
Locking Down Linux Desktops In an Enterprise?

Posted by kdawson
from the just-the-policy-ma'am dept.
supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"

  • Puppet (Score:5, Informative)

    by BSAtHome (455370) on Monday March 09, 2009 @08:02PM (#27128559)

    Use puppet to enforce configuration: http://reductivelabs.com/products/puppet/ [reductivelabs.com]

    • Re:Puppet (Score:5, Informative)

      by binner1 (516856) <bdwalton@g3.1415926mail.com minus pi> on Monday March 09, 2009 @08:17PM (#27128723) Homepage

      I was going to say CFEngine, but that's only because it's what I'm currently using. I'd love to move to puppet but at the time we deployed CFEngine, puppet wasn't ready for all the things we needed it to do (windows and solaris in addition to linux)...this has likely changed now, but we've got a lot of cf scripts that would need conversion.

      Whichever tool is chosen (there are others in this space too), I believe this is the correct answer. I know that CFEngine scares a lot of people off (and maybe puppet does too?), but it is an excellent way to manage a large set of hosts.

      -Ben

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Yes, Puppet and CFEngine look like the modern solution.

        At our small office (up to 10 desktops), we use Fedora (from Core 6 to 9), plus NIS+NFS+autofs for user account+directory file management, installed from a centralized DHCP+PXE+NFS+Kickstart installation.
        Then we have our own home-brewed root crontab scripts (deployed by kickstart post-install) that:
        - replaces local files from centralized versions (some are just text files, others are sym-links, others are firefox plugins - like Adobe's flash player).
        - i

  • Mittens!!! (Score:5, Funny)

    by RecursiveLoop (1264802) on Monday March 09, 2009 @08:03PM (#27128573)
    Issue everyone Mittens!!!! They are relatively cheap and make it oh so hard to type terminal commands when worn.
  • Is Samba 4 ready? (Score:5, Informative)

    by ikirudennis (1138621) * on Monday March 09, 2009 @08:05PM (#27128591) Homepage
    from the FAQ:

    Can I use Samba 4 on my production server right now? No. Samba 4 is still under heavy development. Samba 4 is not due to replace Samba 3 soon. Many of the required core features are present, but the code is still alpha and user tools as well as some core features are still missing.

  • LSTP (Score:5, Insightful)

    by IANAAC (692242) on Monday March 09, 2009 @08:06PM (#27128599)
    Why not use LSTP? That way you only have to worry about whatever image(s) you keep on the server.
  • Come on... (Score:3, Insightful)

    by Anonymous Coward on Monday March 09, 2009 @08:08PM (#27128615)

    so expensive that it's cheaper to leave M$ on!

    If you want to be taken seriously, please lern 2 spel currektly. I'm not a Microsoft fan, but it sure is annoying seeing it spelt like that.

  • dumb terminals? (Score:5, Insightful)

    by timmarhy (659436) on Monday March 09, 2009 @08:08PM (#27128621)
    if you're talking about dumb terminals, you're making me hot. sexy little gadgets with no fans or moving parts. in this instance you can lock down any of the major desktop environments by modifying their default user to have a really low level of user access, so when you create a new user it inherits these settings. gnome, kde and xfce all have this ability. and since they are terminals and logging into a central server, management is dead easy.

    if you are talking stand-alone desktops then it's not so great. linux doesn't really have anything as good as group policies and active directory, it's part of the reason corporate networks are mostly windows.

  • by Todd Knarr (15451) on Monday March 09, 2009 @08:09PM (#27128629) Homepage

    I guess the first question is: what are you trying to accomplish? Are you trying to prevent users from installing additional software locally? Are you trying to ensure that particular applications get particular preferences set and users are prevented from changing those settings? What? Just saying "lock down the desktops" doesn't say what you're trying to actually do.

    Remember that Unix is, in large part, designed to work correctly without needing to be locked down. Much is controlled simply by the system-wide configuration files. The rest tends to be controlled on the server side, so that users simply can't do unacceptable things regardless of how they configure their local user account.

    • by jtownatpunk.net (245670) on Monday March 09, 2009 @08:17PM (#27128713)

      Never underestimate a user's ability to fark up something that is, in theory, unfarkupable.

      • by fm6 (162816) on Monday March 09, 2009 @08:43PM (#27128993) Homepage Journal

        I like this version better: No system is foolproof, because fools are fiendishly clever.

        • by jamstar7 (694492) on Monday March 09, 2009 @10:01PM (#27129633)

          I like this version better: No system is foolproof, because fools are fiendishly clever.

          The problem with making things idiot proof is you generate a better class of idiot.

          As to the problem at hand, there are tons of things you can do to keep users out of trouble. Biggest one is, keep them from accessing sudo. Easiest way to do that is, create an 'admin' account on the machine before generating user accounts. Only the first user account on a Ubuntu machine has sudo access automagically. Additional users need to be added manually to the sudo group. Remove any and all software that you don't need. What those software pieces are would depend on your application. Then add the necessary maintenance scripting run as cron jobs, things like apt. Edit the /etc/apt/sources.list to restrict repositories. What I'd do then is, recut a master CD using Ubuntu Customisation Kit [sourceforge.net] so you have a 'standard' install, and set up an in-house repository for updates, fed from the in-house server. Since the workstations only look at the in-house repository, they should only be able to install from the local server. And if they're locked away from apt, that shouldn't be a problem.

      • Re: (Score:3, Funny)

        by Darkness404 (1287218)
        Yes but considering this is enterprise, we can assume that people either A) Know what they are doing B) Know not to mess with things they don't know what they do or C) Have a nice IT staff that can fix some of the mistakes they make.
    • by QuantumRiff (120817) on Monday March 09, 2009 @08:23PM (#27128789)

      You are looking at it from a system security perspective, not an "IT Policies" perspective. He needs to be able to disallow solitaire, force all connections through a proxy server for web filtering, pass down 802.1x keys, force people to use a certain network printer, etc...

      • by whoever57 (658626) on Monday March 09, 2009 @08:32PM (#27128871) Journal

        You are looking at it from a system security perspective, not an "IT Policies" perspective. He needs to be able to disallow solitaire, force all connections through a proxy server for web filtering, pass down 802.1x keys, force people to use a certain network printer, etc...

        All these can be enforced using control of the services. The problem statement reflects the Microsoft/Windows way of doing things. Turn it around and ask how the network can enforce the policies.

        Proxy: the firewall can enforce this. Users don't use the correct proxy? No web access. Printers: Configure the printer to allow only certain users/groups, etc. etc..

      • by mysidia (191772) on Monday March 09, 2009 @08:44PM (#27129011)

        (1) Don't install any solitaire program. Mount users' home directories noexec, don't give users root access. They won't be playing solitaire. This also prevents them from downloading solitaire off the web... blocking winsol.exe in Windows group policy doesn't stop any of this, and doesn't stop users from copying winsol.exe to some innocuous filename like C:\excel.exe

        (2) iptables rules can be set to deny web access except through the proxy.

        (3) Passing keys is just a single example of central config management, there are tools for this as well, like cfengine, bcfg2.

        • by magamiako1 (1026318) on Monday March 09, 2009 @08:51PM (#27129069)
          Multiply this by about 500 machines, and then the ability to later on down the road be able to change it without having to completely redo them or find some screwed up roundabout way to push out to every machine via scripts...

          You'll quickly turn to the Windows way of doing it.
          • by mysidia (191772) on Monday March 09, 2009 @09:08PM (#27129233)

            Didn't I mention bcfg2? cfengine and bcfg2 are tools that are used to do just that, force tens of thousands of machines to comply with approved configurations, and remediate machines that don't, by making them match the approved configurations.

            And yes, you can remove software, set iptables rules, distribute keys, etc, using pre-made open source software available for Linux.

          • Re: (Score:3, Informative)

            by tedrlord (95173)

            Custom kickstart with all the required configurations, and some basic configuration management software, makes it -extremely- easy to manage. The requirement is having an admin that knows how to set it up correctly in the first place.

            Lock out root accounts, mount user home directories from a separate partition/disk/network share and you can even reinstall the base OS without touching their files. Any decent configuration management software (there are a lot of choices) would also allow IT to add rpms or mak

      • Re: (Score:3, Insightful)

        by Eil (82413)

        You are looking at it from a system security perspective, not "IT Policies" perspective.

        Most "I.T. Policies" are stupid and written by control freaks with no managerial sense.

        force all connections through a proxy server for web filtering

        The ridiculousness of web filtering aside, this is easily accomplished by pre-made config files in /etc/skel.

        pass down 802.1x keys, force people to use a certain network printer,

        Again, /etc/skel or something like Puppet [reductivelabs.com] works fine here.

        He needs to be able to disallow solitar

        • Re: (Score:3, Insightful)

          by ozphx (1061292)

          In a large organisation the poor admin implementing the policy is not the person who created the policy.

          Web filtering is put in because Suzy once saw Joe in accounting see this site [tubgirl.com] after I linked to it here, because I'm a bit of a cunt like that. She then caused massive panic, which spread upwards to the CEO, who decreed that The Internets Shall Be Filtered to prevent the company being sued.

          Most GP isn't implemented to be totally bulletproof, it's there to create a standardised config, and mostly prevent pe

        • by mcrbids (148650) on Monday March 09, 2009 @10:29PM (#27129863) Journal

          What you are forgetting is that most companies, especially large companies ARE boring places staffed by a high percentage of mediocre people. Large organizations have a large amount of administrative overhead, and the vetting process is long, convoluted, and inefficient. It's just the nature of the beast.

          1) IT staffed by control freaks? Well duh! It's the only way they can appear to be doing something and not getting their asses handed back to them if anything goes wrong...

          2) Trust? How much do YOU trust people you know just barely well enough to remember their name? And anytime you get more than 5 people together, they start grouping up and taking sides. Disputes soon follow. Care to guess what it's like when there are 500?

          3) Hiring standards? Have you seen who applies to Monster.com ads? As an employer, I can say the domain name is appropriate...

          4) Unrealistic expectations... It's often hard enough to simply establish expectations at all. 5) Morale? You want to talk about morale!?!? Large companies spend months rolling out big updates like using actual coffee in the coffee makers at their 2,000 store fronts, or on 6 month programs to get locations to clean their bathrooms. Wait until you spend a man-week working yer ass off because somebody didn't know what 'historic' meant, only to find you didn't need to do anything at all. Then see what your morale is like.

          6) Unmotivated employees? Your average wage slave is motivated by a desire to do as little as possible and not get yelled at.

          Go work at/for/with some large organizations sometime. You'll see why Dilbert is so popular - not because it's quirky and off-beat but because IT'S TRUE!

    • MOD PARENT UP (Score:5, Interesting)

      by serviscope_minor (664417) on Monday March 09, 2009 @08:24PM (#27128797) Journal

      Mod parent UP. The OP is thinking about it wrong: i.e. how to manage unix in the style of windows. Don't give them root and they can't install software. Make sure the home directories and /tmp are mounted -noexec and there is NO WAY that they can run programs which aren't already installed.

      Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.

      You can create an RPM to do this for you, then set up the whole thing automagically using Redhat's or SUSE's tools (one is called kickstart). I suspect it is straightforward on debian based systems, too.

      If you have the autoupdater running (good for security), then update the setup RPM, put it in your local repository, and sit back as all the desktops get updated with new settings.

      Alternatively, you can bodge it with shell scripts and a cron job :-)

      • Re:MOD PARENT UP (Score:5, Insightful)

        by binner1 (516856) <bdwalton@g3.1415926mail.com minus pi> on Monday March 09, 2009 @08:41PM (#27128975) Homepage

        While I _mostly_ agree with this, a nice policy management (configuration management mostly) tool is also essential when dealing with lots of boxes. You want a new setting for all Gnome desktops, simply add it to the policy tool and let it distribute any required config files or run commands to change the setting, etc. This type of thing used to be done with things like: for h in $all_my_hosts; do ssh $h /tweak/some/setting; done

        CFEngine and Puppet and friends are a nicer way of doing this. They're "self documenting" in that you write the code and then you can later very easily see when you added some configuration bits, etc...version control your configuration management scripts and you get even better tracking of who did what and when. (A side question: How does one do the version control type stuff in AD?)

        While kickstart is great (I use it), it only goes so far. Having a policy manager on top of that (installed and configured in the kickstart) is a beautiful thing!

        -Ben

      • Re:MOD PARENT UP (Score:4, Interesting)

        by geekboy642 (799087) on Monday March 09, 2009 @08:46PM (#27129033) Journal

        I was going to post almost exactly this.
        If every directory your users can write to is mounted as noexec, and you don't do something boneheaded like giving them sudo access, they will be completely unable to install software. There'll be extra traps, like disabling flash to prevent most of the browser-based time wasters, but those can be managed reactively, and aren't nearly as likely to require a system re-image.
        Transparent automatic proxies are negligibly simple to implement, for instance a pfSense box and a $300 PC. As a bonus, you can easily add web filtering and block things like Slashdot at work. As for printers, Avahi and cups setup can easily make finding and using printers secure and idiot-proof.
        A local .deb or .rpm archive, and making your desktops automatically check for updates at, say, 2am, will alleviate the rest of your problems. It's also quite easy to provide a virtual "our_enterprise" package that you can have depend on any local fixes or changes for your office.

        The answers to subby's question are almost laughably simple.

        • Re: (Score:3, Insightful)

          by QuoteMstr (55051)

          As a bonus, you can easily add web filtering and block things like Slashdot at work.

          Actually, browsing Slashdot, The Old New Thing [msdn.com], lwn.net [lwn.net] and so on has made me more productive overall. Preventing users from accessing "time wasters" is a losing strategy: not only is the blocking technically futile, but by treating employees like children, you kill morale. Instead of micromanaging their days, treat employees like responsible adults and evaluate them based on their work and its results.

        • Re: (Score:3, Informative)

          by maitai (46370)

          This is just wrong. Even in the Windows world. You don't need to be root to "install" a program (and what is with the "install" mentality anyhow?) Someone can happily place a binary in their home directory, or /tmp, or wherever they have write permissions and run it (note the next paragraph).

          And relying on noexec? /usr/bin/perl is usually executable, as is /usr/bin/php, /placeyourfavoriteinterprethere and can run any script you tell it to regardless of the noexec bit on the partition you mounted. For th

      • Re:MOD PARENT UP (Score:4, Insightful)

        by QuoteMstr (55051) <dan.colascione@gmail.com> on Monday March 09, 2009 @08:55PM (#27129099)

        Err, you can still run interpreted programs on a filesystem mounted noexec:

        ~$ python myprogram.py

        A sufficiently clever user could use an interpreter to write his own dynamic linker and thereby run binaries too.

        But I agree: locking down the desktop is the wrong approach. Better is to separate sensitive information from things that aren't sensitive, and have a standard user environment to restore to if the user does manage to mess up his configuration.

        • Re: (Score:3, Insightful)

          by Darkness404 (1287218)
          Ok, first though, these are ordinary workers. They aren't blackhats, they don't want to screw up their system, and if they know how to do that, they most likely work in the IT department.

          Don't treat your employees like criminals, if they break enough things all the time, fire them for incompetence, but there is no need to totally lock down everything.
      • Re:MOD PARENT UP (Score:5, Insightful)

        by magamiako1 (1026318) on Monday March 09, 2009 @08:55PM (#27129103)
        You kids still think that what the OP is asking for has anything to do with "preventing users from doing something harmful to the computer".

        Get it out of your heads. Many of the things group policy can do have nothing to do with "security" or "preventing users" from doing anything. It has a lot to do with quickly standardizing departments, offices, rooms, or whatever your business structure is.

        When you move a computer to a different department you simply drag the computer in AD to the different OU and BAM! That computer now gets everything new with its policies. There's no bringing the computer in to the IT department and reloading its configuration with "Configuration A for Department B".

        Want to make a change to how a whole department does things? There's no pushing a script out later on to the whole department. You simply change it in group policy and the entire thing gets taken care of automatically.

        You can spend more time focusing on actually getting shit done than fussing around with HOW to solve the problem with roundabout tool sets.
        • Re:MOD PARENT UP (Score:5, Informative)

          by QuoteMstr (55051) <dan.colascione@gmail.com> on Monday March 09, 2009 @09:04PM (#27129181)

          This kind of stuff is why NFS-mounted home directories are just wonderful. If my machine kicks the bucket, I can grab a new one, install an OS on it, and get back to where I was before in half an hour. In a larger organization, an imaged system would work even better.

          Now, as for mass configuration changes, cfengine [cfengine.org] is your friend.

        • Re: (Score:3, Interesting)

          by EvilRyry (1025309)

          Use puppet. Not only can you configure policies and configuration, but you can _sanely_ manage software as well.

        • Many of the things group policy can do have nothing to do with "security" or "preventing users" from doing anything. It has a lot to do with quickly standardizing departments, offices, rooms, or whatever your business structure is.

          When you move a computer to a different department you simply drag the computer in AD to the different OU and BAM! That computer now gets everything new with its policies. There's no bringing the computer in to the IT department and reloading its configuration with "Configuration A

          • by Ungrounded Lightning (62228) on Monday March 09, 2009 @09:50PM (#27129569) Journal

            Move it to a new department? Change the entry for the machine on the DHCP server. No need to pull it in for retweaking.

            Or even plugged in when you make the change.

            You can use the whole disk for swap and /tmp. No individual installs. No local copies.

            And the user's entire persistent state is on your fileservers, where you control the backup, maintain history (and let the user recover his OWN lost files), etc.

            Meanwhile, with nothing persistent on the user's machine there's no info lost if it fries or is stolen, or if you need to upgrade his hardware. Just configure a fresh machine for netboot and replace the MAC address of his workstation with the new machine. Instant gratification.

            You also get to update the software on ALL the machines by updating ONE image on the servers.

    • by msobkow (48369) on Monday March 09, 2009 @08:28PM (#27128843) Homepage Journal

      I admit I'm puzzled at the issue of "lockdown" myself.

      For years whenever we needed to lock down a *nix account, the sysadmins would install the software as root and set up the user accounts in capture mode (i.e. .login starts the X session, and the X session doesn't have the ability to add/remove programs.)

      I can't imagine needing to lock down a session any tighter than that, and I've never seen a Windows desktop that was locked down any tighter, either.

      • Re: (Score:3, Interesting)

        by poetmatt (793785)

        This was the idea that came in my mind as to a method of locking down desktops. I mean really, it's not that hard considering they won't be able to run a .deb or .rpm or whatever package they attempt once it's locked like that anyway.

        It honestly surprises me this is a slashdot article asking for an answer that is as simple as you wrote.

  • by Anonymous Coward on Monday March 09, 2009 @08:09PM (#27128635)

    In the Linux world, there has yet to be a quick, 3-question, 1-button way to add the computer to a domain and then receive straight away:
    - group policies - security and software install
    - single password store (with cached passwords for notebooks that go away from the network)
    - Patch update policy

    The only thing Linux does right is work on technologies such as DHCP that were written for OTHER Unix OSes.

    Ubuntu is not interested in those things, they're more interested in making stories about koalas and hiding popup boxes.

    Gnome is dead, Mono and moonlight took all their brains away.

    kde is making a next-gen desktop but have yet to understand why so many IT shops have kept Windows at the office.

    This is all depressing. Windoze will never be replaced at the current rate.

    • by Arker (91948) on Monday March 09, 2009 @08:44PM (#27129009) Homepage

      This is very much like when (several years back) I was told Linux wasn't ready because there was no antivirus or defrag available.

      If all you know is Windows then you imagine these things are critical to the operation of a corporate network. They aren't. They're patches plastered all over an inherently poor design to allow it to (sort of) function in that environment.

      With a real OS the actual underlying goals these things serve are served without the need for the specific windows-centric functions to patch windows-specific problems.

  • by whoever57 (658626) on Monday March 09, 2009 @08:10PM (#27128641) Journal

    A desktop where the user does not have su/sudo access is already pretty locked down -- the user can only write to his home directory and other directories that he/she has access to through normal permissions.

    If you really want to lock it down, the user's home directory can be mounted in such a way that files cannot be executed from there.

    What else is required?

    • by shutdown -p now (807394) on Monday March 09, 2009 @08:26PM (#27128831) Journal

      What else is required?

      The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.

      • Re: (Score:3, Interesting)

        by whoever57 (658626)

        The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.

        A quickstart file to install the machine correctly in the first place, use the autoupdater to update based on your own repository, with custom RPMs to push out further changes. Or, have the machine run a crontab that runs a script from a network-accessible location periodically -- and that script can set up

      • Re: (Score:3, Informative)

        by mysidia (191772)

        The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.

        That's a job for cfengine/bcfg2 or puppet, and a couple scripts to maintain exactly what you want. There are tools that can do this sort of thing very well.

        And you can also easily set it up so you can detect if a system has fallen out of compliance for some reason, and possibly send you an e-mail.

        Wind
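The checks jamstar7 and mysidia describe above (keep users out of the sudo group, mount home directories noexec, restrict /etc/apt/sources.list to the in-house repository, and have a cron job detect machines that fell out of compliance) as a worked example. This is added code, not anything a poster in this thread wrote or any project's tool; the admin account name "itadmin" and the repository host "repo.corp.example" are assumed, and the sample file contents are constructed.

```shell
#!/bin/sh
# Compliance audit for a locked-down Linux desktop (added example, not from the thread).
# Each check is a function that reads text, so it can be fed the real /proc/mounts,
# /etc/group and /etc/apt/sources.list from a root cron job, or sample data as below.
# Assumed policy values: one admin account "itadmin", repository host "repo.corp.example".

# mount_has_noexec MOUNTS_TEXT MOUNTPOINT -> prints OK when MOUNTPOINT is mounted
# with the noexec option, FAIL when it is not mounted at all or lacks the option.
# /proc/mounts fields: device mountpoint fstype options dump pass
mount_has_noexec() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { found = 1; if ($4 ~ /(^|,)noexec(,|$)/) ok = 1 }
        END { if (found && ok) print "OK"; else print "FAIL" }'
}

# unexpected_sudoers GROUP_TEXT ALLOWED -> prints every member of the sudo group
# other than ALLOWED, one per line; prints nothing when the group is clean.
unexpected_sudoers() {
    printf '%s\n' "$1" | awk -F: '$1 == "sudo" { print $4 }' | tr ',' '\n' \
        | grep -vx -e "$2" -e '' || true
}

# foreign_apt_sources SOURCES_TEXT REPO_HOST -> prints every deb/deb-src line whose
# URL host is not REPO_HOST (assumes plain "deb URL suite components" lines).
foreign_apt_sources() {
    printf '%s\n' "$1" | awk -v host="$2" '
        $1 == "deb" || $1 == "deb-src" {
            url = $2
            sub(/^[a-z]+:\/\//, "", url)   # strip the scheme
            sub(/\/.*/, "", url)           # keep only host[:port]
            if (url != host) print
        }'
}

# audit MOUNTS_TEXT GROUP_TEXT SOURCES_TEXT ALLOWED_ADMIN REPO_HOST
# Prints one line per finding and returns 1 if anything is out of policy,
# which is what a cron job would test before sending the alert mail.
audit() {
    failures=0
    for mp in /home /tmp; do
        if [ "$(mount_has_noexec "$1" "$mp")" != OK ]; then
            echo "noexec missing on $mp"; failures=$((failures + 1))
        fi
    done
    extra=$(unexpected_sudoers "$2" "$4")
    if [ -n "$extra" ]; then
        echo "unexpected sudo members: $(printf '%s' "$extra" | tr '\n' ' ')"
        failures=$((failures + 1))
    fi
    foreign=$(foreign_apt_sources "$3" "$5")
    if [ -n "$foreign" ]; then
        echo "apt sources outside $5:"; echo "$foreign" | sed 's/^/  /'
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Constructed sample data standing in for the three files on a desktop that has
# drifted from policy: /tmp lost noexec, "bob" got into sudo, a public mirror was added.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
SAMPLE_GROUP='root:x:0:
sudo:x:27:itadmin,bob
users:x:100:'
SAMPLE_SOURCES='# in-house mirror
deb http://repo.corp.example/ubuntu hardy main restricted
deb http://archive.ubuntu.com/ubuntu hardy-backports main'

# On a real desktop a root cron job would run it against the live files, e.g.
#   audit "$(cat /proc/mounts)" "$(cat /etc/group)" \
#         "$(cat /etc/apt/sources.list)" itadmin repo.corp.example || mail -s ...
audit "$SAMPLE_MOUNTS" "$SAMPLE_GROUP" "$SAMPLE_SOURCES" itadmin repo.corp.example \
    || echo "desktop is out of policy"
```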

      • Re: (Score:3, Interesting)

        by Spit (23158)

        Have you evaluated the canonical commercial tools?

  • Huh? Its unix (Score:5, Informative)

    by nurb432 (527695) on Monday March 09, 2009 @08:13PM (#27128671) Homepage Journal

    If you just manage the users properly and NFS mount applications it almost takes care of itself and doesn't need an extra layer of complexity.

    Use PXE+XDMCP and the workstations become irrelevant.

    • Re:Huh? Its unix (Score:4, Insightful)

      by Facetious (710885) on Monday March 09, 2009 @08:37PM (#27128935) Journal
      Finally! Thank you. I can't believe I had to read so many posts on slashdot of all places before someone points out the obvious. I recommend the OP googles "root over NFS." To reiterate, don't try to do Linux the Microsoft way. Also, please disregard all these stupid AC posts about Linux not being ready for the corporate desktop. Unemployed MCSEs are just yanking your chain.
  • by darthwader (130012) on Monday March 09, 2009 @08:14PM (#27128689) Homepage

    You set up the machines to all boot over the network, from a common image, and to load all system files from a NFS share.

    The only thing on the workstation is the user's $HOME directory, and some local stuff like /tmp, /var, etc.

    Your users don't get root on their workstations. They shouldn't need it. This isn't like Windows, where a huge number of apps don't run correctly if you don't have admin rights. Linux is designed under the assumption that users don't have admin rights.

    Maybe I'm being naive, but what more do you need?

    • Re: (Score:3, Insightful)

      by magamiako1 (1026318)
      To protect the users from themselves...PXE booting is not the answer.

      He wants to enforce things such as proxy settings, desktop settings, auditing, etc.
  • by DF5JT (589002) <slashdot@bloatware.de> on Monday March 09, 2009 @08:18PM (#27128731) Homepage
    I remember an article about KDE's long term strategy to be just that: an enterprise ready Desktop with fine grained policies, central administration and all the fluff that makes windows enterprise-ready and the de facto standard for the desktop.

    Today, we have a colorful disaster that isn't even as usable as its predecessor. Developers should have focused on the need for an enterprise desktop that could actually make a dent in MS corporate sales. Instead we got useless eye candy.

    The fault, of course, lies with the big distributions that pride themselves on providing enterprise ready Linux. Enterprise sans le Desktop. Useless wanking. The requirements for an enterprise ready desktop are out there for anyone to see and it's not just "applications" as everyone usually points out. It's the ability for administrators to create and maintain a usable desktop according to official corporate policies. No more and no less.
  • policies (Score:4, Insightful)

    by TheSHAD0W (258774) on Monday March 09, 2009 @08:19PM (#27128737) Homepage

    locking down Linux terminals to comply with company policies

    Sooo, what exactly ARE these company policies?

    • Re: (Score:3, Funny)

      by Herkum01 (592704)

      Keep employees from installing software unless you're an upper-level executive who needs a business-level package. You know, like Solitaire, their favorite screen saver, a program that will display files (like naked_britney_spears.zip.exe) they get in email.

      You know, the policy that says I am too special to actually follow the rules...

  • Pessulus (Score:3, Informative)

    by Simon80 (874052) on Monday March 09, 2009 @08:20PM (#27128759)

    Pessulus [gnome.org] is a lockdown editor for GNOME. It is included in the admin suite since 2.14.

    What's wrong with that?

  • by PPH (736903) on Monday March 09, 2009 @08:30PM (#27128859)

    ...we just used a script that called useradd pointing to the appropriate skeleton directory and then called chown/chmod to keep people from modifying the rc files in their home directories.

    Really smart users can probably find a way around this. But then at a company I used to work for, we could never lock down Windows NT to keep the shop floor mechanics from setting the wallpaper to a Pamela Anderson, Tommy Lee photo. So I guess it's all relative. You may need users that are dumber than a high school dropout welder.

  • Do what's cheaper (Score:5, Insightful)

    by malevolentjelly (1057140) on Monday March 09, 2009 @08:57PM (#27129117) Journal

    If it's cheaper to stay with a Microsoft-based infrastructure, then stay with that. Creating massive infrastructure-wide group policies that go from desktop to web browser is sort of a windows thing. If you're going to maintain security policies in a linux-based system, you better be prepared to start thinking in Unix- that means remembering that you're using a network-based system, not a locally-oriented system on a network.

    If you're setting an IT infrastructure, the costs you're cutting on licensing will probably bite you in either support, security, training, or usability/productivity. There's no such thing as free software, I'm sorry.

  • by mrroot (543673) on Monday March 09, 2009 @09:29PM (#27129375)
    I'm glad this question came up. I read somewhere that 2009 was going to be the year of Linux on the desktop.
  • by v1 (525388) on Monday March 09, 2009 @09:29PM (#27129379) Homepage Journal

    Locking Down Linux Desktops In an Enterprise?

    We leave our security in the hands of Mr. Worf.
