Re: Desktop Security


*Deep Freeze, but with 2 partitions on the drive, one frozen, one thawed. I stopped using “thawspace”.

*The Default profile has My docs & IE6 favorites moved to the thawed partition. All new user profiles end up with the same mydocs.

*Profiles go away at restart via Deep Freeze. There are only 4 or 5 per machine permanently. My Docs stays.

*Few have admin rights; almost everything is already installed, little need for customized machines {Sped, admin assistants}

*re-imaging as things get updated. Once per year? Our vendor starts new machines with our image.

*turn off most updates, like Java etc.


*Ghost solution suite does auto backup images of servers once per week. Client licenses for Ghost cost too much for all workstations; I visit them for re-imaging.

*Images are stored on the network.

*No roaming profiles.


David Isham
Grand Isle Supervisory
US Rte 2
Hero, VT 05474
802-372-6921 vox
802-372-4898 fax

-----Original Message-----
School Information Technology Discussion [mailto:[log in to unmask]] On Behalf Of Eric Hall
Sent: Wednesday, February 13, 2008 1:35 PM
To: [log in to unmask]
Subject: Re: Desktop Security


Craig & All -

I recall a similar conversation over pizza last fall, in which I was surprised to discover that many folks have users (even students) with admin rights running workstations. I have gone back and forth about it, but will maintain that locking down machines by restricting user rights still feels like the most efficient method of control. I would rather have tech staff spend time doing individual software installations as needed vs. reimaging screwed-up machines! The payoff is having consistency: my early experiences in tech support involved walking up to machines and never knowing what was installed or what had been done to the machine. Every one was unique, and the hours spent supporting this environment were significant. I started imaging for this reason, and if I allowed everyone to customize and install what they wanted to, I would be back in the same situation! I have occasional “power users” who get frustrated by this approach, but by and large I hear very few complaints. There are one or two people with admin rights, but they know they are supporting themselves.

As additional evidence, I also tend to turn off automatic software updates except Windows updates. Nothing is more frustrating than to find that an update has changed file associations so that media players do not work properly or consistently, OR installation options have not been chosen carefully, OR users have registered software in their own name, OR multiple versions of software have been installed (older software that installs Acrobat 5, for instance) etc. etc. etc. I surprise myself in sounding like a control freak, but our computers run smoothly and efficiently and we rarely have to deal with individual machine issues short of failed hardware!

Yes, we take on the load “up front” by creating new images over the summer and scrambling to reimage and reconfigure everything in August. September is Hell, but the rest of the year is smooth. Over the years I have developed a pretty solid “base” image for both platforms, and the work gets easier and easier as we learn how to use the tools (Ghost, NetRestore) more efficiently. We are even at the point of reimaging labs and staff machines twice a year to keep all software current. We do enjoy the benefit of consistent hardware: of our 320 computers there are only 7 distinct machine types, all running WinXP or OSX. All machines use the same “base” image, with software packages differentiated by deployment (lab, teacher, student, etc.)

No roaming profiles, and even in our Mac environment user profiles are local and we do not manage clients from the server. Simplicity and no load on servers – the possible “bloat” in user profiles has always concerned me.

At home, watching the rain turn to snow at last,

Eric Hall
Technology Coordinator
Waterbury/Duxbury Schools
Washington West Supervisory Union
Waterbury, VT
(802) 244-6100

on 2/13/08 11:02 AM, Craig Lyndes wrote:

Dear Folks,

I know that this topic has been on the list recently (I have been
lurking).  However, at my new job I have observed that their attempt at
desktop security has some negative consequences that I would like to
fix.  They are currently using Windows Domain Logins with profiles that
on their older, slower machines make boot-up take up to 5 minutes
(creating a new profile for each student) and clutter up the hard drives
with old profiles.

Cut to the chase - Are there any schools out there that are using Disk
Imaging as a part of their desktop security system?

What I am proposing is to have some computers where the users have full
access to the local machine.  They can install plugins, change the
desktop, do whatever they wish with the computer.  If something happens
to the machine that causes it to become compromised then the computer is
reimaged from a standard image stored on the network.  If you are using
an imaging solution, which one, what are its benefits and how much does
it cost?  Are there any repercussions to having unlocked desktops (not
everywhere, but where appropriate and requested)?

Question #2 - What are people using for desktop security that is
installed locally on the computer, not a server/login based solution?

I am not enamored with Windows servers and am thinking of going open
source for network resources.  This would require the machines that need
to have the desktop managed have something locally installed.  I am
familiar with Deep Freeze, which seems to work very well.  I've also
struggled with Fortress, which I found to be very good at disabling the
machine upon which it is installed, and therefore a less than ideal
solution.  What are people using?  We are using Icon Lock successfully
on the Win 98 machines (approx 1/3 of the machines still).

Thanks In Advance
Craig Lyndes
Franklin Central SU