Recommendations for local group policy settings for Windows 7 Pro box?

So I've built a new Windows Pro 7 box for my parents, to replace their aging Win XP box.

One of the things I want to do is lock it down with local group policy, so they don't shoot themselves in the foot, however would still like to give some freedom on the box.

Right now, I'm installing software/updates, shutting off unnecessary services thanks to Black Viper.

I'm digging into the Local Group Policy, done a few searches online, however was wondering what others would recommend in order to make the box a bit more secure.

Some of the things I've already tweaked from local group policy
-renamed both guest and administrator local account
-minimum password length 8 characters
-turned on some of the auditing policies

Any other recommendations?

thanks

Find more posts tagged with

Comments

Hyper-Me

A big thing is make sure that UAC is on, and that they dont use an administrator account whiel they are just poking around on the internet or what have you.

If they insist on using one account, change the UAC settings so they have to put in their password to make any change, even if they are using an admin account.

Why are you in the red? I dont think ive seen any rude/wrong posts by you?

JockVSJock

Hyper-Me wrote: »

A big thing is make sure that UAC is on, and that they dont use an administrator account whiel they are just poking around on the internet or what have you.

Everyone is setup under either a User Account or a Guest Account.

My biggest concern is preventing software from being installed, for example, someone installed a IE7 from Myspace, because the Title Bar had Myspace written into it. I'm going to continue to look into figuring out a way that the only way software can get installed is from the Administrator account.

TheShadow

JockVSJock wrote: »

Everyone is setup under either a User Account or a Guest Account.

My biggest concern is preventing software from being installed, for example, someone installed a IE7 from Myspace, because the Title Bar had Myspace written into it. I'm going to continue to look into figuring out a way that the only way software can get installed is from the Administrator account.

That is just a registry edit many ISP's do the same thing. Don't you think you are going just a little over board? I think that if my kid did that to me he would get the system back and Dell or HP would get a call. It is not like they are tied to a domain. So they have to get your permission eveytime they install an app or game? Do you pre-program their GPS too. Being one of the old guys around here I will be insulted for them.

I would recommend that you invest in Winpatrol which will tell them when they are doing something stupid or dangerous. Also MS new be all end all security set. Let them make mistakes, isn't that how we all learn? Teach them about restore points and system backups.

Standard winpatrol is free and the plus version is around 25 dollars for a life all updates license. It requires permission for any software or functions that will change the system. I consider it one of the best kept secret utilities around. Puts a little dog on your taskbar that barks at dll's programs start up changes etc. The plus version scans in real time the standard version scans every 10 minutes. Works on all versions of windows.