Also, if you want to change the ACLs with NTFS for the entire hard drive, but still need all of your programs to work, then you will be interested in tools by SysInternals called Regmon and Filemon. You have to use the combination of these tools to find out what programs require which registry keys, and which programs require write access to the HD. It is a painstaking process, but this is how we secure the machines in the labs at Portland State University. You have to figure it out, program by program.

Jerod Alexander
OIT Campus and Networking Services
Security Team
Labs and Classrooms Team
Portland State University

-----Original Message-----
From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Seth Arnold
Sent: Sunday, December 08, 2002 8:38 PM
To: Vince Alexander
Cc: crime@private; fw@private
Subject: Re: CRIME Ideas?

On Sun, Dec 08, 2002 at 11:39:22AM -0800, Vince Alexander wrote:
> Situation: multiple user stand alone PC with Internet access with Zone Alarm
> Operating system: W2k
>
> Looking for solutions:
>
> 1. software to audit URLs visited (with user ID, datetime - if possible) and
> capability to access audit log remotely (email out from stand alone?)

The best way to do something like this is to firewall the machine so that it cannot initiate network traffic except to a web proxy, and have the web proxy save all URLs visited. IE and Netscape both have history files, but they are pretty easy to tamper with, so it is at best an "honour policy".

> 2. How to prevent user saving application files to C:\ drive (forcing save to floppy)?

Use NTFS ACLs to prevent filesystem writes to C:. (Right click on C in an explorer window, hit Properties, and poke around. It ought to be in there somewhere.) You may or may not want to make exceptions to this policy for the browser caches of whichever browsers your users will use.

(You might be surprised to find out just how much software will try to write to the drive; depending on your applications, this might not be possible to do. Which would be too bad.)

> Please answer off list.

And prevent the other list members from seeing answers they might also be interested in? :)

-- 
"Soldiers quartered in a populous town will always occasion two mobs where they prevent one. They are wretched conservators of the peace." -- John Adams
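One way to script the NTFS approach described above (deny writes to C:, then carve out the per-program exceptions that Filemon/Regmon turn up), as an added PowerShell example that is not part of the thread and not Portland State's own tooling. It assumes a local lab group named `LABPC\LabUsers`, uses current `C:\Users` cache paths rather than the `Documents and Settings` layout of W2k, and runs in dry-run mode by default; the `Set-LabWritePolicy` and `Get-WriteAccess` function names are the example's own.

```powershell
# Added example, not code from the thread or from Portland State University.
# Puts an inherited Deny-Write ACE on C:\ for a lab user group, then grants an
# explicit Allow on the few directories that programs must still write to
# (the exceptions you discover program by program with Filemon/Regmon, which
# Sysinternals later merged into Process Monitor). Group name and exception
# paths are assumptions. Run from an elevated shell with an account that is
# NOT a member of $Group, otherwise the Deny locks you out as well.

$Group    = 'LABPC\LabUsers'                     # assumed local group of lab users
$Root     = 'C:\'
$Writable = @(                                   # assumed per-program exceptions
    'C:\Users\*\AppData\Local\Microsoft\Windows\INetCache',
    'C:\Users\*\AppData\Local\Temp'
)

function New-DenyWriteRule([string]$Identity) {
    # Deny Write and Delete; ContainerInherit/ObjectInherit make the ACE flow
    # down to every subfolder and file on the volume.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]'Write, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function New-AllowModifyRule([string]$Identity) {
    # NTFS evaluates explicit ACEs before inherited ones, so an explicit Allow
    # on a subfolder beats the Deny inherited from C:\ for that subtree only.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-LabWritePolicy {
    param([string]$Group, [string]$Root, [string[]]$Writable, [switch]$DryRun)

    # 1. Deny writes at the volume root.
    $acl = Get-Acl -Path $Root
    $acl.AddAccessRule((New-DenyWriteRule $Group))
    if ($DryRun) { "Would deny Write/Delete for $Group on $Root" }
    else         { Set-Acl -Path $Root -AclObject $acl }

    # 2. Re-open only the exception directories. Resolve-Path expands the
    #    per-user wildcard; patterns that match nothing are skipped.
    foreach ($pattern in $Writable) {
        foreach ($dir in (Resolve-Path -Path $pattern -ErrorAction SilentlyContinue)) {
            $sub = Get-Acl -Path $dir.ProviderPath
            $sub.AddAccessRule((New-AllowModifyRule $Group))
            if ($DryRun) { "Would allow Modify for $Group on $($dir.ProviderPath)" }
            else         { Set-Acl -Path $dir.ProviderPath -AclObject $sub }
        }
    }
}

function Get-WriteAccess {
    # Lists every ACE on $Path that grants or denies Write to $Group and whether
    # it is inherited, so you can confirm where the policy actually landed.
    param([string]$Path, [string]$Group)
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and
                       (([int]$_.FileSystemRights) -band $write) -ne 0 } |
        Select-Object @{ n = 'Path'; e = { $Path } }, AccessControlType, IsInherited, FileSystemRights
}

# Dry run first; drop -DryRun once the exception list is complete.
Set-LabWritePolicy -Group $Group -Root $Root -Writable $Writable -DryRun
Get-WriteAccess -Path $Root -Group $Group
```

The dry run prints what would change without touching any ACL; after a real run, `Get-WriteAccess` on an exception directory should show both the inherited Deny from `C:\` and the explicit Allow, and on any other directory only the inherited Deny. Expect to grow `$Writable` iteratively, since (as the thread warns) far more software writes to the drive than you would guess.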
This archive was generated by hypermail 2b30 : Sun Dec 08 2002 - 21:20:57 PST