I've been asked by the head of the local junior school to come in and sort out the computers. Most of them are PIII spec, SDRAM, running an assortment of Win 95/98/2000 (17 of them donated by a philanthropic local about 10 years ago). They have never been maintained and are a mess. The headmaster wants them internet enabled, so an upgrade to XP is a must. I'll be donating some licences and beg/borrowing/stealing others as here in southern Greece there are zero funds available for this sort of thing; my labour will also be donated.....

Whilst I am fine with the hardware/software/networking side of this, the thing I am seeking advice on is: how to lock them down? Most of my customers couldn't hack open a tin of beans, but there are some tech savvy 10 year olds out there who won't hesitate to get admin rights and do what they want with it.... I do NOT want to be outsmarted by a kid, nor do I want to be administering a botnet. Bear in mind this will be XP Home, not the easiest OS to secure, so would the IT pros out there give me the benefit of their experience.

Things on my list so far:
- BIOS locked, so no booting from CD or USB.
- Limited accounts
- No access to any administrative tasks whatsoever
- Torx screws securing the case covers, some also have padlock tags.

Err, that's about it actually, never really had to do something on this scale before, so suggestions please.

Additional: I plan to connect them wirelessly to the internet.
When I was at school, the PCs were actually pretty much as you plan to do: locked BIOS so you couldn't go in there and alter anything (required a password), and we had limited user accounts that only allowed us access to basic programs and features such as Word and picture editing software etc. We could go into the Control Panel and alter the screensaver, but that was about it; all the 'tasty' folders in the program menus and win32 etc. were thoroughly locked down to prevent anyone adding or deleting anything dodgy/important. We also didn't have access to the Recycle Bin, so if anyone deleted something the computer tech would have to retrieve it for us and restore it to our account from a central computer in a safe office; you could have that on the teacher's desk or in a cupboard etc. with restricted access. Seemed like all the PCs were networked in a manner that meant you could log onto your user account from any one, sharing a single printer and scanner. I'm not a networking guy though so I'll let you figure that part out. I'd make sure the wireless network is secured to prevent hackers or leechers obviously, and bolt down any peripherals like that too. I dunno if the Microsoft website will have any more useful info or software perhaps, but I think your basic plan seems fine. I'm sure if you missed anything then the little oiks will soon show you, one way or another.
Use one PC for a domain controller, maybe another for an ADC or even a print server and the rest of the PCs as workstations. User accounts can only be modified by an administrator on the domain controller.
Thanks for the replies, interesting. @SuicideNeil Like the idea of the kids being able to log on to their own account from any PC, no idea how to do it yet.... d3mon_edge Didn't think XP Home could join a domain, but seems like the ways to do it are all built into the system, nice.
First get a real server and a beefy UPS for it. Cheap homebrew stuff is not enough in this case. Build yourself a lab. Not really expensive: you'll need a licence for Win03 and XP Pro (heck, you could install both XP machines using the same key for testing purposes). Get VMWare Server 2 (free, requires registration). Grab a copy of Win03 Server and two XP Pro licences. Install Win03 on one virtual machine and the XPs on another two. Then add the domain controller role on Win03 and plop the XP machines on the domain. Now you gotta start playing around with group policies, which is the fun part. Make backups of the virtual machines and unleash hell in GPEDIT.MSC on the server. I'd say update to XP Pro at least; Home versions are a bit iffy on a domain.
Did you miss the part where he said it was basically just donated/begged/stolen stuff he was using in terms of hardware and software? Anyway, the BIOS password is very easy: just enter the BIOS and it should be on the first screen for password. For the non-USB/CD boot you need to enter the boot menu and change it so that you can't boot from USB/CD. Simply remove the disk drive from the boot priorities; if USB boot isn't listed then no worries, because that motherboard doesn't support USB booting.
+1 for a server with Active Directory, sorts out all your setup problems. Might be worth trying to get a deal from Microsoft. Explain your situation; the worst you get is a No. For internet access, I use Censornet. Also has a built-in firewall. Pick any old machine and use a second network card. All traffic goes through it, and the internet is made safe. Uses a word filter, address filter and internet IP filter, so words, word combinations or web addresses are blocked. Also allows for access profiles: some users only get "the white list", so only 10 or so EDUCATIONAL sites are available; Standard is filtered so bad words/addresses are blocked; Denied means no internet access; Unfiltered (for staff). It's a very robust system. It also keeps a log of all internet use by users and where they went. If you get told "Pupil A was on a bad site, I didn't get the address, he shut the window" you can get the details from the log. It's easy to set up. Works on machine MAC address, which the system will search for, and username and password.
School licences for MS software are dirt cheap so I'd go for a full AD network. You might want to install Microsoft SteadyState on the PCs as well; that way they can do what they like but it's all rolled back with a reboot.
The only real way to properly lock the computers down is through group policy on a Windows Server network. However, you can't do that unless the workstations are XP Pro. BIOS password protection and non-local-admin accounts for the users too. I'd also be disabling the USB controllers in the BIOS to prevent pen drives being used, assuming they're not using USB keyboards and mice of course! Some sort of web filtering is a must in a school really, such as ISA or an alternative.
Could always approach Microsoft and see if they'll sponsor the build. You never know; I've heard of a few places who got funding like that.
Really appreciate the replies, am investigating all, especially re MS for licenses for Pro, Home just cannot be locked down! Maybe the guys at MS have read of the problems here in Greece (trust me, it's bad) and will be feeling charitable. Again, many thanks.
At our college we use a program called Deep Freeze by Faronics which restores local files to a previous state when rebooted. Another handy program for rolling out an image on multiple machines is Acronis. You can often find free versions of it on magazine CDs; I'm sure I've got one you can have. If using VMWare you could even put extra servers on there, such as the file server, then migrate them off once more hardware becomes available. For part of our network we use IPCop, which is a free Linux distro. It works pretty well, but luckily MS gave us a free copy of their Threat Management Gateway 2010, so you could try blagging that off them.
I have an old rackmount Proliant in my kitchen collecting dust. Both Fedex and UPS want about 200 euros to ship it from Finland to Greece. It's not exactly fast by today's standards (866Mhz Xeon) but should get the job done as a DC running Win03Srv. I'd limit the roles to AD, DHCP, DNS, file server for administration/staff and whatever other roles those require. Photo #1 and photo #2. Those nasty marks on the tape drive were not made by me; the previous owner got a bit too happy with a screwdriver. I managed to remove the tape gently by following the manufacturer's instructions. Most likely the drive is toasted as it makes a nasty grinding sound every now and then. The rest works as it should, as I never had any other hw related problem. Specs: 866Mhz Xeon (dual socket, one free), 640MB, 2x9,1GB RAID1, 4x36GB RAID5, Ubuntu 9.10 Server atm for testing. johnmalc: PM me if interested. The server itself is free but you get to pay the shipping. Brainfart, sorry. Quite a good idea as VMWare Server is free, though it does require a boatload of memory and a beefy CPU or two. Check the licence first: might be free for home use but not for business or education. Also in this case I'd sysprep and image each machine individually (except if there are two or more identical computers, then one image for those is enough).
You've got a mixed bag of old hardware and very limited funds. If you don't have experience of setting up domain controllers etc. then I would seriously stay away from that. You'll only open up a can of worms if your one machine running the domain controller goes down (and it will). How about a totally different approach... Do you really need XP? If all you need is internet and basic apps, how about running a flavour of Linux? You could use a live boot CD so you wouldn't even have to install the OS on each machine, just get them booting from the CD in the drawer... and you'll bash up a lock for each CD drawer so that only you can change the boot disc. Oh I do like a good wild card idea.
O.k. this is a fudge... it definitely works in Pro and with the additions added below *should* work in Home...

***Remember to create both an admin account and a user account. The changes below will be applied to the user account.

Windows XP Home does not include GPEDIT; XP Home users can apparently run this program if they have access to files from an XP Pro (or possibly Win 2000?) installation, by doing the following:

* Copy the files gpedit.dll and fde.dll from \WINDOWS\System32 on the XP Pro machine to \WINDOWS\System32 on the XP Home machine.
* From a command prompt issue the following commands on the XP Home machine:
    regsvr32 C:\WINDOWS\System32\gpedit.dll
    regsvr32 C:\WINDOWS\System32\fde.dll
* Open the Microsoft Management Console (mmc.exe) and select File->Add/Remove Snap-in... Then click Add. Select the Group Policy snap-in from the list of installed snap-ins. You can now edit the Group Policy on the local machine.

But XP Home doesn't support the same feature set as XP Pro, so the policies you are looking for might be missing.

Folder Restrictions

The below process was used for restricting both the "WWW" user and Administrator:
• Deny read permissions to the c:\windows\system32\grouppolicy folder for the "administrator" account
• Remove all shortcuts under c:\docs and settings\all users (desktop and start menu) and place them into c:\document and settings\Administrator
• Add in the following shortcuts under c:\docs and settings\internet user\start menu\programs:
    Accessories folder: IE, calculator, tour XP, media player and messenger
    Games folder: free-cell, hearts, minesweeper, pinball, solitaire and spider solitaire
    Start-up folder: leave empty

Local Policy Settings

When applying the local policy settings one by one it will happen with immediate effect to any user account with read permissions to the c:\windows\system32\grouppolicy folder (all accounts by default). It is wise to apply the group policy to the subfolders in the order shown below.

The last two folders are particularly powerful and you may find that you cannot apply other settings as your environment is tied down too much. If you do find you need to modify the policy settings and it is restricted too much, you will need to insert a Windows XP CD. Conduct a repair and delete the gpt.ini file. This will allow you to log back in and open up gpedit.msc without any restrictions. Regrettably in XP local group policies can't be imported from a text file, so you will have to go through this list manually changing the settings.

Internet Explorer
  Search: Disable Search Customization = not configured
  Search: Disable Find Files via F3 within the browser = not configured
  Disable external branding of Internet Explorer = enabled
  Disable importing and exporting of favorites = enabled
  Disable changing advanced page settings = enabled
  Disable changing home page settings = not configured
  Use Automatic Detection for dial-up connections = not configured
  Disable caching of Auto-Proxy scripts = not configured
  Display error message on proxy script download failure = not configured
  Disable changing Temporary Internet files settings = not configured
  Disable changing history settings = not configured
  Disable changing color settings = not configured
  Disable changing link color settings = not configured
  Disable changing font settings = not configured
  Disable changing language settings = not configured
  Disable changing accessibility settings = not configured
  Disable Internet Connection wizard = not configured
  Disable changing connection settings = not configured
  Disable changing proxy settings = not configured
  Disable changing Automatic Configuration settings = not configured
  Turn off pop-up management = not configured
  Pop-up allow list = not configured
  Disable changing ratings settings = not configured
  Disable changing certificate settings = not configured
  Disable changing Profile Assistant settings = not configured
  Disable AutoComplete for forms = enabled
  Do not allow AutoComplete to save passwords = enabled
  Disable changing Messaging settings = not configured
  Disable changing Calendar and Contact settings = not configured
  Disable the Reset Web Settings feature = not configured
  Disable changing default browser check = enabled
  Turn off Crash Detection = enabled
  Do not allow users to enable or disable add-ons = not configured
  Identity Manager: Prevent users from using Identities = not configured
  Configure Outlook Express = disabled

Internet control panel
  Disable the General page = enabled
  Disable the Security page = enabled
  Disable the Content page = enabled
  Disable the Connections page = enabled
  Disable the Programs page = enabled
  Disable the Privacy page = enabled
  Disable the Advanced page = enabled

Browser menus
  File menu: Disable Save As menu option = enabled
  File menu: Disable New menu option = enabled
  File menu: Disable Open menu option = enabled
  File menu: Disable Save as Web Page Complete = enabled
  File menu: Disable closing the browser and Explorer windows = not configured
  View menu: Disable Source menu option = enabled
  View menu: Disable Full Screen menu option = enabled
  Hide Favorites menu = not configured
  Tools menu: Disable Internet Options... menu option = enabled
  Help menu: Remove 'Tip of the Day' menu option = enabled
  Help menu: Remove 'For Netscape Users' menu option = enabled
  Help menu: Remove 'Tour' menu option = enabled
  Help menu: Remove 'Send Feedback' menu option = enabled
  Disable Context menu = enabled
  Disable Open in New Window menu option = not configured
  Disable Save this program to disk option = enabled

Toolbars
  Disable customizing browser toolbar buttons = enabled
  Disable customizing browser toolbars = enabled
  Configure Toolbar Buttons = disabled

Desktop
  Hide and disable all items on the desktop = enabled
  Remove My Documents icon on the desktop = not configured
  Remove My Computer icon on the desktop = not configured
  Remove Recycle Bin icon from desktop = not configured
  Remove Properties from the My Documents context menu = not configured
  Remove Properties from the My Computer context menu = not configured
  Remove Properties from the Recycle Bin context menu = not configured
  Hide My Network Places icon on desktop = not configured
  Hide Internet Explorer icon on desktop = not configured
  Do not add shares of recently opened documents to My Network Places = not configured
  Prohibit user from changing My Documents path = enabled
  Prevent adding, dragging, dropping and closing the Taskbar's toolbars = enabled
  Prohibit adjusting desktop toolbars = enabled
  Don't save settings at exit = not configured
  Remove the Desktop Cleanup Wizard = not configured

Control panel
  Prohibit access to the Control Panel = enabled
  Hide specified Control Panel applets = not configured
  Show only specified Control Panel applets = not configured
  Force classic Control Panel Style = not configured

Display
  Prevent changing wallpaper = enabled

Printers
  Browse a common web site to find printers = not configured
  Browse the network to find printers = not configured
  Default Active Directory path when searching for printers = not configured
  Point and Print Restrictions = not configured
  Prevent addition of printers = enabled
  Prevent deletion of printers = not configured

Control-alt-del
  Remove Task Manager = not configured
  Remove Lock Computer = enabled
  Remove Change Password = enabled
  Remove Logoff = not configured

System
  Don't display the Getting Started welcome screen at logon = enabled
  Century interpretation for Year 2000 = not configured
  Configure driver search locations = not configured
  Code signing for device drivers = not configured
  Custom user interface = not configured
  Prevent access to the command prompt = enabled
  Prevent access to registry editing tools = enabled
  Run only allowed Windows applications = not configured
  Don't run specified Windows applications = not configured
  Turn off auto-play = not configured
  Restrict these programs from being launched from Help = not configured
  Download missing COM components = not configured
  Windows Automatic Updates = not configured
  Turn off Windows Update device driver search prompt = not configured

Start menu and taskbar
  Remove user's folders from the Start Menu = not configured
  Remove links and access to Windows Update = enabled
  Remove common program groups from Start Menu = not configured
  Remove My Documents icon from Start Menu = enabled
  Remove Documents menu from Start Menu = enabled
  Remove programs on Settings menu = enabled
  Remove Network Connections from Start Menu = enabled
  Remove Favorites menu from Start Menu = enabled
  Remove Search menu from Start Menu = enabled
  Remove Help menu from Start Menu = not configured
  Remove Run menu from Start Menu = enabled
  Remove My Pictures icon from Start Menu = enabled
  Remove My Music icon from Start Menu = enabled
  Remove My Network Places icon from Start Menu = enabled
  Add Logoff to the Start Menu = not configured
  Remove Logoff on the Start Menu = not configured
  Remove and prevent access to the Shut Down command = enabled
  Remove Drag-and-drop context menus on the Start Menu = enabled
  Prevent changes to Taskbar and Start Menu Settings = enabled
  Remove access to the context menus for the taskbar = enabled
  Do not keep history of recently opened documents = enabled
  Clear history of recently opened documents on exit = not configured
  Turn off personalized menus = not configured
  Turn off user tracking = not configured
  Add "Run in Separate Memory Space" check box to Run dialog box = not configured
  Do not use the search-based method when resolving shell shortcuts = not configured
  Do not use the tracking-based method when resolving shell shortcuts = not configured
  Gray unavailable Windows Installer programs Start Menu shortcuts = not configured
  Prevent grouping of taskbar items = not configured
  Turn off notification area cleanup = not configured
  Lock the Taskbar = enabled
  Force classic Start Menu = not configured
  Remove Balloon Tips on Start Menu items = not configured
  Remove pinned programs list from the Start Menu = not configured
  Remove frequent programs list from the Start Menu = enabled
  Remove All Programs list from the Start menu = not configured
  Remove the "Undock PC" button from the Start Menu = not configured
  Remove user name from Start Menu = not configured
  Remove Clock from the system notification area = not configured
  Hide the notification area = not configured
  Do not display any custom toolbars in the taskbar = not configured
  Remove Set Program Access and Defaults from Start menu = enabled

Windows explorer
  Removes the Folder Options menu item from the Tools menu = enabled
  Remove File menu from Windows Explorer = not configured
  Remove "Map Network Drive" and "Disconnect Network Drive" = enabled
  Remove Search button from Windows Explorer = not configured
  Remove Windows Explorer's default context menu = enabled
  Hides the Manage item on the Windows Explorer menu = not configured
  Allow only per user or approved shell extensions = not configured
  Do not track Shell shortcuts during roaming = not configured
  Hide these specified drives in My Computer = enabled
  Prevent access to drives from My Computer = enabled
  Remove Hardware tab = not configured
  Remove DFS tab = not configured
  Remove Security tab = not configured
  Remove UI to change menu animation setting = not configured
  Remove UI to change keyboard navigation indicator setting = not configured
  No "Computers near Me" in My Network Places = not configured
  No "Entire Network" in My Network Places = enabled
  Maximum number of recent documents = not configured
  Do not request alternate credentials = not configured
  Request credentials for network installations = not configured
  Remove CD Burning features = not configured
  Do not move deleted files to the Recycle Bin = not configured
  Display confirmation dialog when deleting files = not configured
  Maximum allowed Recycle Bin size = not configured
  Remove Shared Documents from My Computer = not configured
  Turn off caching of thumbnail pictures = not configured
  Turn off Windows+X hotkeys = not configured
  Turn off shell protocol protected mode = not configured

I would also install K9 filtering software (free) and a good AV package, i.e. MS Security Essentials or AVG.
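Most of the items marked "enabled" in the list above are, under the hood, single REG_DWORD values that the policy engine writes into the user's part of the registry; writing them directly into the pupil account's NTUSER.DAT sidesteps both the gpedit.dll copy and the "can't import from a text file" problem on XP Home. This is an added example, not code from the original post: the profile path, the hive name TMPHIVE and the C:-only drive mask are assumptions, and the value names are the ones from the XP administrative templates (system.adm / inetres.adm), so any you do not recognise are worth checking in gpedit.msc on a Pro machine before relying on them.

```batch
@echo off
rem Added example (not from the original post): write the registry values behind the
rem "enabled" local policies listed above into an offline copy of one user's hive.
rem Run from an Administrator command prompt while that user is logged off.
rem Usage: lockdown.cmd "C:\Documents and Settings\pupil"
rem Assumptions: the profile folder is the only argument; TMPHIVE is an arbitrary
rem name for the temporarily loaded hive; drive mask 4 = C: only (bit 0 = A:).
if "%~1"=="" (echo usage: %~nx0 "profile folder" & exit /b 1)
if not exist "%~1\NTUSER.DAT" (echo no NTUSER.DAT under %1 & exit /b 1)
reg load HKU\TMPHIVE "%~1\NTUSER.DAT" >nul || (echo could not load hive & exit /b 1)

set EXP=HKU\TMPHIVE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
set SYS=HKU\TMPHIVE\Software\Microsoft\Windows\CurrentVersion\Policies\System
set IE=HKU\TMPHIVE\Software\Policies\Microsoft\Internet Explorer

rem Start menu, taskbar, desktop, Control Panel and Windows Explorer items (1 = enabled)
for %%V in (NoControlPanel NoRun NoFind NoClose NoSetTaskbar NoTrayContextMenu NoRecentDocsHistory NoRecentDocsMenu NoFavoritesMenu NoSMMyDocs NoSMMyPictures NoStartMenuNetworkPlaces NoNetworkConnections NoWindowsUpdate NoSetFolders NoDesktop NoViewContextMenu NoFolderOptions NoNetConnectDisconnect NoChangeStartMenu LockTaskbar NoStartMenuMFUprogramsList NoSMConfigurePrograms NoAddPrinter) do (
  reg add "%EXP%" /v %%V /t REG_DWORD /d 1 /f >nul
)

rem "Hide these specified drives" and "Prevent access to drives": bitmask, 4 = C: only
reg add "%EXP%" /v NoDrives /t REG_DWORD /d 4 /f >nul
reg add "%EXP%" /v NoViewOnDrive /t REG_DWORD /d 4 /f >nul

rem Ctrl-Alt-Del items and registry editing tools (regedit)
for %%V in (DisableRegistryTools DisableLockWorkstation DisableChangePassword) do (
  reg add "%SYS%" /v %%V /t REG_DWORD /d 1 /f >nul
)

rem Prevent access to the command prompt: 2 blocks interactive cmd but still lets logon scripts run
reg add "HKU\TMPHIVE\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f >nul

rem Display: prevent changing wallpaper
reg add "HKU\TMPHIVE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_DWORD /d 1 /f >nul

rem No "Entire Network" in My Network Places
reg add "HKU\TMPHIVE\Software\Microsoft\Windows\CurrentVersion\Policies\Network" /v NoEntireNetwork /t REG_DWORD /d 1 /f >nul

rem Internet control panel: hide every tab of Internet Options
for %%V in (GeneralTab SecurityTab ContentTab ConnectionsTab ProgramsTab PrivacyTab AdvancedTab) do (
  reg add "%IE%\Control Panel" /v %%V /t REG_DWORD /d 1 /f >nul
)

rem Browser menus: Save As, New, Open, View Source, Full Screen, context menu, Tools > Internet Options
for %%V in (NoBrowserSaveAs NoFileNew NoFileOpen NoViewSource NoTheaterMode NoBrowserContextMenu NoBrowserOptions) do (
  reg add "%IE%\Restrictions" /v %%V /t REG_DWORD /d 1 /f >nul
)

reg unload HKU\TMPHIVE >nul
echo Done. Log on as the user to confirm the restrictions took effect.
```

Because the values are written directly rather than by the policy engine, they stay put even if gpedit is never installed on the Home machine; to undo them, load the hive the same way and delete the Policies keys.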
@Bluespider - that's one hell of a list for a volunteer to admin on a bunch of different machines. Anything that involves jumping through a million and one hoops on each PC is going to kill the poor guy!
Not exactly if the admin has an image without drivers (very hard to do) or runs a domain. Latter scenario is much, much better as he'd just have to fiddle with GPOs and wait for them to apply. johnmalc: PM me, I have a server up for donation. Shipping is expensive though.
Well basically the truth of the matter is that if you want it for free or cheap then you need to do a bit more work... There are ways to automate that, but all involve some other technology to implement it: either a DC or some imaging technology once it's set up beforehand. If I could make it easier I would, but those changes will categorically lock down the box to only allow the things you want on the start menu.
@Bluespider, I'm not doubting the list is appropriate - I just can't see it being workable as a long-term management solution on so many different machines. Doing it on an XP virtual machine running in VirtualBox, or doing it once and then cloning the drive, I could see it being fine. The thing is, as you've said, without the "proper" way of doing it (AD, DC, policies etc.) XP will be a bugger to lock down. Hence my "go with a Linux live CD" solution if only web + office type apps are needed. If you need to lock down XP but can't do it easily and reliably (and repeatably) then don't go there.
You'll want some sort of net filtering; the last thing you want is children watching "videos" in school then going home and showing their parents.