Managing Systems and Configurations


When an organization starts planning the management of its desktop systems, the initial thought is simply the management of office desktop and laptop systems. However, there are typically five different types of systems where user sessions and connections need to be managed. They include the following:

  • Managing desktops remotely

  • Managing multi-user desktops

  • Managing mobile computers

  • Managing public or kiosk workstations

  • Managing administrator workstations

Managing Desktops Remotely

For administrative tasks that must be performed on workstations, such as installing new hardware or configuring user profile settings that are not set through Group Policy, you can use the tools provided with Windows Server 2003 and Windows XP. Remote Desktop can be used not only to install software remotely but also to configure just about everything that could be performed from the local console. The one limitation is that the BIOS settings cannot be controlled: if a remote reboot is performed, the BIOS is configured to boot first from a floppy disk, and a disk is in the drive, the system might never restart, and a visit to the workstation will be required.

Starting with Windows Server 2003 and Windows XP, the Computer Management console can be used to perform several system-related software and hardware tasks remotely. New capabilities include adding new hardware by scanning for hardware changes, adding local user accounts or local shares, and manipulating system services. This tool is very flexible for remote administration.

Managing Multiuser Desktops

The multiuser desktop is commonly used in public access situations where the desktop experiences high traffic and must be flexible enough for some customization, but should remain reliable and unbreakable. Keep the following items in mind when managing multiuser desktops:

  • Some level of modification to the desktop must be allowed to the users while maintaining a high level of security. Users should not have access to hardware or connection settings.

  • Enable users to modify Internet Explorer and the desktop, run needed applications, and configure some Control Panel options.

  • Restrict users via group policy from using the command prompt or the run command, accessing network settings, accessing Add/Remove programs, or running executables from disk, CD, or the Internet.

  • Set up roaming profiles so that the user's desktop settings follow the user regardless of the workstation in use. Remove local copies of roaming profiles when the user logs off to preserve disk space. The user profile synchronizes with the network before it is removed, so it will be available if the user logs on again. If a profile is not available, a new local profile is created based on the default user profile. Computers can easily be replaced because all settings are in the network profile.

  • To conserve disk space, applications should be server-based when possible. Configure shares that store applications for automatic caching so application files are cached at the workstation. You can also enforce disk quota limits through Group Policy. To do this in the Group Policy Editor, navigate to Computer Configuration/Administrative Templates/System/Disk Quotas.

  • Use folder redirection to save My Documents and Application data on server shares. Use Group policy to prevent users from storing data locally.

Managing Mobile Computers

Many companies have employees who either frequently travel or are located away from the typical office environment. These mobile users differ from desktop users in that they often log on to the network through a portable computer over a slow-link dial-up modem connection. A good management strategy for this type of user should take into account the lack of local access and the need to connect to the network over a slow-link connection.

Because mobile users spend a majority, if not all, of their time away from the local office they will often find themselves in the unique position of having to provide their own computer support. As this is the case, mobile users often require more privileges than the standard office user. To do this, apply a separate Group Policy Object to your mobile clients that would enable users to perform software and local printer installs while at the same time restricting them from critical system files that might disable their system.

Whether or not they are connected to the network, mobile users will expect to have access to their critical data. IntelliMirror simplifies management of the mobile user in that it enables users to work on network files when they are not connected to the network and to have the offline version and the network version synchronize the next time the user connects. Although Offline Files is a default feature of Windows XP, you still need to select the network files and folders that will be made available offline.

Another key management concern regarding the mobile user is software installation. It is not recommended to assign or publish software to mobile users who are rarely in the office. If they periodically work in the office, one can set the Group Policy slow-link detection to the default in the user interface so that software will install when the user is connected directly to the local area network (LAN).

Set Offline Files to Synchronize

Set Offline Files to synchronize when users log on and to periodically synchronize in the background.


One can verify or adjust the connection speed for Group Policy settings in the Group Policy slow-link detection setting. To do this in the Group Policy Object Editor, navigate to Computer Configuration/Administrative Templates/System/Group Policy or User Configuration/Administrative Templates/System/Group Policy.

Mobile users should not, for the most part, be running served applications. Typically, the mobile users' portable computers should have all the core software installed before they have to work outside the office. If users require additional software after they are in the field and cannot return to the office to have it installed, it might make sense to copy your software packages to CD to be installed locally by the mobile users with elevated privileges.

Managing Public or Kiosk Workstations

The public or kiosk workstation exists in the public environment and generally is used to provide access to one or a limited set of applications. You should implement a highly managed configuration that restricts the user from performing any data management, software installs, or system configuration.

Another aspect of the kiosk workstation is that users should not be logging on with a username and password; it is better to create a user account that automatically logs on when the computer starts. All users will use this one account to access the applications provided for their use. The application being accessed should also be loaded automatically when the computer starts up.

The user should not be able to access Windows Explorer or the command prompt because these can be used to access the system directly. The application itself should be examined to confirm that it does not allow users a backdoor to any part of the system.

Characteristics of the policies associated with locking down the Kiosk workstation include the following:

  • Desktops have a limited set of applications that the user can run. You can limit, through Group Policy, which applications the user can execute. To do this in the Group Policy Editor, navigate to User Configuration/Administrative Templates and expand the Start menu and taskbar.

  • Desktops have no Start menu and might have limited desktop icons. You need to hide Network Neighborhood and other icons that normally appear on the desktop. As shown in Figure 7.5, many options are available for limiting the Start menu and taskbar.

    Figure 7.5. Group Policy options for limiting the Start menu and taskbar of a managed workstation.

  • Users cannot install software. The software the users require is already installed on their computers.

  • Users cannot access the hard disk, floppy drives, or CD-ROM. Again, you will find these policy settings under User Configuration/Administrative Templates.

  • All data (if any) is stored on the network. You can implement folder redirection to satisfy this requirement.

Managing Administrator Workstations

In many companies, the administrators' workstations have no controls in place at all. The accounts the administrators use to log on to the network give them access to control every aspect of the workstation, as well as the servers. Because these accounts have so much power over the network, it is recommended that policies be in place to protect that power. This section suggests some recommendations in the proper configuration and use of the administrator workstation.

To make changes in Active Directory, perform system maintenance, run backups and restores, and install software, administrators require a logon account that gives them elevated privileges. At the same time, administrators also perform normal network activity such as reading e-mail, writing documents, and setting schedules. For this reason, administrators should have two or more accounts. They should have an account that behaves as a normal network client account, with the same privileges and subject to the same Group Policies as most normal users or power users. This account is then used as the standard logon for the administrator workstation. Administrators should then have other accounts for workstation administration and network or domain administration that remain secure by virtue of not being used during day-to-day network client work. Even administrators can inadvertently make damaging changes to a workstation or server configuration if they are logged in with Domain Admin privileges all the time.

To perform many of the tasks required of an administrator, the Windows Server 2003 Administration Tool Pack should be installed from the Windows Server 2003 CD. These tools are packaged as adminpak.msi.

Before Installing the Administration Tool Pack

Administration workstations should be at XP Service Pack 1 and have the QFE Q3289357 installed before installing the Administration Tool Pack.


The Run As feature can be used from any administrator workstation or any network client to elevate privileges temporarily to perform administrative functions. For example, while logged in to a workstation with a user account that has standard user privileges, you can run Active Directory Users and Computers using the Run As command to execute the utility from an administrative account.

To run an application with the Run As command, do the following:

  1. While holding down the Shift key on the keyboard, right-click the application you want to run.

  2. Click Run As.

  3. In the Run As Other User dialog box, type the username, password, and domain name of the administrative account.
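The same separation can be scripted from the command line. The following is an added example, not code from the book, that launches an administrative MMC snap-in through runas.exe under a separate admin account, but only after confirming that the current interactive session is a standard user; the account name CONTOSO\jsmith-admin and the snap-in are placeholders.

```powershell
# Added example (not from the book): run an admin tool from a standard-user
# session via runas.exe. The account and command line below are placeholders.

function Test-CurrentSessionIsAdmin {
    # True when the current logon token carries the local Administrators role
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-AdminTool {
    param(
        [Parameter(Mandatory=$true)] [string] $AdminAccount,  # e.g. 'CONTOSO\jsmith-admin'
        [Parameter(Mandatory=$true)] [string] $CommandLine    # e.g. 'mmc dsa.msc'
    )
    if (Test-CurrentSessionIsAdmin) {
        # The day-to-day logon is supposed to be a standard user; refuse rather
        # than quietly run the tool under an already-elevated token.
        throw "This session is already an administrator; log on with the standard account first."
    }
    # runas.exe prompts for the admin account's password on the console and
    # starts only this command line with the elevated credentials.
    & runas.exe "/user:$AdminAccount" $CommandLine
}

# Usage: open Active Directory Users and Computers from the standard-user logon
Start-AdminTool -AdminAccount 'CONTOSO\jsmith-admin' -CommandLine 'mmc dsa.msc'
```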

You should also enforce a password-protected screensaver with a short timeout interval on administrator workstations. This protects the workstation from malicious users taking advantage of the administrator's credentials should the administrator be temporarily away from the machine.

To specify a particular screensaver with password protection and timeout in a Group Policy, do the following:

  1. In the Group Policy Object Editor, navigate to User Configuration/Administrative Templates/Control Panel/Display.

  2. Enable the following settings: Screen Saver Executable Name, Password Protect the Screen Saver, and Screen Saver Timeout.
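To confirm that these three settings actually reached an administrator workstation, the following added example (not code from the book) reads the registry values that the Display policy settings write for the current user and reports any gap; the 600-second ceiling is an assumption about what "short" means in a given environment.

```powershell
# Added example (not from the book): audit the screen saver policy applied to
# the current user by reading the values written by the Display policies.
# The 600-second maximum timeout is an assumed local standard.

function Get-ScreenSaverPolicy {
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    if (-not (Test-Path $key)) { return $null }   # no Display policy applied at all
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        Executable = $p.'SCRNSAVE.EXE'        # Screen Saver Executable Name
        Secure     = $p.ScreenSaverIsSecure   # Password Protect the Screen Saver ('1' = on)
        TimeoutSec = $p.ScreenSaveTimeOut     # Screen Saver Timeout, seconds stored as a string
    }
}

function Test-ScreenSaverPolicy {
    param([int] $MaxTimeoutSeconds = 600)
    $policy = Get-ScreenSaverPolicy
    if ($null -eq $policy) {
        return @('No screen saver policy key present under HKCU\Software\Policies')
    }
    $findings = @()
    if (-not $policy.Executable) { $findings += 'Screen Saver Executable Name is not set' }
    if ($policy.Secure -ne '1')  { $findings += 'Screen saver is not password protected' }
    $timeout = 0
    $parsed  = [int]::TryParse([string]$policy.TimeoutSec, [ref]$timeout)
    if (-not $parsed -or $timeout -le 0 -or $timeout -gt $MaxTimeoutSeconds) {
        $findings += "Timeout '$($policy.TimeoutSec)' is missing or longer than $MaxTimeoutSeconds seconds"
    }
    return $findings
}

$result = @(Test-ScreenSaverPolicy)
if ($result.Count -eq 0) { 'Screen saver policy is compliant' } else { $result }
```

Run it in the administrator's standard-user session after a gpupdate so the values reflect the policy that actually applied.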

Finally, when dealing with a large organization with distributed administration, it is a good idea to delegate authority for network clients to administrator groups based on geographical location. Some organizations make the mistake of creating a global administrators group populated with every administrator in the company. Just because an administrator in the Santa Clara office requires administrative rights over the network clients in his office does not mean that he should also get administrative rights over network clients in Papua, New Guinea. Keeping administrators organized also protects the network clients from receiving improper Group Policy assignments.

BEST PRACTICE: Managing an Administrator Workstation

The following are best practices for managing an administrator workstation:

  • Log on as a user with normal or restricted permission and use RunAs to operate the various MMC snap-ins.

  • Use password-protected screensavers.

  • Keep administrative groups organized by administrative responsibilities.




Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325