitor it, but for 2 days & 7 nights I will have no idea what gets installed/run/shared. Am I being a bit paranoid or will this sort of crap spread across a network and cause problems when connected ?
Unfortunately the person involved is my brother, and he has a "Do what I want" type attitude. I've already made it clear that if he does install any crap and problems are caused I will not get involved, but as the designated IT person at work, I just want to cover my back in advance.
Apart from using policies, I don't see how you could do it on a standalone machine..
Probably best way to go about things would be to begin using a formal IT policy, thus putting him in breach of contract if he loads such software...
May be worth considering one if you haven't already got one in place anyway..
HTH,
W
Bugger !
I was hoping to make less work for myself, without auditing etc.
Can I block software uninstallation, the AV (Norton) is a stand alone product rather than held on the network.
At least that way, I can keep the machine relatively safe.
Can the XP installed firewall block access to some sites - kazaa etc ?
Simon.
130tdi said:
Bugger !
I was hoping to make less work for myself, without auditing etc.
Can I block software uninstallation, the AV (Norton) is a stand alone product rather than held on the network.
At least that way, I can keep the machine relatively safe.
Can the XP installed firewall block access to some sites - kazaa etc ?
Simon.
Do you know how he's removing it? If he's using add/remove programs, it's fairly easy to remove an installed application from that list.
_DJ_ said:
Do you know how he's removing it? If he's using add/remove programs, it's fairly easy to remove an installed application from that list.
I'm all ears - can you please elaborate.
I can remove the shortcuts on the desktop and start menu, how can I remove the add/remove list.
More to the point, is it easy to then remove any programs if required and they are not in the add/remove list - for me not him.
130tdi said:
_DJ_ said:
Do you know how he's removing it? If he's using add/remove programs, it's fairly easy to remove an installed application from that list.
I'm all ears - can you please elaborate.
I can remove the shortcuts on the desktop and start menu, how can I remove the add/remove list.
More to the point, is it easy to then remove any programs if required and they are not in the add/remove list - for me not him.
OK, there's a load of ways to achieve this.
If you can do without the add/remove applet you can simply either remove, or repermission (i.e. deny access to his user account and retain it for yourself) appwiz.cpl which is in %systemroot%/system32.
Alternatively, you could just remove that particular application from add/remove programs which is a tad trickier (a little bit of registry hacking).
The more elegant way to do it is to use a policy to hide add/remove programs but you may not be in a position to do that.
Darren.
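The registry route mentioned in the post above (hiding one application from Add/Remove Programs), as an added example that is not part of the original thread. It assumes a Windows version with PowerShell 3 or later rather than the stock XP of the thread; the function name `Set-ArpEntryHidden` and the `*Norton*` pattern are hypothetical, chosen for illustration.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Hides matching entries from Add/Remove Programs without uninstalling anything,
# and returns the uninstall command so the administrator can still remove them.
function Set-ArpEntryHidden {
    param(
        [Parameter(Mandatory)] [string] $NamePattern,  # wildcard, e.g. '*Norton*'
        [switch] $Unhide                               # reverse the change
    )
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }       # WOW6432Node is absent on 32-bit
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            if ($props.DisplayName -notlike $NamePattern) { continue }

            if ($Unhide) {
                Remove-ItemProperty -Path $key.PSPath -Name SystemComponent -ErrorAction SilentlyContinue
            } else {
                # SystemComponent = 1 makes the applet skip this entry; the
                # DisplayName and UninstallString values are left intact.
                Set-ItemProperty -Path $key.PSPath -Name SystemComponent -Value 1 -Type DWord
            }
            # Report what was touched, including the command an admin would run
            # to uninstall the program now that it is no longer listed.
            [pscustomobject]@{
                DisplayName     = $props.DisplayName
                Hidden          = -not $Unhide
                UninstallString = $props.UninstallString
                RegistryKey     = $key.Name
            }
        }
    }
}

# Constructed usage: hide the antivirus entry and keep a record of how to remove it.
Set-ArpEntryHidden -NamePattern '*Norton*' | Format-List
```

This only hides the entry: the uninstaller is still on disk, so it holds only while the other user's account lacks administrator rights.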
The most secure route is through the policy editor, you may like to do as I did, because learning it all takes time.
I created a test account, and played with this till I got the effects I wanted.
I set up my friend's P.C. so his partner couldn't play with anything, she got so annoyed she doesn't go near it now, job done I would say.
You can tie the user down to anything you want, not allowed to add/remove progs, change passwords or anything.
Stick with it and try it one task at a time.......patience my friend you will get there if the need is great enough.
Kevin
Kevin,
Thanks for the idea.
Excuse my ignorance, can it be locked in such a way as to prevent certain programs ? Is there a book on policies that you can recommend ?
As I mentioned, video editing software will be installed along with maybe a few other things, but it's the malicious ones I'm thinking of, the Kazaa's etc.
We are a smallish company and I end up with the IT role almost by default even though my main role is Business Development. I'm just using the logic that prevention is better than cure if I can save myself a job. I'm trying to be realistic that viruses, spyware etc will cause a problem in the future.
Simon
130tdi said:
Kevin,
Thanks for the idea.
Excuse my ignorance, can it be locked in such a way as to prevent certain programs ? Is there a book on policies that you can recommend ?
As I mentioned, video editing software will be installed along with maybe a few other things, but it's the malicious ones I'm thinking of, the Kazaa's etc.
We are a smallish company and I end up with the IT role almost by default even though my main role is Business Development. I'm just using the logic that prevention is better than cure if I can save myself a job. I'm trying to be realistic that viruses, spyware etc will cause a problem in the future.
Simon
You can use a policy to define which applications can run, but not which cannot run.
Dj,
Yes, but removing the icons from startup or hiding the exe folders can be used :-)))
MS has some useful info on policy editing, I just had time to play, so used the MS knowledge base and went for the suck it and see approach.
I for example allowed internet explorer to run, but not have internet access, that way html programmes (help files) would run, but no internet.....the dialup boxes are all greyed out.......lol......
I would print some of the info off, play with one setting at a time in the user profiles and lock it down from there. Remove the guest account, and call the account u want to play with test, can't make mistakes that way....
kevin.
130tdi said:
Kevin,
Thanks for the idea.
Excuse my ignorance, can it be locked in such a way as to prevent certain programs ? Is there a book on policies that you can recommend ?
As I mentioned, video editing software will be installed along with maybe a few other things, but it's the malicious ones I'm thinking of, the Kazaa's etc.
We are a smallish company and I end up with the IT role almost by default even though my main role is Business Development. I'm just using the logic that prevention is better than cure if I can save myself a job. I'm trying to be realistic that viruses, spyware etc will cause a problem in the future.
Simon
unfortunately, microsoft systems are a little too difficult to administer for most laymen IT dudes
try
www.sothin.net
the professional version allows all kinda cool management, including uninstallation prevention
it's £50 but well worth every penny, works with 1 laptop, or 1001 desktops, networked or not
replaces all configuration with simple tick boxes!!
I would concur that the easiest approach would be to give him a login account with limited privileges. If you are happy for him to install certain apps, then you install them for him.
That said, Microshite OS's are easily cracked if you have physical access (i.e. resetting the administrator password etc).
Steve
Not running anti-virus software is just plain stupid. Brother or not, that has to be unacceptable. If he's attaching that laptop to your office network, he is putting everyone at risk. Bottom line is that if someone wants to be irresponsible, they will be. You can put hurdles in their way, like trying to lock down their PC, but ultimately these are only hurdles and they can be overcome by anyone with a bit of determination. Personally I'd try the Australian drink-driving tactic of shaming, e.g. "if you infect the office with a virus you're a XXXXing idiot".
ATG said:
Not running anti-virus software is just plain stupid. Brother or not, that has to be unacceptable. If he's attaching that laptop to your office network, he is putting everyone at risk. Bottom line is that if someone wants to be irresponsible, they will be. You can put hurdles in their way, like trying to lock down their PC, but ultimately these are only hurdles and they can be overcome by anyone with a bit of determination. Personally I'd try the Australian drink-driving tactic of shaming, e.g. "if you infect the office with a virus you're a XXXXing idiot".
The PC's arrived yesterday and after setting them up, I made your exact comment and made sure I had plenty of witnesses - including the MD.
Now let's wait and see how long it lasts . . . . . .
Thanks for all your assistance.
Simon - not holding his breath


