Locking down a PC configuration....

Associate
Joined
18 Oct 2002
Posts
1,283
My mum has decided to take in foreign exchange students to supplement her meagre pension. She's putting them in a room housing her desktop PC - a good idea in that the swine will retreat to their room and stay out of her hair. However, giving unhindered access could be problematic - I can see me being called around to restore a disk image on a weekly basis...

What I have done so far is setup a limited account. With my admin account, I've fiddled with gpedit to disallow tampering with system tray items, and right click context menus. For the partitions housing her photo backups etc I'm denying all access. I tried to deploy K9 web filter to stop access to dodgy sites but this caused havoc - it wouldn't allow any access to any sites at all.

I'm new to this though and I have no access to tray items on my admin account now either. How do I modify a limited user account whilst leaving mine untouched?

I also considered using steadystate or deepfreeze but the PC is sluggish to start with and it could be a bit of a mither.

So, how would you go about it all?

Thanks!

;)
 
Last edited:
I'm guessing you're using Windows XP. First of all, I'd make sure those photos are indeed the backup and not the originals. Assume you're going to lose them.

The reason why your policy changes are affecting yourself is because there is only one local policy. A change is a change for everyone, including the administrator - the only difference is the administrator can change it back. Short answer is you can't have a policy for one user and a different one for another on a stand alone workstation.

The real problem for you is physical access to the machine. You might have changed the file permissions for the partitions the photos are on, but this is easily bypassed if you know what you are doing. If you really want to keep people out you need to encrypt that partition with something like TrueCrypt (back up first.) Also set up a BIOS password (this is also easily bypassed unless you lock up the PC case with a kensington lock or something, but it makes it a little harder for them) and make sure the primary boot drive is the hard disk. Also, disable the default administrator account otherwise all someone has to do is boot into safe mode and they're golden.

Even after all this, I can still think of a couple of ways to break in. But you'll have done a decent job.
 
Back
Top Bottom