Slashdot Mirror


How Would You Lock Down a Windows XP Machine?

Kronos666 asks: "I've been working with a network of about 50 computers, and a few of them have to be locked down. What I mean is that there is an application running, and the users must not be able to do anything else on it. The computers (Windows XP) are in a Windows 2000 domain and I've tried everything that comes to mind with the group policies. Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down? Maybe someone has had previous experience with something like this?"

7 of 119 comments

  1. Re:Physical security by DiscoOnTheSide · · Score: 2, Insightful

    Lack of a CD drive? :)

    --
    Viva La Revolucion! Buy a Mac!
  2. I used to play this game... by Ianoo · · Score: 4, Insightful

    ... and it's no fun for the network administrator. A big problem we (and by 'we' I mean a school where I used to do volunteer work) had with NT4 years ago was network messaging using 'net send' from the command line. No matter what we tried, locking down local hard disks, removing applications, whatever, the little fsckers still found ways to access it. The most innovative was using the File -> Open dialog of an MS Office dialog to get to c:\winnt\system32 (since thanks to Microsoft's code re-use, these dialogs are custom, not the system-wide standard ones), using the dialog to add cmd32 as an IE Favorite, launching IE and clicking on Favorites -> cmd32. Voila, the command line.

    I hear Win2K and WinXP are improved, but to be honest I think trying to completely lock down a system that clearly isn't designed to be locked down is a lost cause.

    Think about exactly what you're doing, and try not to catch Diebold syndrome*. If you want to provide a terminal for web browsing and e-mail, is a full Windows install necessary? Why not go for Mozilla on Linux, which will connect to your Windows-based TCP/IP network and provide the functions you want. Of course, your requirements might be a lot more complex, so this might not be an option.

    If so, why not consider enforcement rather than prevention? Tell the users they can't do this, can't do that, and track them if necessary. If they break the rules, suspend them from the network. Placing software restrictions on people will often upset them, especially if they have a legitimate use for doing odd things (like installing a new media codec to watch a video they need for their work).

    * Diebold syndrome: believing that a full multi-tasking memory-protected graphical operating system that consumes 300MHz of processor power and 500MB of disk space is the best basis for a dumb embedded system such as eVoting or an ATM

  3. With Google, as with life... by CaptainCheese · · Score: 5, Insightful

    there's no ask-slashdot that google couldn't solve...

    But 90% of the answer is in knowing how to ask exactly the right question.

    The same is true of life.

    That's kind of the point of "42" in Hitchhikers.. by Douglas Adams.

    --
    -- .sigs are a waste of data...turn them off...
  4. I prefer the well-tested... by leonbrooks · · Score: 2, Insightful

    ...railway spike hammered down through the case into the CPU and the surface of the desk beneath.

    Being MS-Windows, you might need to use a hardwood stake instead, in which case I recommend either Wandoo or what the PNG call "Ironwood" (which loosely corresponds with San Martin's Ferran from David Weber's Honorverse).

    I'd recommend first off porting the apps in question to Linux (well, to not-MS-Windows) where that can be readily done because it's easy to make the program into the WM (if they exit, they get a new session running... the same program).

    If the app is well behaved, you can do this using WINE and no port... [/ME pauses to wonder whether that pun was part of the original rationale for the acronym]... and using NX you can now give other users efficient platform-independent sessions on such a box at no extra charge.

    Plus there's the instant-thin-client aspect to think about. Something screwy with the system? Doorbell time. No hard disks to worry about the structure of.

    It might also save you some trouble if you're forced to stick with MS-Windows to put all of these apps on a Terminal Services box and lock it down once-for-all rather than locking down n workstations. This also gives you another opportunity to Linuxify (with rdesktopification) and/or thinclientise the workstations themselves (sorry, didn't get much sleep last night and am feeling a bit Dubya now).

    --
    Got time? Spend some of it coding or testing
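The idea in the comment above of making the locked-down program the whole session, so that quitting it only brings it back, as an added example (not code from the post or any project): a POSIX sh kiosk session script that relaunches the single application and stops the session on a rapid crash loop instead of spinning. The application path, the `RESTART_WINDOW` and `MAX_RESTARTS` settings are assumptions.

```shell
#!/bin/sh
# Kiosk X session script (assumed use: ~/.xsession contains
#   exec sh kiosk-session.sh /usr/local/bin/kiosk-app
# where /usr/local/bin/kiosk-app is a placeholder, not a real program).
# The application is the only X client, so there is no desktop to fall back
# to. When it exits it is relaunched; if it exits MAX_RESTARTS times inside
# RESTART_WINDOW seconds, that is a crash loop and the session ends so the
# display manager shows its login screen again rather than burning CPU.

RESTART_WINDOW="${RESTART_WINDOW:-60}"   # seconds (assumed default)
MAX_RESTARTS="${MAX_RESTARTS:-5}"        # exits allowed per window (assumed)

# run_kiosk CMD [ARGS...]
# Relaunches CMD each time it exits. Once MAX_RESTARTS exits have happened
# inside one RESTART_WINDOW, prints the number of launches and returns 1.
run_kiosk() {
    window_start=$(date +%s)
    exits_in_window=0
    launches=0
    while :; do
        launches=$((launches + 1))
        app_status=0
        "$@" || app_status=$?
        echo "kiosk app exited with status $app_status" >&2
        now=$(date +%s)
        if [ $((now - window_start)) -ge "$RESTART_WINDOW" ]; then
            window_start=$now          # new window: forget earlier exits
            exits_in_window=0
        fi
        exits_in_window=$((exits_in_window + 1))
        if [ "$exits_in_window" -ge "$MAX_RESTARTS" ]; then
            echo "crash loop: $exits_in_window exits within ${RESTART_WINDOW}s, ending session" >&2
            echo "$launches"
            return 1
        fi
    done
}

# Run the session only when an application command is given on the command
# line; with no arguments the file just defines run_kiosk.
if [ "$#" -gt 0 ]; then
    run_kiosk "$@"
else
    echo "usage: $0 APPLICATION [ARGS...]" >&2
fi
```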
  5. the phrase "surely there's a program for this" by torpor · · Score: 3, Insightful

    I would say that phrase is the #1 reason i never, ever use microsoft windows.

    if you have to download a program for every single little thing you do on your computer, the operating system is broken. don't bother trying to fix it, just switch.

    honestly, that really struck home with me. you need a program for everything you want to do on your computer? oh, you must be using windows ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    1. Re:the phrase "surely there's a program for this" by ColaMan · · Score: 3, Insightful

      if you have to download a program for every single little thing you do on your computer, the operating system is broken. don't bother trying to fix it, just switch.

      Er, unlike the unix(er, GNU?) mentality of "lots of little programs that do a single thing well"?

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    2. Re:the phrase "surely there's a program for this" by torpor · · Score: 5, Insightful

      Unix is a tools-based approach. You have many tools already, with which you can do many different kinds of things.

      Windows is a "one app, one task" based approach. You've got an app for everything you need to do, and you can't use those apps together to accomplish a bigger 'task'.

      Yes, I prefer the Unix way. Give me a toolbox, and with that toolbox (and not much else) I can build a car, a house, a boat, a dam, a power station, etc.

      But with Windows, I gotta download "PowerStation 1.0", "House 2.3.2", "Boat 3.2", etc. And god help me if I wanna plug House into PowerStation safely and securely ...

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --