General discussion

  • #2179936

    desktop lockdown

    Locked

    by fishmarket ·

    Hello. I manage a small company IT department, 100-150 desktops. As I don’t have many resources to manage helpdesk requests I’m looking for a simplified tool to lock down certain aspects of the Windows desktop (to avoid calls to the helpdesk). I’ve used Windows policies but was wondering if there was a more streamlined, simplified way of handling this. Does anyone know of third-party tools that have this functionality OR are policies the best way to go?

    Thanks for any assistance.

    -fish

All Comments

    • #3131754

      Several questions

      by ni70 ·

      In reply to desktop lockdown

      How is your domain set up?
      Is it active directory?
      If active directory, you can use Group Policy Objects.

      Sounds like you have used Windows Policy Editor in the past, and GPOs are similar. Our organization uses NetIQ Directory and Resource Administrator for administering users & computers. NetIQ has Group Policy Administrator. But I would think Microsoft’s Group Policy Manager MMC snap-in would work just as well. I haven’t used NetIQ Group Policy Administrator, so I couldn’t offer a comparison.

    • #3117198

      NOTS-SIJBM

      by 2manycerts ·

      In reply to desktop lockdown

      “Nothing Original To Say, So I’ll Just Bash Microsoft” Thread…

      Just making a starting spot for the 4000 idiot replies about how Microsoft is the worst OS ever and Linux is the savior of Mankind.

      On a serious note–Microsoft GPO, particularly with the expanded set offered in 2k3 and the easy interface of GPMC make GPOs very easy and appropriate to use.

    • #3117195

      How about Microsoft shared computer toolkit?

      by asegu ·

      In reply to desktop lockdown

      I at first simply used software restriction policies and filesystem security, with the software restriction policies set to default:deny and exceptions for the ‘program files’, ‘all users’\’start menu’, ‘all users’\’desktop’ and ‘windows’ folders, while filesystem security denied users the ability to save there. That system effectively limited the computers to run only what was installed on the computer, and any new software had to go through me. This effectively kept computers virus free.

      The shared computer toolkit does this, but also has helped me keep desktops (background picture, screen resolution, etc) looking as it was the day I installed windows.

      Maybe one of these two could help you?

      Andrew
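The default-deny setup Andrew describes has two halves: the SRP default level must be Disallowed, and users must not be able to write into the paths that are exempted, otherwise they can drop an executable into an allowed folder and run it. The following audit script is an added example, not code from the thread; it reads the registry keys that Software Restriction Policies populate under the machine policy hive (`HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer`; a user-level SRP lives under the same path in `HKCU`) and then checks the ACLs of every Unrestricted path rule for write access by ordinary user principals. Run it elevated on a workstation that has received the policy; it changes nothing.

```powershell
# Added example (not from the thread): audit a Software Restriction Policy for
# the default-deny-plus-exceptions pattern. Read-only; run elevated on a client.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP level ids: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
$levelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $saferRoot)) {
    Write-Warning 'No Software Restriction Policy found in the machine policy hive.'
    return
}

# 1. The default rule. A missing DefaultLevel value is treated as Unrestricted.
$default = (Get-ItemProperty -Path $saferRoot -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
if ($null -eq $default) { $default = 262144 }
'Default level : {0} ({1})' -f $default, $levelName[[int]$default]
if ([int]$default -ne 0) { Write-Warning 'Default level is not Disallowed; this is not a default-deny policy.' }

# 2. Path rules. Each level has a Paths subkey; every rule is a GUID-named
#    subkey whose ItemData value holds the (possibly variable-based) path.
$rules = foreach ($level in $levelName.Keys) {
    $pathsKey = Join-Path $saferRoot "$level\Paths"
    if (Test-Path $pathsKey) {
        Get-ChildItem $pathsKey | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level = $levelName[$level]
                Path  = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData)
                Descr = $p.Description
            }
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize

# 3. Exempted (Unrestricted) paths must not be writable by ordinary users.
$userPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
$writeRights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteData, AppendData, Modify, FullControl'

foreach ($rule in $rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Path -and (Test-Path -LiteralPath $_.Path) }) {
    $acl = Get-Acl -LiteralPath $rule.Path
    $writable = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $userPrincipals -contains $_.IdentityReference.Value -and
        [int]($_.FileSystemRights -band $writeRights) -ne 0
    }
    if ($writable) {
        Write-Warning ('Allowed path ''{0}'' is writable by: {1}' -f $rule.Path, ($writable.IdentityReference.Value -join ', '))
    }
}
```

The ACL check only looks at the top of each exempted folder; a subfolder that grants users Modify (a common leftover from an installer) would not be reported, so extend the loop with `Get-ChildItem -Recurse -Directory` where the folder tree is small enough.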

    • #3117192

      Try Appsense stuff

      by iainwilkinson ·

      In reply to desktop lockdown

      I have had some good experiences with AppSense Environment Manager. It allows the user desktop to be configured in similar ways to GPO, but has a nice intuitive GUI and can apply settings and controls to non-Microsoft apps. It also has some nice additional features, such as the ability to “self heal”, i.e. ensure a process is always running, or a registry key remains unchanged – both very nice if you get infected by a worm that writes to the run key and kills the AV process.

      • #3117190

        Try Foolproof and/or CleanSlate

        by garyira ·

        In reply to Try Appsense stuff

        We use a number of different methods of protecting our workstations at the school I’m in. Depending on the operating system, I have had success with locking down the settings with a product called FoolProof (Win 98 and 2000). For XP we use GPO’s. To keep the workstations in the as-built stage we use a product called CleanSlate. I tried the MS version on XP machines in our library; it works but does not allow the flexibility of different users being locked down (just the PUBLIC user). Another product used in the NYC Department of Ed is called DeepFreeze. Similar to CleanSlate; just a matter of taste as to which is better.
        Good luck.

    • #3117183

      DeepFreeze is the answer

      by artty sie ·

      In reply to desktop lockdown

      Try deepfreeze, http://www.faronics.com. I used it to protect workstations at cybercafes, which are under a barrage of attacks from in and outside. The computer will boot clean every time.
      The pro version allows a thawed space but also the limited version can do that, just create a data partition and leave it thawed. Use PowerToys XP to move Documents and Favorites (and possibly some program folders) to the thawed space. There are others but DeepFreeze is the best!! For realtime zero day antivirus protection they have another product which works OK, Anti-Executable, but you have to leave the international settings to USA otherwise it won’t accept your admin password. All this works way easier and better and quicker than implementing complex Win security policies.

      • #3117180

        Yep, Deepfreeze will do it

        by advancewithit ·

        In reply to DeepFreeze is the answer

        I’m in agreement with asieders, Deepfreeze will do the job. You can download a free 60 day trial from the Faronics website as well.

        • #3122443

          Deep Freeze…plus

          by methatswho ·

          In reply to Yep, Deepfreeze will do it

          We use Deep freeze and it works great for most instances. Some of the laptops we use, we lock down with Fortres. Just depends on your tastes.

        • #3122221

          I second… uhhh third….uhhh forth that motion

          by r.e.c. ·

          In reply to Deep Freeze…plus

          I’ve seen Deep Freeze in action. Very impressive. You set the computer up just how you want it and then freeze it. After that you can install and run anything you want on the PC until it’s turned off. After you reboot the computer, it goes back to its original (frozen) state. Way too cool.

          The only thing close is using a live CD (such as Knoppix) but I don’t know if such a thing exists for Windows.

    • #3122498

      GPO’s :)

      by james speed ·

      In reply to desktop lockdown

      There are as many resources as there as people to reply.

      Personally I use both GPO’s and Desktop Authority (ScriptLogic) to manage my domain. There is a snap-in for working with AD, Group Policy Management from Microsoft; download it and install it on your PC. It makes things a lot easier to manage. As far as streamlining – if you have your AD really nice and clean it should be a snap to configure. If it’s a mess, then you’re going to have problems no matter what you do. Even though we spent almost 7K on Desktop Authority, I still use default Domain policy to lock down all 500 of our PC’s excepting IS dept.

      Jim Speed
      Network Administrator
      LCHCS

      • #3122480

        GPOs are good

        by sys-arch ·

        In reply to GPO’s :)

        If you manage through AD, GPOs are relatively easy. Define a single GPO, then link it to as many Active Directory OUs as you want. Anything you can set on a single computer can now be controlled centrally. No start button? no problem. Lock down desktop icons? No problem. etc. All from the comfort and convenience of your desktop.

        WARNING!!! If you aren’t already implementing these lockdowns, NOTIFY YOUR USERS that this is coming. You will get more calls about the lockdown than you will about existing problems! You might offer to work with users if they feel they have a “special case.” That will give you a chance to educate the “special users” one-on-one as to the benefits of this approach; or you may find that the user does indeed have a need to “be different.”

        GPOs can accommodate exceptions fairly easily. Simply make the GPO not apply to a specific object within an OU. (This is done through the properties of the specific user/computer object within the OU. Or you can create, within an OU, a group for “special users or computers” and make the GPO not apply to (members of) that group.)

        Been there.
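The "one GPO, many OU links, a group for the exceptions" pattern described above can be scripted with the GroupPolicy and ActiveDirectory modules that ship with RSAT. The script below is an added example, not from the thread; every GPO name, group name and OU distinguished name in it is a placeholder. It uses the allow-list form of the exception (only members of a scoping group receive the GPO, so a "special" user is exempted by leaving them out of the group) because `Set-GPPermission` writes Allow entries only; the explicit "Deny: Apply Group Policy" entry on an exception group, the form sys-arch describes, is set in GPMC under the GPO's Delegation tab, Advanced.

```powershell
# Added example (not from the thread): create one lockdown GPO, link it to
# several OUs, and scope it through a group so exceptions are just non-members.
# All names and DNs are placeholders. Requires RSAT (GroupPolicy, ActiveDirectory).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName    = 'Desktop Lockdown'                        # placeholder GPO name
$targetOUs  = 'OU=Workstations,DC=example,DC=local',    # placeholder OUs
              'OU=Laptops,DC=example,DC=local'
$applyGroup = 'Desktop-Lockdown-Apply'                  # placeholder scoping group
$groupOU    = 'OU=Groups,DC=example,DC=local'           # placeholder OU for the group

# 1. Create the GPO once; reuse it if it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Standard desktop lockdown for staff workstations'
}

# 2. The group that scopes the GPO. "Special" users and computers are simply not members.
if (-not (Get-ADGroup -Filter "Name -eq '$applyGroup'")) {
    New-ADGroup -Name $applyGroup -GroupScope Global -GroupCategory Security -Path $groupOU | Out-Null
}

# 3. Link the single GPO to every OU that should receive it (skip existing links).
foreach ($ou in $targetOUs) {
    $linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) { New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null }
}

# 4. Security filtering. Authenticated Users are reduced to Read (-Replace drops
#    their Apply right) so that every computer can still read the GPO; since the
#    June 2016 update MS16-072 user settings are read in the computer's context,
#    and removing Read entirely silently breaks them. Only the group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $applyGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Show the resulting scope so it can be reviewed before users are told the lockdown is coming.
Get-GPPermission -Name $gpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
```

On a test workstation, `gpupdate /force` followed by `gpresult /r` shows whether the GPO was applied or filtered out for the logged-on user, which is the quickest way to confirm an exception is working before the policy goes to a whole OU.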

    • #3122484

      Locking I/O access and Applications

      by p852pck ·

      In reply to desktop lockdown

      Take a look at SecureWave. They have both a product that will only allow certain apps to run and can be administered on a per-user or global basis or anything in between. True zero day, as if you get a virus, it won’t be allowed to execute. Let your AV clean it out later when they have a signature for it. Lock down for I/O is similar: let someone plug in a USB stick and if they are not allowed by the admin, they can’t read or write to it (or be allowed to read only, or write only, or both).

    • #3122460

      Policy Commander

      by arthgg ·

      In reply to desktop lockdown

    • #3122447

      Reply To: desktop lockdown

      by djameson ·

      In reply to desktop lockdown

      The first step in locking down a Windows network is removing ADMIN rights from the standard users and giving them either user or power user rights; take a remove-all then add back what they need. It is extremely easy using XP and 2k3 to do GPO; there is tons of documentation on the web on how to do it. The most important ones are IE policy and Software Restrictions.
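"Remove all, then add back what they need" only holds if you can see who still sits in the local Administrators group after the cleanup. The script below is an added example, not from the thread: it queries the local Administrators group on a list of workstations over PowerShell remoting (WinRM) and reports every member that does not match an allow-list. Computer names, the domain name and the allow-list patterns are placeholders; `Get-LocalGroupMember` needs PowerShell 5.1 or later on the targets, and the script only reads.

```powershell
# Added example (not from the thread): audit local Administrators membership
# across workstations and flag entries outside an allow-list. Read-only.

$computers = 'WS-001', 'WS-002', 'WS-003'     # placeholder; in practice from Get-ADComputer
$allowedPatterns = @(                         # placeholder allow-list, -like wildcards permitted
    '*\Administrator',                        # the built-in local account on each machine
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Workstation Admins'
)

# Collect members remotely; unreachable hosts land in $failed instead of aborting the run.
$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $_.Name              # DOMAIN\user or COMPUTER\user
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, ...
        }
    }
}

# Anything that matches no allow-list pattern is unexpected.
$unexpected = $members | Where-Object {
    $name = $_.Name
    -not ($allowedPatterns | Where-Object { $name -like $_ })
}

'Computers queried: {0}, unreachable: {1}' -f $computers.Count, $failed.Count
foreach ($e in $failed) {
    Write-Warning ('Could not query {0}: {1}' -f $e.TargetObject, $e.Exception.Message)
}

if ($unexpected) {
    Write-Warning ('{0} unexpected Administrators entries found' -f @($unexpected).Count)
    $unexpected | Sort-Object Computer, Name | Format-Table Computer, Name, ObjectClass, Source -AutoSize
} else {
    'No unexpected local administrators.'
}
```

Nested domain groups are reported as a single group entry, so a user who is an administrator only through group membership shows up as the group, not by name; check the group's members in AD separately. On some Windows builds `Get-LocalGroupMember` fails outright when the group contains an orphaned SID of a deleted domain account; `net localgroup Administrators` still lists the group in that case.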

    • #3122431

      SANS gold standard template

      by dbaman6 ·

      In reply to desktop lockdown

      In the past, SANS has worked with other organizations (CIS, NSA, etc.) to come up with a very comprehensive template to be applied to 2000 boxes called “the gold standard template”. CIS has posted a tool to help you evaluate security as well.

      http://www.cisecurity.org/bench_win2000.html

      The NSA has also made public templates on how to secure servers and I think the XP OS and XP Office suite. Search the NSA.gov site if the link is broken.

      http://www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1

      The NSA templates may be a bit harsh (like not allowing anything to run) so always test it on a separate domain for several weeks before even thinking about putting it on a live production box.

      The point is to understand each setting a template makes to the group policy. SANS, as part of the GIAC program, has public papers outlining how to secure various boxes for free reading and download that will go over the meaning of these settings.

      http://www.giac.org/certified_professionals/listing/gcwn.php

      • #3043935

        NIST templates & Securewave

        by tech supporter ·

        In reply to SANS gold standard template

        The NIST docs and templates are available for free download, as mentioned above and would make a great out-of-the-box solution if you’re running an ADS.

        Seen the Securewave App Manager and Device manager software and they offer extremely granular control via an ADS snap-in. A white list stops any unauthorised s/w from running, almost negating AV. Device management can be added to enhance security and control all I/O. Probably a little expensive for your small estate.

        You can use a modified ntuser.dat combined with policies to achieve total desktop lockdown for free. Just create a template user, install and modify all settings then copy its .dat file over to the default user, before sysprep’g then imaging the build. One build for each HAL.
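The template-user approach above works because Windows copies the Default User hive into every new profile. The script below is an added example, not from the thread; instead of copying a whole ntuser.dat from a template account, it loads the Default User hive and writes one setting into it directly, so that every profile created afterwards starts with that setting. The policy value used (hiding the Run command from the Start menu) is only an illustration; the hive path shown is for Vista and later, with the XP location noted in a comment. Run it elevated on the reference machine before sysprep.

```powershell
# Added example (not from the thread): seed a per-user setting into the Default
# User hive so new profiles inherit it. Run elevated on the reference build.

$hive  = 'C:\Users\Default\NTUSER.DAT'   # XP: C:\Documents and Settings\Default User\NTUSER.DAT
$mount = 'HKU\DefaultProfile'            # temporary mount point under HKEY_USERS

& reg.exe load $mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hive (hive in use? not elevated?)" }

try {
    # Same key a user-level GPO would write; NoRun = 1 removes the Run command.
    $key = 'Registry::HKEY_USERS\DefaultProfile\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name NoRun -PropertyType DWord -Value 1 -Force | Out-Null

    # Read it back so the change is visible before the hive is unloaded.
    'NoRun is now: {0}' -f (Get-ItemProperty -Path $key).NoRun
}
finally {
    # Drop PowerShell's handle to the key first; otherwise the unload fails with "access denied".
    [GC]::Collect()
    & reg.exe unload $mount | Out-Null
}
```

Settings seeded this way are ordinary per-user registry values, so a user (or malware running as the user) can change them later; they are a convenience layer, and the enforced copy of the same restrictions still belongs in a GPO. For Windows 7 and later, Microsoft's supported way to carry a customised profile into the image is sysprep with the CopyProfile setting in the unattend file rather than hand-copying ntuser.dat.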

    • #3122406

      desktop lockdown

      by pnewell ·

      In reply to desktop lockdown

      Check out a solution called Policy Commander from a company called New Boundary Technologies. Contains all the Microsoft, NSA and NIST templates pre-packed for quick testing and deployment. Also has an editor where you can create your own security policies. The tool will deploy one policy or a group, but the neat thing is once you lock down your PC it will never go out of compliance, because the client monitors the configuration you set and, if it gets changed in any way, the client will either alert you or, if you have the automatic function enabled, it will restore the policy without you or your help desk needing to do a thing.

    • #3122067

      Thanks for all the great suggestions

      by fishmarket ·

      In reply to desktop lockdown

      I’m currently doing a little due diligence on the many suggestions I rec’d on my post. While doing this I came across another product similar to SecureWave’s. It’s FullControl from a company called Bardon. Does anyone have any experiences with it?

      Thanks for the help.

    • #2804965

      Desktop Lockdown

      by frogmandan ·

      In reply to desktop lockdown

      I use Desktop Authority by ScriptLogic.
      It is a suite of products that can be added to for $$$. It does offer remote management and computer lockdowns. One of the features you can add is AD Mgmt.
      Thanks
