Locking down a PC

By MC_User ·
I am setting up a dozen PCs for public access in a student union. They are intended for pure web browsing, nothing else. I will be using MS Steadystate to lock down the OS. Can anyone point me to a checklist of things I need to verify or disable or lock down?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -


by Wizard-09 In reply to Locking down a PC

GPO is what you want to configure on the work stations you have a lot you can do with the GPO so this would be your 1st step.

Keep us informed as to your progress if you require further assistance.

If you think that any of the posts that have been made by all TR Members, have solved or contributed to solving the problem, please Mark them as Helpful so that others may benefit from the outcome.

Collapse -

I thought of that first

by MC_User In reply to Local

But our current configurations via GPO is a mess. A previous support vendor made lots of customizations to a lot of profiles and allowed for a lot of security loopholes.

Bypassing that with MS SteadyState allowed the PCs to be locked down for just web browsing. They should not be able to load any applications and even if they did then then SteadyState will wipe the changes when the PC is rebooted.

Collapse -

The top 10

by Maevinn In reply to Locking down a PC

Well, not ten...

Lock out control panel, changes to the desktop, installations, trusted zones. Create ONE folder where users can save information, and lock them out of everywhere else on the machine. I'd also lock down the USB ports, CD/DVD drive...but that might not be realistic.

There's also a forum:

Collapse -

good list.... a few more...

by ---TK--- In reply to The top 10

make sure you can't ctrl+shift+esc, from there you can get the run command... well, I would lock them out of any keyboard short cuts... theres lots of them... make sure they cant get into c:\windows

I would remove the CD\DVD drive... password protect the bios, and make sure they cannot boot to a USB device.

Collapse -

Done and done

by MC_User In reply to The top 10

I set the PC's bios to disable booting from anything other than the internal SATA drive. I have a password override in case I need to get to this function. SteadyState allows for the lock down of the USB, floppy and CD/DVD drive. It also locks out of all of the other items you mentioned.

Related Discussions

Related Forums