• Status: Solved
• Priority: Medium
• Security: Public
• Views: 229

Locking down clients

Hi Guys,

I want to use my 2 new Windows 2003 R2 domain controllers to lock down all my XP clients. The main problems we are having with them is that the users are filling them up with junk, installing software, chat clients, iTunes, download software, casino software etc.

I want to rebuild all the machines, install the software they really need, then try and lock down as many things as possible to prevent them from messing up the machines! Anyone have any ideas on how to do this? Are there any major policy rules that I should DEFINITELY put in place straight away?

Thanks, Gavin
1 Solution
Probably can do it with policy rules...never tried.

I have used Script Logic in the past... which definitely can do this, if you want to buy a program: http://www.scriptlogic.com/
Before you lock down users just make sure they only belong to DOMAIN USERS...
Test this setup for a while and see if anyone is complaining (certain applications
may require users to belong to the Power Users or local Administrators groups)....
If you tighten users too much it may have the same negative effect as letting them
loose all together....
Smart tech-savvy users always find a way around any RESTRICTIVE POLICY....
Sometimes a nice chat (or email) explaining corporate policy regarding computer use does the trick...
I agree... the trick here is to take the users out of the local Administrators group on their desktops...
First remove them from local admins

Or you can use DeepFreeze... it's a great piece of software that locks a computer to a set config, then allows changes to be made for that session, but when the PC is rebooted all the changes are removed.

You can set it to allow windows updates and AV updates. You also can unfreeze when an IT department user needs to connect to the computer to do software installs.
If you want to really lock them down give them mandatory profiles in addition to making sure they are not a local admin on the machine.
Kevin Hays, IT Analyst, commented:
I would suggest along with some others the following to begin with.

1.  If anyone is a member of any group on the local machine remove them.  Use restricted groups if needed to make sure only certain individuals are a member of the local machine.
2.  Make everyone a member of "Domain Users" to begin with and nothing else.  They will not be able to install applications.  You will need to add the groups to the other accounts that need them afterwards, though.
3.  Put up a proxy server or use some type of filtering so they can not download anything that you do not specify or want them to.
4.  Route them through a proxy as in #3 so you can log the websites they visit and then either ban sites based on filtering rules, etc.......
Lock down either IE or Firefox with group policies so they are not able to change the LAN settings to bypass the proxy.  If you don't want them to have internet access put in a fake proxy IP.  Firefox is MUCH harder to control via GPOs.
5.  Create deployable applications via native MSI files or use some type of MSI packager to create the MSI and then assign/publish according to regulations and company policy.
6.  Use Group policies, software restriction policies, IPsec policies etc.  Group policies are your friend!!!!!  That is if you are experienced with them, if not then you better start practicing with some test accounts and leave the default domain controllers, default domain policy alone!

Mandatory profiles are an option too, but I use roaming profiles and let my users change the desktop background of their choice.  I also map drives based on group membership, printers, etc. via GPO login scripts just so they don't have to go hunt for them.

Test, Test, Test, Test on dummy accounts and workstations.  Grab Virtual Server 2005 R2 and slap it on a Windows XP SP2 or 2003 machine to create a few virtual XP machines or 2000, the choice is yours, and then run with it :)

That's just some basics of restricting and locking down users so that your total cost of administration will go down.
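Both the earlier advice to take users out of the local Administrators group and step 1 above come down to controlling local Administrators membership on every workstation. The following PowerShell audit script is an added example, not code from anyone in this thread; it assumes it is run from a management host that can reach the workstations through the ADSI WinNT provider, and the workstation names and the allowlist are constructed placeholders.

```powershell
# Audit the local Administrators group on each workstation and report any member
# that is not on the approved allowlist (the kind of drift Restricted Groups is meant to fix).
# Assumptions: run as a domain admin from a management host; WinNT provider reachable.

$Workstations = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')                    # constructed names
$Allowed      = @('Administrator', 'Domain Admins', 'Workstation Admins') # constructed allowlist

function Get-LocalAdmins {
    param([string]$Computer)
    # Bind to the machine's local Administrators group via the WinNT provider
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Members come back as COM objects; read Name and ADsPath through reflection
    $group.Invoke('Members') | ForEach-Object {
        [pscustomobject]@{
            Name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
            Path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    }
}

foreach ($ws in $Workstations) {
    try {
        $members = Get-LocalAdmins -Computer $ws
    } catch {
        # Unreachable or access denied: report it rather than silently treating it as clean
        Write-Warning "$ws : could not read Administrators group ($($_.Exception.Message))"
        continue
    }
    $extra = $members | Where-Object { $Allowed -notcontains $_.Name }
    if ($extra) {
        # Path shows whether the stray member is a domain account or a local one
        $list = ($extra | ForEach-Object { "$($_.Name) [$($_.Path)]" }) -join ', '
        Write-Output "$ws : unexpected local admins -> $list"
    } else {
        Write-Output "$ws : OK"
    }
}
```

Run it before and after the Restricted Groups policy applies to confirm the policy actually removed the stray members.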

What we do is restrict from Active Directory.  Also, we have purchased a firewall device called "Watchguard FireBox" which has a cool feature that makes the user authenticate to the FireBox before having access to the internet.  Then when they are authenticated, they are only allowed access to predetermined sites.  This has worked out great, and it is basically a set and forget solution.  You also set what types of files are allowed.  Nice thing is you can set up other policies that allow other users who need internet access the access they need.  They would also need to authenticate, but once done, they can go to any site (or no sites) that you choose.  We also have policies that allow our servers out without authentication.  We simply enter their IP address into the policy, and from then on they are allowed full access.  Also remember, because you are allowing them (your users) access through what is essentially a proxy (they are using a name and password to authenticate), you are able to run historical reports on these users (anything from sites visited to attempted sites).  You can also get software which is integrated into Watchguard called WebBlocker which only allows them to go to specific sites defined by a policy.  Long story short, the box works, and setup is a breeze.  I have two FireBoxes set up and they have done great jobs watching over my sites.  (You can also set up a VPN between them too.)

Also in Active Directory you can limit what is installed and also restrict (prevent) software installs.  We have created a domain with groups called Workstations and Users.  Then put all the users in the "Users" folder and all the workstations in the "Workstations" folder.  This also helps with the .MSI files because when they are assigned to the Workstations folder, you specify what software gets installed on login.  (You can also set up a login script which maps drives, printers, etc.)  Mark Minasi has a really great site for Windows and has written several books.  His site would be a great resource too.

But from what I can recall, a firewall with restrictions might be the only way to prevent downloads, but I have been wrong before...
