Firewall Wizards mailing list archives

Architecture Q - Public access domain integrated pc's


From: Jeff Boles <bolesjb () yahoo com>
Date: Tue, 18 May 2004 15:29:57 -0700 (PDT)

Have an issue I'm struggling with, and I know this is
the place to turn:

We are supporting public access PCs which currently
support guest users logging in via a proprietary
database system which also holds some user info
(favorites).  We reset PC system config after use with
the fortres 'cleanslate' product (completely wiped),
providing users with good ability to trash the system
to their content.  These systems all run office
products, a couple rudimentary third party apps, and
internet browsing.

We intend to integrate this into an Active Directory
and terminal services environment, converting from
PCs to thin client hardware.  My concern is over AD
security and controlling system vulnerabilities.  We'd
like to integrate into an AD architecture which also
supports the core enterprise (non-public users) as
well.  Public users would be identity-less guest
accounts with automatic logon, with passwordless
terminal services accounts set up on a per-device
basis, and desktop access controlled via the third
party logon product.  The need for Active Directory
integration is to manage these terminal servers, as
well as some non-terminal public systems (updates and
patches) with the same management infrastructure in
place on the enterprise network (SUS, SMS, etc.).

On to the question - 

Has anyone integrated and locked down to a level of
comfort a public access architecture and Active
Directory?  These will be separate wiring
infrastructures, so cross-segment traffic can be
closely controlled.
What about with terminal services?
Any pointers, tips, or best practices?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

