0byt2 Posted June 20, 2010

Hi guys. I have been lurking on the forums for a while and now I decided to post a quick question. I am using qemu to set up a virtual machine (XP SP3), and I want to set it up with some common restrictions like, for example, no access to CMD and disallowing batch files... I don't know exactly how to secure a box so I was hoping to get some help from you guys. If you can give me some ideas on what to disallow, block and disable (within the range of common practices), that would be great. Also I know that there are some programs that give you the options to tweak those things in an easy way. I don't remember the name anymore, so if you could point me to some of them it would be good as well. I know gpedit, but I'm not sure if I can control everything from there alone or if I would have to dive into the registry. Thanks in advance.
joeypesci Posted June 20, 2010

Pretty much all the restrictions would be in gpedit. And on a domain it would be domain group policy. So in your case, if the test machine isn't in a domain it would just be the local group policy to lock stuff down. Almost all the options have really good explanations of what they do. Could also take a look at YouTube as that has some good vids sometimes. Or ITIdiots old videos are good. I like ITIdiots. http://www.itidiots.com/itidiots2/ Episode 8 and 9. Although they speak about domain group policy, you should be able to get the idea from watching that. Fun training vids instead of the boring professional ones.
Infiltrator Posted June 23, 2010

> http://www.itidiots.com/itidiots2/ Episode 8 and 9. Although they speak about domain group policy, you should be able to get the idea from watching that. Fun training vids instead of the boring professional ones.

Great video, I learned quite a lot with these guys. Thanks for posting that up.
0byt2 Posted June 30, 2010 (edited June 30, 2010 by 0byt2)

Hey guys, I'm still looking for how to do this. Gpedit applies the policies to all users when used on a local environment, which is not desired, e.g. I would like to be able to remove the shutdown button for user "restricted" but not for user "admin"... As I am not going to be running a domain I can only use the local restrictions of Gpedit... Can you point me to any info on how to do that via the Registry or something similar?

I think I found the information I was looking for... This explains how to work around the limitation of GPedit: http://www.theeldergeek.com/gp07.htm
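One way to restrict a single local account through the registry, given as an added example that is not part of the thread and is not claimed to be the method of the linked article: load that account's profile hive and write the per-user policy values into it. The account name "restricted", the default XP profile path and the temporary mount name are assumptions; the account must be logged off and the script run as an administrator.

```batch
@echo off
rem Added example: per-user restrictions on a standalone XP machine, no domain.
rem Assumed names: account "restricted", default XP profile path, mount key "LockdownTemp".
setlocal
set "TARGET=restricted"
set "HIVE=%SystemDrive%\Documents and Settings\%TARGET%\NTUSER.DAT"
set "MOUNT=HKU\LockdownTemp"

rem Mount the account's HKEY_CURRENT_USER hive under HKEY_USERS.
reg load "%MOUNT%" "%HIVE%" >nul 2>&1
if errorlevel 1 (
    echo Could not load "%HIVE%". Check that %TARGET% is logged off and has logged on once.
    exit /b 1
)

rem DisableCMD: 1 = block cmd.exe and batch files, 2 = block cmd.exe but allow batch files.
reg add "%MOUNT%\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f

rem NoClose: 1 = remove the Shut Down command from the Start menu.
reg add "%MOUNT%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

rem Show what was written, then unmount so the account can log on normally.
reg query "%MOUNT%\Software\Policies\Microsoft\Windows\System" /v DisableCMD
reg query "%MOUNT%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose
reg unload "%MOUNT%"
endlocal
```

The "admin" account's own hive is never touched, so it keeps the command prompt and the shutdown button. The restricted account should be a limited user, since by default only administrators can write to these Policies keys.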
Infiltrator Posted June 30, 2010 (edited June 30, 2010 by Infiltrator)

> Hey guys, I'm still looking for how to do this. Gpedit applies the policies to all users when used on a local environment, which is not desired, e.g. I would like to be able to remove the shutdown button for user "restricted" but not for user "admin"... As I am not going to be running a domain I can only use the local restrictions of Gpedit... Can you point me to any info on how to do that via the Registry or something similar?
>
> I think I found the information I was looking for... This explains how to work around the limitation of GPedit: http://www.theeldergeek.com/gp07.htm

One way of achieving that is via Active Directory in Windows Server 2003/2008. You will need to create an OU and place the user account that you want to disable the shutdown button for inside that OU. Then you will need to create a group policy that will disable the shutdown button and link it to the OU you created. If you are not sure what I am talking about, you will need to watch that ITIDIOTS.COM show; they walk you through step by step how to do what I am talking about.
h3%5kr3w Posted July 5, 2010

+1 to Infiltrator. Just remember this: when working in an AD (Active Directory) environment, ALL POLICIES ARE HIERARCHICAL! Therefore, you have to watch and structure your policies to fit. In other words, if you have a user that is a group member of users and of Active Directory Administrators, and you have a policy, say... disabling access to a folder, that user can still access the folder, because even though they are a 'user' member, the policy is sidestepped because that user is also part of the 'AD ADMINS' group.
Infiltrator Posted July 6, 2010 (edited July 6, 2010 by Infiltrator)

> +1 to Infiltrator. Just remember this: when working in an AD (Active Directory) environment, ALL POLICIES ARE HIERARCHICAL! Therefore, you have to watch and structure your policies to fit. In other words, if you have a user that is a group member of users and of Active Directory Administrators, and you have a policy, say... disabling access to a folder, that user can still access the folder, because even though they are a 'user' member, the policy is sidestepped because that user is also part of the 'AD ADMINS' group.

Very interesting point you made there. I must have overlooked that one.