On 2007-02-27 Rocky wrote:
> Actually this is for my client with a small network that requires not
> to install anything from the client station. They are frequently
> infected by worm/Trojan viruses because most of them had admin rights.

Have them use normal user accounts for day-to-day work. If some software
refuses to run with LUA the steps described in [1] may help.

> A limited user accounts can also install a softwares by changing the
> directory location like C:\.

Changing the default permissions on C:\ has been a Best Practice for
years. Even Microsoft themselves suggested it in one of their security
bulletins [2]. I usually grant full access to administrators and SYSTEM,
and read access to authenticated users. The only software that caused
any trouble with this setup is the Corel Graphics Suite, which had to be
configured to not use C:\ for the Bitmap Tile Manager's swap.

> So if there's no way to restrict this on registry/gpedit would just
> recommend to get a 3rd party software.

Third party software won't help you either. It is simply not possible to
restrict local admins without revoking their admin privileges.

[1] http://www.planetcobalt.net/sdb/submission.shtml
[2] www.microsoft.com/technet/security/bulletin/ms02-064.mspx

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
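
Added example, not part of the original message: a read-only PowerShell check of the system drive root against the layout described above (full access for administrators and SYSTEM, read access for everyone else). The set of rights treated as "more than read" and the list of trusted SIDs are assumptions of this example.

```powershell
# Added example: audit the system drive root ACL for write access held by
# anyone other than Administrators and SYSTEM. Read-only; changes nothing.
$root = "$env:SystemDrive\"

# Well-known SIDs, so the check also works on localized installs.
$trusted = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18'        # NT AUTHORITY\SYSTEM
)

# Assumption of this example: these rights count as "more than read".
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
# Root ACEs may carry raw generic bits that the enum does not name.
$genericWrite = 0x40000000
$genericAll   = 0x10000000
$mask = [int]$writeRights -bor $genericWrite -bor $genericAll

$acl   = Get-Acl -LiteralPath $root
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $sid = $rule.IdentityReference
    if ($trusted -contains $sid.Value) { continue }
    $excess = [int]$rule.FileSystemRights -band $mask
    if ($excess -eq 0) { continue }

    # Resolve the SID to a name for the report; keep the SID if that fails.
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }

    [pscustomobject]@{
        Identity    = $name
        Rights      = $rule.FileSystemRights
        ExcessMask  = '0x{0:X8}' -f $excess
        Inherit     = $rule.InheritanceFlags
        Propagation = $rule.PropagationFlags
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$root grants write access beyond Administrators and SYSTEM."
} else {
    Write-Output "$root matches the layout: no write access outside Administrators and SYSTEM."
}
```

Entries whose Propagation column shows InheritOnly apply to files and folders created below the root rather than to the root itself, so review them separately.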
