Published by Beatrix Merritt. Modified over 8 years ago.
1
PC Manager Meeting March 23, 2005
2
Today
- Updates
  - Next Meeting
  - Windows Policy
  - Security
  - Licenses
  - Email
- This Month: Using Admin Rights Only When Needed - Andy Romero
3
Next Meeting
- April 27th
- Securing IE (Joe Klemencic)
4
Windows Policy
- Next Meeting 4/6, 1:30-2:30, WH5SW
- OU for GPOs
- Kiosk Setup Discussion
5
Security
- Security Awareness Day was a success. More brown bags (esp. the user and desktop security courses and Spyware) in the future!
- CST Cookbook
  - 'cookbook' section on the security web site.
  - Call for short security HowTos
  - Example: How to reset XP/2003 local passwords
  - Send the doc or link.
- DOE Baselines
  - Standard Unix/Linux draft done, with Windows to follow.
  - Best for each section to start documenting their standard baseline to be prepared for the future.
- CIS Benchmarks for testing
6
Security
- McAfee problem with LHA handling similar to the Symantec UPX handling last month.
- Remember that Nessus is available to sysadmins to scan their systems. Make use of it!
- Peer review going on right now. Expect changes on the horizon.
7
Licenses
- Symantec Visit April 14th, 1-2:30pm, WH8XO
- Training Reminder! Areas still have training days available!
8
Email Update Anti-Spam Better rules Web page to report spam
9
Main Topic Using Admin Rights Only When Needed Andy Romero
10
Least Privilege Computing with Windows XP
11
Summary
- Least Privilege Computing - Overview
- How to Reduce a User's Privilege
- Creating an "Admin Shell"
- Dealing With Naughty Applications
- Separate Accounts for Special Tasks
12
Least Privilege Computing
- A user should be granted the least privilege level necessary to perform required tasks.
13
Least Privilege Computing... why
- Prevents processes, including malware processes, run by a user from damaging the O/S.
- Prevents processes, including malware processes, run by a user from damaging things that belong to other users of the computer (user profiles).
- Is a proactive measure... prevents problems from happening
- Uses well designed/tested built-in facilities
- Increased uptime
- Reduced support calls, rebuilds and security investigations.
- Eliminates meetings
14
Least Privilege Computing
- Pure Least Privilege Computing is not practical
  - Analyze the user's set of applications in detail
  - Customize every system parameter imaginable so only that set of applications will run.
15
Least Privilege Computing
- Practical Least Privilege Computing
  - Run Windows XP (SP2)
  - Remove General User Accounts from Privileged Groups
    - Administrators
    - Power Users
    - Backup Operators
16
What's Protected
- Operating System Files
- Program Files
- Other Users' Profiles
- Important Areas of the Registry
17
How to reduce a user's privilege
- Avoid embarrassment: make sure you know the Administrator account's password, and also add your workstation support team admins group to the local Administrators group.
- Remove the user from Administrators, Power Users and Backup Operators
  - GUI (lusrmgr.msc)
  - net localgroup Administrators sparky /delete
  - net localgroup "Power Users" sparky /delete
  - GPO - Startup Script
18
Setting up an "admin shell"
- After you reduce your normal account's privilege, you need to configure an "admin shell"
- Add your -admin account to your workstation's local Administrators group
- Log in using your -admin account and do the following
  - Double-click on My Computer
  - Select: Tools-FolderOptions-View
  - Check: Launch Folder Windows In a Separate Process
  - Click: Apply
  - Click: Apply to All Folders
  - Click: OK
- Log in using your normal account
19
Setting up an "admin shell"
- Create a simple script for launching your admin shell (RunExplorerAsAdmin.bat)
  - runas /user:fermi\%USERNAME%-admin "C:\Windows\explorer.exe"
- Run the script
- Create an Admin_Tools folder and add shortcuts
- Add a background bitmap to your Admin Shell
  - Key: HKCU\Software\Microsoft\Internet Explorer\Toolbar
  - Value: (Regsz) Backbitmap= \
20
Dealing With Naughty Applications
- Some applications refuse to run for un-privileged users
  - worst offenders: http://www.threatcode.com/
- Don't Freak-Out... a fix is usually possible
  - Registry / File-System ACL tweak
21
Dealing With Naughty Applications (Helpful Tools)
- http://www.sysinternals.com/ntw2k/utilities.shtml
  - Process Explorer
  - FileMon
  - RegMon
22
Summary: Simple Rules For Proper Account Usage
- Normal User Accounts
  - Should NEVER be members of a privileged group
  - Should be used for doing general tasks (e-mail, web-surfing, documenting, debugging...)
- Admin Accounts
  - Are members of the Administrators group
  - Should NEVER be used for doing general tasks
  - Should NEVER be used to run un-trusted Apps/Installers
- When an admin runs a program, the author of the program, indirectly, becomes an administrator.
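The removal step on slide 17 and the membership rules on slide 22 can be checked mechanically from `net localgroup` output. This is an added example, not part of the original presentation; the sample output is constructed, the `ws-support-admins` group name is hypothetical, and the parser assumes English-locale output.

```python
# Added example: audit `net localgroup` output against the deck's account rules.
PRIVILEGED_GROUPS = ("Administrators", "Power Users", "Backup Operators")
# Assumption: built-in Administrator and a hypothetical support-team group are OK.
ALLOWED = {"administrator", "fermi\\ws-support-admins"}
RULE = "-" * 60 + "\n"
DONE = "The command completed successfully.\n"

# Constructed sample output, as if captured from one workstation.
SAMPLE = {
    "Administrators": (
        "Alias name     Administrators\n"
        "Comment        Administrators have complete and unrestricted access\n"
        "\nMembers\n\n" + RULE +
        "Administrator\nFERMI\\sparky\nFERMI\\sparky-admin\n"
        "FERMI\\ws-support-admins\n" + DONE),
    "Power Users": (
        "Alias name     Power Users\nComment\n\nMembers\n\n" + RULE +
        "FERMI\\sparky\n" + DONE),
}

def parse_members(net_output):
    """Return the member names listed between the dashed rule and the footer."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def is_allowed(member):
    """Allow-listed names, or accounts following the -admin naming convention."""
    name = member.lower()
    return name in ALLOWED or name.endswith("-admin")

def audit(outputs):
    """Map each privileged group to the members that break the rule."""
    findings = {}
    for group in PRIVILEGED_GROUPS:
        bad = [m for m in parse_members(outputs.get(group, "")) if not is_allowed(m)]
        if bad:
            findings[group] = bad
    return findings

def removal_commands(findings):
    """Build the net localgroup commands for a sysadmin to review before running."""
    return ['net localgroup "%s" "%s" /delete' % (g, m)
            for g, members in findings.items() for m in members]

if __name__ == "__main__":
    print("\n".join(removal_commands(audit(SAMPLE))))
```

The `-admin` suffix check only enforces the naming convention; it does not prove the account is a legitimate admin account.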
23
Separate Accounts for Special Tasks
- Finance Management (banking...etc)
  - Why a special acct?
    - General account's profile may contain dangerous slime
  - Characteristics
    - non-Admin
    - Pre-built User Profile, which can't be broken (mandatory)
    - NEVER use this acct for general computing (e-mail....)
- Shared Visitor Account
  - When...Why
    - conference and home systems
    - prevent multiple users from trashing visitor profile
  - Characteristics
    - non-Admin
    - Pre-built User Profile, which can't be broken (mandatory)
  - Caution
    - Warning Banner, "Locally Saved Data Will Self Destruct" !!
24
Creating A Mandatory Profile
- Login using the special account
  - Configure Applications (IE, Office.... etc)
- Login as Administrator
  - ProfileCopy the special account's profile
  - Secure the copied profile
    - rename NTUSER.DAT to NTUSER.MAN
    - Lockdown the copied profile folder tree
  - Set the profile path of the special acct
25
fini