
Locking Down a PC for use by rambunctious children.

pradeep1

Golden Member
Hello Everyone,

I need some help. Over the past year, I have been helping my local Boys & Girls Club build out their computer lab. This little lab now contains about 12 computers, and they were mostly built using parts purchased from / donated by members of this forum. (Thanks!).

The computers are standardized on Windows 2000 Professional and have on them virus protection (Norton) and Spyware protection (AdAware, Spybot, Spywareblaster, MS Anti-spyware beta, Spyware Guard).

About 100-150 kids use the computers daily, and they mostly use them for completing class assignments, surfing the internet, playing internet games, etc. Not much heavy use.

After a few months, I noticed that whenever I went back to the BGC, the teachers there would complain about certain computers not working. Every time I go back, I notice that at least 30% are not operational. These machines range in power from Athlon XP 1700+ machines with 512 MB RAM for the high end, to 600 MHz Celerons with 256 MB RAM for the low end.

The problem with these computers is that these kids download everything and anything in sight and install them on the machines. I brought one of the higher end machines to work on and after running a virus and spyware scan, found something like 200+ spyware programs running, and maybe 2-3 virus infections. Granted, this was a worst case of the lot.

So here is what I'd like to do:

1. Lock down all the PCs so they can be used for only a limited set of things:

a) Surf the Internet
b) Work on Word, Excel, Powerpoint
c) Run educational software titles that the teacher(s) install

2. Prevent the kids from changing the wallpaper, taskbar settings, internet settings, etc.

3. Prevent installation of spyware, IM and chatting software, downloadable games, etc.

4. Make it simple for the teachers to maintain these machines. The teachers are basically computer technically illiterate, and the kids can swim circles around them.

5. Do this without incurring additional software costs, since we have no budget for this.

One thought...install some type of rollback software. What it should do is take a snapshot of the baseline install that I put on these machines and roll back everything each time the computer is started. Sort of like a re-ghosting of the hard drive each time the computer starts. Nothing gets retained, everything is reset back to the way it was, and no more problems.

Your thoughts and suggestions would be much appreciated.

Thanks,

Pradeep
 
You know I am aware of a software program (can't remember the name) that does exactly what you want. It basically freezes an image of the hard drive and every restart it puts the frozen image back in place. Unfortunately this is commercial software so there would be a cost involved although there might be a discount for a non profit organization such as the Boys & Girls club. The other option would be to set up a basic user account and go through the user policy and only allow the programs you want to have run to run. It can be done but it will take some time to do. You would do this by accessing the Local Security MMC snap-in. If you need additional help with this I can walk you through it.
 
You MAY not like to hear this....


Use Ubuntu, easy to install, has web, a few games, word processing, and is immune to current spyware/virii.

It's also (imho) easier to lock down, and easier to keep up to date (click, put password in, click again, click done after they install)

Linux is starting to be my answer to problems with family computers (all they do is web, email, word processing) and they don't seem to care now.
 
Originally posted by: nsafreak
You know I am aware of a software program (can't remember the name) that does exactly what you want. It basically freezes an image of the hard drive and every restart it puts the frozen image back in place. Unfortunately this is commercial software so there would be a cost involved although there might be a discount for a non profit organization such as the Boys & Girls club.

They used this at the computer labs at my school on the PCs (also can't remember the name, though, and I have no idea how much it costs). They also forced the systems to reboot as soon as you logged off. It was painfully slow waiting for those reboots, but they almost never broke due to bad software or people installing crap they shouldn't.

It *may* have been Deep Freeze that they were using. It was definitely something similar. Deep Freeze looks like it costs $25 plus $14 per system for 'educational' licenses. I don't know if they have any deeper discounts for nonprofits.

The other option would be to set up a basic user account and go through the user policy and only allow the programs you want to have run to run. It can be done but it will take some time to do. You would do this by accessing the Local Security MMC snap-in. If you need additional help with this I can walk you through it.

This is definitely the cheaper alternative, and should meet all your objectives. Just make sure the teachers don't let the kids see them typing in the administrator password. 😛
 
At my college they use something in the computer labs that makes the start menu only have three items on it:

Word
IE
Firefox

Oh yeah, and the "all programs" list shows up too.

If I were you I would set them all up so that they load a ghost image to the drive when the computers are turned on. That would really solve some problems. Then also set them up so that they are locked down by some app.... can't really help you there though. I think you should try the ghost image idea.
 
Originally posted by: jndietz
If I were you I would set them all up so that they load a ghost image to the drive when the computers are turned on. That would really solve some problems. Then also set them up so that they are locked down by some app.... can't really help you there though. I think you should try the ghost image idea.
The problem with that is that if the teachers actually want to install a piece of software (or apply patches or something) then they have to figure out how to regenerate the image so that their work doesn't get wiped out.
 
gpedit.msc is your friend. Give the users limited access and block whatever they shouldn't be able to do. The Group Policy Editor is good enough for what you are trying to do.
 
Originally posted by: zerodeefex
gpedit.msc is your friend. Give the users limited access and block whatever they shouldn't be able to do. The Group Policy Editor is good enough for what you are trying to do.
:thumbsup:

Run only allowed apps
It will take some work to whitelist everything you specifically want, but the use of Restricted User accounts is a good start while you're working on your whitelist. This would keep kids from downloading stand-alone IM programs that don't require formal installation, for example.

1) Make sure the Administrator account is password-protected.

2) Put the kids' account(s) in the computer's local Users group (this is the Restricted Users, aka "Limited" if it were WinXP) and remove them from the Administrators and Power Users groups (right-click My Computer > Manage > Local Users & Groups). Among other things, this eliminates the common ActiveX software-installer popups 🙂

3) Scan the systems with Microsoft Baseline Security Analyzer 1.2.1 for other common configuration problems such as the anonymous-access setting: MBSA 1.2.1 download page.

4) Make sure the systems have Automatic Updates enabled, make sure they're updating their virus signatures daily, and make sure the antivirus is using its compressed-file scanning and heuristics for both real-time scanning and for scheduled scans.



If it were me, I'd go in on a weekend and nuke the whole lot of 'em, and set them up tight from scratch, and then you can also develop a Run-Only-Allowed whitelist to supplement that. I would be happy to send you a CD with some resources that I use to streamline fresh installs and patching on our mostly-2000 fleet, drop me a PM if interested.
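
Steps 1 and 2 of the post above, scripted so they can be repeated on each lab PC. This is an added example, not part of the original post; the account names `student1` and `student2` are assumptions to be replaced with the accounts the kids actually log on with.

```batch
@echo off
rem Added example, not from the original post.
rem Run from an Administrator command prompt on each lab PC.
setlocal

rem Assumed account names: replace with the real kids' accounts.
set LAB_ACCOUNTS=student1 student2

rem Step 1: set a password on the built-in Administrator account.
rem The * makes net.exe prompt for the password instead of taking it
rem on the command line, so it is not left in a script or on screen.
net user Administrator *

rem Step 2: leave each kids' account in the local Users group only.
rem Errors are hidden because /add fails when the account is already a
rem member and /delete fails when it is not; both cases are harmless.
for %%U in (%LAB_ACCOUNTS%) do (
    echo Restricting %%U
    net localgroup Users %%U /add >nul 2>&1
    net localgroup Administrators %%U /delete >nul 2>&1
    net localgroup "Power Users" %%U /delete >nul 2>&1
)

rem Print the resulting membership so it can be checked by eye.
rem No kids' account should appear under Administrators or Power Users.
net localgroup Administrators
net localgroup "Power Users"
net localgroup Users

endlocal
```

A misspelled account name is skipped silently, so the membership listing printed at the end is the check that matters.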
 
Originally posted by: pradeep1
Very cool, but we have Windows 2000 Professional, no XP. 🙁
I missed the word "2000" in your post. Sorry.

"Deep Freeze" comes highly recommended.

Normally, you'd install a Domain Controller and set the desktop rights from that (using Group Policies). That way, you don't have to touch each computer each time you make a settings change. It might be better to do that if you are going to have to pay for a lockdown program for each desktop. There are numerous other advantages of having a Domain controller besides lockdown.

I don't know exactly how much you can lock down the 2000 desktop. I haven't looked at its lockdown abilities. There are also lockdown capabilities in the Local Policies of Windows 2000. You can apply a local lockdown policy using scripts on each desktop if you don't have a Domain controller, but it's a LOT more work.
 
Get a Domain Controller and lock down the PCs using GPOs instead. Using gpedit.msc locally is a hassle for both editing, implementation, and maintainability since editing policy at that level will also affect any local administrators.
 