Desktop lockdown in a domain or non-domain environment
Locking down desktops is becoming more and more prevalent in today’s corporate environment. Malware, viruses and malicious users are putting the pressure on IT staff to remove users as local admin’s and lockdown systems. In order for this to be successful, administrators need a delivery mechanism to install software and hot fixes to users machines. Here is some of our experiences in locking down desktops as a very import step in securing your infrastructure. Specifically, we focused on locking down desktop via Group Policy and how to leverage that in an Active Directory environment.
In many corporate environments, users are required to install their own software and patches. While this may reduce the load on IT staff, the ability for users to download applications off the ‘net, including viruses, Malware and other suspect software will increase the load. Certifying software to be used, locking down and automating software installation and patch management shifts the role of the IT staff; however the load should remain the same. With a proper infrastructure in place you can reduce the workload on the IT department by implementing such a scheme. Applications such as WSUS and SMS make it easier for IT staff to implement and manage this.
It sounds like a lot of work. We can use group policy as a starting point. What can we set with group policy? To lock down desktops, we can focus on the following policies or settings:
• Access control list's (ACL’s)
• Corporate policy
• User rights
• Restricted groups
• Software restrictions
• Security templates
• Administrative templates
For instance, you can restrict what software users can run on the server by using Software Restriction Policies:
Using Software Restriction Policies to Protect Against Unauthorized Software
https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
Outlined below is a list of some common policies used to lock down desktops:
Top policies |
Obvious / important ones |
Not so obvious ones |
For users |
– Folder redirection - Restrict Windows components– Screen saver password - Restrict control panel– Removing My Documents properties |
– Standardize OS "Look and Feel" Settings– Locking down the Attachment manager– Force the execution of antivirus programs– Internet Explorer– Microsoft Office administrative templates |
For Computers |
– NTLM authentication - Disable default shares (careful!)– Disable guest account - Rename Admin account– Last user name - Restrict access from the network |
– Wait for Network at Startup and Logon– Restrict anonymous (removing them from Everyone)– Disable anonymous enumeration of SAM accounts and shares– Deploy security templates (registry and file ACLs)– Use restricted groups– Control Windows firewall– Control wireless network adapters– Disable removable devices |
In a non-domain environment, you can download the beta Shared Computer Toolkit and get powerful new software tools for shared computers in classrooms, school computer labs, libraries, and public places. It’s designed to help you lock-down and support computers that are running as shared resources:
Lock Down Desktops without GP
https://blogs.technet.com/mitpro/archive/2005/06/29/407058.aspx
Since Terminal Servers (or Citrix servers) are usually a shared desktop for your users, it makes sense to include Terminal server in your desktop lockdown plan. For more information on how to lock Terminal Server session, view the following articles:
278295 How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session
https://support.microsoft.com/default.aspx?scid=kb;EN-US;278295
Locking Down Windows Server 2003 Terminal Server Sessions
-End-
Author:Pearson Peng