Sign in with
Sign up | Sign in
Your question

securing files in a public PC

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
January 21, 2005 12:16:11 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I'm installing a Win2k computer with a kiosk software in my restaurant and I
want to allow only printing. The kiosk handles IE pretty well security wise
but when opening Word docs from the browser I leave my Windows files wide
open for deletion. I also do not want to allow saving to the hard drive. I
looked into securing the computer using security permissions but got in way
over my head. I investigated software that 'hides' files and folders but
none panned out as effective because they mainly focus on hiding things like
the My Documents folder which to me is the least of my concerns. I know all
the registry hacks to hide desktop items, Control panel, etc...
Does anyone have a solution that is reasonably simple?

thanks

More about : securing files public

Anonymous
a b 8 Security
January 21, 2005 12:16:12 PM

Archived from groups: microsoft.public.win2000.security (More info?)

IMO there is no (well, sometimes one) reasonably simple solution.
Since to function for login an account must have write access in
some places, it is not possible to simply deny NTFS write across
the board.

One can remove the many ways the OS provides to be able
to get at a command prompt or open access to the filesystem.
But one also needs to make sure that one cannot escape out
from the applications that are allowed to run and get to a
cmd prompt (or any of a number of other applications).

XP provides the best default NTFS and registry permissions
of any MS OS to date in terms of helping toward your objective.
If you are using W2k then you have more work to do.

With XP one can look at using Software Restriction Policy
to control what can execute. However, if you are in a non-domain
environment then this will have to be defined repetitiously on each
machine. Also, in XP and prior, one can set NTFS permissions on
applications so that the public use account has not been granted
execute permission on (a long list of) applications.

Now, that said, one can also explore replacing the default user
shell (Explorer) with the one application that the account is
supposed to be able to run. This may or may not work, and if
it does this may or may not be what one needs.

MS has provided some guidance and security templates for
typical desktop scenarios, including one for a kiosk environment.
It does however only go so far down the road.

In short, SAFER (Software Restriction Policy) may be your
best bet after you have stripped the user interface down.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jell" <jell@a.com> wrote in message news:vL3Id.10526$Vx2.4137@trndny01...
> I'm installing a Win2k computer with a kiosk software in my restaurant and
I
> want to allow only printing. The kiosk handles IE pretty well security
wise
> but when opening Word docs from the browser I leave my Windows files wide
> open for deletion. I also do not want to allow saving to the hard drive. I
> looked into securing the computer using security permissions but got in
way
> over my head. I investigated software that 'hides' files and folders but
> none panned out as effective because they mainly focus on hiding things
like
> the My Documents folder which to me is the least of my concerns. I know
all
> the registry hacks to hide desktop items, Control panel, etc...
> Does anyone have a solution that is reasonably simple?
>
> thanks
>
>
Anonymous
a b 8 Security
January 21, 2005 12:16:13 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hold that thought. There will be some forthcoming information in the very
near future that will address this exact scenario with very prescriptive
guidance, some tools, and excellent demonstrations.

More info later.



