"Locking Down" a computer lab

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello! I'm quite familiar with XP, but only in a straight-forward
environment here where I work, no real security issues. We recently
installed a 16 station computer lab for all ages, all running XP (but not
networked, just sharing internet). I've got the stations setup as user
accounts, with direct logins so they can't install their own programs. But
I've been told I should really setup some local security policies on the
machines to keep the malicious users from doing damage. Does anybody have
any suggestions of what I should be locking down? I'm vaguely familiar with
the policy editor, but that would be a good learning experience anyway.

Any and all advice is appreciated - thank you!

Mike
6 answers Last reply
More about locking down computer
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    You could do some reading.

    Windows XP Booklist

    Microsoft Windows XP Inside Out 2nd ed ISBN 0-7356-2044-X
    www.microsoft.com/mspress
    Microsoft Windows XP Professional Resource Kit 2nd ed ISBN 0-7356-1974-3
    www.microsoft.com/mspress
    Microsoft Windows Command-Line ISBN 0-7356-2038-5
    www.microsoft.com/mspress
    Windows XP Pro 2nd ed The Missing Manual ISBN 0-596-00898-8
    www.missingmanuals.com
    Windows XP in a Nutshell, 2nd Edition ISBN 0-596-00900-3 www.oreilly.com
    Windows XP Annoyances for Geeks, 2nd ed ISBN 0-596-00876-7 www.oreilly.com
    Windows XP Hacks, 2nd ed ISBN 0-596-0000918-6 www.oreilly.com
    Windows XP Solutions ISBN 0-7645-6773-X www.wiley.com/compbooks/pcmag
    Windows XP Speed Solutions ISBN 0-7645-7814-6
    www.wiley.com/compbooks/pcmag
    Guide to Home Networking ISBN 0-7645-4473-X www.wiley.com/compbooks/pcmag
    Hacking Windows XP ISBN 0-7645-6929-5 www.TweakXP.com

    Downloadable Guides

    XP Tweak Guide (TweakGuides_XPTC.zip) from www.TweakGuides.com
    Windows Registry Guide (registryguide2003.exe) from www.winguides.com
    Error Message for Windows (MSWinErr.zip) from www.gregorybraun.com

    The BIOS

    The BIOS Companion ISBN 0-9681928-0-7 www.electrocution.com
    Breaking Through The BIOS Barrier ISBN 0-13-145536-2 www.rojakpot.com

    PC Hardware in a Nutshell ISBN 0-596-00513-X www.oreilly.com
    "mjfmn" <mjfmn@discussions.microsoft.com> wrote in message
    news:50A406D8-A2FA-4732-B28B-449D124FF25B@microsoft.com...
    > Hello! I'm quite familiar with XP, but only in a straight-forward
    > environment here where I work, no real security issues. We recently
    > installed a 16 station computer lab for all ages, all running XP (but not
    > networked, just sharing internet). I've got the stations setup as user
    > accounts, with direct logins so they can't install their own programs.
    > But
    > I've been told I should really setup some local security policies on the
    > machines to keep the malicious users from doing damage. Does anybody have
    > any suggestions of what I should be locking down? I'm vaguely familiar
    > with
    > the policy editor, but that would be a good learning experience anyway.
    >
    > Any and all advice is appreciated - thank you!
    >
    > Mike
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Jerry, thanks for the quick reply. What I'm really looking for here is ideas
    of what others would "close off" to users, like Network Neighborhood,
    exploring, start menu items, etc. I've never messed with anything so open to
    the public so I'm pretty much a novice figuring out what people will do to my
    computers if I give them the chance!

