
Lockdown Computers

asp_net2 asked:
Hello Experts,

I have been asked to lock down computers that we hand out to employees. We currently rename them and then add them to our Domain. Then we add their domain account as an Administrator account of that local machine. By doing this we give them full control to do anything on that machine.

As part of our lockdown process, I have so far removed the Administrator account, which has helped a lot to lock the machine down, but I was wondering if there is anything else that I can do without enforcing Group Policy from our Domain.

Also, at this time we don't want to have to purchase software to lock the machines down.

Also, all of the machines are Windows 7 Pro x64.

Thanks in advance!!!

Joseph Moody, Blogger and wearer of all hats.

Commented:
Removing their account from the Administrators group will go further toward locking down the machine than anything else.

Disable the local administrator if you would like. Set UAC to the most secure setting (prompt for cred on secure desktop). Make sure firewall is enabled.

Author

Commented:
Hi Joseph,

We have to leave Administrator account enabled in the event that we need to install software for them to use. But the Administrator account has a strong password to it. What does the UAC do to lock down the computer?
Joseph Moody, Blogger and wearer of all hats.

Commented:
UAC ensures that all applications run with the least amount of privileges until additional rights are needed.
Distinguished Expert 2019

Commented:
Hi.

"Lockdown" is not really descriptive. Please describe what exactly should be prevented, or helping will be next to impossible.
Also include a reason for not using GPOs (since GPOs are part of every Windows security concept, normally).

Author

Commented:
Hi McKnife,

>> Please describe what exactly should be prevented, or helping will be next to impossible.

At this point in time I don't know what upper management wants to lockdown. They just advised me to start getting ideas without enforcing Group Policy since they don't want to have our Engineers have to manage more than what they are doing now.

Author

Commented:
Hi Joseph,

What UAC setting do you recommend that I set?
Distinguished Expert 2019
Commented:
"At this point in time I don't know what upper management wants to lockdown" - Oh. But upper management does know? Then they should tell you what they expect from you. "Lockdown" can be all the things there are, securing is a huge field. You need to define what should be prevented, what should be made as hard as possible.

About GPOs: You don't need to use GPOs, but it won't be easier without them; in fact, it will be harder.

So please come back when you have a concept.

Author

Commented:
I just found out one of them now. They would like to prevent any sort of external hard drive from working if plugged in via USB. Can this be done without using Group Policy?
Distinguished Expert 2019

Commented:
It can, but no one would be doing that without GPOs. GPOs are mostly registry keys. Finding out what registry keys are behind the "prevent-allsortsofexternaldrives" ideas will mean work. Distributing those keys without GPOs will require a concept as well. Don't even think about it.

Author

Commented:
So you're saying it can't be done then? Or just buggy if attempted?
Don, Network Administrator

Commented:
How many PCs/laptops are we talking about?
Find out all the restrictions that you want to make. Then you can use a .reg file and import it on them. Why are you bothering joining them to the domain if you aren't going to use any Group Policies?

This is how you disable storage devices
http://www.redmondpie.com/disable-usb-storage-in-windows-8-7-how-to-guide/
Distinguished Expert 2019

Commented:
"So you're saying it can't be done then? Or just buggy if attempted?" - I said it can be done, but no one would do it with anything but GPO.
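
The settings raised in this thread (local Administrators membership, UAC prompting for credentials on the secure desktop, the firewall, USB storage) can be checked per machine with a read-only script. This is an added example, not part of any post above; the registry value names are Windows' own and do not appear in the thread, and the group name assumes an English-language install.

```powershell
# Added example: read-only audit of the local settings discussed in the thread.
# Uses only PowerShell 2.0 features, as shipped with Windows 7. Changes nothing.

$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

$checks = @(
    # UAC enabled, admins prompted for credentials (1) on the secure desktop
    @{ Path = $sys; Name = 'EnableLUA';                  Want = 1 },
    @{ Path = $sys; Name = 'ConsentPromptBehaviorAdmin'; Want = 1 },
    @{ Path = $sys; Name = 'PromptOnSecureDesktop';      Want = 1 },
    # Windows Firewall enabled per profile (StandardProfile is the private one)
    @{ Path = "$fw\DomainProfile";   Name = 'EnableFirewall'; Want = 1 },
    @{ Path = "$fw\StandardProfile"; Name = 'EnableFirewall'; Want = 1 },
    @{ Path = "$fw\PublicProfile";   Name = 'EnableFirewall'; Want = 1 },
    # USB mass-storage driver: 3 = load on demand (default), 4 = disabled
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name = 'Start'; Want = 4 }
)

$results = foreach ($c in $checks) {
    # A missing key or value is reported as Found = <empty>, OK = False
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $have = if ($item) { $item.($c.Name) } else { $null }
    New-Object PSObject -Property @{
        Setting = "$($c.Path)\$($c.Name)"
        Found   = $have
        Wanted  = $c.Want
        OK      = ($have -eq $c.Want)
    }
}
$results | Select-Object OK, Found, Wanted, Setting | Format-Table -AutoSize

# List who is in the local Administrators group via ADSI (no Get-LocalGroupMember
# on Windows 7). The employee's domain account should not appear here.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
Write-Output 'Members of local Administrators:'
$admins | ForEach-Object { Write-Output "  $_" }
```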