Click here to get back home

Strategy for securing user account
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Strategy for securing user account a 02-26-2006
Posted by a on February 26, 2006, 11:36 am
Please log in for more thread options
 Hi everybody,

I need to be able to start a console application in the security context of
a user with very limited rights, on a Win 2003 computer:
- file write only to several directories
- file read only to other directories
- no create process abilities
- no network access

and probably other additional restrictions.

My question is, what is the right approach in creating a group, user
account and configuring all values to make sure I don't leave any security
holes while granting it a minimum of rights to be able to perform its task.
It is not obvious how to do this just from inspecting the various security
settings and policies.

This application will be started by a Windows service by callinig the Win32
API CreateProcessAsUser, so there is no need for direct user interaction
with this application.

Any information or pointers to resources will be appreciated.

Thanks,

A



Posted by S. Pidgorny on February 28, 2006, 3:12 am
Please log in for more thread options
 It seems that you're looking at the kiosk-type lock down of the system. For
that purpose, Shared Computer Toolkit for Windows XP is the tool of choice:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx

and download is at

http://www.microsoft.com/downloads/details.aspx?familyid=7256D456-E3DA-42EA-857D-92B716077A84

Hwever, if you look at the most restricted user account, I'd start with a
group that is explicitely denied access to entire file system, and then I'd
give explicit rights to read/execute dependencies only. Some experimenting
is required.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



> Hi everybody,
>
> I need to be able to start a console application in the security context
> of a user with very limited rights, on a Win 2003 computer:
> - file write only to several directories
> - file read only to other directories
> - no create process abilities
> - no network access
>
> and probably other additional restrictions.
>
> My question is, what is the right approach in creating a group, user
> account and configuring all values to make sure I don't leave any security
> holes while granting it a minimum of rights to be able to perform its
> task. It is not obvious how to do this just from inspecting the various
> security settings and policies.
>
> This application will be started by a Windows service by callinig the
> Win32 API CreateProcessAsUser, so there is no need for direct user
> interaction with this application.
>
> Any information or pointers to resources will be appreciated.
>
> Thanks,
>
> A
>



Posted by a on February 28, 2006, 11:49 am
Please log in for more thread options
Thanks for the info. I'll check out this tool, and most likely I'll use a
combination of both the tool and the manual permissions setup

Thanks,

A


> It seems that you're looking at the kiosk-type lock down of the system.
> For that purpose, Shared Computer Toolkit for Windows XP is the tool of
> choice:
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx
>
> and download is at
>
>
http://www.microsoft.com/downloads/details.aspx?familyid=7256D456-E3DA-42EA-857D-92B716077A84
>
> Hwever, if you look at the most restricted user account, I'd start with a
> group that is explicitely denied access to entire file system, and then
> I'd give explicit rights to read/execute dependencies only. Some
> experimenting is required.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
>
>
>> Hi everybody,
>>
>> I need to be able to start a console application in the security context
>> of a user with very limited rights, on a Win 2003 computer:
>> - file write only to several directories
>> - file read only to other directories
>> - no create process abilities
>> - no network access
>>
>> and probably other additional restrictions.
>>
>> My question is, what is the right approach in creating a group, user
>> account and configuring all values to make sure I don't leave any
>> security holes while granting it a minimum of rights to be able to
>> perform its task. It is not obvious how to do this just from inspecting
>> the various security settings and policies.
>>
>> This application will be started by a Windows service by callinig the
>> Win32 API CreateProcessAsUser, so there is no need for direct user
>> interaction with this application.
>>
>> Any information or pointers to resources will be appreciated.
>>
>> Thanks,
>>
>> A
>>
>
>



Posted by Jon Phipps on February 28, 2006, 3:58 pm
Please log in for more thread options
I would recommend this tool, I use it at work for securing student desktops.
This saves me much headache in trying to figure out how they disabled
something, what they installed that crapped the machine etc. The only thing
I have found is that if you want to secure a domain account it the app must
be run on the DC and the account secured there.

Jon
> Thanks for the info. I'll check out this tool, and most likely I'll use a
> combination of both the tool and the manual permissions setup
>
> Thanks,
>
> A
>
>
>> It seems that you're looking at the kiosk-type lock down of the system.
>> For that purpose, Shared Computer Toolkit for Windows XP is the tool of
>> choice:
>>
>>
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx
>>
>> and download is at
>>
>>
http://www.microsoft.com/downloads/details.aspx?familyid=7256D456-E3DA-42EA-857D-92B716077A84
>>
>> Hwever, if you look at the most restricted user account, I'd start with a
>> group that is explicitely denied access to entire file system, and then
>> I'd give explicit rights to read/execute dependencies only. Some
>> experimenting is required.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>>
>>
>>> Hi everybody,
>>>
>>> I need to be able to start a console application in the security context
>>> of a user with very limited rights, on a Win 2003 computer:
>>> - file write only to several directories
>>> - file read only to other directories
>>> - no create process abilities
>>> - no network access
>>>
>>> and probably other additional restrictions.
>>>
>>> My question is, what is the right approach in creating a group, user
>>> account and configuring all values to make sure I don't leave any
>>> security holes while granting it a minimum of rights to be able to
>>> perform its task. It is not obvious how to do this just from inspecting
>>> the various security settings and policies.
>>>
>>> This application will be started by a Windows service by callinig the
>>> Win32 API CreateProcessAsUser, so there is no need for direct user
>>> interaction with this application.
>>>
>>> Any information or pointers to resources will be appreciated.
>>>
>>> Thanks,
>>>
>>> A
>>>
>>
>>
>
>



Posted by a on March 3, 2006, 3:49 am
Please log in for more thread options
Thanks for your reply.

>I would recommend this tool, I use it at work for securing student
>desktops. This saves me much headache in trying to figure out how they
>disabled something, what they installed that crapped the machine etc. The
>only thing I have found is that if you want to secure a domain account it
>the app must be run on the DC and the account secured there.
>

Yes, you are right - it is a nice tool and it does exactly what I need.

A



Similar ThreadsPosted
User Account Created - 624 And User Account Enabled - 626 for Hel October 13, 2005, 1:56 pm
how to use the user account and the computers account to ... March 9, 2007, 10:38 am
NT4 user account recovery June 3, 2005, 6:29 am
Unknown User Account or Spyware? September 11, 2005, 12:14 pm
Win2003 loses AD user account September 28, 2005, 8:39 am
User Account and Rights questions January 28, 2006, 10:03 am
User account - password attribute ? February 21, 2006, 4:23 pm
Find SID for a local user Account March 6, 2006, 3:05 pm
Tracking user account activity. March 30, 2006, 12:27 pm
user account get locks frequently March 26, 2007, 6:33 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap