Locked down Administrator profiles

Similar Messages

• Locking down anyconnect client profile

  I was wondering if there is a way to lock down the anyconnect profile on a clients machine.  Basically we are using certifcates to authenticate so the client can make a VPN connection.  We have enabled the certifcate match function to check for IPSec User Extended Match Key.  I can modify the XML on the client PC to bypass the check and authenticate.  We would like to keep users from doing that.  Is there something I can setup on the ASA versus the client to check the certificate or prevent the XML from being modified?
  Thanks in advance.

  I went in and modified the xml and removed the following.  I was then able to make a connection without checking for the IPSecUser extended key usage.  I have 2 certs on my client.  One cert has the IPSecUser extended key usage and the other does not.
      IPSecUser

• How Creative Cloud working under locked down IT administration environment

  We are  existing CS6 and would like to sign for Creative Cloud. Just want to know how it works on the locked down user computers (without local administrator rights)?
  DISCLAIMER The contents of this email and any attachments (together "this email") may contain information that is confidential to Breville Group Limited (and/or its associated entities) (together"BRG"). Information contained in this email is subject to copyright. If you are not the intended recipient, you cannot print, use, rely, or disseminate any part of this email. If you receive this email in error, please notify us immediately by return e-mail and erase all copies. If you are the intended recipient of this email you should not copy, disclose, or distribute this email without the authority of BRG. Any views expressed in this email are those of the individual sender, except where the sender specifically states them to be the views of BRG. If this email contains any defamatory comments expressed by the individual sender, these comments are made outside the scope of his/her authority. BRG does not accept liability in respect of such defamatory comments. BRG does not warrant that the integrity of this email has been maintained, or that this email is free of errors or viruses, and has not been intercepted or interfered with. It is your responsibility to scan this email for computer viruses and other defects. BRG does not accept liability for any loss or damage however caused, whether by negligence or otherwise, which may result directly or indirectly from this email. In any event, BRG's liability is limited to the cost of re-supplying this email. Please consider the environment before printing this email. ***************************************************************

  The deployment is just the same like for the conventional suites and the same rules apply, so I'm not sure what you are asking.
  Mylenium

• Access Connections v4.52 - user rights in locked down environment

  I'm currently working on a small project to deploy various Lenovo wireless drivers, Access Connections v4.52, Hotkey and Power Management drivers via SMS but have come across a slight issue with Access Connections that I can't seem to resolve.
  I'm hoping to provide my locked down users with a selection of standard profiles that are copied to their machines on logon but would also like to give them the ability to create and modify new ones too - this is where I'm having problems.
  Through Group Policy I have set:
  Allow Windows users without administrator privileges to create and apply WLAN location profiles using Find Wireless Network function
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Lenovo\AccessConnection\EnableCreateProfilewithFWN 1
  Allow Windows users without administrator privileges to create and apply location profiles
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Lenovo\AccessConnection\EnableUserMode 1
  I have also manually set the following:
  HKEY_LOCAL_MACHINE\SOFTWARE\Lenovo\Access Connections\Install\AllowPrfCreationThruFWN 1
  I couldn't find a key for the 'EnableUserMode' option
  Unfortunately, none of these give standard users access to create or modify profiles.
  Have any of you come across this in your environment and if so did you manage to come up with a suitable solution?
  Thanks in advance.

  Hi,
  the steps, that you performed are correct.
  However I would not do the last step:
  HKEY_LOCAL_MACHINE\SOFTWARE\Lenovo\Access Connections\Install\AllowPrfCreationThruFWN 1
  This might cause confusiong.
  I have just tested it in here and it's working fine with the 5.x version of AC
  Cheers

• Would like to know how to Completely Lock-down Windows 7 OS

  I don't have a general question..
  It's more like specifics about how to lock down windows 7 computers..
  Here's a little background information...
  I have two computers, both with win 7(Pro, and home prem).
  A family member can somehow bypass all bios and all windows security services... Everytime I go to work or school, he will power on my desktop and somehow 'hack' into the OS and install keyloggers or viruses so he can obtain my banking or other personal information.
  He also unlocks and deletes all the passwords so he can have access whenever he wants..
  Can someone please tell me how to do a complete lockdown? This is getting extremely annoying.. I've done everything that I can do; Also considering on switching my major to some sort of computer security. I'm starting to lose my mind over these months.. All
  help is appreciated.
  I've password protected BIOS
  I've disabled administrator accounts, i've put password on the admin and the guest user; locked the option to change passwords..
  All help is appreciated. Thank you all in advance.