    Mike

    "Jerry" wrote:

    > You could do some reading.
    >
    > Windows XP Booklist
    >
    > Microsoft Windows XP Inside Out 2nd ed ISBN 0-7356-2044-X
    > www.microsoft.com/mspress
    > Microsoft Windows XP Professional Resource Kit 2nd ed ISBN 0-7356-1974-3
    > www.microsoft.com/mspress
    > Microsoft Windows Command-Line ISBN 0-7356-2038-5
    > www.microsoft.com/mspress
    > Windows XP Pro 2nd ed The Missing Manual ISBN 0-596-00898-8
    > www.missingmanuals.com
    > Windows XP in a Nutshell, 2nd Edition ISBN 0-596-00900-3 www.oreilly.com
    > Windows XP Annoyances for Geeks, 2nd ed ISBN 0-596-00876-7 www.oreilly.com
    > Windows XP Hacks, 2nd ed ISBN 0-596-0000918-6 www.oreilly.com
    > Windows XP Solutions ISBN 0-7645-6773-X www.wiley.com/compbooks/pcmag
    > Windows XP Speed Solutions ISBN 0-7645-7814-6
    > www.wiley.com/compbooks/pcmag
    > Guide to Home Networking ISBN 0-7645-4473-X www.wiley.com/compbooks/pcmag
    > Hacking Windows XP ISBN 0-7645-6929-5 www.TweakXP.com
    >
    > Downloadable Guides
    >
    > XP Tweak Guide (TweakGuides_XPTC.zip) from www.TweakGuides.com
    > Windows Registry Guide (registryguide2003.exe) from www.winguides.com
    > Error Message for Windows (MSWinErr.zip) from www.gregorybraun.com
    >
    > The BIOS
    >
    > The BIOS Companion ISBN 0-9681928-0-7 www.electrocution.com
    > Breaking Through The BIOS Barrier ISBN 0-13-145536-2 www.rojakpot.com
    >
    > PC Hardware in a Nutshell ISBN 0-596-00513-X www.oreilly.com
    > "mjfmn" <mjfmn@discussions.microsoft.com> wrote in message
    > news:50A406D8-A2FA-4732-B28B-449D124FF25B@microsoft.com...
    > > Hello! I'm quite familiar with XP, but only in a straight-forward
    > > environment here where I work, no real security issues. We recently
    > > installed a 16 station computer lab for all ages, all running XP (but not
    > > networked, just sharing internet). I've got the stations setup as user
    > > accounts, with direct logins so they can't install their own programs.
    > > But
    > > I've been told I should really setup some local security policies on the
    > > machines to keep the malicious users from doing damage. Does anybody have
    > > any suggestions of what I should be locking down? I'm vaguely familiar
    > > with
    > > the policy editor, but that would be a good learning experience anyway.
    > >
    > > Any and all advice is appreciated - thank you!
    > >
    > > Mike
    >
    >
    >
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "mjfmn" <mjfmn@discussions.microsoft.com> wrote in message
    news:50A406D8-A2FA-4732-B28B-449D124FF25B@microsoft.com...
    > Hello! I'm quite familiar with XP, but only in a straight-forward
    > environment here where I work, no real security issues. We recently
    > installed a 16 station computer lab for all ages, all running XP (but not
    > networked, just sharing internet). I've got the stations setup as user
    > accounts, with direct logins so they can't install their own programs.
    > But
    > I've been told I should really setup some local security policies on the
    > machines to keep the malicious users from doing damage. Does anybody have
    > any suggestions of what I should be locking down? I'm vaguely familiar
    > with
    > the policy editor, but that would be a good learning experience anyway.
    >
    > Any and all advice is appreciated - thank you!
    >
    > Mike

    If they are limited users, they shouldn't be able to do much other than play
    with their own profile (and any files to which they have permissions to.)
    Locking down interface elements like the Start Menu and Desktop is usually
    done less for security reasons and more to keep a consistent configuration
    with the goal of reducing IT support costs. As a limited user, the worst
    case scenario would be that you need to delete the user's local profile and
    let it be recreated from the default -- they wouldn't be able to affect
    other users.
  4. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Hi Mike,

    How is the boot order on those boxes? Do you have the BIOS locked? Did you
    perhaps make a Ghost image of the machines before folks started trashing
    them about? Are there any privacy issues or consideration you need to look
    at?

    You can get some good ready made policies using the snaps in that are
    afforded in running MMC from the Run line.

    I have about 450 units including some laptops running Deep Freeze by
    Faronics.com in labs, classrooms and public areas. I sleep well at night
    because of it. You can get a trial version off their site, and test it
    against some of your other units, and see what shape they are in after the
    trial.

