  1. #1

    Am I Missing Something?

    Ok, so I have a brand new domain (2012 R2) and W7 clients. I am pushing images out via MDT 2013, mainly Office 2013 and some general software for curriculum. I have set up GPOs for folder redirection, and created a GPO with a few settings for client lock down that applies to everyone, and 3 GPOs for staff, pupils, and a privileged one (ex RM, sorry); these block stuff like regedit and cmd. Again, 3 GPOs for IE lock down. I have deployed printers via GPO; this seems quite nice and reliable.
    Out of the box the network seems quite locked down. I am getting some UAC prompts for standard users, stuff like Java and some IE etc., but is that it? Staff and pupils can run anything in c:\program files but nothing else. Is it that 2012 R2 is locked down out of the box, or should I be doing anything else? I have tested installing software with both staff and pupil test accounts and it's blocked; browsing shares and network connections are blocked too.
    Should I be doing anything else?

    Thanks in advance
    Jetsy

  2. #2 (SYNACK)
    The UAC prompts are only for when software tries to write to protected areas, like updating Java; this can be combated by pushing the updates via GPO constantly and disabling the auto update. You may also need to use GPO to add a few exceptions into the client firewalls to allow certain traffic like network shares through - this should be on by default but it depends on the setup.

  3. Thanks to SYNACK from:

    jertsy (5th August 2014)

  4. #3 (jertsy)

    Quote Originally Posted by SYNACK:
    The UAC prompts are only for when software tries to write to protected areas, like updating Java; this can be combated by pushing the updates via GPO constantly and disabling the auto update. You may also need to use GPO to add a few exceptions into the client firewalls to allow certain traffic like network shares through - this should be on by default but it depends on the setup.
    What I should have done then is disable the updates in Java in my reference image. I need to tweak some other stuff, so I may re-capture in the near future. I have disabled the client firewall; we have a Fortigate firewall via our internet provider though. The reason I did this was to get the System Center EP deploying, and I was advised to disable it by our SIMS support people to allow Solus 3 to work.

    Thanks for the advice SYNACK.

  5. #4 (strawberry)

    May need to unblock some temp files too. Zip files and pcounter use the temp files folder.

  6. Thanks to strawberry from:

    jertsy (5th August 2014)

  7. #5 (jertsy)

    Quote Originally Posted by strawberry:
    May need to unblock some temp files too. Zip files and pcounter use the temp files folder.
    We use papercut here. Is that via file system in GPO?

  8. #6 (SYNACK)

    Disabling the firewall is really only a diagnostic measure; I would not deploy clients like that. It is much better to have the firewall up and allow exceptions. A gateway firewall means nothing if someone brings in a USB key with a virus on it and it bounces about your internal network like a ferret on speed.

    I'd advise pushing Java via GPO too, as it gets updated every week with the next hundred security vulnerabilities. Java is easy enough to push out if you are not customising it: just get the full installers from java.com, run them, and they dump MSIs into the local temp folder that you can deploy.
    Last edited by SYNACK; 5th August 2014 at 08:36 PM.
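    As an added example (not code from any poster in this thread): a PowerShell script that puts a Windows 7 client back to the "firewall on, exceptions allowed" state SYNACK recommends, instead of leaving the firewall off. It drives netsh advfirewall, which exists on Windows 7 (the Net*Firewall* cmdlets need Windows 8/2012 or later); the Papercut port in the usage line is an assumed placeholder, not a value from the thread, and the same settings would normally be pushed by GPO rather than scripted per client.

    ```powershell
    # Added example, not from the thread. Run elevated on a Windows 7 client
    # (or in the reference image before capture) to verify or restore the
    # firewall instead of disabling it outright.

    function Get-FirewallProfileState {
        # Parse the "State ON/OFF" line of each profile from netsh output.
        $out = netsh advfirewall show allprofiles
        $states = @{}
        $current = $null
        foreach ($line in $out) {
            if ($line -match '^(Domain|Private|Public) Profile Settings') {
                $current = $Matches[1]
            }
            elseif ($current -and $line -match '^State\s+(ON|OFF)') {
                $states[$current] = $Matches[1]
            }
        }
        return $states
    }

    function Enable-FirewallWithExceptions {
        param(
            # Built-in rule groups to switch on (network shares, per post #2).
            [string[]]$RuleGroups = @('File and Printer Sharing'),
            # Application ports the site has identified (post #7): hashtables
            # with Name, Port and Proto. Values are assumed placeholders.
            [hashtable[]]$AppPorts = @()
        )
        # 1. Firewall on for every profile; inbound blocked, outbound allowed.
        netsh advfirewall set allprofiles state on | Out-Null
        netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

        # 2. Enable the chosen built-in rule groups on the domain profile only,
        #    so nothing is opened when the laptop is on a home network.
        foreach ($g in $RuleGroups) {
            netsh advfirewall firewall set rule group="$g" profile=domain new enable=yes | Out-Null
        }

        # 3. Explicit inbound rules for the application ports, domain profile only.
        foreach ($app in $AppPorts) {
            netsh advfirewall firewall add rule name="$($app.Name)" dir=in action=allow `
                protocol=$($app.Proto) localport=$($app.Port) profile=domain | Out-Null
        }
        return Get-FirewallProfileState   # expect ON for Domain, Private and Public
    }

    # Usage (port is an assumed placeholder, check the vendor documentation):
    # Enable-FirewallWithExceptions -AppPorts @(@{Name='Papercut client'; Port=9191; Proto='TCP'})
    ```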

  9. #7 (jertsy)

    Hmmm, good point. I will look at what ports said systems need to operate.
    Cheers
