Lab PCs Best Practices for Ease of Use yet Secure?

Microsoft Windows 7 home premium
October 17, 2012 at 11:55:15
Specs: Windows 7 x64, Intel i7 / 4 GB
Hi, I'm the network admin at a school. I went to school for Cisco networking and ended up getting a job where I am a Microsoft server guy. I've been the network admin at this school for over 4 years now. I wish the labs worked a little better. I started out locking the labs down via group policy. But over time, due to bad performance, I redid most of the labs to use local policy.

Most labs in the district are pretty generic. They run either XP or Vista, on the domain, and they browse the web, run Microsoft Office apps, and print. Pretty generic.

I have almost all my labs locked down via local policy. I use folder redirection for the start menu and desktops with NTFS permissions on the share so the kids can't change them. I want every PC to work 100% identical.

Are there any tutorials or best practices guides that say how to set up a lab PC and the network side of the lab PCs in AD that is super simple to use for the end user yet is as secure as most enterprise labs?



#1
October 18, 2012 at 07:24:58
If it were me in a lab environment with kids, I'd use something like "Deep Freeze" to lock the computers down.

Deep Freeze is one of many different flavors of this type of software that basically boots the computer from an image. Users can make whatever changes they want while in a session but the second you shut it down, all changes are gone and you're back to the basic image again.

I'm not saying use Deep Freeze, I was merely giving that as an example.

As far as the networking side of things goes, I would have all the labs segregated from the rest of your network and give them internet access only.

Since you have Cisco training I shouldn't need to explain to you how to go about segregating a segment of the network from the rest of your LAN using VLANs.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#2
October 18, 2012 at 07:34:58
Sadly, I have a Cisco background, but the network here is 100% 3com... lol. But I can configure vlans.

I've pondered the "deep freeze" idea. But I kind of considered that old school to the new wave of technologies of using published apps. But we don't use published apps either here because we don't have any app servers and the network backbone we don't think is fast enough.

So, I was just hoping there was a best practices on exactly how to build a lab PC to be as accessible as possible so the end user isn't restricted because they can't install a plugin on a website, yet is as locked down as possible so hackers on the outside can't compromise the PCs and they're as protected as possible from viruses and trojans.

One thing I haven't been able to figure out is how to stop kids from installing apps on the PCs. I have the local desktop and start menu hidden so all they see is the folder redirected stuff and they don't have permissions to add icons to the folder redirections. But when I log in as the local administrator, I see all the apps they installed. I think most kids that prefer Firefox install it every time they log in so they can use it... because the only way they can use it, seeing they can't get an icon, is to download it and install it every time.

But, we had an issue where one admin's PC got a virus on it that the virus hacker attempted to steal a ton of money from the school. A security consultant came in and said one thing I'm doing wrong is I have the local administrators account on every machine enabled and I need to disable them all. So, I'm looking into how to do that yet leave the programs working.

That's why I'm looking for a best practices. How do I disable the local administrator yet be able to administer a PC at a local level if need be?



#3
October 18, 2012 at 10:58:08
> Sadly, I have a Cisco background, but the network here is 100% 3com... lol. But I can configure vlans.

I agree... sadly I too have a Cisco background. Thank goodness I was able to talk the powers that be where I work into replacing all the Cisco with Avaya! It's ok, Cisco hates guys like me anyhow because I didn't pay them for their overpriced training. I learned on the job with the help of someone else who knew their way around Cisco. Not that I have a problem with Cisco's equipment, I don't. I have a problem with their gouging on everything from support to training.

When I first started here we had Cisco, 3COM and Nortel (now Avaya). 3COM's are pretty simple to work with so you shouldn't have an issue configuring the separate VLAN(s) for your lab(s).

From a strictly networking point of view, if you segregate the lab network, then if it's compromised by a virus or trojan, at least the hacker won't be able to access anything sensitive and potentially steal money or credit card numbers etc.

> That's why I'm looking for a best practices. How do I disable the local administrator yet be able to administer a PC at a local level if need be?

You'll forgive me for being a little hazy, it's been 7+ years since I did any domain admin and my skills are rusting badly so I'm afraid I won't be much help with this issue.

All I can think of is it sounds to me like you've made whatever accounts the users are logging in with part of the local administrator group on each PC. If they weren't, you would be able to easily restrict them from installing anything. Of course, I may be wrong, like I said, it's been a while.

What server version are you running? I'll move this thread over to that forum where you're more likely to get the help you need than in here in the networking forum.

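An audit script for the two questions raised in this thread (who is in the local Administrators group on each lab PC, and whether the built-in Administrator account is enabled), added here as an example and not posted by any participant. The allow-list names are hypothetical placeholders; it uses WMI and the WinNT ADSI provider, which are available on Windows 7-era PowerShell.

```powershell
# Added example, not from the thread. Allow-list entries are placeholders.
param(
    [string[]]$ComputerName  = @($env:COMPUTERNAME),
    [string[]]$AllowedAdmins = @('Administrator', 'Domain Admins')  # hypothetical allow-list
)

function Get-LocalAdminReport {
    param([string]$Computer, [string[]]$Allowed)

    # Built-in Administrators group: well-known SID S-1-5-32-544, even if renamed.
    $group = Get-WmiObject Win32_Group -ComputerName $Computer -ErrorAction Stop `
        -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

    # Enumerate members through the WinNT ADSI provider (local and domain principals).
    $adsi = [ADSI]"WinNT://$Computer/$($group.Name),group"
    $members = @($adsi.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    # Built-in Administrator account: local SID ends in -500, even if renamed.
    $builtin = Get-WmiObject Win32_UserAccount -ComputerName $Computer -ErrorAction Stop `
        -Filter "LocalAccount=True" | Where-Object { $_.SID -like 'S-1-5-21-*-500' }

    New-Object PSObject -Property @{
        Computer            = $Computer
        AdminMembers        = $members -join ', '
        # Anything not on the allow-list, e.g. a student or shared lab account.
        UnexpectedMembers   = ($members | Where-Object { $Allowed -notcontains $_ }) -join ', '
        BuiltinAdminName    = $builtin.Name
        BuiltinAdminEnabled = -not $builtin.Disabled
    }
}

foreach ($pc in $ComputerName) {
    # Unreachable or access-denied machines are reported, not silently skipped.
    try   { Get-LocalAdminReport -Computer $pc -Allowed $AllowedAdmins }
    catch { Write-Warning "$pc : $($_.Exception.Message)" }
}
```

Run it from an admin workstation with rights on the lab PCs; a student or shared lab login listed under UnexpectedMembers is the condition post #3 suspects.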