Locking down an XP machine in a domain


  • Locking down an XP machine in a domain

    My question is how can I lock down an XP machine through Group Policy?

    Here is the plan:

    A generic logon to a terminal server
    User then logs on with their username and password
    Necessary drives and printers are mapped
    On the terminal server there are the Office products and the web.
    Basically the old PCs are thin clients
    Any ideas on how to do this with Group Policy in a domain?

    Does anyone have any ideas?

    Thanks in advance

  • #2
    Re: Locking down an XP machine in a domain

    Sorry, but I am not certain I understand. What do you want to lock?
    A generic logon to a terminal server
    User then logs with their username and password
    This you have to accomplish within the old PC itself. When you say "thin clients", you mean they are diskless? Based on what OS? Linux?
    Necessary drives and printers are mapped
    This is achieved by the right login script.
    On the terminal server there is the office products and the web.
    OK, so where is the locking issue?

    Sorin Solomon


    In order to succeed, your desire for success should be greater than your fear of failure.
    -



    • #3
      Re: Locking down an XP machine in a domain

      What I want to do is auto logon the computers to a terminal server 2003 so the students can then logon with their username and password.

      They can then access their shared drive.

      I want to do this for the purpose of using old machines with only a P3 and a 10 GB HD.

      Basically I don't want the students to use the machine for anything else.

      The computers will have XP Pro on them.

      Sorry if this doesn't clear it up

      thanks



      • #4
        Re: Locking down an XP machine in a domain

        If I understand right, you want to boot the old PC, and it will connect automatically to a TS server.
        To do so, you need an OS on the computer. There are a number of solutions available, most used are Windows-based and Linux-based.
        The Windows-based solutions use Windows 2000 Pro on the computers. They boot, do automatic login (with TweakUI or a registry setting), connect to the TS server/farm through a shortcut of the RDP connection in the Startup folder of the user and voila! You have a TS session, on an old computer.
        Pros:
        - you can use an old PIII computer with Win2000 Pro. Even less than that (I used a PII with this scenario until six months ago);
        - if you have the OSes already, you don't have to purchase anything else; you have to install the RDP Client, which is free;
        - the setup is simple and pretty straightforward;
        - you can lock the station with GPO (that is not possible with clients running Win98, for instance) in such a manner that even when the user manages to close the session and get back to the Desktop, he/she won't be able to do anything.
        Cons:
        - if you don't have the OS, it's a total waste of money to buy it for every machine;
        - you are depending on an old OS that is end-of-life, with no more security updates and pretty insecure. You'll have to check it for intrusions and keep its antivirus updated. In two words: administrative overhead;
        - you need a hard disk on the old machine. This will in time give you a point of failure;
        - the boot process takes a long time. The machines are old and weak; it can take a few minutes;
        - any problem in the old OS will make your station useless;
        - a clever user can close the session without problems: even if you set the display to Full Screen and uncheck the "Display the connection bar ..." checkbox, pressing Alt+Ctrl+Break will take the session out of Full Screen. You will have to find a way to start the session again, for the next student.

        The Linux-based solutions use a Linux that has a small footprint, that can be installed on a small HD, on a CD (a customized Live-CD) or even on a special card. I know a firm here in Israel that developed a small PCI device, with a 64MB flash on it. It boots a small Linux, based on Knoppix, that loads drivers and searches on the network for a DHCP and a PXE server. It then sets up an RDP connection to a TS server.
        Pros:
        - in certain scenarios, like the one I described above, with the special card, no need of HD;
        - no need of licenses, since Linux is free;
        - the boot time is minimal, up to 30 seconds on a PIII;
        - no actions to take to secure the station, since there's no interaction with the user;
        Cons:
        - the setup is not simple. You have to set a DHCP server and a PXE server, to configure them and maintain them;
        - purchases are to be made, if you want the card (as far as I know, it's $90 each);
        - depending on the implementation method, you can reach a point that the user cannot close the session;

        I can go on with these lists. I only put here the things I got into when studying the issue. There are a lot of solutions available, based on both Windows and Linux.
        Some useful links:
        - Linux Terminal Server Project;
        - 2X ThinClientServer PXES edition;
        - PC Reviver - a PCI card;
        - Windows Fundamentals and an article in ComputerWorld.

        I hope this info helps.

        Sorin Solomon





        • #5
          Re: Locking down an XP machine in a domain

          Thanks a lot for the info.

          We have a volume license for 2000 & XP, so that is not a problem.
          That is what I'm trying to find out: how to lock the workstation with GPO.
          As for breaking the session, don't you think that by restarting the machine it will go back into the TS session?
          I don't want the kids to break the session.
          We have a HD on each machine, not a problem.
          Starting the machines: we can have a teacher start them in the morning before the kids get in.
          We can just re-image the PCs with Altiris.

          Linux:
          We don't have anyone on our team that knows Linux inside and out.
          Linux is out of the question.

          We have tried X; not a bad idea, but we are worried about third-party software and the downtime figuring out if there are any problems.

          Haven't tried PC Reviver; will look into this one.

          Currently trying out Windows Fundamentals still not completely locked down.

          This is what I want to do.

          you can lock the station with GPO (that is not possible with clients running Win98, for instance) in such a manner that even when the user manages to close the session and get back to the Desktop, he/she won't be able to do anything.

          Thanks a lot



          • #6
            Re: Locking down an XP machine in a domain

            Originally posted by dbotelho
            As for breaking the session, don't you think that by restarting the machine it will go back into the TS session?
            Of course it will. If you set the automatic login and run the RDC on Startup, no problem. Would you like to do this often? As I said, the boot time is pretty long. And you should hold the services to a minimum. I use The Elder Geeks' list for reference.
            Originally posted by dbotelho
            I don't want the kids to break the session.
            That might be a problem. I couldn't find any way to prevent that. Let's hope they don't read this forum.
            Originally posted by dbotelho
            Starting the machines: we can have a teacher start them in the morning before the kids get in.
            This is what we usually did.
            Originally posted by dbotelho
            We can just re-image the PCs with Altiris.
            On a daily basis? We use a solution like DeepFreeze, only in hardware (it's an Israeli vendor, don't know if it's relevant to give you the link).
            Originally posted by dbotelho
            We don't have anyone on our team that knows Linux inside and out.
            Linux is out of the question.
            Check outsourcing. Linux has too many advantages over Windows to be left aside only for this. And you only need implementation. The minute it runs, it should be problem-free...
            Originally posted by dbotelho
            Haven't tried PC Reviver; will look into this one.
            Tell us what you think.
            Originally posted by dbotelho
            you can lock the station with GPO (that is not possible with clients running Win98, for instance) in such a manner that even when the user manages to close the session and get back to the Desktop, he/she won't be able to do anything.
            That isn't supposed to be a problem. I hope you don't want to know exactly what to set (keys and values).
            After all, you need to:
            - set automatic login;
            - RDC on Startup;
            - hide all icons on the Desktop;
            - hide anything in the Start Menu, except Logoff and Shutdown (you need Logoff to allow you to do maintenance on the computer);
            - deny changes to the Taskbar, Language Bar (if it exists), QuickLaunch, clock and so on;
            - deny running any application, except for mstsc.exe;
            - disable right click.

            I hope I didn't forget anything.
            Good luck.

            Sorin Solomon





            • #7
              Re: Locking down an XP machine in a domain

              Use this at your own risk and test it before putting it in production:

              There is an option to change the Explorer.exe to Mstsc.exe.
              However, you need to make some scripts to monitor if mstsc.exe is still running. If not, shutdown OS.

              Something like this:
              Code:
              @Echo off
              :: Watchdog for a locked-down XP client: mstsc.exe must stay the only
              :: foreground program. Explorer or Task Manager get killed; if the RDP
              :: client itself is gone, the machine is shut down.
              Setlocal
              :LOOP
                  :: Token 2 of the TASKLIST output is the PID; empty means mstsc.exe is not running
                  Set MyPID=
                  FOR /F "tokens=2 delims= " %%A IN ('TASKLIST /FI "IMAGENAME eq mstsc.exe" ^| FIND /I "mstsc.exe"') DO SET MyPID=%%A
                  IF "%MyPID%"=="" goto NoClient

                  :: FIND returns errorlevel 0 only when the image name was listed
                  TASKLIST /FI "IMAGENAME eq explorer.exe" | FIND /I "explorer.exe" >nul
                  IF NOT ERRORLEVEL 1 call :Explorer

                  TASKLIST /FI "IMAGENAME eq taskmgr.exe" | FIND /I "taskmgr.exe" >nul
                  IF NOT ERRORLEVEL 1 call :Taskmgr

                  :: XP has no sleep command; ping with 6 echoes waits about 5 seconds
                  ping -n 6 127.0.0.1 >nul
                  GOTO LOOP

              :Explorer
              Echo Access violation; Explorer is running!!!!
              ECHO Reported to admin (or something like that :))
              Taskkill /F /IM Explorer.exe
              goto :EOF

              :Taskmgr
              Echo Access violation; Taskmanager is running!!!!
              ECHO Reported to admin (or something like that :))
              Taskkill /F /IM Taskmgr.exe
              goto :EOF

              :NoClient
              Echo Mstsc is not running.. shutting down...
              Endlocal
              Shutdown /S /F /t 60

              To hide the window, you can use the tool below.. works as a charm.
              http://www.commandline.co.uk/cmdow/

              If I remember it correctly you should follow the procedure I've written below.
              To replace the explorer change the following registry entry:

              Code:
              HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon
              RightClick on Shell and change the value from explorer.exe to mstsc.exe

              Also, lock down the computer entirely via GPOs.
              Last edited by Dumber; 3rd February 2007, 18:41.
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"
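              Added example (my own, not code from the thread or from any poster) that puts the settings listed in post #6 and the Shell replacement from post #7 into one script and, more importantly, gives you a check that reports drift from the intended state. The value names are the ones the matching Group Policy settings write (for example RestrictRun is what "Run only allowed Windows applications" sets), so in a domain you would put the same settings in a GPO linked to the students' OU; the script is for a test box and for auditing. The terminal server name, kiosk account and domain are constructed placeholders, and it assumes PowerShell 2.0 or later on the client.

```powershell
# Added example (not from the thread): apply and verify the per-user lockdown
# that post #6 lists, plus the Winlogon Shell replacement from post #7.
# Constructed assumptions: the terminal server name, the kiosk account and
# domain below, PowerShell 2.0 or later on the client, and an elevated session
# (for HKLM) while logged on as the kiosk user (for HKCU).

$TerminalServer = 'ts01.example.local'   # assumed terminal server name
$KioskUser      = 'student'              # assumed auto-logon account
$KioskDomain    = 'SCHOOL'               # assumed domain NetBIOS name

$PolExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolSystem   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Intended state, one entry per item in post #6 (1 = policy enabled)
$Settings = @(
    @{ Key = $PolExplorer; Name = 'NoDesktop';          Value = 1 }   # hide all Desktop icons
    @{ Key = $PolExplorer; Name = 'NoRun';              Value = 1 }   # no Run item in the Start Menu
    @{ Key = $PolExplorer; Name = 'NoSetTaskbar';       Value = 1 }   # deny changes to the Taskbar
    @{ Key = $PolExplorer; Name = 'NoTrayContextMenu';  Value = 1 }   # no right-click on tray/clock
    @{ Key = $PolExplorer; Name = 'NoViewContextMenu';  Value = 1 }   # disable right-click in Explorer
    @{ Key = $PolExplorer; Name = 'RestrictRun';        Value = 1 }   # run only allow-listed programs
    @{ Key = $PolSystem;   Name = 'DisableTaskMgr';     Value = 1 }   # Task Manager cannot be opened
    # Post #7: replace the shell so the RDP client is all the user ever sees
    @{ Key = $Winlogon;    Name = 'Shell';              Value = "mstsc.exe /v:$TerminalServer /f" }
    # Automatic logon; DefaultPassword is deliberately NOT written here (see the check below)
    @{ Key = $Winlogon;    Name = 'AutoAdminLogon';     Value = '1' }
    @{ Key = $Winlogon;    Name = 'DefaultUserName';    Value = $KioskUser }
    @{ Key = $Winlogon;    Name = 'DefaultDomainName';  Value = $KioskDomain }
)
$AllowListKey = "$PolExplorer\RestrictRun"   # the RestrictRun allow-list lives in a subkey

function Set-KioskLockdown {
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        # Integers are written as REG_DWORD, strings as REG_SZ, which is what the policies expect
        Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value
    }
    if (-not (Test-Path $AllowListKey)) { New-Item -Path $AllowListKey -Force | Out-Null }
    # Value names in the allow-list are "1", "2", ...; the data is the bare executable name
    Set-ItemProperty -Path $AllowListKey -Name '1' -Value 'mstsc.exe'
}

function Test-KioskLockdown {
    # Returns one line per deviation from the intended state; an empty result means locked down
    $drift = @()
    foreach ($s in $Settings) {
        $actual = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ("$actual" -ne "$($s.Value)") {
            $drift += "$($s.Key)\$($s.Name): expected '$($s.Value)', found '$actual'"
        }
    }
    $allowed = (Get-ItemProperty -Path $AllowListKey -ErrorAction SilentlyContinue).'1'
    if ($allowed -ne 'mstsc.exe') { $drift += "$($AllowListKey): mstsc.exe is not on the allow-list" }
    # A cleartext DefaultPassword in Winlogon is readable by anyone who can read the registry; flag it
    $pw = (Get-ItemProperty -Path $Winlogon -Name 'DefaultPassword' -ErrorAction SilentlyContinue).DefaultPassword
    if ($pw) { $drift += "$Winlogon\DefaultPassword is stored in cleartext; store it as an LSA secret instead" }
    return ,$drift
}

Set-KioskLockdown
$problems = Test-KioskLockdown
if ($problems.Count -eq 0) { 'Lockdown verified' } else { $problems }
```

              Two things to keep in mind when using it. The auto-logon password is not written by the script: the DefaultPassword value is plain text, so set it with a tool that stores it as an LSA secret (TweakUI, mentioned in post #4, or Sysinternals Autologon) and let Test-KioskLockdown tell you if someone has put it in the registry anyway. And the Shell value under HKLM applies to every account that logs on locally, including the one you use for maintenance, so try the Shell replacement on a spare machine first; the HKCU policies plus auto-logon on their own (post #6's approach) keep Explorer available to the admin account, which is what the Logoff item in post #6 is there for.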



              • #8
                Re: Locking down an XP machine in a domain

                Thanks for the reply you have been a big help.


                If you don't mind, could you send me any of the Linux links to what you mentioned? It would be helpful.

                Thanks



                • #9
                  Re: Locking down an XP machine in a domain

                  I am glad this info helped.
                  Regarding Linux, I have only those two links I already gave you. You should check local companies for solutions. The solutions I have are local relative to me, here, in Israel, so they will be irrelevant for you.

                  Sorin Solomon





                  • #10
                    Re: Locking down an XP machine in a domain

                    One last point I will make for you; you cannot guarantee getting back into the same session with simple Terminal Services.

                    To guarantee that, you must run a Windows Server 2003 Enterprise on the network, and install "Session Directory" on it. I can't remember the exact details, but your TS Licensing Server must be installed by an Enterprise Admin and available to the Enterprise, and your Session Directory must also be installed by an Ent Admin.

                    Session Directory GUARANTEES that a broken session will be the one you return to when the user of that session logs back in; REGARDLESS of which client machine he uses. Cracking bit of kit, but expensive LOL.


                    Tom
                    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                    Anything you say will be misquoted and used against you



                    • #11
                      Re: Locking down an XP machine in a domain

                      Hi, Tom.
                      Session Directory is for a Terminal Services farm. The OP did not say anything about more than one server.
                      Two more problematic points regarding this free service:
                      - it is relevant for environments with distinct users. I had all my clients log in with the same username, because my environment is public, and the users do not have any personal files and settings. Because of this, I could not use Session Directory;
                      - to implement Session Directory you need some Load Balancing solution. When I checked this back in December 2004, Microsoft said it can work only with their NLB. Their NLB solution sucks, both because of its features (it does not do real, resource-based Load Balancing) and because of its implementation. I didn't manage to make it run properly, mostly because of how my switches tried to understand Microsoft's NLB multicast packets.
                      Microsoft updated their recommendations and now declare that a 3rd party Load Balancing solution may be used. I would check this thoroughly. The servers should be declared as part of a cluster. My solution does Load Balancing without the servers knowing they are part of a cluster.

                      Useful links:
                      - Microsoft's white paper on the subject.

                      Hope this info helped.

                      Sorin Solomon





                      • #12
                        Re: Locking down an XP machine in a domain

                        Ahhh - of course, you're right, my bad. By the way to make Microsoft's NLB work I had to use DNS Round-Robin in the end... very very nasty, and not resource based at all.


                        Tom



                        • #13
                          Re: Locking down an XP machine in a domain

                          I'm using 2X Load Balancer. Not free, but it does a great job. I have 4 servers and 100 thin clients. Works resource-based or round-robin and its network noise is acceptable. And it gives you the Session Directory solution too.
                          I'm not trying to sell it. Just to let you know about a product that solved a big headache for me.

                          Sorin Solomon



