
How should I lock down a user account for employees? Beyond 'standard user'



#1 r84shi37


Posted 29 April 2014 - 12:32 PM

Hi. I'm fixing up a computer for someone and I'm considering locking down permissions for non-admin users a little more than just setting the account type to standard.

 

*quick back story*

 

This computer is locked down because the employees forgot the password to the single account.  I break in via iso and then BitTorrent boots up and starts SEEDING illegal music files.  I know the owner of the company very well and I know he doesn't condone the use of his computer and bandwidth for pirating and seeding music.  There's loads of other junk on the computer that in no way benefits the company (assisted living housing).  So I clean it up with Revo, CCleaner, Malwarebytes, etc.  Then I made a new standard user account and an administrator account.  I plan to give the admin password to the owner, and the standard password to the employees + owner.  

 

My friend suggested that I somehow lock down the account beyond just setting the permissions to standard.  Do you guys have any recommendations for programs to do this?  Do you think that just standard permissions will be enough?  Thanks.

 

edit:

 

fyi the employees use it to view MS Office documents and web browsing.  Other than that I don't believe their work involves the use of other programs.


Edited by r84shi37, 29 April 2014 - 12:56 PM.




#2 JohnC_21


Posted 29 April 2014 - 01:26 PM

Hello. You didn't mention the OS. You can set up a Software Restriction Policy, but it is only available with Windows 7 Professional, Windows 7 Ultimate, Windows 7 Enterprise and XP Pro.

 

http://www.mechbgon.com/srp/

 

With Windows Home you can use Parental Controls to allow only certain programs.



#3 r84shi37


Posted 29 April 2014 - 01:29 PM

Ah yes sorry about that.

It's Windows 7 Home.

 

I'll look into the parental controls thank you.  I consulted my dad again and explained that they wouldn't be able to install new programs or make modifications as a standard user without the administrative password.  He agreed that it should be sufficient.  

 

Thanks for your advice.  I'll ask the owner of the company if he's interested in parental controls to only allow certain programs.



#4 Kilroy


Posted 30 April 2014 - 09:24 AM

It sounds like you are doing this on a part time basis and they do not have formal IT support.

 

They should look into getting standard business machines with a standard image with data stored on a network drive that is backed up regularly.  In a work environment you don't clean machines, you reimage them.  After a user has a machine reimaged and has to deal with the inconvenience of reconfiguring their machine to how they want it is normally a sufficient deterrent.

 

Users need to have standard accounts.  Users will insist that they need administrative rights, they do not.  Initially when administrative rights are removed users will come up with two tons of things that they need to do that require administrative rights, after these issues are addressed they are able to function normally and the fact that they do not have administrative rights does not come up as often and when it does come up they are easily addressed.

 

Application Whitelisting would be a great thing to implement, but is only really functional when users only need limited software.  I have never worked at a company where this was actually a workable solution.



#5 r84shi37


Posted 30 April 2014 - 11:03 AM

[removed because copying all the words is unnecessary.  I wanted to be clear about who I was replying to with this post.]

 

Thank you for the information.  I'm a high school student... kind of.... long story- let's just say I'm 17, I want money, and I want to be 'self employed' instead of working at McDonald's.  I'm not a pro with computers like you guys are, but I'm certainly above average and I'm good enough that I can make money with it and do my job effectively.  My little service / business is just starting out.  I'm doing this particular job partly for the money, partly as a favor to a family friend, and mostly to make a bit of a name for myself.  I'm only charging $20 for all this.  Nice thing is that one of his employees has already taken my card because her personal computer has had some issues.

 

They don't really have formal IT except for me as of recently.  My understanding is that the computer that was locked out via MS password had been that way for six months!  Evidently that computer wasn't a necessity for work- more of a luxury.   

 

In regards to the imaging, his business is 1.  A little too small to make it worth implementing. 2. Computers aren't really central to his work.  Obviously they're important, but his employees spend 15% or so of their time in front of a computer, and 85% of their time taking care of the elderly.  Also, the computers are really only used (as far as I know) to share MS Office file data and some web browsing, e.g. researching information for work.  I'll present it to him, but I doubt he'll be interested.

 

Regarding the administrative privileges, I completely agree.  Tomorrow (or maybe today *shrug*) I plan to go help the employees by reinstalling any software that they need that I happened to uninstall when I cleaned it.  I really, really doubt that there will be any since I only uninstalled bloatware, games, and other useless crap, but it's better to be safe than sorry.   The only annoying part of not being able to trust employees enough to give them administrative rights is that they can't update their software as needed (as far as I know).  Is there any way to bypass it so that they are allowed to update existing software but not install new software?

 

Thanks for the suggestion on application whitelisting, but I don't think it will be necessary in our case.  I've installed everything they'll need for work which is actually very few applications.  I'll ask them if they'll need anything else (within reason) when I drop by again.

 

Thanks! 



#6 Kilroy


Posted 30 April 2014 - 12:48 PM

Actually you can do the imaging.  Clonezilla is a free solution, not as easy to use as the paid products, but functional enough in this instance.  After you get the machine configured how it is supposed to be, make an image.  This will allow you to quickly restore the computer to its current state.

 

Since they don't have formal IT taking away administrative rights is more of an issue.  They are not going to want to call you every time they need something installed.

 

Backups are something to bring up.  Even though computers aren't a major part of this organization what would they do if they didn't have them?



#7 JohnC_21


Posted 30 April 2014 - 01:21 PM

I agree with Rkilroy that you should look at some type of imaging program. Clonezilla is very good but the learning curve is a little high and I do not know how one can easily verify the image it makes, but I never had a problem with it. You may also want to take a look at AOMEI Backupper, which is free for commercial use. I have used it on a computer and it is very easy to use. Version 2 now also allows for file backup as well as creating a system image. It will also let you create a bootable Windows PE disk with a small download. Windows 7 also has its own system image backup and that has never failed me either.

 

http://www.aomeitech.com/



#8 r84shi37


Posted 30 April 2014 - 02:07 PM

Thanks guys.  

 

In my case, imaging would be great for backups.  I'm guessing he has very important data that he wouldn't want to lose.  The question is if he wants to use something like Carbonite, or hire me to do it DIY style.  What I meant about imaging not being practical in my setting is that we don't really need a standard set up for all our computers or at least it's not worth the time and money to standardize it.  Maybe I should propose that he purchase an external hard drive... I'm not sure how much data he has, but almost certainly not more than a terabyte, maybe just 500 gb will be enough.  Then I can set up his whole network to automatically back up to it.  I'm guessing that he has a LAN external hard drive so that all his data is accessible from any computer on his network.  Auto backups sound like a good idea.  Correct me if I'm wrong but backing up his data on site would be a one time payment of like... $100; versus a service like Carbonite would be $60 a year.  Carbonite would just be easier and probably more reliable.  I'll let him know and see what he thinks.  



#9 Kilroy


Posted 30 April 2014 - 02:19 PM

Having a local drive for images is one thing, but backups need to be a little more in depth.  A lot of thought needs to be put into a business backup.  How long do you want to be able to pull a file from backup?  How often do you backup?

 

You always want to follow the 3-2-1 Backup Rule

 

3 copies of the data

2 different media types

1 off site

 

For a small shop Carbonite, or similar, is probably the best answer; you do not want to be responsible if things are lost.  Carbonite is also off site, a major part of what a good backup should be.  There are a lot of businesses who save money in the short term, but end up paying much more in the long term.

 

Who will verify and check that the onsite backup is running as it should?  I can't tell you the number of times people thought they had a backup and found out that they didn't, but only when they needed the data.  Backups are not a part time job, they are a full time responsibility.
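
Added example, not part of the post above or of any product named in this thread: one way to check that an onsite backup actually holds the data, by comparing each source file with its backup copy by SHA-256 and separating files that were never copied, copies that are behind the source, and copies that are damaged. The function names, folder layout and sample files are assumptions made for the illustration; the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source_dir, backup_dir):
    """Compare every source file with its backup copy by content hash."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    report = {"checked": 0, "missing": [], "outdated": [], "corrupt": []}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        dst = backup_dir / rel
        report["checked"] += 1
        if not dst.is_file():
            report["missing"].append(str(rel))
        elif sha256_file(src) != sha256_file(dst):
            # Source newer: backup is behind. Otherwise the copy is damaged.
            newer = src.stat().st_mtime > dst.stat().st_mtime
            report["outdated" if newer else "corrupt"].append(str(rel))
    problems = report["missing"] + report["outdated"] + report["corrupt"]
    report["ok"] = report["checked"] > 0 and not problems
    return report


def demo():
    """Run the check on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "data"), Path(tmp, "backup")
        src.mkdir()
        for name in ("roster.txt", "notes.txt", "budget.txt"):
            (src / name).write_bytes(b"original")
        shutil.copytree(src, bak)  # stands in for the backup run
        (src / "new.txt").write_bytes(b"never backed up")
        later = (bak / "notes.txt").stat().st_mtime + 60
        (src / "notes.txt").write_bytes(b"edited after the backup ran")
        os.utime(src / "notes.txt", (later, later))
        (bak / "budget.txt").write_bytes(b"damaged")
        os.utime(bak / "budget.txt", (later, later))
        return verify_backup(src, bak)
```

Run on a schedule against the real data folder and backup drive, anything other than `ok` being true is the signal that someone needs to look at the backup before the data is needed.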



#10 r84shi37


Posted 30 April 2014 - 06:38 PM

I suppose I could teach one or more of the employees there (the more trustworthy and reliable ones) to babysit the backups.  I won't be around in 2015 to take care of it for them.  There are no backups being done right now though, so anything is better than what he has now.  I think I'll have to go to lunch with him or something and talk stuff over with him.  We're also looking into wearable trackers to place on his memory care patients because they tend to run away.  I'm kind of on the fence of if we should use GPS or RFID... do you have any suggestions of pros and cons.

 

As far as I can tell GPS is more expensive, but has pretty much unlimited range and it's probably a tad easier to set up.  RFID is cheaper, lighter, smaller etc (not injections though, just a bracelet), but it has a relatively small range.



#11 technonymous


Posted 01 May 2014 - 02:20 AM

Important data needs to be double/triple encrypted backed up on a slide out hot swap caddy. Offsite backups as others mentioned. Also keeping passwords/login info etc. encrypted and stored on a couple of USB sticks is wise. In case of fire emergency of some sort you can yank the drive and USB sticks and get out. Encrypted offsite cloud service is a plus for that. As others have said it's crucial to make full backup clones, we can't stress that enough. Remember to double/triple backup because hardware drives and USB sticks can go without warning. Get familiar with encryption such as TrueCrypt and how to create an encrypted container for files. That encrypted container file can also be burned to DVD. Store it on good media, not cheapy DVDs. The film on the back of the DVD such as DVD-RW are extra thick and last much longer and take more of a beating if you will.


Edited by technonymous, 01 May 2014 - 02:26 AM.




