-1

I work in an organization that uses Faronics Deep Freeze to prevent users from making changes to the computer. I had always been under the impression that a standard user (a user who is only a member of the "Users" group) can't make any system-wide changes. The description for the group states:

Users are prevented from making accidental or intentional system-wide changes and can run most applications

The senior system administrators here tell me this isn't true in practice. What is an example of where this isn't true? Do standard users have any write permissions outside of %USERPROFILE% or HKCU?

Jason
  • 3
    There are weak spots in almost every system. HKCU is HKEY_CURRENT_USER, so it's normal for users to be able to modify that. There are also plenty of applications that do dirty things like have global config options and paths, so that one user's settings can 'spill over' onto others. – Sobrique Apr 25 '14 at 19:40
  • 2
    Why don't you ask the fellow senior admin what he meant? Also, "system wide changes" is a very wide term. Is changing the desktop wallpaper for every user a "system wide change"? Is it a big security nightmare? I think this question is very broad in its current state. – MichelZ Apr 25 '14 at 19:44
  • 1
    @MichelZ The admins here don't remember precisely because they've been relying on Deep Freeze for so long. Yes, changing the desktop wallpaper for all users is a system-wide change. Is that possible? – Jason Apr 25 '14 at 19:50
  • 1
    I don't know. That's what I'm saying... the question is very broad. There could be dozens of things a user can do which might be considered "system wide" – MichelZ Apr 25 '14 at 19:52
  • @MichelZ "I don't know" and "There could be" isn't very helpful. If as you say, there are dozens of things, providing an actual example should be easy. And if an actual example can be provided, it can be said the description in Windows isn't entirely accurate. – Jason Apr 25 '14 at 20:09
  • @Jason This is because I don't know any, and I'm not an expert in this field. What I want to say is that the question is very broad. Nothing more, nothing less :) What version of Windows are you referring to by the way? Windows XP probably has a lot more weaknesses than Windows 8.1 (again, just an educated guess, and why the question is pretty broad) – MichelZ Apr 25 '14 at 20:16
  • 3
    Is unplugging the computer a system-wide change? What about hitting it with a hammer? How about booting into a different operating system? Your question lacks clarity, and as such, is impossibly broad. – HopelessN00b Apr 25 '14 at 20:46
  • @HopelessN00bGeniusofnetwork Really? The entire question is in the context of the operating system and you're asking about plugs and hammers? – Jason Apr 29 '14 at 15:19
  • @Jason The comment's a little glib, but valid, nonetheless. One of the cracks against the PS3 system protection was achieved by applying an electrical current at a certain point in the boot process. The point was that without defining what constitutes a system-wide change, your question is answerable. Even within the context of user actions within their defined user permissions, users can (accidentally, or maliciously) fill up the hard drive or registry and render the OS unusable. Is spamming the hard drive or registry until it runs out of space a system-wide change? (And like that there.) – HopelessN00b Apr 29 '14 at 15:31

1 Answer

2

Yes, by default a standard user can get to a bunch of stuff. Most, if not all, of this can be fixed with policies, but I can absolutely understand why people end up using a Deep Freeze-type solution and, indeed, non-persistent images are a selling point of VDI solutions.

Depending on whether UAC is enabled, users may be able to access and modify files on the local drives, install applications (though generally to their own profile), run viruses or malware, etc.

To clarify, by default, the standard user is nowhere near secure enough for use in an environment where users need to be heavily controlled such as schools, public stations and so on.

Correct me if I'm wrong, but I didn't think Deep Freeze was about securing a particular session, but to prevent changes from sticking?

Dan
  • Yes, Deep Freeze is more about management (keeping the configuration static) than security. I'm still curious to see an example of something a standard user can do that affects other users. – Jason Apr 25 '14 at 20:21
  • 4
    Yet you've told us nothing about your environment. Why not fire up a vanilla station, log on as a user and have a play? I've given you some places to start. – Dan Apr 25 '14 at 20:23
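
An added example, not part of the original question or answer: one way to check empirically on a test station whether standard-user principals hold write-type rights outside the profile tree is to audit directory ACLs. The function name, the default root and the depth are assumptions chosen for illustration; it needs PowerShell 5.0 or later for -Depth.

```powershell
# Added example (not from the thread): list directories outside the profile
# tree where an Allow ACE gives a standard-user principal write-type rights.
# Principals are matched by well-known SID so localized group names still match.
$sids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$FSR = [System.Security.AccessControl.FileSystemRights]
# Specific write-type rights, plus GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000), which some ACEs carry as raw generic bits.
$writeBits = [int]($FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
                   $FSR::ChangePermissions -bor $FSR::TakeOwnership) -bor
             0x40000000 -bor 0x10000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-StandardUserWritablePath {   # hypothetical name
    param(
        [string[]]$Root = @("$env:SystemDrive\"),   # assumption: system drive only
        [int]$Depth = 2                             # assumption: keep the scan short
    )
    $profiles = Split-Path -Parent $env:USERPROFILE  # e.g. C:\Users
    $dirs = foreach ($r in $Root) {
        Get-Item -LiteralPath $r -Force -ErrorAction SilentlyContinue
        Get-ChildItem -LiteralPath $r -Directory -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue
    }
    foreach ($dir in $dirs) {
        if ($dir.FullName.StartsWith($profiles, [StringComparison]::OrdinalIgnoreCase)) { continue }
        try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($rule.PropagationFlags -band $inheritOnly) { continue }  # applies to children only
            $sid = $rule.IdentityReference.Value
            if ($sids.ContainsKey($sid) -and ([int]$rule.FileSystemRights -band $writeBits)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $sids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

Get-StandardUserWritablePath | Sort-Object Path | Format-Table -AutoSize -Wrap
```

The output lists Allow ACEs only; it does not evaluate Deny entries or compute effective access, and it does not cover the registry.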