Windows 7 Forums


Windows 7: Best Practices Documentation

04 May 2012   #1

Windows 7 Enterprise 64-bit
 
 
Best Practices Documentation

Hello,
I am looking for some documentation around locking down the workstation. We are migrating from XP to Windows 7 and as a part of this migration we are trying to implement a lot tighter security. We are receiving a significant amount of push back from people wanting to know why we would do things like remove access to cmd.exe and regedit.exe from normal users. We have explained the rationale, but are now getting static about "who else does this?" and "where is that written?". If anyone has any links that might be helpful, please post them. Thank you.


04 May 2012   #2

Windows 7 Home Premium 64 bit
 
 

I would ask them why in the world would they ever need regedit if they are normal users. Also CMD is not needed at all for normal users.

I don't understand where or why they would want this in writing. Every company has different needs and Windows 7 allows that flexibility through group policy.
04 May 2012   #3

Windows 7 Ultimate x64 x2 + x86 + Windows 8.1 x64 x2
 
 

Not sure as to where it's actually written down, some things are now so accepted in the industry that they are now just accepted.

You could have a look here: "Total Workstation Lockdown: Your Action Plan", for some suggestions on TechNet, and a search for the technologies mentioned in the presentation should hopefully provide access to white-papers etc.


04 May 2012   #4

Windows 7 Enterprise 64-bit
 
 

event3horizon, I guess it's because of the level of complaining from the technical/developer types that want to retain admin rights on the workstations. Management wants to be able to "back up" their decisions.

BarMan58, I agree that these things should just be commonly accepted practices, but we're moving from the wild west into a more controlled environment. Thanks for the link, also. I will take a look and see what I can take away from this.
04 May 2012   #5

Windows 7 Ultimate x64 x2 + x86 + Windows 8.1 x64 x2
 
 

Speaking from a System Admin point of view I always had the IT agreement as an integral part of the Job acceptance - so if you didn't sign it you didn't get the job. Even the MD and the board were subject to restrictions, for their own protection, and it stopped any complaints from lower echelons. Good old days

You should find a fair number of Microsoft white-papers on the TechNet site; that should be official enough. They are actually more likely to be found in the server sections rather than the workstations.
04 May 2012   #6

Windows 7 Ultimate x64
 
 

Normal users can make use of the cmd command for lots of things. Perhaps to see if they can ping a server. Perhaps to see if they can get DNS name resolution. Perhaps to see what their IP address is. Lots of reasons an average person would need cmd.exe. I don't see how locking it down solves any security risks.
08 May 2012   #7

Windows 7 Enterprise 64-bit
 
 

pparks1, thanks for the feedback. Our concern is the possibility of command prompts being used to launch malicious code. We have access to cmd.exe for administrative functions like you mentioned, but one needs to launch it with elevated rights. For our users, I can't think of an instance where they would need to run under their own limited access. Of course, that's not to say that there isn't a legitimate reason for it. In the meantime, I am still searching for the documentation. There is a group policy setting out there; there must be a reason why Microsoft put it in. I just can't find it...yet