Locking down a computer



Locking down a computer in Windows XP Professional

Do the following from within the Administrator profile

1) Install XP, add one user, Public User (PU), to Workgroup Registrar-Lab

2) Set up the BIOS password so that users can't modify the BIOS settings (often the "settings" password).

3) Copy ieopen.exe into C:\

4) Add shortcuts to ieopen.exe and IExplore.exe (C:\Program Files\Internet Explorer) into the PU startup menu: C:\Documents and Settings\Public User\Start Menu\Programs\Startup

5) Download Weblocker from and load the program onto the system.

6) Add a printer as necessary.

7) Run Regedit and add a new REG_DWORD value of 0 for each of the following, under HKEY_LOCAL_MACHINE\Software\Microsoft:

a. \Windows\CurrentVersion\Explorer\Advanced, value name EnableBalloonTips

b. \Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, value name Administrator

8) Go to My Computer → Tools → Folder Options → View and click the following:

a. Show hidden files and folders (check)

b. Hide protected operating system files (uncheck)

c. Use simple file sharing (uncheck)

9) Run MMC. Add the snap-in "Group Policy". Save it as "public user". Right click on "Local Computer Policy" → Properties and check "disable computer configuration".

10) Go to My Computer → C:\Windows\System32. Right click on "Group Policy", go to Properties, then the Security tab, and deny "read" access to "Administrator". Click on "Add", type "public user" and allow full control. Click on "Add" again, add "users" and allow full control.

11) Change the picture for the Public User icon if you want: Control Panel → User Accounts.

12) Go to My Computer → Documents and Settings → Public User. Rename the file ntuser.dat to "ntuser.man" (this makes the profile mandatory, so any changes the public user makes are discarded at logoff).

13) Set whatever network settings are necessary (ip address, etc).

14) Go to Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Users → Public User. Add Administrators and Users.

15) Go to Control Panel → Performance and Maintenance → System → Remote.

a. Uncheck "allow remote assistance invitations"

b. Check "allow users to connect remotely"

Do the following from inside the PU profile:

1) Right click on the Start button → Properties → Start Menu → Customize → Advanced. Uncheck "Printers and Faxes" and "List my most recently opened documents" to remove them from the Start Menu.

2) Go to Control Panel → Performance and Maintenance → Power Options. Set "Turn off monitor" to 2 hours and "Turn off hard disks" to 3 hours.

3) Go to My Computer → C:\Windows\System32. Right click on Group Policy → Properties → Security → Advanced → Owner. Highlight "public user", check the box that says "Replace owner on subcontainers" and click OK.

4) Internet Explorer

a. You will have to register Weblocker to make the register screen go away

b. Assign the appropriate homepage in IE.

c. Right click on the tool bar and delete any icons you don't want to show (e-mail, printing, search, folders, etc).

5) Open the MMC "public user" and "enable" the appropriate features (see the Group Policy Changes sheet at the end of this document).

Go back to the Administrator's profile and do the following:

1) Run Regedit. Do a search only for "keys" and delete all references to "Outlook Express".

2) Deny permissions to specific folders by going into My Computer, right clicking on the appropriate folder → Properties → Security, and selecting "public user":

a. Documents and Settings → Public User: deny "write" access.

b. Windows → Help: deny "full control".

3) Go to Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Users → Public User. Remove Administrators and add Users.

4) Make sure that the public user can't change the password: Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Users. Double click on the public user and check the box "User cannot change password".
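The registry, profile and account steps from both Administrator passes above (steps 7 and 12 of the first pass, steps 3 and 4 of the second) can be scripted. The following is an added example, not part of the original procedure; it assumes PowerShell 2.0 has been installed on the XP SP3 machine, uses the "Public User" account name from step 1, and reflects the final group membership (Administrators removed), so run it after the PU-side steps are done and with Public User logged off.

```powershell
# Added example (not from the original checklist). Run from an Administrator
# session. Assumes PowerShell 2.0 on XP SP3 and the account name from step 1.
$pu = "Public User"
$profileDir = "C:\Documents and Settings\$pu"   # default XP profile location

# Step 7: the two REG_DWORD values of 0 under HKLM\Software\Microsoft.
$hklm = "HKLM:\Software\Microsoft"
$values = @(
    @{ Path = "$hklm\Windows\CurrentVersion\Explorer\Advanced";                     Name = "EnableBalloonTips" },
    @{ Path = "$hklm\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";  Name = "Administrator" }
)
foreach ($v in $values) {
    if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
    Set-ItemProperty -Path $v.Path -Name $v.Name -Value 0 -Type DWord
}

# Step 12: ntuser.dat -> ntuser.man makes the profile mandatory, so whatever
# the public user changes is thrown away at logoff. The file is locked while
# that user is logged on, so do this from the Administrator session only.
if (Test-Path "$profileDir\ntuser.dat") {
    Rename-Item -Path "$profileDir\ntuser.dat" -NewName "ntuser.man" -Force
}

# Second pass, steps 3 and 4: final group membership and no password changes.
# net.exe is present on every XP installation.
net localgroup Administrators $pu /delete 2>$null
net localgroup Users $pu /add 2>$null
net user $pu /passwordchg:no

# Check what actually landed, so a missed step is visible before logging off.
foreach ($v in $values) {
    "{0}\{1} = {2}" -f $v.Path, $v.Name, (Get-ItemProperty -Path $v.Path).($v.Name)
}
"ntuser.man present: " + (Test-Path "$profileDir\ntuser.man")
net user $pu | Select-String "may change password|Local Group Memberships"
```

The two registry values only take effect at the next logon, so log Public User off and on again before checking the Start Menu and the Welcome screen.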

When creating a 3rd user, not locked down as tight as the above profile, but on the same computer:

1) Create a new group, for example "public users". In all of the instructions above that refer to the "users" group, substitute "public users" instead. Delete public user from the "users" group and put it into the "public users" group instead.

2) The third user, named, for example, Peoplesoft, will still go into the "users" profile. In the Administrator profile, create the following security settings by right clicking on the listed folders and going to Properties → Security. To each of these folders add the user "peoplesoft" and apply these policies.

a. Program Files: allow only read

b. Windows: allow only read

c. Under Documents and Settings:

i. Administrator: deny full control

ii. Public User: deny full control

3) Make sure you create a password for this profile as necessary

4) If these profiles will be used cyclically and not concurrently, you can go into the Administrator's profile and disable the unused profile: Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Users. Double click on the profile to be disabled, then check the "Account is disabled" box. You can enable the profile again in this same way.

Changing Settings after the profile has been locked down:

1) You may simply need to go into My Computer → C:\Windows → System32. Right click on Group Policy → Properties → Security and check the box allowing write access to "Administrator". Make the necessary changes to gpedit.msc, then follow the same procedure above and check the box to deny write access to "Administrator". If that doesn't work, do the following.

2) In the Administrator profile, go to Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Public User → Member Of, and add Administrators.

3) Go to My Computer → C:\Windows → System32. Right click on Group Policy → Properties → Security → Advanced → Owner. Check the box that says "Replace owner on subcontainers" and make Administrator the owner by highlighting Administrator and clicking OK.

4) Run gpedit.msc, right click on Local Computer Policy → Properties and check "Disable User Configuration settings".

5) Make any changes necessary in gpedit.msc and in the appropriate profile.

6) In Administrator, run gpedit.msc again and uncheck "Disable User Configuration settings".

7) In the Public User profile, take ownership of Group Policy using the same procedure as in step 2. Then deny "read" permissions for "Administrator". You may need to go to My Computer → Tools → Folder Options → View and check "Show hidden files" to see the folder.

8) In the Administrator profile, remove Administrators from the Public User profile as in step 1.

If this doesn't work appropriately (giving no access to the public user and full access to the administrator), make sure you are giving it enough time. We were using Pentium IV with 256KB RAM and it would sometimes take 5 minutes for the changes to propagate, even after logging in and out a couple of times. If that fails, then check the following permissions by going to My Computer → C:\Windows → System32. Right click on Group Policy → Properties → Security. You will probably have to "add" them back into the security, as taking ownership deletes them.

Administrator: allow write, deny read

Public user: full control

Users: full control
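The folder permissions from step 10, from step 2 of the second Administrator pass and from the checklist just above can be applied and printed in one go. This is an added example, not part of the original document; it assumes PowerShell 2.0 on the XP SP3 box, the "Public User" account and the local "Users" group named in the procedure, and the default C:\Windows and C:\Documents and Settings paths.

```powershell
# Added example (not from the original). Run from an Administrator session.
# Assumes PowerShell 2.0 on XP SP3 and the account/group names in the procedure.
function Set-FolderRules {
    param([string]$Path, [hashtable[]]$Rules)   # each rule: @{ Id; Rights; Type }
    $acl = Get-Acl -Path $Path
    # Apply to the folder, its subfolders and files (like "Replace ... on subcontainers").
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    foreach ($r in $Rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $r.Id, $r.Rights, $inherit, "None", $r.Type
        $acl.AddAccessRule($ace)
    }
    # SetAccessControl writes only the DACL we changed and leaves the owner alone;
    # -Force is needed because the GroupPolicy folder is hidden.
    (Get-Item -Path $Path -Force).SetAccessControl($acl)
    # Return the explicit (non-inherited) entries that were just written.
    $acl.Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights
}

# Step 10 / checklist. The read deny goes last: once it is in place the
# Administrator may no longer be able to open this ACL, which is why the
# procedure has Public User take ownership afterwards.
$gp = "C:\Windows\System32\GroupPolicy"
Set-FolderRules $gp @(
    @{ Id = "Public User";   Rights = "FullControl"; Type = "Allow" },
    @{ Id = "Users";         Rights = "FullControl"; Type = "Allow" },
    @{ Id = "Administrator"; Rights = "Write";       Type = "Allow" },
    @{ Id = "Administrator"; Rights = "Read";        Type = "Deny"  }
) | Format-Table -AutoSize

# Second Administrator pass, step 2: per-folder denies for Public User.
Set-FolderRules "C:\Documents and Settings\Public User" @(
    @{ Id = "Public User"; Rights = "Write"; Type = "Deny" }
) | Format-Table -AutoSize
Set-FolderRules "C:\Windows\Help" @(
    @{ Id = "Public User"; Rights = "FullControl"; Type = "Deny" }
) | Format-Table -AutoSize
```

Deny entries win over allow entries on NTFS, so the "Users: full control" line does not give Administrator read access back through the Users group; that is the intended end state from the checklist.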

It is often useful to leave the "run" command available for use on the start menu in case you lock the system down and are not able to get back into gpedit.msc. In this case, after the system is completely locked down and tested, you can go back in and take out the run command as the final step in setting up your system. It might also be useful to put a shortcut to the "system32" folder and the "gpedit.msc" file on the desktop of the administrator.

If you get to a place where you are not able to make changes to gpedit.msc from the administrator and you can't get into gpedit.msc from the public user, go into administrator and create a new user with administrator privileges, giving them full access to gpedit.msc. Sometimes this user will be able to take ownership of the file and modify it.

Another useful tip while trying to lock down the profiles is to temporarily put a shortcut to gpedit.msc onto the desktop of the public user. Since you've blocked seeing the desktop you won't be able to see the shortcut. However, if you go into Internet Explorer → View → Explorer Bar → Search you will be able to see it. As long as public user has Administrator privilege, you will be able to modify the settings. Make sure to remove both the shortcut and the Administrator privilege after you have it all locked down.

Group Policy Changes: Applied to Computer Configuration → Administrative Templates

PRINTERS (as necessary)

|Disallow Installation of Printers |enabled |
|Web based Printer |enabled |

Group Policy Changes: Applied to User Configuration → Administrative Templates

WINDOWS COMPONENTS

INTERNET EXPLORER

|Search: Disable Search Customization |enabled |
|Search: Disable Find Files via F3 |enabled |
|Disable external branding of Internet Explorer |enabled |
|Disable importing and exporting of favorites |enabled |
|Disable changing Advanced page settings |enabled |
|Disable changing home page settings |enabled |
|Use Automatic Detection for dial-up connections |Not configured |
|Disable caching of Auto-Proxy scripts |Not configured |
|Display error message on proxy script download failure |Not configured |
|Disable changing Temporary Internet files |enabled |
|Disable changing history settings |enabled |
|Disable changing color settings |Not configured |
|Disable changing link color settings |Not configured |
|Disable changing font settings |Not configured |
|Disable changing language settings |enabled |
|Disable changing accessibility settings |enabled |
|Disable Internet Connection wizard |enabled |
|Disable changing connection settings |enabled |
|Disable changing proxy settings |enabled |
|Disable changing Automatic Configuration |enabled |
|Disable changing ratings settings |enabled |
|Disable changing certificate settings |enabled |
|Disable changing Profile Assistant settings |enabled |
|Disable AutoComplete for forms |enabled |
|Do not allow AutoComplete to save passwords |enabled |
|Disable changing Messaging settings |enabled |
|Disable changing Calendar and Contact |enabled |
|Disable the Reset Web Settings feature |enabled |
|Disable changing default browser check |enabled |
|Identity Manager: Prevent users from using |enabled |
|Configure Outlook Express |enabled |
|Configure Media Explorer Bar (Disable the Media Explorer Bar) |enabled |

BROWSER MENUS (under Internet Explorer)

|File menu: Disable Save As... menu option |enabled |
|File menu: Disable New menu option |enabled |
|File menu: Disable Open menu option |enabled |
|File menu: Disable Save As Web Page |enabled |
|File menu: Disable closing the browser |Not configured |
|View menu: Disable Source menu option |enabled |
|View menu: Disable Full Screen menu option |enabled |
|Hide Favorites menu |enabled |
|Tools menu: Disable Internet Options |enabled |
|Help menu: Remove 'Tip of the Day' |enabled |
|Help menu: Remove 'For Netscape Users' |enabled |
|Help menu: Remove 'Send Feedback' menu |enabled |
|Disable Context menu |enabled |
|Disable Open in New Window menu option |Not configured |
|Disable Save this program to disk option |enabled |

TOOLBARS (under Internet Explorer)

|Disable customizing browser toolbar buttons |enabled |
|Disable customizing browser toolbars |enabled |
|Configure toolbar buttons (check Back, Forward, Stop, Refresh, Home; and Print if appropriate) |enabled |

OFFLINE PAGES (under Internet Explorer)

|Disable adding channels |enabled |
|Disable offline page hit logging |enabled |
|Disable channel user interface completely |enabled |

WINDOWS EXPLORER

|Removes the folder options menu from the Tools menu |enabled |
|Remove file menu from Windows Explorer |enabled |
|Remove search button from Windows Explorer |enabled |
|Remove Windows Explorer's default context menu |enabled |
|Hides the Manage Items on the Windows Explorer's context menu |enabled |
|Hide these specified drives in My Computer (restrict all drives) |enabled |
|Do not move deleted files to the Recycle bin |enabled |
|Remove Shared Documents from My computer |enabled |

WINDOWS MESSENGER

|Do not allow WM to Run |enabled |

WINDOWS UPDATE

|Remove access to use of all Windows Update Features |enabled |

DESKTOP

|Hide and disable all items on the desktop |enabled |
|Remove My Documents icon on the desktop |enabled |
|Remove My Computer icon on the desktop |enabled |
|Remove Recycle Bin icon from desktop |enabled |
|Remove Properties from the My Documents context menu |enabled |
|Remove Properties from the My Computer context menu |enabled |
|Remove Properties from the Recycle Bin context menu |enabled |
|Hide My Network Places icon on desktop |enabled |
|Hide Internet Explorer icon on desktop |not configured |
|Do not add shares of recently opened documents to My Network Places |not configured |
|Prohibit user from changing My Documents path |enabled |
|Prevent adding, dragging, dropping and closing the Taskbar's toolbars |enabled |
|Prohibit adjusting desktop toolbars |enabled |
|Don't save settings at exit |enabled |
|Remove the Desktop Cleanup Wizard |not configured |

ACTIVE DESKTOP (under Desktop)

|Prohibit changing items |enabled |
|Prohibit deleting items |enabled |
|Prohibit adding items |enabled |
|Prohibit editing items |enabled |

START MENU AND TASKBAR

|Remove user's folders from the Start Menu |enabled |
|Remove links and access to Windows Update |not configured |
|Remove common program groups from Start Menu |enabled |
|Remove My Documents icon from Start Menu |enabled |
|Remove Documents menu from Start Menu |enabled |
|Remove programs on Settings menu |enabled |
|Remove Network Connections from Start Menu |enabled |
|Remove Favorites menu from Start Menu |enabled |
|Remove Search menu from Start Menu |enabled |
|Remove Help menu from Start Menu |enabled |
|Remove Run menu from Start Menu |enabled |
|Remove My Pictures icon from Start Menu |enabled |
|Remove My Music icon from Start Menu |enabled |
|Remove My Network Places icon from Start Menu |enabled |
|Add Logoff to the Start Menu |enabled |
|Remove Logoff on the Start Menu |not configured |
|Remove and prevent access to the Shut Down command |enabled |
|Remove Drag-and-drop context menus on the Start Menu |enabled |
|Prevent changes to Taskbar and Start Menu Settings |enabled |
|Remove access to the context menus for the taskbar |enabled |
|Do not keep history of recently opened documents |enabled |
|Clear history of recently opened documents on exit |enabled |
|Turn off personalized menus |enabled |
|Turn off user tracking |enabled |
|Add "Run in Separate Memory Space" check box to Run dialog box |enabled |
|Do not use the search-based method when resolving shell shortcuts |enabled |
|Do not use the tracking-based method when resolving shell shortcuts |enabled |
|Gray unavailable Windows Installer programs Start Menu shortcuts |enabled |
|Prevent grouping of taskbar items |enabled |
|Turn off notification area cleanup |enabled |
|Lock the Taskbar |enabled |
|Force classic Start Menu |not configured |
|Remove Balloon Tips on Start Menu items |enabled |
|Remove pinned programs list from the Start Menu |not configured |
|Remove frequent programs list from the Start Menu |enabled |
|Remove All Programs list from the Start menu |enabled |
|Remove and disable the Turn Off Computer button |enabled |
|Remove the "Undock PC" button from the Start Menu |enabled |
|Remove user name from Start Menu |not configured |
|Remove Clock from the system notification area |not configured |
|Hide the notification area |not configured |
|Do not display any custom toolbars in the taskbar |enabled |

CONTROL PANEL

|Prohibit access to the control panel |enabled |

PRINTERS (under Control Panel)

|Browse the network to find printers |enabled |
|Prevent addition of printers |enabled |
|Prevent deletion of printers |enabled |

OFFLINE FILES (under Network)

|Prohibit User Configuration of Offline Files |enabled |
|Remove 'Make Available Offline' |enabled |
|Prevent use of offline files folder |enabled |
|Turn Off Reminder Balloons |enabled |

CTRL+ALT+DEL OPTIONS (under System)

|Remove Task Manager |enabled |
|Remove Lock Computer |enabled |
|Remove Change Password |enabled |
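Because the "propagation" problems described earlier are hard to see from the GUI, it helps to check a sample of the sheet's "enabled" rows directly in the registry, where the XP administrative templates write them for the logged-on user. The script below is an added example, not part of the original sheet; it assumes PowerShell 2.0 on the XP box, is run while logged on as the public user (it reads HKCU), and the value names and keys are the standard ones the XP system.adm and inetres.adm templates use for these rows.

```powershell
# Added example (not from the original). Run logged on as Public User, since
# per-user policy lands in HKCU. Assumes PowerShell 2.0 on XP SP3.
$explorer = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$system   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$ieRestr  = "HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions"
$ieCpl    = "HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel"

# Sheet row -> registry value the XP .adm templates write for it.
# 1 = enabled; NoDrives is a bitmask, 0x3FFFFFF = all 26 drive letters.
$checks = @(
    @{ Row = "Remove Run menu from Start Menu";               Key = $explorer; Name = "NoRun";                  Want = 1 },
    @{ Row = "Remove and prevent access to Shut Down";        Key = $explorer; Name = "NoClose";                Want = 1 },
    @{ Row = "Prohibit access to the control panel";          Key = $explorer; Name = "NoControlPanel";         Want = 1 },
    @{ Row = "Hide and disable all items on the desktop";     Key = $explorer; Name = "NoDesktop";              Want = 1 },
    @{ Row = "Removes the folder options menu";               Key = $explorer; Name = "NoFolderOptions";        Want = 1 },
    @{ Row = "Remove Windows Explorer's default context menu"; Key = $explorer; Name = "NoViewContextMenu";     Want = 1 },
    @{ Row = "Hide these specified drives (restrict all)";    Key = $explorer; Name = "NoDrives";               Want = 0x3FFFFFF },
    @{ Row = "Do not move deleted files to the Recycle bin";  Key = $explorer; Name = "NoRecycleFiles";         Want = 1 },
    @{ Row = "Remove Search menu from Start Menu";            Key = $explorer; Name = "NoFind";                 Want = 1 },
    @{ Row = "Don't save settings at exit";                   Key = $explorer; Name = "NoSaveSettings";         Want = 1 },
    @{ Row = "Remove Task Manager";                           Key = $system;   Name = "DisableTaskMgr";         Want = 1 },
    @{ Row = "Remove Lock Computer";                          Key = $system;   Name = "DisableLockWorkstation"; Want = 1 },
    @{ Row = "Remove Change Password";                        Key = $system;   Name = "DisableChangePassword";  Want = 1 },
    @{ Row = "Tools menu: Disable Internet Options";          Key = $ieRestr;  Name = "NoBrowserOptions";       Want = 1 },
    @{ Row = "View menu: Disable Source menu option";         Key = $ieRestr;  Name = "NoViewSource";           Want = 1 },
    @{ Row = "Disable Context menu";                          Key = $ieRestr;  Name = "NoBrowserContextMenu";   Want = 1 },
    @{ Row = "Disable changing home page settings";           Key = $ieCpl;    Name = "HomePage";               Want = 1 },
    @{ Row = "Disable changing proxy settings";               Key = $ieCpl;    Name = "Proxy";                  Want = 1 },
    @{ Row = "Do not allow AutoComplete to save passwords";   Key = $ieCpl;    Name = "FormSuggest Passwords";  Want = 1 }
)

function Get-PolicyState([hashtable]$c) {
    $actual = $null
    if (Test-Path $c.Key) {
        $actual = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Name)
    }
    # MISSING: policy never arrived; WRONG: present but not the sheet's value.
    $state = "WRONG ($actual)"
    if ($actual -eq $null) { $state = "MISSING" } elseif ($actual -eq $c.Want) { $state = "ok" }
    New-Object PSObject -Property @{ Row = $c.Row; Value = $c.Name; State = $state }
}

$results = $checks | ForEach-Object { Get-PolicyState $_ }
$results | Sort-Object State | Format-Table State, Row, Value -AutoSize
"{0} of {1} checked rows in effect" -f @($results | Where-Object { $_.State -eq "ok" }).Count, $checks.Count
```

A row reported MISSING right after editing the policy usually means the refresh has not happened yet; log off and on again before treating it as a real failure.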

*******************************

Do these only when necessary

LOGON (under System)

Allow only these programs to run at user logon: iexplore.exe, bursaropen.exe, WebSafe.exe, syswb6.exe
