When an organization starts planning the management of its desktop systems, the initial thought is simply the management of office desktop and laptop systems. However, there are typically five different types of systems where user sessions and connections need to be managed. They include the following:
Managing Desktops Remotely

For administrative tasks that must be performed on workstations, such as installing new hardware or configuring user profile settings that are not handled by Group Policy, you can use the tools provided with Windows Server 2003 and Windows XP. Remote Desktop can be used not only to install software remotely but also to configure just about everything that could be performed from the local console. The only limitation is that the BIOS settings cannot be controlled: if a remote reboot is performed while the BIOS is configured to boot first from a floppy disk and a disk is in the drive, the system might never restart, and a visit to the workstation will be required. Starting with Windows Server 2003 and Windows XP, the Computer Management console can be used to perform several system-related software and hardware tasks remotely. New features include adding new hardware by scanning for hardware changes, adding local user accounts or local shares, and manipulating system services. This tool is very flexible for remote administration.

Managing Multiuser Desktops

The multiuser desktop is commonly used in public access situations where the desktop experiences high traffic and must be flexible enough to allow some customization, but should remain reliable and unbreakable. Keep the following items in mind when managing multiuser desktops:
Managing Mobile Computers

Many companies have employees who either travel frequently or are located away from the typical office environment. These mobile users differ from desktop users in that they often log on to the network through a portable computer over a slow-link dial-up modem connection. A good management strategy for this type of user should take into account the lack of local access and the slow-link connection to the network. Because mobile users spend a majority, if not all, of their time away from the local office, they will often find themselves in the unique position of having to provide their own computer support. As this is the case, mobile users often require more privileges than the standard office user. To do this, apply a separate Group Policy Object to your mobile clients that enables users to perform software and local printer installs while at the same time restricting them from critical system files that might disable their system. Whether or not they are connected to the network, mobile users will expect to have access to their critical data. IntelliMirror simplifies management of the mobile user in that it enables users to work on network files when they are not connected to the network and to have the offline version and the network version synchronize the next time the user connects to the network. Although Offline Files is a default feature of Windows XP, you still need to select the network files and folders that will be made available offline. Another key management concern regarding the mobile user is software installation. It is not recommended to assign or publish software to mobile users who are rarely in the office. If they periodically work in the office, one can leave the Group Policy slow-link detection setting at its default in the user interface so that software installs when the user is connected directly to the local area network (LAN).
Set Offline Files to Synchronize: Set Offline Files to synchronize when users log on and to synchronize periodically in the background.

One can verify or adjust the connection speed for Group Policy settings in the Group Policy slow-link detection setting. To do this in the Group Policy Object Editor, navigate to Computer Configuration/Administrative Templates/System/Group Policy or User Configuration/Administrative Templates/System/Group Policy. Mobile users should not, for the most part, be running served applications. Typically, the mobile users' portable computers should have all the core software installed before the users have to work outside the office. If users require additional software after they are in the field and cannot return to the office to have it installed, it might make sense to copy your software packages to CD to be installed locally by the mobile users with elevated privileges.

Managing Public or Kiosk Workstations

The public or kiosk workstation exists in the public environment and generally is used to provide access to one or a limited set of applications. You should implement a highly managed configuration that restricts the user from performing any data management, software installs, or system configuration. Another aspect of the kiosk workstation is that users should not be logging on with a username and password; it is better to create a user account that automatically logs on when the computer starts. All users will use this one account to gain access to the applications provided for their use. The application that is being accessed should also be loaded automatically when the computer starts up. The user should not be able to access Windows Explorer or the command prompt, because these can be used to access the system directly. The application itself should be examined to confirm that it does not give users a backdoor to any part of the system.
Characteristics of the policies associated with locking down the Kiosk workstation include the following:
Managing Administrator Workstations

In many companies, the administrators' workstations have no controls in place at all. The accounts the administrators use to log on to the network give them control over every aspect of the workstation, as well as the servers. Because these accounts have so much power over the network, it is recommended that policies be in place to protect that power. This section offers some recommendations on the proper configuration and use of the administrator workstation. To make changes in Active Directory, perform system maintenance, run backups and restores, and install software, administrators require a logon account that gives them elevated privileges. At the same time, administrators also perform normal network activity such as reading e-mail, writing documents, and setting schedules. For this reason, administrators should have two or more accounts. They should have an account that behaves as a normal network client account, with the same privileges and subject to the same Group Policies as most normal users or power users. This account would then be used as the standard logon for the administrator workstation. Administrators should then have other accounts for workstation administration and network or domain administration that remain secure by virtue of not being used during day-to-day network client work. Even administrators can inadvertently make damaging changes to a workstation or server configuration if they are logged in with Domain Admin privileges all the time. To perform many of the tasks required of an administrator, the Windows Server 2003 Administration Tool Pack should be installed from the Windows Server 2003 CD. These tools are packaged as adminpak.msi.

Before Installing the Administration Tool Pack: Administration workstations should be at XP Service Pack 1 and have the QFE Q3289357 installed before the Administration Tool Pack is installed.
The Run As feature can be used from any administrator workstation or any network client to elevate privileges temporarily to perform administrative functions. For example, while logged in to a workstation with a user account that has standard user privileges, you can run Active Directory Users and Computers using the Run As command to execute the utility from an administrative account. To run an application with the Run As command, do the following:
You should also enforce a password-protected screensaver with a short timeout interval on administrator workstations. This protects the workstation from malicious users taking advantage of the administrator's credentials should the administrator be temporarily away from the machine. To specify a particular screensaver with password protection and timeout in a Group Policy, do the following:
Finally, when dealing with a large organization with distributed administration, it is a good idea to delegate authority for network clients to administrator groups based on geographical location. Some organizations make the mistake of creating a global administrators group populated with every administrator in the company. Just because an administrator in the Santa Clara office requires administrative rights over the network clients in his office does not mean that he should also get administrative rights over network clients in Papua New Guinea. Keeping administrators organized also protects the network clients from receiving improper Group Policy assignments.
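A quick audit of a workstation against the mobile-computer settings discussed earlier (Group Policy slow-link detection, Offline Files synchronization at logon) and the administrator-workstation settings in this section (password-protected screensaver with a short timeout, working from a non-privileged daily account). This is an added PowerShell example, not material from the book; the registry paths are the ones the named Group Policy settings write to, and the 600-second timeout threshold is an assumption of this example rather than a figure from the text.

```powershell
# Added audit example (not from the book): reads the registry values written by the Group
# Policy settings discussed above and reports each as OK or WARNING. Run locally in PowerShell.

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SlowLinkDetection {
    # Computer Configuration/Administrative Templates/System/Group Policy: slow link detection.
    # The default threshold is 500 Kbps; a value of 0 treats every connection as fast.
    $rate = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'GroupPolicyMinTransferRate'
    if ($null -eq $rate) { return 'OK: slow-link detection not configured, 500 Kbps default applies' }
    if ([int]$rate -eq 0) { return 'WARNING: slow-link detection disabled; software would install over dial-up' }
    return "OK: slow-link threshold set to $rate Kbps"
}

function Test-OfflineFilesSyncAtLogon {
    # User Configuration/Administrative Templates/Network/Offline Files: synchronize at logon.
    $sync = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\NetCache' 'SyncAtLogon'
    if ($sync -eq 1) { return 'OK: Offline Files synchronize at logon' }
    return 'WARNING: Offline Files synchronization at logon is not enforced'
}

function Test-ScreenSaverLockdown([int]$MaxTimeoutSeconds = 600) {
    # User Configuration/Administrative Templates/Control Panel/Display. Values are REG_SZ strings.
    $base = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $problems = @()
    if ("$(Get-PolicyValue $base 'ScreenSaveActive')" -ne '1')   { $problems += 'screensaver not enforced' }
    if ("$(Get-PolicyValue $base 'ScreenSaverIsSecure')" -ne '1') { $problems += 'no password protection' }
    $timeout = Get-PolicyValue $base 'ScreenSaveTimeOut'
    if (-not $timeout -or [int]$timeout -gt $MaxTimeoutSeconds) { $problems += "timeout missing or above $MaxTimeoutSeconds s" }
    if ($problems.Count -eq 0) { return 'OK: password-protected screensaver with short timeout' }
    return 'WARNING: ' + ($problems -join '; ')
}

function Test-DailyAccountIsAdmin {
    # The everyday logon on an administrator workstation should not hold the Administrator role.
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        return 'WARNING: interactive session holds Administrator rights; use Run As for admin tasks instead'
    }
    return 'OK: interactive session is a standard user account'
}

Test-SlowLinkDetection; Test-OfflineFilesSyncAtLogon; Test-ScreenSaverLockdown; Test-DailyAccountIsAdmin
```

The checks read only the policy hive, so a value set manually in the user's own Control Panel settings rather than by Group Policy is reported as not enforced, which is the intended distinction.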