Windows 7: Best Practices Documentation

Hello,
I am looking for some documentation around locking down the workstation. We are migrating from XP to Windows 7 and as a part of this migration we are trying to implement a lot tighter security. We are receiving a significant amount of push back from people wanting to know why we would do things like remove access to cmd.exe and regedit.exe from normal users. We have explained the rationale, but are now getting static about "who else does this?" and "where is that written?". If anyone has any links that might be helpful, please post them. Thank you.

I would ask them why in the world would they ever need regedit if they are normal users. Also CMD is not needed at all for normal users.

I don't understand where or why they would want this in writing. Every company has different needs and Windows 7 allows that flexibility through group policy.

Not sure as to where it's actually written down, some things are now so accepted in the industry that hey are now just accepted

You could have a look here Total Workstation Lockdown: Your Action Plan for some suggestions on Technet, and a search for the technologies mentioned on the presentation should hopefully provide access to white-papers etc

event3horizon, I guess it's because the level of complaining from the technical/developer types that want to retain admin rights on the workstations. Management wants to be able to "back up" their decisions.

BarMan58, I agree that these things should just be commonly accepted practices, but we're moving from the wild west into a more controlled environment. Thanks for the link, also. I will take a look and see what I can take away from this.

Speaking from a System Admin point of view I always had the IT agreement as an integral part of the Job acceptance - so if you didn't sign it you didn't get the job. Even the MD and the board were subject to restrictions, for their own protection, and it stopped any complaints from lower echelons. Good old days

You should find a fair number of Microsoft White-papers on the technet site, that should be official enough. they are actually more likely to be found in the server sections rather than the workstations.

Normal users can make use of the cmd command for lots of things. Perhaps to see if they can ping a server. Perhaps to see if they can get DNS name resolution. Perhaps to see what their IP address is. Lots of reasons an average person would need cmd.exe. I don't see how locking it down solves any security risks.

pparks1, thanks for the feedback. Our concern is the possibility of command prompts being used to launch malicious code. We have access to cmd.exe for administrative functions like you mentioned, but one needs to launch it with elevated rights. For our users, I can't think of an instance where they would need to run under their own limited access. Of course, that's not to say that there isn't a legitimate reason for it. In the meantime, I am still searching for the documentation. There is a group policy setting out there; there must be a reason why Microsoft put it in. I just can't find it...yet