Securing XP Pro from the end user [Archive] - Glock Talk

PDA

View Full Version : Securing XP Pro from the end user


N2DFire
12-15-2004, 14:37
O.K. - long story short - I have a small LAN that (when completed) will have 3 XP Pro computers on it. This LAN is also connected to the internet via a firewall/router & cable modem.

The 3 systems will be in a common workgroup and I will create 1 Administrator Account & 1 General User Account (which will auto log-on) & *duplicate* them across all 3 systems (will probably also add a back door Admin account for myself too :cool: ).

What I need from you folks who do this a lot more than I do - is information on how to lock down the computers to keep the end users from:
Installing any new software
Removing any software
Changing any system settings (Desktop, Start Menu, IE Settings, etc.)

I will have one partition open to these folks as we have college students who do homework on them, but other than that I also need to keep them away from system files/partition.

Also 1 system will also be running various IM clients (as of yet to be determined but most likely AIM & Yahoo) so they will need the ability to create the various user accounts on that as well.

I used to do this stuff years ago in the NT 4 days and I know that some of this is already done in 2K & XP simply by creating the account as a User instead of an Administrator, but I need to lock down further than that.


Thanks in advance for your help.

Melete
12-15-2004, 15:57
Beyond the basic stuff you mentioned, what you want to do is use the Policy Editor to set more restrictive local security policies for user accounts. However, you will lock yourself out of a computer completely at some point if you play around with Security Policies long enough :) so make sure that you understand the effect of what you're doing, take backups of the system state, and have a plan to restore the system when something goes wrong. Security Policies aren't a simple topic, but Googling for "XP Policy Editor" will probably bring up enough info to get you started.

fastvfr
12-15-2004, 16:07
Can't you set up workstations that boot from the LAN and use a central server with locally-managed permissions to restrict them?

You could give them Read-Only access which would prevent them from doing anything at all to the server, though things could be added to memory on each machine and printing jobs sent, ect.

Probably be a little bit cheaper this way, too!!

Good luck,

FastVFR

Melete
12-15-2004, 17:39
Originally posted by fastvfr
Can't you set up workstations that boot from the LAN and use a central server with locally-managed permissions to restrict them?

You could give them Read-Only access which would prevent them from doing anything at all to the server, though things could be added to memory on each machine and printing jobs sent, ect.

Probably be a little bit cheaper this way, too!!

Good luck,

FastVFR

Whoo, if you've ever done that successfully, I'd like to hear from you. I used to manage some research/teaching labs where that kind of setup would be nice, but it always seemed like too much of a pain to actually get all the kinks worked out.

It might not save this guy and money, either, since he doesn't say anything about having a server in place already.

N2DFire
12-15-2004, 18:26
Nope - no server. If I had one I'd set up a domain instead of a workgroup, create individual log-in's and then get way into security policy (BTDT at my current job), just never done it from a workgroup set-up (to be honest, I really had forgotten about it altogether).

A central server would be nice but right now there's no $$ for it. My total budget for the new system is $500 (not that that's a bad budget but I was hoping to get away cheaper and add the little LAN to USB print server box as well). May have to wait till after Christmas and see if the prices drop.

Thanks for the replies thus far though. Any other suggestions or past experiences are welcome.

BLiTzNicK
12-15-2004, 20:23
If you don't know how to do it, save yourself some time and just buy a 3rd party app. WinLock comes to mind.

Glock Bob
12-18-2004, 01:44
There's a program called "Deep Freeze" that might work well in this situation. When setup, it "freezes" the harddrive by creating a second hidden partition. When the drive is "frozen" all changes are recorded on the hidden partition, but show up normally. However, when the system is reset, the hidden partition is wiped clean, and settings are restored. To "thaw" a drive, you simply press Ctrl + Alt + Shift + F6 and enter a password. It gives you three scenarios:

1. Boot frozen
2. Boot thawed
3. Boot thawed X times

Booting "thawed" allows you to make "real" changes to the system (such as install programs, change settings, etc).

There's also another program that denies access to pretty much whatever you want to keep safe. It can even keep Control Panel from showing up in the Start menu. I forget what it's called.

Garweh
12-18-2004, 08:37
Sorry, wrong post. Please ignore.