Hello All,

I run a small network for the employees' social club of a large company,
which consists of 1 Windows Server 2003 SP1 and several client computers
running Windows XP Pro.

The client computers are mainly provided for members of the social club to
pass their downtime, such as lunch breaks, by surfing the Internet, and are
thought to have been severely restricted using GPs so as to prevent
modification of the client computer, networking and server systems and
hopefully to assist in the prevention of computer virus infection and the
installation of illegal software. Members are also prevented from logging on
to the local computer using GP.

Restrictions thought to have been enforced include only granting members
access to their own directories, the Intranet and the Internet; members
cannot see the local hard drives, all system control panels are hidden
except where only personal choice options are available, such as selecting
the autotype feature in Internet Explorer, there is no access to the command
prompt, etc.

From what I can see there is no way to create new folders and store files on
the local computer nor the ability to install unauthorised software, but
every so often when I scan the client hard drives they seem to be doing
exactly that!

Of greatest concern is that during one of these scans I came across
"TweakUI".

I think I came across somewhere that TweakUI cannot be prevented from
running on the local computers and that all you can do is ensure continuing
refresh of the Active Directory group policies.


My question is:

"What settings can I check are in place regarding the relevant GPs within
AD to ensure TweakUI or any similar software cannot be used to break the
integrity of the computer network?"

Thanking you for your assistance

David Sharman
Regional Computer Services

Re: TweakUI and Security by Steven

Steven
Thu Sep 07 22:52:14 CDT 2006

Group Policy alone should not be used to restrict a user's access to a
computer. Make sure that NTFS permissions do not allow users to write to
places that you do not want them to. In a default installation a user can
write to their user profile under Documents and Settings, the Documents and
Settings\All Users\Shared Documents folder, and the drive/root folder if you
check the special permissions to it. In addition to NTFS you can use
Software Restriction Policies to prevent unauthorized software from being
run, with path/hash/certificate rules and a default unrestricted or
disallowed security level. The link below explains much more on SRP. When
configuring them, checking the application log for SRP events can help you
tweak SRP rules. Keep in mind that desktop/menu shortcut .lnk files are
by default restricted by SRP in file types.

Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
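
One way to check the NTFS side of the advice above, as an added example that is not part of the original thread: a PowerShell script that lists folders where broad groups hold an Allow ACE for creating files or subfolders. It assumes PowerShell 3.0 or later is installed on the client; the scan root and the group names are placeholders to adjust.

```powershell
# Added example, not from the thread. Run elevated so every ACL can be read.
# $Root and $Principals are assumptions; add your club-member domain group.
param(
    [string]$Root = 'C:\',
    [string[]]$Principals = @('Everyone', 'BUILTIN\Users',
                              'NT AUTHORITY\Authenticated Users',
                              'NT AUTHORITY\INTERACTIVE')
)

$fs = [System.Security.AccessControl.FileSystemRights]
# Rights that let someone drop a file or create a subfolder in a directory.
# 0x40000000 / 0x10000000 are the raw GENERIC_WRITE / GENERIC_ALL bits, which
# Get-Acl can return unmapped on some ACEs.
$writeMask = [int]$fs::CreateFiles -bor [int]$fs::CreateDirectories -bor
             0x40000000 -bor 0x10000000

function Get-UserWritableAce {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $Path"; return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        # An InheritOnly ACE applies to children, not to this folder itself.
        if ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Reports Allow ACEs only; it does not compute effective access (Deny ACEs,
# nested group membership), so treat each hit as a folder to review.
$children = Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue
$dirs = @($Root) + @($children | ForEach-Object { $_.FullName })
$dirs | ForEach-Object { Get-UserWritableAce -Path $_ } |
    Sort-Object Path | Format-Table Path, Identity, Rights -AutoSize
```

Any folder it reports that is also covered by an Unrestricted SRP path rule deserves a tighter ACL or a narrower rule.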
