Configuring and Securing Multiple Computers

Guest
Hi,

I have to maintain a computer lab containing around 20-25 computers. What is the most efficient and fastest way to install the same software set on all of them, without doing it manually on each computer? All the computers are networked together.

Also, as these computers will be used publicly and mostly for LAN Gaming, I want them to be ultra-secure. I need no removable storage to be enabled on these computers, no right clicks, no system properties, and no access to all the stuff worth tweaking, no deletion of data from the drive, etc. I want it to be impenetrable for the average techie user, so a good, lightweight security solution is essential. Keep in mind that the PCs are a bit old (P4s, 512 megs of RAM, they run XP). Is cloning/imaging a good idea so that it can be restored to its previous state once it has been used? A lot of questions, hoping for some answers.

Thanks in advance.
 
My idea,

If they are all the same make/model computers, set one up, clone drive and make cloned-copies for all other machines.

Use GPedit to allow only those executables to run that you permit.

Start>run>gpedit.msc>User Configuration>Administrative templates>system>Run only allowed Windows applications>{your list here}

While you are there...
disable the command prompt
Prevent access to registry editing tools
turn off autoplay
Prevent these programs from being launched from help {your list here}

disable right-click context menu in Explorer by opening Regedit, go to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Create a new 32-bit DWORD value on the right-hand side named NoViewContextMenu with one value = 1

This setting should also be set under HKEY_LOCAL_MACHINE as well.

While you are there, many other useful things can be turned off as well, look around.

Turn off "Found new hardware" so that neat gizmo someone plugs in won't be detected by XP...

Start>Run>Services.msc>Disable the "Shell Hardware Detection" service
and if your machine acts up, re-enable and delete these two files after all hardware you want installed is completed: hdwwiz.cpl and newdev.dll. Keep them in your own computer so you can replace them later if new hardware needs to be added.

There are so many things you can do to limit changes to XP that books have been written on the subject.
The group policy editor is a powerful thing. Look around in it, you'll see many things you can prohibit or allow.



 
Guest
Thanks a lot. Any more suggestions? Also, I want to disable the task manager and other stuff. Should I do this in my Administrator account or the account of the users? How can I disable gpedit too after I finish tweaking?
 
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: DisableTaskMgr
Type: REG_DWORD
Value: 1 = Enable this key, that is, DISABLE TaskManager
Value: 0 = Disable this key, that is, Don't Disable, Enable TaskManager

You can disable lots of things in this 'key' area, just get their name and do like above for each that you want to disable. Most names are the executable programs, leave out the exe extension in the name here.

You can simply delete gpedit.msc.
Whatever Windows components you delete in windows/system32 must also be deleted in the dll cache or they will be replaced automatically.

Edit: You'll want to disable or delete SFC.exe too, or someone will be able to restore all the deleted sys32 items later. Autoplay must be disabled on CD drives or an autorun program can be launched to tweak/restore items you prohibited. Make sure the command prompt is disabled. And of course, go to disk cleanup and delete all system restore points but the last one (required to be there) and then turn off system restore in services before you disable access and control to services. Killing "manage" in "My Computer" (by right-clicking) removes a lot of tampering power.
 
Thanks a lot. Any more suggestions? Also, I want to disable the task manager and other stuff. Should I do this in my Administrator account or the account of the users? How can I disable gpedit too after I finish tweaking?
I'd lock it down in the registry the most because you can export those critical keys prior to locking it down so you have a fast and easy way to unlock it later. Export locked-down keys also so you can re-lock it again when changes you want to make are done. This way an administrator has very little more power to make a change than a guest. If you use an editor (like Notepad) properly, you can paste-in your various reg keys to make a single file to restore your control and another to re-block the machine. 3 clicks and the changes are done, either way.

Google items you are interested in, such as blocking certain keyboard keys like, the Del key doesn't really need to work does it? When it won't work Alt-Ctrl-Del won't work anymore either as a side effect. :)
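
The lock/unlock .reg file pair described in the reply above, as an added example that is not part of the original thread: it builds both files from one policy table and checks a registry export for drift. NoViewContextMenu and DisableTaskMgr are the values named in the thread; NoDriveTypeAutoRun (the value behind the autoplay policy), the helper names and the sample export are assumptions introduced here.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
EXPLORER, SYSTEM = POL + r"\Explorer", POL + r"\System"

# One table drives both files. The first two values are named in the thread;
# NoDriveTypeAutoRun=0xFF (autoplay off on all drive types) is an assumption.
POLICIES = [
    (EXPLORER, "NoViewContextMenu", 1),
    (SYSTEM, "DisableTaskMgr", 1),
    (EXPLORER, "NoDriveTypeAutoRun", 0xFF),
]

def build_reg(policies, lock=True):
    """Return .reg text that sets (lock) or deletes (unlock) each value."""
    by_key = {}
    for key, name, data in policies:
        # '"Name"=-' deletes the value, restoring the Windows default.
        line = f'"{name}"=dword:{data:08x}' if lock else f'"{name}"=-'
        by_key.setdefault(key, []).append(line)
    parts = [HEADER]
    for key, lines in by_key.items():
        parts += ["", f"[{key}]", *lines]
    return "\r\n".join(parts) + "\r\n"

def parse_reg(text):
    """Parse .reg text into {(key, name): int} for DWORD values only.
    regedit exports are UTF-16; decode the file before passing it in."""
    found, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry paths are case-insensitive
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and key:
            found[(key, m.group(1).lower())] = int(m.group(2), 16)
    return found

def audit(export_text, policies):
    """Return (name, found, wanted) for each policy missing or changed."""
    found = parse_reg(export_text)
    return [(name, found.get((key.lower(), name.lower())), want)
            for key, name, want in policies
            if found.get((key.lower(), name.lower())) != want]

# Constructed sample: Task Manager re-enabled, autoplay value never set.
SAMPLE_EXPORT = (f'{HEADER}\n\n[{EXPLORER}]\n"NoViewContextMenu"=dword:00000001\n'
                 f'\n[{SYSTEM}]\n"DisableTaskMgr"=dword:00000000\n')

if __name__ == "__main__":
    print(build_reg(POLICIES), build_reg(POLICIES, lock=False), sep="\n")
    print(audit(SAMPLE_EXPORT, POLICIES))
```

Because the values live under HKEY_CURRENT_USER, the export to audit has to be taken while logged on as the restricted account, not as the administrator.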
 
Guest
Thanks. Very informative replies. I'll try them out :).
P.S: Err...Is there any app which can let me do this instead of doing it from the registry?
 
Policy Editor should be able to set any user restrictions that you can set manually in the registry.

As for your question about installing software on multiple computers: without a dedicated management program like SMS or LANdesk it's not too easy, but it can be set up to be more efficient. Many (well, that depends on the type of program) programs have a "silent" setup switch you can use when installing; you need to check into each program though. You can also use re-packaging software like Wise to re-build an application into a build you can roll out that way, along with any custom settings. That takes a bit of work though, and will involve some money spent, as I have not run across a free re-packager that works well.

You can also set up a share with the installation files, and remote into each of the computers from one to install the program, saving some time hopping from place to place.