Your clients might want to use desktop lockdown software for a variety of reasons. For example, any time a PC is publicly accessible, they would want to lock down the desktop to prevent anyone from installing unauthorized software. And if they keep sensitive information on PCs in their offices, they should place desktop lockdown software on the PCs to prevent anyone from accessing their files while they're out of the office.
Microsoft has always stood by the claim that security was a major priority in the development of Windows. But sometimes the built-in Windows security mechanisms may not be sufficient. Let's look at several desktop lockdown products that you can suggest to clients to further protect a Windows PC.
Why use desktop lockdown software?
You might be wondering why you should suggest a client spend good money to do something that Windows is already supposed to be able to do. After all, a well-written group policy should prevent anyone from accessing files or modifying the system. However, the sad fact is that it’s way too easy to get past the Windows built-in security.
For instance, I have a friend who teaches a high school computer networking class. At first, my friend tried to set up group policies and user accounts in a way that would prevent the students from accessing anything confidential or from modifying the system. However, one day a student loaded a keystroke recorder into the PC. The student then purposefully screwed up something on the system and asked the teacher for assistance. The teacher logged into the machine using the administrator account, fixed the problem, and didn’t think anymore about it. The student’s keystroke recorder had stolen the administrator password when the teacher logged in. The only reason that the student was caught was that another student reported him.
Desktop lockdown software
With so many tricky ways to get around Windows desktop security, let’s take a look at some software that goes beyond the basics.
WINSelect is a desktop lockdown utility that can be installed on Windows 9x, Me, NT 4.0, and 2000. The idea behind WINSelect is that it can disable certain features of the operating system and certain applications, such as Internet Explorer. WINSelect allows you to have 100 percent control over the Web browser and to gain control over things like menus and dialog boxes. You can also disable printing, boot menu options, the Start button, and various desktop icons, such as Network Neighborhood and My Computer. You can also disable the [Ctrl] and [Alt] keys and the right mouse button. While I think that WINSelect is fine for Windows 9x and Windows Me systems, I would avoid using it on Windows NT and Windows 2000 systems because it is unable to disable the [CTRL][ALT][DELETE] key combination in these operating systems. WINSelect is $49.
Secure PC takes a unique approach to locking down a desktop. Secure PC’s philosophy is that most of Microsoft’s built-in security mechanisms are good. The problem is that in some versions of the Windows operating system, when you block an operation, the option is simply made unavailable to the user. However, if the user knows how to get around the GUI, the user is often able to perform the “blocked” operation.
Secure PC is designed to take advantage of all of Microsoft’s built-in security mechanisms and then build on them by using behind-the-scenes techniques to disable prohibited operations rather than hide them. Secure PC also uses global security mechanisms to individually control access to both files and applications. This allows you to disable any menu option, button, etc. in any application.
Secure PC is an enterprise-class product that supports the creation of various security profiles that can be applied based on a machine’s role. The software works on Windows 9x, Me, NT 4.0, 2000, and XP clients, and on Windows NT 4.0, Windows 2000, and Novell NetWare 3.x, 4.x, and 5.x servers. Pricing starts at $99 per license.
Verified Security Lockdown
Verified Security Lock Down is a desktop lockdown tool that only works on Windows 9x and Windows Me systems. I mention it for two reasons. First, Windows 9x and Windows Me are the operating systems that are the most vulnerable to intrusion. Second, I really like this software because it has some cool monitoring capabilities built in.
This software is used not so much to control what a user has access to, but to completely lock down the PC while the user is away. The software loads as Windows starts and is password-protected. It then disables mouse movement and [CTRL][ALT][DELETE]. It also disables the Windows boot keys. This prevents someone from just booting the system into safe mode and gaining access to the system.
What I really like about the system is that it has two major modes of operation. The normal operational mode hides the desktop from view so that no one can read documents that might have been left open. It also allows you to leave a message on your screen to others and allows others to leave messages for you, kind of like an electronic note taker.
The other mode is stealth mode, which is invisible to the user. Instead of blocking a user, it records the user’s actions. That way, if you suspect someone is stealing information off your PC, this tool would allow you to catch them red-handed.
Both the normal and stealth modes have activity-logging options. Verified Security Lockdown costs $14.95 and PayPal users get a 10 percent discount. Unfortunately, Verified Security does not offer refunds and it takes 48 hours to get your software e-mailed to you.
SpyLock is designed to run on Windows 9x, Me, NT 4.0, 2000, and XP. This software offers the best of both worlds. If you are placing it on an end user’s PC, you can use the software to hide various desktop icons and Start menu items. You can also place restrictions on Internet Explorer, such as hiding various menus. You can even control whether a user is allowed to shut down the PC.
If you are using the software to lock down your own PC while you’re away, you can disable the Windows boot keys to prevent someone from booting into safe mode and disabling or bypassing the software. You can also disable various system key combinations and disable the mouse. As with Verified Security Lockdown, you can leave messages indicating you are away and when you will return, and there is an activity monitor that logs activity that occurs when you aren’t around. Like Verified Security Lockdown, SpyLock has a stealth mode. A single copy of SpyLock costs $39.95.
Dozens of desktop lockdown software packages are on the market. Not every product will work on every system or fit into every price range. Furthermore, some desktop lockdown products are better suited to certain environments than others. I've listed some of the desktop lockdown solutions available for the Windows PC. If you would like to add to the list, click on the Discussion button below and tell us about your desktop lockdown solution.