-->

Mindofal Inc. Consulting Services

Author:  Alvin Artis

SCOPE:  The intent of this document is not meant to be all encompassing or definitive as the only means to accomplish the required objectives.  It is intended to be useful in assisting a qualified technician to accomplish certain clear goals in securing a corporate network from accidental or mischievous errors that may compromise the security of the same.  All data should be saved to a Network Share that is regularly backed up, not to the Users Local PC.  Secondly, no user should have Local Logon Privileges.  Thirdly, users should not have the ability to view or discover Data that is not appropriate for them, nor save and remove any Data via any means.

 Lock down each machine, so users cannot logon locally, Forcing logon with domain account.

Solution:  Remove the Local User Account from each PC.  Rename the Local Administrator Account on each PC and set a “Password”.    The Local Admin account should be the same on each PC.  Do NOT Delete their Local Accounts until you are sure that they do not have any important items saved under that account.. .i.e. Internet Explorer Links, Bookmarks, …

 

2. Users cannot save any data to the local machine.

Removing  “write” permissions from each user on Local Drives , C:, D:, etc…  is not recommended, the system is constantly using “temp files”, etc…and might not function properly if all “write permissions” are removed…instead…

Solutions 1)  It is far better to map a directory on your File Server, and using “Active Directory Users and Computers” set this directory as their Home directory (Drive).  Using Folder Redirection (Group Policy) you can also point their My Documents folder to a Shared location.

2)      Preventing Users from writing to Removable drives (USB, CD-R etc..) can also be done through Group Policy at the Domain Level, or Organizational Unit Level.

3)      Additionally we want to use Group Policy to prevent users from Navigating their Local drives, forcing them to save to their prescribed Network Shares.

In order to use  Group Policy to BLOCK Writing to a USB Drive an Administrative Template must be added to the Group Policy for the Domain or specific Organizational Unit.

 

1.) Download the file,“write_protect_removable_drives.adm”.  This file is an Administrative Template that you will import into your Active Directory.  Save the file on your Domain Controller (PDC Emulator) in the “C:\windows\inf\ directory”.  Next, we will open our Group Policy Editor. 

 

2.) Open the Active Directory Users and Computers MMC (Microsoft Management Console) on your DC.  Select the Domain, and with it highlighted, Right –Click (a menu pops up) and Select “Properties”. First we will import this Template.

  The Tab on the Right is the one we want to Select, “Group Policy”.   This will take us to a window that allows us to Add, Delete, or Edit whichever Group Policy we Select.  In this example, there is only the Default Domain Policy.  This Policy will affect ALL Users and Computers that we assign it to in the entire Domain.  In a more specific case, i.e… Instead of “right-clicking” on the Primary Domain in Active Directory Users and Computers, we could expand the node and right click on a specific “Group” or “Organizational Unit” and Add or modify the Group Policy for that specific Organization Unit.

 

   At this window we Select and highlight Default Domain Policy.  Next we Select,  “Edit” and arrive at…..our Group Policy Editor.

 

 

 

 

Group Policy Editor window

The Group Policy Editor is a very powerful component of Active Directory.  From this interface we have the ability to set “Custom Policies” for the Entire Forest, Specific Domains, Domain Controllers, Organizational  Units, etc… But first, in this instance we have to customize it. The Microsoft Windows Default Policy Editor is missing a Template that will help us achieve our goal. Portable USB drives are very handy, but they can be used to upload malicious code to your computer (either deliberately or accidentally), or to copy confidential information from your computer and take it away.  We will now Select and right-click on:

 //Computer configuration>Administrative Templates .. Select “Add/Remove templates” ..

 

 When you Select “Add”, ...Browse to the C:\windows\system\inf\ directory and choose the file we placed there earlier…(write_protect_removal_drives.adm).  Click “OK”.  (In some cases after Clicking OK you will see a new Administrative Template, “Custom Policy Settings” , but WILL NOT see anything in the right hand pane.  Don’t Panic! .. Right Click anywhere in the “Right Pane” and Select  “View”>“Filtering”…Unselect “Only show objects that can be fully manged”.

The Right Pane now shows a Policy, “Write protection”,  double-clicking on the entry brings us to….

