Would like to lock down public computer

Joe

I would like to make some computers available to some kids with social
problems and I would like to restrict their access to everything including
whether they can install something on the computer, whether they can change
the wallpaper, or the local hard disk etc without using a domain. Is this
possible? If yes can you tell me what I'll need to learn or do to make it
happen?
Also, I would like to know if it's possible to set up something like a
mandatory profile on a machine without using a domain.
Any help would be appreciated.
Thanks in advance.
 
Steven L Umbach

First off, make sure they are only regular users. Then on the root/drive
folder make sure that users have no more than read/list/execute permissions
so that they cannot install or copy files there. If you use the guest
account, any changes they make to the computer profile/desktop while logged
on will not be saved when they log off. If you use the guest account, be sure
to disable file and print sharing or make sure that the Everyone group does
not have access to any shares for share permissions or NTFS permissions.

If you assign regular user accounts, make sure they are not owner of that
user profile and then you can change permissions to the desktop folder in
the profiles to have only read/list/execute permissions so that they cannot
change the desktop. Learn to use Group Policy. You can enable it on a local
computer via Gpedit.msc and you will find a bunch of user restrictions under
user configuration/administrative templates. Note that for local Group
Policy the restrictions will apply to all local users including
administrators, so be careful not to lock yourself out, though you can always
manage Group Policy remotely from another computer on the network using the
Group Policy MMC snap-in on the remote computer targeting the other computer.
Mmc in the run box will open the Microsoft Management Console.

I don't know how computer savvy your kids are, but you want to configure CMOS
settings on the computers to boot only from the hard drive and password
protect the CMOS settings, as it is easy to reboot a computer from a floppy
or CD-ROM to reset the built-in administrator account so that the attacker
can gain administrator access to the computer. If possible, lock the computer
cases, as CMOS settings can usually be reset by removing the motherboard
battery for a minute. I am not sure about using mandatory profiles on a
workgroup computer. I think you may be able to do it, but you have to create
the mandatory profile on the local computer and then have the user's account
point to it as its profile path using the local disk instead of a network
share that would normally be used. You might find out that by configuring
NTFS permissions on the user's account profile and using Group Policy
you may be able to do most or all of what you want to do. For instance, you
could configure display properties to your liking and then use Group
Policy/user configuration/administrative templates/control panel/display to
prevent users from changing display settings. It might also be a good idea
to make Ghost images of those computers for a quick reinstall in case they
end up getting messed up somehow. If you are going to be giving them
internet access, see the article in the link below on recommended minimum IE
security settings and then disable their ability to change IE settings via
Group Policy. --- Steve

http://mvps.org/winhelp2002/unwanted.htm
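
A read-only audit of the account and NTFS points in the reply above, added here as an example and not part of anyone's post. The account name `kiosk`, the `C:\Users` profile path and the `Get-LocalUser`/`Get-LocalGroupMember` cmdlets (Windows PowerShell 5.1 or later, run elevated) are assumptions; it reports matching allow entries for review and does not evaluate deny entries or nested group membership.

```powershell
# Added example: checks a kiosk account against the advice in the post above.
# Assumptions: 'kiosk' and C:\Users\kiosk are placeholders for the real account.
param(
    [string]$KioskUser  = 'kiosk',
    [string]$DriveRoot  = 'C:\',
    [string]$ProfileDir = "C:\Users\$KioskUser"
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$userSid = (Get-LocalUser -Name $KioskUser).SID.Value
# SIDs whose grants reach an ordinary logged-on user:
# the user, Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users, BUILTIN\Guests.
$reachSids = @($userSid, 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545', 'S-1-5-32-546')

# Anything beyond read/list/execute: create, change, delete, re-permission.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs store raw GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000) bits.
$writeMask = [int]$rights -bor 0x50000000

function Get-WritableAce {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $reachSids -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }
}

$findings = @()

# 1. "Only regular users": the account must not be a local administrator.
#    The group name is the English one; it is localized on other installs.
$adminSids = (Get-LocalGroupMember -Group 'Administrators').SID.Value
if ($adminSids -contains $userSid) {
    $findings += "$KioskUser is a member of the local Administrators group"
}

# 2. Drive root and the profile's Desktop folder: read/list/execute only.
foreach ($path in $DriveRoot, (Join-Path $ProfileDir 'Desktop')) {
    foreach ($ace in (Get-WritableAce -Path $path)) {
        $findings += '{0}: {1} is allowed {2}' -f $path, $ace.IdentityReference.Value, $ace.FileSystemRights
    }
}

# 3. The user must not own the profile, or they can reset its permissions.
$owner = (Get-Acl -LiteralPath $ProfileDir).GetOwner($sidType).Value
if ($owner -eq $userSid) { $findings += "$KioskUser owns $ProfileDir" }

if ($findings) { $findings } else { 'No findings for the checks above.' }
```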
 
andy smart

Joe wrote:
| I would like to make some computers available to some kids with social
| problems and I would like to restrict their access to everything including
| whether they can install something on the computer, whether they can change
| the wallpaper, or the local hard disk etc without using a domain. Is this
| possible? If yes can you tell me what I'll need to learn or do to make it
| happen?
| Also, I would like to know if it's possible to setup something like a
| mandatory profile on a machine without using a domain.
| Any help would be appreciated.
| Thanks in advance.
|
|
A friend of mine works in a college with a lot of students who like to
tinker with the machines etc. He uses a product called 'Deep Freeze' to
lock down the machines - he says it's very effective. I could put you in
touch if you like.


 
Joe

Thanks Steven. I appreciate your help.
Cheers!
 
