Solved

best software to lock down desktop pcs

Posted on 2012-03-28
5
321 Views
Last Modified: 2012-06-21
I have 4 desktop pcs in a warehouse that I need to lock down so people can't delete icons, get in the control panel etc.  I have tried using group policy but this always left something people could mess with (yes, we have "those" type of people working for us)

my ideal solution would be as follows:

have a central profile so all pc's are locked down the same way
can be unlocked by typing in a password
be able to lock down the vast majority of things people with idle hands will try to mess with.
work on both XP and windows 7
32 and 64 bit.

any suggestions would be appreciated

thanks
0
Comment
Question by:monkey_balls
5 Comments
 
LVL 28

Accepted Solution

by:
Run5k earned 500 total points
ID: 37777187
Depending upon how in-depth you want to get, you may want to consider the Faronics products:

Faronics Deep Freeze Standard

Faronics Deep Freeze Standard Manual

Faronics WINSelect Standard

Faronics WINSelect Standard Manual

Great functionality, and they will definitely do what you want.
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37777220
A combination of Group Policy and not running as a local administrator or power user should eliminate these problems.  

An option could be to use a thin client in the warehouse connected to either a VM which is restored to a 'gold' snapshot at the end of the day, or use VDI to accomplish this.  

Citrix has purchased Kaviza which produces VDI-in-a-Box.  This is a very affordable VDI solution for small deployments.  With this, you can control your 'gold' image and manage any updates as well.
http://www.citrix.com/English/ps2/products/product.asp?contentID=2316437

Here is a TechRepublic article on Desktop Lockdown
http://www.techrepublic.com/article/alternatives-to-windows-standard-desktop-lockdown-features/5034950

More information
http://www.infosecblog.org/2009/07/alternatives-to-desktop-lockdown/
0
 
LVL 29

Expert Comment

by:serialband
ID: 37777334
How about just creating a mandatory profile in addition to group policy for the account.  They can mess with it all they want, but upon logout, everything is reset.

http://support.microsoft.com/kb/307800
http://technet.microsoft.com/en-us/library/gg241183(v=ws.10).aspx
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37778304
If you are looking for a software solution, you should look into BeyondTrust.

It integrates with AD/Group Policy and is able to give very granular controls to secure the desktop.
0
 
LVL 7

Expert Comment

by:Vanguard_LH
ID: 37781189
Going along with the DeepFreeze suggestion (of restoring your computer back to a base state), you could use the following to ensure upon reboot that the state of the computer is back to some baseline state.  Any changes get discarded on reboot.  Let them change whatever they want but it'll be back again to the baseline state on reboot.  You could even schedule a reboot during off-hours, like at 3AM, to ensure the host is at its baseline state in the morning when the workers show up.

Returnil System Safe
Returnil Pro 2011
Returnil Lite 2011
(www.returnil.com)

Some [biased] comparisons here between RSS and DF:
http://www.bleepingcomputer.com/forums/topic347970.html

I do like Returnil's config where I can have it prompt on unknown programs (those ran or "installed" [but will disappear on reboot] after activating safe mode) rather than just trust all programs to run in safe mode.  Just because I virtualized all disk I/O that gets discarded on a reboot still doesn't mean I want unknown processes to startup while I'm virtualized in safe mode.

There was Microsoft's SteadyState but they dropped it back in June 2011; see http://support.microsoft.com/kb/2390706.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Internet Protocol Security question 3 94
Event ID 1054 Userenv 2 32
Windows 7 Pro connection to a Windows Server 2012 R2 Windows Fax Server 5 22
Sony EVI-D70 and Skype 2 32
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question