    Ron Chamberlin
    MS-MVP


    "mjfmn" <mjfmn@discussions.microsoft.com> wrote in message
    news:50A406D8-A2FA-4732-B28B-449D124FF25B@microsoft.com...
    > Hello! I'm quite familiar with XP, but only in a straight-forward
    > environment here where I work, no real security issues. We recently
    > installed a 16 station computer lab for all ages, all running XP (but not
    > networked, just sharing internet). I've got the stations setup as user
    > accounts, with direct logins so they can't install their own programs.
    > But
    > I've been told I should really setup some local security policies on the
    > machines to keep the malicious users from doing damage. Does anybody have
    > any suggestions of what I should be locking down? I'm vaguely familiar
    > with
    > the policy editor, but that would be a good learning experience anyway.
    >
    > Any and all advice is appreciated - thank you!
    >
    > Mike
  5. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    In <50A406D8-A2FA-4732-B28B-449D124FF25B@microsoft.com>, "=?Utf-8?B?bWpmbW4=?=" <mjfmn@discussions.microsoft.com> writes:
    >Hello! I'm quite familiar with XP, but only in a straight-forward
    >environment here where I work, no real security issues. We recently
    >installed a 16 station computer lab for all ages, all running XP (but not
    >networked, just sharing internet). I've got the stations setup as user
    >accounts, with direct logins so they can't install their own programs. But
    >I've been told I should really setup some local security policies on the
    >machines to keep the malicious users from doing damage. Does anybody have
    >any suggestions of what I should be locking down? I'm vaguely familiar with
    >the policy editor, but that would be a good learning experience anyway.
    >
    >Any and all advice is appreciated - thank you!


    I run a high school computer lab (this is my qualification to speak).

    I hope you installed Windows with NTFS file system and that Safe Mode is protected by a strong password. Never type your administrator password whilst users are in the room, and lock yourself in whilst doing admin work. It is easy to get distracted and leave a machine exposed.

    If you install applications in the All Users folder, then I expect that all users will be able to delete them. I install as Administrator into the Program Files folder. If legacy apps don't run for users, you can try the Compability tab in shortcut properties or assign permission to some or all of the app code.

    Download MS PowerTools TweakUI and employ it to delete the recycle bin from the user desktops.

    I tried a free lockdown product which was useless, and a commercial one (from an "internet only" corporation) which was defeated by an uneducated but streetsmart 14 yr old within 40 minutes. People have spoken well of Deep Freeze. I formed the impression that it allows users to destroy their interface, but that is rolled back on reboot. This might not be enough because my users deleted the contents of their All Programs list and I have not found a way to repopulate it.

    I employ cacls.exe to lock users out of Text to Speech, Media Player and any administrative code that I put on the hard drive.
    I uninstall Windows components Games, MSN Explorer and Windows Messenger.
    I stop and disable about half of the Windows Services.
    I place a bastion router, hosting a rule based firewall and proxy server with ACL, between the classroom network and the internet (this is corporate, not consumer, technology).
    I employ static IP to confound smuggled in laptops.

    Cumbersome to setup, but it seems to work.
  6. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Shared Computer Toolkit for Windows XP product overview
    http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx

    --
    Carey Frisch
    Microsoft MVP
    Windows XP - Shell/User
    Microsoft Newsgroups

    Get Windows XP Service Pack 2 with Advanced Security Technologies:
    http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

    -------------------------------------------------------------------------------------------

    "mjfmn" wrote:

    | Hello! I'm quite familiar with XP, but only in a straight-forward
    | environment here where I work, no real security issues. We recently
    | installed a 16 station computer lab for all ages, all running XP (but not
    | networked, just sharing internet). I've got the stations setup as user
    | accounts, with direct logins so they can't install their own programs. But
    | I've been told I should really setup some local security policies on the
    | machines to keep the malicious users from doing damage. Does anybody have
    | any suggestions of what I should be locking down? I'm vaguely familiar with
    | the policy editor, but that would be a good learning experience anyway.
    |
    | Any and all advice is appreciated - thank you!
    |
    | Mike
Ask a new question

Read More

Security Computers Windows XP