Here is some additional information of what I've tried...
I have tried to use policies to restrict what programs I want the
specific user to use, but this proved too difficult since the software
installed on the stations is very dynamic. I have also tried to make
the whole hard drive read only for the group everyone, except for the
users desktop, which they need to be able to write to. But it seems
that when an install is executed, it bypasses the restriction and goes
ahead and writes to the hard drive.
If anyone has any input, please let me know. Thank you.
The short answer is no, since it is straightforward to write software
that can be installed with no more than write access to your desktop.
The long answer is that you can enable auditing and determine what
programs are being run by various users. This will generate large
audit logs, but it ought to be fairly simple to filter out everything
except "running something", and then to filter out programs that live
in "Program Files".
Once you've found users who insist on running chat programs, send
them a detailed log of *every* such usage over the past week, to
prove that you have the willing and the capability to detect this.
At this point, you should find that most users take the hint.
> > I have a lab of 30 computers running Windows NT Workstation 4.0. My
> > supervisors are tired of seeing people in the lab using the chat
> > programs. Is there a way I can prevent users from installing software?
>
> The short answer is no, since it is straightforward to write software
> that can be installed with no more than write access to your desktop.
However, you can set up each system such that users cannot install a wide
range of software. For example, don't just focus on the Everyone group...
set up a specific group for users and make sure that each user has a unique
ID.
Then, remove write access to the drive for many of the folders for that
group
with all of the users in it. C:\, C:\winnt, C:\winnt\system32, etc. They
may need
to write to c:\temp, though.
> The long answer is that you can enable auditing and determine what
> programs are being run by various users. This will generate large
> audit logs, but it ought to be fairly simple to filter out everything
> except "running something", and then to filter out programs that live
> in "Program Files".
>
> Once you've found users who insist on running chat programs, send
> them a detailed log of *every* such usage over the past week, to
> prove that you have the willing and the capability to detect this.
This is a good idea, as well. And it's pretty easy to implement. There are
a wide
range of tools available that will assist you in automatically collecting
the log files.
For example, dumpevt.pl from http://patriot.net/~carvdawg/perl.html will
dump the
EventLogs from the various systems in .csv format, suitable for opening in
Excel.
But b/c it's a flat text file, it's also suitable for quickly parsing w/
Perl.
I'd suggest setting up a process to:
a) Increase the default EventLog sizes.
b) Enable auditing for Process Tracking (success and failure)
c) find some way that you're comfortable with for retrieving at least the
Security EventLog
d) Run this for a week, parsing out the chat programs.
Using the execution of programs tracked in the EventLog, you'll know how
long the program
was run.
> I have a lab of 30 computers running Windows NT Workstation 4.0. My
> supervisors are tired of seeing people in the lab using the chat
> programs. Is there a way I can prevent users from installing software?
Instead of stopping this at the workstation, why not stop it at the router?
What kind of network topology do you have? Can you set up firewall rules at
your routers to block the chat apps? Should be a simple case of blocking
some specific outbound ports.
--
Kenneth Porter
http://www.sewingwitch.com/ken/
Chad...
"Davo" <buffd...@hotmail.com> wrote in message
news:17c3efd9.01102...@posting.google.com...
...because the net-admin doesn't have the clout.
In a business scenario, they *could* say "Unless you back me, I cannot
guarantee the integrity of the company's IT. Hackers could destroy critical
records and systems." They might be taken seriously, or they might be told
that if they can't find a technical solution to such a simple problem then
they should find a new job. (In the latter case, they'd be well advised to
take that advice, but not everyone is sufficiently confident of their CV to
resign just because their employer is "too stupid to work with".)
In a lab or academic environment, the net-admin probably has a "proper job"
and is only doing the admin stuff as time permits. They could "resign", but
they know then that the system would be completely unadministered. Is that
better?
> Go to the HR dept. Have
> them write a letter that says anyone installing unauthorized software on
> their machines, including chat, etc., will have disciplinary action taken.
> Place a copy of this letter on each workstation before the users get there
> in the morning. Net cost: 10 minutes and 30 sheets of paper.
This is, of course, the correct approach to an enormous number of
administrative problems.