1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Windows Securing XP against schoolkids?

Discussion in 'Tech Support' started by johnmalc, 15 May 2010.

  1. johnmalc

    johnmalc That shouldn't happen....

    Joined:
    7 Jul 2007
    Posts:
    51
    Likes Received:
    1
    I've been asked by the head of the local junior school to come in and sort out the computers. Most of them are PIII spec, SDRAM, running an assortment of Win 95/98/2000 (17 of them donated by a philanthropic local about 10 years ago).They have never been maintained and are a mess.The headmaster wants them internet enabled, so an upgrade to XP is a must. I'll be donating some licences and beg/borrowing/stealing others as here in southern Greece there are zero funds available for this sort of thing, my labour will also be donated.....

    Whilst I am fine with the hardware/software/networking side of this, the thing I am seeking advice on is: how to lock them down? Most of my customers couldn't hack open a tin of beans, but there are some tech savvy 10 year olds out there who won't hesitate to get admin rights and do what they want with it.... I do NOT want to be outsmarted by a kid, nor do I want to be administering a botnet. Bear in mind this will be XP home, not the easiest OS to secure, so would the IT pros out there give me the benefit of their experience.

    Things on my list so far:

    BIOS locked, so no booting from CD or USB.
    Limited accounts
    No access to any administative tasks whatsoever
    Torx screws securing the case covers, some also have padlock tags.
    Err, that's about it actually, never really had to do something on this scale before, so suggestions please.

    Additional: I plan to connect them wirelessly to the internet.
     
  2. SuicideNeil

    SuicideNeil What's a Dremel?

    Joined:
    17 Aug 2009
    Posts:
    5,983
    Likes Received:
    345
    When I was school, the PCs were actually pretty much as you plan to do- locked bios so you couldnt go into there and alter anything ( required a password ), and we had limited user accounts that only allowed us accress to basic programmes and features such as word and picture editing software etc. We could go into the control panel & alter the screensaver, but that was about it- all the 'tastey' folders in the programme menus and win32 etc were thoroughly locked down to prevent anyone adding or deleting anything dodgy/ important.


    We also didnt have access to the recycle bin, so if anyone deleted something the computer tech would have to retrieve it for us and restore it to out account from a central computer in a safe office- you could have that on the teachers desk or a cuboard etc with restricted access.


    Seemed like all the PCs were networked in a manner that ment you could log onto your user account from anyone, sharing a single printer and scanner. Im not a networking guy though so I'll let you figure that part out :p

    I'd make sure the wireless network is secured to prevent hackers or leechers obviously, and bolt down and spherials like that too.

    I dunno if the microsoft website will have any more useful info or software perhaps, but I think your basic plan seems fine- Im sure if you missed anything then the little oiks will soon show you, one way or another :lol:
     
  3. d3m0n_edge

    d3m0n_edge Lost Is Your Soul

    Joined:
    11 Oct 2009
    Posts:
    50
    Likes Received:
    0
    Use one PC for a domain controller, maybe another for an ADC or even a print server and the rest of the PCs as workstations. User accounts can only be modified by an administrator on the domain controller.
     
  4. johnmalc

    johnmalc That shouldn't happen....

    Joined:
    7 Jul 2007
    Posts:
    51
    Likes Received:
    1
    Thanks for the replies, interesting.

    @SuicideNeil
    Like the idea of the kids being able to log on to their own account from any PC, no idea how to do it yet....

    d3mon_edge
    Didn't think XP Home could join a domain, but seems like the ways to do it are all built into the system, nice.
     
  5. Andersen

    Andersen I'm fine. I'M FINE! *banshee howl*

    Joined:
    25 Nov 2002
    Posts:
    1,282
    Likes Received:
    484
    First get a real server and a beefy UPS for it. Cheap homebrew stuff is not enough in this case.

    Build yourself a lab. Not really expensive, you'll a lisence for Win03 and XP Pro (heck, you could install both XP machines using the same key for testing purposes).

    Get VMWare Server 2 (free, requires registration). Grab a copy of Win03 Server and two XP Pro lisences. Install Win03 on one virtual machine and XPs on another two. Then add the domain controller role on Win03 and plop the XP machines on domain.

    Now you gotta start playing around with group policies which is the fun part. Make backups of the virtual machines and unleash hell in GPEDIT.MSC on the server. :D

    I'd say update to XP Pro atleast, home versions are a bit iffy on domain.
     
  6. Edge102030

    Edge102030 Son, i am disappoint.

    Joined:
    21 Aug 2009
    Posts:
    568
    Likes Received:
    28
    Did you miss the part where he said it was basicly just donated/begged/stolen stuff he was using in terms of hardware and software?

