How Would You Lock Down a Windows XP Machine?

Kronos666 asks: "I've been working with a network of about 50 computers, and a few of them have to be locked down. What I mean is that there is an application running, and the users must not be able to do anything else on it. The computers (Windows XP), are in a Windows 2000 domain and I've tried everything that comes to mind with the group policies. Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down? Maybe someone has had previous experience with something like this?"

Thin client

[0x0d0a]

It's a pain, because it's so much harder to build Windows-from-scratch barebones systems than their Linux equivalents. I've seen a lot of Windows kiosks, and they're almost always loaded with scads of things they don't need because it's so hard to really pare down a Windows box.

I'm going to be blunt and say that the best way to do this is with Linux, because it's much easier to pare down.

Set up a bunch of thin clients with netbooting enabled. That means no CD drive, floppy drive, hard drive. Lock the BIOS. Buy cases that are physically securable.

Have one or several Windows Terminal Server boxes set up.

Set up your netboot server to serve a Linux distro something like Red Hat (or an even more bare-bones system), installing a minimal set of packages necessary. You'll want to install rdesktop so that your clients can act as Terminal Server clients, but no terminals or anything. In /etc/inittab, remove all VTs. In /etc/X11/XF86Config, kill the "special" xorg key combinations (like control-alt-backspace). Don't have xterm or any such terminals installed. Use an xsession set up to start rdesktop, and a window manager of your choice that can slap something up fullscreen and disable all other functionality -- almost all can do this, but you'll probably want something more barebones than the sawfish that I use. Have rdesktop running fullscreen. Set up X to respawn logged in to whatever user you have using the program.

The user should have no write access to anything on the Linux distro (if you want to include a small swap drive, you might want to have a local hard drive, but only root should be able to write to the thing).

The user should have no write access to anything on the Windows TS system (unless as required by your application). Hence, the users can't install anything. It's easy to administer. You don't have to pay for each client, since they're running Linux, which makes a decent thin client OS.

Now, you can do whatever you want in a trusted manner on the TS system(s), since the users don't have the ability to reboot or muck with it, since they have no local access (and rebooting or mucking with their thin client does nothing that gives them any influence over what applications are running on the server). Kill all processes that you don't recognize automatically or whatnot.