  Select “Enabled, Choose “On” from the drop down menu and click OK!  When we close the Group Policy Editor, we will have effectively BLOCKED the ability of Users in the Group Policy Object from WRITING to USB drives!

 

 

Step #2 --- Blocking Write to CD ROMs  In Group Policy Object that we have opened…let’s navigate to:  User Configuration>Administrative Templates>Windows Components> Windows Explorer…. Notice the many options available in the right pane.  We will double-click on “Remove CD Burning Features” > Enable > “OK”

This selection effectively removes CD burning features from within Windows.  It is important to note that it does not prevent Third-party software from being used.

Step #3 --- Prevent Access to Drives from My Computer  -- In the same location that we are in (User Configuration>Administrative Templates>Windows Components> Windows Explorer) scroll upwards in the right pane until you locate “Prevent Access to Drives from My Computer”.  This key offers a few options.  Disabling Drives,  A:, C:, D:, should suffice.

 

3. Users when accessing shared drives can only see drives/folders they have access to.

Solution:    Through Active Directory Group Policy you can effectively disable Network Browsing for users.  Forcing  them to either type in the shared directory manually or access it through a mapped drive.  An easy way to hide a shared folder is to append an “$” on the end of the name.  i.e.  \\dellsrv\users$  would be a hidden share, not visible through Network Neighborhood browsing.  I do not know of a way to prevent users from seeing ONLY the folders that they have access to.  To Disable Network Browsing through “My Network Places”, navigate to User Configuration>Administrative Templates>Windows Components> Windows Explorer, (where we are already) and enable the policy “NO Entire Network in my Network places”..

 

 

4. Users are restricted to a set of possible websites based on group membership.

Solution:  A proxy Server, MS Internet Security and Acceleration Server (ISA).  MS ISA Server is a full featured Proxy Server, Routing and Remote Access Server, and  Firewall managed from a Local or Remote Interface.  All web traffic passes through it as the firewall rules that you create allow or deny.  Rules may be created based on Protocol, User Groups, Time, etc… with Logging and Reporting.  There are alternative Proxy Servers i.e. LINUX Based, UNTANGLE.  I doubt if they are as Full featured as ISA Server.

5. Users web activity is tracked based on their username.

Solution:  A proxy Server, MS Internet Security and Acceleration Server (ISA). 

6. All VPN requests are logged.

Solution:  A proxy Server, MS Internet Security and Acceleration Server (ISA). 

 

7. Each time a VPN connection is requested, email notification is sent to admin account.

Solution:  None

 

8. Each time a specific shared folder on the server is accessed, email notification is sent to admin account.

Solution:  NONE.  No Software that I am aware of at this time offers that functionality.  Microsoft offers a feature called “Auditing” that will log these events in Event Viewer.

 

9. An administrator would like special software installed that would allow them to view in real-time the desktop of any machine on the network. I am looking into a software called NEtOp that has this functionality, as well as looking for other solutions.

Solution:  MS Systems Management Server.  This Server based software has utilities for remote viewing,  Remote Control, Centralized software deployment, and maintains a searchable  database of ALL PC Hardware and Software resources in the Domain.  SMS is a far more  robust software than NetOp.  I personally haven’t used NetOp in the past 7-8 years but I do know that it was very popular at one time. There have been a number of Remote Control Software options over the years, LogMein, Remote Administrator, VNC, GotoMyPC, etc…These tools are usually used as “Help Desk” options OR for Remote Administration.  I have not researched at this time the legal or ethical issues that may be crossed, for misuse of Remote Control software for “spying” purposes.

In Conclusion, I hope this step-by-step illustrated tutorial will assist you in achieving your requirements.  It has been tested and evaluated successfully in a Windows 2003 Server based network environment, with MS Windows XP SP2-3, MS Vista Premium, MS Windows 7 Ultimate workstations.

Next, Part Two -- MS Internet Security and Acceleration Server Configuration (ISA), Custom Firewall Rules.

 

This article will also appear on my Website. Http://www.mindofal.com under “Support Articles”.

Special Thanks to the Group Policy Custom Administrative Template downloaded from:

Http://www.petri.co.il