Rdutch

Tech help w2000 permissions?


I'm trying to set up a w2000 network, for use with the Internet for browsing only. I created an InternetUsers account, and made them members of the Users group. My intent was to not let them download anything. But for some reason they can still download MSN IM. Nothing else. Does Windows bypass Microsoft downloads, and saving? Any ideas on how to keep people from downloading IM, or at least disabling it? I know MSN IM uses specific ports; maybe disabling them will work.
Any ideas, let me know. Thanks.

Also I can't convert the drive to NTFS due to OS conflicts in the network.


Ray
Small and fast what every girl dreams of!

Honestly, you need NTFS to have full security permissions that are one of the inherent advantages of Win2k. Beyond that, you might want to look at setting up a proxy server.

MSN IM ports: http://www.seifried.org/security/ports/6000/6892.html
A few other sites also list 1863 and 7801-7825
http://www.swinc.com/resource/e2kfaq_sec3.htm scroll down to 3.16.

Of course this also depends on what version of Exchange you are running, if you are running it. There is a version of IM that is internal only that runs as a plugin for Exchange.
--
All the flaming and trolls of wreck dot with a pretty GUI.

Quote

Also I can't convert the drive to NTFS due to OS conflicts in the network


Eh? What kind of conflicts?

Disabling ports probably won't work - IIRC, MSN can use 80.

As far as disabling certain programs or downloading of stuff, you'll probably want to set up a policy. You running AD?
it's like incest - you're substituting convenience for quality

Quote

Also I can't convert the drive to NTFS due to OS conflicts in the network
Eh? What kind of conflicts?

Quote


There are Macintosh computers running Virtual PC in the network, and even though with Virtual PC you can change the drives to NTFS, I am afraid it will cause problems with the Apple programs running on that drive, and I don't know anything about Apple.

Disabling ports probably won't work - IIRC, MSN can use 80.

As far as disabling certain programs or downloading of stuff, you'll probably want to set up a policy. You running AD?



Not running Active Directory; I'm not running Server, just Professional. By making the Internet users group a guest it's stopping them from downloading anything but MSN IM. It's frustrating; every time I find a way to stop anyone from downloading MSN IM someone finds a way around it.


Ray
Small and fast what every girl dreams of!

Quote

One solution would be a proxy server/router, check this site www.linksys.com not expensive and very configurable.



I am running all the computers on a router. I'm just curious, does the router you listed have options that would block downloads if you're not administrator?


Ray
Small and fast what every girl dreams of!

Quote

Quote

One solution would be a proxy server/router, check this site www.linksys.com not expensive and very configurable.



I am running all the computers on a router. I'm just curious, does the router you listed have options that would block downloads if you're not administrator?



You can configure that. The router itself has a utility built in and you can grant access, deny access to the Internet by IP, etc. Also, if you have ZoneAlarm Pro, you can allow/deny access to APPLICATIONS thru the router.
In your case, you could deny access to ALL the PCs except yours, but you will need to know the IPs, which of course YOU can easily set up.
__________________________________________
Blue Skies and May the Force be with you.

Thanks, I'll look into ZoneAlarm. I want all the computers in the network to access the Internet. That is what they all are there for, nothing else. But I don't want anyone to save anything or delete anything or change any configurations. That is why I made them all members of the Users group. I then changed them to the Guests group to limit their permissions more, and now they can't save or delete anything, but for some reason MSN IM gets through the crack. W2000 Pro is supposed to have the ability to stop people from doing just what I wanted, but you know Microsoft, it's full of holes.
Once again thanks for the help and I will look at ZoneAlarm. If anyone knows how to keep w2000 from doing this using just w2000 it would be appreciated.


Ray
Small and fast what every girl dreams of!

I forgot to mention, the Linksys utility allows you to set a password, so no one can change the config. Same thing with ZoneAlarm; there is a FREE version by the way, but if you want the router to use it, you'll need the Pro version.
__________________________________________
Blue Skies and May the Force be with you.

Quote

There are Macintosh computers running Virtual PC in the network, and even though with Virtual PC you can change the drives to NTFS, I am afraid it will cause problems with the Apple programs running on that drive, and I don't know anything about Apple.



You've got an apple that's sharing files off the 2000 pro machine? Or it's running network apps like other clients? In any case, it shouldn't affect anything.

How many workstations are you working with that you want to restrict like that? If it's only a few, there's some cheap and dirty ideas like playing with hosts files and adding static routes that would only take a few seconds to do, and not cost you anything. They might still be able to download it, but it could probably stop them from actually using it.
it's like incest - you're substituting convenience for quality

Without NTFS you're fighting an uphill battle. A simple fix is just to change the registry key to allow no new creation of folders. I forget the key off the top of my head, but NTFS is the best way and it shouldn't affect the Apples at all.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

We use Win2k Pro at work, and in my short stint as assistant network admin I learned a few things... none of which will help you. I did know that even though we could download things, if we tried to install them it wanted us to be administrators or it wouldn't work... I'll see if I can find my config file for ya and you can try those settings.....

______________________________________
"i have no reader's digest version"

Quote

block port 1863 at the firewall.

That's the port that MSN messenger uses.


It will still try port 80. Reduced functionality, but it will still work.

As I said before - for cheap, dirty, and easy - I'd add bogus static routes or entries in the hosts file. Failing of course, you go ahead and convert to NTFS and get crazy with file/registry permissions.
it's like incest - you're substituting convenience for quality

It will still try port 80. Reduced functionality, but it will still work>>


I did not know that. Thanks. What about blocking messenger.hotmail.com since that's the host it uses?

I'll look into it myself since I may be forced to do the same thing.

C-ya
My grammar sometimes resembles that of magnetic refrigerator poetry... Ghetto

Quote

What about blocking messenger.hotmail.com since that's the host it uses?



Yeah, that's what I was saying about the bogus routes, hosts file, deny that domain at the router/firewall/whatever.
And it's *.msgr.hotmail.com
Or, you could block (a complete guess here) the range 207.46.106.???
it's like incest - you're substituting convenience for quality
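
An added example, not part of the thread: a small Python check of hosts-file text for the name-blocking approach discussed above. The sample file content, the subdomain names `a.msgr.hotmail.com` and `b.msgr.hotmail.com`, and the function names are constructed for illustration; the Windows hosts file matches names literally, so a `*` line covers nothing.

```python
# Added example: audit hosts-file text for sinkhole entries.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample content, not taken from any machine in the thread.
SAMPLE_HOSTS = """\
# blocks added by the admin
127.0.0.1   localhost
127.0.0.1   messenger.hotmail.com   # host named in the thread
127.0.0.1   *.msgr.hotmail.com      # wildcard line: never matched
0.0.0.0     B.msgr.hotmail.com      # constructed subdomain
10.0.0.5    fileserver
"""

def parse_hosts(text):
    """Return ({lowercase hostname: address}, [wildcard names found])."""
    entries, wildcards = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:                      # blank line or address only
            continue
        addr, names = fields[0], fields[1:]      # one address, one or more names
        for name in names:
            name = name.lower()                  # host names are case-insensitive
            if "*" in name:
                wildcards.append(name)           # literal '*' is not a pattern
            else:
                entries.setdefault(name, addr)   # keep the first entry for a name
    return entries, wildcards

def audit(text, wanted):
    """Classify each wanted host as blocked, mapped elsewhere, or not blocked."""
    entries, wildcards = parse_hosts(text)
    report = {}
    for host in wanted:
        addr = entries.get(host.lower())
        if addr is None:
            report[host] = "not blocked"
        elif addr in SINKHOLES:
            report[host] = "blocked"
        else:
            report[host] = "mapped elsewhere"
    return report, wildcards

if __name__ == "__main__":
    hosts = ["messenger.hotmail.com", "a.msgr.hotmail.com", "b.msgr.hotmail.com"]
    report, wildcards = audit(SAMPLE_HOSTS, hosts)
    for host, state in report.items():
        print(f"{host:28} {state}")
    print("ineffective wildcard lines:", wildcards)
```

On Windows 2000 the file lives at `%SystemRoot%\system32\drivers\etc\hosts`; on a FAT volume it has no access control list protecting it.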

The thing that gets me....only one person has mentioned. Guests should not have install rights! If they do, there is something bigger wrong, and you will face more problems down the road. My first guess would once again go back to the lack of NTFS. Seriously, running Win2k without NTFS is like jumping a round, it still works, but you lose almost all directional control. You really need to get a fully NTFS system up, and a domain with AD would not hurt either.
--
All the flaming and trolls of wreck dot with a pretty GUI.

Active Directory isn't necessary for what he is trying to do.

NTFS does help..

Standard procedure is to rename the guest account, set a password on it, and disable it.

The best thing to do would be to create a group, adding users to that group only with specific rights on the machine dictated through local and or domain policies.


Rhino

I know AD is not necessary, I said it would not hurt. He already said he was using the guest account. Most groups below admin, should not have install privs. But it depends on each setup. He can do local policy, but he could use AD and group policy and everything would be awesome.

In theory what he is already doing should work. But administering rights for a domain is a lot easier than a group of local machines.
--
All the flaming and trolls of wreck dot with a pretty GUI.

I'm using 2 Macs running Virtual PC to run Windows programs, and a PC running w2000, all set up as a workgroup. I don't want to convert the Macintosh drives to NTFS because I'm afraid it will mess up the Macintosh programs that run on the drive. I created an account called internet users, and made them members of the Users group. This makes it so that they can't save anything, or download, but for some reason the one program that can be downloaded is MSN IM. I tried downloading other programs just to test and it won't let me. Then just to see I made the Internet users members of the Guests group, and deleted them from the Users group. And the same thing happens. I'm wondering if Microsoft does something to allow you to download Microsoft products no matter what the permissions. Also I don't want to spend the money on Server so I can't install Active Directory services. Well, legally.
Thanks for all the help


Ray
Small and fast what every girl dreams of!
