| Author |
locking down a desktop
|
|
| mcbevwiz 2003-10-20, 1:04 am |
| What are ways to limit the amount of damage a user can do to his/her system (i.e. deleting config files, installing bad
applications, etc)? | |
| Papiya 2003-10-20, 7:48 am |
| Create an unprivileged account, hide the Run button, customize the desktop to get rid of any system tools or apps that you don't want to allow access to, lock the taskbar, and make sure all permissions to sensitive folders is protected. | |
| bloodshotx 2003-10-20, 11:09 am |
| Also you can get a Utility called centurion. We run it at the college on 5 different labs. It creates a image file when locked, when changes are made it writes to that file. Upon reboot, it whipes and starts over.
This option is only good for labs in education. Students can't save to the harddrave, but they can save to floppy/zip/USB. | |
| curiousgeorge 2003-10-20, 10:54 pm |
| Whenever creating a new user, just copy the guest account and rename it. In a group policy or local security settings, deny access to the control panel and deny the ability to empty the recycle bin.
Bloodshotx is referring to a mandatory profile. Create a profile the way you want it. The profile will be named ntuser.dat. Find that hidden file and change the extension from .dat to .man. This makes it a mandatory profile. That way users can make changes to it while they are logged on, but when they log off, all changes are erased. | |
|
|
| mcbevwiz 2003-10-22, 10:49 am |
| For 2000/XP:
Is it better to just use GPO's and not profiles or both? | |
| mcbevwiz 2003-10-22, 10:57 am |
| Why deny the ability to empty the recycle bin? | |
| azimuth40 2003-10-22, 4:19 pm |
| quote:
Originally posted by mcbevwiz
Why deny the ability to empty the recycle bin?
As long as something is in the recycle bin it can be undone. After it is emptied it is like following the trash truck to the city dump only to find out it caught fire on the way. (part of your space got reused). | |
| Carl_Docklands 2003-10-22, 5:47 pm |
| The current "textbook" best practise to lock down a Windows XP Desktop is to use Group Policy and use NetIQ Group Policy Guardian for Policy Enforcement.
The aspects of Group Policy to leverage depends on your environment however there are some Architectural best practises you can employ. |
|
|
|