how can I protect an NT system?

[chandr]

Hi,

we have a number of standalone PCs running 3D Studio Max 3.1 under windows NT 4. College policy dictates that these must be standalones. At the moment members of staff can log in as administrators and students can log in as guest without a password. Each machine is split up into 6 partitions, one for each course. Recently some new students have been messing about with the systems which is causing a lot of frustration and extra work for staff and students alike. how I can I set the systems up so that if students log in as guests then they:

1) can only see certain "allowed" apps
2) cannot install or uninstall any software
3) cannot mess with the system settings (even the screen saver)
4) cannot delete any part of the hard drive not allocated to them
5) can only see "allowed" partitions.
6) can only save to "allowed" partitions


I've used the NT adminstrative user tools but cannot figure out how to set the guest account to behave like this.

help!!

thanx

spooky

BTW I am not an NT expert by any stretch of the imagination so be gentle with me folks!

[pointd]

1 - Setup the Desktop and Programs menu for the Guest account manually and remove any shortcuts etc from the "All Users" profile.

2 - Don't know

3 - In the root of the Guest profile rename user.dat to user.man. This will let them change settings for the duration of the login but these will revert back to the original when they logoff.

4 5 & 6 - These are all functions of the NTFS file system supported by NT4. If it is currently FAT then you will need to convert to NTFS. You can then set the appropriate permissions for the Guest account to the files/folders/partitions as necessary.

[chandr]

Hi pointd,

thanx for your reply. with regards to your response:

1) will this prevent users (guests) from trawling the HD via the explorer or dektop to access software? or does it just limit the apps that are "apparently" visisble?

2) this one still has me tearing my hair out!!

3) Thanx for that one - seems to be working so far!

4 5 & 6 our drives are NTFS but using the disk administrator I don't seem able to be able to simply set a certain partition (each drive has 6) to be out of limits to anyone logged on as guest.

any ideas?

thanx

spooky

[pointd]

1) They would still be able to use Explorer to see what is there but if this is NTFS then you should be able to set write/execute but not read permissions.

2) Have a look at Policy Editor. You are looking for poledit.exe. If it isn't already installed it will be on your CD. You will need that and a couple of other files (common.adm and winnt.adm spring to mind but don't quote me on that). poledit.exe is the forerunner of the Windows 2000 Group Policy Editor. Failing that there are 3rd party apps available that will prevent installations. I think RegRun is one of these but I'm not sure.

3) You're welcome

4 5 & 6) Don't use Disk Administrator but open My Computer and right click on the drive, select Properties and then the Security tab.

[KHT]

For apps that you don`t want a guest or any user to use, you can deny access to the directory that the app is in through the security tab.

As far as hiding drive letters, it is easy to still access the drive via the command line, (ex....E:\ is hidden, one can simply click start\run type in..E:\ and they are in)...right click the drive you want to protect and in the security tab on the drive...deny access to the group you don`t want there. Anything on the drive will be denied through inheritable permissions.

The guest account shouldn`t be able to add or remove programs. Make sure the user is in the Guest group and not in Users

Also, create a security console using mmc. Click start\run\ type "mmc". Click the console button and click "add\remove snap" in. Select Group policy and then "save as" the console on the desk top.

Expand Local computer policy\User configuration\Administrative templates\Windows components\Windows installer. Enable- "disable media source for any install" This will add a higher level of security to application installation and the user will get a "feature can not be found" message if they try to install from a CD, floppy, etc.

[chandr]

Thanx pointd and KHT,

will try these next week and let u know!

thanx

spooky

[pointd]

As these machines are NT4 machines you will not be able to "Create a security console using mmc". Using poledit however you can lock down the desktops and user environment quite well. This and the drive security we have both suggested should be enough.

[KHT]

You`re right, I missed he is using NT.