I already posted this in another NG. Sry. No1 replied, that's why I posted
here. I'm new at posting, I'll remember next time to post in multiple ngs
the right way....



Hello,

Just started looking at this ng. I was wondering, in an NT4 domain, do
you guys rely on group policies only for security at the workstations? About
three yrs ago our company finally thought it might be a good idea to implement
security for the night shift users. I went through setting up group policies
for the night shift. I restricted their logins to run only 3 company
programs and removed all the unnecessary stuff such as regedit, run, etc. It
"seemed" like group policies were enough, however I found out it's easy to
get to DOS prompt, other programs, network neighborhood, and local drives. In
addition to group policies, I had to change NTFS permissions on various
exe's and dll's to further "lockdown" the NT4 workstations. I was just
wondering if any1 else does the same thing.

Just in case any1 wants to know, here's our setup :

NT4 Domain
90% of local workstations are NT4 SP6a (not all are patched. However, all
test machines were fully patched.)
1 PDC, 2 BDC SP6a patched.
95% of user profiles are mandatory.


Thanks for any replies

--willc

Re: How do you guys handle security in NT4 domain?? by jcochran

jcochran
Thu Apr 15 12:41:46 CDT 2004

On Thu, 15 Apr 2004 13:22:55 -0400, "willc" <will@nospam.net> wrote:

> Just started looking at this ng. I was wondering, in an NT4 domain, do
>you guys rely on group policies only for security at the workstations? About
>three yrs ago our company finally thought it might be a good idea to implement
>security for the night shift users. I went through setting up group policies
>for the night shift. I restricted their logins to run only 3 company
>programs and removed all the unnecessary stuff such as regedit, run, etc. It
>"seemed" like group policies were enough, however I found out it's easy to
>get to DOS prompt, other programs, network neighborhood, and local drives. In
>addition to group policies, I had to change NTFS permissions on various
>exe's and dll's to further "lockdown" the NT4 workstations. I was just
>wondering if any1 else does the same thing.

We run all users as local admin on the workstations, so we're about as
far the opposite side of the equation as you can get. But policies
don't handle everything and a smart user can bypass a lot of
restrictions. The best security is an audit trail and a clear
employee policy for disciplinary action based on misuse of the
systems.

Jeff

Re: How do you guys handle security in NT4 domain?? by willc

willc
Thu Apr 15 13:39:21 CDT 2004

Thanks for replying.
I hate making users local admins.... When I find a user who needs to be a
local admin I make him/her one until I am able to redo their profile. Lots
of times I find that when a user needs local admin rights it's cuz that user
was a domain admin or local admin on another pc and their profile was
roaming. All I do is delete network profile and redo the user profile. I
also make sure the profile is mandatory. Mandatory are a hassle, but in our
environment I think it's worth it. We aren't running any programs that
require local admin rights. On our win2k pro some programs require users
more local rights, putting them in power users solves it. I don't like that
either, but it's better than editing reg keys so they can have rights to
them.

You are right about having an audit trail and clear employee policy. I never
see the employee policy happening at my job. They just don't understand the
importance of firing "curious" wannabe internal hackers.



"Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
news:4089c8e4.17652763@msnews.microsoft.com...
> On Thu, 15 Apr 2004 13:22:55 -0400, "willc" <will@nospam.net> wrote:
>
> > Just started looking at this ng. I was wondering, in an NT4 domain, do
> >you guys rely on group policies only for security at the workstations? About
> >three yrs ago our company finally thought it might be a good idea to implement
> >security for the night shift users. I went through setting up group policies
> >for the night shift. I restricted their logins to run only 3 company
> >programs and removed all the unnecessary stuff such as regedit, run, etc. It
> >"seemed" like group policies were enough, however I found out it's easy to
> >get to DOS prompt, other programs, network neighborhood, and local drives. In
> >addition to group policies, I had to change NTFS permissions on various
> >exe's and dll's to further "lockdown" the NT4 workstations. I was just
> >wondering if any1 else does the same thing.
>
> We run all users as local admin on the workstations, so we're about as
> far the opposite side of the equation as you can get. But policies
> don't handle everything and a smart user can bypass a lot of
> restrictions. The best security is an audit trail and a clear
> employee policy for disciplinary action based on misuse of the
> systems.
>
> Jeff