"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%237j9zy5$EHA.2876@TK2MSFTNGP12.phx.gbl...
> IMO there is no (well, sometimes one) reasonably simple solution.
> Since to function for login an account must have write access in
> some places, it is not possible to simply deny NTFS write across
> the board.
>
> One can remove the many ways the OS provides to be able
> to get at a command prompt or open access to the filesystem.
> But one also needs to make sure that one cannot escape out
> from the applications that are allowed to run and get to a
> cmd prompt (or any of a number of other applications).
>
> XP provides the best default NTFS and registry permissions
> of any MS OS to date in terms of helping toward your objective.
> If you are using W2k then you have more work to do.
>
> With XP one can look at using Software Restriction Policy
> to control what can execute. However, if you are in a non-domain
> environment then this will have to be defined repetitiously on each
> machine. Also, in XP and prior, one can set NTFS permissions on
> applications so that the public use account has not been granted
> execute permission on (a long list of) applications.
>
> Now, that said, one can also explore replacing the default user
> shell (Explorer) with the one application that the account is
> supposed to be able to run. This may or may not work, and if
> it does this may or may not be what one needs.
>
> MS has provided some guidance and security templates for
> typical desktop scenarios, including one for a kiosk environment.
> It does however only go so far down the road.
>
> In short, SAFER (Software Restriction Policy) may be your
> best bet after you have stripped the user interface down.
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Jell" <jell@a.com> wrote in message news:vL3Id.10526$Vx2.4137@trndny01...
>> I'm installing a Win2k computer with a kiosk software in my restaurant
>> and
> I
>> want to allow only printing. The kiosk handles IE pretty well security
> wise
>> but when opening Word docs from the browser I leave my Windows files wide
>> open for deletion. I also do not want to allow saving to the hard drive.
>> I
>> looked into securing the computer using security permissions but got in
> way
>> over my head. I investigated software that 'hides' files and folders but
>> none panned out as effective because they mainly focus on hiding things
> like
>> the My Documents folder which to me is the least of my concerns. I know
> all
>> the registry hacks to hide desktop items, Control panel, etc...
>> Does anyone have a solution that is reasonably simple?
>>
>> thanks
>>
>>
>
>
Anonymous
a b 8 Security
January 21, 2005 2:47:33 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Great (and finally.) !!

--
Roger
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:eqxCou9$EHA.612@TK2MSFTNGP09.phx.gbl...
> Hold that thought. There will be some forthcoming information in the very
> near future that will address this exact scenario with very prescriptive
> guidance, some tools, and excellent demonstrations.
>
> More info later.
>
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%237j9zy5$EHA.2876@TK2MSFTNGP12.phx.gbl...
> > IMO there is no (well, sometimes one) reasonably simple solution.
> > Since to function for login an account must have write access in
> > some places, it is not possible to simply deny NTFS write across
> > the board.
> >
> > One can remove the many ways the OS provides to be able
> > to get at a command prompt or open access to the filesystem.
> > But one also needs to make sure that one cannot escape out
> > from the applications that are allowed to run and get to a
> > cmd prompt (or any of a number of other applications).
> >
> > XP provides the best default NTFS and registry permissions
> > of any MS OS to date in terms of helping toward your objective.
> > If you are using W2k then you have more work to do.
> >
> > With XP one can look at using Software Restriction Policy
> > to control what can execute. However, if you are in a non-domain
> > environment then this will have to be defined repetitiously on each
> > machine. Also, in XP and prior, one can set NTFS permissions on
> > applications so that the public use account has not been granted
> > execute permission on (a long list of) applications.
> >
> > Now, that said, one can also explore replacing the default user
> > shell (Explorer) with the one application that the account is
> > supposed to be able to run. This may or may not work, and if
> > it does this may or may not be what one needs.
> >
> > MS has provided some guidance and security templates for
> > typical desktop scenarios, including one for a kiosk environment.
> > It does however only go so far down the road.
> >
> > In short, SAFER (Software Restriction Policy) may be your
> > best bet after you have stripped the user interface down.
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Jell" <jell@a.com> wrote in message
news:vL3Id.10526$Vx2.4137@trndny01...
> >> I'm installing a Win2k computer with a kiosk software in my restaurant
> >> and
> > I
> >> want to allow only printing. The kiosk handles IE pretty well security
> > wise
> >> but when opening Word docs from the browser I leave my Windows files
wide
> >> open for deletion. I also do not want to allow saving to the hard
drive.
> >> I
> >> looked into securing the computer using security permissions but got in
> > way
> >> over my head. I investigated software that 'hides' files and folders
but
> >> none panned out as effective because they mainly focus on hiding things
> > like
> >> the My Documents folder which to me is the least of my concerns. I know
> > all
> >> the registry hacks to hide desktop items, Control panel, etc...
> >> Does anyone have a solution that is reasonably simple?
> >>
> >> thanks
> >>
> >>
> >
> >
>
>
!