  Hi,
  If you are using Windows 7 Professional, Ultimate, or Enterprise, you can use the Local Group Policy Editor to change policies that affect the security of your computer. Please check if the following policies meet you requirements.
  [User Configuration\Administrative Templates\Windows Components\Windows Explorer]
  Enable these two polices:
  Prevent access to drives from My Computer
  Hide these specified drives in My Computer
  For your reference:
  Lock Down PCs with Windows 7:
  http://technet.microsoft.com/en-us/windows/gg983426.aspx
  Also, restrict Which Programs a User Can Run. You can set rules in AppLocker in the Group Policy Editor that prevents all programs from being run.
  In addition, temporarily Lock Your Computer if Someone Tries to Guess Your Password
  If you share your computer with other family members or allow your friends to use it, you should have a password on your Windows account so no one else can log into it. However, someone may try to guess your password and log into your account. If this happens,
  you can temporarily lock your computer.
  You should also periodically change your password.
  If you suspect, you family member using a tool to bypass your password. You may use Malicious Software Removal Tool (http://www.microsoft.com/security/pc-security/malware-removal.aspx)
  to remove it.
  Hope it helps.
  Regards,
  Blair Deng
  Blair Deng
  TechNet Community Support

• Directory preferences in a locked down PC environment

  How do I change:
  ide.pref.dir
  ide.pref.dir.base
  ide.user.dir
  ide.work.dir
  ide.work.dir.base
  user.home
  so that they don't reference a windows path like \\<server>\<user>$, but <drive letter>:\Oracle\sqldeveloper instead
  We use locked down PC's (with no access to the A: and C: drives) . And when we start SQLD we get 16 dialogue windows say that it cannot access the A: drive, to which we press the continue button. You also get the message when using the File navigator and the File->Open or File-Save functions.
  On upgrade from 1.5.1 to 1.5.4 the number of dialogue windows dropped from 16 to 2.
  We also always lose our connextions and have to reimport from a saved file every morning.
  A response to thread Connections fail to load at startup by user user641239 at 1-sep-2008 0:59 seems to have the solution - except it requires access to regedit. We don't have that. It's much too painful to get SQLD part of the PC build at the customer, so we need to be able to configure without resorting to regedit.
  Any help appreciated.
  Nic
  Edited by: Nic Atkin on 17-apr-2009 2:41
  Edited by: Nic Atkin on 17-apr-2009 2:54

  Hi FurryOne,
  There is a way to hide both A: and C: - but you need Windows Administrator rights to do it. Not possible in a locked down PC, So I'll live with it for now.
  I was also having the Configure File Type Associations at startup everytime problem (see
  Re: Configure File Type Associations at startup everytime
  So, my current solution looks like this:
  AddVMOption -Dide.pref.dir.base=M:\Oracle\
  AddVMOption -Dide.pref.dir=M:\Oracle\sqldeveloper
  AddVMOption -Dide.user.dir.base=M:\Oracle\
  AddVMOption -Dide.user.dir=M:\Oracle\sqldeveloper
  AddVMOption -Dide.work.dir.base=M:\Oracle\
  AddVMOption -Dide.work.dir=M:\Oracle\sqldeveloper
  AddVMOption -Duser.home=M:\
  AddVMOption -Dno.shell.integration=true

• Can we lock down user admin functionality to allow password changes only?

