Slashdot Mirror


User: felton+lichter

felton+lichter's activity in the archive.

Stories: 0 · Comments: 1

Comments · 1

  1. netboot from central images and control everything on Locking Down Linux Desktops In an Enterprise? · Score: 1

    Why not just netboot them from a central image repository?

    You define the authorization levels within the image itself. Use Samba3 + Kerberos + LDAP to handle user accounts/authentication against a centralized LDAP store (with appropriate backup LDAP servers, also), handling things such as email addresses, etc. (Postfix + LDAP).

    This provides the better solution, in that to update all the workstations, you only need to update the boot image and maybe the DHCP server depending on how you choose to do it.

    Secure the network using Squid + add-ons with a proxy firewall. This way, you scan for virii at the network level also, and you can control your users' surfing. (The lower-level goof-offs and administrative assistants will hate it. The bosses will love it -- it can increase productivity significantly, and it's all open-source).

    Done correctly, you will also be able to lock down Windows/Solaris desktops via the LDAP server and group policy management tools from the respective OS.

    Done correctly, you should deploy hard-drive-less machines and only allow device connections and media of your choice. You can force a virus-scan of inserted media (i.e. CD or key). You can limit what can be copied/burned to CD (prevents data theft). If you really know what you're doing, you could even permit only "authorized" USB keys to be connected -- or more easily none at all. (Disallowing the connection of USB key drives further prevents data theft or virus-importation.)

    It's not just about controlling the desktop, you *must* secure the network and the data via all means possible to make any of it worthwhile. If you only secure the desktops and basic privileges, then users or miscreants can exploit it accidentally or intentionally.

    While what I've outlined is not detailed (or complete), I've built out this exact system (including netbooting Windows/Linux/Solaris/FreeBSD on multiple architectures), and it provides simple central management (I used open-source GUI tools for LDAP management), a high level of security, and by being centralized, providing backup & redundancy is a breeze.
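The comment above mentions permitting only "authorized" USB keys on the diskless workstations but does not show a mechanism. The script below is an added example, not the commenter's code: a small udev helper that compares a USB storage device's serial against an allowlist and asks the kernel to deauthorize anything else via the per-device sysfs `authorized` attribute. The script path `/usr/local/sbin/usb-gate.sh`, the allowlist path `/etc/usb-storage.allow`, the udev rule shown in the comments, and the assumption that udev exports `ID_SERIAL` and `DEVPATH` into the RUN environment for the event are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original comment): allowlist-based gating of USB
# storage devices. Unlisted devices are deauthorized so the kernel never binds
# a driver to them; the decision is logged for the SOC to review.
#
# Hypothetical udev rule that would invoke this script (path is an assumption):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{ID_USB_DRIVER}=="usb-storage", \
#     RUN+="/usr/local/sbin/usb-gate.sh --udev"

# Allowlist: one ID_SERIAL value per line (path is an assumption for this example).
ALLOWLIST="${USB_ALLOWLIST:-/etc/usb-storage.allow}"

# usb_allowed SERIAL LISTFILE
#   Returns 0 when SERIAL appears as an exact, whole line in LISTFILE,
#   1 otherwise. An empty serial or an unreadable list is treated as "deny",
#   so a misconfigured host fails closed rather than open.
usb_allowed() {
    serial="$1"
    list="$2"
    [ -n "$serial" ] || return 1
    [ -r "$list" ] || return 1
    # -F: literal match, -x: whole line, -q: quiet; "--" guards serials starting with "-".
    grep -Fxq -- "$serial" "$list"
}

# deauthorize DEVPATH
#   Writes 0 to /sys<DEVPATH>/authorized, which tells the USB core to drop the
#   device. Returns 0 if the attribute was written, 1 if it was not present.
deauthorize() {
    attr="/sys$1/authorized"
    if [ -n "$1" ] && [ -w "$attr" ]; then
        echo 0 > "$attr"
        return 0
    fi
    return 1
}

# Entry point used only when udev calls the script with --udev; sourcing the
# file for its functions (as the test does) runs nothing below this line.
if [ "${1:-}" = "--udev" ]; then
    if usb_allowed "${ID_SERIAL:-}" "$ALLOWLIST"; then
        logger -t usb-gate "allowed USB storage serial=${ID_SERIAL}"
    else
        logger -t usb-gate "blocked USB storage serial=${ID_SERIAL:-<none>} devpath=${DEVPATH:-?}"
        deauthorize "${DEVPATH:-}" || logger -t usb-gate "could not deauthorize ${DEVPATH:-?}"
    fi
fi
```

Because the match is an exact whole-line comparison, a device that reports no serial at all (common on cheap sticks) is always blocked, which is the intended failure mode for a locked-down desktop. Pair the `logger` lines with central syslog collection so that repeated blocked insertions on one workstation show up as an event worth investigating.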