Part of client-side security is locking down desktops so that end users can’t ruin a workstation’s configuration and cause you or your helpdesk staff to spend hours on repairs. However, I’ve never believed in the “network nazi” theory of administration. I think you should give end users as much freedom as possible, except in high-security environments. There are cases, though, when it’s in your best interest to limit end-user control on client machines.
The local group policy
The key vehicle for enforcing limits on local workstations is the local group policy. As the name suggests, it affects the local computer, not the overall domain. It also doesn’t directly affect the user objects. A user object can have one set of rights on one computer but be restricted by the local group policy on another computer. To modify the local computer policy, you’ll use the Local Computer Policy MMC.
To access the Local Computer Policy MMC, enter the MMC command at the Run prompt. You’ll then see the Microsoft Management Console load. Select the Add/Remove Snap In command from the Console menu. The Add/Remove Snap In properties sheet will then appear. Click the Add button on the properties sheet’s Standalone tab, and you’ll see a list of available snap ins. Select Group Policy from the list and click the Add button. You’ll see a dialog box that asks you which group policy object that you want to load. Select the default option, Local Computer, and click Finish. Click Close and OK to access the local computer policy.
Controlling the Start menu
It’s relatively easy to control which icons appear on a user’s desktop. However, even if you remove all undesirable icons, there are still a number of options on the user’s Start menu that he or she could use to harm the system. To avoid such a situation, you can customize the Start menu.
To do so, navigate through the Local Computer Policy to Local Computer Policy | User Configuration | Administrative Templates | Start Menu & Taskbar. When you select the Start Menu & Taskbar object, you’ll see several different Start Menu options appear in the column to the right, as shown in Figure A.
|By default, all of the settings are not configured.|
Since the settings are not configured, it’s up to you to enable the settings that you need. Unfortunately, I can’t discuss every setting in detail, but I’ll try to explain the most useful options. If you need a more detailed explanation of an option, you can right-click it and select Properties. Then, just take a look at the Explain tab for a detailed explanation, as shown in Figure B.
|You can get a detailed explanation of any Start Menu & Taskbar option.|
So what types of things can you do to lock down the Start menu and the taskbar? As you can see in Figure A, most of the available options are fairly self explanatory. However, as an absolute minimum, here are the options that I recommend. With each option listed below, I’ve explained why I recommend disabling it.
- Disable And Remove Links To Windows Update—Implementing this option keeps users from updating the Windows code or drivers through Windows Update.
- Remove Documents Menu From Start Menu—Users can sometimes use the Documents menu to gain access to folders that you've attempted to hide, so it’s a good idea to remove it.
- Disable Programs On Settings Menu—Disabling the programs on the Settings menu prevents users from running Control Panel, Network, and Dial Up Connections. This setting is absolutely critical to local computer security.
- Remove Network And Dial Up Connections—I recommend using this setting because you don't want users reconfiguring the network properties for their machines. While this may sound trivial, I’ve seen countless examples of users assigning static IP addresses to their machines or trying to change computers’ names.
- Remove Search Menu From Start Menu—It may sound a little paranoid to enable this option, but I wouldn’t want a curious but potentially destructive user searching my network or even their own local computer for that matter.
- Remove Run Menu From Start Menu—Removing the Run command prevents the user from running unauthorized software or executing potentially destructive commands.
- Add Logoff To Start Menu—This option prevents users from accidentally removing the Logoff command from the Start menu.
- Disable Drag And Drop Context Menus On The Start Menu—This option prevents users from changing the order or contents of the Start menu.
- Disable Changes To Taskbar And Start Menu Settings—This setting prevents the user from adding or removing menu items or manipulating the Taskbar.
Of course there are many other Start Menu & Taskbar customization options. These are just the ones that I’ve found to be the most useful for preventing users from tampering with their machines.
Protecting the desktop
You’ve probably seen how you can implement a mandatory profile in the interest of protecting a system’s desktop settings. If you’re unfamiliar with a mandatory profile, the idea behind it is that users have a specific desktop assigned to them. If a user creates or deletes icons, the desktop will return to its previous state the next time that the user logs in. If I have a user who likes to play, I highly recommend enforcing a mandatory profile. However, a mandatory profile alone isn’t enough.
I’ve seen cases in which a user has tampered with the display settings and rendered the system unusable. Perhaps they changed the display resolution to an unsupported level, or worse yet, completely changed the display adapter driver. I’ve also seen users crash the system by running an unauthorized screen saver that contained a virus or a bug. In any case, you can save yourself a lot of trouble by locking down the desktop and display.
To truly protect your desktop, you’ll have to make some changes in a variety of places. Again, the types of changes that you make will greatly depend on which features you use and on how much or how little freedom you want to give end users. Below, I’ve listed several locations in the Local Computer Policy. Beneath each section, I discuss the options I recommend and why I recommend them.
Local Computer Policy | User Configuration Administrative Templates | Desktop
- Do Not Add Shares Of Recently Opened Documents To My Network Places—You should use this option because having recently opened shares displayed in My Network Places reveals something about the structure of your network. You don’t want the user to get curious about the share structure. The idea here is out of sight, out of mind.
- Prohibit User From Changing My Documents Path—I strongly recommend enabling this option to prevent the user from looking in someone else’s My Documents folder. Even if the chance of accidentally accessing someone else’s data doesn’t exist, you don’t want the user to end up with documents scattered all over the place.
- Don’t Save Settings On Exit—Normally, when you make certain desktop related changes to Windows, it saves the changes at exit. Enabling this option disables the save.
Local Computer Policy | User Configuration | Administrative Templates | Desktop | Active Desktop
Although there aren’t really any critical settings under the Active Desktop object, it contains numerous options that are designed to prevent users from adding, removing, or editing Active Desktop objects. You can even force Windows to always enable or disable the Active Desktop.
Local Computer Policy | User Configuration | Administrative Templates | Control Panel | Display
- Disable Display In Control Panel—Use this option to prevent a user from tampering with the display settings. I recommend using the options listed below along with this option, just in case a savvy user slips past the initial block on display settings.
- Hide Appearance Tab—Using this setting will prevent the user from changing the screen resolution or the number of colors. While such operations may sound harmless, an incorrect setting can render the computer useless until an administrator resets the machine to the appropriate setting.
- Hide Settings Tab—Using this option will prevent the user from changing the display adapter type.
- Remove Screen Saver Tab From Display In Control Panel—I’ve seen some very destructive screen savers. To prevent users from installing unauthorized screen savers, use this option.
- Password Protect Screen Saver—This option can be used to control whether or not a password can be assigned to a screen saver. If multiple people use a common computer, I recommend setting this option to not allow screen saver passwords. This will prevent a user from tying up the computer with a password-protected screen saver, thus preventing others from using the system.
The Display container contains other screen saver related policies and policies that control wallpapers and backgrounds.
With so much potential for a user to mess things up on a system, you need to weigh each security measure carefully before implementing. Local Computer Policy is an ideal tool for securing your local systems. Although you may be uncomfortable with the idea of placing restrictions on your users’ desktops, sometimes you have no choice. Fortunately, using Local Computer Policy MMC can be a big help.