securing files in a public PC

Archived from groups: microsoft.public.win2000.security (More info?)

I'm installing a Win2k computer with a kiosk software in my restaurant and I
want to allow only printing. The kiosk handles IE pretty well security wise
but when opening Word docs from the browser I leave my Windows files wide
open for deletion. I also do not want to allow saving to the hard drive. I
looked into securing the computer using security permissions but got in way
over my head. I investigated software that 'hides' files and folders but
none panned out as effective because they mainly focus on hiding things like
the My Documents folder which to me is the least of my concerns. I know all
the registry hacks to hide desktop items, Control panel, etc...
Does anyone have a solution that is reasonably simple?

thanks
3 answers Last reply
More about securing files public
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    IMO there is no (well, sometimes one) reasonably simple solution.
    Since to function for login an account must have write access in
    some places, it is not possible to simply deny NTFS write across
    the board.

    One can remove the many ways the OS provides to be able
    to get at a command prompt or open access to the filesystem.
    But one also needs to make sure that one cannot escape out
    from the applications that are allowed to run and get to a
    cmd prompt (or any of a number of other applications).

    XP provides the best default NTFS and registry permissions
    of any MS OS to date in terms of helping toward your objective.
    If you are using W2k then you have more work to do.

    With XP one can look at using Software Restriction Policy
    to control what can execute. However, if you are in a non-domain
    environment then this will have to be defined repetitiously on each
    machine. Also, in XP and prior, one can set NTFS permissions on
    applications so that the public use account has not been granted
    execute permission on (a long list of) applications.

    Now, that said, one can also explore replacing the default user
    shell (Explorer) with the one application that the account is
    supposed to be able to run. This may or may not work, and if
    it does this may or may not be what one needs.

    MS has provided some guidance and security templates for
    typical desktop scenarios, including one for a kiosk environment.
    It does however only go so far down the road.

    In short, SAFER (Software Restriction Policy) may be your
    best bet after you have stripped the user interface down.
    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Jell" <jell@a.com> wrote in message news:vL3Id.10526$Vx2.4137@trndny01...
    > I'm installing a Win2k computer with a kiosk software in my restaurant and
    I
    > want to allow only printing. The kiosk handles IE pretty well security
    wise
    > but when opening Word docs from the browser I leave my Windows files wide
    > open for deletion. I also do not want to allow saving to the hard drive. I
    > looked into securing the computer using security permissions but got in
    way
    > over my head. I investigated software that 'hides' files and folders but
    > none panned out as effective because they mainly focus on hiding things
    like
    > the My Documents folder which to me is the least of my concerns. I know
    all
    > the registry hacks to hide desktop items, Control panel, etc...
    > Does anyone have a solution that is reasonably simple?
    >
    > thanks
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Hold that thought. There will be some forthcoming information in the very
    near future that will address this exact scenario with very prescriptive
    guidance, some tools, and excellent demonstrations.

    More info later.


    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:%237j9zy5$EHA.2876@TK2MSFTNGP12.phx.gbl...
    > IMO there is no (well, sometimes one) reasonably simple solution.
    > Since to function for login an account must have write access in
    > some places, it is not possible to simply deny NTFS write across
    > the board.
    >
    > One can remove the many ways the OS provides to be able
    > to get at a command prompt or open access to the filesystem.
    > But one also needs to make sure that one cannot escape out
    > from the applications that are allowed to run and get to a
    > cmd prompt (or any of a number of other applications).
    >
    > XP provides the best default NTFS and registry permissions
    > of any MS OS to date in terms of helping toward your objective.
    > If you are using W2k then you have more work to do.
    >
    > With XP one can look at using Software Restriction Policy
    > to control what can execute. However, if you are in a non-domain
    > environment then this will have to be defined repetitiously on each
    > machine. Also, in XP and prior, one can set NTFS permissions on
    > applications so that the public use account has not been granted
    > execute permission on (a long list of) applications.
    >
    > Now, that said, one can also explore replacing the default user
    > shell (Explorer) with the one application that the account is
    > supposed to be able to run. This may or may not work, and if
    > it does this may or may not be what one needs.
    >
    > MS has provided some guidance and security templates for
    > typical desktop scenarios, including one for a kiosk environment.
    > It does however only go so far down the road.
    >
    > In short, SAFER (Software Restriction Policy) may be your
    > best bet after you have stripped the user interface down.
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "Jell" <jell@a.com> wrote in message news:vL3Id.10526$Vx2.4137@trndny01...
    >> I'm installing a Win2k computer with a kiosk software in my restaurant
    >> and
    > I
    >> want to allow only printing. The kiosk handles IE pretty well security
    > wise
    >> but when opening Word docs from the browser I leave my Windows files wide
    >> open for deletion. I also do not want to allow saving to the hard drive.
    >> I
    >> looked into securing the computer using security permissions but got in
    > way
    >> over my head. I investigated software that 'hides' files and folders but
    >> none panned out as effective because they mainly focus on hiding things
    > like
    >> the My Documents folder which to me is the least of my concerns. I know
    > all
    >> the registry hacks to hide desktop items, Control panel, etc...
    >> Does anyone have a solution that is reasonably simple?
    >>
    >> thanks
    >>
    >>
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Great (and finally.) !!

