Solved

Locked down user account for visitors?

Posted on 2007-03-19
Last Modified: 2013-12-04
We are currently running a Windows network with a Small Business Server and roughly 30 WinXP workstations.  There are about 20 users that spend the majority of their time offsite and come in 3-4 times per week to submit reports, check email, etc.  Each user has their own login, but they share a group of 4 computers in a common area.  The office also has an Astaro firewall at the front end and all internet activity is passed through the content filter on the box.

I have been asked to set up a user account which can be used to access the internet on these 4 "shared" computers.  They only want the account to be able to run Firefox and surf the net, check webmail.  The user should not be able to download anything.  The user should not be able to see or make any changes to the system or anything on the network.

I'm assuming that the best way to do this is to create a new user account on the small business server, and then lock it down via group policy.  Can anyone confirm if this is the way to go about it and if not, please advise on the alternative?

If group policy is the way to do it, can anyone suggest on what the settings should be or point me to a good resource?
Question by:EnvisionTech
16 Comments
 
LVL 15

Expert Comment

by:vico1
ID: 18753996
You need to create a security group instead of a user.
Then add the users to the group.
That would be a better approach.
Vico1!
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18754432
Do you have ISA installed?
If not, you can keep these machines off the domain and they will still have access to the internet.
Olaf
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18754805
You should first be aware that Firefox is not easily managed via Group Policy.  Therefore, you should only allow IE to be used on your network.

You can create users in a "Restricted" Security Group, and then the workstation itself should be run in Kiosk mode.  Alternatively, you can just add the computers outside of the domain and outside of the LAN, in a DMZ, remove the hard drives and just run a CD-Based Operating system which will keep most everything safe.  Check out http://www.livekiosk.com/

Jeff
TechSoEasy
0
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 18761994
You also might want to check out Doug Knox's XP Security Console, www.dougknox.com/xp/utils/xp_securityconsole.htm .  I use it to lock down "community" workstations.
0
 

Author Comment

by:EnvisionTech
ID: 18769073
Thank you all for the responses.  These are all good but they might not be quite right for the situation.  The workstations in question will also be used by legitimate employees of the company who will need to access the network as needed.  So DMZ and Kiosk would not appear to be an option (unless I'm missing something). The security console looks great, thanks for the pointer (it will come in handy for some of my other clients), but these machines will be on the domain and Group Policy will be available.

So any further thoughts on what my best options may be?

Thanks in advance.
0
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 18769228
Just want to be clear what you want to achieve.  You want these four workstations to act as normal workstations except when twenty or so specific users use these workstations.  When these specific users use these four workstations, you want them locked down for the most part.  However, when these users are away from the office and logging in remotely? or maybe logged in at a different workstation, you want their user accounts to act like everyone else's?
0
 

Author Comment

by:EnvisionTech
ID: 18839517
Essentially what we have is 4 workstations being used by about 20 office users.  Each of these users has their own login and can access data on the server, get email, surf the net, etc.  These workstations are all on the domain, with a Win Small Business Server 2003 as DC.

However, the office also occasionally gets visitors that are not employees.  The management would like to allow these visitors to use these 4 systems to surf the net and maybe do some basic word processing and printing.  They want to ensure that these guests don't do any damage to the workstations and the infrastructure.   So I'm looking at creating a locked down "guest" login for these visitors that is fully locked down and can only do those things.

Thanks for your help.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18840478
Set up a new security group and create a bunch of GPOs assigned to that group.
Olaf
0
 
LVL 6

Assisted Solution

by:manicsquirrel
manicsquirrel earned 100 total points
ID: 18840631
I would go with your last suggestion of creating a special account for guests to use and create a GPO to lock their accounts down (as an old friend used to say, "tighter than a virgin on prom night").  Then go further by using the sysinternals auto login utility, http://www.microsoft.com/technet/sysinternals/Security/Autologon.mspx ,  so that these workstations will log in with that restricted account when restarted.

If a "normal" authorized user comes along, he or she can just log off and log in with their credentials.  You may also want to look at http://support.microsoft.com/kb/314999 that would assist in logging the computers off the network should a regular user forget to log off when they leave the workstation.
0
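
An added example, not part of the thread or of any poster's setup: a PowerShell check that could be run on each shared workstation after auto-logon has been configured as the answer above suggests. The account name `visitor` and the function name are hypothetical placeholders; the Winlogon registry values are the standard Windows ones.

```powershell
# Added example. 'visitor' is a hypothetical name for the restricted guest account.
$ExpectedUser = 'visitor'
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogonConfig {
    param([string]$User, [string]$KeyPath)

    $findings = @()
    $w = Get-ItemProperty -Path $KeyPath

    # AutoAdminLogon = "1" means the machine signs in automatically at boot.
    if ($w.AutoAdminLogon -ne '1') {
        $findings += 'Auto-logon is not enabled.'
    }
    elseif ($w.DefaultUserName -ne $User) {
        $findings += "Auto-logon uses '$($w.DefaultUserName)', expected '$User'."
    }

    # A DefaultPassword value sits in clear text in a key ordinary users can read.
    # The Sysinternals Autologon tool keeps the password as an LSA secret instead,
    # so this value should be absent when that tool was used.
    if ($null -ne $w.DefaultPassword) {
        $findings += 'DefaultPassword is present in clear text; reconfigure with Autologon.'
    }

    # The auto-logon account must not be a direct member of local Administrators.
    # (Membership through a nested domain group is not detected by this check.)
    $pattern = '(^|\\)' + [regex]::Escape($User) + '\s*$'
    $hits = @(net localgroup Administrators | Where-Object { $_ -match $pattern })
    if ($hits.Count -gt 0) {
        $findings += "'$User' is a member of the local Administrators group."
    }

    return $findings
}

# Wrap in @() so an empty result is still an array with Count 0.
$result = @(Test-AutoLogonConfig -User $ExpectedUser -KeyPath $WinlogonKey)
if ($result.Count -eq 0) {
    'OK: auto-logon configuration looks as intended.'
}
else {
    $result | ForEach-Object { "FINDING: $_" }
}
```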
 
LVL 15

Expert Comment

by:vico1
ID: 18840645
That was my very first suggestion.
There is not a better way around it?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18855894
You could just have the "locked down" guest login be to the local machine instead of logging into the domain.  They would still have Internet Access, but would not have ANY permissions for domain resources.

Just create a local user account on those workstations.

Jeff
TechSoEasy
0
 
LVL 6

Expert Comment

by:manicsquirrel
ID: 18857131
Jeff,

Could you just activate the built-in Guest account?  Would that accomplish the same thing?  I've never really thought about it.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18857457
Yeah, it would.  I always ignore that account so I didn't think to suggest it.  But it would be just fine for this purpose.

Jeff
TechSoEasy
0
 

Author Comment

by:EnvisionTech
ID: 18895334
Thanks so much for your help people.  Looks like I was on the right track with the locked down user account.  Now the (newly increased) 400 point question is what Group Policy settings I should be looking at to effectively lock down this user.  Is there any guidance available for this?

The local account is a bit of a tougher sell as the firewall at the perimeter is set up to only allow specific Active Directory accounts through to the internet, and has some finely tweaked content filtering rules based on Active Directory group membership.

0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 300 total points
ID: 18900956
There is lots of guidance on Group Policy settings for various levels of security.  Many of the restrictive policy settings are outlined here:  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.mspx

Jeff
TechSoEasy
0
 

Author Comment

by:EnvisionTech
ID: 18926851
Thanks to everyone for their help.  I split the points between a couple of the most useful comments.
0
