Need help locking down many networked public computers

1

Does anyone know of any kind of system lockdown / parental control software that works for networked machines, with users who may or may not already have set up an account on the local machine?

I am working in a relatively large public department and need to block, most importantly, Internet access to all but a few sites. In addition, I would also like to restrict the machine to specific applications.

I tried installing Microsoft Family Safety, but I think you need to configure it manually for the accounts that are already logged on to the machine it is being installed on, and the problem is that all our machines are networked and we have many users through Active Directory.

We currently use "Fortres 101" / "Fortres Grand", but it is not practical and causes a lot of problems; it is also a demo/trial version. We are using a mix of Windows XP and Windows 7, but if it only works with Windows 7, that is fine too.

    
by jfraczek 01.05.2013 / 21:12

2 answers

0

I have successfully used pfSense in combination with DansGuardian for Internet filtering. It was a fairly painless setup and it is a free option. I have not configured the whitelist, but it sounds like that is what you want and it is an option offered by DansGuardian.

Alternatively, you should have some kind of firewall already in place and, if so, you may be able to use a filtering product specific to your firewall.

Do you have access to the default gateway of these machines? If so, you can set up a transparent proxy on pfSense. Otherwise, you can use Group Policy to set the pfSense box as the proxy server.

You should have antivirus software in place. That will be a good place to configure application restrictions. Otherwise, you can use Group Policy to set those as well. Group Policy would not be the best place to try to set up a list of allowed sites. You really want to separate the proxy and the application restrictions.

    
by 02.05.2013 / 19:46
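
How a default-deny site whitelist of the kind mentioned in the answer above decides a request, as an added example (not DansGuardian's code and not part of the original answer). The domains are constructed placeholders, and denying raw IP addresses is a policy assumption of this sketch.

```python
"""Default-deny allowlist decision for a filtering proxy (illustrative sketch)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample allowlist (placeholder domains).
# A leading dot means "this domain and all of its subdomains".
ALLOWLIST = [".example.gov", "catalog.example.org"]


def normalize_host(url):
    """Return the lower-cased host without port or trailing dot, or None."""
    try:
        # Accept bare "host/path" input by giving it an empty scheme.
        host = urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:          # malformed URL: fail closed
        return None
    if not host:
        return None
    return host.rstrip(".").lower()


def is_ip_literal(host):
    """True if the host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_allowed(url, allowlist=ALLOWLIST):
    """Allow only hosts that match an entry on a DNS label boundary."""
    host = normalize_host(url)
    # Assumption of this sketch: the list is by name, so raw IPs are denied.
    if host is None or is_ip_literal(host):
        return False
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("."):
            base = entry[1:]
            # "notexample.gov" must not match ".example.gov": require the dot.
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:     # exact-host entry, subdomains not included
            return True
    return False
```

The comparison is made on the parsed host only, so text in the path, the userinfo part or a longer look-alike domain cannot satisfy an entry.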
0

Microsoft offers a list of Common Group Policy Scenarios Using GPMC. It has some template policies that you can use in your Active Directory domain as a starting point for locking down your machines. From what you describe, it sounds like you want the Multi-User template.

Overview of the Scenarios

The following is a list of the scenarios along with typical usage examples.

Lightly Managed

Use this scenario for power users or developers who require considerable control over their computer. You can also use this scenario in an organization where tightly managed desktops are not acceptable to users or where desktop management is highly delegated. Along with the other scenarios, the Lightly Managed scenario supports increased security and promotes consistency of user experience, both of which can be beneficial even where a tightly managed desktop is not appropriate.

The Lightly Managed scenario has the following characteristics:

  • Is the least managed of all of the scenarios.
  • Allows users to customize most settings that affect them but prevents them from making harmful system changes.
  • Includes settings that reduce help desk costs and user downtime.
  • Supports free-seating, which means users can sit down at any computer and access all their resources, applications, and data as if they were sitting at their own computer. This also simplifies your file-backup scenarios, because users’ files are all stored on designated file servers.
  • Typically has a core set of applications assigned to either the user or the computer, which are always available. Users can also install applications that have been published for them, which they can choose to install.

Mobile

The Mobile scenario is relevant to mobile/laptop computers and their users. This scenario pays particular attention to the disconnected user who frequently needs to work offline and occasionally “resynchronize” with the corporate network.

The Mobile scenario has the following characteristics:

  • Can be used by users who are away from the office most of the time, who log on using low-speed, dial-up links, but who also occasionally log on using high-speed network links.
  • Can also be used by users who are away from the office only occasionally and who log on by using remote access or remote network links.
  • Allows users continuous access to their data and configuration settings whether the computer is connected to or disconnected from the network.
  • Partially supports free-seating (can optionally support full free-seating) to facilitate centralized data backup and to enable users to access important data and settings from additional computers.
  • Allows users to disconnect from the network without logging off or shutting down.

Multi-User

Use this scenario in a university computer laboratory or library where users can save some customizations, such as desktop wallpaper and color scheme preferences, but are not allowed to change hardware or connection settings.

The Multi-User scenario has the following characteristics:

  • Allows basic customization of the desktop environment. Users can save desktop configurations, but they cannot customize network, hardware, and system settings.
  • Supports free-seating; users can log onto any computer and get their data and settings. No cached state is maintained on the computer when they leave.
  • Users have restricted write access to the local computer and can only write data to their user profile and to redirected folders.
  • Has a set of applications that are always available (assigned), as well as applications that can be installed and removed as necessary (published).
  • Is highly secure.

AppStation

The AppStation scenario is used when you require highly restricted configurations with only a few applications. Use this scenario in “vertical” applications such as marketing, claims and loan processing, and customer-service scenarios.

The AppStation scenario has the following characteristics:

  • Allows minimal customization by the user.
  • Allows users to access a small number of applications appropriate to their job role.
  • Does not allow users to add or remove applications.
  • Supports free-seating.
  • Provides a simplified desktop and Start menu.
  • Users have restricted write access to the local computer and can only write data to their user profile and to redirected folders.
  • Is highly secure.

TaskStation

Use the TaskStation scenario when you need the computer dedicated to running a single application, such as on a manufacturing floor, as an entry terminal for orders, or in a call center.

The TaskStation scenario is similar to the AppStation scenario, with the following changes:

  • It has only one application installed, which automatically starts when the user logs on.
  • No desktop or Start menu is present.

Kiosk

Use this scenario in a public area, such as in an airport where passengers check in and view their flight information. Because the computer is normally unattended, it needs to be highly secure.

The Kiosk scenario has the following characteristics:

  • Is a public workstation.
  • Runs only one application.
  • Uses only one user account and automatically logs on. The system automatically resets to a default state at the start of each session.
  • Runs unattended.
  • Is highly secure.
  • Is simple to operate, with no logon procedure.
  • Does not allow users to make changes to the default user or system settings.
  • Does not save data to the disk.
  • Is always on (the user cannot log off or shut down the computer).

A workstation that uses the Kiosk scenario is similar to a TaskStation, but users are anonymous in that they all share a single user account that automatically logs on at computer startup. This is achieved by modifying the Kiosk machine in a manner described later in this document. No customizations can be made and no user state is preserved.

Although user sessions are usually anonymous, the user can log on to an application-specific account, such as to a Web-based application through Internet Explorer (assuming Internet Explorer is the “kiosk application” launched at startup).

The dedicated application could be a Line of Business (LOB) application, an application hosted in Internet Explorer, or another application, such as one available in Microsoft Office. The default application should not be Windows Explorer or any other shell-like application. Windows Explorer allows more access to the computer than is appropriate for a Kiosk computer. Be sure the command prompt is disabled and Windows Explorer cannot be accessed from any application you use for this purpose.

Applications used for kiosk scenarios should be carefully checked to ensure they do not contain “back doors” that allow users to circumvent system policies. For example, they should not allow users access to applications that access the file system. Ideally, you should only use applications that comply with “The Application Specification for Windows 2000”, are Certified for Windows, and that check for Group Policy settings before giving users access to prohibited features. Older applications will not normally be Group Policy-aware, so try to disable any features that allow users to bypass administrative policy.

The registry entries Run and RunOnce are disabled in the Kiosk scenario through associated policy settings.

    
by 01.05.2013 / 22:57