Windows Desktop Lockdown on 2000 Server Environment

  • Thread starter: Marvin

Marvin

I'm trying to lock down several workstations running
Windows XP Pro. on a Windows 2000 Server using Group
Policies. Any suggestions will help. I'm basically just
trying to have a limited desktop and specified apps
running on these workstations. Thank you for your
assistance....
 
Hello Marvin,
Locking down desktops is an extremely broad topic. It may be better to ask
if it's possible to lock down a specific app or object rather than the
entire desktop. Things to consider:
1. Locking the ability to run apps from the help menu
2. Locking down the Start Menu options
3. Locking down explorer and the command prompt
4. Preventing the install of apps. From Disk, IE, CD, etc.
5. NTFS permissions on files and directories.
6. The ability to logon to certain workstations.
7. Logon/logoff hours.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Check Group Policy user configuration/administrative templates for several options to
limit users. To limit the desktop, you may want to look into mandatory profiles which
will not allow any changes to be saved to the profile. XP Pro has Software
Restriction Policies that can be used to lock down a user's ability to install and run
software and even prevent a lot of malicious programs/scripts [.vbs and such] from
executing which is a huge improvement over W2K. I suggest that you set up a test
Organizational Unit with its own GPO to tweak your settings before rolling out. ---
Steve

http://www.microsoft.com/technet/tr...et/prodtechnol/winxppro/maintain/rstrplcy.asp
http://support.microsoft.com/?kbid=310791
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900
 
Thanks for the response Steve! I've been working with
GPO on a test OU and have made some progress. I'm still
pruning for a more direct approach to suffice my goal.
I've found that GPO works well but I'm worried about
those "Genius" who search for other ways of breaking
through that level of Windows Security. I've been
searching for desktop management software but haven't
found one. Any suggestions?
 
Thanks for the response Curtis!

I'm pretty much doing 1-7 with the exception of 6.
That's part of what I'm attempting to do but haven't made
much progress. I've been working with GPO on a test OU
and it looks promising but I'm concerned about the few
who will find a way around those policies. To be more
direct, I'm not sure if GPO can publish a custom desktop
and start menu. Any insight on that? Also, I've
stumbled upon preventing certain apps from running but
haven't found how to publish specified apps to run on a
workstation (within an OU). Other than GPO, do you have
any suggestions on Desktop Management Software? Thanks
for the insight thus far.
Marvin
 
Group Policy does hide a lot of access. You really need to be sure that NTFS
permissions are locked down to prevent a user from accessing what they should not. By
default, XP has pretty good NTFS security. You may want to remove the write
permission for the users group from the drive/root folder and leave them with
read/list/execute. Check the advanced page of the security page to check advanced
permissions also for the users group. On XP Pro, I really don't think you need an extra
program because Software Restriction Policies are very powerful and can be configured
to lock a user down like a coffin lid. I also suggest that you read the free
Microsoft XP Security Guide. --- Steve

http://www.microsoft.com/technet/tr...ecurity/prodtech/winclnt/secwinxp/default.asp
http://www.infosec.uga.edu/windows.html -- Great list of security guides.
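
A way to check the result of the NTFS change described in the reply above, as an added example that is not part of the original thread: a PowerShell function that lists the Allow entries still granting write-type rights to the Users group on a folder. It assumes PowerShell 3.0 or later is available on the machine being checked; the function name, default path and group name are hypothetical.

```powershell
# Added example (not from the thread). Function name, default path and group
# name are assumptions; the group name differs on non-English Windows.
function Get-GroupWriteAce {
    param(
        [string]$Path  = 'C:\',
        [string]$Group = 'BUILTIN\Users'
    )

    # Rights that let an account create, change or delete content, or change
    # the ACL itself. Read, list and execute rights are deliberately left out.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
        'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

    # Get-Acl can return raw generic bits that the enum has no name for.
    $genericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Group) { continue }
        if ($ace.AccessControlType -ne 'Allow')      { continue }

        $raw = [int]$ace.FileSystemRights
        if (($raw -band ($writeMask -bor $genericMask)) -eq 0) { continue }

        # One object per offending entry, with its inheritance scope.
        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceFlags
            Propagation = $ace.PropagationFlags
        }
    }
}

$findings = @(Get-GroupWriteAce -Path 'C:\')
if ($findings.Count -eq 0) {
    'No write-type Allow entries for BUILTIN\Users on C:\'
} else {
    $findings | Format-List
}
```

The Inheritance and Propagation values show whether an entry applies to the folder itself or only to its subfolders and files.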

 
Hello Marvin,
Your users will not be able to circumvent the group policy without some very
specific happenings.
i.e. they disjoin from the domain
Have the ability to edit group policy or administrative access to the domain.
Whatever you implement will remain in effect as long as they are members
of your domain.

This posting is provided "AS IS" with no warranties, and confers no rights.
 