Locking down machines in Tanzania.
December 29, 2008 7:49 AM Subscribe
What programs should I install on a lab of PCs in Tanzania, to make them as useful and tamperproof as possible?
(Posting this for a friend)
I'm a Peace Corps volunteer serving as an education volunteer at a secondary school in Tanzania. I'm teaching computers and have a lab of 15 Windows XP machines (13 of them functional) that I have to take care of. Problem is, I'm fresh out of college with an engineering degree and I've been using OSX and Linux for the past four years, so I'm not really up on Windows. Also, I've never been a sysadmin. If you were in my shoes, knowing nothing and with no money and limited Internet access, what programs would you install? How would you foolproof the computers? In an ideal world I'd like to make it so the students can't even accidentally drag desktop icons across the screen, so all the computers look identical when they log in, but I don't know a way of doing that...
(Posting this for a friend)
I'm a Peace Corps volunteer serving as an education volunteer at a secondary school in Tanzania. I'm teaching computers and have a lab of 15 Windows XP machines (13 of them functional) that I have to take care of. Problem is, I'm fresh out of college with an engineering degree and I've been using OSX and Linux for the past four years, so I'm not really up on Windows. Also, I've never been a sysadmin. If you were in my shoes, knowing nothing and with no money and limited Internet access, what programs would you install? How would you foolproof the computers? In an ideal world I'd like to make it so the students can't even accidentally drag desktop icons across the screen, so all the computers look identical when they log in, but I don't know a way of doing that...
repost:
What jstarlee said. Or some other means of complete restoration. You can probably automate the entire process, or at least reduce it to less than 5 commands / pointnclicks. This prevents the ongoing interruption of fixing little broken things here and there. It also gives each participant greater access, which is ultimately ideal. Breaking apps and the OS is part of the joy and offers much for learning. Too much admin control in learning environments can be a real drag. Instill structure as part of the curriculum (eg, must have working system to complete final assignment) but not globally enforced. Give the particpants a chance to explore and break stuff --fix with automation not troubleshooting.
Apps that help keep xp together: ccleaner, avg anti-virus, privoxy. I also suggest "adjust for best performance" with xp (cp -> advanced -> performance).
posted by ezekieldas at 8:17 AM on December 29, 2008
I wouldnt install any programs to add security, I would take away rights and then explicity give them access to what they need. No app can provide security, you need to take away rights from the user. This is called the principle of least privilege and is sometimes abbreviated as LUA for least-privileged user account. Theres a great msdn blog about LUA here.
The first thing you should do is make accounts for the users and put them in the users group, not the administrators group. This right here takes away all their rights to make system changs, install most software, etc.
Then I would fire up group policy editor gpedit.msc from run and start disabling whatever they dont need. Disable task manager, remove control panel, remove desktop icons, etc. There are guides on the internet on more items and their location.
The downside with this approach is that some software doesnt like to be run without administrator priveledges. In this case you'll have to give the user group the ability to read or write wherever the application needs to read or write. Nowadays this is pretty rare, but it still comes up.
On preview: Windows steadystate just reapplies an image at a set schedule. That doesnt give you uniformity or security. Its just a quick way to re-install windows to your liking. Betwee re-imaging your users still have full admin powers and can still run trojans, mess up your configuration, etc. You can use steadystate with LUA, but it really shouldnt be needed.
posted by damn dirty ape at 8:28 AM on December 29, 2008
The first thing you should do is make accounts for the users and put them in the users group, not the administrators group. This right here takes away all their rights to make system changs, install most software, etc.
Then I would fire up group policy editor gpedit.msc from run and start disabling whatever they dont need. Disable task manager, remove control panel, remove desktop icons, etc. There are guides on the internet on more items and their location.
The downside with this approach is that some software doesnt like to be run without administrator priveledges. In this case you'll have to give the user group the ability to read or write wherever the application needs to read or write. Nowadays this is pretty rare, but it still comes up.
On preview: Windows steadystate just reapplies an image at a set schedule. That doesnt give you uniformity or security. Its just a quick way to re-install windows to your liking. Betwee re-imaging your users still have full admin powers and can still run trojans, mess up your configuration, etc. You can use steadystate with LUA, but it really shouldnt be needed.
posted by damn dirty ape at 8:28 AM on December 29, 2008
I think it depends on what you mean exactly when you say "foolproof" the computers.
If you mean, you want to be able to let kids mess around with them, but be able to restore them to their original state when they're done, so that the next time they log in the computers are back where they started, then I'd second the recommendation for SteadyState.
If, on the other hand, you want to let kids use the computers for a significant period of time, and keep them safe while they're using the computers, damn dirty ape is (once again) right on the money. The key is to not run as administrator, just like you wouldn't run as root on Unix. My favorite LUA link is nonadmin.
Keep in mind, in the first case, if a problem arises, SteadyState will restore the computer to its original state, losing all sorts of stuff that may be important to you or your kids. SteadyState is great for things like computer labs, where that's exactly the result you want, but it isn't great for ongoing use of a computer by a specific person.
posted by me & my monkey at 1:21 PM on December 29, 2008
If you mean, you want to be able to let kids mess around with them, but be able to restore them to their original state when they're done, so that the next time they log in the computers are back where they started, then I'd second the recommendation for SteadyState.
If, on the other hand, you want to let kids use the computers for a significant period of time, and keep them safe while they're using the computers, damn dirty ape is (once again) right on the money. The key is to not run as administrator, just like you wouldn't run as root on Unix. My favorite LUA link is nonadmin.
Keep in mind, in the first case, if a problem arises, SteadyState will restore the computer to its original state, losing all sorts of stuff that may be important to you or your kids. SteadyState is great for things like computer labs, where that's exactly the result you want, but it isn't great for ongoing use of a computer by a specific person.
posted by me & my monkey at 1:21 PM on December 29, 2008
For the users, look at the software on the Open Disc.
posted by PueExMachina at 4:45 PM on December 29, 2008
posted by PueExMachina at 4:45 PM on December 29, 2008
This thread is closed to new comments.
Free and re-images the PC at time of your choice (daily or per session) I believe.
posted by jstarlee at 7:58 AM on December 29, 2008