Slashdot Mirror

← Back to Stories (view on slashdot.org)

Locking Down Linux Desktops In an Enterprise?

Posted by kdawson on from the just-the-policy-ma'am dept.

supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"

11 of 904 comments (clear)

  1. dumb terminals? by timmarhy · · Score: 5, Insightful
    if your talking about dumb terminals, your making me hot. sexy little gadgets with no fans or moving parts. in this instance you can lock down any of the major desktop environments by modifying their default user to have a really low level of user access , so when you create a new user it inherits these settings. gnome,kde and xfce all have this ability. and since they are terminals an logging into a central server management is dead easy.

    if you are talking stand alone desktops then it's not so great. linux doesn't really have anything as good as group polices and active directory, it's part of the reason corperate networks are mostly windows.

    --
    If you mod me down, I will become more powerful than you can imagine....
  2. What are you trying to do? by Todd+Knarr · · Score: 5, Insightful

    I guess the first question is: what are you trying to accomplish? Are you trying to prevent users from installing additional software locally? Are you trying to insure that particular applications get particular preferences set and users are prevented from changing those settings? What? Just saying "lock down the desktops" doesn't say what you're trying to actually do.

    Remember that Unix is, in large part, designed to work correctly without needing to be locked down. Much is controlled simply by the system-wide configuration files. The rest tends to be controlled on the server side, so that users simply can't do unacceptable things regardless of how they configure their local user account.

    1. Re:What are you trying to do? by citylivin · · Score: 5, Insightful

      "Then how do we prevent people from bringing in USB printers from home and connecting them locally"

      Id say if someone has to bring in their own printer, your company has bigger IT problems...

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
  3. Indeed it is a problem by Anonymous Coward · · Score: 5, Insightful

    In linux world, there is yet to be a quick, 3 question and 1 button way to add the computer to a domain and then receive straight away:
    - group policies - security and software install
    - single password store (with cached passwords for notebooks that go away from the network)
    - Patch update policy

    The only thing linux does right is work on technologies such as DHCP that were written for OTHER unix O/S'.

    Ubuntu is not interested in those things, they're more interested in making stories about koalas and hiding popup boxes.

    Gnome is dead, Mono and moonlight took all their brains away.

    kde is making a next-gen desktop but have yet to understand why so many IT shops have kept Windows at the office.

    This is all depressing. Windoze will never be replaced at the current rate.

  4. Re:How about: less douchebaggery? by Registered+Coward+v2 · · Score: 5, Insightful

    Instead of spending $$$ on bondage and discipline, how about treating your users like adult human beings?

    Because a number of them will wind up installing aps that put the company at risk?

    --
    I'm a consultant - I convert gibberish into cash-flow.
  5. Re:How about: less douchebaggery? by RichardJenkins · · Score: 5, Insightful

    You think using technology to help enforce an IT policy and respecting your employees are mutually exclusive aims? I strongly disagree.

    A small contingent of 'bad apples' can do serious harm if you do not effectively enforce IT policies. It's not possible to guarantee there is no one like this in your company, so you should protect the company and other staff from from them.

    Respecting staff won't stop douchebags being douchebags and screwing up your systems.

  6. Re:MOD PARENT UP by binner1 · · Score: 5, Insightful

    While I _mostly_ agree with this, a nice policy management (configuration management mostly) tool is also essential when dealing with lots of boxes. You want a new setting for all Gnome desktops, simply add it to the policy tool and let it distributed any required config files or run commands to change the setting, etc. This type of thing used to be done with things like: for h in $all_my_hosts; do ssh $h /tweak/some/setting; done

    CFEngine and Puppet and friends are a nicer way of doing this. They're "self documenting" in that your write the code and then you can later very easily see when you added some configuration bits, etc...version control your configuration management scripts and you get even better tracking of who did what and when. (A side question: How does one do the version control type stuff in AD?)

    While kickstart is great (I use it), it only goes so far. Having a policy manager on top of that (installed and configured in the kickstart) is a beautiful thing!

    -Ben

  7. Re:This is linux's strength, actually by Anonymous Coward · · Score: 5, Insightful

    Or, am I missing something?

    Yeah managing this for 300+ people in an environment that changes daily without spending your entire IT budget on admins and the sneakernet support staff.

    despite our desire to act like open source is the cure for all ills this is the type of problem we need to solve. You MUST lock down some enterprise environments (or have a CEO who is willing to go to jail) and you MUST be able to manage this without breaking the company piggy bank. He's asking for solutions to these two requirements not how to keep ONE person on ONE desktop from doing ONE of the many forbidden things.

    And as for the guy/gal who suggested we treat everyone nice and hope they act right. That's fine for your 10 person IT shop...not so much for a multi-billion dollar public company that needs public trust and investment and is governed by a whole mess of federal regulations in numerous national jurisdictions around the world.

  8. Re:How about: less douchebaggery? by Anonymous Coward · · Score: 5, Insightful

    Have you ever met a sales person, or watched them try to use a computer? Seriously, watch them try to send a 500MB powerpoint presentation as an e-mail attachment, or ask for tech support on their limewire install, and marvel at the risk to your company.

  9. Re:MOD PARENT UP by magamiako1 · · Score: 5, Insightful

    You kids still think that what the OP is asking for has anything to do with "preventing users from doing something harmful to the computer".

    Get it out of your heads. Many of the things group policy can do has nothing to do with "security" or "preventing users" from doing anything. It has a lot to do with quickly standardizing departments, offices, rooms, or whatever your business structure is.

    When you move a computer to a different department you simply drag the computer in AD to the different OU and BAM! That computer now gets everything new with its policies. There's no bringing the computer in to the IT department and reloading its configuration with "Configuration A for Department B".

    Want to make a change to how a whole department does things? There's no pushing a script out later on to the whole department. You simply change it in group policy and the entire thing gets taken care of automatically.

    You can spend more time focusing on actually getting shit done than fussing around with HOW to solve the problem with roundabout tool sets.

  10. Re:More information on what you want to lock down? by SaDan · · Score: 5, Insightful

    Unfortunately, few people in the Windows world seem to grasp that LDAP has been around for many years in the *nix world, and has all the functionality you would find in Group Policies when linked into PAM on the client side.

    For a couple years, I maintained a company-wide network that supported unified "home" directories and unified login/password capabilities between Windows workstations, Linux workstations, and Solaris servers, all tied back to Fedora Directory Server. It was hell to set up, and sweet to watch in action.

    Active Directory and Group Policies aren't bad for simple installations, but really turn into a mess quickly depending on your setup. LDAP and *nix systems that support PAM are a snap to set up, work fairly well and took significantly LESS time to get working properly than the Windows side did.

    There's a lot of research that goes into setting up either side of the equation. Linux/Unix has been more ready for the "enterprise" desktop than Windows has, though, and that's a cold hard fact.