  Hi,
  Is it possible to lock down the user admin functionality so a specific role can only change passwords?
  We have a large user base of >10K infrequent users that are forced to change their passwords every 30 days. We suspect a lot will require password changes and we are keen to not have the tech team spending most of their time dealing with such requests. We would like to pass this task onto data management but not allow them the system administrator functionality.
  We know we can create a responsibility with a limited menu available so the operator can see only the security/user/define menu. But this will still allow the person to add responsibilities to existing user accounts and create new user accounts, both of which are deemed unacceptable security risks. Is it possible to lock down the form as well as the menu? Allowing operators to only change the password of existing users? Or can we use the custom.pll to error when a user tries to do anything except edit the password field when in this role?
  Thanks
  Matt

  You should be able to do that. You would create a new privilege level (ie 7), assign all commands to that level except (this is my guess) the command vpn-sessiondb, you would put that at a lower privilege level (ie 6). Here's a write-up that may help getting you in the right direction.
  http://www.packetpros.com/2012/08/read-only-asdm.html

• Best Practise to lock down server 2012 for Junior Admins

  We require locking down the desktop for junior admins. Essentially we would like for them to only access specific tools and applications.
  Below are examples of specific tools they would require access to however, if we want to block out everything else then what is the best way to go about that? I would image a combination of group rights? how best to handle this?
  Examples
  All Programs->Accessories->System Tools->System Information. then export report.
  "ipconfig /all
  go to Run and then type "systeminfo" and capture all data.

  You can use security group and delegation of administration model.
  http://technet.microsoft.com/en-us/library/cc755982(v=WS.10).aspx
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.

• Forward facing locked down machines... kiosk?

  Hey everyone,
  So I have done a lot of research on this topic, but have yet to find an end-all solution to my conundrum. I have many machines in my network that are forward facing and public use reference terminals that connect to a database of books and things. These
  machines are not and should not be used to casual internet browsing so we have manually locked them down. These machines currently run IE10 Win7x32. The windows side locking down is no problem. But we are having a BIG issue with the current way we allow specific
  sites and lock out all others. 
  In our system, we have an abundance of allowed sites for quick research purposes that these machines are allowed to access. Still technically reference information. For the sake of argument, we have about 25 sites including the main database site that should
  be allowed through a proxy or other filtering system. Currently, we have this proxy based with exceptions built into IE... however, there is around a 255 char limit on that input box (for whatever reason).
  So that brings me to my current solution that is not quite working correctly. I have configured a .PAC script and stored it on a server that these machines can access and an msi for IE10 branding using the IEAK for IE10. This .PAC script does not seem to
  be working the way it should. I got the idea from a site I didn't save, but the basic idea is below:
  function FindProxyForURL(url, host)
  // variable strings to return
  var proxy_yes = "PROXY 255.255.255.255:8080";
  var proxy_no = "DIRECT";
  if (shExpMatch(url, "*.google.com")) { return proxy_no; }
  // Proxy anything else with yes
  return proxy_yes;
  So, my understanding is this would run when sites are accessed, if it matches the if statements it passes and if it doesn't, it defaults to proxy_yes which doesn't exist and thus doesn't load. The ADMX configures the proxy itself and everything should be
  great. 
  My main question: is there a better way to allow sites through to a machine WITHOUT loading the pages first. A simple whitelist/blacklist doesn't necessarily work because it, as far as I understand, still loads the pages but does not display them. Currently,
  it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong. It doesn't seem like the list from our previous installation from GP is being overridden using this method, and it doesn't
  apply to new machines connected to the policy. Of course, I know it is applying because other functions, like the content rating system that I accidentally left on, have caused some problems in the past. 
  We will be upgrading these machines to newer optiplex models and installing Windows 8, so if there is a more effective solution that only works in windows 8, I am willing to try it. 
  Thanks in advance for the help, you guys are always awesome! 

