Stupid malware!
February 19, 2010 8:34 AM Subscribe
Is it possible to use group policy editor to lock down IE even if the users are local admins?
I work in IT for an organization that is pretty liberal about our internet policy. However, we have had huge problems with malware, which we believe is stemming from users downloading games and stuff and inadvertently installing crap at the same time. Right now we're experimenting with blocking certain sites, but I really feel like doing it that way is like playing whack-a-mole; as soon as you block one site, they find something else. I think it would be easier to use group policy editor to lock down IE and block Active X, downloading, etc. Except from certain trusted sites.
Complicating the issue is the fact that one of our applications requires that the users have local admin rights. My boss thinks that the users being local admins would prevent us from blocking anything, but I'm not so sure. I've been tasked with researching this.
I am aware that people could just install Firefox from a thumb drive, or otherwise get around it, but we're really not worried about that. We're going on a "Locks are to keep out honest people" philosophy.
I should also mention that we're on XP Pro, SP3, and IE version 6 (yeah, I know.)
I work in IT for an organization that is pretty liberal about our internet policy. However, we have had huge problems with malware, which we believe is stemming from users downloading games and stuff and inadvertently installing crap at the same time. Right now we're experimenting with blocking certain sites, but I really feel like doing it that way is like playing whack-a-mole; as soon as you block one site, they find something else. I think it would be easier to use group policy editor to lock down IE and block Active X, downloading, etc. Except from certain trusted sites.
Complicating the issue is the fact that one of our applications requires that the users have local admin rights. My boss thinks that the users being local admins would prevent us from blocking anything, but I'm not so sure. I've been tasked with researching this.
I am aware that people could just install Firefox from a thumb drive, or otherwise get around it, but we're really not worried about that. We're going on a "Locks are to keep out honest people" philosophy.
I should also mention that we're on XP Pro, SP3, and IE version 6 (yeah, I know.)
Best answer: Yep, they'll see the options grayed-out in the GUI, but as local admins they will be able to change them via the registry. Most users arent savvy enough to do this. You can rename regedit to something else too, like 484833.exe if youre worried. Or delete it.
Complicating the issue is the fact that one of our applications requires that the users have local admin rights.
Have you tried running it in the power users group? Knocking them down from admin to pu would help you a bit in this scenario. Does this app need to write or modify anything in c:\windows? If not then take away their rights to modify/write to that folder. Take away their rights to modify/write their startup folder and the all users startup folder. Disable active-x. This isnt as secure as running as user and selectively giving whatever permissions they need for this application, but it will help.
Also its worth mentioning that one of the biggest malware vectors right now is Acrobat PDF reader. Disable javascript on that thing, disable the web plugin if you dont need it, and always have it download the pdf locally. Flash too, you'll just need to keep that updated frequently as well as acrobat.
posted by damn dirty ape at 8:57 AM on February 19, 2010 [2 favorites]
Complicating the issue is the fact that one of our applications requires that the users have local admin rights.
Have you tried running it in the power users group? Knocking them down from admin to pu would help you a bit in this scenario. Does this app need to write or modify anything in c:\windows? If not then take away their rights to modify/write to that folder. Take away their rights to modify/write their startup folder and the all users startup folder. Disable active-x. This isnt as secure as running as user and selectively giving whatever permissions they need for this application, but it will help.
Also its worth mentioning that one of the biggest malware vectors right now is Acrobat PDF reader. Disable javascript on that thing, disable the web plugin if you dont need it, and always have it download the pdf locally. Flash too, you'll just need to keep that updated frequently as well as acrobat.
posted by damn dirty ape at 8:57 AM on February 19, 2010 [2 favorites]
I am aware that people could just install Firefox from a thumb drive
Have you considered blocking the USB from mounting drives? This can be done via the registry. Not sure if its in GP. Most users dont need USB drives.
and IE version 6 (yeah, I know.)
As far as group policy goes, you'll have a lot of options with IE6. IE6 isnt all bad. Keep it patched and update/disable those plugins.
posted by damn dirty ape at 9:00 AM on February 19, 2010
Have you considered blocking the USB from mounting drives? This can be done via the registry. Not sure if its in GP. Most users dont need USB drives.
and IE version 6 (yeah, I know.)
As far as group policy goes, you'll have a lot of options with IE6. IE6 isnt all bad. Keep it patched and update/disable those plugins.
posted by damn dirty ape at 9:00 AM on February 19, 2010
Oh, one more thing. I havent played with this part of GP in a long time, but you can tell it to not run executables with certain names. If youre worried about Firefox you can tell it not to run anything named firefox.exe. Savvy users can work around this, but most will just click OK and go back to IE.
posted by damn dirty ape at 9:03 AM on February 19, 2010
posted by damn dirty ape at 9:03 AM on February 19, 2010
Response by poster: Have you tried running it in the power users group?
I know this idea has come up before, but it was abandoned. I'm not sure why. The wierd thing is that this issue has been kicked around for a while by people higher up than me, but for some reason they keep getting hung up on, "Block all websites, grrr!" But we are talking about call center and front desk employees, and I think that's pretty harsh for a job where people don't always have something to do, and is a pretty low-paying shit job anyway. The managers of the depts in question don't have a problem with web-surfing, and neither does the IT director, it's just a few people in between. I think there's a lot of other options, and these answers seem to back that up.
posted by cottonswab at 9:31 AM on February 19, 2010
I know this idea has come up before, but it was abandoned. I'm not sure why. The wierd thing is that this issue has been kicked around for a while by people higher up than me, but for some reason they keep getting hung up on, "Block all websites, grrr!" But we are talking about call center and front desk employees, and I think that's pretty harsh for a job where people don't always have something to do, and is a pretty low-paying shit job anyway. The managers of the depts in question don't have a problem with web-surfing, and neither does the IT director, it's just a few people in between. I think there's a lot of other options, and these answers seem to back that up.
posted by cottonswab at 9:31 AM on February 19, 2010
Make sure you are using group policy management console. With that you say wich users it applies to and which ones dont. I am pretty sure if you have it apply to the users it overrides it.
You can lock IE down pretty heavily .
I dont think local admin matters as long as its not domain admin.
posted by majortom1981 at 10:39 AM on February 19, 2010
You can lock IE down pretty heavily .
I dont think local admin matters as long as its not domain admin.
posted by majortom1981 at 10:39 AM on February 19, 2010
This thread is closed to new comments.
posted by Blue Jello Elf at 8:42 AM on February 19, 2010