id="info"

General discussion

Locked

desktop lockdown

By fishmarket ·
Hello. I manage a small company IT department 100-150 desktops. As I don't have many resources to manage helpdesk requests I'm looking for a simplified tool to lock down certain aspects of the windows desktop (to avoid calls to the helpdesk). I've used windows policies but was wondering if there was a more streamlined, simplified way of handling this. Does anyone know of thirdparty tools that have this functionality OR are policies the best way to go?

Thanks for any assistance.

-fish

This conversation is currently closed to new comments.

19 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Several questions

by NI70 In reply to desktop lockdown

How is your domain set up?
Is it active directory?
If active directory, you can use Group Policy Objects.

Sounds like you have used Windows Policy Editor in the past, and GPOs are similar. Our organization uses NetIQ Directory and Resource Administrator for administering users & computers. NetIQ has Group Policy Administrator. But I would think Microsoft's Group Policy Manager MMC snap-in would work just as well. I haven't used NetIQ Group Policy Administrator, so I couldn't offer a comparison.

Collapse -

NOTS-SIJBM

by 2MANYCERTS In reply to desktop lockdown

"Nothing Original To Say, So I'll Just Bash Microsoft" Thread...

Just making a starting spot for the 4000 idiot replies about how Microsoft is the worst OS ever and Linux is the savior of Mankind.

On a serious note--Microsoft GPO, particularly with the expanded set offered in 2k3 and the easy interface of GPMC make GPOs very easy and appropriate to use.

Collapse -

How about Microsoft shared computer toolkit?

by Asegu In reply to desktop lockdown

I at first simply used software restriction policies and filesystem security. With the software restriction policies set to default:deny and exceptions for 'program files', 'all users'\'start menu', 'all users'\'desktop' and 'windows' folders, while filesystem security denied users the ability to save there. That system effectively limited the computers to run only what was installed on the computer and for any new software would go through me. This effectively kept computers virus free.

The shared computer toolkit does this, but also has helped me keep desktops (background picture, screen resolution, etc) looking as it was the day I installed windows.

Maybe one of these two could help you?

Andrew

Collapse -

Try Appsense stuff

by iainwilkinson In reply to desktop lockdown

I have had some good experiences with AppSense Environment manager. It allows the user desktop to be configured in similar ways to GPO, but has a nice intuitive GUI and can apply setting and controls to none microsoft apps. It also has some nice additional features, such as the ability to "self heal" i.e. ensure a process is always running, or a registry key remains unchanged - both very nice if you get infected by a worm that writes to the run key and kills the AV process.

Collapse -

Try Foolproof and/or CleanSlate

by garyira In reply to Try Appsense stuff

We use an number of different methods of protecting our workstations at the school I'm in. Depending on the operating systems, I have had success with locking down the settings with a product called FoolProof (Win 98 and 2000). For XP we use GPO's. To keep the workstations in the as built stage we use a product called CleanSlate. I tried the MS version on XP machines in our library, it works but does not allow flexiblity of different users being locked down ( just the PUBLIC user ). Another product used in the NYC Department of Ed is called DeepFreeze Similar to CleanSlate, just a matter of taste as to which is better.
Good luck.

Collapse -

DeepFreeze is the answer

by Artty Sie In reply to desktop lockdown

Try deepfreeze, www.faronics.com. I used it to protect workstations at cybercafes, which are under a barrage of attacks from in and outside. The computer will boot clean every time.
The pro version allows a thawed space but also the limited version can do that, just create a data partition and leave it thawed. Use PowerToys XP to move Documents and Favorites (and possibly some program folders) to the thawed space. There are others but DeepFreeze is the best!! For realtime zero day antivirus protection they have another product which works OK, Anti-Executable, but you have to leave the international settings to USA otherwise it won't accept your admin password. All this works way easier and better and quicker than implementing complex Win security policies.

Collapse -

Yep, Deepfreeze will do it

by AdvanceWithIT In reply to DeepFreeze is the answer

I'm in agreement with asieders, Deepfreeze will do the job. You can download a free 60 day trial from the Faronics website as well.

Collapse -

Deep Freeze...plus

by Lost Cause? In reply to Yep, Deepfreeze will do i ...

We use Deep freeze and it works great for most instances. Some of the laptops we use, we lock down with Fortres. Just depends on your tastes.

Collapse -

I second... uhhh third....uhhh forth that motion

by R.E.C. In reply to Deep Freeze...plus

I've seen Deep Freeze in action.
Very impressive.
You set the computer up just how you want it and
the freeze it.
After that you can install and run anything you
want on the PC until it's turned off.
After you reboot the computer, it goes back to
it's original (frozen) state.
Way too cool.

The only thing close is using a live CD (such as
Knoppix) but I don't know if such a thing exists
for Windows.

Collapse -

GPO's :)

by James Speed In reply to desktop lockdown

There are as many resources as there as people to reply.

Personally I use both GPO's and Desktop Authority (ScriptLogic) to manage my domain. There is a snap in for working with AD, Group Policy Management from Microsoft, download it and install it on your PC. It makes things alot easier to manage. As far as streamlining - if you have your AD really nice and clean it should be a snap to configure. If its a mess, then youre going to have problems no matter what you do. Even though we spent almost 7K on Desktop Authority, I still use default Domain policy to lock down all 500 of our PC's excepting IS dept.

Jim Speed
Network Administrator
LCHCS

Back to Security Forum
19 total posts (Page 1 of 2)   01 | 02   Next

Security Forums