[OPLINTECH] Win7 lockdown

Shivelri@OPLIN.org shivelri at oplin.org
Sat Feb 5 14:49:25 EST 2011


I have been working on isolating the reg DWORD names to lock down Win7 as SteadyState would.

The problem I'm having currently is how to automate (script) the process so that anyone in the admin account will be able to disable/enable the lockdown.

Richard Shively
Network Administrator
Greene County Public Library

On Feb 5, 2011, at 12:00 PM, oplintech-request at lists.oplin.org wrote:

> Today's Topics:
> 
>   1. lockdown Save As on Windows 7 public computers (Marlene Pelyhes)
>   2. Re: lockdown Save As on Windows 7 public computers (Nathan Eady)
>   3. Re: lockdown Save As on Windows 7 public computers
>      (Marlene Pelyhes)
>   4. lockdown Network Place on Windows 7 public computers
>      (Marlene Pelyhes)
> Hi
> 
> I would like to deploy Windows 7 computers for public computer use.
> 
> When you click "Save As" on a MS Office document, Windows
> brings up Windows Explorer with directory and Network links.
> Has anyone locked that down to provide access to only
> public areas such as Desktop and FlashStick?
> 
> Thanks
> Marlene Pelyhes
> IT Manager
> Mentor Public Library
> 440 255-8811 ext 228
> marlene dot pelyhes at mentorpl dot org
> 
> 
> 
> 
> Marlene Pelyhes <mpl_marlenep at yahoo.com> writes:
> 
>> I would like to deploy Windows 7 computers for public computer use.
>> 
>> When you click "Save As" on a MS Office document, Windows
>> brings up Windows Explorer with directory and Network links.
>> Has anyone locked that down to provide access to only
>> public areas such as Desktop and FlashStick?
> 
> Fundamentally, limiting the locations that show up in the MS Office
> Save As dialog wouldn't actually "lock down" anything.  That's just
> one out of hundreds of ways to save a file in a particular location.
> Trying to limit how the user can employ each of hundreds of different
> interfaces to store files in various places would be prohibitively
> time-consuming and difficult, if not theoretically impossible.
> 
> If you want to actually prevent access to non-public areas, then the
> user(s) in question shouldn't have the relevant access permissions.
> If you are running Explorer with admin privileges, you can right-click
> on any filesystem object (e.g., a directory folder), click Properties,
> find the Security tab (or Permissions tab or whatever they're calling
> it these days), and investigate who has what permissions.  (There are
> other ways to do this too, but the security/permissions tab in the
> Properties dialog is probably the easiest one to learn.)
> 
> By default, any given object will inherit whatever permission rules
> its parent directory ("folder") has, but you can also assign
> additional permissions (on a per-user or per-group basis) to an object
> that its parent directory does not have, and some permissions (e.g.,
> Read access) can be revoked on an object even if the user has them on
> the parent.  Other permissions, such as Full Control, are always
> inherited; if you give the user Full Control of an entire drive, for
> example, you cannot take it away for just certain areas on that drive.
> What you can do is only give them Full Control over specific
> directories where you want them to have it.  
> 
> Note that for network fileshares the permissions are controlled on the
> file server that hosts the share, not on the workstation.
> 
> As a general rule, the most secure way to handle permissions is to
> deny the user everything by default and grant them only the specific
> things you need them to be able to do, but the tradeoff is that this
> means you have to discover and enumerate, one by one, each and every
> location that the users (or programs the users need to use) need to
> be able to access.  
> 
> The quick-and-dirty way is to start with the default permissions and
> only make the changes you need to make to prevent specific abuses you
> discover.  This is significantly less secure, but it also has less
> tendency to cause unexpected consequences at first.  (Applications can
> sometimes surprise you with all the many and various places they want
> to write data during the course of normal operation.  This is not
> nearly as bad as it used to be in the early days of Windows XP when
> many programs had been hastily ported over from Windows 98, but the
> problem has not entirely gone away, either.)  
> 
> If we were talking about introducing new computers, I'd be strongly
> inclined to recommend the secure way (give the user no permissions
> except what you specifically know they need, developing and
> maintaining a list of what is actually needed and why as you go), but
> since you're talking about already-deployed computers the choice is
> less clear-cut.  There are arguments to be made either way.
> 
> -- 
> Nathan Eady
> Galion Public Library
> 
> Hi
> 
> Disregard question...
> 
> I found the settings in GPO
> UserConfiguration\AdminTemplate\Windows Components\Windows Explorer:
> Hide these specified drives in My Computer
> 
> Prevent access to drives from My Computer 
> 
> No Computers Near Me in Network Locations
> 
> Thanks!
> 
> Marlene Pelyhes
> Mentor Public Library
> 
> 
> Hi
> 
> I would like to deploy Windows 7 computers for public
> computer use.
> 
> When you click "Save As" on a MS Office document, Windows
> brings up a Network link which displays the network.
> 
> Has anyone locked public computers so that patrons can
> only save documents to the Desktop or a removable drive, i.e. FlashStick?
> 
> GPO allows me to remove the C Drive using Windows Components/Windows Explorer but there is no option for "Entire Network"
> 
> Thanks
> Marlene Pelyhes
> IT Manager
> Mentor Public Library
> 440 255-8811 ext 228
> marlene dot pelyhes at mentorpl dot org
> 
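
One way to script the enable/disable toggle asked about at the top of this post, using the three Explorer policies named in the quoted digest (an added example, not code from anyone in the thread). The profile path `C:\Users\Patron` and the hive name `PatronHive` are assumptions; `NoDrives`, `NoViewOnDrive` and `NoComputersNearMe` are the registry values behind those three policy settings.

```powershell
# Added example (not from the thread). Run elevated from the admin account
# while the public account is logged off, so its NTUSER.DAT is not in use.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Enable', 'Disable')]
    [string]$Mode,
    [string]$ProfilePath = 'C:\Users\Patron',  # assumption: public account's profile
    [char[]]$Drives = @('C')                   # drives to hide and block
)

$hive = 'PatronHive'   # assumption: temporary mount name under HKEY_USERS
$key  = "Registry::HKEY_USERS\$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# NoDrives and NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
$mask = 0
foreach ($d in $Drives) {
    $bit  = [int][char]::ToUpper($d) - [int][char]'A'
    $mask = $mask -bor [int][math]::Pow(2, $bit)
}

$values = @{
    NoDrives          = $mask  # Hide these specified drives in My Computer
    NoViewOnDrive     = $mask  # Prevent access to drives from My Computer
    NoComputersNearMe = 1      # No Computers Near Me in Network Locations
}

& reg.exe load "HKU\$hive" (Join-Path $ProfilePath 'NTUSER.DAT') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Cannot load hive from $ProfilePath (account logged on?)" }

try {
    if ($Mode -eq 'Enable') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $values.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    } else {
        foreach ($name in $values.Keys) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
    }
    Write-Output "Lockdown ${Mode}d for $ProfilePath"
}
finally {
    # Drop the provider's open key handles first, or the unload is refused.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$hive" | Out-Null
}
```

These values only change what Explorer and the common file dialogs show to that account; as Nathan's reply in the digest points out, what the account can actually read or write is still decided by the permissions on the folders and shares. If a domain GPO manages the same settings, it will overwrite the values at the next policy refresh.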