3

What are some good methods to protect staff machines from the staff who use them? I am looking for something that is totally seamless, that the user would not notice...something that would not hinder performance of the machine and would allow the user read/write access to My Documents, his/her desktop, and a couple of folders in Program Files.

My current setup works well, but there is something about it I am not crazy about:

I have partitioned the drive on the staff machines and am storing all static folders on the D partition. The C partition is protected by Windows Steadystate (Disk Protection only, no restrictions yet) and gets restored at each restart.

As I said, this works, but is there an easier way? In the past we have lost some critical staff machines at the worst possible times to malware.

John Gardeniers
cop1152

4 Answers

8

It's really pretty simple: Don't give the users "Administrator" rights and you're 95% of the way to keeping clean, happy machines.

Don't give them "Power Users" under Windows XP or earlier, either, because that's effectively the same as "Administrator" (it's very, very easy to get to "Administrator" from "Power Users").

Not having "Administrator" rights will be no problem for Microsoft Office. It shouldn't be a problem for any application with a "Designed for Windows XP" or newer logo placard (as running as a limited user is part of the logo requirements). It's going to be incumbent upon you to make sure that other applications function properly, but the trade-off in your time making sure the app works versus cleaning up junked-up PCs later is worth it. There are tools that can help you, too. A great one is Aaron Margosis "LUA Buglight" (see http://nonadmin.editme.com/LUABuglight).

If you find that you need to apply security permission changes to get some programs to work, look at using the file system security settings of group policy to do your dirty-work (assuming you're on an AD domain). Then, at least, you can learn which permissions need to be set once and have group policy consistently re-apply them for you on new computers.

If you're not doing it already, get the user data off the PCs and onto a server computer. Look at using "Folder Redirection" and roaming user profiles to help you with this (assuming, again, you're on an AD domain). Ideally, PCs should be stateless enough that a user can get up, logon to another PC, and have all their data files available. (Application software being available is another story, but there's a "story" for that with software installation policy, too.) I won't go into a big link-fest with these items here, just to keep this answer somewhat on-topic.

If you really want to stop unwanted third-party software, combined with keeping "Administrator" rights away from users you might consider using "Software Restriction Policies" (see http://technet.microsoft.com/en-us/library/bb457006.aspx and http://technet.microsoft.com/en-us/library/cc782792(WS.10).aspx). With software restriction policies in place, a non-administrator user can't execute code outside of the allowed paths (or based on digital signature). Things like Google Chrome, which install in a per-user location (and malicious software of that ilk) won't even function. It's a great feature, and arguably one of the most under-utilized.

Evan Anderson
  • +1 you always give great advice EA. I am still growing into my job title and have come to rely on advice from people like you. I am reading the articles now. Again, thanks. – cop1152 Jun 25 '09 at 14:43
  • Heh heh... It's what I have to "give back" for years of working in dysfunctional IT organizations. Some lessons have to be learned, but those that can be taught I try and teach. *smile* – Evan Anderson Jun 25 '09 at 14:45
  • EA, I can also always rely on you to answer before me and with a better explanation. Thanks for snaking the rep points. – MathewC Jun 25 '09 at 14:52
  • *smile* It's the 7 years of teaching MCSE classes coming out. If I learned anything teaching it was how to answer a lot of questions about Windows and Active Directory quickly and verbosely enough to make it make sense. I still need a few points to get to splattne's score yet, but I'm working on it. – Evan Anderson Jun 25 '09 at 14:55
  • I wouldn't mind having a 'direct line' to Evan..you know...for emergencies. – cop1152 Jun 25 '09 at 16:06
  • @cop1152: That exists-- but it costs money. *smile* Have a look at my profile. – Evan Anderson Jun 25 '09 at 16:31
  • +1 to no admin rights. It really does prevent 95% of problems. – JS. Jun 25 '09 at 17:01
  • +1 for clear and well-thought out answer. – SQLChicken Jul 07 '09 at 13:54
  • The only thing I would add is to not try to protect technical users. If you have engineers or developers, they'll be very frustrated with the restrictions and either figure out how to work around them (leaving the system less protected than it would be if they configured it completely themselves) or end up requisitioning machines that live outside your clean network. Give them reliable backup and unbreakable network storage, and let them go nuts with their own machines. The resulting increase in productivity will more than make up for any downtime they cause themselves. – Ben Voigt Feb 20 '12 at 00:47
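The two controls this answer leans on (no day-to-day Administrator rights, and a default-deny Software Restriction Policy) can be checked on a live machine. The audit script below is an added example, not code from the answer or from Microsoft; it assumes PowerShell 5.1 or later with the LocalAccounts module, an elevated prompt, and an SRP applied through Group Policy or secpol.msc, which stores the policy under the standard Safer\CodeIdentifiers key.

```powershell
# Added example: read-only audit of admin-rights and SRP state on one machine.
# Assumption: SRP was applied via Group Policy / secpol.msc, so it lives here.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# --- 1. Who holds Administrator rights on this box? ---------------------------
# Only the built-in Administrator and Domain Admins are expected; anything
# else (a day-to-day user account, "Everyone", a broad group) needs review.
$expected = '^(.*\\)?(Administrator|Domain Admins)$'
Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object {
        $flag = if ($_.Name -match $expected) { 'expected' } else { 'REVIEW' }
        '{0,-8} {1,-12} {2}' -f $flag, $_.ObjectClass, $_.Name
    }

# --- 2. Is an SRP present, and is its default level "Disallowed"? ------------
# DefaultLevel: 0 = Disallowed (default-deny), 0x20000 = Basic User,
# 0x40000 = Unrestricted (the policy exists but restricts nothing by default).
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$policy = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning 'No Software Restriction Policy is configured on this machine.'
} else {
    $level = [int]$policy.DefaultLevel
    Write-Output ('SRP default level: {0} ({1})' -f $level, $levelNames[$level])
    if ($level -ne 0) {
        Write-Warning 'Default level is not Disallowed; unlisted executables still run.'
    }
    # Path rules are stored per level as <level>\Paths\<guid>, ItemData = path.
    # The Unrestricted (262144) rules are the allow-list. Every path listed there
    # must be read-only for non-admin users, or the policy is trivially bypassed
    # by dropping an executable into it.
    foreach ($lvl in $levelNames.Keys) {
        Get-ChildItem -Path "$srpKey\$lvl\Paths" -ErrorAction SilentlyContinue |
            ForEach-Object {
                $p = (Get-ItemProperty -Path $_.PSPath).ItemData
                '{0,-12} {1}' -f $levelNames[$lvl], $p
            }
    }
}
```

Run it on a freshly imaged PC and on one that has been in service a while; the difference in the first section is usually where the "95%" comes from.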
3

You might also consider redirecting their My Documents and other folders to network locations so you don't have to mess with your partitioning scheme and can simply Steadystate the entire disk.

http://technet.microsoft.com/en-us/library/cc977970.aspx

Also consider use of products like Bluecoat proxy servers to protect your Internet traffic from malicious sites. The proxy can not only scan for signatures using AV protection at the web gateway, but you can also block sites using websense-style category filtering to block access to known malware sites.

Kevin Kuphal
1

Best way to protect machines against staff is stringent permission lockdowns and making sure you're not doling out administrative rights like candy. If they need to do something with NEAR admin rights, assign them to the Power Users group. Make sure your antivirus solution is up to date and running as well.

SQLChicken
1

Make sure that your virus scanner is configured to scan any removable devices plugged into computers. I've had a vendor give us an SD card with Conficker on it because they apparently have poor antivirus policies at their organization. Surprisingly, this was from THE LARGEST company we do business with, a company with well over $100 billion in revenue and 300,000 employees.

phuzion