  Hi,
  >>Currently, it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong.
  In addition to IEAK 10, to configure proxy for IE 10 on Windows 7, if our most up-to-date domain controller is Windows Server 2012 or R2, we can use Group Policy Preferences
  Internet Settings extension to configure the proxy setting. Besides, we can also choose to install Remote Server Administrative Tools on a Windows 8 or 8.1 client and manage group policy settings from this client.
  Moreover, another way is that we can try using Group Policy Preferences Registry extension to configure the proxy settings for IE10 on Windows 7.
  Regarding this point, the following thread can be referred to as reference.
  Proxy settings not applying to IE above 8
  http://social.technet.microsoft.com/Forums/en-US/3b0f54d7-7293-49dc-9e3f-e8799c20265b/proxy-settings-not-applying-to-ie-above-8?forum=winserverGP
  Best regards,
  Frank Shen

• Locked down computer (means I cannot see network settings) allows IE6 but Firefox always times out.

  The tech guys have locked down the computer and I cannot see the network settings and have no access to the registry. Firefox always times out so I am forced to use IE6. How to set up Firefox to get round this?

  Presumably, you're talking about your company's administrator. It probably wouldn't be wise to try and circumvent their network policy. It might get you fired even.
  A better idea would be to show them how insecure IE6 is - ''it's no longer supported by Microsoft for example and exposes their network to all kinds of attacks'' - and that it's in their own interests to use a secure browser like Firefox 4.0
  Maybe they'll even promote you!

• Locking down call forwarding

  I just started a new job, this company doesn't want call forwarding from phones but one of the high level vendors was allowed to have his phone sent to just one number. The last technician figured out how to disallow the change of the forwarding number he set in call manager. I can't for the life of me figure out how he did it. When I set a number in call manager the phone is still allowed to change the number locally and reset it in call manager. I'm really interested to know how he did this. 

  Hi
  In case you want to lock down the call forwarding, you can just remove the CFA button from the softkey template from all the phones. This would prevent users from doing from the phone.
  The only option would now be the ccm end user page. In case you want to remove from there as well, use the following enterprise parameter on CCM Administration page :
  Show Call Forwarding :This parameter determines whether end users can configure all, none, or specific call forwarding
  directives for their phone(s) when using the Cisco Unified CM User Options (ccmuser) window. Call forwarding
  options are not provided regardless of the setting in this parameter if the phone template assigned to the user's device does not support call forwarding
  With this, what ever CFA settings you put on the phone, users won;t be able to change that.
  Regards
  Aditya

• Locking Down & Creating Exceptions

  We have seven school district buildings which includes an administration
  building. Each school has it's own server set on NW6.5SP5 and BM3.8SP4 as
  well as Zen 7. The admin bld has two servers, one for the building and one
  is our web/e-mail server using GW 7.0.2HP and Apache2. It also has GWava
  running with Kaspersky A/V (e-mail) and both servers are our DNS servers.
  If I set the default filters (to lock down the system) with BM, all
  connectivity is lost, which it should be. However, I've not been able to
  figure out the correct filters to set to allow traffic into and out of the
  web server and e-mail, i.e., if I lock down the building server no one can
  get to their e-mail or access the web server but can access the Internet via
  the BM proxy.
  I have Craig's books but guess I need a little more detail and pictures. Is
  there a book out there for those of us with A.D.D. that will walk me through
  creating a filter one-step-at-time including saying what each step is
  for/doing or what will be accomplished?
  I need to lock down each of the servers, but can't because, although users
  can get out to the Internet via the BM Proxy, they still don't have access
  to GroupWise from the client and / or Novell's iFolder, and Instant
  Messaging, of course. If I go to iManager 2.6 and attempt to creating
  exceptions for GW, iFolder and IM, the filter exceptions are created but
  don't make a difference.
  Sorry to drag on so long, but we've had an incident happen in the last month
  and we need to make the network more secure but still allow users to such
  things as the Internet, GW, iFolder, etc.
  Any suggestions and/or ideas would be appreciated,
  Tim

