Desktop Lockdown

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I'm currently running Windows 2000 Pro -- soon to be XP and shortly on a
Windows 2003 domain -- and I want to lockdown the desktops. I don't want
users to be able to install any programs -- whether by inserting a CD to
install something, or downloading some junk, like Webshots and AIM. But
ometimes, they may need to download a pdf file so I can't halt ALL downloads.

I also have a program that needs to be installed per user due to registry
settings. So, I've started installing everything under an Administrator
account and making that the Default User account to circumvent that issue. In
doing so, have I granted that user more file and registry permissions than I
should have? I don't want them to have rights beyond User -- not even Power
User.

Lastly, is there a Windows security template that would be good to use on
the domain (within Group Policy) that would give the ideal permission
restrictions I'm looking to implment?

Thanks for your thoughts and ideas...
 
Frank said:
I'm currently running Windows 2000 Pro -- soon to be XP and shortly on a
Windows 2003 domain -- and I want to lockdown the desktops. I don't want
users to be able to install any programs -- whether by inserting a CD to
install something, or downloading some junk, like Webshots and AIM. But
ometimes, they may need to download a pdf file so I can't halt ALL downloads.

I also have a program that needs to be installed per user due to registry
settings. So, I've started installing everything under an Administrator
account and making that the Default User account to circumvent that issue. In
doing so, have I granted that user more file and registry permissions than I
should have? I don't want them to have rights beyond User -- not even Power
User.
Click to expand...

By pure definition you have given them more permission than just User.
Administrator > user.
Administrator has access to everything.
Lastly, is there a Windows security template that would be good to use on
the domain (within Group Policy) that would give the ideal permission
restrictions I'm looking to implment?

Thanks for your thoughts and ideas...
Click to expand...

well, we're not sure of the exact details you need on everything in the domain or
the local machines but I'd start out with the Default Domain Policy that already
exists in the Group Policy Management console and edit it to suit your
needs(better yet, copy it and edit the copy in case you need to revert back to
the default). Then do something similar, with slightly different settings, and
apply it to your workstations (servers will need different settings from
workstations so let them fall under the auspices of the domain policy or even
create specific server policies in addition to specific workstation related
policies). Look on nsa.gov and search for security guidelines for Windows. If
you really want it locked down you can start modifying registry and FS
permissions as well as redirecting a user's desktop to a readonly location and
only giving them write access to a My Documents folder. You can also restrict
use of MSI and disable access to all the drives in the system (don't disable
access to the C drive). All that is done within group policies under the User
configuration section.

hope that helps
Brandon
 
Back
Top