Hey everyone! I'm in the process of setting up restrictions for standard user workstations and would love to hear your thoughts. Besides restricting access to Command Prompt, PowerShell, Run, and the Registry, what other settings do you often restrict in the Control Panel? I'm looking for best practices or recommendations that can help strengthen our policy. Thanks for any insights you can share!
6 Answers
Honestly, I wouldn't overthink it. Make sure users are standard users and allow them some freedom. I find the overly restrictive days are behind us, because updates can break functionality when too much is locked down. It’s more hassle than it’s worth to try and micromanage every single access point.
We don't really restrict much. We follow CIS Level 1 guidelines to ensure that no end users have local admin rights, and that's pretty much it. It's not the 90s anymore—overly restricting the OS doesn't really help. Having access to Command Prompt and similar tools isn't dangerous if they don’t have admin rights, so who really cares?
Totally! I agree, it’s more about managing privileges rather than excessively restricting access.
Looking at DISA STIGs can be really beneficial. They offer detailed guidelines for Windows 11 on what should be locked down. Check out their site for a comprehensive list of things you might want to restrict based on best practices. It’s already been pretty well researched.
I think the approach of focusing on least privilege rather than blocking essential tools is the way to go. Making sure users have just enough access to do their jobs without unnecessary risk can reduce complications. It’s all about balancing security with efficiency.
From what I’ve seen, creating a strong written policy with clear enforcement is crucial, including consequences for rule-breaking. Also, make sure to keep technical controls like antivirus or VPN in place. You’ll want to prevent any unauthorized software installations without IT approval. Additionally, implementing MFA will help secure access to corporate resources.
For me, the key is no local admin access. Just keep users in the 'users' group and avoid letting them be 'administrators' or 'power users.' I used to customize access a lot using GPO, but with things like the MS App Store, it became more efficient to use allowlisting/denylisting strategies with tools like AppLocker or WDAC. It’s better to work with the permissions users need rather than restricting them so much.
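An added example (not code from any poster in this thread) that audits a workstation for the two controls the answers keep returning to: no unexpected members in local Administrators, and AppLocker actually enforcing rather than auditing. The approved-admin list and the CONTOSO group name are placeholders; run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Assumption: these are the only principals permitted in local Administrators.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (ideally LAPS-managed)
    'CONTOSO\Workstation Admins'         # placeholder domain group
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    # Get-LocalGroupMember ships with Windows PowerShell 5.1 (LocalAccounts module).
    # Name is "COMPUTER\user" for local principals and "DOMAIN\name" for domain ones.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-AppLockerEnforcement {
    # Effective policy = local policy merged with the domain GPOs applied to this host.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($coll in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection = $coll.Type              # Exe, Msi, Script, Dll, Appx
            Mode       = $coll.EnforcementMode   # Enabled, AuditOnly, NotConfigured
            RuleCount  = @($coll.ChildNodes).Count
        }
    }
}

$extra = Get-UnapprovedLocalAdmins
if ($extra) {
    Write-Warning 'Unapproved members of local Administrators:'
    $extra | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators group contains only approved principals.'
}

$enforcement = Get-AppLockerEnforcement
$enforcement | Format-Table -AutoSize
# Exe/Script collections that are not in Enabled mode still let a standard user
# run arbitrary binaries; that is exactly the gap allowlisting is meant to close.
$weak = $enforcement | Where-Object { $_.Collection -in 'Exe', 'Script' -and $_.Mode -ne 'Enabled' }
if ($weak) { Write-Warning "AppLocker is not enforcing for: $($weak.Collection -join ', ')" }
```

If no AppLocker policy exists at all, the effective XML has no RuleCollection elements and the second table is simply empty, which is itself the finding.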

Thanks for the insight!