Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexander Sinitsyn2021-08-10 07:36:15
System administration
Alexander Sinitsyn, 2021-08-10 07:36:15

What are the best practices when setting up a computer lab for workgroups?

Win7Pro system So far,

the list is as follows:
- close the BIOS with a password
- Admin with a password and admin rights
- Student without a password with user rights (loaded automatically at system startup)
- Preinstalled set of programs

Group policies:
- Disable all desktop settings (wallpaper, colors, fonts , cursors...)
- Prohibition of connection and removal of the printer - Fixing
and prohibition of all taskbar settings (changing the composition of shortcuts, resize, drag and drop ) switch to Python) (added) Software Restriction Policy (SRP):


- prohibition of launching programs except: Windows, ProgramFiles, ProgramFiles (x86), drive Z

Folders:
- "Student Files" folder on D with modification rights
- "Desktop" with removal of modification rights (so as not to turn the table into a trash can)

Not found how to prevent pinned apps from being dragged across the taskbar and desktop shortcuts.

Can you suggest something else?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
A
Artem @Jump, 2021-08-10
Tag

You forgot one essential detail.
There are many programs that do not require installation, or are installed directly into the user's profile.
Therefore, you should configure software restriction policies - Software Restriction Policy.
Here is an example setup.
As a result, the user will be able to run only the programs specified in the policies.
Other executable files, even if it downloads, will not be able to run at all.
Regarding the ban on files - the entry should be allowed only in your folder and in your profile.
All other places are prohibited.
Desktop - yes, let them write, it's convenient for many, just delete everything superfluous with a script when the user logs in. As a result, every time a clean table.
You can also backup user profiles and restore them if necessary.

Report
V
Viktor, 2021-08-10
@MadLor

1. Disable booting from removable media (USB, etc.) in the BIOS.
2. Be sure to set a password for the built-in "Administrator" account, even if it is not used and is disabled.
3. Disable "System Restore" or delete restore points, otherwise a "surprise" is possible.
4. Deny flash drives for writing / reading in Windows if this does not interfere with the educational process. For example, you can copy any files to the "Windows\tracing" folder without administrator rights and, accordingly ... well, you understand))
5. If you have access to the Internet, then prohibit the installation of extensions in the browser ... I would use Chrome and limit it opportunities through GPO.

Similar questions
X
XXXprog2017-07-09 20:39:02
How to block script execution if it is already running? 3Reply
E
Evgeny Kalibrov2014-12-22 12:37:35
How to increase disk size in a virtual machine? 5Reply
D
Dextale2021-01-16 22:10:26
Can't connect to server using Tunnelblick OpenVPN on Mac OS? 1Reply
I
Ilya T.2016-12-20 11:15:01
How to raise your evernote with blackjack and pops? 7Reply
N
nApoBo32016-12-22 08:42:15
Where can I find a good docker security guide? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question