Securing Win7 Home Premium

[KampKounslr1]

Hi everyone,

I work at an apartment community in Arizona and we have a public computer for our residents to use. For better (or worse) it came with Win7 Home Premium, and I need to block certain functionality of the computer. As such, I have some questions and I haven't found any clear cut answers on these items.

1) How can I disable save-access for a non-admin account to the HDD? Ultimately, I would like residents to be able to save to USB drives, but not to the HDD.
2) Can I set Windows to auto-clear any recently opened docs from the Start Menu?
3) I have the non-admin account not set as a Guest account because doing so disabled wireless connectivity. Am I missing something in setting up the account to work this way? I only have wifi access on the PC, no ethernet.
4) Can I block users from disabling any background apps?

I get the feeling that most of these items I would need to be running Pro, but unfortunately that isn't an option. I am hoping that someone out there has some helpful hints

Thanks in advance!

 

[mechBgon]

To start with, you can upgrade it to Pro for $80, Newegg's got the Anytime Upgrade pack. When you consider what your time's worth... hey. But if I were stuck with Home Premium, I'd at least set up Parental Controls to start off with. And if the background processes are running as SYSTEM or Admin, they should be tamper-resistant.


Oh, and here's some further security suggestions: http://www.mechbgon.com/security The Parental Controls feature actually uses Software Restriction Policy (the final tip there) in a limited way.

 

[KampKounslr1]

At the moment, Corporate is not interested in spending money on this. So I have to make do with what I have :\ However, I really appreciate the help Mech! Hopefully when the next fiscal budget rolls around they will consider the upgrade and saving me the time from having to manually maintain the pc!

Thanks again, I do really appreciate the info!

 

[VinylxScratches]

Might be able to do something with Sandboxie? http://www.sandboxie.com/

If you want to limit users modification, make sure the account is set to non-administrative values. You could possible setup a batch file to delete files in users folder everyday via using task manager.

Sucks that it's not a corporate version OS because GPEDIT.msc is pretty powerful.

 

[Gamingphreek]

Hi everyone,

I work at an apartment community in Arizona and we have a public computer for our residents to use. For better (or worse) it came with Win7 Home Premium, and I need to block certain functionality of the computer. As such, I have some questions and I haven't found any clear cut answers on these items.

1) How can I disable save-access for a non-admin account to the HDD? Ultimately, I would like residents to be able to save to USB drives, but not to the HDD.
2) Can I set Windows to auto-clear any recently opened docs from the Start Menu?
3) I have the non-admin account not set as a Guest account because doing so disabled wireless connectivity. Am I missing something in setting up the account to work this way? I only have wifi access on the PC, no ethernet.
4) Can I block users from disabling any background apps?

I get the feeling that most of these items I would need to be running Pro, but unfortunately that isn't an option. I am hoping that someone out there has some helpful hints

Thanks in advance!

Sandboxie and stuff will not affect user policy.

1. There is no such thing as save-access. You are referring to write access. There is no way to disable write access for a given user. Without write access you would not be able to do anything on the computer (including start it up). You CAN limit a user's write access to their specific User directory with Group/Local User policy.

2. You can tell it to not save a list of or auto-clear recently opened documents in Group/Local User policy again.

3. I'm not entirely sure what you are asking to do right here.... You can limit local accounts by changing the Group/Local User policy when logged into the Administrator account (Not your account with Administrator privileges)

4. If you start up the app as a SYSTEM app, no user except the System Administrator will be able to kill the process.

None of the above should require Windows 7 Professional. This is basic User Policy that dates back to the Windows 200 days

-Kevin

 

[Ken90630]

Another option would be to go to your local Kinko's (assuming there's one nearby), ask to speak to whoever locks down their public computers, and ask how they do it. I had to use a Kinko's public PC awhile back while my PC was down (needing a part), and it was pretty well locked down. I would assume public libraries' computers are similarly secured.

Just a thought.