    Anyway, the BIOS password is very easy, just enter the BIOS and it should be on the first screen for password, for the non usb/cd boot then you need to enter the booting menu and change it so that you can't boot in from usb/cd. Simply remove the disk drive from the boot priorities, if usb boot isn't listed then no worries because that motherboard doesn't support usb booting.
     
  7. unknowngamer

    unknowngamer here

    Joined:
    3 Apr 2009
    Posts:
    1,200
    Likes Received:
    98
    + for a server with Actvie directory, sorts out all your setup problems.
    Might be worth trying to get a deal from microsoft.
    Explain your situation, the worse you get is a No.

    For internet access, I use Censornet. Also has built in firewall.

    Pick any old machine and use a second netowrk card.

    All trafic goes through it. And the internet is made safe.

    uses Word filter, address filter an intenet IP filter. So words, Word combinations or web address are blocked.

    Also allows for acces profiles.
    So some users only get "the white list" so only 10 or so EDUCATIONAL sites are available.
    Standard filtered so bad words/adresses are blocked.
    Denied: No internet access.
    Unfiltered (for staff)

    It's a very robust system.
    At also keeps a log of all internet use by users and where they went.

    If you get told "Pupil A was on a bad site, I ddin't get the address, he shut the window" you can get the details from the log.


    It's easy to setup.
    Workes on machine MAC address which the system will search for.
    And username and password.
     
  8. saspro

    saspro IT monkey

    Joined:
    23 Apr 2009
    Posts:
    9,610
    Likes Received:
    401
    School licences for MS software is dirt cheap so I'd go for a full AD network.

    You might want to install Microsoft Steady State on the PC's as well, that way they can do what they like but it's all rolled back with a reboot.
     
  9. bestseany

    bestseany What's a Dremel?

    Joined:
    2 Jul 2009
    Posts:
    448
    Likes Received:
    6
    The only real way to properly lock the computers down is through group policy on a Windows Server network. However, you can't do that unless the workstations are XP Pro.

    BIOS password protection and non-local-admin accounts for the users too. I'd also be disabling the USB controllers in the BIOS to prevent pen drives being used, assuming they're not using USB keyboards and mice of course! Some sort of web filtering is a must in a school really, such as ISA or an alternative.
     
  10. Phalanx

    Phalanx Needs more dragons and stuff.

    Joined:
    28 Apr 2010
    Posts:
    3,712
    Likes Received:
    156
    Could always approach Microsoft and see if they'll sponsor the build :) You never know. I've heard of a few places who got funding like that.
     
  11. johnmalc

    johnmalc That shouldn't happen....

    Joined:
    7 Jul 2007
    Posts:
    51
    Likes Received:
    1
    Really appreciate the replies, am investigating all, especially re MS for licenses for Pro, Home just cannot be locked down! Maybe the guys at MS have read of the problems here in Greece (trust me, it's bad) and will be feeling charitable.

    Again, many thanks.
     
  12. ianajones25

    ianajones25 What's a Dremel?

    Joined:
    19 May 2010
    Posts:
    20
    Likes Received:
    1
    At our college we use a program called Deep Freeze by Faronics which restores local files to a previous state when rebooted.

    Another handy programme for rolling out an image on multiple machines is Acronis. You can often find free versions of it on magazine CDs. 'm sure i've got one you can have.

    If using VMWare you could even put extra servers on there such as the file server then migrate them off once more hardware becomes available.

    For part of our network we use IPCop which is a free linux distro. It works pretty well but luckily MS gave us a free copy of their Threat Management Gateway 2010 for free so you could try blagging that off them.
     
  13. Andersen

    Andersen I'm fine. I'M FINE! *banshee howl*

    Joined:
    25 Nov 2002
    Posts:
    1,282
    Likes Received:
    484
    I have an old rackmount Proliant in my kitchen collecting dust. Both Fedex and UPS want about 200 euros to ship it from finland to greece. Its not exactly fast by today's standards (866Mhz Xeon) but should get the job done as a DC running Win03Srv. I'd limit the roles to AD, DHCP, DNS, file server for administration/staff and whatever other roles those require.

    Photo #1 and photo #2. Those nasty marks on tape drive were not made by me. Previous owner got a bit too happy with a screwdriver. I managed to remove the tape gently by following manufacturer's instructions.

    Most likely the drive is toasted as it makes a nasty grinding sound every now and then. The rest works as it should as I never had any other hw related problem. Specs: 866Mhz Xeon (dual socket, one free), 640MB, 2x9,1GB RAID1, 4x36GB RAID5, Ubuntu 9.10 Server atm for testing.

    johnmalc: PM me if interested. Server itself is free but you get to pay the shipping.

