Desktop Environments: Shell Policy vs. Shell Replacement & Process Restriction


Windows Administrators are well aware of the security holes that are inherent within the Explorer Shell. These issues are compounded when the desktop resides on a Terminal or Citrix Server, because multiple users are working on a single server. Administrators often turn to shell policies to modify the way that the Explorer Shell and its components behave. This is somewhat effective in limiting what the user can do within the Explorer Shell, but it does not prevent other applications from modifying the same settings that are restricted through Explorer. Let’s face it, shell policy is a far cry from actual security.

Administrators are faced with the task of creating numerous policies, implementing scripts and locking down both the registry and file system through permissions. triCerat software offers two easy solutions that work hand-in-hand to both secure the desktop environment and block users from running applications that are not allowed. The first is Simplify Desktop, an Explorer Shell replacement. The basic concept is that users see only the applications and shortcuts that the Administrator wants them to see. Simplify Desktop eliminates the Explorer Shell altogether, which in turn eliminates the need for shell policies.

By itself this would prevent most users from accessing files and applications that the Administrator has deemed unnecessary or unsafe. But why lock the front door only to leave the side door open? Enter Simplify Lockdown. Simplify Lockdown is a process restriction technology that allows Administrators to dictate the processes that users are able to execute. Child process restriction can be enabled on a per-application basis to prevent a user from launching an unnecessary or unwanted child process through the parent application. Both products integrate with Active Directory to enable Administrators to be as granular with their user settings as necessary. Shell settings and application assignments can be made at any level within the AD structure (Domain, OU, Group, User, etc.).

The Explorer Shell is inherently insecure. By default users can see pretty much anything that they want to see. Shell policies only modify the user interface, so users who have a little bit of know-how can still reach files and applications through other applications. Doing away with the Explorer Shell and implementing a process restriction technology is the quickest, easiest and most secure method to address the issue of desktop security.

Justin Whyte 
Technical Support 
triCerat, Inc.