How can I lock down Ubuntu?

I would start by investigating whether using Ubuntu's standard Guest account would suit your needs regarding preventing users from installing stuff/modifying configs etc. So your machines would have a password-protected admin account to install/configure things and a password-less Guest account for your users.

For restricting Internet access I'd use DansGuardian.


It sounds like you want users to share a single account. You should investigate whether you really want this. There is a large number of reasons why this usually is a very bad idea. One is that you really cannot prevent users from spying on each other, obtaining personal information like passwords to webmail. You can try to prevent that by locking down network access, but then you're setting yourself up as a ghostbuster, forever fighting loopholes.

This kind of setup is common in Windows environments because the software to provide a proper multi-user environment is so expensive. But with Ubuntu, you get everything you need without any associated costs. If I were you, I'd really examine that choice. Trying to lock down a computer system is a very time-consuming task, and very, very difficult. On the other hand, setting up a proper environment where users have their own accounts, and you're able to easily revert any bad decisions, is much easier and will give you a much better result in nearly all cases.


For locking down overall operating system access I would run and configure bastille-linux on the host computer. This will walk you through a series of options and will harden the operating system based on your answers. If you're not familiar with the tool, you can accept the defaults and that should suffice. I would also recommend consulting the CIS Debian Benchmark document that outlines a number of procedures for locking down the operating system even further.