Windows Security Qs

Maybe I'm missing something but could I stop text from being shown in IE where loading urls are shown? Maybe even stopping people from changing the style of my scroll bar?
In Outlook, is there a way to set that all incoming messages most come in plain text form rather than HTML?
Windows is annoying as well. I try and set my account to limited from admin but it won't do it becuase there isn't another account with admin rights, but there is, "Administrator" is the other user, but because it doesn't show up on the User Accounts part of the control panel.
Last but not least, I use the Windows 2000 style login UI but each time I log out and come back to the login window it has the last used username there, can I make it so that when I come to the login page it has a blank login form rather than one with my username in it?



Just some security queries,
Loadsgood.

Don't know about the others off the top of my head, but the blanking of the last user logged on can be achieved using the group policy editor:

Start/Run gpedit.msc
Drill down to Local Computer Policy/Windows Settings/Security Settings/Local Policies/Security Options
Enable "Interactive logon: Do not display last user name"

There is an administrator account on your pc. Right click My Computer, choose manage, click users and computers, expand users... now you can see the account. You can rename it if you like. You cannot delete the administrator account from your PC. You should assign it a password. You can also create new accounts and give them lesser permissions. This is a best practice. You cannot reduce the permissions of the built-in administrator account, but you can rename it. This is to ensure that you always have at least one account with administrator rights on your PC. You wouldn't want to try running your pc without one.

Best,

Geoff

You can't currently restrict the modification of status bar text in IE, not stop the scroll bar style change. At least, not without setting "Binary and script behaviors" to "Administrator Approved", but that will have an impact on many other areas, some of which will cause websites to fail because they don't expect errors to be raised when the restricted routines are called. Some properties of the browser, window and document objects in the object model are implemented as behaviours.

In Outlook 2003, go to Tools/Options, the Preferences tab, click E-mail Options, then check "Read all standard mail in plain text".

You should be able to change group membership without this check occurring by using the Local Users and Groups snap-in in Computer Management, rather than User Accounts in Control Panel. Alternatively you can simply run the following commands (as an administrator):

net localgroup Users your-account /add
net localgroup Administrators your-account /delete

If the first command says you're already a member of Users, you can ignore that.

If you plan to run with a limited account, you may find Aaron Margosis' makemeadmin scripts useful.

if you have xp logon style, and want to hide an account from showing up in the welcome screen, go to the following registry key;

KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

add the name of the user account, (new dword value, and set the value to 0 )

Mike Dimmick wrote:

In Outlook 2003, go to Tools/Options, the Preferences tab, click E-mail Options, then check "Read all standard mail in plain text".

In Outlook XP, you can convert all mail to plan text as well.  You have to set a registry key to do it, though.

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/RegistryTips/Security/MicrosoftOutlook-Forcereadingemailtoplaintext.html

You have to install one of the Office XP Service Packs to get this feature.  I think SP1 is sufficient, but you should probably be running the latest one.  Visit www.officeupdate.com regularly.

Wow.


Here's me, thinking that I would have to venture to the ends of the earth to do these things. Then come along 9ers and help. I'm very happy to have found the smartest people in the world Now some more Qs:
How do I change the style of the Windows login UI? In TweakUI it has an option to import the appearance of Windows into the Windows login UI but it doesn't work.
I'll look into that admin script thingy to stop changes, if it stuffs up things too much I'll dump it.
I want to enable password expiration on my user account, but for that I have to be joined to a 'domain'. What is a domain? Can I make one easily? Could I make one then remove it but still have password expiration with a few reg hacks?



Thanks a million,
Loadsgood.

You might be able to stop the scrollbar changes.  Create a normal-scrollbars.css file that has !important style sheets specifying "normal" scrollbar styles.  Then in Internet Explorer, go to:
Tools | Internet Options | Accessibility
Check the "Format documents using my style sheet" box
Point the file browser to your normal-scrollbars.css file

EDIT: You can force password expiration without joining a domain - Control Panel | Administrative Tools | Local Security Policy

I believe the default is to expire every 40-something days

by the way...

if you want to play with group policy you can lock down a PC to almost any level.

look at the msft windows server deplyment docs and downloads on group policy.

they have a whitepaper and some downloads that show for example a pc in "Kiosk" mode where the pc runs an app and when the user leaves it dumps all settings and re-starts the way it was before the user used it.

you can use the settings w/o a domain just that you will have to hack at it a bit....

Thanks, guys. Now how do I stop a user in the group users (NOT power user) doing certain things in folders, like being able to read the Control Panel, but not being able to write or access anything there? Or not being able to red, write, or run anything under C:/windows ? etc. Could I get it to come up with a custom error message? How about locking a user from the Internet Options page?



Nooooo,
Loadsgood.

Loadsgood wrote:

Or not being able to red, write, or run anything under C:/windows ?

That's obviously not possible; if you did that, Windows wouldn't work anymore. Normal users already don't have write permissions to Windows (assuming of course, that you installed on an NTFS drive, if you're running FAT32 you're out of luck, and if you've used convert then probably the permissions are set wrong).

The rest you describe can be done using group policy. The problem is that most group policies apply to all users, so you need to have a server and Active Directory to make sure you're not applying them to the admin user as well. You can tinker with local policies with gpedit.msc, but be careful with it, it's not that difficult to define policies that lock everyone including the admin accounts out of a machine.

Sven Groot wrote:

The rest you describe can be done using group policy. The problem is that most group policies apply to all users, so you need to have a server and Active Directory to make sure you're not applying them to the admin user as well. You can tinker with local policies with gpedit.msc, but be careful with it, it's not that difficult to define policies that lock everyone including the admin accounts out of a machine.

There are at least two different methods for filtering local group policy settings such as they do not apply for the administrator.

One of them is the following;

Log on as an administrator and do the necesary changes in local group policy, for example under the
User Configuration, Adminstrative Templates.
 
The settings will be stored in a registry.pol file  under the systemroot\system32\group policy\user folder

Use calcs or windows explorer to set a deny read on that file ( or the whole group policy folder)for the administrator group, and no admin will be affected of the gp settings.