Desperately seeking help securing XP Pro Computers

[Guest]

I've just recently started a new job and one of my responsibilites is
managing 30 new PC's 15 with XP Pro and 15 with Win2000. Because the
computers are logging into a Linux file server to authenticate a user (really
just a workgroup) has given the PC users free reighn do what they please,
change settings, administrator rights since they are not logged in locally.
Apparently the user groups mean nothing when not logged on locally with a
default install of XP Pro. My Win2000 machines are secure using the Guest
account.

I'm guessing I need to configure the Global Policy Editor but never doing
it, unclear as to the steps. Can anyone shed some light on my dilemna to help
secure the 15 XP machines? Thank you.

 

[Lanwench [MVP - Exchange]]

In

I've just recently started a new job and one of my responsibilites is
managing 30 new PC's 15 with XP Pro and 15 with Win2000. Because the
computers are logging into a Linux file server to authenticate a user
(really just a workgroup) has given the PC users free reighn do what
they please, change settings, administrator rights since they are not
logged in locally. Apparently the user groups mean nothing when not
logged on locally with a default install of XP Pro. My Win2000
machines are secure using the Guest account.

? Disable guest

I'm guessing I need to configure the Global Policy Editor but never
doing it, unclear as to the steps. Can anyone shed some light on my
dilemna to help secure the 15 XP machines? Thank you.

Ugh - no way to get a Windows 2003 server and set up AD? It doesn't have to
be kick-a__ hardware. Without AD, group policies are a huge PITA. You have
to do everything on each machine.....and you can't globally change it.

 

[Steven L Umbach]

I agree with Lanwench. If you can not use a domain controller start by
verifying that the users do not need to be local administrators or power
users to have the functionality they need to run application and if that is
the case remove all but authorized users from the local administrators/power
users group on each computer and change the passwords for any users left in
the administrators/power users groups including the built in administrator
account.

Also configure all computers to boot only from system drive and password
protect cmos settings on the computer as it is trivial for user's to gain
access as an administrator if they have full physical access to the
computer. Even password protecting cmos settings is not going to stop a
determined user but it will be roadblock worth building. Consult with the
powers that be to create a computer use policy that prohibits malicious
activity of non user owned computers with stated consequences and make sure
each user signs a copy for you or personnel to keep.

Steve