Lockdown Computers

Hello Experts,

I have been asked to lock down computers that we hand out to employees. We currently rename them and then add them to our Domain. Then we add their domain account as an Administrator account of that local machine. By doing this we give them full control to do anything on that machine.

As part of our lockdown process I have so far removed the Administrator account, which has helped a lot to lock the machine down, but I was wondering if there is anything else that I can do without enforcing Group Policy from our Domain.

Also, at this time we don't want to have to purchase software to lock the machines down.

Also, all of the machines are Windows 7 Pro x64.

Thanks in advance!!!
asp_net2 Asked:
 
McKnife Commented:
"At this point in time I don't know what upper management wants to lockdown" - Oh. But upper management does know? Then they should tell you what they expect from you. "Lockdown" can be all the things there are, securing is a huge field. You need to define what should be prevented, what should be made as hard as possible.

About GPOs: You don't need to use GPOs, but it won't be easier without them; in fact, it will be harder.

So please come back when you have a concept.
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
Removing their account from the Administrators group will go further toward locking down the machine than anything else.

Disable the local administrator if you would like. Set UAC to the most secure setting (prompt for credentials on the secure desktop). Make sure the firewall is enabled.
 
asp_net2 (Author) Commented:
Hi Joseph,

We have to leave the Administrator account enabled in the event that we need to install software for them to use. But the Administrator account has a strong password on it. What does the UAC do to lock down the computer?
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
UAC ensures that all applications run with the least amount of privileges until additional rights are needed.
 
McKnife Commented:
Hi.

"Lockdown" is not really descriptive. Please describe what exactly should be prevented, or helping will be next to impossible.
Also include a reason for not using GPOs (since GPOs are part of every Windows security concept, normally).
 
asp_net2 (Author) Commented:
Hi McKnife,

>> Please describe what exactly should be prevented, or helping will be next to impossible.

At this point in time I don't know what upper management wants to lockdown. They just advised me to start getting ideas without enforcing Group Policy since they don't want to have our Engineers have to manage more than what they are doing now.
 
asp_net2 (Author) Commented:
Hi Joseph,

What UAC setting do you recommend that I set?
 
asp_net2 (Author) Commented:
I just found out one of them now. They would like to prevent any sort of External Hard Drives to work if plugged in via USB. Can this be done without using Group Policy?
 
McKnife Commented:
It can, but no one would be doing that without GPOs. GPOs are mostly registry keys. To find out what registry keys are behind the "prevent-allsortsofexternaldrives" ideas will mean work. Distributing those keys without GPOs will require a concept as well. Don't even think about it.
 
asp_net2 (Author) Commented:
So you're saying it can't be done then? Or just buggy if attempted?
 
Don (Network Administrator) Commented:
How many PCs/laptops are we talking about?
Find out all the restrictions that you want to make. Then you can use a dot.reg file and import it on them. Why are you bothering joining them to the domain if you aren't going to use any Group Policies?

This is how you disable storage devices:
http://www.redmondpie.com/disable-usb-storage-in-windows-8-7-how-to-guide/
0
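A read-only check of the local settings suggested in the replies above (local Administrators membership, UAC, firewall, USB storage), added here as an example and not posted by any participant in the thread. The allowed-administrators list is an assumption to adjust per site, and the registry locations are the standard Windows ones rather than values given in the thread.

```powershell
# Added example: read-only audit of the local settings named in this thread.
# Written for PowerShell 2.0, which ships with Windows 7. It changes nothing.
# Assumption: accounts that may stay in the local Administrators group (English group name).
$AllowedAdmins = @('Administrator', 'Domain Admins')

$results = @()
function Add-Result($Check, $Pass, $Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# 1. Who is a local administrator? The user's domain account should not be listed.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$extra = @($members | Where-Object { $AllowedAdmins -notcontains $_ })
Add-Result 'Local Administrators' ($extra.Count -eq 0) ('Unexpected members: ' + ($extra -join ', '))

# 2. UAC on, administrators prompted for credentials on the secure desktop.
$uac  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$want = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 1; PromptOnSecureDesktop = 1 }
foreach ($name in $want.Keys) {
    $value = Get-RegValue $uac $name
    Add-Result "UAC $name" ($value -eq $want[$name]) "value=$value, expected=$($want[$name])"
}

# 3. Windows Firewall enabled for every profile.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $value = Get-RegValue "$fw\$fwProfile" 'EnableFirewall'
    Add-Result "Firewall $fwProfile" ($value -eq 1) "EnableFirewall=$value"
}

# 4. USB mass-storage driver disabled (Start: 3 = load on demand, 4 = disabled).
$value = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
Add-Result 'USB storage driver' ($value -eq 4) "Start=$value"

$results | Select-Object Check, Pass, Detail | Format-Table -AutoSize
```

Because the user is no longer a local administrator once the first check passes, they cannot change the other three settings back, which is why that check comes first.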
 
McKnife Commented:
"So you're saying it can't be done then? Or just buggy if attempted?" - I said it can be done, but no one would do it with anything but GPO.
Question has a verified solution.