    Brainfart, sorry.

    Quite good idea as VMWare Server is free. Though it does require a boatload of memory and a beefy CPU or two.

    Check the lisence first. Might be free for home use but not for business or education. Also in this case I'd sysprep and image each machine individually (except if there are two or more identical computers, then one image for those is enough).
     
    Last edited: 20 May 2010
  14. Guinevere

    Guinevere Mega Mom

    Joined:
    8 May 2010
    Posts:
    2,484
    Likes Received:
    176
    You've got a mixed bag of old hardware and very limited funds. If you don't have experience of setting up domain controllers etc then I would seriously stay away from that. You'll only open up a can of worms if your one machine running the domain controller goes down (and it will).

    How about a totally different approach...

    Do you really need XP? If all you need is internet and basic apps, how about running a flavour of linux? You could use a live boot CD so you wouldn't even have to install the OS on each machine, just get them booting from the CD in the draw... and you'll bash up a lock for each CD drawer so that only you can change the boot disc.

    Oh I do like a good wild card idea
     
  15. Bluespider

    Bluespider What's a Dremel?

    Joined:
    21 May 2010
    Posts:
    3
    Likes Received:
    0
    O.k. this is a fudge... it definately works in pro and with the additions added below *should* work in home...


    ***Remember to create both an admin account and a usetr account. the changes below will be applied to the user account.

    Windows XP Home does not include GPEDIT; XP Home users can apparently run this program if they have access to files from an XP Pro (or possibly Win 2000?) installation, by doing the following:

    * Copy the files gpedit.dll and fde.dll from \WINDOWS\System32 on the XP Pro machine to \WINDOWS\System32 on the XP Home machine.
    * From a command prompt issue the following commands on the XP Home machine: regsvr32 C:\WINDOWS\System32\gpedit.dll

    * regsvr32 C:\WINDOWS\System32\fde.dll Open the Microsoft Management Console (mmc.exe) and select File->Add/Remove Snap-in... Then click Add. Select the Group Policy snap-in from the list of installed snap ins.

    You can now edit the Group Policy on the local machine. But XP Home doesn't support the same feature set as XP Pro, so the policies you are looking for might be missing.

    Folder Restrictions

    The below process was used for restricting both the “WWW” user and Administrator:

    • Deny read permissions to c:\windows\system32\grouppolicy folder for
    the “administrator” account
    • Remove all shortcuts under c:\docs and settings\all users (desktop and start menu)
    and place into c:\document and settings\ Administrator
    • Add in the following shortcuts under c:\docs and settings\internet user\start
    menu\programs:

    Accessories folder: IE, calculator, tour XP, media player and messenger
    Games folder: free-cell, hearts, minesweeper, pinball, solitaire and spider solitaire
    Start-up folder: leave empty

    Local Policy Settings


    When applying the local policy settings one by one it will happen with immediate effect to any user account with read permissions to the c:\windows\system32\group policy folder (all accounts by default). It is wise to apply the group policy to the subfolders in the order shown below. The last two folders are particularly powerful and may find that you cannot apply other settings as your environment is tied down too much. If you do find you need to modify the policy settings and it is restricted too much, you will need to insert a windows XP CD. Conduct a repair and delete the gpt.ini file. This will allow you to log back in and open up gpedit.msc without any restrictions. Regrettably in XP local group policies can’t be imported from text file so you will have to go through this list manually changing the settings



    Internet Explorer

    Search: Disable Search Customization not configured
    Search: Disable Find Files via F3 within the browser not configured
    Disable external branding of Internet Explorer enabled
    Disable importing and exporting of favorites enabled
    Disable changing advanced page settings enabled
    Disable changing home page settings not configured
    Use Automatic Detection for dial-up connections not configured
    Disable caching of Auto-Proxy scripts not configured
    Display error message on proxy script download failure not configured
    Disable changing Temporary Internet files settings not configured
    Disable changing history settings not configured
    Disable changing color settings not configured
    Disable changing link color settings not configured
    Disable changing font settings not configured
    Disable changing language settings not configured
    Disable changing accessibility settings not configured
    Disable Internet Connection wizard not configured
    Disable changing connection settings not configured
    Disable changing proxy settings not configured
    Disable changing Automatic Configuration settings not configured
    Turn off pop-up management not configured
    Pop-up allow list not configured
    Disable changing ratings settings not configured
    Disable changing certificate settings not configured
    Disable changing Profile Assistant settings not configured
    Disable AutoComplete for forms enabled
    Do not allow AutoComplete to save passwords enabled
    Disable changing Messaging settings not configured
    Disable changing Calendar and Contact settings not configured
    Disable the Reset Web Settings feature not configured
    Disable changing default browser check enabled
    Turn off Crash Detection enabled
    Do not allow users to enable or disable add-ons not configured
    Identity Manager: Prevent users from using Identities not configured
    Configure Outlook Express disabled

