
classroom/kiosk type security

Anonymous
February 19, 2005 8:51:15 AM

Archived from groups: microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.security_admin

hi all.

I'm looking into securing xp workstations in a classroom lab that are being
shared by the students (AD domain users). Especially that I found out they
can install Gaim/chat applications, as well as being able to freely create
folders under the c:\ drive.

On one machine, i'm experimenting by removing "everyone" access to the c:\
drive, also removed the local "Users" group, this is so that no students who
login can create a folder under the C:\ drive, and force them to save files
and create folders only under their own profile.

--- isn't this a good idea? or isn't what I just did more or less a standard
approach to prevent login users to pile up their own personal files under
the c:\ drive?

Or is there like a group policy template that you can apply so that the
machine can quickly be configured as a public kiosk?

Any ideas I appreciate, thanks!

joe
Anonymous
February 19, 2005 8:51:16 AM

Archived from groups: microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.security_admin

I would use a kiosk software and push out INI files as needed using AD/WSH.

There's a lot to modify and registry entries, the kiosk software is pretty
much point, click, and go. Modifications are fairly easy and updates can be
pushed via AD/GPOs.

Here's a good kiosk s/w I've used to secure a manufacturing facility from
day laborers:
http://www.softheap.com/newadmin.html

"joe haydn" wrote:

> hi all.
>
> I'm looking into securing xp workstations in a classroom lab that are being
> shared by the students (AD domain users). Especially that I found out they
> can install Gaim/chat applications, as well as being able to freely create
> folders under the c:\ drive.
>
> On one machine, i'm experimenting by removing "everyone" access to the c:\
> drive, also removed the local "Users" group, this is so that no students who
> login can create a folder under the C:\ drive, and force them to save files
> and create folders only under their own profile.
>
> --- isn't this a good idea? or isn't what I just did more or less a standard
> approach to prevent login users to pile up their own personal files under
> the c:\ drive?
>
> Or is there like a group policy template that you can apply so that the
> machine can quickly be configured as a public kiosk?
>
> Any ideas I appreciate, thanks!
>
> joe
Anonymous
February 21, 2005 2:02:49 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Hi Joe,

Thanks for posting!

My understanding on the issue is: you want to prevent domain users from
installing software and creating folders in drive C. If I have
misunderstood your concerns, please feel free to let me know.

By default, a standard domain user will be a member of Local User on the
domain machine. You may prevent domain users from installing software and
creating folders and files. I would like to provide you the following
method for your reference:

Right-click C: -> click Properties item -> click Security tab -> click Users
-> click Advanced button -> click Permissions -> remove

Name    Permission
Users   Create files/Write data
Users   Create folders/Append data

Note: Do not remove local "Users" group.

Please note that the partner managed newsgroups provide assistance to
resolve break/fix issues. We also recommend Microsoft Advisory Services, a
remotely-delivered, consultative support option that adds the element of
proactive support, providing a comprehensive result beyond your break-fix
product maintenance needs. More information on this service here:
http://support.microsoft.com/gp/advisoryservice

Thanks & Regards,

Jason Tan
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
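
A read-only check for the result of the permission change described in the reply above, as an added example that is not part of the original thread: it reports whether Users or Everyone can still create files or folders at the volume root, and whether Users kept read access (the reply's note not to remove the group). It assumes Windows PowerShell is available on the workstation; the `$Path` parameter and variable names are illustrative.

```powershell
# Added example (not from the thread): read-only audit of a volume root ACL.
param([string]$Path = 'C:\')   # illustrative parameter; defaults to the drive discussed

$fsr = [System.Security.AccessControl.FileSystemRights]
# "Create files / Write data"    -> CreateFiles (same bit as WriteData)
# "Create folders / Append data" -> AppendData  (same bit as CreateDirectories)
$createBits = [int]($fsr::CreateFiles) -bor [int]($fsr::AppendData)
$readBits   = [int]($fsr::ReadAndExecute)

# Well-known SIDs, so the check does not depend on localized group names.
$sidUsers    = 'S-1-5-32-545'   # BUILTIN\Users
$sidEveryone = 'S-1-1-0'        # Everyone

$acl   = Get-Acl -Path $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
# Only Allow ACEs with specific rights are evaluated; Deny ACEs and ACEs that
# carry generic rights (GENERIC_ALL etc.) are not expanded by this check.
$allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })

# ACEs that still let students create files or folders.
$canCreate = @($allow | Where-Object {
    ($sidUsers, $sidEveryone) -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights -band $createBits) -ne 0)
})

# Users should keep read/execute; removing the group outright takes this away.
$usersCanRead = @($allow | Where-Object {
    $_.IdentityReference.Value -eq $sidUsers -and
    (([int]$_.FileSystemRights -band $readBits) -eq $readBits)
}).Count -gt 0

foreach ($ace in $canCreate) {
    # InheritanceFlags/PropagationFlags show whether the ACE covers the root, its children, or both.
    '{0}  rights={1}  inherit={2}  propagate={3}' -f $ace.IdentityReference.Value,
        $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags
}
if ($canCreate.Count -eq 0) { "OK: Users/Everyone cannot create files or folders in $Path" }
else { "FINDING: $($canCreate.Count) ACE(s) still grant create rights in $Path" }
if (-not $usersCanRead) { "FINDING: Users has no read/execute ACE on $Path (group removed?)" }
```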
Anonymous
February 21, 2005 2:07:15 PM

Archived from groups: microsoft.public.windowsxp.configuration_manage

Hi Joe,

Thanks for posting!

I notice that you have posted the same question 27574998 in our
microsoft.public.windowsxp.security_admin newsgroup, to which I have
already responded. I will follow up your issue on that thread.

For your convenience, I have included my reply as follows:
==================================================================
Hi Joe,

Thanks for posting!

My understanding on the issue is: you want to prevent domain users from
installing software and creating folders in drive C. If I have
misunderstood your concerns, please feel free to let me know.

By default, a standard domain user will be a member of Local User on the
domain machine. You may prevent domain users from installing software and
creating folders and files. I would like to provide you the following
method for your reference:

Right-click C: -> click Properties item -> click Security tab -> click Users
-> click Advanced button -> click Permissions -> remove

Name    Permission
Users   Create files/Write data
Users   Create folders/Append data

Note: Do not remove local "Users" group.

Please note that the partner managed newsgroups provide assistance to
resolve break/fix issues. We also recommend Microsoft Advisory Services, a
remotely-delivered, consultative support option that adds the element of
proactive support, providing a comprehensive result beyond your break-fix
product maintenance needs. More information on this service here:
http://support.microsoft.com/gp/advisoryservice

Thanks & Regards,

Jason Tan
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.