Locking down a PC

MC_User
I am setting up a dozen PCs for public access in a student union. They are intended for pure web browsing, nothing else. I will be using MS SteadyState to lock down the OS. Can anyone point me to a checklist of things I need to verify or disable or lock down?
  • +
    0 Votes
    Wizard-09

    GPO is what you want to configure on the workstations. You have a lot you can do with the GPO, so this would be your 1st step.

    Keep us informed as to your progress if you require further assistance.

    If you think that any of the posts that have been made by all TR Members, have solved or contributed to solving the problem, please Mark them as Helpful so that others may benefit from the outcome.

    +
    0 Votes
    MC_User

    But our current configuration via GPO is a mess. A previous support vendor made lots of customizations to a lot of profiles and allowed for a lot of security loopholes.

    Bypassing that with MS SteadyState allowed the PCs to be locked down for just web browsing. They should not be able to load any applications, and even if they did, then SteadyState will wipe the changes when the PC is rebooted.

    +
    1 Votes
    Maevinn

    Well, not ten...

    Lock out control panel, changes to the desktop, installations, trusted zones. Create ONE folder where users can save information, and lock them out of everywhere else on the machine. I'd also lock down the USB ports, CD/DVD drive...but that might not be realistic.

    There's also a forum: http://social.microsoft.com/forums/en-US/windowssteadystate/threads/

    +
    0 Votes
    ---TK---

    Make sure you can't Ctrl+Shift+Esc, from there you can get the run command... well, I would lock them out of any keyboard shortcuts... there's lots of them... make sure they can't get into c:\windows

    I would remove the CD\DVD drive... password protect the BIOS, and make sure they cannot boot to a USB device.

    +
    0 Votes
    MC_User

    I set the PC's BIOS to disable booting from anything other than the internal SATA drive. I have a password override in case I need to get to this function. SteadyState allows for the lock down of the USB, floppy and CD/DVD drive. It also locks out all of the other items you mentioned.
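
Added example, not part of any post in this thread: a read-only PowerShell audit of the items the replies list (Control Panel, Run command, Task Manager, USB storage, CD/DVD, writing into c:\windows). It assumes PowerShell 2.0 or later is installed and that the restrictions appear as the standard Windows policy and driver registry values; SteadyState may enforce some of them another way, so treat a REVIEW result as something to test by hand.

```powershell
# Run inside the restricted public-user session so HKCU is that profile's hive.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Standard Windows policy/driver values; Expected is the locked-down setting.
$checks = @(
    @{ Check = 'Control Panel blocked';          Path = $explorer;           Name = 'NoControlPanel'; Expected = 1 },
    @{ Check = 'Run command removed';            Path = $explorer;           Name = 'NoRun';          Expected = 1 },
    @{ Check = 'Task Manager (Ctrl+Shift+Esc)';  Path = $system;             Name = 'DisableTaskMgr'; Expected = 1 },
    @{ Check = 'USB storage driver disabled';    Path = "$services\USBSTOR"; Name = 'Start';          Expected = 4 },
    @{ Check = 'CD/DVD driver disabled';         Path = "$services\cdrom";   Name = 'Start';          Expected = 4 }
)

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$results = foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    New-Object PSObject -Property @{
        Check    = $c.Check
        Expected = $c.Expected
        Actual   = $(if ($null -eq $actual) { 'not set' } else { $actual })
        Status   = $(if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' })
    }
}

# The public user should not be able to create files in the Windows directory.
$probe = Join-Path $env:windir 'lockdown-probe.tmp'   # constructed probe file name
try {
    [IO.File]::WriteAllText($probe, 'probe')
    Remove-Item $probe -Force
    $write = 'allowed'
} catch {
    $write = 'denied'
}
$results += New-Object PSObject -Property @{
    Check    = 'Write access to %windir%'
    Expected = 'denied'
    Actual   = $write
    Status   = $(if ($write -eq 'denied') { 'OK' } else { 'REVIEW' })
}

$results | Select-Object Check, Expected, Actual, Status | Format-Table -AutoSize
```

The BIOS boot order and BIOS password mentioned in the thread are not visible from inside Windows and still have to be checked at each machine.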
