Managing Computer Labs with ZENworks for Desktops - PowerPoint PPT Presentation


1
Managing Computer Labs with ZENworks for Desktops
  • Kristi Wall
  • University of Georgia
  • kew_at_uga.edu

2
What is ZENworks for Desktops?
  • ZENworks for Desktops is Novell's full-featured
    desktop management system
  • Directory-enabled desktop management system;
    utilizes Novell's eDirectory
  • Offers both desktop management and application
    management capabilities

3
What does ZENworks for Desktops give me?
  • Workstation Imaging: image one or many
    workstations at a time
  • Application management, distribution and repair
    on and off the network
  • Desktop Management Policies: secure
    workstations, manage users' experiences and
    remotely manage users and workstations
  • Inventory: collect software and hardware info

4
What do I need to run ZFD?
  • Runs on either NetWare or Windows
  • eDirectory is required
  • Current version (ZFD 4) does not require the
    traditional Novell client
  • Modular agents necessary to provide various ZFD
    functions
  • ZFD functions outside a firewall

5
Our Focus Today
  • Lab deployment and maintenance strategies
  • Locking down workstations with desktop policies:
    how do you handle exceptions?
  • Restricting applications
  • Directory design considerations
  • UGA's MyID lab authentication

6
Interesting Imaging Aspects
  • ZFD imaging is based on a Linux kernel
  • Three ways to initiate an imaging session
      • Linux partition on the workstation, imaging media
        (CD or diskettes), PXE (Preboot Services)
  • File-level imaging solution: take advantage of
    add-on imaging
  • ZENworks Image Safe Data: safely store
    workstation-specific information

7
New Lab Deployment
  • Multicast from workstation or server
  • New machines dynamically retrieve IP, Windows
    Networking and DNS info
  • Image selection can be based on hardware rules
    you define
  • Use add-on images for machines with different
    software requirements

8
Lab Upgrades or Maintenance
  • Flag machine(s) for automatic imaging operations
    when necessary
  • After an image is restored, the Image Safe Data
    overwrites values stored in the image:
      • NetBIOS name
      • IP information (DHCP or static)
      • Workgroup membership
      • eDirectory workstation object information, if any
      • Randomizes the SID
  • Scheduled Wake-on-LAN services

9
Using ZFD for Workstation Security
  • Control user authentication and access
  • Use ZFD policies to control what users can do
  • Policies applied to workstations will apply to
    all users who use that workstation
  • Policies applied to users will apply wherever
    that user logs in
  • Using workstation and user policies gives a
    combined security effect

10
User Authentication and Access
  • How do users authenticate?
  • Don't use a single account for lab logins
  • Dynamic Local User policy for NT/2K/XP
      • Designate local group membership
      • Can be tied to specific workstations
      • Volatile or nonvolatile local user accounts
  • Use NTFS, if possible, to enhance ZFD's security
    policies
  • Change default group security settings!

11
What rights do users need?
  • For Application Launcher to work properly, the
    logged-in user requires the following rights:
      • Full Control access to the NAL cache directory
        (typically, C:\NALCACHE).
      • Full Control access to the user's TEMP directory
        (typically, C:\DOCUMENTS AND SETTINGS\username\LOCAL SETTINGS\TEMP).
      • Read/Write rights to the
        HKEY_CURRENT_USER\Software\NetWare\NAL\.1.0 registry key.
      • Read rights to the
        HKEY_LOCAL_MACHINE\Software\NetWare\NAL\1.0 registry key.
      • Read rights to the
        HKEY_LOCAL_MACHINE\Software\Novell\ZENworks registry key.
  • In addition, the System user requires full access
    to all areas of the workstation. By default, this
    access is granted to the System user as a member
    of the Administrators group. Do not limit the
    default rights given to the Administrators group.
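
A way to confirm that a locked-down lab account holds exactly the rights listed on this slide, written here as an added example and not taken from the presentation or from Novell. It assumes PowerShell is available on the workstation and that the NAL cache sits at the typical path named above; the function names are hypothetical.

```powershell
# Added example, not from the presentation. Run in the lab user's own session.
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

function Test-FullControl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try {
        $rules = (Get-Acl -LiteralPath $Path -ErrorAction Stop).GetAccessRules($true, $true, $sidType)
    } catch { return 'cannot read ACL' }
    # ACEs that name the user or one of the groups in the user's token
    $mine = @($rules | Where-Object { $sids -contains $_.IdentityReference.Value })
    if ($mine | Where-Object { $_.AccessControlType -eq 'Deny' }) {
        return 'deny ACE present, review by hand'
    }
    # Looks for one Allow ACE carrying every Full Control bit; rights split
    # across several ACEs are reported as insufficient.
    $hit = $mine | Where-Object { ($_.FileSystemRights -band $full) -eq $full }
    if ($hit) { return 'ok' }
    return 'insufficient'
}

function Test-RegKey {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey, [bool]$Write)
    try {
        $key = $Hive.OpenSubKey($SubKey, $Write)   # $true requests write access
        if ($null -eq $key) { return 'missing' }
        $key.Close()
        return 'ok'
    } catch { return 'denied' }
}

$hkcu = [Microsoft.Win32.Registry]::CurrentUser
$hklm = [Microsoft.Win32.Registry]::LocalMachine
# Paths and keys below are the ones listed on the slide.
[ordered]@{
    'C:\NALCACHE (Full Control)'     = Test-FullControl 'C:\NALCACHE'
    'User TEMP (Full Control)'       = Test-FullControl $env:TEMP
    'HKCU NetWare\NAL\.1.0 (R/W)'    = Test-RegKey $hkcu 'Software\NetWare\NAL\.1.0' $true
    'HKLM NetWare\NAL\1.0 (Read)'    = Test-RegKey $hklm 'Software\NetWare\NAL\1.0' $false
    'HKLM Novell\ZENworks (Read)'    = Test-RegKey $hklm 'Software\Novell\ZENworks' $false
}
```

Any result other than `ok` points at the specific directory or key to adjust, which avoids the shortcut of adding lab users to a more privileged local group.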

12
ZFD Desktop Management Policies
  • Extensible Policies still available: POLEDIT,
    anyone?
      • Win98/NT/2K/XP
      • Import custom ADM files
  • Group Policies provide more control
      • Win2K/XP
      • Same as Group Policies in AD
      • Settings stored in eDirectory and applied when
        necessary

13
Interesting GP Aspects
  • By default, user-based group policies don't remain
    in effect after a user logs out.
  • User, Computer and Security group policy settings
    can be applied to a user or workstation.
  • Policies can be scheduled to be applied at a
    certain time (event or time)
  • Workstation group policies have loopback support
      • Replace mode (don't apply user's settings)
      • Merge mode (apply workstation's settings last;
        last policy applied wins)

14
Common Group Policy Settings for Labs
  • Configure Windows Components
      • Internet Explorer
      • NetMeeting
      • Task Scheduler
      • Windows Installer
  • Remove Options from Windows Explorer
  • Control Desktop environment
  • Remove access to Control Panels
  • Remove System Settings and Apps

15
Locking down Windows Explorer
  • Remove dangerous options from Explorer
      • Map/Disconnect Network Drive
      • Folder Options from Tools Menu (view file types,
        active desktop)
      • Context Menus (shortcut menus when you right-click
        an item)
      • Hardware tab
      • Search button
  • Request alternate credentials for installs

16
Controlling Drive Access
  • Prevent or hide access to drives
  • Designate which drives are available (or not) to
    users.
  • Can prevent access completely
  • Causes some warnings when opening Explorer and
    dialog boxes within applications
  • Recommended: hide drives and handle security
    through NTFS file rights

17
Controlling the Desktop
  • Start Menu and Taskbar control
      • Remove Settings (no control panel, printer)
      • Remove Run from Start Menu
  • Desktop control
      • Hide Icons on Desktop (all or some)
      • Control Active Desktop (enable, disable, prohibit
        changes)

18
Control System Settings and Apps
  • Don't display Welcome screen at logon
  • Disable REGEDIT
  • Disable Command Prompt
      • Allow command prompt script processing?
  • Run or don't run specified Windows apps or
      • prevents users from running programs that are
        started by the Windows Explorer process
  • Consider Rogue Process Management
  • Disable Autoplay

19
What about Admin access?
  • If you use extensible policies
      • FIRST create a reversed policy that reverses the
        policies you will create for regular users.
      • Associate that to YOU and other admins
  • If you use group policies
      • Create a reversal GP for yourself (just in case)
      • Be careful with Workstation Loopback Support
      • Arrange search policy to always find and apply
        users' policies last

20
Restricting Applications
  • Novell Application Launcher (NAL) can be run as
    the shell for more security
  • Rogue Process Management
      • Application Launcher watches processes run on the
        workstation
      • Terminates and/or ignores processes not launched
        through Application Launcher
      • Can log rogue processes too
      • Allows exceptions

21
eDirectory Design Guidelines
  • Tree-wide ZFD policies can be provided by one
    server.
  • You may want more ZFD servers depending on your
    network design.
  • Policies applied to different areas of the tree
    can be located together.
  • The search policy checks to find associations of
    policies and applications, not the objects
    themselves.

22
UGA's MyID lab authentication
  • EITS-run labs authenticate to UGA's central MyID
    service
  • Windows 2000 lab utilizing Dynamic Local User
    policy
  • DLU is the only user policy applied to MyIDs
  • Only allowed DLU access to specified workstations
    in tree

23
Limitations and Problems
  • Don't allow additional user policies
  • Recommend using Group Policies applied to
    workstation objects
  • Remember group policies containing user settings
    can be applied to workstations
  • Search policy only searches for policies and
    applications applied to the MyID container (only
    central EITS settings)
  • Departmental applications associated to lab
    workstation objects

24
Possible Futures
  • Extend MyID information to contain departmental
    and possibly class information
  • Synchronize MyID data to hierarchical eDirectory
    tree
  • Allow department policy and application
    associated to MyIDs: merge two tree ZFD settings
    on user login
  • Applications and policies can be applied to users
    with appropriate departmental affiliation and
    class load

25
ZFD Resources
  • This presentation will be posted off the UGA
    ZENworks web pages: www.eits.uga.edu/lans/novell/zenworks
  • Official ZFD documentation: www.novell.com/lg/zdpr/index
  • ZFD Coolsolutions: www.novell.com/coolsolutions/zenworks
  • ZEN Email List
      • ZEN_at_listserv.uga.edu