PC Manager Meeting

1
PC Manager Meeting

• March 23, 2005

2
Today

• Updates
• Next Meeting
• Windows Policy
• Security
• Licenses
• Email
• This Month
• Using Admin Rights Only When Needed - Andy
  Romero (Andy Romero)

3
Next Meeting

• April 27th
• Securing IE (Joe Klemencic)

4
Windows Policy

• Next Meeting 4/6, 130-230, WH5SW
• OU for GPOs
• Kiosk Setup Discussion

5
Security

• Security Awareness Day was a success. More brown
  bags (esp. the user and desktop security courses
  and Spyware) in the future!
• CST Cookbook
• 'cookbook' section on the security web site.
• Call for short security HowTos
• Example How to reset XP/2003 local passwords
• Send the doc or link.
• DOE Baselines
• Standard Unix/Linux draft done, with Windows to
  follow.
• Best for each section to start documenting their
  standard baseline to be prepared for the future.
• CIS Benchmarks for testing

6
Security

• McAfee problem with LHA handling similar to the
  Symantec UPX handling last month.
• Remember that Nessus is available to sysadmins to
  scan their systems. Make use of it!
• Peer review going on right now. Expect changes on
  the horizon.

7
Licenses

• Symantec Visit
• April 14th, 1-230pm, WH8XO
• Training
• Reminder! Areas still have training days
  available!

8
Email Update

• Anti-Spam
• Better rules
• Web page to report spam

9
Main Topic

• Using Admin Rights Only When Needed
• Andy Romero

10
Least Privilege Computing with Windows XP
11
Summary

• Least Privilege Computing - Overview
• How to Reduce a Users Privilege
• Creating an Admin Shell
• Dealing With Naughty Applications
• Separate Accounts for Special Tasks

12
Least Privilege Computing

• A user should be granted the least privilege
  level necessary to perform required tasks.

13
Least Privilege Computing..why

• Prevents processes, including malware processes,
  run by a user from damaging the O/S.
• Prevents processes, including malware processes,
  run by a user from damaging things that belong to
  other users of the computer (user profiles).
• Is a Proactive measure .... prevents problems
  from happening
• Uses well designed/tested built-in facilities
• Increased Uptime
• Reduced support calls, rebuilds and security
  investigations.
• Eliminates meetings

14
Least Privilege Computing

• Pure Least Privilege Computing is not practical
• Analyze the users set of applications in detail
• Customize every system parameter imaginable so
  only that set of applications will run.

15
Least Privilege Computing

• Practical Least Privilege Computing
• Run Windows XP (SP2)
• Remove General User Accounts from Privileged
  Groups
• Administrators
• Power Users
• Backup Operators

16
Whats Protected

• Operating System Files
• Program Files
• Other Users Profiles
• Important Areas of the Registry

17
How to reduce a users privilege

• Avoid Embarrassment, Make sure you know the
  Administrator accounts password, also add your
  workstation support team admins group to the
  local Administrators group.
• Remove the user from Administrators, Power Users
  and Backup Operators
• GUI (lusrmgr.msc)
• net localgroup Administrators sparky /delete
• net localgroup PowerUsers sparky /delete
• GPO - Startup Script

18
Setting up an admin shell

• After you reduce your normal accounts privilege,
  you need to configure an admin shell
• Add your admin account to your workstations
  local Administrators group
• Log in using your admin account and do the
  following
• Double-Click on My Computer
• Select Tools-FolderOptions-View
• Check Launch Folder Windows In a Separate
  Process
• Click Apply
• Click Apply to All Folders
• Click OK
• Log in using your normal account

19
Setting up an admin shell

• Create a simple script for launching your admin
  shell (RunExplorerAsAdmin.bat)runas
  /userfermi\USERNAME-admin "C\Windows\explorer.
  exe
• Run the script
• Create an Admin_Tools folder and add shortcuts
• Add a background bitmap to your Admin ShellKey
  HKCU\Software\Microsoft\Internet
  Explorer\ToolbarValue (Regsz)
  Backbitmapltpathgt\ltfilenamegt

20
Dealing With Naughty Applications

• Some Applications Refuse to Runfor un-privileged
  users
• worst offenders http//www.threatcode.com/
• Dont Freak-Out...a fix is usually possible
• Registry / File-System ACL tweak

21
Dealing With Naughty Applications(Helpful Tools)

• http//www.sysinternals.com/ntw2k/utilities.shtml
• Process Explorer
• FileMon
• RegMon

22
SummarySimple Rules For Proper Account Usage

• Normal User Accounts
• Should NEVER be members of a privileged group
• Should be used for doing general tasks(e-mail,
  web-surfing, documenting, debugging ...)
• Admin Accounts
• Are members of the Administrators group
• Should NEVER be used for doing general tasks
• Should NEVER be used to run un-trusted
  Apps/Installers
• When an admin runs a program, the author of the
  program, indirectly, becomes an administrator.

23
Separate Accounts for Special Tasks

• Finance Management (banking...etc)
• Why a special acct ?
• General accounts profile may contain dangerous
  slime
• Characteristics
• non-Admin
• Pre-built User Profile, which cant be broken
  (mandatory)
• NEVER use this acct for general computing (e-mail
  ....)
• Shared Visitor Account
• When...Why
• conference and home systems
• prevent multiple users from trashing visitor
  profile
• Characteristics
• non-Admin
• Pre-built User Profile, which cant be broken
  (mandatory)
• Caution
• Warning Banner, Locally Saved Data Will Self
  Destruct !!

24
Creating A Mandatory Profile

• Login using the special account
• Configure Applications (IE, Office .... etc)
• Login as Administrator
• ProfileCopy the special accounts profile
• Secure the copied profile
• rename NTUSER.DAT to NTUSER.MAN
• Lockdown the copied profile folder tree
• Set the profile path of the special acct

25

• fini