Network Admins - How do you secure Windows XP systems for network deployment?

  1. #1
    Registered User
    Join Date
    Dec 2000
    Location
    Gainesville, GA, USA
    Posts
    152

    Network Admins - How do you secure Windows XP systems for network deployment?

    I am finalizing a system image for a rollout to a school network. I am planning on using group policies and profiles; I have those ready, but in addition to them what settings do you usually change on the local machine to secure it or for added stability? I.e., do you disable printer and file sharing? Or disable any specific services? I am covered as far as anti-virus soft and basic settings like classic desktop and start menu, along with visual performance settings reduced to speed things up, but I want to make sure I don't miss a setting before I load up hundreds of machines...

  2. #2
    Registered User Chris_MacMahon
    Join Date
    Nov 2001
    Location
    sebago, maine
    Posts
    568

    try this..

    shamus might have some ideas for you...

    one of the things that he has brought to my attention was a product called deep freeze....nothing can be stored on the hard drive...so every reboot you get a clean new computer...


    here
    i love peta...and sars...
    and bin laden....and n. korea....and china...and p2p...spyware...

  3. #3
    Geezer confus-ed
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087

    School installations

    Often I'm asked to secure bios with p/w, & remove both floppy & cd drives, stops the little blighters loading stuff except from elsewhere on the network.....which of course you can secure.

    I think if you disable file & print sharing you are defeating yourself, as that would mean only local files are accessible, then why do we have a network?

    Your services will depend on what you actually want to run so I can't really say what you can turn off.

    You mention a/v s/w but generally you don't need that on client machines only on the gateway....

    A little more detail would definitely help here......


    BTW shouldn't this topic be in Security or the xp forums it might get better/more answers there???

  4. #4
    Registered User silencio
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960
    It always amazes me when organizations spend a huge amount of money on a bunch of computers that will be locked down as tight as terminals.

    Why not use terminal services and put that money into IT raises?
    Deliver me from Swedish furniture!

  5. #5
    Registered User
    Join Date
    Jun 2000
    Location
    r00t
    Posts
    616
    TS and/or Citrix would sound ideal on some little compaq EVO T20 thin clients...sw3333t boxes...

    That'd have been the cheapest and most likely secure deployment. But alas, we in the trenches are rarely the ones who get to choose the equipment

    To secure XP on a network, wow...tall order. You could literally

    WinXP exploits list some of the obvious attacks on unpatched systems. But the other posters' ideas of disabling floppy, removing CDs, strong PWs on shared drives/devices, no services/protocols running other than what is absolutely required, strong user policies that are ENFORCED, set your user permissions appropriately, group policies,... I could go on and on and on

    The Fortres software has gotten some good reviews, a good web content filter might not be a bad idea..
    "Teach the ignorant, care for the dumb, punish the stupid."
    -how to live a life well spent

  6. #6
    Registered User
    Join Date
    Apr 2001
    Location
    Renton, Wa
    Posts
    43
    Hello,

    I am in the same boat as you. I don’t do much to the staff machines, and only a few things to the lab machines.

    In the lab

    1. Disable "Lock Computer" - In a computer lab, a locked computer is one I have to unlock.

    2. Enable "Do not automatically make re-directed folders available offline" - learned about this one the hard way. All the students’ home files were caching on the local hard drive.

    3. Force classic (actually I get the desktops to look like all the win98 machines).

    4. Disable the help balloons.

    Other than that I don't do much. There is no point. AutoCAD requires all users to be in the Power Users Group, and other kiddy software won't run without being able to write to the registry.

    On the bright side, the District bought Ghost 7.5 corporate. The console allows for remote imaging. So, once a month I set the labs to re-image in the middle of the night.
