best software to lock down desktop pcs

Posted on 2012-03-28
Last Modified: 2012-06-21
I have 4 desktop PCs in a warehouse that I need to lock down so people can't delete icons, get in the Control Panel, etc. I have tried using Group Policy but this always left something people could mess with (yes, we have "those" type of people working for us).

my ideal solution would be as follows:

have a central profile so all PCs are locked down the same way
can be unlocked by typing in a password
be able to lock down the vast majority of things people with idle hands will try to mess with.
work on both XP and Windows 7
32 and 64 bit.

any suggestions would be appreciated

thanks
0
Question by:monkey_balls
5 Comments
 
LVL 28

Accepted Solution

by:
Run5k earned 2000 total points
ID: 37777187
Depending upon how in-depth you want to get, you may want to consider the Faronics products:

Faronics Deep Freeze Standard

Faronics Deep Freeze Standard Manual

Faronics WINSelect Standard

Faronics WINSelect Standard Manual

Great functionality, and they will definitely do what you want.
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37777220
A combination of Group Policy and not running as a local administrator or power user should eliminate these problems.  

An option could be to use a thin client in the warehouse connected to either a VM which is restored to a 'gold' snapshot at the end of the day, or use VDI to accomplish this.  

Citrix has purchased Kaviza which produces VDI-in-a-Box.  This is a very affordable VDI solution for small deployments.  With this, you can control your 'gold' image and manage any updates as well.
http://www.citrix.com/English/ps2/products/product.asp?contentID=2316437

Here is a TechRepublic article on Desktop Lockdown
http://www.techrepublic.com/article/alternatives-to-windows-standard-desktop-lockdown-features/5034950

More information
http://www.infosecblog.org/2009/07/alternatives-to-desktop-lockdown/
0
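
As an added example (not part of the thread and not any poster's own code), one way to check the "not running as a local administrator or power user" advice above on the four warehouse PCs is to audit who actually sits in those local groups. The host names, the allow-list and the helper name `Get-LocalGroupMemberName` are assumptions made for illustration; the script uses only the WinNT ADSI provider so it runs under PowerShell 2.0 and can query both XP and Windows 7 from an admin workstation.

```powershell
# Added example: audit local Administrators / Power Users membership on the kiosk PCs.
# Host names and the allow-list are placeholders (assumptions), not values from the thread.
$Computers = @('WH-PC01', 'WH-PC02', 'WH-PC03', 'WH-PC04')
$Groups    = @('Administrators', 'Power Users')
# Accounts that are expected to hold elevated rights (constructed values).
$Allowed   = @('Administrator', 'Domain Admins')

# Hypothetical helper: returns the member names of one local group on one computer.
function Get-LocalGroupMemberName {
    param([string]$Computer, [string]$Group)
    # The WinNT ADSI provider needs no extra modules on the client.
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    $adsiGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$findings = foreach ($computer in $Computers) {
    foreach ($group in $Groups) {
        try {
            $members = @(Get-LocalGroupMemberName -Computer $computer -Group $group)
        } catch {
            # Host offline, access denied, or group missing: report and move on.
            Write-Warning "$computer / $group : $($_.Exception.Message)"
            continue
        }
        foreach ($member in $members) {
            if ($Allowed -notcontains $member) {
                # Any account outside the allow-list is a lockdown gap to review.
                New-Object PSObject -Property @{
                    Computer = $computer; Group = $group; Member = $member
                }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Computer, Group |
        Format-Table Computer, Group, Member -AutoSize
} else {
    'No unexpected members found.'
}
```

Any warehouse logon account that appears in the output can undo Group Policy restrictions locally, which matches the "always left something people could mess with" symptom in the question.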
 
LVL 31

Expert Comment

by:serialband
ID: 37777334
How about just creating a mandatory profile in addition to group policy for the account?  They can mess with it all they want, but upon logout, everything is reset.

http://support.microsoft.com/kb/307800
http://technet.microsoft.com/en-us/library/gg241183(v=ws.10).aspx
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37778304
If you are looking for a software solution, you should look into BeyondTrust.

It integrates with AD/Group Policy and is able to give very granular controls to secure the desktop.
0
 
LVL 7

Expert Comment

by:Vanguard_LH
ID: 37781189
Going along with the DeepFreeze suggestion (of restoring your computer back to a base state), you could use the following to ensure upon reboot that the state of the computer is back to some baseline state.  Any changes get discarded on reboot.  Let them change whatever they want but it'll be back again to the baseline state on reboot.  You could even schedule a reboot during off-hours, like at 3AM, to ensure the host is at its baseline state in the morning when the workers show up.

Returnil System Safe
Returnil Pro 2011
Returnil Lite 2011
(www.returnil.com)

Some [biased] comparisons here between RSS and DF:
http://www.bleepingcomputer.com/forums/topic347970.html

I do like Returnil's config where I can have it prompt on unknown programs (those run or "installed" [but will disappear on reboot] after activating safe mode) rather than just trust all programs to run in safe mode.  Just because I virtualized all disk I/O that gets discarded on a reboot still doesn't mean I want unknown processes to start up while I'm virtualized in safe mode.

There was Microsoft's SteadyState but they dropped it back in June 2011; see http://support.microsoft.com/kb/2390706.
0
