Lockdown the desktop with policies

Jeff Davis

Published: 29 Apr 2003 10:57 BST


Network policies to back up the written policies
In one of the Fortune 500 shops where I consult as a technical writer, the network administrators and the help desk analysts joined forces to define the standard user configuration for end user desktop machines.

In this Windows 2000 environment, the standard user image is locked down by Group Policy Objects (GPOs), collections of settings that define the system and how it will behave for a specific group of users. For select power users and IT staff, the policies are less restrictive. However, for most end users, the following rules are in place:

  • No A or B drives. New end user machines are deployed without A or B drives. Machines already in service had those drives deactivated by policy.
  • The autorun feature is disabled for machines that have CD-ROM drives.
  • No Run option is available on the Start menu.
  • The number of Control Panel applets has been pared down to the bare minimum. Conspicuously absent is Add/Remove Programs.
  • The following file types are prohibited from running at any time: *.msi (Microsoft Install programs), *setup*.* and install*.* (no setup or installation programs of any kind will run), AOL*.* (because the company doesn't want AOL's Instant Messenger running on its network), and quake*.* (because the company doesn't want users chewing up bandwidth playing Quake).

With such policies in place, even if users open the box and install a new video card or their own modem, Windows 2000 won't let users see the new device. The policy protects the system at the level of the Hardware Abstraction Layer, affectionately known as HAL.

In this shop, the GPOs are managed using FullArmor's Zero Administration (FAZAM 2000) for Windows NT, a third party graphical tool that broadens the functionality and flexibility of Group Policy management under Windows 2000.
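As an added example (not from the article or from FAZAM), the Python sketch below audits a per-user policy snapshot against the drive, autorun, Run-menu and Add/Remove Programs rules listed above. It assumes those rules are backed by the standard Explorer policy registry values, which the article does not state, and both snapshots are constructed; the file-name rules are not covered.

```python
# Added example. The registry value names are the standard Explorer policy
# values; that this shop's GPOs set exactly these values is an assumption.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
UNINSTALL = r"Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall"
AUTORUN_CDROM = 0x20  # NoDriveTypeAutoRun bit that covers CD-ROM drives


def drive_mask(letters):
    """NoDrives / NoViewOnDrive bitmask: bit 0 is A:, bit 1 is B:, ... bit 25 is Z:."""
    mask = 0
    for letter in letters:
        mask |= 1 << (ord(letter.upper()) - ord("A"))
    return mask


def audit(snapshot):
    """Return the baseline rules that a per-user policy snapshot does not meet."""
    def value(key, name):
        return snapshot.get(key, {}).get(name, 0)  # a missing value counts as not set

    floppy = drive_mask("AB")
    checks = [
        ("A: and B: hidden (NoDrives)",
         (value(EXPLORER, "NoDrives") & floppy) == floppy),
        ("A: and B: not browsable (NoViewOnDrive)",
         (value(EXPLORER, "NoViewOnDrive") & floppy) == floppy),
        ("CD-ROM autorun disabled (NoDriveTypeAutoRun)",
         bool(value(EXPLORER, "NoDriveTypeAutoRun") & AUTORUN_CDROM)),
        ("Run removed from Start menu (NoRun)",
         value(EXPLORER, "NoRun") == 1),
        ("Add/Remove Programs removed (NoAddRemovePrograms)",
         value(UNINSTALL, "NoAddRemovePrograms") == 1),
    ]
    return [rule for rule, ok in checks if not ok]


# Constructed snapshots (HKCU values as integers), not data from the article.
LOCKED_DOWN = {
    EXPLORER: {"NoDrives": 0x3, "NoViewOnDrive": 0x3,
               "NoDriveTypeAutoRun": 0xB5, "NoRun": 1},
    UNINSTALL: {"NoAddRemovePrograms": 1},
}
POWER_USER = {EXPLORER: {"NoDrives": 0x1, "NoDriveTypeAutoRun": 0x95}}

if __name__ == "__main__":
    for name, snap in (("locked down", LOCKED_DOWN), ("power user", POWER_USER)):
        print(name, "->", audit(snap) or "meets baseline")
```

In the power-user snapshot, 0x95 leaves the CD-ROM bit clear, so autorun is still active for CD-ROM drives even though the value is present.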

Lock them down now or clean up the mess later
Some of you may believe that policies that require locking down end user machines are too restrictive. Some of you believe companies should allow end users as much freedom as they like to install applications or configure machines.

If the users in your organisation can be trusted to add or remove hardware or software, more power to you and to them. And if you don't mind providing help desk support for the picture-maker-of-the-month and gamers on the network, more power to you.

Be forewarned, though. The first time a user inadvertently launches a virus or brings down the network, you'll wish you'd locked down your machines.

How do you lock down your end user machines? Tell us by mailing the Enterprise Mailroom.
