Re: training lab security - Active Directory

[Aaron Childs <aaron () WSC MA EDU>]

Hi Kevin,
  We've been running AD since 2002 and for our lab computers we made a security group for all of our students, and 
another security group for all faculty and staff and put those groups in the local guest group on each of the machines. 
 This prevents the installation of malware (provided the local admin account is secured) and prevents the user's 
profile from being saved on the computer as well.
 
Have a good weekend,
  Aaron
 
-------------
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/ 
 
"Laughter is the closest distance between two people."  
                -- Victor Borge

________________________________

From: Kevin Shalla [mailto:kshalla () UIC EDU]
Sent: Fri 12/15/2006 5:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] training lab security - Active Directory



I'm new to Active Directory, and am looking for ways to improve the
security on our PCs.  My hardware management staff is resisting my
strategy of putting all our training room computers into Active
Directory and having them all log in with their own AD
accounts.  Their preference is to have users log in to a local guest
account on the computers. I'm thinking that if someone loads spyware
or other nasty stuff, then other users won't be affected by that
because the accounts do not have administrator access.  My staff's
contention is that once malware is on a PC, it is NOT limited to one
account, but infects the whole machine.  Further, they believe that
having individuals logging in with their own accounts would create
too many profiles, filling up the machines.  What are the best
practices for managing Windows machines in lab facilities?