One of the questions that keeps coming around is how to lock down the desktop while still allowing a session to start and run. The requirements are pretty simple: no interaction with the desktop except for logging off or shutting down, and the session must start automatically. We’ll be looking at this from a Microsoft Windows XP and Vista perspective.
So what do we need to accomplish something like this? Surprisingly enough, Group Policy will be our tool of choice. Group Policy by itself will let us lock down the end-point PC and gives administrators the flexibility to make changes on the fly when needed. Because Group Policy can customize desktops based on user and group accounts, it also lets administrators administer the PC when they need to.
Desktop
Let’s start by locking down the desktop itself. There are two ways of doing this, and they are not mutually exclusive. The first is simply applying the Group Policy setting User Settings\Administrative Templates\Desktop\Hide and disable all items on the desktop. This simple setting does exactly what it says and leaves a very plain background (or whatever background you choose to put there).
Another way to lock down the desktop is to use folder redirection. Folder redirection lets you redirect the desktop to a network share of your choice, or to a local folder if you prefer. This gives you the ability to populate the desktop with the icons you choose and change them on the fly. It also lets you set NTFS permissions on the folder easily; for example, setting it to Read Only for end users so they cannot add their own icons. You can then use Group Policy again to lock down other pieces of the desktop at User Settings\Administrative Templates\Desktop.
Start Menu
The start menu can also be locked down in two ways. Again, let’s start with folder redirection. Folder redirection gives administrators maximum flexibility when dealing with the start menu. The administrator can add and remove any portion of the start menu when it is redirected: add an icon or two, or have none whatsoever and leave only a logout button. One key setting here comes from Group Policy, though. It is advisable to always use the classic view of the start menu, which can be set here: User Settings\Administrative Templates\Start Menu and Taskbar\Force classic start menu. It makes locking down the menu that much easier. I’m not going to go over every option to lock down the start menu, but I have included a file to show what I did. Keep in mind this is a very basic, very simple lock down and is not comprehensive at all. It does show, though, that with a bit of effort it is easy to create a completely locked down start menu. Don’t forget to set the NTFS/share permissions to read only for the users.
Another way to lock down the start menu is without redirection: the admin writes a script that removes and adds the icons the user needs. I, personally, don’t like this way as it leaves too many variables open and relies on a stable profile.
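The redirection approach above has two server-side pieces: a shared folder that holds the icons every redirected Desktop and Start Menu will show, and NTFS/share permissions that leave users read-only so they cannot add or remove anything. The PowerShell below is an added example, not the article's own file or script, that prepares both. The share root D:\Redirect, the share name Redirect, the groups KIOSK\Kiosk Users and KIOSK\Domain Admins, and the RDP file path C:\Kiosk\session.rdp are placeholders, and it assumes it runs as an administrator on the file server.

```powershell
# Added example (not from the original article): prepare a shared, read-only
# Desktop and Start Menu that Folder Redirection will point users at.
# Assumptions: run elevated on the file server; all names below are placeholders.

$Root       = 'D:\Redirect'            # placeholder share root
$ShareName  = 'Redirect'               # placeholder share name
$UserGroup  = 'KIOSK\Kiosk Users'      # placeholder group of locked-down users
$AdminGroup = 'KIOSK\Domain Admins'    # placeholder group that may edit the icons
$RdpFile    = 'C:\Kiosk\session.rdp'   # placeholder premade RDP file on the clients

# Target folders for the Desktop and Start Menu redirection policies.
$Desktop   = Join-Path $Root 'Desktop'
$StartMenu = Join-Path $Root 'StartMenu\Programs'
New-Item -ItemType Directory -Path $Desktop, $StartMenu -Force | Out-Null

# Populate the redirected desktop with the icons you choose: here a single
# shortcut that launches the premade RDP file. Changing this folder later
# changes every redirected desktop at once.
$Shell    = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut((Join-Path $Desktop 'Session.lnk'))
$Shortcut.TargetPath = "$env:windir\system32\mstsc.exe"
$Shortcut.Arguments  = "`"$RdpFile`" /f"
$Shortcut.Save()

# NTFS: drop inherited ACEs, then grant users read/execute only and the admin
# group and SYSTEM full control, so users cannot add, rename or delete icons.
foreach ($Folder in $Desktop, $StartMenu) {
    icacls $Folder /inheritance:r | Out-Null
    icacls $Folder /grant:r "${UserGroup}:(OI)(CI)RX" "${AdminGroup}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' | Out-Null
}

# Share permissions restrict as well: users read, admins full.
if (-not (net share | Select-String -Pattern "^$ShareName\s")) {
    net share "$ShareName=$Root" "/grant:$UserGroup,READ" "/grant:$AdminGroup,FULL" | Out-Null
}

# Show the effective ACLs so the read-only result can be checked at a glance.
icacls $Desktop
icacls $StartMenu
```

In the Folder Redirection policy, point Desktop at \\server\Redirect\Desktop and Start Menu at \\server\Redirect\StartMenu using the basic "redirect everyone's folder to the same location" option, and clear both "Grant the user exclusive rights" and "Move the contents to the new location": with those left on, redirection tries to make each user the owner of the folder and fails against a read-only target.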
The Settings
The settings were configured from a Windows 2008 Active Directory domain controller, so they may not match a Windows 2003 environment exactly. Again, I stress, this is not a fully locked-down environment. This is simply to demonstrate how easy it is to start turning Windows XP into a dumb terminal. The file can be downloaded here.
The last bit is to add a small script in the Startup folder or the Run key in the registry that kicks off a premade RDP file (or ICA, if you like), and you’re golden. Good luck.
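One practical detail the launcher has to get right: if it simply starts the RDP client and exits, a user who closes the session window ends up sitting at the locked desktop. The PowerShell below is an added example, not the article's script, of a Run-key launcher that confirms the two policies named above have reached the user, starts the premade RDP file full screen, waits for the client to exit, and then logs the user off. The host rdsh01.example.internal and the path C:\Kiosk\session.rdp are placeholders; the RDP file is constructed here with drive, clipboard and printer redirection turned off, and the Run-key registration assumes PowerShell 3 or later for $PSCommandPath.

```powershell
# Added example (not from the original article): kiosk session launcher.
# Placed in the per-user Run key, it starts the premade RDP file and logs the
# user off when the client closes, so the session never drops to the desktop.

$RdpFile = 'C:\Kiosk\session.rdp'   # placeholder premade RDP file

# Registry-backed values behind "Hide and disable all items on the desktop"
# (NoDesktop) and "Force classic Start menu" (NoSimpleStartMenu). Warn if the
# GPO has not applied rather than launching a session onto an unlocked desktop.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($Name in 'NoDesktop', 'NoSimpleStartMenu') {
    $Applied = (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($Applied -ne 1) {
        Write-Warning "Policy value $Name is not applied; run 'gpupdate /force' or check the GPO."
    }
}

# Write the premade RDP file if it is missing. Placeholder host; the
# redirection settings are kept off so the session cannot reach local drives,
# clipboard or printers, and credentials are always prompted for.
if (-not (Test-Path $RdpFile)) {
    New-Item -ItemType Directory -Path (Split-Path $RdpFile) -Force | Out-Null
    @'
screen mode id:i:2
full address:s:rdsh01.example.internal
prompt for credentials:i:1
authentication level:i:2
redirectdrives:i:0
redirectclipboard:i:0
redirectprinters:i:0
'@ | Set-Content -Path $RdpFile -Encoding Unicode
}

# Register this script under the per-user Run key so it kicks off at logon
# (the Startup folder is the alternative mentioned in the article).
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$Launcher = "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -File `"$PSCommandPath`""
$Current  = (Get-ItemProperty -Path $RunKey -Name 'KioskSession' -ErrorAction SilentlyContinue).KioskSession
if ($Current -ne $Launcher) {
    Set-ItemProperty -Path $RunKey -Name 'KioskSession' -Value $Launcher
}

# Start the session full screen and block until the client exits.
$Client = Start-Process -FilePath "$env:windir\system32\mstsc.exe" `
                        -ArgumentList "`"$RdpFile`"", '/f' -PassThru
$Client.WaitForExit()

# The session window is gone: log the user off instead of exposing the desktop.
shutdown.exe /l
```

Because the Run key lives under HKCU, the launcher applies only to the locked-down users' accounts; an administrator logging on to the same PC gets an ordinary desktop, which is the same per-user split the article relies on for administration.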