Locking Down A Computer Lab

Guest

Hello! I have 16 XP SP2 machines I just installed in a computer lab, and I
want to lock them down. I got each of them set up today, used a password for
the administrator, then set up a new user for each one (lab01, lab02, etc.).
When I was all done I wanted to change the permission on the user from
administrator level to restricted, so I rebooted, went into safe mode as
administrator. I was told I couldn't change the user from administrator
because there had to be one computer administrator (I thought the
"administrator" log in was that?). I created a new user that I would give
low rights to, but when the computer is booted up it gives the option of
choosing a user - that kind of negates what I'm trying to do! I'd just like
it so the computer boots up to the restricted user.

I need to lock down these computers so no one installs any software, disables
antivirus or Adaware, etc. Does anyone have any tips I can use? Thanks so
much!

Mike, MIS Director
 
Jerry

Try the Group Policy Editor and do some reading:

Windows XP Booklist

Microsoft Windows XP Inside Out 2nd ed ISBN 0-7356-2044-X
Microsoft Windows XP Professional Resource Kit 2nd ed ISBN 0-7356-1974-3
Microsoft Windows Command-Line ISBN 0-7356-2038-5
Windows XP Pro 2nd ed The Missing Manual ISBN 0-596-00898-8
Windows XP in a Nutshell, 2nd Edition ISBN 0-596-00900-3
Windows XP Annoyances, 2nd ed ISBN 0-596-00876-7
Windows XP Hacks, 2nd ed ISBN 0-596-0000918-6
Windows XP Solutions ISBN 0-7645-6773-X
Windows XP Speed Solutions ISBN 0-7645-7814-6
Guide to Home Networking ISBN 0-7645-4473-X

Downloadable Guides

XP Tweak Guide (TweakGuides_XPTC.zip) from wwww.TweakGuides.com
Windows Registry Guide (registryguide2003.exe) from www.winguides.com
Error Message for Windows (MSWinErr.zip) from www.gregorybraun.com
 
Guest

Jerry, thanks for the response. Sadly, I don't have the opportunity to get
those books (we don't even have a book store in our little town), or that
much time. The lab goes into use on Tuesday, May 17th. If someone could
just tell me what I need to do to accomplish these two tasks (going to a
restricted user at boot and / or changing the default login to a restricted
user), that would get me far enough to lock it down by the time the doors
open.

Thanks again!
Mike
 
Carey Frisch [MVP]

How To Assign a Mandatory User Profile in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307800

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

-------------------------------------------------------------------------------------------

:

| Hello! I have 16 XP SP2 machines I just installed in a computer lab, and I
| want to lock them down. I got each of them set up today, used a password for
| the administrator, then set up a new user for each one (lab01, lab02, etc.).
| When I was all done I wanted to change the permission on the user from
| administrator level to restricted, so I rebooted, went into safe mode as
| administrator. I was told I couldn't change the user from administrator
| because there had to be one computer administrator (I thought the
| "administrator" log in was that?). I created a new user that I would give
| low rights to, but when the computer is booted up it gives the option of
| choosing a user - that kind of negates what I'm trying to do! I'd just like
| it so the computer boots up to the restricted user.
|
| I need to lock down these computers so no one installs any software, disables
| antivirus or Adaware, etc. Does anyone have any tips I can use? Thanks so
| much!
|
| Mike, MIS Director


 
Nepatsfan

I'm guessing that these machines are not part of a domain. If
they are, post back with that info as that would make a big
difference in my answer. I'm also guessing that you have the
Professional version of XP as opposed to Home Edition.

That said, here are some suggestions you might consider
implementing:

1. Put passwords on both the built in administrator account and
the account you created that is a member of the administrators
group. Make sure it's something you'll remember but your users
won't be able to guess. It's OK if it's the same for both
accounts.

If these machines have floppy drives or, better yet, you have a
USB flash drive you might want to run the "Forgotten Password
wizard". Here's how:

http://www.petri.co.il/what's_the_password_reset_disk_in_windows_xp.htm

I'd suggest leaving the limited account with a blank password.

2. Configure all machines to logon with the limited accounts by
doing the following:

Go to Start -> Run.
Enter the following into the Open box:

control userpasswords2

Click OK.
Uncheck "Users must enter a user name and password to use this
computer".
In the box that pops up, replace Administrator in the "User Name"
box with your limited user account. Enter your password twice.
Note: You can leave the password box blank if your account does
not have a password.
Click OK twice and reboot to see if you get the desired results.

When you want to logon with your administrative account you can
log off the limited account. The Welcome screen will be displayed
which should contain the icon for your administrative account.
Alternatively, you can hold down the shift key while windows is
starting. This will bring you directly to the Welcome screen.

3. If running XP Professional in a workgroup:

Right click on My Computer and select Manage from the drop down
menu.
In the Local Users and Groups section click on the Users.
Right click on the limited account and select Properties.
Put a check mark in the box next to "User cannot change password"
as well as "Password never expires".
This should prevent someone from assigning a password to this
account. If you don't do this you're probably going to find
yourself having to reset the password often.

4. If you plan on using the Local Group Policy to restrict the
limited accounts you will need to use one of the procedures
outlined in these articles to prevent the policies from being
applied to members of the administrators group:

Applies to XP as well as Win2K:
http://support.microsoft.com/default.aspx?scid=kb;en-us;293655

Group policy in a workgroup:
http://www.theeldergeek.com/gp07.htm

Be careful with Group Policy. It's not that hard to configure it
in such a way that you lock yourself out of the computer.

Good luck
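
The demotion Mike asked about and the two account settings from step 3 of the post above, as a batch file that can be repeated on each lab PC. This is an added example, not part of anyone's post; the file name lockdown.bat and the account argument are hypothetical, and it assumes XP Professional with English group names.

```batch
@echo off
rem Added example, not from the thread. Demotes one lab account to a limited
rem user and applies the two step 3 settings. Assumes XP Professional with
rem English group names. Usage (from an administrator account): lockdown.bat lab01
setlocal
set "LABUSER=%~1"
if "%LABUSER%"=="" (
    echo Usage: %~nx0 account
    exit /b 1
)
rem Never demote the built-in account you need for maintenance.
if /i "%LABUSER%"=="Administrator" (
    echo Refusing to change the built-in Administrator account.
    exit /b 1
)
rem Stop if the account does not exist on this machine.
net user "%LABUSER%" >nul 2>&1
if errorlevel 1 (
    echo Account %LABUSER% not found.
    exit /b 1
)

rem Drop administrator rights if the account has them.
net localgroup Administrators | findstr /i /r /c:"^%LABUSER% *$" >nul
if not errorlevel 1 net localgroup Administrators "%LABUSER%" /delete

rem Make sure the account is still an ordinary (limited) user.
net localgroup Users | findstr /i /r /c:"^%LABUSER% *$" >nul
if errorlevel 1 net localgroup Users "%LABUSER%" /add

rem "User cannot change password" (step 3).
net user "%LABUSER%" /passwordchg:no

rem "Password never expires" (step 3); net user has no switch for it, so use WMI.
wmic useraccount where "name='%LABUSER%'" set PasswordExpires=FALSE

rem Verify, then list who can still administer the machine.
net localgroup Administrators | findstr /i /r /c:"^%LABUSER% *$" >nul
if not errorlevel 1 (
    echo FAIL: %LABUSER% is still a member of Administrators.
    exit /b 1
)
echo OK: %LABUSER% is limited. Accounts that still have admin rights:
net localgroup Administrators
endlocal
```

Auto-logon is still configured through the control userpasswords2 dialog described in step 2. The final listing is the check that matters: only the accounts you hold passwords for should appear in it.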
 
Bruce Chambers

mjfmn said:
Jerry, thanks for the response. Sadly, I don't have the opportunity to get
those books (we don't even have a book store in our little town), or that
much time. The lab goes into use on Tuesday, May 17th. If someone could
just tell me what I need to do to accomplish these two tasks (going to a
restricted user at boot and / or changing the default login to a restricted
user), that would get me far enough to lock it down by the time the doors
open.

Thanks again!
Mike



HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

HOW TO Set, View, Change, or Remove File and Folder Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418

HOW TO Set, View, Change, or Remove Special Permissions for Files and
Folders
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q308419

How To Use the Group Policy Editor to Manage Local Computer Policy in
Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307882


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Guest

Nepatsfan, that was great! I got everything done in just a couple hours!
Now I can move on to other issues - like writing a Proper Usage document all
the kids have to sign!

Thanks again!

Mike
 
terry

Another possibility: look at
Doug's Windows XP Security Console -
http://www.dougknox.com/index.html
(then navigate to XP Utilities, and Doug's Windows XP Security Console)

I found this easy to use and effective in locking down 12 XP Pro
machines at our school.

Main Plus: You can separately control many permissions for different
features, for different user names. So your Admin account is untouched. There
can be multiple other users: We have STUDENT with very limited
capability. Since they can't get to any control panel or internet
settings, we can turn off download in Internet Explorer and it stays
off. (We will be adding ADV_STUDENT with a password that we'll change
often, for students needing unlimited download capabilities).

If anyone knows a way to selectively prevent download of .MP3 files
while allowing other filetypes, please let me know! (I understand that
IF we had the right support person running our firewall, it could
probably do this...)

We're in a mixed MAC/PC environment, with MAC servers, which had made
this all challenging.

Regards, Terry King ...On The Mediterranean in Carthage
 
Nepatsfan

Glad to hear you're making progress. Keep in mind that the
suggestions I passed along cover only the most basic issues
you'll need to address. Unless you want to find out how creative
the kids can be I'd suggest that you tighten your security ASAP.
You can either use the Local Group Policy or, as suggested by
Terry King, use Doug Knox's Security Console.

Good luck
 
