
Win2k security question: Locking down a workstation.

TattooMatt Member Posts: 18
I have a customer that has a small Win2k peer-to-peer network. Lots of children will be using the network for educational purposes. There is no security implemented on the network currently and, as expected, the children regularly get into things they shouldn't and make a mess of things.

Ideally, I would like to use the Group Policy Editor and completely lock the workstations down to limit their ability to make any changes to the computers. Is there any way to do this so the GP won't affect an admin who logs on locally? Maybe I should use Poledit...?
How many do I have now donut lady!?!?!

Comments

  • RussS Member Posts: 2,068
    Let the kids sign on as Users and restrict them from there - Admin is in the Administrators group and has different restrictions/access rights, so it shouldn't be an issue.
    www.supercross.com
    FIM website of the year 2007
  • TattooMatt Member Posts: 18
    Well, that part of it is already in the works, but that alone won't prevent the kids from deleting desktop items and local files, will it? I mean, I've seen some of the kids type some interesting stuff in the run line. Some of them know exactly where things are.

    Also, by lots of kids I'm talking about several hundred per month. Most of the kids won't log in for more than an hour but they still manage to hose things pretty bad.
    How many do I have now donut lady!?!?!
  • HackNack Member Posts: 50
    What are the minimum privileges that the kids must have? Are they only to browse websites?
  • RussS Member Posts: 2,068
    You can lock it down as tight as you wish - read-only permissions etc. That stops most damage - of course, having an image that can be pushed down to the machines daily can make life a breeze ;)
    www.supercross.com
    FIM website of the year 2007
  • TattooMatt Member Posts: 18
    The kids' minimum permissions would be to just use and create documents using Word, PP, and Excel. They also need to be able to log into courseware to take training modules. They should never have to make any changes to the workstations aside from saving a document that they created.

    And, yes. Once I figure the best way to configure one I'll pull an image from it and push it to the others. It's much better to figure things out once than try to manually configure 10 (or more) machines and have them all the same. :D

    I almost forgot, there is no internet access. They don't need it so the company has not provided it both as a means to trim costs and eliminate other problems.
    How many do I have now donut lady!?!?!
  • Non-Profit Techie Member Posts: 418
    TattooMatt wrote:

    And, yes. Once I figure the best way to configure one I'll pull an image from it and push it to the others. It's much better to figure things out once than try to manually configure 10 (or more) machines and have them all the same. :D

    I think he meant, once you get the image perfect, you can reimage the computers every day so you don't have to worry about what they do every day to the machine.
  • RussS Member Posts: 2,068
    That's the one, Non-Profit. Actually, doing this weekly would probably solve the various issues regularly enough. A favourite is to have a ghost image on a hidden partition on the drive.
    www.supercross.com
    FIM website of the year 2007
  • TattooMatt Member Posts: 18
    Hiding an image on a partition isn't a bad idea. The main problem is that I'm stepping in to implement some security on the network within a few weeks' time. After that the employees are on their own, and they aren't the most computer-literate people I've worked with.

    If I was the one that was going to be overseeing this network on a daily basis it would be a different story.
    How many do I have now donut lady!?!?!
  • lazyart Member Posts: 483
    Any machine like this is going to need some sort of maintenance. What I have done for an internet cafe at work:

    Format a small partition and install DOS on C:. Larger partition for Windows, followed by another partition to hold the image and the ghost executable.... should only need to be 1/3 the size of the windows partition.

    Install Windows, install patches and configure, then ghost the partition into the third.

    Unhide and unlock the BOOT.INI file on C:\. You'll have to make two versions: one that boots into Windows and another to boot into DOS. It may help to let Windows (via System Properties) do this and then save copies of it. Be sure to set the countdown to 0 so there is no interference. Next you will need a batch file that swaps the boot.ini files so that the machine will go to DOS on the next restart.

    For the DOS side, you will need to create an autoexec file that will swap the boot.ini files, then launch ghost in unattended mode and restore the image. There is a switch for ghost that will reset the computer and therefore launch windows.

    Take the batch file you created for windows and make it a scheduled task for Friday evenings or Monday mornings (monday is good because you can be sure the machines are turned on).

    BOOT.INI is a hidden and system file so you will need ATTRIB to access it from DOS. It sounds more complicated than it really is, but it works like a charm.
    I'm not a complete idiot... some parts are missing.
  • TattooMatt Member Posts: 18
    lazyart wrote:

    Any machine like this is going to need some sort of maintenance. What I have done for an internet cafe at work:

    That should be exactly what I need. I'll set up a test machine in the office on Monday to get it to work. Running the reimage from the task scheduler will take most of the administration out of it for the employees. I'll just have to make sure that any files that they need are stored centrally.

    Do you know of any sources where I can read more about doing this?
    How many do I have now donut lady!?!?!
  • lazyart Member Posts: 483
    I'll fire up my testbed machine and scribble up some specific notes.
    I'm not a complete idiot... some parts are missing.
  • Non-Profit Techie Member Posts: 418
    Don't forget: imaging the machine is great, but if they don't have a network drive to map to, they will lose everything. Make 'em sign a notice that they understand this and you are not at fault.
  • rossonieri#1 Member Posts: 799
    Just give them a mandatory user profile, or just go ahead on the local GPO to not save settings on exit/restart/logoff. :D
    the More I know, that is more and More I dont know.
  • Drakonblayde Member Posts: 542
    You know, you can remove the Run command from the start menu ;)

    Honestly, I'd just lock them down to do the bare minimum necessary. GPO is great, you can take away pretty much *everything*. Hell, you can even remove their access to the explorer shell and have them boot into a window which has shortcuts *only* for what they need, and you can make the shortcuts read-only so that they can't delete them ;)

    I've done a network setup for a small health care clinic and let's just say that I'm known as the network **** by the various employees there. Their workstations can't really do crap. Most of their work isn't even done on the local workstation... the software they need to do their jobs is on the terminal server, and the shortcuts load an RDP session for just that application. Their computers might as well be thin clients.
    = Marcus Drakonblayde
    ================
    CCNP-O-Meter:
    =[0%]==[25%]==[50%]==[75%]==[100%]
    ==[X]===[X]====[ ]=====[ ]====[ ]==
    =CCNA==BSCI==BCMSN==BCRAN==CIT=
  • lazyart Member Posts: 483
    Don't know if this topic is dead or not, but I did finally come across my notes:
    Create a Win 98SE boot disk from www.bootdisk.com. Be sure to get the updated FDISK (same site) for HD >64 MB if necessary.

    Create a small primary partition for DOS, a larger partition for Windows, and a third partition for holding images.

    Format C: /s
    Copy attrib.exe from ramdisk to c:\. Add also ghost7 executable.

    Install windows to second partition using NTFS. Format 3rd partition as FAT32.

    Copy c:\boot.ini to c:\bootxp.ini (this is a hidden system file). Set the timeout to 0.
    Copy c:\bootxp.ini to bootdos.ini. Change default to c:\.
    (You might want to rename the c:\ description to "DOS" or "ReGHOST" for reference purposes.)

    Create a batch file to be invoked from Windows. This will change the attributes of boot.ini to -h -s (in that order), then copy bootdos.ini into its place. Finally, attrib +S +H for the new boot.ini. Use XP's shutdown command to instantly reboot the system:

    ---CUT HERE---

    attrib c:\boot.ini -h -s
    copy c:\bootdos.ini c:\boot.ini /y
    attrib c:\boot.ini +s +h

    shutdown -r -f -t 00
    rem restart, force all windows closed, timeout 0 seconds.


    Create a batch file to be invoked from autoexec when the system is rebooted into DOS. As above, attrib -h -s on the old boot.ini, then copy bootxp.ini into its place to boot into Windows when finished.
    Then ghost should be invoked. If Windows is installed on an NTFS partition, DOS will ignore it, so the third partition created will seem to have the same drive letter as Windows was installed to.

    Save this batch file somewhere where DOS can see it, either the first or last partition.

    ---CUT HERE---

    @echo off

    rem unlock and copy boot.ini to allow reboot to Win XP

    attrib boot.ini -h -s
    copy bootxp.ini boot.ini /y
    attrib boot.ini +s +h

    rem restore ghost image and reboot

    rem partition load from image on d:\ (first partition within image) destination drive 1, part2

    d:\ghost7 -clone,mode=pload,src=d:\basentfs.gho:1,dst=1:2 -quiet -sure -rb


    note on switches:
    clone goes into copy mode
    pload = load partition
    src = filename:1 (partition #1 within image filename)
    dst = harddisk:partition # of destination
    quiet = gui with no interaction
    sure = do not ask user before starting image (required, even with -quiet)
    -rb = reboot system when complete (which will return user to Windows after boot.ini swap)
    I'm not a complete idiot... some parts are missing.
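A more defensive version of the Windows-side swap script from the notes above, added here as an example rather than lazyart's own script: it refuses to reboot unless the replacement boot.ini was verifiably installed, so a missing or damaged bootdos.ini/bootxp.ini cannot strand the machine (on the DOS side a bad bootxp.ini would mean an endless re-ghost loop). It assumes the same layout as the notes (c:\bootxp.ini and c:\bootdos.ini on the first partition), cmd.exe on Win2k/XP, and that the shutdown.exe the notes rely on is on the path; the file name swapboot.bat and the xp/dos argument are this example's own.

```batch
@echo off
rem swapboot.bat (added example, not the notes' script)
rem Usage from Windows:  swapboot dos   (reboot into DOS and re-ghost)
rem                      swapboot xp    (put the Windows boot.ini back)
if "%1"=="" goto usage
if not exist c:\boot%1.ini goto missing

rem The file we are about to install must carry a default= line,
rem otherwise NTLDR has nothing to boot and the machine is stranded.
find /i "default=" c:\boot%1.ini > nul
if errorlevel 1 goto missing

rem Unlock the live boot.ini and replace it with the chosen variant.
attrib -r -h -s c:\boot.ini
copy c:\boot%1.ini c:\boot.ini /y
if errorlevel 1 goto failed

rem Compare the installed copy byte for byte before trusting it.
fc /b c:\boot%1.ini c:\boot.ini > nul
if errorlevel 1 goto failed
attrib +s +h c:\boot.ini

rem Only reach the reboot if every step above succeeded.
shutdown -r -f -t 00
goto end

:usage
echo usage: swapboot xp   (or)   swapboot dos
goto end

:missing
echo c:\boot%1.ini is missing or has no default= line. boot.ini left untouched.
goto end

:failed
rem boot.ini may be half written; put the Windows copy back so the box still boots.
copy c:\bootxp.ini c:\boot.ini /y
attrib +s +h c:\boot.ini
echo Swap failed. Restored bootxp.ini and did not reboot.

:end
```

Schedule it as "swapboot dos" in place of the original batch file; the DOS-side autoexec still restores bootxp.ini and reboots via ghost's -rb switch, as in the notes.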