Restricting student permissions


Chris Scott
12-19-2000, 10:23 AM
I've been tasked with deploying w2000 pro in a peer-to-peer workgroup environment - in a student lab. There must be only one generic user account. These students have a reputation for hacking the OS to pieces through unauthorized reconfigurations. I have a basic understanding of NTFS permissions and user rights, but don't see any clean way to really bolt down the system. The students need rights to run only one application and use win explorer to delete their own files. Beyond that, I don't want to let them do ANYTHING lest I have to re-install the OS regularly. Any suggestions?

Signed,

Worried.

Sean Stecker
12-19-2000, 06:51 PM
Chris,

Oh but there is a very clean way to lock down the workstation. Use the Group Policy snap-in to configure the local policy. You can lock down almost every conceivable area within Windows 2000. The first thing you want to configure is Disable Registry Editing Tools. You can also configure Run Only Specified Windows Applications to further lock down the ability to even start other programs, such as Internet Explorer. Also, by default, the normal Users group has much more restrictive permissions in Windows 2000 than it did in NT 4.

I might also suggest throwing away the generic account model, in favor of accounts for each individual user; then you can turn on auditing and follow their every move.

Good luck,

Sean
www.swynk.com/friends/stecker
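Added example, not part of Sean's reply or of anything else in the thread: a PowerShell script that reports, and optionally applies, the registry values behind the two local policies Sean names (Disable Registry Editing Tools and Run Only Specified Windows Applications). Windows 2000 has no PowerShell, so this is written for a later Windows host or an admin workstation; the registry keys and value names are the ones those policies write. The executable names in $AllowedApps, the parameter names and the function names are assumptions.

```powershell
# Added example: the registry values that back the two policies named above.
# Paths are under HKCU, so run it while the account to be restricted is logged
# on (or point it at that account's loaded hive). Without -Apply it only reports.
param(
    # placeholder names: the lab's one permitted program, plus explorer.exe
    # because Chris wants students to delete their own files with Explorer
    [string[]]$AllowedApps = @('labapp.exe', 'explorer.exe'),
    [switch]$Apply
)

$systemKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$explorerKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$restrictRunKey = Join-Path $explorerKey 'RestrictRun'

function Get-LockdownState {
    # DisableRegistryTools = 1  <->  "Disable Registry Editing Tools"
    $disableRegTools = (Get-ItemProperty -Path $systemKey -Name DisableRegistryTools `
                        -ErrorAction SilentlyContinue).DisableRegistryTools
    # RestrictRun = 1 plus a RestrictRun subkey listing exe names  <->  "Run Only Specified Windows Applications"
    $restrictRun     = (Get-ItemProperty -Path $explorerKey -Name RestrictRun `
                        -ErrorAction SilentlyContinue).RestrictRun
    $allowed = @()
    if (Test-Path $restrictRunKey) {
        $key     = Get-Item $restrictRunKey
        $allowed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    [pscustomobject]@{
        RegistryEditingDisabled = ($disableRegTools -eq 1)
        RestrictRunEnabled      = ($restrictRun -eq 1)
        AllowedExecutables      = $allowed
    }
}

function Set-Lockdown {
    param([string[]]$Apps)
    foreach ($k in $systemKey, $explorerKey, $restrictRunKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    New-ItemProperty -Path $systemKey -Name DisableRegistryTools -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $explorerKey -Name RestrictRun -PropertyType DWord -Value 1 -Force | Out-Null
    # Rebuild the allow-list from scratch so stale entries from earlier runs do not linger.
    $key = Get-Item $restrictRunKey
    foreach ($name in $key.GetValueNames()) {
        Remove-ItemProperty -Path $restrictRunKey -Name $name
    }
    $i = 1
    foreach ($app in $Apps) {
        # entries are numbered string values whose data is the bare executable name
        New-ItemProperty -Path $restrictRunKey -Name ([string]$i) -PropertyType String -Value $app -Force | Out-Null
        $i++
    }
}

if ($Apply) { Set-Lockdown -Apps $AllowedApps }
Get-LockdownState | Format-List
```

Two points worth keeping in mind when using it in a lab like Chris's: the values live in the logged-on user's hive, so apply them from the student account and keep a separate administrative account that is not subject to them, or the admin tools (regedit, the Group Policy snap-in) are blocked for you as well; and RestrictRun only governs what the Explorer shell will launch, so it belongs alongside the NTFS permissions Chris already mentions rather than in place of them.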

Chris Scott
12-20-2000, 10:02 AM
Thanx Sean.
I'll look at those options. I didn't know about the "run only specified win apps" ... In our peer net, with six boxes and about fifty students who change every semester, I figured it would be a real pain to manage all those accounts on individual boxes ...

Chris

Sean Stecker
12-20-2000, 06:43 PM
Chris,

Have you given any thought to implementing a small domain for these students? This way you would only have to create the account once, not worry about synchronized passwords, and enforce permissions on a domain level instead of the local level.

Just a thought.

Sean
www.swynk.com/friends/stecker