    --
    Roger
    "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
    news:eqxCou9$EHA.612@TK2MSFTNGP09.phx.gbl...
    > Hold that thought. There will be some forthcoming information in the very
    > near future that will address this exact scenario with very prescriptive
    > guidance, some tools, and excellent demonstrations.
    >
    > More info later.
    >
    >
    >
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:%237j9zy5$EHA.2876@TK2MSFTNGP12.phx.gbl...
    > > IMO there is no (well, sometimes one) reasonably simple solution.
    > > Since to function for login an account must have write access in
    > > some places, it is not possible to simply deny NTFS write across
    > > the board.
    > >
    > > One can remove the many ways the OS provides to be able
    > > to get at a command prompt or open access to the filesystem.
    > > But one also needs to make sure that one cannot escape out
    > > from the applications that are allowed to run and get to a
    > > cmd prompt (or any of a number of other applications).
    > >
    > > XP provides the best default NTFS and registry permissions
    > > of any MS OS to date in terms of helping toward your objective.
    > > If you are using W2k then you have more work to do.
    > >
    > > With XP one can look at using Software Restriction Policy
    > > to control what can execute. However, if you are in a non-domain
    > > environment then this will have to be defined repetitiously on each
    > > machine. Also, in XP and prior, one can set NTFS permissions on
    > > applications so that the public use account has not been granted
    > > execute permission on (a long list of) applications.
    > >
    > > Now, that said, one can also explore replacing the default user
    > > shell (Explorer) with the one application that the account is
    > > supposed to be able to run. This may or may not work, and if
    > > it does this may or may not be what one needs.
    > >
    > > MS has provided some guidance and security templates for
    > > typical desktop scenarios, including one for a kiosk environment.
    > > It does however only go so far down the road.
    > >
    > > In short, SAFER (Software Restriction Policy) may be your
    > > best bet after you have stripped the user interface down.
    > > --
    > > Roger Abell
    > > Microsoft MVP (Windows Security)
    > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > "Jell" <jell@a.com> wrote in message
    news:vL3Id.10526$Vx2.4137@trndny01...
    > >> I'm installing a Win2k computer with a kiosk software in my restaurant
    > >> and
    > > I
    > >> want to allow only printing. The kiosk handles IE pretty well security
    > > wise
    > >> but when opening Word docs from the browser I leave my Windows files
    wide
    > >> open for deletion. I also do not want to allow saving to the hard
    drive.
    > >> I
    > >> looked into securing the computer using security permissions but got in
    > > way
    > >> over my head. I investigated software that 'hides' files and folders
    but
    > >> none panned out as effective because they mainly focus on hiding things
    > > like
    > >> the My Documents folder which to me is the least of my concerns. I know
    > > all
    > >> the registry hacks to hide desktop items, Control panel, etc...
    > >> Does anyone have a solution that is reasonably simple?
    > >>
    > >> thanks
    > >>
    > >>
    > >
    > >
    >
    >
Ask a new question

Read More

Security Windows