eWEEK Labs recent feature on the benefits (and complexities) of locking down Windows systems elicited many reader responses ("Lock out Problems," Nov. 28). Most readers were in favor of the practice, if not entirely capable of implementing it at their own organizations—for a variety of reasons. Whats your system lockdown story?
Write us at firstname.lastname@example.org.
- Need to know
The approach Ive taken is basically regarding change management and helping to improve system availability.
If users can install software, change the system configuration or delete files, so can malicious software they run intentionally or accidentally.
System lockdown has some very harsh and serious connotations. "Need to know" or "least privilege" is essentially what youre describing. We need to encourage users to be granted only privileges to run their applications—anything more is excessive.
Someone clearly needs to have the ability to install software or reconfigure a system, but these are not common day-to-day tasks for typical users. More awareness is needed for users, software developers and operating system vendors to segregate these tasks.
- Users get it
I totally agree with this article. I have been locking down machines using Active Directory and Group Policy for almost a year using Windows Server 2003. In the past, I just used the local Group Policy settings, which took longer to set up because each PC had to be configured.
I did have a hard time at first with users rebelling because their PCs were restricted, and some still are upset about it. But many users are more aware of security because their own home PCs can easily get infected. I get less flak about system lockdown than I used to.
I do wish legacy apps were as easily adaptable to Active Directory as the newer ones. Unless the user has administrator rights, certain apps wont work. Ive looked at everything to try to resolve this.
Teresa Van Tine
Charlevoix Area Hospital
- In search of Group Policy
Im an IT manager with admittedly limited training in the nuances of Group Policy and Active Directory. I wear many hats in our organization, so I dont have time to get the training I really need.
Im responsible for managing a Microsoft Small Business 2003 Server with about 25 different client PCs attached in our office. We have the recurring problems youve described, although not too many, as we do run some sophisticated anti-virus, anti-spam and anti-spyware tools.
Are there any forums that provide a list of some nuts-and-bolts examples of actual Group Policy entries you spoke of that I, or any other IT manager, could implement to lock down our environments?
eWEEK Labs responds: During the course of doing research and testing for the system lockdown story, we found the following sites to be especially useful:
• Group Policy Wiki: grouppolicy.editme.com
• Microsoft Windows 2000 Group Policy white paper: www.microsoft.com/windows2000/techinfo/ howitworks/management/grouppolwp.asp
• Microsoft TechNet Windows Server 2003 Group Policy page: www.microsoft.com/technet/prodtechnol/windowsserver2003/ technologies/featured/gp/default.mspx
- Policy justification
Thank you for your insightful article about locking down PCs to prevent malware, spyware and adware infections. I have been promoting and using this method for years. Your article will provide me with much-needed backup to counter what users (even ones in IT) think are draconian policies.
Not having admin rights protects us from so much more than malware. Users cant install stuff, and many viruses cant propagate. Couldnt live without it—the money and time it saves is priceless.
Now, if we could just lobby software developers—Microsoft included—to write better software.
Manager, Computer Services
Westchester Community College
- On the home front
Great article, and a lockdown like youre describing is possible in a corporate environment. But what about at home?
My daughter is in high school, with a school-issued PalmPilot and syncing software via Palm Desktop and Documents To Go. The problem: Documents To Go will not fully sync all files unless I grant her computer administrator rights. (Were using Windows XP Service Pack 2 and all critical updates applied.)
Im rapidly losing count of the number of times Ive felt like strangling vendors whose software requires administrator rights to run but that doesnt perform any functions that actually require those rights.