mikepj (Canada) asked:
how can we "lock down" school computers to prevent customization?

we have a small non-profit school with an assortment of windows 98, 2000, and xp.  we have students customizing the computers, adding users, changing passwords and soon they will be connected to the internet and able to download and install junk software.

managing 25 windows computers is a really big job, especially since the users change whatever they want any time.

what are our options for locking these computers so the students can only use the computer in an acceptable way.

we'd also like to set them up like linux so that the computers are less susceptible to viruses because they have no "permissions".

we're getting a new windows 2003 server.  it'd be nice if we could set up the server to manage the user rights and access to documents in some way.

i write software for a living but have very limited knowledge on this.  thank you for your help on this...we really need a lot of help!  will give more points for outstanding answers!
ASKER CERTIFIED SOLUTION
Brian Pierce (United Kingdom)
Wish I only had 25 PCs to deal with! Try managing over 600 in a school environment!

All good advice above. If you can have all XP machines that would be ideal. Establishing group policies would be next. I don't have any links at the moment on where to get started. We use Steady State (I don't know much about it) but our imaging guy later found he didn't like it. I've seen Deep Freeze used in other schools with great success. Lock down the local administrator account with a password, even the BIOS if you feel necessary. I would recommend re-imaging all the computers in conjunction with establishment of a group policy.
I find the scope of Group Policy is more often than not sufficient for locking down nearly every aspect of a PC. I generally use an imaging tool to store an image file of a freshly built system, so it can easily be restored when necessary.

With your new server and Active Directory domain you will create with it, you will instantly eradicate the user account issue - the administrator has to manage it through AD U&C tool instead.

When configuring permissions on your shared drives, make sure you use security groups for every department and access privilege/right a user may require, rather than hard code usernames into NTFS file/folder permissions. It is much easier when a user wants access to a set of folders to simply add their AD user object as a member of a group, rather than go round changing permissions in hundreds of different places on the system (no doubt you'll forget one!). With groups you only configure the permissions side of things once, then leave it.

AND - the most important thing when it comes to security. NEVER give anyone on the system more privileges than they NEED. (Note, for the purposes of this comment the term "WANT" isn't the same as "NEED") It's all very well if a user wants a particular set of permissions, but if they don't NEED them you will create a potential security threat to your network by granting them access - even just to read data (particularly sensitive data), since read privileges would mean they can take it off the system (i.e. by USB Memory Key) and distribute it.

Another security recommendation would be to lock down the domain Administrator account with a randomly generated password, but don't let anyone use it unless they have to. Instead it is much better to give your administrators their own Administrator_<USER SURNAME> accounts with domain admin privileges for managing the domain. These accounts are in addition to their usual, everyday accounts which should just be standard users like everyone else on the system.

-tigermatt
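One way to put the group-based NTFS permissions and the "never hard-code usernames" advice above into practice, as an added example that is not tigermatt's or the thread's own code. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT; the Windows 2003 server in the question would not have it) and placeholder names for the domain (SCHOOL), the share path, the OU and the user jsmith.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# that the domain name, share path, OU and user below are replaced with yours.
Import-Module ActiveDirectory

$Domain = 'SCHOOL'                        # assumed NetBIOS domain name
$Share  = 'D:\Shares\Students'            # assumed share root on the file server
$OU     = 'OU=Groups,DC=school,DC=local'  # assumed OU that holds resource groups

# One security group per access right; ACLs name groups, never individual users.
$Groups = @{
    'ACL-Students-RW' = 'Modify on the student share'
    'ACL-Teachers-RW' = 'Modify on the student share (teachers)'
    'ACL-Students-RO' = 'Read-only on the student share'
}
foreach ($name in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $OU -Description $Groups[$name]
    }
}

# Configure the NTFS permissions once, using only groups and built-in principals.
$acl = Get-Acl -Path $Share
$acl.SetAccessRuleProtection($true, $false)     # stop inheriting rules from D:\
$inherit = 'ContainerInherit, ObjectInherit'    # apply to subfolders and files
$rules = @(
    @('BUILTIN\Administrators',   'FullControl'),
    @("$Domain\ACL-Students-RW",  'Modify'),
    @("$Domain\ACL-Teachers-RW",  'Modify'),
    @("$Domain\ACL-Students-RO",  'ReadAndExecute')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $inherit, 'None', 'Allow')))
}
Set-Acl -Path $Share -AclObject $acl

# From now on, granting access is a membership change, not an ACL edit.
Add-ADGroupMember -Identity 'ACL-Teachers-RW' -Members 'jsmith'   # assumed user

# Audit: warn about any ACE that names a user account instead of a group,
# which is exactly the "forgot one" case the comment above describes.
(Get-Acl -Path $Share).Access |
  Where-Object { $_.IdentityReference.Value -notmatch '^(BUILTIN|NT AUTHORITY)\\' } |
  ForEach-Object {
    $sam = $_.IdentityReference.Value.Split('\')[-1]
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "User hard-coded in ACL of ${Share}: $($_.IdentityReference)"
    }
  }
```

Run it as a domain admin on a machine that can reach both the domain controller and the file server; the audit section alone is safe to run repeatedly against any share.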
mikepj (asker):
thank you  all for your ideas.  i have a lot to learn.  i'm doing this as a volunteer.  doing this one pc at a time has been difficult (i knew there was a better way but had no knowledge of it).  it'll be a week or so before the new server will arrive so it'll take a few days before i can communicate more intelligently.

will get back to you.
thank you!
mp
It will make life much easier if all the client machines use the same operating system, especially if you plan to use group policies.
mikepj (asker):
>It will make life much easier if all the client machines use the same operating system, especially if you plan to use group policies.

it sure would.  regrettably the school has bought only a few at a time.  next time they buy pc's i want them to replace all of them & disseminate the viable ones from the lab to teachers for their classrooms.
mikepj (asker):
>A skilled person will be able to break in to any computer.

yes; perhaps my choice of words was not optimal.  my intention is not so much for security as to prevent them from customizing the computer at all.

regrettably there's too much diversity in that computer lab so we'd probably need 8-10 different "restore" images.  additionally they don't have a good setup for storing (or making) "restore" images.

many problems...
mikepj (asker):
thank you for your comments.  i'll let you know how it goes when the new gear arrives.
mikepj (asker):
thank you all for your help.  the gear arrived but i haven't had time to deal with this.  i'll need to close the question and explore this more later once i know more about this and have more specific questions.
Now that you've posted a comment after you started the automated closure process, you've stopped it and there will have to be moderator intervention! I just thought I should post to let you know you'll need to start it again and then don't post any comments after you've started it. (Then the moderators won't need to do anything)

Alternatively I guess you could just use Accept Multiple Solutions and split the points as before between expert comments. This would close this immediately rather than wait the 7 days.

-tigermatt
mikepj (asker):
i don't know why it's doing this "automated closure process".  all i did was divide the points up between the various experts and accepted the answer.  i'm an old-time EE user/expert and maybe i missed something during the closure process.

i had to close it today as i canceled my EE account effective tomorrow because EE was secretly charging my credit card again.  i learned that because i hadn't been working as an expert much lately, i need to pay.  too bad they seem to not notify when they do sneaky things like that.