Lockdown XP Desktops in a Domain

  1. #1
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378

    Lockdown XP Desktops in a Domain

    I need to lock down approximately 100 desktops used by students. They are all part of a Win2k3 domain. They are all XP Pro, fully patched.

    By lockdown, I mean... They (users in the Student Group) can make NO changes to the workstation. They already have roaming profiles with their "My Documents" on a network share. Kids are installing stuff and modifying desktop/display settings, and just being a general nuisance.

    Is there an elegant way to accomplish this? e.g. push GPO to all desktops?
    Is there some doc somewhere of best practices for lockdown?

    Also, unrelated but.... is there a tool (free?) like MS Inventory Analyzer that I can run to identify all software installed?

    CSR
    In God We Trust....Everything else we backup.

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    It is a royal pain at times, but we use 'Run only allowed Windows Executables'. You can bypass this easily enough, but so far no students have figured out how. We enforce this for teachers too. Cuts down on them opening those wonderful .zip eCards.

    The hardest part is creating the whitelist at the beginning.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
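
An added example, not part of the thread: once a whitelist like the one described in post #2 is deployed, one way to audit it is to export a student's policy key from each desktop and compare the listed executables with the approved list. It assumes the standard registry location Explorer uses for this policy (the `RestrictRun` value and subkey under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`); the export text and the approved list below are constructed sample data.

```python
import re

# Constructed sample: text of a `reg export` of one student's
# HKCU\...\Policies\Explorer key (not taken from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="WINWORD.EXE"
"2"="iexplore.exe"
"3"="setup.exe"
'''

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
APPROVED = {"winword.exe", "excel.exe", "iexplore.exe"}  # hypothetical approved list

def parse_reg(text):
    """Return {key_path_lower: {value_name: raw_value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def audit_restrict_run(text, approved):
    """Check the policy flag and compare the whitelist with the approved set."""
    keys = parse_reg(text)
    flag = keys.get(POLICY_KEY.lower(), {}).get("RestrictRun", "")
    enabled = flag.lower().startswith("dword:") and int(flag[6:], 16) == 1
    listed = {v.strip('"').lower()
              for v in keys.get((POLICY_KEY + r"\RestrictRun").lower(), {}).values()}
    approved = {a.lower() for a in approved}
    return {"enabled": enabled,                      # policy switched on?
            "unexpected": sorted(listed - approved),  # listed but never approved
            "missing": sorted(approved - listed)}     # approved but not deployed

if __name__ == "__main__":
    print(audit_restrict_run(SAMPLE_EXPORT, APPROVED))
```

An export where `enabled` is false or `unexpected` is non-empty marks a desktop whose whitelist has drifted from the approved build.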

  3. #3
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Easy way : http://www.microsoft.com/windows/pro...s/default.mspx

    Hard way but more elegant : GP ! .. You can start by creating a group on the AD and adding all users to that group.. Create a new GP for those users and give permissions as you like it.. You should delete all local accounts (except builtin) and allow only domain login.. You can also use SteadyState with GP or domain setup.. If you need more help let me know..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi CSR,

    Have you looked at "Deepfreeze" by Faronics software?

    http://www.faronics.com/

    It doesn't do exactly as you are asking, but might be of interest as an additional or alternative approach? Basically it stores the authorised setup and writes it back on reboot, thus undoing any changes that might have been made in the last session.

    It costs, but is an easy solution. I believe that they give discounts for .edu users
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Quote Originally Posted by nihil View Post
    Hi CSR,

    Have you looked at "Deepfreeze" by Faronics software?

    http://www.faronics.com/

    It doesn't do exactly as you are asking, but might be of interest as an additional or alternative approach? Basically it stores the authorised setup and writes it back on reboot, thus undoing any changes that might have been made in the last session.

    It costs, but is an easy solution. I believe that they give discounts for .edu users
    Steadystate does that for Free..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #6
    Junior Member greygnome's Avatar
    Join Date
    Oct 2004
    Location
    Watertown, Minnesota, USA
    Posts
    19
    I would imagine it's quite common, a lot of coffee shops and other places offering computers with internet access use a feature like this. Seems like a great idea, the user gets to screw around with the system almost all they want but as soon as the system starts up for the next person to use it, everything is back to square one.
    Y Gwir Yn Erbyn Byd

  7. #7
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    I was going to suggest Steadystate, but I couldn't remember what it was called :s Thanks, ByTeWrangler, for the reminder

  8. #8
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Thanks. SteadyState appears to be exactly what they are looking for. Gonna install and check it out first thing Monday morning. Thanks again.

    P.S. The Faronics Deep Freeze looks interesting. If the SteadyState proves ineffective, I will eval this as well.
    Last edited by Cheap Scotch Ron; May 10th, 2009 at 02:58 PM.
    In God We Trust....Everything else we backup.

  9. #9
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    .. No problem guys ..
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  10. #10
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Finally got around to eval'ing SteadyState. Very nice. Easy to config.

    You basically set up the user accounts, select the restrictions you want enforced, schedule winupdate and enable disk partition protection. Took me about 30 minutes and that's including RTFM. Best feature is the export/import that allows you to build a config once and import to all desktops.

    Thanks again. CSR
    In God We Trust....Everything else we backup.
