Locking down clients

Posted on 2006-05-19
Last Modified: 2010-04-18
Hi Guys,

I want to use my 2 new Windows 2003 R2 domain controllers to lock down all my XP clients. The main problem we are having with them is that the users are filling them up with junk: installing software, chat clients, iTunes, download software, casino software, etc.

I want to rebuild all the machines, install the software they really need, then try and lock down as many things as possible to prevent them from messing up the machines! Anyone have any ideas on how to do this? Are there any major policy rules that I should DEFINITELY put in place straight away?

Thanks, Gavin
Question by:Gavin5511

    Expert Comment

    Probably can do it with policy rules...never tried.

    I have used Script Logic in the past... which definitely can do this, if you want to buy a program.

    Accepted Solution

    Before you lock down users, just make sure they only belong to DOMAIN USERS...
    test this setup for a while and see if anyone is complaining (certain applications
    may require users to belong to Power Users or local admin groups)....
    if you tighten users too much it may have the same negative effect as letting them
    loose altogether....
    smart, tech-savvy users always find a way around any RESTRICTIVE POLICY....
    sometimes a nice chat (or email) explaining corporate policy regarding computer use does the trick...

    Expert Comment

    I agree... the trick here is to take the users out of the local Administrators group on their desktops...

    Expert Comment

    First remove them from local admins

    Or you can use Deep Freeze... it's a great piece of software that locks a computer to a set config, then allows changes to be made for that session, but when the PC is rebooted all the changes are removed.

    You can set it to allow windows updates and AV updates. You also can unfreeze when an IT department user needs to connect to the computer to do software installs.

    Expert Comment

    If you want to really lock them down give them mandatory profiles in addition to making sure they are not a local admin on the machine.

    Expert Comment

    I would suggest, along with some others, the following to begin with.

    1.  If anyone is a member of any group on the local machine, remove them.  Use Restricted Groups if needed to make sure only certain individuals are a member of the local machine's groups.
    2.  Make everyone a member of "Domain Users" to begin with and nothing else.  They will not be able to install applications.  You will need to add the groups to other accounts that need them, though, after this.
    3.  Put up a proxy server or use some type of filtering so they can not download anything that you do not specify or want them to.
    4.  Route them through a proxy as in #3 so you can log the websites they visit and then either ban sites based on filtering rules, etc.......
    Lock down either IE or Firefox with group policies so they are not able to change the LAN settings to bypass the proxy.  If you don't want them to have internet access, put in a fake proxy IP.  Firefox is MUCH harder to control via GPOs.
    5.  Create deployable applications via native MSI files or use some type of MSI packager to create the MSI and then assign/publish according to regulations and company policy.
    6.  Use Group Policies, Software Restriction Policies, IPsec policies, etc.  Group Policies are your friend!!!!!  That is, if you are experienced with them; if not, then you had better start practicing with some test accounts and leave the Default Domain Controllers and Default Domain Policy alone!

    Mandatory profiles are an option too, but I use roaming profiles and let my users change the desktop background to their choice.  I also map drives based on group membership, printers, etc. via GPO login scripts just so they don't have to go hunt for them.

    Test, Test, Test, Test on dummy accounts and workstations.  Grab Virtual Server 2005 R2 and slap it on a Windows XP SP2 or 2003 machine to create a few virtual XP machines or 2000, the choice is yours, and then run with it :)

    That's just some basics of restricting and locking down users so that your total cost of administration will go down.
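Several of the answers above (the accepted solution, the "take the users out of the local Administrators group" comments, and item 1 of the list just above) come down to the same control: nobody but an approved set of accounts may sit in the local Administrators group. A Restricted Groups GPO enforces that at refresh time; the script below is an added example (not from this thread or any product mentioned in it) that audits the current state across a list of workstations so you can see who is actually a local admin before and after the policy lands. It uses the WinNT ADSI provider, which works against XP clients without PowerShell remoting, and assumes you run it with administrative rights on each target. The computer names, the domain name and the approved list are constructed placeholders.

```powershell
# Added example: audit (and optionally clean up) the local Administrators
# group on each workstation, reporting members not on the approved list.
# Assumes the WinNT ADSI provider and admin rights on each target machine.
# Computer names, domain and approved list below are constructed placeholders.

$Computers = @('WS001', 'WS002')                     # constructed placeholders
$Domain    = 'CORP'                                  # constructed placeholder
$Approved  = @('Administrator',                      # built-in local account
               "$Domain\Domain Admins",
               "$Domain\Workstation Admins")         # hypothetical helpdesk group
$Remediate = $false   # $true removes unapproved members instead of only reporting

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; pull Name and ADsPath by reflection.
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://CORP/jsmith for domain accounts and ends in
        # <Computer>/<Account> for local ones, so the next-to-last segment
        # tells us whether the member is local or from the domain.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $scope = if ($parts.Count -ge 2) { $parts[-2] } else { $Computer }
        $label = if ($scope -ieq $Computer) { $name } else { "$scope\$name" }
        [pscustomobject]@{ Computer = $Computer; Member = $label; ADsPath = $path }
    }
}

foreach ($c in $Computers) {
    try {
        $members = Get-LocalAdminMembers -Computer $c
    } catch {
        Write-Warning "$c : could not read Administrators group ($($_.Exception.Message))"
        continue
    }
    foreach ($m in $members) {
        if ($Approved -icontains $m.Member) { continue }
        Write-Output "$($m.Computer): unapproved local admin -> $($m.Member)"
        if ($Remediate) {
            # One-shot removal; a Restricted Groups GPO keeps it that way on every refresh.
            $group = [ADSI]"WinNT://$c/Administrators,group"
            $group.Remove($m.ADsPath)
            Write-Output "$($m.Computer): removed $($m.Member)"
        }
    }
}
```

Run it with `$Remediate = $false` first and keep the output: the list of who was a local admin and which applications then break is exactly the "test this setup for a while" data the accepted solution asks for, and it tells you which groups need an exception rather than loosening the policy for everyone.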
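Items 3 and 4 above only hold if the client cannot quietly switch its LAN settings back to a direct connection. The check below is an added example (not from this thread) meant to be run on an XP client as an ordinary user after Group Policy has applied: it reads the registry locations that the Internet Explorer policies "Make proxy settings per-machine" and "Prevent changing proxy settings" write to, confirms the proxy is enabled, and compares it with the expected address. The policy paths are the standard ones for those ADM settings, but confirm them against the template your domain uses; the proxy address is a constructed placeholder.

```powershell
# Added example: verify on a client that the browser proxy is enforced and
# that the GPO lock-outs preventing users from changing it are in effect.
# Registry paths are the standard IE policy locations (verify against your
# ADM template); the expected proxy address is a constructed placeholder.

$ExpectedProxy = 'proxy.corp.example:8080'   # constructed placeholder

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null (rather than throwing) when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ProxyLockdown {
    $findings = @()

    # 1. "Make proxy settings per-machine": when 0, users cannot keep a private
    #    per-user proxy configuration that differs from the machine's.
    $perUser = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' 'ProxySettingsPerUser'
    if ($perUser -ne 0) { $findings += 'Proxy settings are still per-user (ProxySettingsPerUser is not 0)' }

    # 2. "Prevent changing proxy settings": greys out the LAN Settings dialog.
    $locked = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' 'Proxy'
    if ($locked -ne 1) { $findings += 'Proxy UI is not locked (Control Panel\Proxy is not 1)' }

    # 3. The effective proxy lives in HKLM when per-machine, otherwise in HKCU.
    $hive     = if ($perUser -eq 0) { 'HKLM:' } else { 'HKCU:' }
    $settings = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $enabled  = Get-RegValue $settings 'ProxyEnable'
    $server   = Get-RegValue $settings 'ProxyServer'
    if ($enabled -ne 1)            { $findings += 'ProxyEnable is not 1 (direct connection allowed)' }
    if ($server -ne $ExpectedProxy) { $findings += "ProxyServer is '$server', expected '$ExpectedProxy'" }

    if ($findings.Count -eq 0) { 'OK: proxy enforced and locked' } else { $findings }
}

Test-ProxyLockdown
```

Every line of output other than the OK line is a gap a user could use to reach the internet directly, so this belongs in the "Test, Test, Test" pass on a dummy account before the policy goes to the whole domain. It deliberately checks IE only, which matches the comment that Firefox is much harder to control through GPOs.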


    Expert Comment

    What we do is restrict from Active Directory.  Also, we have purchased a firewall device called "Watchguard Firebox" which has a cool feature that makes the user authenticate to the Firebox before having access to the internet.  Then when they are authenticated, they are only allowed access to predetermined sites.  This has worked out great, and it is basically a set-and-forget solution.  You also set what types of files are allowed.  The nice thing is you can set up other policies that allow other users who need internet access the access they need.  They would also need to authenticate, but once done, they can go to any site (or no sites) that you choose.  We also have policies that allow our servers out without authentication.  We simply enter their IP address into the policy, and from then on they are allowed full access.  Also remember, because you are allowing them (your users) access through what is essentially a proxy (they are using a name and password to authenticate), you are able to run historical reports on these users (anything from sites visited to attempted sites).  You can also get software which is integrated into Watchguard called WebBlocker which only allows them to go to specific sites defined by a policy.  Long story short, the box works, and setup is a breeze.  I have two Fireboxes set up and they have done great jobs watching over my sites. (You can also set up a VPN between them too.)

    Also in Active Directory you can limit what is installed and also restrict (prevent) software installs.  We have created a domain with a group called Workstations and Users.  Then put all the users in the "Users" folder and all the workstations in the "Workstations" folder.  This also helps with the .MSI files because then they are assigned to the workstation folder; you specify what software gets installed on login.  (You can also set up a login script which maps drives, printers, etc.)  Mark Minasi has a really great site for Windows and has written several books.  His site would be a great resource too.

    But from what I can recall, a firewall with restrictions might be the only way to prevent downloads, but I have been wrong before...
