
What folders need write permission?

  • 11-12-2005 1:21am
    #1
    Closed Accounts Posts: 425 ✭✭


    I look after a network in a school and want to lock the PCs down as much as possible. I know there will be certain folders that the users will need write access to, temp etc. I'm going to suss them out by looking in tweak ui 'special folders'. Are there any others that I can't just remove write permissions from?

    ie. right now I intend on having only read permission for the entire program files folder.

    Any advice before I break things!?


Comments

  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    alantc wrote:
    > ie. right now I intend on having only read permission for the entire program files folder.

    Unfortunately plenty of programs will modify information within their own Program Files folder. Assuming though that you only want specific programs on the machine, you should be safe to set access to read only on a test machine, and then see which programs it breaks.

    An idea may also be to set a quota policy for users on the drive where the profiles are stored. Use a local or group policy to lock down IE settings - set the IE cache to 20MB and give each user a quota of 50-100MB. At best it will help prevent most games from the last five years from being installed on the machines.


  • Closed Accounts Posts: 425 ✭✭alantc


    Forgot to mention, it's a primary school so the issue is teachers clicking on "integrated search toolbar" and crap like that rather than the students doing anything. I'm not using a domain, just a workgroup of XP computers.

    Should I be using a domain? What I have is working nice at the moment.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,385 Mod ✭✭✭✭Capt'n Midnight


    I take it you have AV, Firewalls, Microsoft antispyware, spybot, spywareblaster etc. Setup internet zones and turn off scripting, install google bar to block some popups. Use http://www.schooner.com/~loverso/no-ads/ to block ads and some spam sites.

    Don't bother with a domain if you are happy with the way it works - really only useful if you want to use user level control to shared files etc. - yes you can use active directory to push out profiles etc. but more trouble than worth as a screw up is applied to all machines. Have you priced a domain - far better things to spend primary school money on.

    Install the programs as admin, but far too many apps need odd folder permissions but regmon/filemon from sysinternals may be of use.

    There are LOTS more tweaks to lock down IE on windows but it's a constant battle, even with up to date patches you have to accept that there will almost certainly be at least one vulnerability that allows an attacker to take complete control of your computer just by visiting their web site (previous exploits have been done with just specially crafted image files, BMP, JPG, PNG etc.)
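
Added example (not part of any post in this thread): the approach suggested above, setting Program Files to read-only on a test machine and watching what breaks with a file-activity monitor, comes down to filtering the capture for denied writes. The sketch assumes a CSV capture with the column names of a Process Monitor export; the sample rows, process names and paths are constructed.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the column layout of a Process Monitor CSV export.
# Process names and paths are hypothetical, not taken from a real capture.
SAMPLE_LOG = r'''"Process Name","Operation","Path","Result","Detail"
"kidsmaths.exe","CreateFile","C:\Program Files\KidsMaths\scores.dat","ACCESS DENIED","Desired Access: Generic Write"
"kidsmaths.exe","CreateFile","C:\Program Files\KidsMaths\kidsmaths.exe","SUCCESS","Desired Access: Generic Read"
"typing.exe","CreateFile","C:\Program Files\Typing\users\class4.ini","ACCESS DENIED","Desired Access: Generic Write"
"typing.exe","CreateFile","c:\program files\Typing\users\class3.ini","ACCESS DENIED","Desired Access: Generic Read/Write"
"typing.exe","CreateFile","C:\Documents and Settings\teacher\typing.log","SUCCESS","Desired Access: Generic Write"
"setup.exe","CreateFile","C:\WINDOWS\system32\toolbar.dll","ACCESS DENIED","Desired Access: Generic Write"
'''


def folders_needing_write(log_text, restricted_root=r"C:\Program Files"):
    """Map each folder under restricted_root to the processes denied a write there."""
    root = PureWindowsPath(restricted_root)  # compares case-insensitively
    needed = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Result"] != "ACCESS DENIED":
            continue  # successful operations need no permission change
        if "write" not in row["Detail"].lower():
            continue  # a denied read is a different problem
        target = PureWindowsPath(row["Path"])
        if root not in target.parents:
            continue  # outside the locked-down tree: review it, do not grant it
        # Grant at the narrowest level seen: the file's own folder, not the root.
        needed[target.parent].add(row["Process Name"])
    return {str(folder): sorted(procs) for folder, procs in needed.items()}


if __name__ == "__main__":
    for folder, procs in folders_needing_write(SAMPLE_LOG).items():
        print(f"{folder}  <- write needed by {', '.join(procs)}")
```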


  • Closed Accounts Posts: 425 ✭✭alantc


    > I take it you have AV, Firewalls, Microsoft antispyware, spybot, spywareblaster etc. Setup internet zones and turn off scripting, install google bar to block some popups. Use http://www.schooner.com/~loverso/no-ads/ to block ads and some spam sites.

    I'm installing firefox on the computers. I think I can do without the no ads file because I have mikes ad blocking host file on each PC and the NCTE have content filtering that has advertising mentioned. I haven't seen the effects of the NCTE ad filtering because we picked the most restrictive filtering (which we're changing) and we couldn't even get onto google!

    > Don't bother with a domain if you are happy with the way it works - really only useful if you want to use user level control to shared files etc. - yes you can use active directory to push out profiles etc. but more trouble than worth as a screw up is applied to all machines. Have you priced a domain - far better things to spend primary school money on.

    I didn't know a domain would cost more! I didn't see a need as the teachers won't be using computers in other classrooms.

    We don't want the students to need to log in so the lab PCs are just autologin with the exact same software on each. The lab PCs are just windows 98 with a registry backup being restored on bootup. If anything really bad goes wrong I just image them again.

    > Install the programs as admin, but far too many apps need odd folder permissions but regmon/filemon from sysinternals may be of use.

    I'll check it out.
    > There are LOTS more tweaks to lock down IE on windows but it's a constant battle, even with up to date patches you have to accept that there will almost certainly be at least one vulnerability that allows an attacker to take complete control of your computer just by visiting their web site (previous exploits have been done with just specially crafted image files, BMP, JPG, PNG etc.)


    Is firefox good enough to get around this?

    I'll be installing AVG next week on all the PCs but I wasn't intending on getting any spyware checker. I was hoping removing write permissions would just make it ineffective.

    The classroom PCs are using windows XP sp2 firewall but the windows 98 PCs have no firewall. Our connection via NCTE is firewalled but I haven't gotten around to asking how effective. (the school only got broadband Friday before last)


    And thanks!


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,385 Mod ✭✭✭✭Capt'n Midnight


    no-ads is better than host files as it uses wild cards so blocks some stuff it never saw before. Also you can download windows update patches from atkami.net (SP) but not see the ads. But they are complementary, you could setup a proxy too

    FF generally has less holes than IE - but get the NoScript extension too. Some of the holes in IE bypass the OS so permissions alone won't get them all. Also FF isn't an OS component so should be easier for the OS to ringfence / run as lower permissions.

    Domain means a windows server license AND client access licenses for each of the clients. And XP Home isn't supposed to work with domains


  • Closed Accounts Posts: 425 ✭✭alantc


    > FF generally has less holes than IE - but get the NoScript extension too. Some of the holes in IE bypass the OS so permissions alone won't get them all. Also FF isn't an OS component so should be easier for the OS to ringfence / run as lower permissions.

    How much does noscript affect browsing? I haven't used it myself and I don't want the teachers to ever be changing settings (ie. to update the whitelist).

    > Domain means a windows server license AND client access licenses for each of the clients. And XP Home isn't supposed to work with domains

    We have win2k3 server and CALs for each PC. I thought we needed these even for just file and print sharing. All the PCs use Win98 SE or WinXP SP2.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,385 Mod ✭✭✭✭Capt'n Midnight


    You can share about 10 connections from 98/NT/windows workstation for file and print sharing. If you have printers with an IP address you can print directly to them. A jet direct box will convert IP to parallel port if you don't have a network capable printer.

    noscript blocks scripts on a per site basis, you can override it easily but it stops scripts running without asking you


  • Moderators, Computer Games Moderators Posts: 2,975 Mod ✭✭✭✭LoGiE


    If you already have the licences then a domain would be the preferred option imo. You could simply use group policy to stop people changing settings and installing rubbish. You could even hide the entire c: drive and permit access to only selected programs if you wanted to. It might also be a good idea to spend an extra bit of money for decent server based AV so as each pc doesn't try and update itself hogging your net connection.


  • Closed Accounts Posts: 425 ✭✭alantc


    I'm intending on purchasing AVG network edition for each PC this week. (have the order form filled out beside me!) Though I'm not too worried about the PCs hogging the net connection.. updates are usually less than 1mb and I don't expect much net usage. If I ignore net usage they'll update themselves and I assume if updates are done from the server I'll have to press "go".

    Bear in mind this is a primary school. There is no IT curriculum and teachers generally don't do very much with the computers. Come to think of it though, I don't even know what speed connection we have. I'll have a read up on domains during the week.

    If I set up a domain will I have to use the windows login box or will I still be able to have a nice picture beside the name of the teacher so she can click on it and enter her password? Again, there's no need for roaming profiles (is that what they're called?) I already have My Documents set to a network drive.

    > You can share about 10 connections from 98/NT/windows workstation for file and print sharing. If you have printers with an IP address you can print directly to them. A jet direct box will convert IP to parallel port if you don't have a network capable printer.

    We have a jetdirect box but we changed the printers to usb ones. So now I have a printer pool running from the server. Also there's ~36 computers. I don't think there were even file shares when I came to the school. Good to know though.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,385 Mod ✭✭✭✭Capt'n Midnight


    Just check the licenses on AVG and other candidate AVs, many are free for educational institutes/non-profit orgs. While a management util is nice, I've never found them work well enough to justify the cost. And usually there is a lot of pain if you change any settings that cause the management tool to break, windows XP SP2 being a recent example.

    If the teachers have pictures then you are using XP Home on the PC's so all you can do is file/print share. You can also get logon script to run by adding a batch file to startup.

    if exist \\server\netlogon\logon.bat \\server\netlogon\logon.bat


  • Closed Accounts Posts: 425 ✭✭alantc


    When I was looking at licenses, educational wasn't free for any I looked at. Though AVG did have a pretty good educational discount.

    I'm sure it's XP-pro, and sure you can have the pictures beside the name on xp pro anyway.

    This topic sure wandered! Good though.

    It seems I'll want write access on the tweak xp "special folders"
    windows registry files.
    Someone mentioned system folder to me.
    Virus scanner directory.
    Firefox cache.
    Pandion (jabber) directory - or turn off logs.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,385 Mod ✭✭✭✭Capt'n Midnight


    If you allow these then more or less full control - trojans save in the startup folder / path / system folders
    It seems I'll want write access on the tweak xp "special folders"
    windows registry files. - permissions are per key already HKCU etc.
    Someone mentioned system folder to me.
    Virus scanner directory. - run as service
    Firefox cache. - it's under the user profile so they have control
    Pandion (jabber) directory - or turn off logs.

    Pics with Pro !?
    Then again our XP pro is only used with domains


  • Registered Users, Registered Users 2 Posts: 6,949 ✭✭✭SouperComputer


    I've used these in schools to good effect:

    http://www.rogev.com/products/pci2000.htm


  • Moderators, Computer Games Moderators Posts: 2,975 Mod ✭✭✭✭LoGiE


    I still think if you have the time and know-how, set up a domain. All of this talk of tweaks and registry files!

    Firstly you need to get an accurate count on how many versions of windows you're running and how many of them there are.
    With a domain you won't have pictures like Home or workgroups, it's a Ctrl-Alt-Del followed by a user name and password.

    Think along the lines of 1 Domain controller running Windows 2003 server and active directory 2003,
    1 File server with folders created for each user
    20 - 35 Client PC's that users log into, with their My Documents pointing at their own share (You could use a vbscript to do this by user name) and restrict access to everything else using group policy.

    Have you looked at the likes of Sophos or EPO from McAfee for your anti virus? Both of the above are installed on a server and roll out the AV client as machines are detected. The server will be updated automatically then it updates all the clients

    You say the school has just got broadband. How is it shared out to other computers?

