Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Is windows security this bad?

Status
Not open for further replies.
theEclipse

theEclipse

Programmer
Dec 27, 1999
1,190
US
I work for a small private school. We are just getting up our first computer lab (we used to just pass laptops around....) and are using XP-64bit on some new computers. Without the four-figure tech budget required to set up a domain, I am managing the computers without.

It is pretty simple: the computers are all imaged with software, etc preinstalled and three user accounts (admin, teacher, student). It has worked well in the past, but now the board wants the computers locked to prevent students/faculty from accidentally breaking things and changing things like the screensaver, etc. No problem I say...and I use the Group policy editor to lock 'em down.

Problem is, I can't figure out what, except ignorance, is to stop a student from finding the gpedit.msc console in system32 folder and launching it. We all know how ambitious pre-teen boys get when rules are placed above their heads (or on their computers).

Is windows' lockdown-ability (without a domain) this easy to bypass? Can I disable the gpedit.msc (without also crushing my ability to manage the system or unlock it to add a printer)?

Thanks,
Robert

Robert Carpenter
Remember....eternity is much longer than this ~80 years we will spend roaming this earth.
ô¿ô
 
Sort by date Sort by votes
Limited Users do not have enough Privileges to run things like Group Policy, only Administrative Users have that right. For a Limited User to do so he would have to run the program as an Administrator. To do this he would have to know an Administrator's Password.

Make sure the Built-in Administrator is passworded with something other than a blank password too.

Despite the above statements, any machine that is accessible and available is also prone to hacking and finding out things like passwords.

See if any of these are useful. Firstly you must turn off "Simple File Sharing" in Folder Options/ View to access the Security tab (or use Safe Mode).

Set permissions for folders and files

Keep Your Data More Secure

Secure XP - A Windows XP Security Guide

What is Windows SteadyState?
 
Upvote 0 Downvote
Another thing to remember, if the Students have access to the BIOS, they could run any number of programs from CDROM or USB stick...

I would password the BIOS, and set the HDD as first BOOT DEVICE... also restrict USB boot if possible, by either setting the correct section in the BIOS or by turning the USB ports off (only if the PC's use PS/2 KBD and MICE)...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Upvote 0 Downvote
Hi, Robert

It's not just that Windows security is so bad but also that young minds are so clever, quick and energetic. So you have to assume that no matter what you do they will find a way.

Have you looked into Microsoft Steady State, formerly known as the shared computer toolkit? This sets up the system so that (supposedly) no matter what they do, all you have to do is shut down and restart the machine and it is returned to its original state. So even if they install software, change configuration or get infected with malware it all goes away with a simple reboot.

It also gives you the kind of domain-level admin tools over users and groups without having a domain.

And best of all, it's free!

Find it here:
Jock
 
Upvote 0 Downvote
The student account on the computers is under the group 'Users,' while the teacher account is under 'Administrators' (though I have thought about changing it to something between the two -- the teachers don't break things intentionally, but rather accidentally delete printers, etc.). The bios is also password protected, and all boot devices besides the internal HD are disabled. I can't disable USB, because the students are all required to own flash drives for use in computer class, but at least it wont boot from one.


I will definitely check out Steady State -- it sounds like what I am looking for.


But, linney, why does Simple File Sharing top your list? It is turned off, but for other reasons.

Thanks!

PS - IMO, a system is not secure unless it is *secure* -- no matter how enterprising the user. Granted, with physical access to the machine implemented software security has no hold. If only we raised our children with a Unix prompt... YMMV.

Robert Carpenter
Remember....eternity is much longer than this ~80 years we will spend roaming this earth.
ô¿ô
 
Upvote 0 Downvote
why does Simple File Sharing top your list?"

Nothing meant specifically other than you need to do so to access the Security Tab.

If anything was to top my list it would be terms like Discipline and Responsibility, but in these times that's just old fashioned leftovers from the past.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

K
  • Locked
  • Question
Recover Data Windows 10 1
Replies
2
Views
4K
Rick998
Rick998
pjw001
  • Locked
  • Question
Latest Windows Update - End of Service
Replies
2
Views
3K
pjw001
pjw001
pmonett
  • Locked
  • Question
What is this now ? 1
Replies
8
Views
1K
pmonett
pmonett
VicM
  • Locked
  • Question
Problem updating Windows Explorer
Replies
1
Views
925
Nancycaf
Nancycaf
pjw001
  • Locked
  • Question
Windows 11 Screen Colours have changed (slightly) 3
Replies
14
Views
7K
pjw001
pjw001

Part and Inventory Search

Sponsor

Back
Top