Hi we have a major issue where pupils are able to access the c drive even though we have group policies in place to restrict access to the c drive. What they do is enable web toolbar in word and then in the bar type in a command that allows them to access utils like command.com What i have also noticed is that they have found a way around the security and are able to install games to the c drive. I think they are able to install these game via command.com
all our pcs are xp pro
I think viewing the C: drive is quite useful for users. However, the only place they need to be able to write to is the c:\documents and settings\<username>
(There are a few exceptions such as c:\windows\temp and the help folder)
You can set these permissions in group policy. Basically propagate SYSTEM:F and ADMINISTRATOR:F, EVERYONE:R and then add the items listed above as EVERYONE:C.
Nail that Jelly to the ceiling!
-Kev
If it gets out of hand, ditch Office until you can find the relevant settings to fix it - StarOffice and OpenOffice both come as MSIs so can be easily deployed using a GPO.
You could also use software restriction to stop the little darlings running cmd.exe
The Office ADM templates allow you to lock this down. Another favorite of the little darlings is to use the 'Get clipart online' option if they have been denied access to the internet. The system, not the user then opens IE and authenticates web access. Clever. ADM templates fix this too.
I've never noticed this in GP before. Where and how do you do this? Thanks.Originally Posted by kevinmcaleer
There are many flaws in GP's and ways to bypass them. Looking in the logs i can see all sorts of very hand methods to bypass GP security; the pupils are very annoying. Anyway, the answer is to either ditch office like someone mentioned, or get another security tool, see wicky for details on apps for this purpose.
website: Security tools on the wicky!
Some of these are likely to help.
thanks for the range of selections folks.
i did find this site this morning
http://www.addbalance.com/word/webtoolbar.htm
i am hoping to test it on a few client pc's next week.
jonny_valentine you mentioned that there are many flaws in GP's and way to bypass them. Do you know of any utilities or sites that expand on this?
In the computers configuration, Windows Settings, Security Settings and then file System, Just add the files you want to protect or unprotect.
for the full official article see:
http://www.microsoft.com/technet/pro...c888be525.mspx
Pupils can't get round file permissions, once they are set, they are set. Registry settings can also be protected with permissions, thus preventing entries from being changed.
you really can lock down workstations with this, if you implement the correct settings.
-Kev
projector1: I dont know off hand of any websites that go through all the flaws in GPO's, i could post some impero logs of a few pupils' computer activity showing step by step, how they bypass certain policies, but someone would probably moan saying im advertising.
One quick simple hak (i thought was an old & obvious one) that you all may wanna try is, goto m$ word, write something, right click and add hyperlink, type c: and click ok. Then follow the link in word to the c: drive. There may be a policy to stop this but from the ones ive got in place at one school, you wouldnt think the above could be done, since the c: drive is hidden and so on, but it does work.
The wiki had links on to software that can stop this kind of thing, but someone called mark, kindly removed the links because it was on there twice, once under internet security/monitoring and once under desktop security.. this is obviously not allowed even though the software does cover both.. :?
uncalled for jonny....
also i have sorted that out if check your pm or read top of the wiki page you will see what i have done.The wiki had links on to software that can stop this kind of thing, but someone called mark, kindly removed the links because it was on there twice, once under internet security/monitoring and once under desktop security.. this is obviously not allowed even though the software does cover both.. :?
hope that is sorted
Russ
I editid the wiki page because Johnny entered his company 4 times when 1 entry would have been enough. And indeed answered the question just as well with just the one link as it did with many.
All the other main software suites at the top of the wiki also do other things, but were not linked to in every section of the page.
The blurb entered by johhny about his software was not factual but pure salesmanship.
Johnny is being entirely antagonistic towards me in his posting for what reason?
I object to your wiki revision Russ. If your going to mention Johnny's software so many times, and remember we don't have a genuine review of the software as we have there of the others, just Johnny's sales blurb, you MUST give equal weight to everything else. The wiki page is supposed to be about Ranger remember. It seems to me that you are making exceptions because of his bullying tactics.
I wanted to keep this private and did pm Dos_Box about it. But now it's public I had to explain myself.
Many thanks for that Kev. The wonders and depths of GP - about time I read a book on it I think!
You might want to peek at Windows Server Hacks or the Active Directory Cookbook books by O'Reily. They both cover Group Policies in detail.
oh, i see so edugeek is now rangergeek???
Russ: you know im right ;p
Mark: didnt mean to cause a fuss, sorry. I've edited the wiki myself, i think maybe the top part should be completely removed and put each in its respective subject? That way there arent any repeats, i duno. Imo, it would be better to know which catagory each came under.
(ps. 2 times not 4)
Geoff: nice one, im off to waterstones!
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote