Re: Would like to lockdown public computer

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/07/04

  • Next message: Joe Richards [MVP]: "Re: Lock Computer withour revealing user name?" 
    Date: Thu, 07 Oct 2004 04:18:55 GMT

    First off make sure they are only regular users. Then on the root/drive
    folder make sure that uses have no more that read/list/execute permissions
    so that they can not install or copy files there. If you use the guest
    account, any changes they make to the computer profile/desktop while logged
    on will not be saved when they logoff. If you use the guest account be sure
    to disable file and print sharing or make sure that the everyone group does
    not have access to any shares for share permissions or ntfs permissions.

    If you assign regular user accounts make sure they are not owner of that
    user profile and then you can change permissions to the desktop folder in
    the profiles to have only read/list/execute permissions so that they can not
    change the desktop. Learn to use Group Policy. You can enable it on a local
    computer via Gpedit.msc and you will find a bunch of user restrictions under
    user configuration/administrative templates. Note that for local Group
    Policy that the restrictions will apply to all local users including
    administrators so be careful not to lock yourself out though you can always
    manage Group Policy remotely from another computer on the network using the
    Group Policy mmc snapin on the remote computer targeting the other computer.
    Mmc in the run box will open the Microsoft management Console.

    I don't know how computer savvy your kids are but you want to configure cmos
    settings on the computers to boot only from the hard drive and password
    protect the cmos settings as it is easy to reboot a computer from a floppy
    or cdrom to reset the built in administrator account so that the attacker
    can gain administrator access to the computer. If possible lock the computer
    cases as cmos settings can usually be reset by removing the motherboard
    battery for a minute. I am not sure about using mandatory profiles on a
    workgroup computer. I think you may be able to do it, but you have to create
    the mandatory profile on the local computer and then have the users account
    point to it as it's profile path using the local disk instead of a network
    share that would normally be used. You might find out that by configuring
    ntfs permissions on the users account profile and using Group Policy that
    you may be able to do most or all of what you want to do. For instance you
    could configure display properties to your liking and then use Group
    Policy/user configuration/administrative templates/control panel/display to
    prevent users from changing display settings. It might also be a good idea
    to make Ghost images of those computers for a quick reinstall in case they
    end up getting messed up somehow. If you are going to be giving them
    internet access, see the article in the link below on recommended minimum IE
    security settings and then disable their ability to change IE settings via
    Group Policy. --- Steve

    http://mvps.org/winhelp2002/unwanted.htm

    "Joe" <user@host.com> wrote in message
    news:6audnajVd55DE_ncRVn-pg@rogers.com...
    >I would like to make some computers available to some kids with social
    > problems and I would like to restrict their access to everything including
    > whether they can install something on the computer, whether they can
    > change
    > the wallpaper, or the local hard disk etc without using a domain. Is this
    > possible? If yes can you tell me what I'll need to learn or do to make it
    > happen?
    > Also, I would like to know if it's possible to setup something like a
    > mandatory profile on a machine without using a domain.
    > Any help would be appreciated.
    > Thanks in advance.
    >
    >

  • Next message: Joe Richards [MVP]: "Re: Lock Computer withour revealing user name?"

    Relevant Pages

    • Re: Would like to lockdown public computer
      ... If you use the guest account be ... Learn to use Group Policy. ... > protect the cmos settings as it is easy to reboot a computer from a floppy ... > the mandatory profile on the local computer and then have the users ...
      (microsoft.public.win2000.security)
    • Re: SBS control settings on PC
      ... You want to know how to create standard personal settings for all the ... you are unable to create such a profile for all ... settings by using group policy. ... Microsoft CSS Online Newsgroup Support ...
      (microsoft.public.windows.server.sbs)
    • Re: SBS control settings on PC
      ... by setting up personal settings (you can see this small popup windows at the ... minimum settings should i configure on the server using group policy? ... that is to go through to all PCs to set up default profile there. ... Microsoft CSS Online Newsgroup Support ...
      (microsoft.public.windows.server.sbs)
    • Re: activating firewall using GPO for windows XP clients
      ... Configuration Using Group Policy Settings ... A new set of Computer Configuration Group Policy Windows Firewall settings allow a network administrator to configure Windows Firewall operational modes, excepted traffic, and other settings using a Group Policy object. ... The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the network that contains the domain controllers of the organization. ...
      (microsoft.public.windows.group_policy)
    • Re: Problems configuring security for services
      ... I would think that the permissions you describe should be fine. ... thought that those permissions on the services in the Group Policy were ... you see what's wrong by looking in the Windows security Event Log. ... > settings to try to reset ...
      (microsoft.public.win2000.security)