    Internet control panel

    Disable the General page enabled
    Disable the Security page enabled
    Disable the Content page enabled
    Disable the Connections page enabled
    Disable the Programs page enabled
    Disable the Privacy page enabled
    Disable the Advanced page enabled

    Browser menus

    ile menu: Disable Save As menu option enabled
    File menu: Disable new menu option enabled
    File menu: Disable Open menu option enabled
    File menu: Disable Save as Web Page Complete enabled
    File menu: Disable closing the browser and Explorer windows not configured
    View menu: Disable Source menu option enabled
    View menu: Disable Full Screen menu option enabled
    Hide Favorites menu not configured
    Tools menu: Disable Internet Options... menu option enabled
    Help menu: Remove 'Tip of the Day' menu option enabled
    Help menu: Remove 'For Netscape Users' menu option enabled
    Help menu: Remove 'Tour' menu option enabled
    Help menu: Remove 'Send Feedback' menu option enabled
    Disable Context menu enabled
    Disable Open in New Window menu option not configured
    Disable Save this program to disk option enabled

    Toolbars

    Disable customizing browser toolbar buttons enabled
    Disable customizing browser toolbars enabled
    Configure Toolbar Buttons disabled

    Desktop

    Hide and disable all items on the desktop enabled
    Remove My Documents icon on the desktop not configured
    Remove My Computer icon on the desktop not configured
    Remove Recycle Bin icon from desktop not configured
    Remove Properties from the My Documents context menu not configured
    Remove Properties from the My Computer context menu not configured
    Remove Properties from the Recycle Bin context menu not configured
    Hide My Network Places icon on desktop not configured
    Hide Internet Explorer icon on desktop not configured
    Do not add shares of recently opened documents to
    My Network Places not configured
    Prohibit user from changing My Documents path enabled
    Prevent adding, dragging, dropping and closing the
    Taskbar's toolbars enabled
    Prohibit adjusting desktop toolbars enabled
    Don't save settings at exit not configured
    Remove the Desktop Cleanup Wizard not configured

    Control panel

    Prohibit access to the Control Panel enabled
    Hide specified Control Panel applets not configured
    Show only specified Control Panel applets not configured
    Force classic Control Panel Style not configured

    Display

    Prevent changing wallpaper enabled

    Printers

    Browse a common web site to find printers not configured
    Browse the network to find printers not configured
    Default Active Directory path when searching for printers not configured
    Point and Print Restrictions not configured
    Prevent addition of printers enabled
    Prevent deletion of printers not configured
    Control-alt-del

    Remove Task Manager not configured
    Remove Lock Computer enabled
    Remove Change Password enabled
    Remove Logoff not configured

    System

    Don't display the Getting Started welcome screen at logon enabled
    Century interpretation for Year 2000 not configured
    Configure driver search locations not configured
    Code signing for device drivers not configured
    Custom user interface not configured
    Prevent access to the command prompt enabled
    Prevent access to registry editing tools enabled
    Run only allowed Windows applications not configured
    Don't run specified Windows applications not configured
    Turn off auto-play not configured
    Restrict these programs from being launched from Help not configured
    Download missing COM components not configured
    Windows Automatic Updates not configured
    Turn off Windows Update device driver search prompt not configured

    Start menu and taskbar

    Remove user's folders from the Start Menu not configured
    Remove links and access to Windows Update enabled
    Remove common program groups from Start Menu not configured
    Remove My Documents icon from Start Menu enabled
    Remove Documents menu from Start Menu enabled
    Remove programs on Settings menu enabled
    Remove Network Connections from Start Menu enabled
    Remove Favorites menu from Start Menu enabled
    Remove Search menu from Start Menu enabled
    Remove Help menu from Start Menu not configured
    Remove Run menu from Start Menu enabled
    Remove My Pictures icon from Start Menu enabled
    Remove My Music icon from Start Menu enabled
    Remove My Network Places icon from Start Menu enabled
    Add Logoff to the Start Menu not configured
    Remove Logoff on the Start Menu not configured
    Remove and prevent access to the Shut Down command enabled
    Remove Drag-and-drop context menus on the Start Menu enabled
    Prevent changes to Taskbar and Start Menu Settings enabled
    Remove access to the context menus for the taskbar enabled
    Do not keep history of recently opened documents enabled
    Clear history of recently opened documents on exit not configured
    Turn off personalized menus not configured
    Turn off user tracking not configured
    Add "Run in Separate Memory Space" check box to
    Run dialog box not configured
    Do not use the search-based method when resolving
    shell shortcuts not configured
    Do not use the tracking-based method when resolving
    shell shortcuts not configured
    Gray unavailable Windows Installer programs Start
    Menu shortcuts not configured
    Prevent grouping of taskbar items not configured
    Turn off notification area cleanup not configured
    Lock the Taskbar enabled
    Force classic Start Menu not configured
    Remove Balloon Tips on Start Menu items not configured
    Remove pinned programs list from the Start Menu not configured
    Remove frequent programs list from the Start Menu enabled
    Remove All Programs list from the Start menu not configured
    Remove the "Undock PC" button from the Start Menu not configured
    Remove user name from Start Menu not configured
    Remove Clock from the system notification area not configured
    Hide the notification area not configured
    Do not display any custom toolbars in the taskbar not configured
    Remove Set Program Access and Defaults from Start menu enabled

