0

I would like to create multiple small computers with Windows 7 Pro, and would like to know how I can turn this client into a "dummy" computer. In other words, I'd like to disable anything in Windows which is not related to its sole purpose.

Each machine will run a single business application only, and do nothing else. I have experimented with disabling unnecessary services and applications, and am currently online posting this question successfully with my limited Windows Services.

These are the services which are currently running: Dummy Services

And these are the processes (with the exception of Chrome): Dummy Processes

My application which will run on these machines will require only the ability to connect to an HTTP Server via a DNS name. Nothing else. No web browsers, no file browsing, nothing. Based on this requirement and the services/processes I've narrowed it down to, what else could I disable for a dummy machine?

PS - They will have Static IP addresses, so the DHCP isn't necessary either, but DNS is because it looks up the host by a DNS name.

EDIT

In addition, these machines are joined to a domain with a group policy, and it would be ideal if this can be controlled by group policies, if at all possible.

Jerry Dodge

1 Answer

4

AppLocker and Software Restriction GPO policies will allow you to whitelist individual applications and prevent the launching of all others.

Then, you can lock down the computer using other common GPOs like removing the run menu, disabling task manager, hiding control panel applets, etc.

Also, use a policy to make outbound firewall rules that only allow your whitelisted application and DNS requests to leave the client. Complex outbound rules in Windows 7 are much improved when compared to XP/2003. Don't be afraid to use them.

GPO is your friend here, don't bother fiddling in services.msc.

MDMarra
  • Thanks, I assume you saw my edit about group policies in a domain? – Jerry Dodge Jan 17 '13 at 02:03
  • My whole answer is basically "use GPO in these ways" - not sure what the edit changes. – MDMarra Jan 17 '13 at 02:03
  • The scope of the question, it was a critical piece I forgot to mention when initially posting – Jerry Dodge Jan 17 '13 at 02:04
  • Sorry, I'm not understanding you apparently. What is unclear about my answer or what else are you looking for from it? If you want to only allow one application, use the AppLocker or Software Restrictions policies to achieve this and configure peripheral policies like the one that I mentioned to lock down the rest of the machine. – MDMarra Jan 17 '13 at 02:06
  • I'm not looking for anything else, that's great, I was just making sure you saw my edit – Jerry Dodge Jan 17 '13 at 02:08
  • Oh, ok. Well, in that case - glad to help! – MDMarra Jan 17 '13 at 02:08
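
The outbound allow-list described in the answer, sketched with `netsh advfirewall` as it ships with Windows 7 (an added example, not part of the original answer). The application path, server and DNS addresses and rule names are placeholders; the same rules can be defined under Windows Firewall with Advanced Security in a GPO.

```powershell
# Added example, not from the original answer. Run from an elevated prompt.
# Paths, rule names and addresses are placeholders (assumptions).
$AppPath    = 'C:\BusinessApp\BusinessApp.exe'  # hypothetical application path
$HttpServer = '192.0.2.10'                      # placeholder HTTP server address
$DnsServers = '192.0.2.53,192.0.2.54'           # placeholder DNS server addresses

function Invoke-Advfirewall {
    param([string[]]$Arguments)
    # Arrays passed to a native command are expanded into separate arguments.
    & netsh.exe advfirewall $Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Add the allow rules first, so the machine is never left without DNS
#    or the application. HTTP only from the one executable, to the one server.
Invoke-Advfirewall @('firewall','add','rule','name=Kiosk-App-HTTP','dir=out','action=allow',
    "program=$AppPath",'protocol=TCP','remoteport=80',"remoteip=$HttpServer")

#    Lookups are made by the DNS Client service (Dnscache) inside svchost.exe;
#    allow UDP and TCP port 53 to the configured resolvers only.
foreach ($proto in 'UDP','TCP') {
    Invoke-Advfirewall @('firewall','add','rule',"name=Kiosk-DNS-$proto",'dir=out','action=allow',
        "program=$env:SystemRoot\System32\svchost.exe",'service=Dnscache',
        "protocol=$proto",'remoteport=53',"remoteip=$DnsServers")
}

# 2. Switch every profile to default-deny in both directions.
Invoke-Advfirewall @('set','allprofiles','firewallpolicy','blockinbound,blockoutbound')

# 3. Show the resulting policy and one of the new rules for review.
& netsh.exe advfirewall show allprofiles firewallpolicy
& netsh.exe advfirewall firewall show rule name=Kiosk-App-HTTP
```

A domain-joined client also needs outbound access to its domain controllers to keep receiving Group Policy; those rules are not shown here. Predefined outbound allow rules that are still enabled continue to apply after the default is changed, so review them as well.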