TweakUI and Security

Giganews Newsgroups
Subject: TweakUI and Security
Posted by:  David Sharman (dsharm…@bigpond.net.au)
Date: Thu, 7 Sep 2006

Hello All,

I run a small network for the employee's social club of a large company
which consisting of 1 Windows Server 2003 SP1 and several client computers
running Windows XP Pro.

The client computers are mainly provided for members of the social club to
pass their downtime such as lunch breaks by surfing the Internet and thought
to have been severely restricted using GP's so as to prevent modification of
the client computer, networking and server systems and hopefully to assist
in the prevention computer virus infection and the installation of illegal
software. Members are also prevented from logging on to the local computer
using GP.

Restrictions thought to have been enforced include only granting members
access to their own directories, the Intranet and the Internet and cannot
see the local hard drives, all system control panels hidden except where
only personal choice options are available such as selecting the autotype
feature in  Internet Explorer, no access to the command prompt , etc etc

From what I can see their is no way to create new folders and store files on
the local computer nor the ability to install unauthorised software but
every so often when I scan the client hard drives they seem to doing exactly
that!

Of greatest concern is that during one of these scans I came across
"TweakUI".

I think I came across somewhere that TweakUI cannot be prevented from
running on the local computers and that all you can do is ensure continueing
refresh of the active directories group policies.

My questions is;

"What settings can I check are in place regarding the relevant GP's within
AD to ensure TweakUI or any similar software cannot be used to break the
integrity of the computer network?"

Thanking you for your assistance

David Sharman
Regional Computer Services

Replies