I just spent the morning looking around at resources and doing some things
to lock down a new W2K TS. This box is a member server in a W3K domain, and
is hosting an app that end users hit. We needed to make it so that was the
only thing they could do on the box, but we still needed admin access. So
here's what I did. I'm looking for any gotchas on this before it swings into
production...
New OU, termservers.
2 GPs for that OU. 1 is a lockdown, strips everything except that app. 2 is
an Admin access, which disables everything in the lockdown for those times
that we need to do something to the box.
Set Admin GP at top w/no override, lockdown second. Appropriate rights
assignments.
Seems to work pretty well. Any glaring issues?
Found a couple of interesting nasties while trying to lock down the box,
though. Why the heck is it SO difficult to prevent IE from running? We don't
want a browser to open on this box for users at all. Couldn't find any way
to lock it down within the policy, and didn't want to get involved with IEAK
at this point. So, I put it on the list of apps that you can't run. Also
added the one app we want to the list of apps you can run (along with all
the other lockdown tweaks in the policy). That should do it, right? Wrong.
Picture this. Locked down desktop, with a log off command and one icon for
the app we want to run. Can't do much, except hit F1. Hit F1, up comes a
help box. On the top bar is "Web Help". Click on that, a browser opens.
Nice. Lets you do anything at that point. Even though it's on the
prohibited list, it still runs. OK, lock down NTFS on iexplore.exe. Removed
users, etc., left admins, system. Still the same problem. Cute. IE runs in
the system context when launched from help. Removed perms for system account
and that finally did it. Nasty. Not exactly the context I want a web browser
running from...


**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
********************** 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
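The lockdown described in the post has two independent layers: the Explorer "allowed / disallowed applications" policy, which only governs what the Explorer shell will launch, and the NTFS ACL on iexplore.exe, which is what finally stopped Help from spawning a browser as SYSTEM. The script below is an added read-only audit for that setup; it is not from the post or the ActiveDir list. It assumes a box where PowerShell is available (not the case on a Windows 2000 terminal server itself, so run it from a later machine or adapt the checks to cacls), and it reads the registry locations the two Explorer policies write for the current user (RestrictRun and DisallowRun under HKCU\...\Policies\Explorer). The IE path and the identity list are assumptions to adjust for your environment.

```powershell
# Added audit example, not from the original post. Read-only: it changes nothing.
# 1. Show the current user's Explorer allow list (RestrictRun) and block list
#    (DisallowRun) exactly as the policy stored them.
# 2. Report whether the named identities can still execute a given file,
#    which is the check behind the post's "lock down NTFS on iexplore.exe" step.
# Assumed paths/identities: adjust $IePath and -Identities for your box.

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IePath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

function Get-ExplorerRunPolicy {
    # Each policy is a DWORD flag under the Explorer key plus a subkey of the
    # same name holding one numbered string value per executable file name.
    foreach ($name in 'RestrictRun', 'DisallowRun') {
        $flag = (Get-ItemProperty -Path $ExplorerPolicy -Name $name -ErrorAction SilentlyContinue).$name
        $subKey = Join-Path $ExplorerPolicy $name
        $apps = @()
        if (Test-Path $subKey) {
            $apps = (Get-ItemProperty -Path $subKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value }
        }
        [pscustomobject]@{ Policy = $name; Enabled = ($flag -eq 1); Apps = ($apps -join ', ') }
    }
}

function Test-ExecuteAllowed {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string[]] $Identities = @('BUILTIN\Users', 'NT AUTHORITY\SYSTEM')
    )
    # Per identity: Allow ACEs carrying ExecuteFile grant execution unless a
    # Deny ACE with ExecuteFile is also present (Deny wins). Matching is by the
    # literal ACE trustee, so rights an identity gets through group membership
    # other than the listed names are not resolved here.
    $acl = Get-Acl -Path $Path
    $execRight = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($id in $Identities) {
        $allow = $false
        $deny = $false
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ne $id) { continue }
            if (($ace.FileSystemRights -band $execRight) -eq 0) { continue }
            if ($ace.AccessControlType -eq 'Allow') { $allow = $true } else { $deny = $true }
        }
        [pscustomobject]@{
            Path           = $Path
            Identity       = $id
            ExecuteAllowed = ($allow -and -not $deny)
        }
    }
}

Get-ExplorerRunPolicy | Format-Table -AutoSize
Test-ExecuteAllowed -Path $IePath | Format-Table -AutoSize
```

The second table is the one that matters for the Help-launches-IE case: if either BUILTIN\Users or NT AUTHORITY\SYSTEM still shows ExecuteAllowed = True, the Explorer lists alone will not stop a browser started by another process, because those lists are a shell convenience rather than a security boundary enforced by the kernel.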