-
May 8th, 2009, 03:35 PM
#1
Lockdown XP Desktops in a Domain
I need to lockdown approximately 100 desktops used by students. They are all part of Win2k3 domain. They are all XP Pro, fully patched.
By lockdown, I mean... They (users in the Student Group) can make NO changes to the workstation. They already have roaming profiles with their "My Documents" on a network share. Kids are installing stuff and modifying desktop/display settings, and just being a general nuisance.
Is there an elegant way to accomplish this? e.g. push GPO to all desktops?
Is there some doc somewhere of best practices for lockdown?
Also, unrelated but.... is there a tool (free?) like MS Inventory Analyzer that I can run to identify all software installed?
CSR
In God We Trust....Everything else we backup.
-
May 8th, 2009, 08:49 PM
#2
It is a royal pain at times, but we use 'Run only allowed Windows Executables'. You can bypass this easily enough, but so far no students have figured out how. We enforce this for teachers too. Cuts down on them opening those wonderful .zip eCards.
The hardest part is creating the whitelist at the beginning.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
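Added example, not part of the thread or any poster's code: one way to draft the initial whitelist that post #2 calls the hardest part, run in PowerShell on a clean reference workstation. Using Start Menu and Desktop shortcuts as the source, the output file name, and the `NeedsReview` column are assumptions; the names it produces still need a human review before they go into the policy's list.

```powershell
# Added example (not from the thread). Run on a clean reference workstation.
# Drafts a candidate list of executable names from Start Menu and Desktop
# shortcuts, for review before they are typed into the policy's allowed list.
$shell = New-Object -ComObject WScript.Shell

# Shortcut locations to scan (assumption: these cover what students launch).
$roots = 'AllUsersStartMenu', 'StartMenu', 'AllUsersDesktop', 'Desktop' |
    ForEach-Object { $shell.SpecialFolders.Item($_) } |
    Where-Object { $_ -and (Test-Path $_) }

# Directories that standard users normally cannot write to (32-bit XP layout).
$trusted = @($env:ProgramFiles, $env:SystemRoot)

function Test-TrustedPath([string]$Path) {
    foreach ($dir in $trusted) {
        if ($Path.StartsWith($dir + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Resolve every .lnk to its target and keep only .exe targets.
$targets = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Filter *.lnk | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match '\.exe$') {
            New-Object PSObject -Property @{
                ExeName = [IO.Path]::GetFileName($target).ToLower()
                Target  = $target
            }
        }
    }
}

# One row per executable name; flag names whose target sits outside the
# trusted directories so a human looks at them before allowing them.
$targets | Where-Object { $_ } | Group-Object ExeName | ForEach-Object {
    $paths = @($_.Group | ForEach-Object { $_.Target } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        ExeName     = $_.Name
        Paths       = $paths -join '; '
        NeedsReview = [bool]($paths | Where-Object { -not (Test-TrustedPath $_) })
    }
} | Sort-Object ExeName | Select-Object ExeName, NeedsReview, Paths |
    Export-Csv -Path .\allowlist-candidates.csv -NoTypeInformation
```

Rows with `NeedsReview` set point at executables in locations a student account may be able to write to, so they are the ones to check first.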
-
May 9th, 2009, 09:58 AM
#3
Easy way : http://www.microsoft.com/windows/pro...s/default.mspx
Hard way but more elegant : GP ! .. You can start by creating a group on the AD and adding all users to that group.. Create a new GP for those users and give permissions as you like it.. You should delete all local accounts (except builtin) and allow only domain login.. You can also use steadystate with GP or domain setup.. If you need more help let me know..
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
May 9th, 2009, 10:44 AM
#4
Hi CSR,
Have you looked at "Deepfreeze" by Faronics software?
http://www.faronics.com/
It doesn't do exactly as you are asking, but might be of interest as an additional or alternative approach? Basically it stores the authorised setup and writes it back on reboot, thus undoing any changes that might have been made in the last session.
It costs, but is an easy solution. I believe that they give discounts for .edu users
-
May 9th, 2009, 02:56 PM
#5
Originally Posted by nihil
Hi CSR,
Have you looked at "Deepfreeze" by Faronics software?
http://www.faronics.com/
It doesn't do exactly as you are asking, but might be of interest as an additional or alternative approach? Basically it stores the authorised setup and writes it back on reboot, thus undoing any changes that might have been made in the last session.
It costs, but is an easy solution. I believe that they give discounts for .edu users
Steadystate does that for Free..
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
May 9th, 2009, 03:38 PM
#6
I was going to suggest Steadystate, but I couldn't remember what it was called :s Thanks, ByTeWrangler, for the reminder
-
May 10th, 2009, 01:49 PM
#7
Thanks. Steadystate appears to be exactly what they are looking for. Gonna install and check it out first thing Monday morning. Thanks again.
P.S. The faronics Deep Freeze looks interesting. If the steadystate proves ineffective, I will eval this as well.
Last edited by Cheap Scotch Ron; May 10th, 2009 at 01:58 PM.
In God We Trust....Everything else we backup.
-
May 10th, 2009, 06:01 PM
#8
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
May 12th, 2009, 05:03 PM
#9
Finally got around to eval'ing SteadyState. Very nice. Easy to config.
You basically set up the user accounts, select the restrictions you want enforced, schedule winupdate and enable disk partition protection. Took me about 30 minutes and that's including RTFM. Best feature is the export/import that allows you to build a config once and import to all desktops.
Thanks again. CSR
In God We Trust....Everything else we backup.
-
May 13th, 2009, 04:03 AM
#10
I would imagine it's quite common, a lot of coffee shops and other places offering computers with internet access use a feature like this. Seems like a great idea, the user gets to screw around with the system almost all they want but as soon as the system starts up for the next person to use it, everything is back to square one.