Solved

Locked down user account for visitors?

Posted on 2007-03-19
16
268 Views
Last Modified: 2013-12-04
We are currently running a Windows network with a Small Business Server and roughly 30 WinXP workstations.  There are about 20 users who spend the majority of their time offsite and come in 3-4 times per week to submit reports, check email, etc.  Each user has their own login, but they share a group of 4 computers in a common area.  The office also has an Astaro firewall at the front end and all internet activity is passed through the content filter on the box.

I have been asked to set up a user account which can be used to access the internet on these 4 "shared" computers.  They only want the account to be able to run Firefox and surf the net, check webmail.  The user should not be able to download anything.  The user should not be able to see or make any changes to the system or anything on the network.

I'm assuming that the best way to do this is to create a new user account on the small business server, and then lock it down via group policy.  Can anyone confirm if this is the way to go about it and if not, please advise on the alternative?

If group policy is the way to do it, can anyone suggest on what the settings should be or point me to a good resource?
Question by:EnvisionTech
16 Comments
 
LVL 15

Expert Comment

by:vico1
ID: 18753996
You need to create a security group instead of a user,
then add the users to the group.
That would be a better approach.
Vico1!
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18754432
Do you have ISA installed?
If not you can keep these machines off the domain and they will still have access to the internet.
Olaf
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18754805
You should first be aware that Firefox is not easily managed via Group Policy.  Therefore, you should only allow IE to be used on your network.

You can create users in a "Restricted" Security Group, and then the workstation itself should be run in Kiosk mode.  Alternatively, you can just add the computers outside of the domain and outside of the LAN, in a DMZ, remove the hard drives and just run a CD-Based Operating system which will keep most everything safe.  Check out http://www.livekiosk.com/

Jeff
TechSoEasy
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 18761994
You also might want to check out Doug Knox's XP Security Console, www.dougknox.com/xp/utils/xp_securityconsole.htm .  I use it to lock down "community" workstations.
 

Author Comment

by:EnvisionTech
ID: 18769073
Thank you all for the responses.  These are all good but they might not be quite right for the situation.  The workstations in question will also be used by legitimate employees of the company who will need to access the network as needed.  So DMZ and Kiosk would not appear to be an option (unless I'm missing something). The security console looks great, thanks for the pointer (it will come in handy for some of my other clients), but these machines will be on the domain and Group Policy will be available.

So any further thoughts on what my best options may be?

Thanks in advance.
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 18769228
Just want to be clear what you want to achieve.  You want these four workstations to act as normal workstations except when twenty or so specific users use these workstations.  When these specific users use these four workstations, you want them locked down for the most part.  However, when these users are away from the office and logging in remotely, or maybe logged in at a different workstation, you want their user accounts to act like everyone else's?
 

Author Comment

by:EnvisionTech
ID: 18839517
Essentially what we have is 4 workstations being used by about 20 office users.  Each of these users has their own login and can access data on the server, get email, surf the net, etc.  These workstations are all on the domain, with a Win Small Business Server 2003 as DC.

However, the office also occasionally gets visitors that are not employees.  The management would like to allow these visitors to use these 4 systems to surf the net and maybe do some basic word processing and printing.  They want to ensure that these guests don't do any damage to the workstations and the infrastructure.   So I'm looking at creating a locked down "guest" login for these visitors that is fully locked down and can only do those things.

Thanks for your help.
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18840478
Set up a new security group and create a bunch of GPOs assigned to that group.
Olaf
 
LVL 6

Assisted Solution

by:manicsquirrel
manicsquirrel earned 100 total points
ID: 18840631
I would go with your last suggestion of creating a special account for guests to use and create a GPO to lock their accounts down (as an old friend used to say, "tighter than a virgin on prom night").  Then go further by using the Sysinternals Autologon utility, http://www.microsoft.com/technet/sysinternals/Security/Autologon.mspx , so that these workstations will log in with that restricted account when restarted.

If a "normal" authorized user comes along, he or she can just log off and log in with their credentials.  You may also want to look at http://support.microsoft.com/kb/314999 , which would assist in logging the computers off the network should a regular user forget to log off when they leave the workstation.
 
LVL 15

Expert Comment

by:vico1
ID: 18840645
That was my very first suggestion.
There is not a better way around it?
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18855894
You could just have the "locked down" guest login be to the local machine instead of logging into the domain.  They would still have Internet Access, but would not have ANY permissions for domain resources.

Just create a local user account on those workstations.

Jeff
TechSoEasy
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 18857131
Jeff,

Could you just activate the built-in Guest account?  Would that accomplish the same thing?  I've never really thought about it.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18857457
Yeah, it would.  I always ignore that account so I didn't think to suggest it.  But it would be just fine for this purpose.

Jeff
TechSoEasy
 

Author Comment

by:EnvisionTech
ID: 18895334
Thanks so much for your help people.  Looks like I was on the right track with the locked down user account.  Now the (newly increased) 400-point question is what Group Policy settings I should be looking at to effectively lock down this user.  Is there any guidance available for this?

The local account is a bit of a tougher sell as the firewall at the perimeter is set up to only allow specific Active Directory accounts through to the internet, and has some finely tweaked content filtering rules based on Active Directory group membership.
 
LVL 74

Accepted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 300 total points
ID: 18900956
There is lots of guidance on Group Policy settings for various levels of security.  Many of the restrictive policy settings are outlined here:  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.mspx

Jeff
TechSoEasy
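As an added check that is the editor's code, not anything posted in this thread, the script below ties the Group Policy guidance above to manicsquirrel's Autologon and auto-logoff suggestion. Run inside the guest session on one of the four shared workstations, it reports whether the settings a browse-only guest needs actually reached that user, whether the account is (wrongly) a local administrator, whether the autologon password is sitting in the registry in clear text, and whether the winexit.scr idle logoff from KB 314999 is configured. The registry locations are the standard ones the named policy settings write to; the expected values are an assumed baseline for this scenario rather than values the thread specifies, and the function names are the editor's. It targets Windows PowerShell 2.0, the newest release that installs on Windows XP.

```powershell
# Added example, not code from the thread. Run inside the locked-down guest
# session on a shared workstation after "gpupdate /force" to see which of the
# expected lockdown settings actually reached the user. Registry paths are the
# standard locations the named Group Policy settings write to; the expected
# values are an assumed baseline for a browse-only guest, not values the thread
# specifies. Targets Windows PowerShell 2.0 (newest release that runs on XP).

$userPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Policy name (as shown in the Group Policy Editor) -> registry value -> value
# this baseline requires. NoDrives/NoViewOnDrive 0x03FFFFFF = every drive letter.
$checks = @(
    @{ What = 'Run only allowed Windows applications';    Path = "$userPolicy\Explorer"; Name = 'RestrictRun';          Expect = 1 },
    @{ What = 'Remove Run menu from Start Menu';          Path = "$userPolicy\Explorer"; Name = 'NoRun';                Expect = 1 },
    @{ What = 'Hide these specified drives (all)';        Path = "$userPolicy\Explorer"; Name = 'NoDrives';             Expect = 0x03FFFFFF },
    @{ What = 'Prevent access to drives (all)';           Path = "$userPolicy\Explorer"; Name = 'NoViewOnDrive';        Expect = 0x03FFFFFF },
    @{ What = 'Hide My Network Places';                   Path = "$userPolicy\Explorer"; Name = 'NoNetHood';            Expect = 1 },
    @{ What = 'Prohibit access to Control Panel';         Path = "$userPolicy\Explorer"; Name = 'NoControlPanel';       Expect = 1 },
    @{ What = 'Prevent access to registry editing tools'; Path = "$userPolicy\System";   Name = 'DisableRegistryTools'; Expect = 1 },
    @{ What = 'Remove Task Manager';                      Path = "$userPolicy\System";   Name = 'DisableTaskMgr';       Expect = 1 },
    @{ What = 'Prevent access to the command prompt';     Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Expect = 1 },
    # Machine side. Software Restriction Policies default level 0 = Disallowed
    # (deny by default); 0x40000 = Unrestricted, which leaves RestrictRun as the
    # only thing between the guest and any executable they can reach.
    @{ What = 'SRP default security level = Disallowed';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'; Name = 'DefaultLevel'; Expect = 0 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-GuestLockdown {
    foreach ($c in $checks) {
        $actual = Get-RegValue $c.Path $c.Name
        New-Object PSObject -Property @{
            Setting  = $c.What
            Expected = $c.Expect
            Actual   = $actual
            Pass     = (($actual -ne $null) -and ([int]$actual -eq [int]$c.Expect))
        }
    }
}

# RestrictRun only governs what Explorer launches (Start menu, desktop, file
# associations). Anything started another way, such as a browser's own "open"
# handler, is not covered, which is why the SRP check above matters.
function Get-AllowedApplications {
    $key = "$userPolicy\Explorer\RestrictRun"
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $_.Value }
}

function Test-IsLocalAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AutologonState {
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    New-Object PSObject -Property @{
        AutoAdminLogon    = $wl.AutoAdminLogon
        DefaultUserName   = $wl.DefaultUserName
        DefaultDomainName = $wl.DefaultDomainName
        # Sysinternals Autologon keeps the password as an LSA secret, so this value
        # should be absent. If it is present, the guest password is in the registry
        # in clear text, readable by anyone who can log on to the workstation.
        ClearTextPassword = ($wl.PSObject.Properties['DefaultPassword'] -ne $null)
    }
}

# KB 314999 logs idle sessions off with the Resource Kit screen saver winexit.scr.
# A GPO writes screen saver settings to the Policies key; a hand-set one lands in
# the user's own Desktop key, so check both.
function Get-IdleLogoffState {
    foreach ($p in @('HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
                     'HKCU:\Control Panel\Desktop')) {
        $exe = Get-RegValue $p 'SCRNSAVE.EXE'
        if ($exe) {
            return New-Object PSObject -Property @{
                ScreenSaver    = $exe
                TimeoutSeconds = Get-RegValue $p 'ScreenSaveTimeOut'
                IsWinExit      = [bool]($exe -match 'winexit\.scr$')
            }
        }
    }
    return $null
}

if (Test-IsLocalAdmin) {
    Write-Warning 'This account is a local Administrator; it can undo every setting below.'
}
Test-GuestLockdown | Format-Table Setting, Expected, Actual, Pass -AutoSize
'Applications RestrictRun lets Explorer launch:'
Get-AllowedApplications
Get-AutologonState
Get-IdleLogoffState
```

If every user-side row passes but the guest can still reach the file system from inside Firefox, the SRP row is the one to look at: RestrictRun only filters what Explorer starts, while a Disallowed default level with path rules for the browser and the Windows directory stops downloaded executables regardless of how they are launched. The autologon row is the one to take seriously on a machine that regular employees also use, since a clear-text DefaultPassword is readable by every account on the box, not just the guest.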
 

Author Comment

by:EnvisionTech
ID: 18926851
Thanks to everyone for their help.  I split the points between a couple of the most useful comments.