
Thread: Win 7 workstation lockdown

  1. #1
    LithiumKid1976 Guest

    Win 7 workstation lockdown

    Hi,
    I have Server 2008 R2 as a DC, and 16 desktops running Win 7.
    I have been asked to lock down the workstations for students who will be logging on.
    (This is my 1st time using GP...)

    I have the Group Policy in place and it seems to be OK so far.
    Currently I have:

    1. Desktop locked down to stop users from making changes to background.
    2. Cmd locked down, users cannot run DOS commands
    3. USB ports locked down, no saving or installing or accessing files from the USB ports.
    4. DVD/CD drives disabled.
    5. Users cannot access add / remove programs
    6. Users cannot access control panel
    7. Users cannot access “recently accessed files”
    8. Taskbars / start menus locked down


    So I think it's fairly well locked down... but I'm no expert. Would anyone have any other suggestions on how I could make the workstations more secure, or would that just be overkill?

    Any suggestions welcome... thanks

  2. #2
    MikeBY Guest

    I'm assuming that the students will be logging in as "Users" without any kind of admin rights.
    If you are running MS Office, MS has ADMX files you can install to your domain to control settings for Office via GPO. In particular, there are browser settings for web-enabled Office documents that need to be set in addition to the normal IE security settings.

    MS has a free tool, "Microsoft Security Compliance Manager", and a set of baseline GPO policies that are good starting points for building from 'scratch'. If you want maximum lockdown, look at the SSLF (specialized security - limited functionality) baseline policies.

    You may want to consider using AppLocker to prevent users from installing Firefox or Google Chrome (assuming you do not have these browsers already installed). Both of those browsers can be installed by "users" without admin rights. I'm not sure what you mean by "desktop" locked down. You can also remove their ability to get to the personalization and desktop properties so they can't change themes, oh, and disable widget installation. Check IE settings, in particular RSS/Web Slice feeds (they are a security risk).

    Just remember, being locked down, you will need to spend more time supporting the machines. You will probably want to deploy printers and perhaps install plug-ins, etc. via GPO.
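
Added example, not part of the post above: a PowerShell check, run as an administrator on one lab PC, that the AppLocker policy delivered by GPO really stops a student from running per-user installs such as a browser dropped into the profile. The group name `LAB\Students` and the profile path `C:\Users\student1` are assumptions; substitute your own.

```powershell
# Added example. $studentPrincipal and $profileRoot are assumed values.
Import-Module AppLocker

$studentPrincipal = 'LAB\Students'       # assumed group holding the student accounts
$profileRoot      = 'C:\Users\student1'  # assumed profile of a test student account

# AppLocker rules are only enforced while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "Application Identity service is $($svc.Status); AppLocker is not enforcing anything."
}

# The policy this machine actually ends up with after all GPOs are merged.
$policy = Get-AppLockerPolicy -Effective

# A collection left at NotConfigured or AuditOnly blocks nothing.
$policy.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode, Count |
    Format-Table -AutoSize

# Per-user installers put their binaries under the profile, which the user
# can write to. Collect every executable and installer already sitting there.
$candidates = Get-ChildItem -Path $profileRoot -Recurse -Force `
                  -Include *.exe, *.msi -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName

if (-not $candidates) {
    Write-Output "No .exe or .msi files found under $profileRoot; copy a harmless test binary there and re-run."
    return
}

# Ask AppLocker how it would rule on each file for the student group.
$results = $policy | Test-AppLockerPolicy -Path $candidates -User $studentPrincipal

# Anything still 'Allowed' from a user-writable path is a gap in the rules.
$gaps = $results | Where-Object { $_.PolicyDecision -eq 'Allowed' }

if ($gaps) {
    Write-Warning "Files a student could run from their own profile:"
    $gaps | Select-Object FilePath, PolicyDecision, MatchingRule | Format-List
} else {
    Write-Output "All $(@($results).Count) files under $profileRoot are denied for $studentPrincipal."
}
```

AppLocker rules are only enforced on the Enterprise and Ultimate editions of Windows 7, so check the edition on the 16 desktops before relying on this. The `MatchingRule` column shows which allow rule let a file through, which is usually the rule to tighten.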

  3. #3
    LithiumKid1976 Guest

    thanks

    Hi
    MikeBY,
    Thanks for that input. Hopefully I'll tweak what I have, but it should be OK...


    I'll check out the MS tools shortly.
    Thanks again.

  4. #4
    jeff_longley

    Just to echo Mike's recommendation - the Security Compliance Manager is a godsend of a tool; one of those "I can't believe it took them so long to release something like this" ones!

    Remember that locked down environments are great, but test, test and test some more LONG before you roll it out; last thing you want is to be sat in front of a class of 16 students who can't print their work or access the school's intranet cos someone went one step too far with the lockdown! :-)
