
How Would You Lock Down a Windows XP Machine?

Kronos666 asks: "I've been working with a network of about 50 computers, and a few of them have to be locked down. What I mean is that there is an application running, and the users must not be able to do anything else on it. The computers (Windows XP) are in a Windows 2000 domain and I've tried everything that comes to mind with the group policies. Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down? Maybe someone has had previous experience with something like this?"

  • by HotNeedleOfInquiry ( 598897 ) on Tuesday June 29, 2004 @07:41PM (#9566179)
    A blob of epoxy in the keyboard jack?
    • ...railway spike hammered down through the case into the CPU and the surface of the desk beneath.

      Being MS-Windows, you might need to use a hardwood stake instead, in which case I recommend either Wandoo or what the PNG call "Ironwood" (which loosely corresponds with San Martin's Ferran from David Weber's Honorverse [baen.com]).

      I'd recommend first off porting the apps in question to Linux (well, to not-MS-Windows) where that can be readily done because it's easy to make the program into the WM (if they exit, they get a
    • I was thinking that hammering a railroad spike through the motherboard would do it.
  • by gl4ss ( 559668 ) on Tuesday June 29, 2004 @07:44PM (#9566203) Homepage Journal
    for turning them into 'kiosk' style machines, with the ability to only run 1 program. removing explorer & etc.

    it's not foolproof but it's a start, and make them copy themselves from the network every time they're started.

    http://www.google.com/search?q=windows+xp+kiosk&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8 [google.com], and remember, there's no ask-slashdot that google couldn't solve...
    • by CaptainCheese ( 724779 ) on Tuesday June 29, 2004 @08:41PM (#9566574) Journal
      there's no ask-slashdot that google couldn't solve...

      But 90% of the answer is in knowing how to ask exactly the right question.

      The same is true of life.

      That's kind of the point of "42" in Hitchhikers.. by Douglas Adams.
      • Baloney. As long as you know the right keywords, Google does the rest. Or do you query Google thusly: "Dear Google, My name is CaptainCheese and I work in an office. I need to know how to lock down 50 Windows XP boxes so that only one application can run at a time and so that IE is disabled. Thanks." Please. Google for XP and kiosk mode and you're done. Smarten up.
    • Simple. Just rename the finder to something else, then take the target application and rename it "Finder" with file type "FNDR" and application "MOVR." Voila! Instant Kiosk!

      That not working? Well, log in as root. Move the Finder out of your /System/Library/CoreServices/ directory. Rename whatever you want "Finder" and plop it in that folder.

      Still not working? Oh, you meant Windows. Can't help you there.

    • I would say that phrase is the #1 reason i never, ever use microsoft windows.

      if you have to download a program for every single little thing you do on your computer, the operating system is broken. don't bother trying to fix it, just switch.

      honestly, that really struck home with me. you need a program for everything you want to do on your computer? oh, you must be using windows ...
    • Couldn't you simply set the shell to your application for the applicable users? It's the Windows equivalent of setting the WM to your app on Linux, which was already suggested. I know it can be done on a per-user basis - you might want to ask the people at Blackbox for Windows [bb4win.org] how they got that done.
  • Unplug the network cable and remove the floppy drive
  • Remove all drives (Score:5, Informative)

    by Marxist Hacker 42 ( 638312 ) <seebert42@gmail.com> on Tuesday June 29, 2004 @07:51PM (#9566246) Homepage Journal
    And boot off the network. In addition, the truly best way is to avoid the problem to begin with- by coding your kiosk software as its own operating system, booting off of network or ROM chip, and having the data held elsewhere.

    But if you're stuck with XP, I'd suggest a VERY minimal install of XP, with your program loaded in the registry full screen, and Windows.Form.KeyPreview on, Windows.Form.KeyDown testing for and disabling all standard keys (like alt-tab and ctrl-alt-del). For extra fun, link those keys to nasty messages from "The Master Programmer". And remove the floppy & cd Rom drives completely from the machine. If the kiosk can get by with just mouse or touchscreen access, remove the keyboard as well, or at least a blob of superglue under the Windows and Right Menu keys.
    • Re:Remove all drives (Score:3, Informative)

      by Foolhardy ( 664051 )

      But if you're stuck with XP, I'd suggest a VERY minimal install of XP, with your program loaded in the registry full screen, and Windows.Form.KeyPreview on, Windows.Form.KeyDown testing for and disabling all standard keys (like alt-tab and ctrl-alt-del).

      Windows.Form.KeyPreview? From .NET? First, .NET is a bit heavyweight for that; a keyboard journal hook in win32 is much better. Second, it's excessive: what's so bad about alt-tab? Third, it will be ineffective: ctrl-alt-delete is a security attention sequen


    • But if you're stuck with XP, I'd suggest a VERY minimal install of XP,

      My thought, too. If the kiosk app had to be running Windows and not be able to run anything else, I'd probably look into Windows XP Embedded [microsoft.com].

      From what little I've heard, XP Embedded would even make a pretty good desktop OS because it doesn't have as much gratuitous intertangling with browsers [com.com] and media players [infoworld.com] as plain XP.

      Nice limited functionality; you add only components that you want. Technically a good way to go for the general

  • by foidulus ( 743482 ) * on Tuesday June 29, 2004 @07:52PM (#9566256)
    rather than a technical solution, just strike fear into the heart of the user. Put an empty camera shell above the computer tied to a fake, but realistic looking revolver.
    Tell them the camera can detect them messing with the system, and if caught, the camera/gun combo will grow legs and make them wish they hadn't installed the random screensaver exe sent to them in the mail.
    Or maybe you would get sued, I dunno, I'm not a lawyer.
  • activedir.org (Score:2, Informative)

    by scupper ( 687418 ) *
    Share your group policies with a few other minds on the mailing list at http://www.activedir.org [activedir.org]
  • Disconnect it from the network, remove all drives, smash it with an axe and then, for good measure, install GNU/Linux.

    My apologies if this seems unhelpful. It's very early and I haven't had my coffee yet.
  • Thin client (Score:5, Interesting)

    by 0x0d0a ( 568518 ) on Tuesday June 29, 2004 @08:10PM (#9566381) Journal
    It's a pain, because it's so much harder to build Windows-from-scratch barebones systems than their Linux equivalents. I've seen a lot of Windows kiosks, and they're almost always loaded with scads of things they don't need because it's so hard to really pare down a Windows box.

    I'm going to be blunt and say that the best way to do this is with Linux, because it's much easier to pare down.

    Set up a bunch of thin clients with netbooting enabled. That means no CD drive, floppy drive, hard drive. Lock the BIOS. Buy cases that are physically securable.

    Have one or several Windows Terminal Server boxes set up.

    Set up your netboot server to serve a Linux distro something like Red Hat (or an even more bare-bones system), installing a minimal set of packages necessary. You'll want to install rdesktop so that your clients can act as Terminal Server clients, but no terminals or anything. In /etc/inittab, remove all VTs. In /etc/X11/XF86Config, kill the "special" xorg key combinations (like control-alt-backspace). Don't have xterm or any such terminals installed. Use an xsession set up to start rdesktop, and a window manager of your choice that can slap something up fullscreen and disable all other functionality -- almost all can do this, but you'll probably want something more barebones than the sawfish that I use. Have rdesktop running fullscreen. Set up X to respawn logged in to whatever user you have using the program.

    The user should have no write access to anything on the Linux distro (if you want to include a small swap drive, you might want to have a local hard drive, but only root should be able to write to the thing).

    The user should have no write access to anything on the Windows TS system (unless as required by your application). Hence, the users can't install anything. It's easy to administer. You don't have to pay for each client, since they're running Linux, which makes a decent thin client OS.

    Now, you can do whatever you want in a trusted manner on the TS system(s), since the users don't have the ability to reboot or muck with it, since they have no local access (and rebooting or mucking with their thin client does nothing that gives them any influence over what applications are running on the server). Kill all processes that you don't recognize automatically or whatnot.
    • Re:Thin client (Score:1, Informative)

      by Anonymous Coward
      Be careful...
      "You don't have to pay for each client, since they're running Linux, which makes a decent thin client OS."

      This is true for the Linux piece of the solution, but Microsoft's TS licensing is more invasive than you think. To run a TS session, the licensing states that you must have a Windows OS license (regardless of what the client platform really is!), plus a Windows Server CAL, plus a TS CAL, then licensing for each app you are accessing via terminal services.
    • Why does the app need Windows XP? If it's the ONLY thing running, 95 or 98 could do the job. Brooks Software (the people behind 98lite) got 98 down to 8MB, and OSFocus got 95 down to 5MB, and both of those have 95's explorer.exe. Trim that fat off, and put only the necessary drivers back in, and you can get your app running alone.
      • Windows XP embedded could achieve that. Basically you choose from thousand components and build a customized XP Pro. I tried its evaluation copy and got a 50M image (shell included). There is a kiosk/game console design template in it.
  • Replace the shell (Score:5, Informative)

    by Foolhardy ( 664051 ) <[csmith32] [at] [gmail.com]> on Tuesday June 29, 2004 @08:15PM (#9566415)
    First, create a user group for the locked-down users. Give it the least privileges possible. You can have everyone log on with the same user; use autologon [winnetmag.com] for simplicity. Use the account property that prevents the user from changing the password.
    Then replace the shell for that group with the app you want to run. That property is User->Admin. Templates->Custom User Interface.
    In ctrl-alt-delete settings remove task manager if you want.
    Turn off autoplay.
    For a really locked down mode, use Software Restriction Policies [microsoft.com]. Create a whitelist of runnable apps by hash; if the program isn't on the list for users affected by the group policy, they cannot start the program. You can still admin the systems by logging on as a real user; just use ctrl-alt-delete to log off. Use this for shutdown/restart too.
    You may need to set SRP from an XP machine or install the server 2003 admin kit [microsoft.com] (free) because SRP didn't exist yet in the win2k era; it's only supported locally on XP and later. The win2k AD server can still enforce the policy but the standard interface doesn't list the option.
    Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down?
    It's not contradictory. SRP does a great job of locking a Windows system down completely.
    • You can have everyone log on with the same user; use autologon for simplicity. Use the account property that prevents the user from changing the password.

      I disagree. Accounts exist so that people are accountable for what happens under them. If someone breaks out of your environment or tries to, you'll have a better chance of finding out who did it with one-account per person.
      • Which doesn't work very well in a public setting where the PC is basically a kiosk. Think of a museum. Do you really think that every visitor should have their own login?

      • One account per person certainly is more secure. I just meant that it was possible if you want to trade security for simplicity. The author was a bit vague as to what he wanted.
    • Everything you said is spot-on...except for logging on with the same user. That makes tracking and auditing more difficult. I suggest creating different users for each machine, and just adding them to a security group and/or OU for management. you can also restrict Logon hours and/or machines to logon to if need be.

      One thing I've had trouble with custom shells is that they don't restart if exited normally. I wrote a WSH script to handle that - it simply checks the process list and starts the shell if it's

  • Plenty of options... (Score:5, Informative)

    by ezraekman ( 650090 ) on Tuesday June 29, 2004 @08:16PM (#9566425) Homepage

    Well, if I'm understanding what you're trying to do, you've got both software [rixler.com] and operating [microsoft.com] system [nodak.edu] options [google.com], as well as a [securitykit.com] whole [anytimeproducts.com] bunch [industrial...sure.co.uk] of [iboxcabinets.com] hardware [server-rack-online.com] solutions [startech.com].

    Of course, you can also enable a screensaver password, and have the screensaver running all the time, configure the BIOS not to allow booting from the floppy drive, and use password access to the BIOS to disallow unauthorized changes to it.

    It sounds like your easiest (read: less time to deal with and less worry of hacking headaches) solution is just to toss the suckers into one of those cabinets listed above. Hell, you can build the cabinet yourself for under $100, if you're any good with power tools and have a spare afternoon.

  • Go to (Score:4, Informative)

    by DaveJay ( 133437 ) on Tuesday June 29, 2004 @08:17PM (#9566431)
    Sitekiosk.com.

    Worked well for me.
  • Do you need internet access with this app?

    Do you need only internet access?

    I am going to assume that this is a data entry terminal with a windows (VB/Access) app.

    Remove all drives, usb, and anything else except: mouse, keyboard, and video output.

    put a 1 gig hd in the machine, install linux with bare minimum, and use rDesktop to remote into a win2003 machine with nothing enabled. now you have just one machine to manage, and win2k3TS has more options than a win2kbox for lockdown.

    More costly, yes. But they won't be surfing the net or installing bonzibuddy.

  • by Ianoo ( 711633 ) on Tuesday June 29, 2004 @08:25PM (#9566477) Journal
    ... and it's no fun for the network administrator. A big problem we (and by 'we' I mean a school where I used to do volunteer work) had with NT4 years ago was network messaging using 'net send' from the command line. No matter what we tried, locking down local hard disks, removing applications, whatever, the little fsckers still found ways to access it. The most innovative was using the File -> Open dialog of an MS Office dialog to get to c:\winnt\system32 (since thanks to Microsoft's code re-use, these dialogs are custom, not the system-wide standard ones), using the dialog to add cmd32 as an IE Favorite, launching IE and clicking on Favorites -> cmd32. Voila, the command line.

    I hear Win2K and WinXP are improved, but to be honest I think trying to completely lock down a system that clearly isn't designed to be locked down is a lost cause.

    Think about exactly what you're doing, and try not to catch Diebold syndrome*. If you want to provide a terminal for web browsing and e-mail, is a full Windows install necessary? Why not go for Mozilla on Linux, which will connect to your Windows-based TCP/IP network and provide the functions you want. Of course, your requirements might be a lot more complex, so this might not be an option.

    If so, why not consider enforcement rather than prevention? Tell the users they can't do this, can't do that, and track them if necessary. If they break the rules, suspend them from the network. Placing software restrictions on people will often upset them, especially if they have a legitimate use for doing odd things (like installing a new media codec to watch a video they need for their work).

    * Diebold syndrome: believing that a full multi-tasking memory-protected graphical operating system that consumes 300MHz of processor power and 500MB of disk space is the best basis for a dumb embedded system such as eVoting or an ATM
  • Some good reading... (Score:5, Informative)

    by (H)elix1 ( 231155 ) <slashdot.helix@nOSPaM.gmail.com> on Tuesday June 29, 2004 @09:07PM (#9566724) Homepage Journal
    I'd check out what these guys [nsa.gov] had to say about locking down xp.
  • by hardreset ( 775806 ) on Tuesday June 29, 2004 @09:24PM (#9566855)
    Take a look at the NSA [nsa.gov] security guides for Windows NT, [nsa.gov] 2000 [nsa.gov], XP [nsa.gov], and 2003 [nsa.gov]. Normal users on the machine will have no ability to modify the machine if the policy is applied (especially the policies that apply to the file system.)
    I've used these policies for Windows 2000 lab machines, and have no known incidents with virii/trojans/stupid user tricks/etc...
  • If you have to use Windows for your app, and it isn't too picky over which version of Windows, try using Windows 98 (hear me out before flaming). In c:\windows\win.ini, change the shell=explorer.exe line to shell=c:\path\to\your\app.exe. Make sure the machine is set to autologin as a user if you need samba access. I used a win98 based touch screen POS system, and it is 90% impossible to escape from it once it's running. Alt-Tab is disabled, the Windows key does nothing. The only thing I didn't try is CT
    • The only thing I didn't try is CTRL+ALT+DEL to escape out.

      CtrlAltDel seems exactly the way to foil this.

      90% impossible to escape from it once it's running

      Look, it is either impossible, or possible. It can't be some fraction impossible. Even if you mean that 90% of users can't get out, those 10% that can are the same ones who would be messing up the system anyway.

      if you ever need full windows, just boot off a boot disk and edit the shell line back

      If you can boot off a boot disk, so ca

      • If you can boot off a boot disk, no OS is secure, unless you are using a custom FS that only the kernel on the install OS can read. Otherwise, I can boot whatever, mount the HD and undo restrictions (change shell, bypass startup files, reset passwords, etc, etc).
        • It wouldn't be too hard to remove the floppy and cdrom drives.
          • Is this necessary? Couldn't you just disable booting from them in the BIOS and then put a password on the BIOS? You're screwed then if someone is going to physically open the case and mess with the BIOS (e.g., replace it with another one), but if they can do that, they could also hook up a floppy drive or cdrom drive anyway.
  • change shell (Score:3, Informative)

    by Jjeff1 ( 636051 ) on Tuesday June 29, 2004 @09:30PM (#9566893)
    Back in the day, you could edit the win.ini or system.ini and change shell=explorer.exe to shell=myapp.exe. I don't know if this still works, though I know you can do it with a terminal services session, so I'm assuming some googling will help you out. Once windows loaded, it would run your app, and unless your app has the ability to launch other programs, nothing else. You can lock out task manager and whatnot with windows policies. Between those 2 things, you should be in pretty good shape. You might also think about deep-freeze. It locks out the disk such that a user can change anything, and I mean anything, and a reboot will bring it back to a default state.
    • Re:change shell (Score:2, Informative)

      by Anonymous Coward
      All the config data has been moved to the registry. The shell is now in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell. It defaults to explorer if the value doesn't exist. It's also available as a user policy.

      BTW: Deepfreeze is a great program.
  • I guess it depends upon what type of company you're working for, but, if it's not necessary, one should not go too crazy with locking down the actual machine. As long as all the important data is kept on a server, and the server is secure, who cares if they hose the local machine? Odds are, you can reimage it, and, hopefully, folks can get in trouble for doing such things.

    At my company, we have kiosk-like machines for hourly employees to clock in at. For them, the restrictions really aren't that comp
  • NIST Guide (Score:3, Informative)

    by Introspective ( 71476 ) on Wednesday June 30, 2004 @12:12AM (#9567896) Homepage
    NIST have recently released a good guide on securing XP boxes here [nist.gov]

    I haven't had the time to read it yet, but from the high quality of their other documents it is probably well worth printing and reading.

  • by prabha ( 538549 ) on Wednesday June 30, 2004 @12:29AM (#9568002)
    Boot the XP systems with 32MB RAM.

  • ...is that it can be locked down.

    You might stand a chance if you:
    1, remove all network access;
    2, lock it in a hardened shelter;
    3, post a platoon of U.S. Marines.

    Otherwise, why bother: People who want secure and robust don't use MS products and there is simply no way you can't know that -- you be a troll?

  • You need lockdown software... popular choices include: Fortres [fortres.com], WinU/Full Control [bardon.com], Foolproof [smartstuff.com] (it's not, but about as good as the others).

    This really isn't a guarantee, though. Windows is inherently impossible to prevent users from performing certain actions; but the above software will certainly help. I recommend Fortres if you want a standard Windows interface with restrictions, and WinU if you want to run only a single application. The Ontario Science Centre uses it (for their Internet Cafe), and

  • There are probably better solutions, but from what I know, I would wipe down that single user of every app (minus one you want to use), make it so that the program is always on top (vitrite can do that), set it to run on start-up, and disallow the user from installing anything.
  • Two words (Score:3, Funny)

    by Lars T. ( 470328 ) <[moc.liamelgoog] [ta] [regearT.sraL]> on Wednesday June 30, 2004 @01:59AM (#9568432) Journal
    Kensington Chain ;-)
  • Windows provides you with Group Policies.

    These can be set on domain level (and applied to your OU's)

    or you can set them per computer

    Start -> Run -> gpedit.msc

    Apply restrictions through policies and rights

    Hide drives in My Computer
    Hide My Network Places
    Hide the Internet Explorer icon
    Disable Add/Remove Programs
    Disable changes to the taskbar
    Remove Run from the Start menu
    Disable and remove the Shutdown command from the Start menu
    Disable the Control Panel

    etc.

    The Windows XP has more group policy objec
  • There are several predefined security templates [microsoft.com] you could try. Some come with windows, others are created by third parties. They may be a helpful starting point for creating your own template, so long as you don't turn your pc into a brick, which is little more secure but not too useful.
  • Try whatever you like at http://www.j79zlr.com/gphome.php [j79zlr.com].

    And in addition the last hint at

    http://silverstr.ufies.org/blog/archives/000257.html [ufies.org] about how to limit which programs are allowed.

    I have not tried any of these myself, except the few I have had to "hack" (reset) on computers, where some admin didn't allow me to even use Notepad. To "hack" them, I had to use third party software, which the sloppy admin for some reason had installed. Perhaps it was just a silly test of my curiosity or integrity.

  • This is not a troll.

    Set up Fedora 2 on the box, then tweak it such that it automatically logs into a given user, and set that user's windowmanager to be the application that you want to run. Have it automatically restart if it closes (not terribly hard). Then you'd basically have a screenful of that application with no window decorations, you wouldn't be able to close it (save for CTRL+ALT+DELETE, which would ideally just restart X and put you back into that application if not disabled entirely).

    I think th
  • I know "Ask Slashdot" is normally full of stupid posts, but this takes the biscuit.
    USE GROUP POLICIES. if you don't know how, ask an admin who knows their job. This is bloody obvious, and just far too easy for linux zealots to start jumping up and down and adding nothing of use to the argument.
    Any admin worth their salt knows how to do this, and does it already where appropriate.
  • This isn't hard to do at all, there are many options that come to mind, all that are built in and would do what you need.

    Hit MSDN.microsoft.com or even do a few searches on Microsoft.com.

    I'm not sure if you realize this, but getting a solid answer to a Windows solution on Slashdot is like asking Charlie Manson where the best nearby starbucks is... Not going to be an answer he will have, and if he gives you one, it won't be one you will want...

  • I've seen some good ideas running through this article and thought I'd contribute my $0.02. First up is the "Local Security Policy" part of Windows XP (start->control panel->administrative tools->local security policy). On XP there is a "software security policy." Configure it to have 2 lines. First line gives permissions to run anything in a specified directory (and subdirectories). This is for where your application is installed. Second line is deny permission to run anything from drive C:
    1. Use NTFS (kinda obvious but required for later)
    2. Rename Guest account and then disable.
    3. Rename Administrator account then change the password to something hellishly long.
    4. Create a new user account that belongs to the "Guests" group.
    5. Create a new group policy for the Guest account. Ensure you have a Software Restriction policy [microsoft.com] that only allows the usershell to run that you want.
    6. Use this trick [microsoft.com] to ensure the highly restrictive group policy doesn't apply to the Administrator account
    7. Ensure that Automatic upd
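
The hash whitelist from the "Replace the shell" comment and the two-line path policy in the comment above give different verdicts when files move or change. The following is an added example, not code from any poster or from Microsoft: a simplified Python model that evaluates both rule styles over a constructed file layout. SHA-256 stands in for whatever hash SRP records, and temporary directories with made-up file names stand in for the kiosk's drive.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of the file contents (assumption: stands in for the hash SRP stores)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_under(directory, path):
    """True if path resolves to a location inside directory."""
    directory = os.path.realpath(directory)
    path = os.path.realpath(path)
    return os.path.commonpath([directory, path]) == directory


class HashPolicy:
    """Default deny: a file may run only if its content hash is on the list."""

    def __init__(self, approved_files):
        self.allowed = {file_digest(p) for p in approved_files}

    def may_run(self, path):
        return file_digest(path) in self.allowed


class PathPolicy:
    """Default deny: a file may run only if it sits under an allowed directory."""

    def __init__(self, allowed_dirs):
        self.allowed_dirs = list(allowed_dirs)

    def may_run(self, path):
        return any(is_under(d, path) for d in self.allowed_dirs)


def write(path, data):
    with open(path, "wb") as f:
        f.write(data)
    return path


def run_scenarios():
    """Return {scenario: (hash_rule_allows, path_rule_allows)} for constructed files."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "KioskApp")   # hypothetical install directory
        other_dir = os.path.join(root, "Temp")     # anywhere else on the drive
        os.makedirs(app_dir)
        os.makedirs(other_dir)

        app = write(os.path.join(app_dir, "app.exe"), b"kiosk app v1")
        hash_policy = HashPolicy([app])
        path_policy = PathPolicy([app_dir])

        results = {}

        def check(name, path):
            results[name] = (hash_policy.may_run(path), path_policy.may_run(path))

        check("approved app in place", app)
        check("unlisted file in app dir",
              write(os.path.join(app_dir, "other.exe"), b"something else"))
        check("approved app copied elsewhere",
              write(os.path.join(other_dir, "renamed.exe"), b"kiosk app v1"))
        check("unlisted file elsewhere",
              write(os.path.join(other_dir, "tool.exe"), b"something else"))
        # Patching the application changes its bytes, so the old hash no longer matches.
        write(app, b"kiosk app v2 (patched)")
        check("approved app after update", app)
        return results


if __name__ == "__main__":
    for name, (by_hash, by_path) in run_scenarios().items():
        print(f"{name:32} hash rule: {'run' if by_hash else 'block':5} "
              f"path rule: {'run' if by_path else 'block'}")
```

A path rule is only as strong as the NTFS permissions on the allowed directory, so the restricted account must not be able to write there. A hash rule has to be regenerated whenever the application is patched.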
  • Windows XP embedded [microsoft.com].
  • Woah, slashdotters continue to amaze me, sometimes perfect advice, sometimes they go 'sailing off on a tangent' This guy wants to do what 1000's of schools have to do to preserve their sanity. www.fortres.com is a product that just about every school tech coordinator has heard of and/or used for years! - it will let you make a 'kiosk' machine that users only have IE and not much else, it'll prevent users from changing desktops, deleting printers, no network settings changes....etc...etc... www.fortres.
    • Fortres, the security software that actually makes Windows more bloated and slow than it already is.

      My school's library has Fortres installed on all of their computers, and it doesn't work at all. It simply makes everything 1000% slower. (IE takes 10 minutes to start and 5 minutes to load Google.) That, and it can easily be bypassed without knowing the password. (Enter "C:" into Internet Explorer to access the hard drive.)
  • The college I work at uses Deep Freeze, which along with your other precautions will make it so that any change made to the computer (even a complete reformat) will be erased and the computer will revert back to its original form.
  • Keyboard hook to trap 'switching' and ctrl-escape (amongst other key combinations), mouse hook to prevent double clicks on icons or the desktop, calling disable on the toolbar window and the start button which is on the toolbar window. Setting a couple of registry keys which will disable ctrl-alt-delete because irregardless of what you read somewhere else you CANNOT trap ctrl-alt-delete. You can detect it, but you can't trap it.

    I tried to post the class in the comment for you but Slashdot prevented the s
  • there is a program called deepfreeze [faronics.com], you install it onto a drive and from that point on any changes made to the drive will be lost on reset. give the user full admin rights, it will be fine, you can just restart and all is well again. "Incorporating patent-pending, proven technology, Deep Freeze is the benchmark for bulletproof workstation protection. Deep Freeze is simple, easy to use and installs in seconds as configuration only requires a password. All computers are completely restored to their origina
  • Heavy chains, welded to the case, attached to eyebolts sunk in concrete. The chains need to be strong enough to resist commercially available bolt-cutters, and the eyebolts need to be completely immersed. Check with your building management to be sure you can core-drill the floors for setting the bolts; otherwise you will have to get a very heavy concrete block (big enough to double as a computer desk).

    Furthermore, you'll need to replace the case fasteners with snap-off security bolts to prevent thieves
