How to Lock down a computer
One of the things most people don’t do is manage their computers. In our office environment this is exactly one of the things I had to do. How do you force all users to save all their documents on the shared folders? This is how I lock down a computer.
You setup the Illusion of No Access.
So what do I mean by this? You need to know that Windows cannot be completely locked down; if you try, it will crash on you. But you can prevent users from saving to any location other than the one you specify.
How will we lock down a computer
- Hide all the drives you don’t want data to be saved.
- Lock any Saving for the Desktop, Documents, Multimedia (Pictures, Video, Music)
- Block USB Access
- Set Account control and UAC
So the above steps are what I used. You need to select the best options for yourself.
Hide Drives
The drives will be hidden so that users cannot double-click them in Explorer to save there. If you need to access a hidden drive yourself, simply type the drive letter into the Run prompt and Windows will still open it (this hides the drive, it does not block access to it).
There are multiple ways of hiding drives on your machine, from Disk Management to the Registry to GPOs. The one I prefer is the Registry. Open RegEdit as an administrator and browse to the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Once there, create a new DWORD (32-bit) value and name it NoDrives. Edit the new value and choose Decimal. The decimal value determines which drives are hidden: each drive has its own number, so for every drive you want to hide, add its number to the total, and that total is the value you enter.
Below is the value for each different Drive:
Drive | Value | Drive | Value | Drive | Value    | Drive | Value
A     | 1     | I     | 256   | Q     | 65536    | Y     | 16777216
B     | 2     | J     | 512   | R     | 131072   | Z     | 33554432
C     | 4     | K     | 1024  | S     | 262144   | All   | 67108863
D     | 8     | L     | 2048  | T     | 524288   |       |
E     | 16    | M     | 4096  | U     | 1048576  |       |
F     | 32    | N     | 8192  | V     | 2097152  |       |
G     | 64    | O     | 16384 | W     | 4194304  |       |
H     | 128   | P     | 32768 | X     | 8388608  |       |
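The table is just a bitmask, one bit per drive letter. The PowerShell below is an added example (not part of the original post) that builds the NoDrives value from a list of letters, decodes a value already on a machine back to letters so you can check what it hides, and writes it under the Explorer policy key above; the function names are my own.

```powershell
# Added example: build, decode and apply the NoDrives bitmask from the table above.
# Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:  (A=1, B=2, C=4, ... Z=33554432).
$NoDrivesKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-NoDrivesValue {
    # Turn drive letters such as 'C','D','E' into the decimal value to enter.
    param([Parameter(Mandatory)][string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $c = $l.Trim().ToUpper()[0]             # first character as a [char]
        $index = [int]$c - [int][char]'A'       # A -> 0, B -> 1, ... Z -> 25
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor (1 -shl $index)      # same as adding the table numbers together
    }
    return $mask
}

function Get-HiddenDriveLetters {
    # Reverse of the above: decode a NoDrives value (for example one already set on a PC).
    param([Parameter(Mandatory)][int]$Value)
    0..25 | Where-Object { $Value -band (1 -shl $_) } | ForEach-Object { '{0}:' -f [char](65 + $_) }
}

function Set-HiddenDrives {
    # Write NoDrives under the Explorer policy key. Run elevated; -WhatIf only previews the change.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Letters)
    $mask = Get-NoDrivesValue -Letters $Letters
    if (-not (Test-Path $NoDrivesKey)) { New-Item -Path $NoDrivesKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($NoDrivesKey, "Set NoDrives = $mask (hides $($Letters -join ', '))")) {
        Set-ItemProperty -Path $NoDrivesKey -Name NoDrives -Value $mask -Type DWord
    }
}

# Hide C:, D: and E: in Explorer (from the table: 4 + 8 + 16).
Get-NoDrivesValue -Letters 'C','D','E'
# Decode the "All" value from the table back into drive letters.
Get-HiddenDriveLetters -Value 67108863
# Preview the registry write first, then run again without -WhatIf to apply it.
Set-HiddenDrives -Letters 'C','D','E' -WhatIf
```

Explorer reads the value when it starts, so sign out and back in (or restart explorer.exe) to see the drives disappear.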
Lock Down Profile Saving
This is where it gets tricky: depending on which OS you are working on, your user profiles might be in a different location. For this I used Windows 10. Browse to the user profiles (C:\Users), right-click the profile we are going to lock and go to Properties, then to the Security tab, then to Advanced, and choose the account that you want to limit. Remove every permission on the profile except Read. Oops… We broke Windows.
Now go into the profile and choose the AppData folder. Edit its permissions the same way, with the difference that you disable inheritance, give the user full access to only this folder, and choose the option to replace child permissions. The user profile is fixed again.
Note that this has to be done from an admin user account, not the user account you will be locking down.
So what did we do here? We stopped the user from saving anywhere in their local profile, but left AppData alone, as this is where all the Windows back-end components read and write for that user.
PS: on older versions of Windows the Public profile was also mapped into Explorer. You will have to either block the users there as well or remove the links to the Public profile by right-clicking each shortcut and removing the Public location.
Block USB Access
Heading back to the registry, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor
Find the value named Start and change it to 4. This stops the usbstor driver from loading, which disables USB storage devices.
To enable it again, change the value back to 3 and access will be back immediately.
Set Account control and UAC
So the illusion of no access has been set up. I am sure there is more that can be done, but for now this is what I did. So how do you prevent nosy users from undoing the work you have been doing?
In the Control Panel, search for User Accounts and set the user as a Standard account. If you are using AD, all users that are not part of the Administrators group will be standard user accounts.
Then set User Account Control (UAC). To do this, go to the Control Panel, search for UAC and set it to level 3. You do this because whenever something needs to run as administrator, it will pop up with an authentication screen instead of running silently.
There are many other ways to lock down computers, and each has its own advantages. The methods I chose were the easiest for a small environment of about 50 to 100 users. Remember that this is PC and profile dependent: if a new user logs in, the access restrictions need to be redone for that profile.