Best Practices Documentation


  1. Posts : 5
    Windows 7 Enterprise 64-bit
       #1


    Hello,
    I am looking for some documentation around locking down the workstation. We are migrating from XP to Windows 7 and as a part of this migration we are trying to implement a lot tighter security. We are receiving a significant amount of push back from people wanting to know why we would do things like remove access to cmd.exe and regedit.exe from normal users. We have explained the rationale, but are now getting static about "who else does this?" and "where is that written?". If anyone has any links that might be helpful, please post them. Thank you.


  2. Posts : 335
    Windows 7 Pro 64 bit SP1
       #2

    I would ask them why in the world would they ever need regedit if they are normal users. Also CMD is not needed at all for normal users.

    I don't understand where or why they would want this in writing. Every company has different needs and Windows 7 allows that flexibility through group policy.


  3. Posts : 31,242
    Windows 11 Pro x64 [Latest Release and Release Preview]
       #3

    Not sure as to where it's actually written down; some things are now so accepted in the industry that they are now just accepted.

    You could have a look here: Total Workstation Lockdown: Your Action Plan, for some suggestions on TechNet, and a search for the technologies mentioned in the presentation should hopefully provide access to white-papers etc.


  4. Posts : 5
    Windows 7 Enterprise 64-bit
    Thread Starter
       #4

    event3horizon, I guess it's because of the level of complaining from the technical/developer types that want to retain admin rights on the workstations. Management wants to be able to "back up" their decisions.

    BarMan58, I agree that these things should just be commonly accepted practices, but we're moving from the wild west into a more controlled environment. Thanks for the link, also. I will take a look and see what I can take away from this.


  5. Posts : 31,242
    Windows 11 Pro x64 [Latest Release and Release Preview]
       #5

    Speaking from a System Admin point of view I always had the IT agreement as an integral part of the Job acceptance - so if you didn't sign it you didn't get the job. Even the MD and the board were subject to restrictions, for their own protection, and it stopped any complaints from lower echelons. Good old days :)

    You should find a fair number of Microsoft white-papers on the TechNet site; that should be official enough. They are actually more likely to be found in the server sections rather than the workstations.


  6. Posts : 7,878
    Windows 7 Ultimate x64
       #6

    Normal users can make use of the cmd command for lots of things. Perhaps to see if they can ping a server. Perhaps to see if they can get DNS name resolution. Perhaps to see what their IP address is. Lots of reasons an average person would need cmd.exe. I don't see how locking it down solves any security risks.


  7. Posts : 5
    Windows 7 Enterprise 64-bit
    Thread Starter
       #7

    pparks1, thanks for the feedback. Our concern is the possibility of command prompts being used to launch malicious code. We have access to cmd.exe for administrative functions like you mentioned, but one needs to launch it with elevated rights. For our users, I can't think of an instance where they would need to run under their own limited access. Of course, that's not to say that there isn't a legitimate reason for it. In the meantime, I am still searching for the documentation. There is a group policy setting out there; there must be a reason why Microsoft put it in. I just can't find it...yet


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