  >> In article <[email protected]>, Tim Ferguson wrote:
  >> When I say "Yes" to create a secure system when running BRDCFG, all outside
  >> access is blocked or isn't it supposed to be?.
  >> When you do that, it blocks all traffic to and from the public interface, and
  >> then adds some default exceptions intended to allow the VPN and certain
  >> proxies to work. (It will not overwrite any exceptions you might already
  >> having in place that would allow too much traffic through).
  >> The only way to the Internet
  >> is through the proxy, and VPN traffic is ok. Traffic on the VPN and the
  >> private IP network is fine, or should be, correct?
  >> Should be, correct.
  >> For Example:
  >> I have a user at 192.168.30.150 that needs to access his GW e-mail using the
  >> GW client to the server at 209.xxx.xxx.163, port 1677, but can't once the
  >> "secure system" is set. Realistically, we should set his client to check
  >> the private IP of the e-mail server at 192.168.20.1, port 1677, correct?
  >> Well...
  >> I'm not clear if you are trying to have the client access the GW process from
  >> inside or outside the LAN. Normally if you have a client on the inside of the
  >> LAN, that client should always be pointed to the internal IP address of a
  >> process, not the public IP address.
  I was talking about each teacher's workstation GW client, all of which are inside the VPN-created LAN
  >> If the GW process (POA, here) is running on the BMgr server itself, it is most
  >> likely listening on all IP addresses, and you need to make sure the internal
  >> address (unfiltered) is being used when inside the LAN.
  We have seven buildings, six schools and the administration building. Each building has it's own BorderManager server. Each building has it's own T-1 circuit. The buildings are connected by a BorderManager VPN (IKE). The web/mail server at the administration building is the VPN master.
  Currently each workstation's GW client (in each building) is set to the GW server's (MTA, POA, GWIA, WEBACC) public IP. Setting the filters to create a secure system would kill this capability, correct?
  >> If the process is being static NAT'd to that public address, you should not be
  >> able to access it from the inside (using the public address) with filters up
  >> or not.
  We are using "dynamic" NAT in each building. I only use "static" NAT when I create a secondary IP to my office computer so I can access it from home. NAT is then set to "dynamic and static" and not "static" only.
  >> If the process is being proxied to the public address, you could access it on
  >> the public address, as long as filter exceptions were added to allow the
  >> traffic from private to public, but it would be better to just point to the
  >> internal address.
  The process is not being proxied to the public address, was never able to get that configured and working.
  >> Often this means you just set up an internal DNS server.
  Explain further, please. Each of the two servers at the administration building is a public DNS server. To create an internal DNS server, it would be set just to the private IP's of most of the same objects on the public DNS servers?
  >> Should I then: (1) Create an exception on his building's server (the
  >> gateway) using the public interface to let his client out on port 1677? And
  >> (2) Create an exception on the mail server using the public interface to
  >> allow port 1677 in, and use a stateful filter exception on both so traffic
  >> goes both ways? or (3) ???
  >> If the client is on the inside of the LAN, you definitely should be pointing
  >> the client to an internal IP address.
  >> If the client is on the outside of the LAN (laptop taken home, for instance,
  >> or a home PC using GW client), then you have options:
  >> 1. GW running on a BMgr server
  YES
  >> 2. GW running internally, proxied to a public address
  NO
  >> 3. GW running internally, static NAT'd to a public address.
  NO
  From home or otherwise outside the private LAN, we use the GW server's public IP from the GW client.
  >> With 1 and 2, the filter exceptions are the same. With 3, they are different.
  >> I have examples for each in the filtering book.
  >> With 2, you not only have to have filter exceptions (public to public), you
  >> also have to have proxy configured and running AND access rules.
  >> With 3, you just need to have static NAT configured, filter exceptions, and a
  >> default route on the GW server. This option is the most common one I see.

• How do I lock down the wifi network?

