"Locking Down" a computer lab

Guest

Hello! I'm quite familiar with XP, but only in a straight-forward
environment here where I work, no real security issues. We recently
installed a 16 station computer lab for all ages, all running XP (but not
networked, just sharing internet). I've got the stations set up as user
accounts, with direct logins so they can't install their own programs. But
I've been told I should really set up some local security policies on the
machines to keep the malicious users from doing damage. Does anybody have
any suggestions of what I should be locking down? I'm vaguely familiar with
the policy editor, but that would be a good learning experience anyway.

Any and all advice is appreciated - thank you!

Mike
 
Jerry

You could do some reading.

Windows XP Booklist

Microsoft Windows XP Inside Out 2nd ed ISBN 0-7356-2044-X
www.microsoft.com/mspress
Microsoft Windows XP Professional Resource Kit 2nd ed ISBN 0-7356-1974-3
www.microsoft.com/mspress
Microsoft Windows Command-Line ISBN 0-7356-2038-5
www.microsoft.com/mspress
Windows XP Pro 2nd ed The Missing Manual ISBN 0-596-00898-8
www.missingmanuals.com
Windows XP in a Nutshell, 2nd Edition ISBN 0-596-00900-3 www.oreilly.com
Windows XP Annoyances for Geeks, 2nd ed ISBN 0-596-00876-7 www.oreilly.com
Windows XP Hacks, 2nd ed ISBN 0-596-0000918-6 www.oreilly.com
Windows XP Solutions ISBN 0-7645-6773-X www.wiley.com/compbooks/pcmag
Windows XP Speed Solutions ISBN 0-7645-7814-6
www.wiley.com/compbooks/pcmag
Guide to Home Networking ISBN 0-7645-4473-X www.wiley.com/compbooks/pcmag
Hacking Windows XP ISBN 0-7645-6929-5 www.TweakXP.com

Downloadable Guides

XP Tweak Guide (TweakGuides_XPTC.zip) from www.TweakGuides.com
Windows Registry Guide (registryguide2003.exe) from www.winguides.com
Error Message for Windows (MSWinErr.zip) from www.gregorybraun.com

The BIOS

The BIOS Companion ISBN 0-9681928-0-7 www.electrocution.com
Breaking Through The BIOS Barrier ISBN 0-13-145536-2 www.rojakpot.com

PC Hardware in a Nutshell ISBN 0-596-00513-X www.oreilly.com
 
Guest

Jerry, thanks for the quick reply. What I'm really looking for here is ideas
of what others would "close off" to users, like Network Neighborhood,
exploring, start menu items, etc. I've never messed with anything so open to
the public so I'm pretty much a novice figuring out what people will do to my
computers if I give them the chance!

Mike
 
Colin Nash [MVP]

mjfmn said:
Hello! I'm quite familiar with XP, but only in a straight-forward
environment here where I work, no real security issues. We recently
installed a 16 station computer lab for all ages, all running XP (but not
networked, just sharing internet). I've got the stations set up as user
accounts, with direct logins so they can't install their own programs. But
I've been told I should really set up some local security policies on the
machines to keep the malicious users from doing damage. Does anybody have
any suggestions of what I should be locking down? I'm vaguely familiar with
the policy editor, but that would be a good learning experience anyway.

Any and all advice is appreciated - thank you!

Mike

If they are limited users, they shouldn't be able to do much other than play
with their own profile (and any files to which they have permissions to.)
Locking down interface elements like the Start Menu and Desktop is usually
done less for security reasons and more to keep a consistent configuration
with the goal of reducing IT support costs. As a limited user, the worst
case scenario would be that you need to delete the user's local profile and
let it be recreated from the default -- they wouldn't be able to affect
other users.
 
Ron Chamberlin

Hi Mike,

How is the boot order on those boxes? Do you have the BIOS locked? Did you
perhaps make a Ghost image of the machines before folks started trashing
them about? Are there any privacy issues or considerations you need to look
at?

You can get some good ready-made policies using the snap-ins that are
afforded in running MMC from the Run line.

I have about 450 units including some laptops running Deep Freeze by
Faronics.com in labs, classrooms and public areas. I sleep well at night
because of it. You can get a trial version off their site, and test it
against some of your other units, and see what shape they are in after the
trial.

Ron Chamberlin
MS-MVP
 
johnsuth

Hello! I'm quite familiar with XP, but only in a straight-forward
environment here where I work, no real security issues. We recently
installed a 16 station computer lab for all ages, all running XP (but not
networked, just sharing internet). I've got the stations set up as user
accounts, with direct logins so they can't install their own programs. But
I've been told I should really set up some local security policies on the
machines to keep the malicious users from doing damage. Does anybody have
any suggestions of what I should be locking down? I'm vaguely familiar with
the policy editor, but that would be a good learning experience anyway.

Any and all advice is appreciated - thank you!


I run a high school computer lab (this is my qualification to speak).

I hope you installed Windows with NTFS file system and that Safe Mode is protected by a strong password. Never type your administrator password whilst users are in the room, and lock yourself in whilst doing admin work. It is easy to get distracted and leave a machine exposed.

If you install applications in the All Users folder, then I expect that all users will be able to delete them. I install as Administrator into the Program Files folder. If legacy apps don't run for users, you can try the Compatibility tab in shortcut properties or assign permission to some or all of the app code.

Download MS PowerTools TweakUI and employ it to delete the recycle bin from the user desktops.

I tried a free lockdown product which was useless, and a commercial one (from an "internet only" corporation) which was defeated by an uneducated but street-smart 14 yr old within 40 minutes. People have spoken well of Deep Freeze. I formed the impression that it allows users to destroy their interface, but that is rolled back on reboot. This might not be enough because my users deleted the contents of their All Programs list and I have not found a way to repopulate it.

I employ cacls.exe to lock users out of Text to Speech, Media Player and any administrative code that I put on the hard drive.
I uninstall Windows components Games, MSN Explorer and Windows Messenger.
I stop and disable about half of the Windows Services.
I place a bastion router, hosting a rule based firewall and proxy server with ACL, between the classroom network and the internet (this is corporate, not consumer, technology).
I employ static IP to confound smuggled in laptops.

Cumbersome to set up, but it seems to work.
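
Added example, not part of johnsuth's post: one way to script the cacls.exe step described above on an XP station, as a batch file run from an Administrator command prompt. The account name `LabUser` and the `C:\AdminTools\imaging.exe` path are hypothetical placeholders for the lab's own limited account and administrative tools.

```bat
@echo off
rem Added example (not from the thread): deny one limited account access to
rem selected executables with cacls. Run as Administrator on an NTFS volume;
rem FAT32 has no file ACLs.
rem Assumptions: the account LabUser and the C:\AdminTools path are hypothetical.
setlocal
set LABUSER=LabUser

call :deny "%ProgramFiles%\Windows Media Player\wmplayer.exe"
call :deny "C:\AdminTools\imaging.exe"
endlocal
goto :eof

:deny
if not exist %1 goto :missing
rem /E edits the existing ACL. Without /E, cacls replaces the whole ACL and
rem drops the Administrators and SYSTEM entries along with everything else.
rem /D adds a deny entry for the account. Add /T to recurse when the target
rem is a folder rather than a single file.
cacls %1 /E /D %LABUSER% >nul
rem Show the account's entry so the result can be checked: a denied account
rem is listed with the right N (none). findstr returns errorlevel 1 when the
rem account does not appear in the ACL at all.
cacls %1 | findstr /i "%LABUSER%"
if errorlevel 1 goto :failed
goto :eof

:missing
echo SKIP   %~1 (not found)
goto :eof

:failed
echo FAILED %~1 (no ACL entry for %LABUSER%)
goto :eof
```

Log on as the limited account afterwards and confirm that launching each program returns "Access is denied"; a deny entry takes precedence over any allow the account inherits through the Users group.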
 
Carey Frisch [MVP]

Shared Computer Toolkit for Windows XP product overview
http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

-------------------------------------------------------------------------------------------

:

| Hello! I'm quite familiar with XP, but only in a straight-forward
| environment here where I work, no real security issues. We recently
| installed a 16 station computer lab for all ages, all running XP (but not
| networked, just sharing internet). I've got the stations set up as user
| accounts, with direct logins so they can't install their own programs. But
| I've been told I should really set up some local security policies on the
| machines to keep the malicious users from doing damage. Does anybody have
| any suggestions of what I should be locking down? I'm vaguely familiar with
| the policy editor, but that would be a good learning experience anyway.
|
| Any and all advice is appreciated - thank you!
|
| Mike
 
