Solved

best software to lock down desktop pcs

Posted on 2012-03-28
5
315 Views
Last Modified: 2012-06-21
I have 4 desktop pcs in a warehouse that I need to lock down so people can't delete icons, get in the control panel etc.  I have tried using group policy but this always left something people could mess with (yes, we have "those" type of people working for us)

my ideal solution would be as follows:

have a central profile so all pc's are locked down the same way
can be unlocked by typing in a password
be able to lock down the vast majority of things people with idle hands will try to mess with.
work on both XP and windows 7
32 and 64 bit.

any suggestions would be appreciated

thanks
0
Comment
Question by:monkey_balls
5 Comments
 
LVL 28

Accepted Solution

by:
Run5k earned 500 total points
Comment Utility
Depending upon how in-depth you want to get, you may want to consider the Faronics products:

Faronics Deep Freeze Standard

Faronics Deep Freeze Standard Manual

Faronics WINSelect Standard

Faronics WINSelect Standard Manual

Great functionality, and they will definitely do what you want.
0
 
LVL 6

Expert Comment

by:awaggoner
Comment Utility
A combination of Group Policy and not running as a local administrator or power user should eliminate these problems.  

An option could be to use a thin client in the warehouse connected to either a VM which is restored to a 'gold' snapshot at the end of the day, or use VDI to accomplish this.  

Citrix has purchased Kaviza which produces VDI-in-a-Box.  This is a very affordable VDI solution for small deployments.  With this, you can control your 'gold' image and manage any updates as well.
http://www.citrix.com/English/ps2/products/product.asp?contentID=2316437

Here is a TechRepublic article on Desktop Lockdown
http://www.techrepublic.com/article/alternatives-to-windows-standard-desktop-lockdown-features/5034950

More information
http://www.infosecblog.org/2009/07/alternatives-to-desktop-lockdown/
0
 
LVL 27

Expert Comment

by:serialband
Comment Utility
How about just creating a mandatory profile in addition to group policy for the account.  They can mess with it all they want, but upon logout, everything is reset.

http://support.microsoft.com/kb/307800
http://technet.microsoft.com/en-us/library/gg241183(v=ws.10).aspx
0
 
LVL 6

Expert Comment

by:awaggoner
Comment Utility
If you are looking for a software solution, you should look into BeyondTrust.

It integrates with AD/Group Policy and is able to give very granular controls to secure the desktop.
0
 
LVL 7

Expert Comment

by:Vanguard_LH
Comment Utility
Going along with the DeepFreeze suggestion (of restoring your computer back to a base state), you could use the following to ensure upon reboot that the state of the computer is back to some baseline state.  Any changes get discarded on reboot.  Let them change whatever they want but it'll be back again to the baseline state on reboot.  You could even schedule a reboot during off-hours, like at 3AM, to ensure the host is at its baseline state in the morning when the workers show up.

Returnil System Safe
Returnil Pro 2011
Returnil Lite 2011
(www.returnil.com)

Some [biased] comparisons here between RSS and DF:
http://www.bleepingcomputer.com/forums/topic347970.html

I do like Returnil's config where I can have it prompt on unknown programs (those ran or "installed" [but will disappear on reboot] after activating safe mode) rather than just trust all programs to run in safe mode.  Just because I virtualized all disk I/O that gets discarded on a reboot still doesn't mean I want unknown processes to startup while I'm virtualized in safe mode.

There was Microsoft's SteadyState but they dropped it back in June 2011; see http://support.microsoft.com/kb/2390706.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Article by: Lee
Windows 7 Ultimate and Enterprise (and 2008 R2) introduced a new feature you may not be aware of - Boot from VHD.   Boot from VHD (or what Microsoft refers to asNative Boot allows you to install Windows to a VHD (Virtual Hard Disk) file that is t…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now