    Windows explorer

    Removes the Folder Options menu item from the Tools menu enabled
    Remove File menu from Windows Explorer not configured
    Remove "Map Network Drive" and "Disconnect Netw Drive" enabled
    Remove Search button from Windows Explorer not configured
    Remove Windows Explorer's default context menu enabled
    Hides the Manage item on the Windows Explorer menu not configured
    Allow only per user or approved shell extensions not configured
    Do not track Shell shortcuts during roaming not configured
    Hide these specified drives in My Computer enabled
    Prevent access to drives from My Computer enabled
    Remove Hardware tab not configured
    Remove DFS tab not configured
    Remove Security tab not configured
    Remove UI to change menu animation setting not configured
    Remove UI to change keyboard navigation indicator setting not configured
    No "Computers near Me" in My Network Places not configured
    No "Entire Network" in My Network Places enabled
    Maximum number of recent documents not configured
    Do not request alternate credentials not configured
    Request credentials for network installations not configured
    Remove CD Burning features not configured
    Do not move deleted files to the Recycle Bin not configured
    Display confirmation dialog when deleting files not configured
    Maximum allowed Recycle Bin size not configured
    Remove Shared Documents from My Computer not configured
    Turn off caching of thumbnail pictures not configured
    Turn off Windows+X hotkeys not configured
    Turn off shell protocol protected mode not configured

    I would also install k9 filtering software (free) and a good av package, i.e. ms security essentials or AVG
     
  16. Guinevere

    Guinevere Mega Mom

    Joined:
    8 May 2010
    Posts:
    2,484
    Likes Received:
    176
    @Bluespider - that's one hell of a list for a volunteer to admin on a bunch of different machines. Anything that involved jumping through a million and one hoops on each PC is going to kill the poor guy!
     
  17. Andersen

    Andersen I'm fine. I'M FINE! *banshee howl*

    Joined:
    25 Nov 2002
    Posts:
    1,282
    Likes Received:
    484
    Not exactly if the admin has an image without drivers (very hard to do) or runs a domain. Latter scenario is much, much better as he'd just have to fiddle with GPOs and wait for them to apply.

    johnmalc: PM me, I have a server up for donation. Shipping is expensive though.
     
  18. Bluespider

    Bluespider What's a Dremel?

    Joined:
    21 May 2010
    Posts:
    3
    Likes Received:
    0
    Well basically the truth of the matter is that if you want it for free or cheap then you need to do a bit more work...

    There are ways to automate that, but all involve some other technology to impliment it. either a DC or some imaging technology once its set up before hand.

    If i could make it easier I would, but those changes will categorically lock down the box to only allow the things you want on the start menu.
     
  19. Guinevere

    Guinevere Mega Mom

    Joined:
    8 May 2010
    Posts:
    2,484
    Likes Received:
    176
    @Bluespider, I'm not doubting the list is appropriate - I just as a long term management solution I can't see it being workable on so many different machines. Doing it on an XP virtual machine running in virtualbox, or doing it once and then cloning the drive I could see it being fine.

    The thing is, as you've said, without the "proper" way of doing it (AD,DC - policies etc) XP will be a bugger to lock down.

    Hence my "go with a linux live CD" solution if only web + office type apps is needed.

    If you need to lock down XP but can't do it easily and reliably (and repeatably) then don't go there.
     
  20. MarkW7

    MarkW7 Total Noob

    Joined:
    30 Nov 2008
    Posts:
    1,795
    Likes Received:
    32
    You'll want some sort of net filtering, the last thing you want it children watching "videos" in school then going home and showing their parents.
     

Share This Page