limit what programs appear when students log on

Tell me more

Hi, Brink. I'm new to the forum, but I am already a fan of your work. I work at a large school district wherein computers running Win8 are shared by staff and students. How can I create a new account type (i.e. Student) and apply the fix above to limit what programs appear when students log on? I have an image for what the student access will comprise, but I don't want to cut off teachers and principals from their resources.

Thanks for your time and great posts.
 
Out of interest, is this a not-for-profit school with 0 resources? I've never heard of an educational system that doesn't have a filtering (cafe type) system implemented. In fact I thought that the Children's Internet Protection Act required it?

Just curious, Tell Me More

Microsoft has AppLocker. There is an article here about how to use it in Windows 8. There are plenty of articles around the net and at Microsoft.

Link: How To


What is AppLocker?

AppLocker is a feature in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7 that advances the functionality of the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as executable files, scripts, Windows Installer files, and DLLs. By using AppLocker, you can:

  • Define rules based on file attributes that persist across application updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
  • Assign a rule to a security group or an individual user.
  • Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries except the Registry Editor (Regedit.exe).
  • Use audit-only mode to deploy the policy and understand its impact before enforcing it.
  • Create rules on a staging server, test them, export them to your production environment, and then import them into a Group Policy Object.
  • Simplify creating and managing AppLocker rules by using Windows PowerShell cmdlets for AppLocker.


Link: Source
 

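The audit-first workflow from the AppLocker description quoted above (rules assigned to a security group, checked in audit-only mode, built with the AppLocker PowerShell cmdlets), as an added example that is not part of any post in this thread. The group names `SCHOOL\Students` and `SCHOOL\Staff`, the test account `SCHOOL\student01` and the directory paths are assumptions.

```powershell
# Added example; run elevated on a reference PC built from the student image.
# Assumed names (not from the thread): groups SCHOOL\Students and SCHOOL\Staff,
# the test account SCHOOL\student01, and the directory paths below.
Import-Module AppLocker

$outDir      = 'C:\AppLockerStaging'
$studentDirs = 'C:\Windows', 'C:\Program Files\StudentApps'
$staffDirs   = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Export-AuditPolicy {
    param([string[]]$Directory, [string]$Group, [string]$Prefix, [string]$OutFile)
    # Inventory the executables, then build publisher rules (hash rules for
    # unsigned files) that allow them for one security group only.
    $files = foreach ($dir in $Directory) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe -ErrorAction SilentlyContinue
    }
    [xml]$policy = $files |
        New-AppLockerPolicy -RuleType Publisher, Hash -User $Group -RuleNamePrefix $Prefix -Optimize -Xml
    # Audit-only: log what would be blocked without blocking anything yet.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $policy.Save($OutFile)
}

Export-AuditPolicy -Directory $studentDirs -Group 'SCHOOL\Students' -Prefix 'Student' -OutFile "$outDir\students.xml"
Export-AuditPolicy -Directory $staffDirs   -Group 'SCHOOL\Staff'    -Prefix 'Staff'   -OutFile "$outDir\staff.xml"

# Load both rule sets into the local policy; -Merge keeps the student rules
# in place when the staff rules are added.
Set-AppLockerPolicy -XmlPolicy "$outDir\students.xml"
Set-AppLockerPolicy -XmlPolicy "$outDir\staff.xml" -Merge

# Dry run: which executables under Program Files would a student be refused?
Get-AppLockerPolicy -Local -Xml | Out-File "$outDir\merged.xml"
Get-ChildItem 'C:\Program Files' -Filter *.exe -Recurse | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy "$outDir\merged.xml" -User 'SCHOOL\student01' -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision

# In audit mode, event 8003 records each launch that enforcement would block.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

Once a rule collection is enforced, anything no rule allows is blocked for every account, so add an allow rule for administrators before changing `AuditOnly` to `Enabled`. The Application Identity service must be running for rules to be evaluated.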
Thanks for the reply, ants. We have sufficient resources for our needs, I suppose. We run pretty robust filtering on the internet, and it works fine. I mostly want to stop teacher-specific software from loading on kids' accounts. I wasn't aware of AppLocker, but it sounds like the right place to investigate.
Thanks for the help. I will let you know how it works.
 

You can do GPO, and all machines have to be running the Pro or Enterprise edition of Windows. For the Domain Controller, you can either use a Linux Server project like ClearOS, which will charge you, but less than what Microsoft Small Business Server will for licenses.

There are other Linux Server projects, but they do have a learning curve. I would use the locks for the USB ports that you do not want to be used, and also use a locking mechanism to lock the keyboard and mouse onto the workstation.

They also have lock plates to keep users from using the DVD drives, which you can also lock out in the GPO.

What are you using for Filtering, and network equipment? The biggest thing is that even if the teacher tried to load say something from their email, you would need a way to make sure that the teacher did not pull an oops and upload something that should stay at home or on their own personal phone.

In this day and age, it is getting much harder to keep on top of everything, because it changes day to day.

If you want to make this a group project, with a group of us in this forum helping you look for ways to make sure you are securing everything, or want to run across what GPO stuff you need, I say go ahead and post those details.

Give us an idea of the network infrastructure, server software, if this is a domain, what you are using as the domain controller, etc. Also, Google has a corporate version of Chrome. But I think Firefox would be better, because you can fine-tune what users can and cannot do with it (i.e. download attachments from webmail, download anything period).
 
