Preventing Spyware installation on a network.

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

I'm looking for information on setting that can be made to prevent users from
having spyware installed on their machines using 2000. The main problem is
that all the users need to have administrative access for some of their
applications to work. Are there some settings that I can change in IE or
elsewhere that would at least help prevent this for most users? Any
suggestions on how I can lock down a system without revoking admin
priveledges?

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Any
> suggestions on how I can lock down a system without revoking admin
> priveledges?


There is no way to do this that I'm aware of.

You might consider applying the compatws.inf security template. It will
"loosen" Win 2k's security to where those applications may be able to run
while logged on as a regular user.

I would try it on one computer and test the results before running it on all
your computers.
See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;269259&Product=win2000


hth
DDS W 2k MVP MCSE

"ntelscho" <ntelscho@discussions.microsoft.com> wrote in message
news:94FE6D84-E429-4BF4-8538-74D49B617FCB@microsoft.com...
> I'm looking for information on setting that can be made to prevent users
from
> having spyware installed on their machines using 2000. The main problem is
> that all the users need to have administrative access for some of their
> applications to work. Are there some settings that I can change in IE or
> elsewhere that would at least help prevent this for most users? Any
> suggestions on how I can lock down a system without revoking admin
> priveledges?

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

ntelscho wrote:
> I'm looking for information on setting that can be made to prevent
> users from having spyware installed on their machines using 2000. The
> main problem is that all the users need to have administrative access
> for some of their applications to work. Are there some settings that
> I can change in IE or elsewhere that would at least help prevent this
> for most users?

You can customise the security settings for the various zones to prevent
accidental and/or "Click 'n' drool" installs from websites.

> Any suggestions on how I can lock down a system
> without revoking admin priveledges?

I'd consider these two things as mutually exclusive goals. Where do you want
to draw your compromise?

--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Essentially the problem is that many of the users are using an application
that if admin priviledges are taken away does not allow them to print. I'm
looking for a way around this yet I still want to be able to protect them
from spyware.

"Robert Moir" wrote:

> ntelscho wrote:
> > I'm looking for information on setting that can be made to prevent
> > users from having spyware installed on their machines using 2000. The
> > main problem is that all the users need to have administrative access
> > for some of their applications to work. Are there some settings that
> > I can change in IE or elsewhere that would at least help prevent this
> > for most users?
>
> You can customise the security settings for the various zones to prevent
> accidental and/or "Click 'n' drool" installs from websites.
>
> > Any suggestions on how I can lock down a system
> > without revoking admin priveledges?
>
> I'd consider these two things as mutually exclusive goals. Where do you want
> to draw your compromise?
>
> --
> --
> Rob Moir, Microsoft MVP for servers & security
> Website - http://www.robertmoir.co.uk
> Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
>
> Kazaa - Software update services for your Viruses and Spyware.
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

You could enforce settings of Web Content Zones for the computer using Group
Policy/computer configuration. The link below is a good guideline to use to configure
Web Content Zones. Not all advanced settings can be configured via Group Policy.
Disabling install on demand is a good idea. You should then use Group Policy to
restrict users from accessing and changing IE options. Domain level policy for user
configuration will not apply to users who logon to their computers locally which an
administrator can do since they have the power to create local accounts. Local Group
Policy can also be configured on a local computer and it will apply to all users on
the local computer though if a user knows how they could reconfigure Local Group
Policy. --- Steve

http://mvps.org/winhelp2002/unwanted.htm
"ntelscho" <ntelscho@discussions.microsoft.com> wrote in message
news:94FE6D84-E429-4BF4-8538-74D49B617FCB@microsoft.com...
> I'm looking for information on setting that can be made to prevent users from
> having spyware installed on their machines using 2000. The main problem is
> that all the users need to have administrative access for some of their
> applications to work. Are there some settings that I can change in IE or
> elsewhere that would at least help prevent this for most users? Any
> suggestions on how I can lock down a system without revoking admin
> priveledges?

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

On Tue, 14 Sep 2004 11:39:04 -0700, "ntelscho"
<ntelscho@discussions.microsoft.com> wrote:

>I'm looking for information on setting that can be made to prevent users from
>having spyware installed on their machines using 2000. The main problem is
>that all the users need to have administrative access for some of their
>applications to work. Are there some settings that I can change in IE or
>elsewhere that would at least help prevent this for most users? Any
>suggestions on how I can lock down a system without revoking admin
>priveledges?

You really can't. It's either locked down or the user has local admin
rights. You may be able to tweak the rights and find they don't need
admin if they have appropriate access, but that depends on the
application.

Otherwise, products like Adaware installed on each system are about
your next best choice.

Jeff

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

On Tue, 14 Sep 2004 14:00:40 -0700, "ntelscho"
<ntelscho@discussions.microsoft.com> wrote:

>Essentially the problem is that many of the users are using an application
>that if admin priviledges are taken away does not allow them to print. I'm
>looking for a way around this yet I still want to be able to protect them
>from spyware.

Using IE zones works as far as protecting them in IE, but spyware
installed from other locations, via email for example, isn't stopped.

Jeff

>> ntelscho wrote:
>> > I'm looking for information on setting that can be made to prevent
>> > users from having spyware installed on their machines using 2000. The
>> > main problem is that all the users need to have administrative access
>> > for some of their applications to work. Are there some settings that
>> > I can change in IE or elsewhere that would at least help prevent this
>> > for most users?
>>
>> You can customise the security settings for the various zones to prevent
>> accidental and/or "Click 'n' drool" installs from websites.
>>
>> > Any suggestions on how I can lock down a system
>> > without revoking admin priveledges?
>>
>> I'd consider these two things as mutually exclusive goals. Where do you want
>> to draw your compromise?
>>
>> --
>> --
>> Rob Moir, Microsoft MVP for servers & security
>> Website - http://www.robertmoir.co.uk
>> Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
>>
>> Kazaa - Software update services for your Viruses and Spyware.
>>
>>
>>