Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: clay
Date: August 13, 2014 08:39AM
I manage a small "fleet" of 4 Win 7 Pro desktops for a family member's small business. Their needs are very pedestrian overall. The issue lies with the users in that from time to time, they do things that get themselves into trouble (blindly opening spam email attachments, force shutting off computer if it "takes too long" doing something, etc). I get to support them, and other than extra hours put in, I keep them running pretty well. But I'd like to see if there are ways I can make their machines a little more fault-tolerant, without significant ongoing expense or investment of time on my part.

They still need to be able to install programs without my intervention. I have TeamViewer set up for remote login, which has been great. They have a backup "server" in use solely for accepting incoming Crashplan backups for their daily-use workstations.

I know that education of the users is the best long-term solution, but I'd like to implement some tech that can reduce my workload, and increase the amount of uptime they have on their workstations. I'm looking for general advice and also any specific software/hardware/techniques that will meet those objectives.



Edited 1 time(s). Last edit at 08/13/2014 08:40AM by clay.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: cbelt3
Date: August 13, 2014 08:45AM
Sadly, maintaining the ability to install programs is the primary incompatibility with your goals. Is there a way that an 'onsite power user' can be named who has enough know-how and can be trusted to handle the 'install the program' requests without requiring your support?

Most malware or just 'annoyware' like Toolbars Of Doom installations can be avoided by not granting administrative rights to the users.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: lost in space
Date: August 13, 2014 08:49AM
In the Win 7 lab I used to manage, we used DeepFreeze, which locks the boot volume. It allows a separate partition that can be used for data. Users can do anything they want, but on reboot, the system returns to the state it was in when last locked, so your users wouldn't be able to install anything permanent. Installed apps would disappear on reboot. DF was a great product for us.



Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: clay
Date: August 13, 2014 08:51AM
Quote
cbelt3
Is there a way that an 'onsite power user' can be named who has enough know-how and can be trusted to handle the 'install the program' requests without requiring your support?

Unfortunately not. They're all just about equally "in the dark" about how to reasonably responsibly use a computer. I have given them several "tip sheets" that attempt to prevent further issues after I've dealt with something numerous times, but that doesn't always prevent inadvertent issues that they seem to face/create.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: clay
Date: August 13, 2014 08:52AM
Quote
lost in space
In the Win 7 lab I used to manage, we used DeepFreeze, which locks the boot volume. It allows a separate partition that can be used for data. Users can do anything they want, but on reboot, the system returns to the state it was in when last locked, so your users wouldn't be able to install anything permanent. Installed apps would disappear on reboot. DF was a great product for us.

That's one that I've come across before, too. Used it in a lab setting about 10 years ago and worked very well. That would prevent the user install of programs, but might save me some headaches in the long run. I should consider this option again.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: Speedy
Date: August 13, 2014 08:56AM
Good. Luck. With. That.



Saint Cloud, Minnesota, where the weather is wonderful even when it isn't.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: bazookaman
Date: August 13, 2014 09:30AM
Why do they need to install programs? If it's for a business, shouldn't there just be a set app list and nothing beyond that is allowed? Seems like a small price to pay to avoid continually shooting themselves in the foot.



Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: cbelt3
Date: August 13, 2014 10:06AM
I hate to say this since it's a family member's business, but it's time to put your pro hat on. A simple statement:

"You have problems because your staff installs stuff on the computers. You need to turn that off for everyone except for one trusted user. If you don't turn that off, here is my hourly rate to fix problems. If the trusted user makes a mistake, here is my other hourly rate to fix them."

It's a cost of doing business. If you got hit by a bus, they would have to hire someone anyway. After visiting you in the hospital, of course.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: DP
Date: August 13, 2014 10:43AM
Quote
cbelt3
I hate to say this since it's a family member's business, but it's time to put your pro hat on. A simple statement:

"You have problems because your staff installs stuff on the computers. You need to turn that off for everyone except for one trusted user. If you don't turn that off, here is my hourly rate to fix problems. If the trusted user makes a mistake, here is my other hourly rate to fix them."

It's a cost of doing business. If you got hit by a bus, they would have to hire someone anyway. After visiting you in the hospital, of course.

agree smiley
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: ztirffritz
Date: August 13, 2014 11:01AM
Create an admin account for each computer. Set the user's account to be a standard user/power user. If they try to install anything they'll be required to enter admin credentials, or logout and login as the admin to install it. It won't stop them from doing something stupid, but it will slow them down, perhaps enough to think about what they are doing. There is no defense for the ID10T error.



**************************************
MacResource User Map: [www.zeemaps.com]#
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: ADent
Date: August 13, 2014 11:06AM
They need to run as a non-admin.

There was a report that 85% of the problems would be prevented by non-admin use.

ztirffritz has good advice.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: ztirffritz
Date: August 13, 2014 01:16PM
Are they part of a Windows domain, or are they standalone machines belonging to a workgroup? That will affect the way that you solve the issue too.

If they're standalone machines in a workgroup then you change their standard account (eg Joe.Cool) to a Standard User account. Then create another 'Admin' account that is elevated to a local Administrator user. That 'Admin' account and password are unique to that computer.

If they have a Windows Domain (not likely with 4 PCs) you have to set up a single account in Active Directory Users & Computers. You can probably give that single account limited/restricted admin rights (ie NOT Domain Admin rights!) You don't want them logging in as Domain Admins if they are part of a domain. Domain Admins are 'gods' on the network. Bad things happen when average users are logged in as Domain Admins. Give them just enough rope to slip the noose around their neck and not an inch more. The user will then login with their own domain credentials. By default, they will be 'Standard Users' on the PC with their domain credentials unless a Domain Admin logs in and elevates them locally on that PC. If the user wants to perform actions which require admin rights they will have to logout and login as the limited admin account to perform the install/virus configuration. As I said earlier, it won't stop the problem, but it will make it a little bit more difficult. I'd recommend making backup images of the hard drives after a clean install so that 'repairing' after an incident is easier on you.



**************************************
MacResource User Map: [www.zeemaps.com]#
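
The two-account setup described above for standalone workgroup machines, as an added example that is not part of the original posts. It assumes English group names, uses only the built-in `net.exe` commands available on Windows 7, and takes the account names `Joe.Cool` and `Admin` from the post as placeholders.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# console (not the ISE) on each standalone Windows 7 PC.
# Assumptions: English group names; 'Joe.Cool' is the daily-use account and
# 'Admin' the separate administrator account, as named in the post.
$DailyUser = 'Joe.Cool'
$AdminUser = 'Admin'

function Get-LocalAdmins {
    # net.exe prints one member per line between header and footer text.
    net localgroup Administrators | ForEach-Object { $_.Trim() }
}

# 1. Record current membership before changing anything.
Get-LocalAdmins

# 2. Create the separate admin account. '*' makes net.exe prompt for the
#    password so it is not stored in the script. Use a different one per PC.
net user $AdminUser * /add
if ($LASTEXITCODE -ne 0) { throw "Could not create account '$AdminUser'." }
net localgroup Administrators $AdminUser /add
if ($LASTEXITCODE -ne 0) { throw "Could not add '$AdminUser' to Administrators." }

# 3. Safety check: never demote the daily account unless the new admin
#    account is confirmed, or the PC could be left with no usable admin.
if ((Get-LocalAdmins) -notcontains $AdminUser) {
    throw "'$AdminUser' is not in Administrators; stopping before demotion."
}

# 4. Demote the daily-use account to a standard user.
net localgroup Users $DailyUser /add 2>$null   # fails harmlessly if already a member
net localgroup Administrators $DailyUser /delete
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Could not remove '$DailyUser' from Administrators (not a member, or no such account)."
}

# 5. Show the result. The change applies at the user's next logon.
Get-LocalAdmins
```

After the user logs off and back on, installers that need elevation will prompt for the `Admin` credentials instead of running silently with administrator rights.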
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: silvarios
Date: August 13, 2014 02:39PM
Quote
Speedy
Good. Luck. With. That.

Yet. It. Isn't. Hard. At. All. And. In. Many. Ways. There. Are. More. And. Better. Solutions. On. Windows.

smiling smiley

Back to normal cadence. Granted, the OP is trying to lock down Windows, but still allow app installs. That is tougher and a large part of why you lock down the OS to begin with.



Edited 1 time(s). Last edit at 08/13/2014 02:39PM by silvarios.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: silvarios
Date: August 13, 2014 02:40PM
Quote
bazookaman
Why do they need to install programs? If it's for a business, shouldn't there just be a set app list and nothing beyond that is allowed? Seems like a small price to pay to avoid continually shooting themselves in the foot.

I agree.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: silvarios
Date: August 13, 2014 02:41PM
Quote
ztirffritz
Create an admin account for each computer. Set the user's account to be a standard user/power user. If they try to install anything they'll be required to enter admin credentials, or logout and login as the admin to install it. It won't stop them from doing something stupid, but it will slow them down, perhaps enough to think about what they are doing. There is no defense for the ID10T error.

I agree. I do this for my single home user clients. I explain the difference between the two accounts and tell them if we've set things up correctly, they can ignore the other account 99% of the time.
Re: Tips for "locking down" Win 7 workstations in a reasonable way?
Posted by: silvarios
Date: August 13, 2014 02:41PM
Quote
ADent
They need to run as a non-admin.

There was a report that 85% of the problems would be prevented by non-admin use.

ztirffritz has good advice.

Yes.