I talked with Mike Holder from CMS Consulting waaaaaaaay back in the early summer about the TechNet event held in Toronto around Desktop Lockdown.  In case you weren't at the event, but wanted some additional resources that are great references, he passed me on this brief blog posting. 

Better late then never. :)

Hello! My name is Mike Holder and work for CMS Consulting Inc as a senior consultant. As a guest speaker for Microsoft at the May 25 TechNet event in Mississauga, Ontario I wanted to share some of our experiences in locking down desktops – a very import step in securing your infrastructure.

Brian Bourne (the principal of CMS Consulting Inc.) and I developed, refined and presented this content. The PowerPoint slide deck for this presentation is located at: http://www.cms.ca/gpo/DesktopLockdown.pdf. This is definitely a good starting point for locking down your desktops. We tried to cut through the marketing stuff that IT Pro’s hate and get right to the meat and potatoes.

Microsoft had asked us to generate the content for this TechNet event for several reasons. Foremost is that we are an unbiased and separate company from Microsoft able to generate this information based on our own real world experience. And, as a quadruple Microsoft Gold Certified Partner, we have access to many of Canada’s most interesting and challenging IT environments. Delivering the TechNet session, we were actually quite surprised and pleased with the feedback and interest we received – we went over our time allotment by about 30 minutes and very few people left early. I’m sure people didn’t stay for our good looks! :)

I’m particularly excited with sharing our top policies for users and computers. These are items that we at CMS feel are a good start (generally speaking) to locking down a desktop. We broke them down by obvious ones that everyone has likely heard of and not so obvious ones that you might not have considered. I do want to be clear – implementing the above list alone will not make you secure! They are designed to get you to consider some of the items that are often missed or omitted in a lockdown.

We focused on locking down desktop via Group Policy and how to leverage that in an Active Directory environment. We received a lot of questions at the end of the presentation regarding extending Active Directory / Group Policy to non Microsoft platforms. There are solutions available, but we have not had any experience with them. There is a great link on the Microsoft website for some of the products available: http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/gptools.mspx. Windows Vista / Longhorn server will extend the number of Group Policies and the granularity of Group Policy once they are released.

One of the other ideas we presented at the event was to include Terminal server in your desktop lockdown. It makes sense as your Terminal Servers (or Citrix servers) are a shared desktop for your users. We also discussed OU structure. A good OU structure is key to a proper lockdown. This is one of the areas we find poorly implemented within many of our engagements. A poor OU structure will either result in too many GPO links, long logon times and a generally confusing layout. Fortunately the OU structure is easy to fix.

I’d like to end this post with some links:

- www.cms.ca/gpo.

- http://download.microsoft.com/download/a/a/3/aa32239c-3a23-46ef-ba8b-da786e167e5e/PolicySettings.xls

- http://www.microsoft.com/technet/traincert/virtuallab/default.mspx

- www.cms.ca/training

Let me know your thoughts, experiences and any additional information you would like to see. Thanks for reading and have a happy lock down!

Mike Holder

CMS Consulting Inc.