Jump to content

Help Setting Up A Testing Pc

0byt2

By 0byt2
in Questions

 Share

Recommended Posts

0byt2 Newbie

0byt2

Posted
Posted

Hi guys.

I have been lurking on the forums for a while and now I decided to post a quick question.

I am using qemu to set up a virtual machine (XP SP3), and I want to set it up with some common restrictions like for example, no access to CMD and disallowing batch files...

I dont know exactly how to secure a box so I was hoping to get some help from you guys. If you can give me some ideas on what do disallow, block and disable (within the range of common practices) would be great.

Also I know that there are some programs that give you the options to tweak those things in an easy way, I dont remember the name anymore so if you could point me some of them it would be good as well. I know gpedit, but Im not sure if I can control everything from there alone or if I would have to dive in to the registry.

Thanks in advance.

Link to comment
Share on other sites
joeypesci Newbie

joeypesci

Posted
Posted

Pretty much all the restrictions would be in gpedit. And on a domain it would be domain group policy.

So in your case, if the test machine isn't in a domain it would just be the local group policy to lock stuff down.

Almost all the options have really good explanations of what they do.

Could also take a look at youtube as that as some good vids sometimes.

Or ITIdiots old videos are good. I like ITIdiots.

http://www.itidiots.com/itidiots2/

Episode 8 and 9. Although they speak about domain group policy but you should be able to get the idea from watching that. Fun training vids instead of the boring professional ones.

Link to comment
Share on other sites
Infiltrator Newbie

Infiltrator

Posted
Posted
http://www.itidiots.com/itidiots2/

Episode 8 and 9. Although they speak about domain group policy but you should be able to get the idea from watching that. Fun training vids instead of the boring professional ones.

Great video, I learned quite a lot with these guys. Thanks for posting that up.

Link to comment
Share on other sites
0byt2 Newbie

0byt2

Posted
  • Author
Posted (edited)

hey guys, im still looking for how to do this.

Gpedit applies the policies to all users when used on a local environment, which is not desired, ex. I would like to be able to remove the shutdown button for user "restricted" but not for user "admin"...

as I am not going to be running a domain I can only use the local restrictions of Gpedit... can you point me out to any info on how to do that via de Registry or something simmilar?

I think i found the information I was looking...

This explains how to workaround the limitation of GPedit:

http://www.theeldergeek.com/gp07.htm

Edited by 0byt2
Link to comment
Share on other sites
Infiltrator Newbie

Infiltrator

Posted
Posted (edited)

hey guys, im still looking for how to do this.

Gpedit applies the policies to all users when used on a local environment, which is not desired, ex. I would like to be able to remove the shutdown button for user "restricted" but not for user "admin"...

as I am not going to be running a domain I can only use the local restrictions of Gpedit... can you point me out to any info on how to do that via de Registry or something simmilar?

I think i found the information I was looking...

This explains how to workaround the limitation of GPedit:

http://www.theeldergeek.com/gp07.htm

One way for achieving that, is via the active directory in Windows server 2003/2008. you will need to create an OU and place the user account that you want to disable the shutdown buttom for, inside that OU then you will need to create a group policy that will disable the shutdown buttom and link it to the OU you created.

If you are not sure what I am talking about, you will need to watch that ITIDIOTS.COM show, they walk you through step by step how to do what I am talking about.

Edited by Infiltrator
Link to comment
Share on other sites
h3%5kr3w Newbie

h3%5kr3w

Posted
Posted

+1 to infiltrator.

Just remember this: When working in an AD (Active Directory) environment, ALL POLICIES ARE HIERARCHIAL! Therefore, you have to watch and structure your policies to fit. In other words, if you have a user that is a group member of users and of Active Directory Administrators, and you have a policy say... disabling access to a folder, that user can still access the folder, because even though they are a 'user' member, the policy is sidestepped because that user is also part of the 'AD ADMINS' group.

Link to comment
Share on other sites
Infiltrator Newbie

Infiltrator

Posted
Posted (edited)
+1 to infiltrator.

Just remember this: When working in an AD (Active Directory) environment, ALL POLICIES ARE HIERARCHIAL! Therefore, you have to watch and structure your policies to fit. In other words, if you have a user that is a group member of users and of Active Directory Administrators, and you have a policy say... disabling access to a folder, that user can still access the folder, because even though they are a 'user' member, the policy is sidestepped because that user is also part of the 'AD ADMINS' group.

Very interesting point you made there. I must have overlooked that one.

Edited by Infiltrator
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...