1

So I'm curious about managing remote Windows XP or Windows 7 boxes. Basically, I want to be able to lock the computers down so that junk doesn't get installed and disk space wasted (restart should set back to my settings), but I also want the functionality to remotely unlock and update the machines somehow.

Similar to deepfreeze with the ability to remotely unlock and update. Any ideas?

I'm up for anything.

Thanks, Anthony Hurst

user9517
  • Anyway, identical setup? Why not use disk images? – Jan 19 '11 at 03:30
  • I had a multicast software package and imaging was going well, but it's over a network that doesn't want multicasting. – Jan 19 '11 at 03:34

2 Answers

4

How draconian do you want to get? I work for a largish Higher Ed and our computer lab machines (somewhere between 1200-1700 of 'em) all have to be locked down to a high degree. It's pretty well locked down. Malware outbreaks are usually handled by just reimaging instead of cleaning them up, and such outbreaks are pretty rare.

This sort of thing is made a LOT easier in an AD Domain, as the GPO framework greatly enhances the ability to manage these stations. Even the basic "Normal User" mode for Win 7 is restrictive enough for most of our needs.

Group Policy can be used to do the following with no admin-access required:

  • Set when the workstation will download and apply Windows Updates, no admin-login needed.
  • A whole constellation of UI tweaks to remove things like command-line access, registry-editing access, and other such things.
  • Prevent USB mass-storage devices from being accessed.
  • Prevent network drives from being mapped.
  • And much, much more.

Also, Microsoft SteadyState used to be a good product, but MS killed it a couple of weeks ago. We'll probably move to Deep Freeze or something else if we need to.

Locking down workstations used daily by the same Generic Office User is trickier, though. They tend to like more customization than a one-time lab-user, and get cranky when their bookmarks disappear after a reimaging.

sysadmin1138
  • Very similar situation. Domain is unfavorable and won't be supported, imaging is great except I'd have to write my own solution since multicast isn't going to be allowed and the machines are across campus, and the users need the admin privies to get their work done. Might consider new imaging software or figure out what's so bad about multicasting across campus. – AnthonyHurst Jan 19 '11 at 04:55
  • Multicast is the only way to really bulk-load a bunch of machines, otherwise it takes FOR FREAKING EVER and the switch uplinks are saturated for a lot longer than they would be with mcast. Roaming Profiles are the sadly traditional method for preserving settings across images. – sysadmin1138 Jan 19 '11 at 05:07
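The answer above lists several lockdowns that Group Policy can set without the user needing admin rights. On a standalone (non-domain) machine the same settings live in the registry locations that the Local Group Policy editor writes to, so they can be audited and, where missing, applied from a script run at image time or by a scheduled task. The following PowerShell script is an added example, not code from the answer or from any product mentioned on the page; the registry paths are the documented policy locations for these settings, while the particular set of values chosen (install at 03:00 daily, DisableCMD = 2 so logon scripts still run, and so on) is an assumption made for illustration.

```powershell
# Added example: audit (and optionally apply) the registry values behind several
# local-policy lockdowns from the answer. The chosen values are illustrative
# assumptions; the paths are the standard policy keys. Run elevated on Windows 7:
#   .\Audit-Lockdown.ps1            # report only
#   .\Audit-Lockdown.ps1 -Apply     # set any non-compliant value
param([switch]$Apply)

$Settings = @(
    @{ Name = 'Windows Update: auto-download and schedule install (AUOptions=4)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Value = 'AUOptions'; Expected = 4 },
    @{ Name = 'Windows Update: install every day (0)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Value = 'ScheduledInstallDay'; Expected = 0 },
    @{ Name = 'Windows Update: install at 03:00'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Value = 'ScheduledInstallTime'; Expected = 3 },
    @{ Name = 'Disable registry editing tools (regedit)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableRegistryTools'; Expected = 1 },
    @{ Name = 'Disable command prompt, still allow batch/logon scripts (2)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Value = 'DisableCMD'; Expected = 2 },
    @{ Name = 'Disable USB mass-storage driver (USBSTOR Start=4)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'; Expected = 4 },
    @{ Name = 'Remove Map/Disconnect Network Drive from Explorer'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoNetConnectDisconnect'; Expected = 1 }
)

# Read one setting and report whether it matches the expected value.
function Test-LockdownSetting {
    param([hashtable]$Setting)
    $actual = $null
    if (Test-Path $Setting.Path) {
        $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Value -ErrorAction SilentlyContinue
        if ($item -ne $null) { $actual = $item.($Setting.Value) }
    }
    New-Object PSObject -Property @{
        Setting   = $Setting.Name
        Expected  = $Setting.Expected
        Actual    = $actual
        Compliant = ($actual -eq $Setting.Expected)
    }
}

# Create the policy key if needed and write the expected DWORD value.
function Set-LockdownSetting {
    param([hashtable]$Setting)
    if (-not (Test-Path $Setting.Path)) { New-Item -Path $Setting.Path -Force | Out-Null }
    Set-ItemProperty -Path $Setting.Path -Name $Setting.Value -Value $Setting.Expected -Type DWord
}

$report = $Settings | ForEach-Object { Test-LockdownSetting $_ }
$report | Format-Table Setting, Expected, Actual, Compliant -AutoSize

if ($Apply) {
    $Settings |
        Where-Object { -not (Test-LockdownSetting $_).Compliant } |
        ForEach-Object {
            Write-Host "Applying: $($_.Name)"
            Set-LockdownSetting $_
        }
}
```

Two caveats when using this. The HKCU entries apply to whoever runs the script, so run the HKCU part in the lab user's context (or write it into the Default User hive before the account is created) rather than as the administrator, or you lock yourself out of regedit and cmd on that box. Second, settings written this way are ordinary registry values with no enforcement behind them; a user who already has admin rights (as the asker's users do) can simply change them back, which is exactly why the answer recommends a domain and GPO, where the values are reapplied on every policy refresh.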
0

So besides sysadmin1138's very good answer...

You can use gpedit to create a local security policy template, then you will need to push it to each machine. Also, most enterprise AV apps have an admin console where you can disable users' ability to modify your settings.

Lastly, you can check out solutions like Bit9 that white/black list applications. Or patch management solutions like Secunia.

Honestly though, I highly recommend setting up an AD structure to make your administration life easier.

cwheeler33
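The suggestion above to build a local security policy template and push it to each machine can be done with the built-in secedit tool: export the policy from a reference machine, copy the resulting .inf to the other workstations, and import it there. The PowerShell wrapper below is an added example, not from the answer or from any product on the page; the template path, log path and the two-mode layout are assumptions made for illustration.

```powershell
# Added example: export the local security policy of a reference machine with
# secedit, or import a previously exported template on a target machine.
# Paths are placeholders. Run elevated (Windows XP or 7):
#   .\Local-Policy.ps1 -Mode Export   # on the reference machine
#   .\Local-Policy.ps1 -Mode Import   # on each target after copying the .inf
param(
    [ValidateSet('Export', 'Import')] [string]$Mode = 'Export',
    [string]$Template = 'C:\Lockdown\lockdown.inf',
    [string]$LogFile  = "$env:windir\security\logs\lockdown.log"
)

switch ($Mode) {
    'Export' {
        # Dump the current local policy (account/audit policy, user rights,
        # security options, and so on) to an editable .inf template.
        New-Item -ItemType Directory -Path (Split-Path $Template) -Force | Out-Null
        secedit /export /cfg $Template /log $LogFile
    }
    'Import' {
        if (-not (Test-Path $Template)) { throw "Template not found: $Template" }
        # Merge the template into the local policy database, replacing the
        # stored template rather than appending to it, then refresh policy.
        secedit /configure /db "$env:windir\security\local.sdb" /cfg $Template /overwrite /log $LogFile /quiet
        gpupdate /force
    }
}

if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE (see $LogFile)" }
```

The exported .inf is plain text, so it can be reviewed and trimmed (for instance, keep only the User Rights Assignment and Security Options sections) before it is distributed. Distribution itself is whatever already works on the network: a startup script, a scheduled task that pulls the template from a file share, or PsExec from an admin workstation. Since the log records every setting secedit could not apply, check it on at least one target of each OS version, because an XP-exported template can contain entries that Windows 7 does not recognise.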