Sign in with
Sign up | Sign in
Your question

Would like to lockdown public computer

Last response: in Windows 2000/NT
Share
October 7, 2004 12:33:37 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I would like to make some computers available to some kids with social
problems and I would like to restrict their access to everything including
whether they can install something on the computer, whether they can change
the wallpaper, or the local hard disk etc without using a domain. Is this
possible? If yes can you tell me what I'll need to learn or do to make it
happen?
Also, I would like to know if it's possible to setup something like a
mandatory profile on a machine without using a domain.
Any help would be appreciated.
Thanks in advance.
Anonymous
October 7, 2004 8:18:55 AM

Archived from groups: microsoft.public.win2000.security (More info?)

First off make sure they are only regular users. Then on the root/drive
folder make sure that uses have no more that read/list/execute permissions
so that they can not install or copy files there. If you use the guest
account, any changes they make to the computer profile/desktop while logged
on will not be saved when they logoff. If you use the guest account be sure
to disable file and print sharing or make sure that the everyone group does
not have access to any shares for share permissions or ntfs permissions.

If you assign regular user accounts make sure they are not owner of that
user profile and then you can change permissions to the desktop folder in
the profiles to have only read/list/execute permissions so that they can not
change the desktop. Learn to use Group Policy. You can enable it on a local
computer via Gpedit.msc and you will find a bunch of user restrictions under
user configuration/administrative templates. Note that for local Group
Policy that the restrictions will apply to all local users including
administrators so be careful not to lock yourself out though you can always
manage Group Policy remotely from another computer on the network using the
Group Policy mmc snapin on the remote computer targeting the other computer.
Mmc in the run box will open the Microsoft management Console.

I don't know how computer savvy your kids are but you want to configure cmos
settings on the computers to boot only from the hard drive and password
protect the cmos settings as it is easy to reboot a computer from a floppy
or cdrom to reset the built in administrator account so that the attacker
can gain administrator access to the computer. If possible lock the computer
cases as cmos settings can usually be reset by removing the motherboard
battery for a minute. I am not sure about using mandatory profiles on a
workgroup computer. I think you may be able to do it, but you have to create
the mandatory profile on the local computer and then have the users account
point to it as it's profile path using the local disk instead of a network
share that would normally be used. You might find out that by configuring
ntfs permissions on the users account profile and using Group Policy that
you may be able to do most or all of what you want to do. For instance you
could configure display properties to your liking and then use Group
Policy/user configuration/administrative templates/control panel/display to
prevent users from changing display settings. It might also be a good idea
to make Ghost images of those computers for a quick reinstall in case they
end up getting messed up somehow. If you are going to be giving them
internet access, see the article in the link below on recommended minimum IE
security settings and then disable their ability to change IE settings via
Group Policy. --- Steve

http://mvps.org/winhelp2002/unwanted.htm


"Joe" <user@host.com> wrote in message
news:6audnajVd55DE_ncRVn-pg@rogers.com...
>I would like to make some computers available to some kids with social
> problems and I would like to restrict their access to everything including
> whether they can install something on the computer, whether they can
> change
> the wallpaper, or the local hard disk etc without using a domain. Is this
> possible? If yes can you tell me what I'll need to learn or do to make it
> happen?
> Also, I would like to know if it's possible to setup something like a
> mandatory profile on a machine without using a domain.
> Any help would be appreciated.
> Thanks in advance.
>
>
Anonymous
October 7, 2004 3:11:07 PM

Archived from groups: microsoft.public.win2000.security (More info?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe wrote:
| I would like to make some computers available to some kids with social
| problems and I would like to restrict their access to everything including
| whether they can install something on the computer, whether they can
change
| the wallpaper, or the local hard disk etc without using a domain. Is this
| possible? If yes can you tell me what I'll need to learn or do to make it
| happen?
| Also, I would like to know if it's possible to setup something like a
| mandatory profile on a machine without using a domain.
| Any help would be appreciated.
| Thanks in advance.
|
|
A friend of mine works in a college with a lot of students who like to
tinker with the machines etc. He uses a product called 'Deep Freeze' to
lock down the machines - he says it's very effective. I could put you in
touch if you like.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBZRY7qmlxlf41jHgRAkJwAJ9Hy+m0GBz/psGI5oZrccmZhRZjQQCglZGP
tg0vBKf9A8qiNYEY4ESd+mk=
=b6NX
-----END PGP SIGNATURE-----
October 8, 2004 2:07:57 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:p s39d.202135$D%.132326@attbi_s51...
> First off make sure they are only regular users. Then on the root/drive
> folder make sure that uses have no more that read/list/execute permissions
> so that they can not install or copy files there. If you use the guest
> account, any changes they make to the computer profile/desktop while
logged
> on will not be saved when they logoff. If you use the guest account be
sure
> to disable file and print sharing or make sure that the everyone group
does
> not have access to any shares for share permissions or ntfs permissions.
>
> If you assign regular user accounts make sure they are not owner of that
> user profile and then you can change permissions to the desktop folder in
> the profiles to have only read/list/execute permissions so that they can
not
> change the desktop. Learn to use Group Policy. You can enable it on a
local
> computer via Gpedit.msc and you will find a bunch of user restrictions
under
> user configuration/administrative templates. Note that for local Group
> Policy that the restrictions will apply to all local users including
> administrators so be careful not to lock yourself out though you can
always
> manage Group Policy remotely from another computer on the network using
the
> Group Policy mmc snapin on the remote computer targeting the other
computer.
> Mmc in the run box will open the Microsoft management Console.
>
> I don't know how computer savvy your kids are but you want to configure
cmos
> settings on the computers to boot only from the hard drive and password
> protect the cmos settings as it is easy to reboot a computer from a floppy
> or cdrom to reset the built in administrator account so that the attacker
> can gain administrator access to the computer. If possible lock the
computer
> cases as cmos settings can usually be reset by removing the motherboard
> battery for a minute. I am not sure about using mandatory profiles on a
> workgroup computer. I think you may be able to do it, but you have to
create
> the mandatory profile on the local computer and then have the users
account
> point to it as it's profile path using the local disk instead of a network
> share that would normally be used. You might find out that by configuring
> ntfs permissions on the users account profile and using Group Policy that
> you may be able to do most or all of what you want to do. For instance you
> could configure display properties to your liking and then use Group
> Policy/user configuration/administrative templates/control panel/display
to
> prevent users from changing display settings. It might also be a good idea
> to make Ghost images of those computers for a quick reinstall in case they
> end up getting messed up somehow. If you are going to be giving them
> internet access, see the article in the link below on recommended minimum
IE
> security settings and then disable their ability to change IE settings via
> Group Policy. --- Steve
>
> http://mvps.org/winhelp2002/unwanted.htm
>
>
> "Joe" <user@host.com> wrote in message
> news:6audnajVd55DE_ncRVn-pg@rogers.com...
> >I would like to make some computers available to some kids with social
> > problems and I would like to restrict their access to everything
including
> > whether they can install something on the computer, whether they can
> > change
> > the wallpaper, or the local hard disk etc without using a domain. Is
this
> > possible? If yes can you tell me what I'll need to learn or do to make
it
> > happen?
> > Also, I would like to know if it's possible to setup something like a
> > mandatory profile on a machine without using a domain.
> > Any help would be appreciated.
> > Thanks in advance.
> >
> >
>
>

Thanks Steven. I appreciate your help.
Cheers!
Related resources
!