We have all of our desktop users set up as normal users (not administrators or power users). This means that they can't install software using normal installers or write to the winnt|windows folder or the program files folder. In my experience, this is enough to prevent most infections, be they virus or spyware, from doing anything that can't be fixed by a reboot. We are able to do this because 1) we have a relatively uniform set of users (only administrative staff), 2) my group has enough staff to go by in person and install extra software when people need it, and 3) our department manager backs me up in setting this restriction.

We also have other security provisions in place: we disable the server service (so no open shares without passwords) and we turn off active scripting (vbscript/javascript/whatever) and activex in IE for all but a few known sites (e.g., BLU, HRMS, BAIRS, et al.). We're able to propagate these settings using active directory and group policies, but it requires a not insignificant amount of time and savvy to maintain them. It also requires being politically able to tell users "no, you'll have to use Netscape or Mozilla to view that javascript-infested site."

So, yes, it is possible, but I wouldn't say Microsoft makes it easy. Every time I set up a new XP workstation I am appalled anew that Microsoft forces you to create an initial user in the administrators group and start work as that user, with no warnings about the dangers of unlimited OS access.
Jan
-------------------------------------------------------------------
Jan Pardoe, Manager janp@eecs.berkeley.edu
Administrative Computing Group 510-643-7848 (voice)
EECS, UC Berkeley 510-642-5775 (fax)
Mike Hunter <mhunter@berkeley.edu> writes:
>Every time I read about spyware infections, I say to myself "why was
>windows configured to allow new programs?" But it occurs to me that I
>don't really know for sure if that's possible. Are there any departments
>on campus that have users configured with strong enough restrictions that
>make spyware not a problem, or is that simply impossible (or highly
>impractical) on windows? Not being an end-user sys-admin, it's easy for me
>to fantasize about how I would configure user workstations to be able to run
>only the applications necessary for business requirements, and I know in
>the real world people want to be able to download the blah-blah plugin to
>play this year's "santa's elf bowling" game....
>
>Mike
>
>------------------------------------------------------------------------
>The following was automatically added to this message by the list server:
>
>For information about Micronet, including subscribing to
>or unsubscribing from its mailing list and finding out
>about upcoming meetings, please visit the Micronet Web site:
><http://micronet.berkeley.edu/>.
Received on Tue Nov 16 17:06:59 2004
This archive was generated by hypermail 2.1.8 : Tue Nov 16 2004 - 17:07:08 PST
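A quick local audit of the three controls Jan describes (non-admin users, Server service disabled, IE active scripting and ActiveX off outside a short list of known sites), as an added example that is not part of the original message. It assumes Windows PowerShell 5.1 on a current Windows desktop, where the local-accounts cmdlets exist; the known-site list is a placeholder for the department's own, and the zone numbers and value names are Internet Explorer's registry layout.

```powershell
# Added audit script (not from the original message). Assumes Windows PowerShell 5.1
# on a current Windows desktop; the known-site list below is a placeholder.
$KnownSites = @('blu.berkeley.edu', 'hrms.berkeley.edu')   # placeholder for the local allow-list
$Findings   = @()

# 1. The interactive user should not be a member of the local Administrators group.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
if ($admins -contains $me) { $Findings += "Current user $me is a local Administrator" }

# 2. The Server service (LanmanServer) should be disabled so no shares are exposed.
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
if ($srv -and $srv.StartType -ne 'Disabled') {
    $Findings += "Server service start type is $($srv.StartType); expected Disabled"
}

# 3. Internet zone (zone 3) settings. IE stores them as DWORDs: 1400 = Active scripting,
#    1200 = Run ActiveX controls and plug-ins; data 0 = enable, 1 = prompt, 3 = disable.
#    Group Policy writes the HKLM Policies hive, so check it before the per-user key.
$zonePaths = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)
foreach ($setting in @(@{Id='1400'; Name='Active scripting'}, @{Id='1200'; Name='ActiveX controls'})) {
    $value = $null
    foreach ($p in $zonePaths) {
        $item = Get-ItemProperty -Path $p -Name $setting.Id -ErrorAction SilentlyContinue
        if ($item) { $value = $item.($setting.Id); break }
    }
    if ($value -ne 3) {
        $Findings += "Internet zone: $($setting.Name) ($($setting.Id)) is '$value'; expected 3 (disable)"
    }
}

# 4. Everything in the Trusted Sites zone (zone 2) should be on the known-site list.
#    ZoneMap\Domains\<domain>\<host> holds a DWORD named after the scheme whose data is the zone.
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$trusted = Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $props = $_ | Get-ItemProperty
    if ($props.PSObject.Properties.Value -contains 2) {
        $parts = ($_.PSPath -replace '^.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)
        $parts -join '.'      # e.g. Domains\berkeley.edu\blu -> blu.berkeley.edu
    }
}
foreach ($site in $trusted) {
    if ($KnownSites -notcontains $site) { $Findings += "Trusted Sites contains unlisted host: $site" }
}

if ($Findings.Count -eq 0) { 'All three controls are in place.' } else { $Findings }
```

Run it in the user's own session rather than an elevated one, since the per-user zone keys and the current-identity check are both meant to reflect what the logged-on user actually gets.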