Lockdown Computers

Hello Experts,

I have been asked to lock down computers that we hand out to employees. We currently rename them and then add them to our Domain. Then we add their domain account as an Administrator account of that local machine. By doing this we give them full control to do anything on that machine.

As part of our lockdown process I have so far removed the Administrator account, which has helped a lot to lock the machine down, but I was wondering if there is anything else that I can do without enforcing Group Policy from our Domain.

Also, at this time we don't want to have to purchase software to lock the machines down.

Also, all of the machines are Windows 7 Pro x64.

Thanks in advance!!!
asp_net2 asked:

Joseph Moody (Blogger and wearer of all hats) commented:
Removing their account from the administrators group will go further toward locking down the machine than anything else.

Disable the local administrator if you would like. Set UAC to the most secure setting (prompt for cred on secure desktop). Make sure firewall is enabled.
0
asp_net2 (Author) commented:
Hi Joseph,

We have to leave Administrator account enabled in the event that we need to install software for them to use. But the Administrator account has a strong password to it. What does the UAC do to lock down the computer?
0
Joseph Moody (Blogger and wearer of all hats) commented:
UAC ensures that all applications run with the least amount of privileges until additional rights are needed.
0
McKnife commented:
Hi.

"Lockdown" is not really descriptive. Please describe what exactly should be prevented, or helping will be next to impossible.
Also include a reason for not using GPOs (since GPOs are part of every Windows security concept, normally).
0
asp_net2 (Author) commented:
Hi McKnife,

>> Please describe what exactly should be prevented, or helping will be next to impossible.

At this point in time I don't know what upper management wants to lockdown. They just advised me to start getting ideas without enforcing Group Policy since they don't want to have our Engineers have to manage more than what they are doing now.
0
asp_net2 (Author) commented:
Hi Joseph,

What UAC setting do you recommend that I set?
0
McKnife commented:
"At this point in time I don't know what upper management wants to lockdown" - Oh. But upper management does know? Then they should tell you what they expect from you. "Lockdown" can be all the things there are, securing is a huge field. You need to define what should be prevented, what should be made as hard as possible.

About GPOs: You don't need to use GPOs, but it won't be easier without, but in fact harder.

So please come back when you have a concept.
0
asp_net2 (Author) commented:
I just found out one of them now. They would like to prevent any sort of external hard drive from working if plugged in via USB. Can this be done without using Group Policy?
0
McKnife commented:
It can, but no one would be doing that without GPOs. GPOs are mostly registry keys. To find out what registry keys are behind the "prevent-allsortsofexternaldrives" ideas will mean work. Distributing those keys without GPOs will require a concept as well. Don't even think about it.
0
asp_net2 (Author) commented:
So you're saying it can't be done then? Or just buggy if attempted?
0
Don (Network Administrator) commented:
How many PCs/laptops are we talking about?
Find out all the restrictions that you want to make. Then you can use a dot.reg file and import it on them. Why are you bothering joining them to the domain if you aren't going to use any Group Policies?

This is how you disable storage devices:
http://www.redmondpie.com/disable-usb-storage-in-windows-8-7-how-to-guide/
0
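The settings named in this thread (UAC prompting for credentials on the secure desktop, the firewall, and USB storage) are ordinary registry values, so a script can check and set them on a machine that receives no GPOs. The PowerShell below is an added example, not something posted by the participants; the registry paths and values are the standard Windows ones, and the `-Apply` switch is a name chosen for this example.

```powershell
# Added example, not from the thread. Run elevated; works on the PowerShell 2.0
# shipped with Windows 7. Without -Apply it only reports.
param([switch]$Apply)   # -Apply is a hypothetical switch name for this example

$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$usb = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Each entry: registry path, value name, desired DWORD, description.
$baseline = @(
    @($uac, 'EnableLUA', 1, 'UAC enabled (change needs a reboot)'),
    @($uac, 'ConsentPromptBehaviorAdmin', 1, 'Admins: prompt for credentials'),
    @($uac, 'ConsentPromptBehaviorUser', 1, 'Users: prompt for credentials'),
    @($uac, 'PromptOnSecureDesktop', 1, 'Prompt on the secure desktop'),
    @("$fw\DomainProfile", 'EnableFirewall', 1, 'Firewall on, domain profile'),
    @("$fw\StandardProfile", 'EnableFirewall', 1, 'Firewall on, private profile'),
    @("$fw\PublicProfile", 'EnableFirewall', 1, 'Firewall on, public profile'),
    @($usb, 'Start', 4, 'USB mass-storage driver disabled (3 = enabled)')
)

foreach ($item in $baseline) {
    $path, $name, $want, $desc = $item
    $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $have = if ($prop) { $prop.$name } else { '<not set>' }
    $state = if ($have -eq $want) { 'OK' } else { 'DRIFT' }

    if ($state -eq 'DRIFT' -and $Apply) {
        if ($path -like "$fw*") {
            # Use the firewall's own tool so the running service picks it up.
            netsh advfirewall set allprofiles state on | Out-Null
        } else {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name $name -Value $want `
                -PropertyType DWord -Force | Out-Null
        }
        $state = 'FIXED'
    }
    '{0,-5} {1}: {2} (found {3}, wanted {4})' -f $state, $desc, $name, $have, $want
}

# Membership matters more than any value above: list who can undo them.
# (Group name as on an English-language install.)
net localgroup Administrators
```

Any account left in the local Administrators group can set these values back, so the report is only meaningful once the user's domain account has been removed from that group.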
McKnife commented:
"So you're saying it can't be done then? Or just buggy if attempted?" - I said it can be done, but no one would do it with anything but GPO.
0