  I just had fios installed today would like to upgrade the security to wpa or wpa2. Can someone please tell me the procedure on how to do this.
  Thanks, Geoff

  gpg wrote:
  I just had fios installed today would like to upgrade the security to wpa or wpa2. Can someone please tell me the procedure on how to do this.
  Thanks, Geoff
  There are 3 things you should do to "lock down" your network.
  1. Change the default administration password. The default is password or password1.
  2. Change the SSID and set to not broadcast.
  3. Set the security to WPA-psk or WPA2-psk and pick a password key.
  To do this, log in to the router by opening your internet program and type 192.168.1.1 in to the address bar. Type admin and the password into the login page. Once logged in, click on "wireless settings". Click on "basic settings". From there you can change the SSID and turn off WEP. Once that is done, click apply. Now click on "advanced settings".  From this page you can select your security type, set the password key (recommend a sentence that is easy to remember) and turn SSID broadcast off. You can also set mac filtering for extra security. When done click apply. You should be all set.
  "If your problem has been solved, please mark it as such. Don't forget to hand out your Kudos!"

• HELP - Macbook Pro Locked Down

  Ok, to make a long story short, I bought a used Macbook Pro and the password I was given is not working. The person I bought the computer from seemed fishy, I should have realized something was wrong before agreeing to buy the computer. The computer seems like it is a demo machine from an Apple Store or some other retail store. It is locked down and I can not gain access to the administrator account. I have tried everything I found on the internet. I called Apple up to inquire about this machine to see if it is marked/reported as being fraudlent/stolen/counterfiet and they confirmed the serial number is fine and it is an official apple computer. They said I have hardware support until end of March 2011, but no longer have software support. Oh by the way, I am new to Macs, this is my first Mac, so I'm not familiar with them. Not a very good first experience. I guess its my fault for buying a used computer without receiving the install/backup disks.
  Below is a summary of what is happening and what I tried:
  When I turn the computer on, it logs in fine. Everything seems to function fine. But if I try to do anything administratively it asks for password and I can not do anything.
  I tried the following things:
  - entering single user mode, removing the AppleSetupDone file. After I reboot from that, it just logs in as normal and doesn't prompt for new account. When I went back into single user mode, the AppleSetupDone file was back.
  - entered single user mode, changing password via command line. Seems like it changes fine with no errors. After I reboot, logs in fine and I try password I changed to and it doesn't accept it.
  - Tried putting OS 10.6.3 into DVD and booting from that by holding c key, but it ends up going to grey screen with Apple logo and does nothing.
  - Tried putting OS 10.6.3 into DVD and pressing "Option" key while booting to choose which device to boot from. I choose DVD and it goes to grey screen with Apple logo and does nothing.
  - I tried formating the hard drive, went to single user mode, did a rm -rf / Seemed like it erased the hard drive, so I figured it has to boot from DVD. Well when I turned on computer, it booted fine and logged in as normal. Went back into single user mode and everything was restored as was.
  - Tried clearing the PRAM and NVRAM thinking maybe there was something in the non-volatile memory, but that did nothing. Logged in as normal and still would not allow me to boot from DVD.
  Someone suggested the firmware was password protected, but I had read if you hold the option key down while booting that a lock would appear if the firmware was password protected and that didn't happen, I got the HD or DVD options to boot.
  Seems like the computer is locked down somehow to restrict anyone from modifying anything and at bootup, it restores everything to original state. Does anyone have any ideas or suggestions? Does anyone know how Apple stores lock down their demo computers to avoid customers from modifying them? Is there something in the hardware? Are there jumpers set somewhere that could be causing the machine to do a unique protected/recovery bootup? Someone mentioned pulling the hard drive and formatting it in another computer. Do you think this would do it for me?
  Thank you for the help,
  Kevin

  Proof? I bought it used from someone. All I have is the computer and charger. When I talked to the Apple representative on the phone about the serial number, he said the machine has not been registered yet. So what would the proof be?

• Locked down RDS Server

  Good morning,
   I followed this tutorial to lock down my RDS Server but I have one issue.
  http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/
   When users are in an app they try to attach a file and explorer defaults to the c my documents. Is there a way to change it so it defaults to there network drive?
   Also, how can I have there local drives redirect to the RDS server?
  Thanks,
  Derek

  Hi Derek,
  Please disable the below policy setting and verify.
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
  Do not allow drive redirection
  More information.
  Make Local Devices and Resources Available in a Remote Session
  https://technet.microsoft.com/en-in/library/cc770631.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]