The Lockdown Question
Hey Jeremy, what's the best way to lock down my Windows machines? I hear this question dozens of times a year from students who are sitting down at the first day of my Group Policy training workshops. They are often very eager to get right down to business and wrestle this particular problem to the ground because they know that when they go back to their offices and implement what they're about to learn, that their environment will be more predictable and more secure.
See, I know we all feel it would be best if our pesky users would just stop playing with stuff within Windows, their applications and on their desktops.
And, sure, that's part of the art of desktop lockdown. But my suggestion would be to look at desktop lockdown from a holistic and incremental approach. There's no one best way to lock down your Windows machines.
But what is true, is that the technologies built-in to Windows 7 have enabled more control than ever and enabled a wide variety of situations. Lets explore some of my favorite ways to get started with desktop lockdown, then I'll give you some tips on how to expand your controls as you need to.
Lead with Group Policy and Group Policy Preferences
This pair of technologies is arguably the most powerful arrow in your quiver. But using Group Policy, you can restrict a user from some of Windows most tempting locations such as the control panel, desktop, Start Menu, Task Bar and more. Once a GPO is created, most of these settings are found within the User Configuration | Administrative Templates section. There are way too many settings to review here, but I would encourage you to poke around, take stock of the ones that are most interesting to you then try them out in your test lab — before rolling out into production.
When performing lockdown tests, I would suggest that you use two people, a designer and a tester. The Designer should set up the Group Policy settings and lockdown tests, then the Tester would validate the tests and try to wiggle around the designers intentions. Using two people during testing ensures good feedback. One person always validates the other.
As you're working through your resting, do note that some policy settings are reliant upon other policy settings being enabled or other conditions being set or present on the client machine before you actually see the result you're expecting. So again, having a Designer design and a Tester test helps make sure the settings you want to achieve have actually occurred on the client machine.
Group Policy Preferences also enables you to deliver desktop settings. Though not specifically designed for desktop lockdown, they can helpful in guiding users away from temptation and toward standardization.
Caption: The Group Policy Preferences can implement IE settings
Sometimes what the doctor ordered is a blend between both Group Policy and Group Policy Preferences. For instance, you might want use Group Policy Preferences to set a particular setting, plus use Group Policy controls to lock down certain areas of IE.
This is an advanced skill, which takes a little practice and patience. But with enough time, you'll find the right balance using the two.
I would also suggest that you check out a favorite document of mine entitled Group Policy Settings for Creating a Steady State which can be found here with literally dozens of ideas to help you get started.
Focus, then Expand
So going back to my students who ask me Hey Jeremy, what's the best way to lock down my Windows machines? As you can tell, I love to lead with the core lockdown starting with Group Policy and Group Policy Preferences, then expand outward using additional Windows 7 technologies.
If you're looking for more hard-core controls, you might want to consider checking out this the recently published document from Microsoft entitled Creating a Steady State by Using Microsoft Technologies.
Inside you'll discover some extra ideas you can try out, such as mandatory profiles, working with AppLocker to prevent applications from running, and even wiping back the hard drive of a machine every night!
We've just scratched the surface. For additional specific tips and tricks on desktop lockdown, it's a common feature in my GPanswers.com Tip of the Week. You can sign up the free tip of the week at https://www.gpanswers.com/register. You can also get hands-on experience with Group Policy and desktop lockdown in my in-person or online-based Group Policy Master Class at www.GPanswers.com/training.
Jeremy Moskowitz, GPanswers.com and PolicyPak.com
Jeremy Moskowitz is a Group Policy MVP, the Chief Propeller-Head for GPanswers.com and Founder of PolicyPak, which makes software to increase desktop lockdown using Group Policy. Thousands of IT professionals have taken his Group Policy training. GPanswers.com was ranked as one of “The 20 most useful Microsoft sites for IT professionals” by ComputerWorld magazine. Jeremy is also a STEP member.