How to Lock down Windows 7 as much as possible?

[soccastar001]

Hello, I was wondering if anybody can tell if it is possible and if so to point me to resources that would tell me how to lock down Windows 7 as much as possible.

We have a need at work to lock down a system so a user cannot ping, use nslookup, network discovery, or even tell if someone else is out there. We would like to lock down access to the C drive and OS as much as possible while still allowing the user to use the system and access a single IIS web instance.

Is this level of exclusion possible, even if through many different processes? If so can someone get me started on how to do all this?

 

[metalmania31]

I'm sure specifically to your situation, but check your "local security policy" in the Administrative tools section. You can tweak all kinds of security in Windows there. I believe you can make custom policies too, but definitely do some homework as you can cause all kinds of problems with access if you input the wrong thing.

 

[arkhi]

Use Group Policy to lock down your system. You need at least Windows 7 Professional in order to access these settings.

There are a whole bunch of policies you can edit, and this is what IT administrators use to lock down a system. I myself used this to lockdown a system in an office my uncle had. You can use it to restrict anything from chaning the wallpaper, to opening the run menu, to opening the task manager, to right clicking the desktop, to preventing any logging off or shut down.

 

[manhunter2826]

Parental controls is another option -- although somewhat limited.

 

[Luckystar]

Or if you have a bit of dosh, think its $40ish, Windows 7 Manager.

Download here

This is very easy to use and you can pretty much lock everything down with this program and all options are explianed when you hover over them

 

[Jacee]

This article might help you All Kinds of Restrictions for Windows 2000, XP, 2003, Vista, 2008 and 7 - Tweaking with Vishal

 

[dajogejr]

Get to know Group Policy Editor.
The only issue is there are so many settings for so many things if you "oops" one of them, you just gotta remember where/what you checked and/or enabled.

Network Administrators use Group Policy for domains to lock down computers...as said.

 

[CarlTR6]

Get to know Group Policy Editor.
The only issue is there are so many settings for so many things if you "oops" one of them, you just gotta remember where/what you checked and/or enabled.

Network Administrators use Group Policy for domains to lock down computers...as said.

Make a log of each change you make to Group Policy. That makes it easy to go back without guessing and without leaving something out.

 

[Desslok]

Make a log of each change you make to Group Policy. That makes it easy to go back without guessing and without leaving something out.

Great advice, as these can quickly get out of control and forgotten. What I like to do is before making a change, clone the policy you want to change, name it accordingly, apply it to a test PC/account. That way you can verify that your desired results are reached. For logging, you can run gpresult /v with an /x to tell it to write to file on the account/PC before and after. You can name the output files with the dates or changes. That way if you need to track down changes you can use a program to compare the files, like windiff.

 

[jeffl012]

We use Secure Lockdown which is a pretty inexpensive product ($20) from Inteset. It's for Windows 7.

 

[Greg S]

Get to know Group Policy Editor.
The only issue is there are so many settings for so many things if you "oops" one of them, you just gotta remember where/what you checked and/or enabled.

Network Administrators use Group Policy for domains to lock down computers...as said.

Make a log of each change you make to Group Policy. That makes it easy to go back without guessing and without leaving something out.

You can also use the filter toolbarbutton option of Group Policy which will show you only the changes you have made