NEED User Accounts Solution!! Please HELP

I have 15 win xp hosts on a network with 3 servers, one being for the active directory. Recently a keylogger was found on numerous machines on the network (atomiclog). Therefore we want to lock down user accounts a little more. We use a sonicwall hardware firewall and then we have spysweeper running on all the hosts. First off, is it possible to replace the current spyware solution with something better, such as a device or something made for corporate networks? It would also be nice for everyone to be able to log on to each computer and have available their e-mail and everything else like a roaming account would provide, but without the slow logon process. I was thinking of setting up the user accounts like roaming profiles and using folder redirection. But how would this affect outlook, and how would you set that up? I was also looking at products by Faronics. They have software called deep freeze and another program called anti-executable. If I did the roaming profile thing then the deepfreeze would be great to use, but if not I think anti-exe would be better. If you use something else like these to help maintain your systems please say so. I am looking for a complete solution here basically because the network is getting to be too much to handle by administering on each machine and giving everyone admin privileges. Thanks for the help
Ok, you've brought up quite a few questions and concerns, I'll try to touch on them all:

1. Your KeyLogger issue and locking down accounts.  You definitely want to keep the users from installing software.  They'll fight you on this but these days it's the best way to protect them from themselves.  Anyway, as bigjimbo813 suggested above the easy way to do this is to only allow users power user to their local machine.  If you really want to lock it down, only allow them user access.  Ultimately, you'll save time by doing this.  Instead of figuring out what a user did to screw up their machine, you'll be able to spend more time on being proactive - making sure that they have all that they need to do their jobs.

2. Protecting the Enterprise -

a) Spyware - I'm a personal fan of the Webroot products (Spysweeper).  They have an enterprise product as well.
b) Antivirus - You'll always need this; but you probably already know that
c) Anti-Spam or RBL or both - We use a Real Time Black List subscription to block most SPAM.  It's great because it's simply a list of known spam origins and blocks all mail coming from any malicious source.  In addition to the RBL we use Trend Micro's mail scanning tool.
d) Web Content Filtering/Proxy - Filter where your users go on the internet.  The primary source of attacks is no longer just email.  Filtering tools such as Websense will save your users from themselves.
e) Configure IE to be more secure via GPO.  Force your users to go through a web filter/proxy by configuring IE to use the proxy or if you have an advanced router use WCCP to route all 80 and 443 traffic through your web filtering tool.

3. Roaming accounts and how it will affect email.  Since it sounds like you're in a fairly small environment (15 users and 3 servers), you probably don't have a lot of network traffic, so take the plunge - set up the roaming profiles and create outlook profiles using prf files.  If network performance becomes a problem then you might want to consider something else, but you should give it a try.  Roaming profiles, while not perfect, will still save you time if your users like to play musical computers.

4. Maintenance is a pain.  So instead of spending hours visiting every machine, take some time to learn how to create msi packages with wise or another packaging product and push the software to your workstations via GPO.  

5. A complete solution probably won't come in a single package from a vendor.  We use Trend Micro, Symantec, RBL, web-filtering/proxy - all from different vendors and it's not because we want to confuse ourselves.  We do this because each one specializes in the service that they provide.  There is also the school of thought that if you have all your eggs in one basket and it's compromised, you're up the creek.  

Hope this helps.
I restrict all desktop users to Local Power User accounts. This way the users are still able to map network shares and printers.

Personally I have only used anti-spyware tools on a per user basis. If a user calls in and complains about performance, or I catch suspicious network activity, the issue will be resolved. Primarily by using limited user accounts, this can help reduce the infestation of computers.

If I am not mistaken most corporate editions of AV help fight spyware also. Currently I am using Symantec AV 10.1 and it's working great.
Rich Rumble (Security Samurai) Commented:
LUP as pointed out above is 99.999% effective against spyware and viri, we moved users to the users group and halved the helpdesk work load in 1 day!
MS is doing this in Vista, about 10-15 years later than other OS's, but it's the first BIG step they have made in security in a long time

You should still have virus scanners on the PC's, and especially your servers like Email(anti-spam too) and Web. Roaming profiles and folder redirection don't accomplish much if they still have admin rights. There are plenty of tools available to help you automate tasks that require higher privileges:
Kevin Hays (IT Analyst) Commented:
I restrict all my users to just the normal "domain users" group and that is it.  They don't get the privilege of being power user on their machine.  I have roaming profiles setup so each user can go from workstation to workstation and login.  Login times are not a problem.  My DNS is setup correctly, application data and my documents are also being redirected so the long login times that most people have heard are not a problem.

Mapping drives, printers, I do that for them via login scripts.
Installing software, I do that via group policy and software packages.
Defragging HD's, I do that via Defrag Manager 4.0 on a scheduled task.
Spyware, Sunbelt Counterspy has a corporate spyware scanner that is deployed and maintained in one central location.  Very handy.  I've not used this before though.

So you could have roaming profiles, redirection of application data and my documents (outlook email via exchange) and drop them down to just users.  Of course I have other things to try and stop spam, spyware and viruses as well, but that is the basics.

Rich Rumble (Security Samurai) Commented:
To summarize, and use my favorite saying: Security is Process, not a Product.
As indicated above as well, security is about trade-offs; folks in the users group or guest group are very limited in what they can do, such as install printers and programs, and as put forth above, there are other ways to accomplish those tasks such as login scripts and scheduled tasks.
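
Added example, not part of any participant's post: one way to check that the move from admin rights to limited accounts has actually landed on every workstation is to collect the output of `net localgroup Administrators` from each host and flag members outside an approved list. The host names, the `CORP` domain, the accounts and the allow list below are constructed for illustration.

```python
# Accounts permitted in the local Administrators group (assumed site policy).
ALLOWED = {"administrator", "corp\\domain admins"}
RULE = "-" * 79

def fake_capture(*members):
    """Build constructed `net localgroup Administrators` output for the demo."""
    head = ["Alias name     Administrators",
            "Comment        Administrators have complete and unrestricted access",
            "", "Members", "", RULE]
    return "\n".join(head + list(members) + ["The command completed successfully.", ""])

# Constructed captures, one per workstation; WS04 simulates an unreachable host.
SAMPLE = {
    "WS01": fake_capture("Administrator", "CORP\\Domain Admins"),
    "WS02": fake_capture("Administrator", "CORP\\Domain Admins", "CORP\\Domain Users"),
    "WS03": fake_capture("Administrator", "CORP\\jsmith"),
    "WS04": "System error 53 has occurred.\n\nThe network path was not found.\n",
}

def parse_members(output):
    """Return members listed after the dashed rule, or None if no list is present."""
    members, in_list = [], False
    for line in (l.strip() for l in output.splitlines()):
        if line.startswith("----"):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            return members
        elif in_list and line:
            members.append(line)
    return None  # truncated or error output: never treat it as "clean"

def audit(captures, allowed=ALLOWED):
    """Map each host to unexpected members; unparsable output is a finding too."""
    findings = {}
    for host, output in captures.items():
        members = parse_members(output)
        if members is None:
            findings[host] = ["<no member list captured>"]
            continue
        extra = [m for m in members if m.lower() not in allowed]
        if extra:
            findings[host] = extra
    return findings

if __name__ == "__main__":
    for host, extra in sorted(audit(SAMPLE).items()):
        print(f"{host}: review -> {', '.join(extra)}")
```

The same parser works for `net localgroup "Power Users"` output if the allow list is adjusted for that group.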
gsco (Author) Commented:
Could you explain more on how to setup the outlook profiles? What folders should I redirect when I switch over the accounts? Thanks for all the help
Kevin Hays (IT Analyst) Commented:
If you are using an exchange server and outlook then you just simply use roaming profiles which you can set in the ADUC profile tab as \\servername\profiles\%username%

In group policy under user configuration section you would simply redirect the my documents and application data to a shared resource on a folder.  When the user moves from station to station and as long as outlook is installed on each machine it will pull the correct mailbox.

If you are going to use roaming profiles then you should use folder redirection.

I'll explain in more detail, time to head home for now though.
gsco (Author) Commented:
kshays, could you go more in depth please?
To flat out tell you how to set up roaming profiles isn't really possible because you need to make choices that will work best for your network.  Therefore, I've done a little research to provide you with some very good descriptions of what is involved in setting up roaming profiles:

First some documents that speak to why you would want to implement roaming profiles, security issues, a bit about how, etc.

this document speaks about what is involved in making profiles "mobile" and folder redirection (good background info):

Second, what Microsoft has to say on the issue:

Third, Configuring Outlook for roaming profiles - Microsoft's Whitepaper on the subject.  More importantly though, this website is a wealth of knowledge on configuring Office and I use it often.

Fourth, A good cautionary source on Roaming profiles - what they are, what they're not and what oddities to expect from using roaming profiles.  Keep in mind that this source is a blog and this is mostly options and experiences of others - not necessarily fact.