Client wants to lock down their business machines.

nelsonm
I have a new client that has asked me to lock down their W7 desktop machines to prevent users from downloading, installing or running anything that's not company approved. They also use some web based apps.

Are there any scripts, apps or links for info you folks have knowledge of other than setting user accounts to standard?

thanks.
 
If the PCs are Professional, Ultimate, or Enterprise you can use Software Restriction Policies. Otherwise, in the XP days a program known as Windows Steady State existed. Microsoft discontinued this program, but 3rd party alternatives, such as Deep Freeze, exist. I haven't used Deep Freeze (only Steady State). Be advised that with a solution like this the PC will revert its HDD back to your baseline every so often (you can control it), but any user data not saved in the correct location will be lost.

I'd also suggest pulling admin privileges from the users and letting the UAC that's built in do its job. Also, password protect the anti-virus, and set it to be aggressive.

Is installing a gateway network protection device an option? If so, look at http://www.untangle.com/shop/NG-Firewall-Free . It's a linux distro that is 100% GUI setup, and if you can install it on the network you can really lock things down (esp. with the web filter -- you can do white list only).
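Added example, not from any poster in this thread: the Software Restriction Policy suggested above, written directly to the local registry so it can be pushed to each workgroup machine without clicking through the Local Group Policy Editor. It writes the same keys that the editor fills in on Pro/Ultimate/Enterprise (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers). The allow list, the deny list and the function names are assumptions for a typical office; run it from an elevated PowerShell on one test machine first, and note that with PolicyScope set to exempt local administrators the policy does nothing for users who are still admins, so pull their admin rights first.

```powershell
# Added example (not from the thread): a default-deny Software Restriction
# Policy written straight to the local registry, the same keys the Local Group
# Policy Editor fills in on Pro/Ultimate/Enterprise. Run from an elevated
# PowerShell on each workstation, then reboot (or run "gpupdate /force").
# The allow and deny lists below are assumptions for a typical office.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 0x40000    # SRP security level "Unrestricted" (262144)

# Where programs may run from. Standard users cannot write to these trees,
# which is the whole point: a .exe downloaded anywhere else will not start.
$AllowPaths = @('%SystemRoot%\*', '%ProgramFiles%\*', '%ProgramFiles(x86)%\*')
# User-writable corners inside the allowed trees that must stay blocked.
$DenyPaths  = @('%SystemRoot%\Temp\*', '%SystemRoot%\Tasks\*', '%SystemRoot%\Debug\*')

function Add-SrpPathRule([string]$Path, [int]$Level, [string]$Description) {
    # Each rule is a GUID-named subkey under <Level>\Paths with an ItemData value.
    $key = '{0}\{1}\Paths\{2}' -f $Safer, $Level, [guid]::NewGuid().ToString('B')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $Description -PropertyType String       -Force | Out-Null
}

function Install-SrpPolicy {
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel -Value $Disallowed -PropertyType DWord -Force | Out-Null
    # 1 = enforce for all software files except DLLs (2 would include DLLs, far noisier)
    New-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -PropertyType DWord -Force | Out-Null
    # 1 = all users except local administrators, so the admin account kept for
    # maintenance can still install updates. Users who are still local admins
    # are NOT covered: remove their admin rights first.
    New-ItemProperty -Path $Safer -Name PolicyScope -Value 1 -PropertyType DWord -Force | Out-Null
    # Extensions treated as executable: Microsoft's default list minus LNK (so
    # Start Menu and desktop shortcuts keep working) plus common script types.
    New-ItemProperty -Path $Safer -Name ExecutableTypes -PropertyType MultiString -Force -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'JS','JSE','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL',
        'VB','VBS','WSC','WSF','WSH'
    ) | Out-Null
    foreach ($p in $AllowPaths) { Add-SrpPathRule $p $Unrestricted 'Company-approved install location' }
    foreach ($p in $DenyPaths)  { Add-SrpPathRule $p $Disallowed   'User-writable, stays blocked' }
}

function Test-SrpPath([string]$Exe) {
    # Predicts the verdict for one file the way SRP resolves path rules: the most
    # specific (longest) matching pattern wins; with no match, DefaultLevel applies.
    $rules = @()
    foreach ($p in $AllowPaths) { $rules += @{ Pattern = $p; Level = $Unrestricted } }
    foreach ($p in $DenyPaths)  { $rules += @{ Pattern = $p; Level = $Disallowed } }
    $best = $null
    foreach ($r in $rules) {
        $pattern = [Environment]::ExpandEnvironmentVariables($r.Pattern)
        if (($Exe -like $pattern) -and ($best -eq $null -or $pattern.Length -gt $best.Pattern.Length)) {
            $best = @{ Pattern = $pattern; Level = $r.Level }
        }
    }
    $level = if ($best -ne $null) { $best.Level } else { $Disallowed }
    if ($level -eq $Unrestricted) { 'Allowed' } else { 'Blocked' }
}

# Dry run before applying: the Temp pattern is longer than the SystemRoot one,
# so the deny rule wins for anything under Windows\Temp; Downloads hits DefaultLevel.
Test-SrpPath 'C:\Windows\System32\notepad.exe'
Test-SrpPath 'C:\Windows\Temp\setup.exe'
Test-SrpPath 'C:\Users\alice\Downloads\game.exe'
# Install-SrpPolicy   # uncomment once the dry-run verdicts look right
```

Test-SrpPath only models path rules, which is all this script writes; SRP also evaluates hash and certificate rules with higher precedence if you add them later. Anything the users legitimately run from a per-user location (click-once installers, some browser updaters) will show up as "Blocked" and needs its own allow rule, so keep an eye on the Application log for SRP events during the first week.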
 
One office has W7 home premium machines, the other office has W7 Pro machines. Neither are on a domain, simply peer to peer networks.

Client still needs to let users create/save/PDF documents from vendor websites and to email to customers. The client just wants to prevent the users from downloading/installing and running unauthorized apps/games and playing online games. With respect to restricting online content and gaming, I'm guessing that IE has internal settings that can be tweaked like Firefox does. I'll look into the "gateway network protection device" mentioned above as well.

I'm aware of Deep Freeze but I don't feel that it would be suitable for this situation. I know that group policies are available for the Pro versions of W7 but would prefer an app with an intuitive GUI that would allow me to select typical levels of security but still allow me to modify them manually. Although you can install the Group Policy Editor for W7HP, the tree structure of the Group Policy Editor can be confusing and cryptic. There is a product called SiteKiosk which I have used for a client but I found it to be a bit difficult and unintuitive.
 
One office has W7 home premium machines, the other office has W7 Pro machines. Neither are on a domain, simply peer to peer networks.

Client still needs to let users create/save/PDF documents from vendor websites and to email to customers. The client just wants to prevent the users from downloading/installing and running unauthorized apps/games and playing online games. With respect to restricting online content and gaming, I'm guessing that IE has internal settings that can be tweaked like Firefox does. I'll look into the "gateway network protection device" mentioned above as well.

Since it's a workgroup environment, have you considered Microsoft Family Safety?

Haven't used it myself for a while but, if I remember correctly, it has all the features you're looking for, with the added benefit of user activity monitoring, so the boss can see a record of any attempts to thwart the system.

You can make sure that adult websites are blocked or specify which sites you want your kids to see. .... Kids can ask your permission to keep browsing when their time is up, or to see or download anything that's blocked – together, you can decide the level of restriction that's right for them.

  • Allow or block specific programs. You can prevent children from running programs that you don't want them to run. For more information, see Prevent children from using specific programs.

  • Games. You can control access to games, choose an age-rating level, choose the types of content you want to block, and decide whether you want to allow or block unrated or specific games. For more information, see Choose which games children can play.
 
Try Kaspersky Internet Security. Top rated antivirus with solid parental controls built-in.
 
You can also try for something at the edge to perform content filtering and block specific applications and web sites.
 
Do you use an RMM package?
I know LogicNow/GFI has its web filter where you block categories or specific websites.
I also have a script that alerts me if a program is installed.
That, or some form of edge protection/UTM device to block stuff.
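Added example, not the poster's script: one way to build the "alert me if a program is installed" check for an RMM, by diffing the registry Uninstall keys against a baseline saved on the previous run. The baseline path and the convention that a non-zero exit with output raises an alert are assumptions about how the RMM treats script results. It walks every loaded user hive rather than just HKCU, because per-user installs (the kind a standard user can still do) land in the user's own hive and HKCU is SYSTEM's hive when the RMM runs the script as SYSTEM.

```powershell
# Added example (not from the thread): flags newly installed programs by diffing
# the registry Uninstall keys against a baseline saved on the previous run.
# Schedule it from the RMM. The baseline path and the "output plus non-zero
# exit = alert" convention are assumptions about the RMM's script runner.

$Baseline = 'C:\ProgramData\installed-programs-baseline.xml'

function Get-UninstallKeys {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 32-bit apps on 64-bit Windows
    )
    # Per-user installs live in each user's hive. HKCU is the SYSTEM hive when
    # the RMM runs this as SYSTEM, so walk HKEY_USERS instead. Hives of users
    # who are logged off are not loaded and are only seen on their next logon.
    $hives = Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($h in $hives) {
        $keys += ('Registry::HKEY_USERS\{0}\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' -f $h.PSChildName)
    }
    $keys
}

function Get-InstalledPrograms {
    # Returns a hashtable: registry path of the uninstall entry -> "DisplayName DisplayVersion".
    $found = @{}
    foreach ($key in Get-UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty $sub.PSPath
            if (-not $p.DisplayName) { continue }     # patches and components without a visible name
            $found[$sub.PSPath] = ('{0} {1}' -f $p.DisplayName, $p.DisplayVersion).Trim()
        }
    }
    $found
}

function Compare-InstalledPrograms([hashtable]$Old, [hashtable]$New) {
    # Entries present now that were absent when the baseline was taken.
    $added = @()
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k)) { $added += $New[$k] }
    }
    $added
}

$current = Get-InstalledPrograms
$new = @()
if (Test-Path $Baseline) {
    $new = @(Compare-InstalledPrograms -Old (Import-Clixml $Baseline) -New $current)
}
$current | Export-Clixml $Baseline    # refresh the baseline so each addition is reported once
if ($new.Count -gt 0) {
    Write-Output ('NEW PROGRAMS on {0}: {1}' -f $env:COMPUTERNAME, ($new -join '; '))
    exit 1
}
```

The first run only records the baseline; every later run reports whatever appeared since, then moves the baseline forward. Portable apps that never write an Uninstall entry will not show up here, which is exactly the gap a Software Restriction Policy or application control product closes.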
 
I have a new client that has asked me to lock down their W7 desktop machines to prevent users from downloading, installing or running anything that's not company approved. They also use some web based apps.

Are there any scripts, apps or links for info you folks have knowledge of other than setting user accounts to standard?

thanks.
How about:

Limited user accounts
UAC turned to "always notify" - That should require admin privs to allow, I believe.

Does this give you enough control? Although anybody "tech" savvy shouldn't have a problem getting around this. Then...strict disciplinary action when caught.
 
Lack of domain ...you can still do about the same via local policy, you just have to visit each workstation. And ensure you have a back door Admin account on the system.

I second the use of a good UTM, we're big Untangle partners...and with its policy manager and multiple racks, you can get very creative with different rules for different computers and/or users.
 
Thank you all for your responses.

I think I'll try Windows 7's Parental Controls first and download the "Family Safety" add-on. It adds web filtering, activity reporting and restriction requests. I will look into additional controls (service providers) provided by third party providers - if there are any.

Then I'll try the Untangle UTM product.

I'll visit the Local Group Policy Editor as a last resort.

Is there a third party product like Parental Controls which includes the extended features of Microsoft's "Family Safety", or is Untangle (I looked at it briefly) what I'm looking for?

Wikipedia does have a page that lists a number of possible parental control programs and services: https://en.wikipedia.org/wiki/Comparison_of_content-control_software_and_providers
 
Can't count the number of business owners / partners who have requested this only to very quickly realize what a nightmare it can be. This depends on the business type obviously. We have mostly medical clients who constantly update their line of business software and they pay monthly support to these vendors. They would have to call us every time an update was needed or the vendor support guys would call us frustrated they couldn't solve a problem because the systems were so locked down. It's gotten to a point now where Eaglesoft in particular recommends users have admin rights to their workstations. Another example is IDEAL (lawn equipment LoB vendor) who won't even provide support unless UAC is completely disabled on workstations AND the server.
 
Yes, I can see where it can be a double edged sword. Unfortunately, you can't have it both ways. As long as there is an account on each workstation with administrative privileges and no restrictions (the admin account), updating should not be a problem. All employees would be required to use the standard user account with restrictions applied.

In this situation, I believe it will work for the most part because most of the apps the employees use are web based. So I only have to allow access to websites used for business and a few installed apps like MS Office.

I guess we'll just have to see how it works out.

PS.
I wish MS would stop goofing around with the user interface for "Family Safety"! Now it appears you can't disallow an entire day in Screen Time and setting up allowed apps is on a request only basis. You can't just browse and pick the apps to allow or disallow like you could in Parental Controls before adding the Family Safety extension.

You don't turn on - additional - controls, Family Safety takes over Parental Controls, forcing you to use the Family Safety web site interface and its controls.

I'm definitely going to look for a third party product.
 
Is there a third party product like Parental Controls which included the extended features of Microsoft's "Family Safety" or is Untangle (i looked at it briefly) what I'm looking for?

Untangle has a "Web filter lite" and it can be set to block all web sites except those on an allow list. I would also use the firewall to block all traffic apart from ports: 80, 443, 53, and 123 (HTTP, HTTPS, DNS, NTP [network time protocol]). This would take care of Bittorrent, IM, and most other issues (and since websites are restricted, not much will be getting in.....). The other nice part about this solution is that no configuration needs to be done on the workstations (if they are DHCP or you set Untangle up in bridge mode).
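Added example, not from the thread and not an Untangle configuration: the same "only ports 80, 443, 53 and 123 out" policy applied per workstation with the Windows Firewall that ships with W7, for machines that are not behind the UTM yet. It uses netsh advfirewall because the W7 PowerShell has no firewall cmdlets. The backup path, the rule names and the local-subnet allowance (so peer-to-peer file and printer sharing keeps working) are assumptions; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): host-side egress allow list with the
# built-in Windows Firewall, mirroring the UTM rule (web, DNS, NTP only).
# Run from an elevated PowerShell. Backup path and LAN rule are assumptions.

$Backup = 'C:\ProgramData\firewall-before-lockdown.wfw'

function Set-EgressAllowList {
    # Export the current policy first so the change can be reverted in one step.
    netsh advfirewall export $Backup | Out-Null

    # Default action for all three profiles: block inbound, block outbound.
    # Outbound traffic now needs an explicit allow rule. Windows' own
    # "Core Networking" outbound rules (DHCP, etc.) remain and still apply.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null

    # Peer-to-peer office: file and printer sharing stays on the local subnet only.
    netsh advfirewall firewall add rule name="Lockdown - LAN" dir=out action=allow remoteip=localsubnet | Out-Null

    # Internet: the four services the post lists. Anything else (BitTorrent,
    # IM, game clients on their own ports) has no rule and is dropped.
    netsh advfirewall firewall add rule name="Lockdown - HTTP"  dir=out action=allow protocol=TCP remoteport=80  | Out-Null
    netsh advfirewall firewall add rule name="Lockdown - HTTPS" dir=out action=allow protocol=TCP remoteport=443 | Out-Null
    netsh advfirewall firewall add rule name="Lockdown - DNS"   dir=out action=allow protocol=UDP remoteport=53  | Out-Null
    netsh advfirewall firewall add rule name="Lockdown - NTP"   dir=out action=allow protocol=UDP remoteport=123 | Out-Null
}

function Remove-EgressAllowList {
    # Revert everything (rules and default actions) from the saved policy.
    netsh advfirewall import $Backup | Out-Null
}

Set-EgressAllowList
# Review what is now allowed out.
netsh advfirewall firewall show rule name=all dir=out | Select-String 'Rule Name|Action|RemotePort'
```

Two things to check before rolling this out: the client emails customers, so if they use a desktop mail client against a hosted mail server rather than webmail, SMTP submission and IMAP (587 and 993, or whatever the provider uses) need their own allow rules; and the line of business vendors mentioned later in the thread that insist on the Windows firewall being off will need the rules kept but exceptions added for their software, not the firewall disabled. Unlike the UTM, this has to be applied on every workstation and a local admin can undo it, which is one more reason the users should not be local admins.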
 
Have a look at Bit9 (http://www.bit9.com) - The heart of Bit9’s proactive prevention capabilities, our proven approach to policy-driven and trust-based application control has been optimized to make it easy to ensure only software you trust runs in your environment.
 
Isn't this a maintenance nightmare and a security issue bundled in one?

Are you going to manually update each workstation each month for updates to Java, Flash, FF, IE, Windows, etc.?

Even in domain environments we usually end up capitulating and granting local admin rights as a) some programs simply require admin rights, and b) our support tickets went through the roof when each user required escalation to install basic updates

We prefer ESET endpoint solutions and some logical (but not too restrictive) GPO's to handle most of our workload.

With some good security appliances (Meraki), we've kept infections to 0 (but yes, malware sometimes does sneak in), our users happy, and our ticket numbers in check.

(I am very interested in Untangle, after reading all of your comments, and don't know a thing about it).

Also, I am a firm believer in company policies... the human ones, not the technical ones... we usually get really good results when rules and code of conduct are clearly laid out in a policy / handbook. People sometimes violate them, but usually in minimal ways (e.g., Facebook)... and if it is known that our network filters know about this activity and we are aware of it... people tend to keep in line.
 
(I am very interested in Untangle, after reading all of your comments, and don't know a thing about it).

The Untangle I linked to is the free version, and it has the ability for Web filtering, a stateless firewall (more config but more control), IPS, ad blocking, spam and phishing blocking (if you run an SMTP server), VPN support via OpenVPN, and extremely detailed logs (it e-mails PDFs out, and they are ~60 pages...). The free version will also do a captive portal and use ClamAV to do virus filtering.

I have done lots of work with Untangle devices (running a malware debugging lab...) and they are quite the device. I have only used the free version, and for a home/small business I think the free version is all you'd need.

The professional version comes in a few licensing flavors, and it can connect to Active Directory, have different filtering combinations for different users (aka different racks in Untangle-ese) and you get the paid versions of the free apps, which offer more control and features.
 
It's gotten to a point now where Eaglesoft in particular recommends users have admin rights to their workstations. Another example is IDEAL (lawn equipment LoB vendor) who won't even provide support unless UAC is completely disabled on workstations AND the server.

I've run into this as well. Most recently, Officemate, a practice management software 2 of my optometrists use, requires UAC and local Windows firewall being disabled as a prerequisite for support. It's maddening. How about this, how about YOU program YOUR software to work in the real frickin' world?
 