Kids Laptops - Win10 - LockDown Dilemma


SystemParanoia

Original Poster:

14,343 posts

199 months

Thursday 21st September 2017
I've obtained a pair of Lenovo Miix 310s for the kids to have/use for school work and generally become inseparable from.
I'm debating how much, if at all, I should lock their systems down.

On one hand, I feel that I should just take a copy of the W10 Reg Key from each and just let them run riot whilst periodically re-installing the OS when it gets too borked. This is because they have BBC Microbits and a Raspberry Pi Zero each and I'd love them to be able to hack around with them without having to run to me every 30 secs for an admin pass.

On another hand, I feel very slight locking down by refusing them an admin account should be sufficient to keep them out of trouble whilst still allowing enough freedom to explore and try stuff within reason.

The last option is to completely screw the thing down to the floorboards with local policy and not allow anything to run except Edge and MS Office, with Edge only able to access a small white-list of sites.

This last option I do not feel will help their development or assist them in setting themselves boundaries. They may even just stop using them entirely, as what's the point.. they can't do anything on it. Besides.. their mum has already given them cheap Android phones that they can pretty much do what they like on.

Suggestions?

SystemParanoia

Original Poster:

14,343 posts

199 months

Thursday 21st September 2017
They're both 11

I've looked into Microsoft 'family' but I'd rather not rely on that.

Until now, they will have only ever used Linux at home.. they have had BunsenLabs Linux on a USB for the past couple of years to use wherever they want and overall seem pretty responsible.

I just want to keep them away from social media and porn for as long as possible hehe

Supervision is a problem... mum won't supervise, and I only see the kids for a few days every week. So assume absolutely no supervision, and unlimited access to broadband!

If I add group policy to their machines, and prevent them being able to clear their internet history.. will that also prevent them from removing it from other browsers, or only Edge?


ETA:

On the USB Linux dongles they have, I have them set up to VPN back to my home server and run all traffic via my Squid proxy invisibly in the background. (They also run autossh to create a reverse SSH bridge that I can dial into at any time to get a live feed from the desktop.)

Can Windows do this without leaving a visual clue in the taskbar?

Edited by SystemParanoia on Thursday 21st September 10:01


Edit:

I suppose I could just monitor them via OpenDNS and keep it simple, but that's pretty easy to circumvent, and they could even bypass it accidentally when messing with network settings for whatever reason.

Edited by SystemParanoia on Thursday 21st September 10:06

SystemParanoia

Original Poster:

14,343 posts

199 months

Thursday 21st September 2017
Helpful suggestion of course.

You couldn't have known, but these convertibles don't have a sticker with a key on them at all, so I assumed that I'd need to do this.

SystemParanoia

Original Poster:

14,343 posts

199 months

Thursday 21st September 2017
Creating a system image doesn't half take a while. It seems to max out at about 6MB/sec backing itself up across the LAN.

Still got to extract the reg keys and test the backups yet.
Luckily I don't need them for 2 months!

SystemParanoia

Original Poster:

14,343 posts

199 months

Thursday 21st September 2017
Probably,

One has successfully created a system image of itself... the other has failed 4 times claiming the network location is unreadable rolleyes
It then cannot restart the backup as the files are 'in use' and you can't delete the failed backup for the same reason.

On the 4th attempt I even changed the destination folder to chmod 777 permissions.

Each time I could only remove the failed backup from my server with a root rm -rf *


So it seems the built in backup system is dogst laugh what a surprise!

I'll grab a Win10 ISO and use that instead.

SystemParanoia

Original Poster:

14,343 posts

199 months

Thursday 21st September 2017
Tried the PowerShell trick to get the key:

(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey

but that didn't work, so being wary of introducing virii ( viruses? ) to my network I had a quick read around for a reputable prod key extractor..
Ended up using Produkey ... it worked flawlessly, and I'm currently reinstalling W10 on both devices to get away from all the Lenovo bloatware crap.

I'll use the Produkey to extract the key from the W10 install that came with my main laptop before I cloned the drive and nuked it for Arch Linux before I even booted it up the first time.

Should be useful in one of my VMs.

SystemParanoia

Original Poster:

14,343 posts

199 months

Thursday 21st September 2017
wormus said:
They will access illegal content no matter what you do so best to educate rather than restrict them in my opinion. Anyway, what's wrong with wking?
Whilst this is true.. I want there to be at least some hurdles for them to overcome...

I got my xxx content like this..

I'll be damned if they'll have it easier than me hehe

I use dnsmasq on my LAN, so forcing Google to safe search has now been done, although I've modified it to whitelist my MAC addresses ( if they spot that gap and take advantage, then they deserve to fill their boots to be fair. )

I still need to bake in the OpenDNS on their systems for when they're off my network though.

Looks to be easy enough to change it on their phones.. although I'll have to keep an eye on any new networks they add as I'll need to change it for each one individually.

https://support.opendns.com/hc/en-us/articles/2280...

Edited by SystemParanoia on Thursday 21st September 22:12
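
Added example, not part of the original post and not the poster's actual configuration: one way to express "force Google to SafeSearch in dnsmasq, but exempt certain MAC addresses". The file name, MAC addresses and exempt resolver address are placeholders; the SafeSearch address is an assumption to confirm by resolving forcesafesearch.google.com before use.

```conf
# /etc/dnsmasq.d/safesearch.conf   (file name is an assumption)

# Answer Google lookups with the address of forcesafesearch.google.com.
# 216.239.38.120 is assumed here; confirm it with a lookup of
# forcesafesearch.google.com before deploying.
# One line is needed per Google domain used on the LAN.
address=/www.google.com/216.239.38.120
address=/www.google.co.uk/216.239.38.120

# Exempt machines, identified by MAC address (placeholder values).
# dnsmasq cannot vary DNS answers per client, so the exemption is done
# at DHCP time: these hosts receive the tag "trusted".
dhcp-host=02:00:00:00:00:01,set:trusted
dhcp-host=02:00:00:00:00:02,set:trusted

# Tagged hosts are handed an unfiltered resolver directly, so their
# queries never reach the address= overrides above.
# 192.0.2.53 is a documentation-range placeholder.
dhcp-option=tag:trusted,option:dns-server,192.0.2.53

# All other hosts are told to use dnsmasq itself (0.0.0.0 means
# "the address of the machine running dnsmasq").
dhcp-option=tag:!trusted,option:dns-server,0.0.0.0

# Caveats:
#  - The exemption is keyed on a client-supplied MAC address, which is
#    the gap the post refers to.
#  - Enforcement applies only to clients that take their DNS settings
#    from this DHCP server; a statically configured resolver skips it,
#    unless outbound port 53 is also restricted at the router.
```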

SystemParanoia

Original Poster:

14,343 posts

199 months

Friday 22nd September 2017
Everything I read about the Miix 310, and all convertibles of this type, says Linux is a no-go without some pain ( touch screen not working or non rotatable or both, and no wifi or bluetooth ), similar to the issues of Linux on a laptop in the 90's and early 00's... such a chore finding the correct Atheros wifi driver that would not only work, but allow switching to promiscuous mode for packet injection hehe

Unfortunately, I wouldn't know the first thing about writing device drivers from scratch!

But I will stick VirtualBox on there with Raspbian OS, or just install bash-on-ubuntu-on-windows-subsystem.

I love Linux, I've run it on every computer I've owned since high school, including my phone(s)... the fact that Windows costs so much for a legitimate copy helped with that decision.

Edited by SystemParanoia on Friday 22 September 08:52

SystemParanoia

Original Poster:

14,343 posts

199 months

Friday 22nd September 2017
I'll have to manage policy on each machine individually if I do go this route, as I will not be forking out for 2 copies of Win10 Pro/Ultimate/Enterprise, as the Home version the computers came with is unable to join a domain.

SystemParanoia

Original Poster:

14,343 posts

199 months

Friday 22nd September 2017
essayer said:
What do you do when they just reinstall a hacked copy of Win10 off a friend?
I'd be quietly proud of them for circumventing my efforts.

( if I end up experiencing what tankplanker went through I'd be pretty excited at the prospect of commencing @sysop vs blackhat warfare on my own LAN against the kids hehe )

... still tell em off though smile


As I've said, I don't want to lock everything down so tight that they can't do anything.
But I want to at least protect them from themselves for a while now that they're in secondary school and open to a lot more influence than ever before.

Edited by SystemParanoia on Friday 22 September 09:54

SystemParanoia

Original Poster:

14,343 posts

199 months

Friday 22nd September 2017
tankplanker said:
You can use LGPO via a login activated batch file to import the GPO on a workgroup PC: https://blogs.technet.microsoft.com/secguide/2016/...
coffee

SystemParanoia

Original Poster:

14,343 posts

199 months

Friday 29th September 2017
I've pulled the trigger and run
 rm -rf / 
on my home server; it's now running a full M$ stack ( thanks to DreamSpark ) with Hyper-V on the bottom and many copies of Server 2016 on top.

I've got my domain up and running, and I'm currently experimenting with domain users and groups.

I've decided to put W10 Education Edition onto the kids' computers.
Things are going surprisingly smoothly so far. smile

SystemParanoia

Original Poster:

14,343 posts

199 months

Sunday 1st October 2017
I'll give it a try at some point before I hand it over to them smile
I've needed an excuse to become a Windows household, and MCSE training seems like a good one.

( Hyper-V has already annoyed me, as the USB passthrough function I use to give my USB printer to the relevant VM with Proxmox, ESXi, VMware is non-existent )