Gavin5511 (United Kingdom) asked:

Locking down clients

Hi Guys,

I want to use my 2 new Windows 2003 R2 domain controllers to lock down all my XP clients. The main problem we are having with them is that the users are filling them up with junk: installing software, chat clients, iTunes, download software, casino software etc.

I want to rebuild all the machines, install the software they really need, then try and lock down as many things as possible to prevent them from messing up the machines! Does anyone have any ideas on how to do this? Are there any major policy rules that I should DEFINITELY put in place straight away?

Thanks, Gavin
Glenn Abelson (United States):

Probably can do it with policy rules...never tried.

I have used Script Logic in the past...which definitely can do this, if you want to buy a program: http://www.scriptlogic.com/
ASKER CERTIFIED SOLUTION
Vahik:
I agree... the trick here is to take the users out of the local Administrators group on their desktops...
bilbus:

First remove them from local admins

Or you can use Deep Freeze... it's a great piece of software that locks a computer to a set config, then allows changes to be made for that session, but when the PC is rebooted all the changes are removed.

You can set it to allow windows updates and AV updates. You also can unfreeze when an IT department user needs to connect to the computer to do software installs.
If you want to really lock them down give them mandatory profiles in addition to making sure they are not a local admin on the machine.
Kevin Hays:
I would suggest, along with some others, the following to begin with.

1.  If anyone is a member of any group on the local machine, remove them.  Use Restricted Groups if needed to make sure only certain individuals are members of groups on the local machine.
2.  Make everyone a member of "Domain Users" to begin with and nothing else.  They will not be able to install applications.  You will need to add the groups to other accounts that need them, though, after this.
3.  Put up a proxy server or use some type of filtering so they cannot download anything that you do not specify or want them to.
4.  Route them through a proxy as in #3 so you can log the websites they visit and then ban sites based on filtering rules, etc.......
    Lock down either IE or Firefox with Group Policies so they are not able to change the LAN settings to bypass the proxy.  If you don't want them to have internet access, put in a fake proxy IP.  Firefox is MUCH harder to control via GPOs.
5.  Create deployable applications via native MSI files, or use some type of MSI packager to create the MSI, and then assign/publish according to regulations and company policy.
6.  Use Group Policies, Software Restriction Policies, IPsec policies, etc.  Group Policies are your friend!!!!!  That is, if you are experienced with them; if not, then you had better start practicing with some test accounts and leave the Default Domain Controllers and Default Domain policies alone!

Mandatory profiles are an option too, but I use roaming profiles and let my users change the desktop background to one of their choice.  I also map drives based on group membership, printers, etc. via GPO login scripts just so they don't have to go hunting for them.

Test, Test, Test, Test on dummy accounts and workstations.  Grab Virtual Server 2005 R2 and slap it on a Windows XP SP2 or 2003 machine to create a few virtual XP machines (or 2000, the choice is yours) and then run with it :)

That's just some basics of restricting and locking down users so that your total cost of administration will go down.

kshays
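An added example (not code from the thread or from any poster) that audits workstations for the two controls the answers above keep returning to: no ordinary users left in the local Administrators group, and a Software Restriction Policy whose default level is Disallowed. It assumes a domain-joined admin host running PowerShell, that the targets accept ADSI (WinNT provider) and Remote Registry connections, and that the workstation names and approved-admin list are placeholders you replace with your own.

```powershell
# Added audit script; not from the original thread.
# Assumptions: run as a domain admin from a domain-joined host; XP targets have
# the Remote Registry service running; names below are placeholders.

$Workstations   = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')
$ApprovedAdmins = @('Administrator', 'Domain Admins')   # allowed in local Administrators

# DefaultLevel values stored under the Safer\CodeIdentifiers policy key
$SrpLevels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

function Get-LocalAdminMembers {
    param([string]$Computer)
    # The WinNT ADSI provider works against XP/2003 without WinRM
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

function Get-SrpDefaultLevel {
    param([string]$Computer)
    # Read HKLM on the remote machine; a missing key means no SRP GPO has applied
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers')
    if ($key -eq $null) { return 'No SRP policy applied' }
    $level = $key.GetValue('DefaultLevel')
    if ($level -eq $null) { return 'DefaultLevel not set' }
    if ($SrpLevels.ContainsKey([int]$level)) { return $SrpLevels[[int]$level] }
    return ('Unknown (0x{0:X})' -f [int]$level)
}

foreach ($ws in $Workstations) {
    try {
        # Anything not on the approved list is a finding to remove (or fix via Restricted Groups)
        $extra = Get-LocalAdminMembers $ws | Where-Object { $ApprovedAdmins -notcontains $_ }
        New-Object PSObject -Property @{
            Computer         = $ws
            UnexpectedAdmins = ($extra -join ', ')
            SrpDefaultLevel  = (Get-SrpDefaultLevel $ws)
        }
    } catch {
        Write-Warning "$ws : $($_.Exception.Message)"
    }
}
```

A machine showing any name under UnexpectedAdmins, or an SrpDefaultLevel other than Disallowed, has not yet received the lockdown the posters describe.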
What we do is restrict from Active Directory.  Also, we have purchased a firewall device called "WatchGuard Firebox", which has a cool feature that makes the user authenticate to the Firebox before having access to the internet.  Then when they are authenticated, they are only allowed access to predetermined sites.  This has worked out great, and it is basically a set and forget solution.  You also set what types of files are allowed.  The nice thing is you can set up other policies that allow other users who need internet access the access they need.  They would also need to authenticate, but once done, they can go to any site (or no sites) that you choose.  We also have policies that allow our servers out without authentication.  We simply enter their IP address into the policy, and from then on they are allowed full access.  Also remember, because you are allowing them (your users) access through what is essentially a proxy (they are using a name and password to authenticate), you are able to run historical reports on these users (anything from sites visited to attempted sites).  You can also get software which is integrated into WatchGuard called WebBlocker, which only allows them to go to specific sites defined by a policy.  Long story short, the box works, and setup is a breeze.  I have two Fireboxes set up and they have done great jobs watching over my sites. (You can also set up a VPN between them too.)

Also in Active Directory you can limit what is installed and also restrict (prevent) software installs.  We have created a domain with a group called Workstations and Users.  Then put all the users in the "Users" folder and all the workstations in the "Workstations" folder.  This also helps with the .MSI files, because they are then assigned to the Workstations folder; you specify what software gets installed on login.  (You can also set up a login script which maps drives, printers, etc.)  Mark Minasi has a really great site for Windows and has written several books.  His site would be a great resource too.

But from what I can recall, a firewall with restrictions might be the only way to prevent downloads, but I have been wrong before...