RE: Question: How To Secure a Public Access Workstation

From: Borkin, Mike (mike.borkin@eds.com)
Date: 04/23/02 

From: "Borkin, Mike" <mike.borkin@eds.com>
To: "'Information Security'" <InformationSecurity@federatedinv.com>, focus-ms@securityfocus.com
Date: Tue, 23 Apr 2002 17:55:42 -0400

I had to totally lockdown an NT workstation to only hit a single corporate
intranet website last year and, so hopefully these references and my thought
process will help. I started the planning by deciding to have the machine
do an automatic logon and change the startup shell to IE in Kiosk mode
rather than Windows Explorer. In addition, the logon username/password that
I used only had user rights to the local machine (although you might want
utilize a special domain account with rights limited to your apps). I did a
bunch of reg hacks to limit access to the local machine, and after that it
was just a question of trying to stop anyone from breaking out of the shell
utilizing key combinations, such as the choices at CTRL-ALT-DEL and the
windows key. Hopefully, this will help with your project.

Mike

Microsoft Knowledge Base Articles -

q97597 - How to Enable Automatic Logon in Windows NT 3.x and 4.0
q143164 - INF: How to Protect Windows NT Desktops in Public Areas
q154780 - How to Use Kiosk Mode in Microsoft Internet Explorer
q179221 - How to Limit User Access to Local Computer or Hard Disks with
Internet Explorer 4.01
q216893 - How to Disable the Keyboard Windows Key

Web Articles

http://is-it-true.org/nt/registry/rtips3.html - Registry Tip #3: Disable
Windows NT Ctrl-Alt-Del dialog button

-----Original Message-----
From: Information Security [mailto:InformationSecurity@federatedinv.com]
Sent: Monday, April 22, 2002 11:32 AM
To: focus-ms@securityfocus.com
Subject: Question: How To Secure a Public Access Workstation

Can anyone point me to reference materials on how to secure Windows NT /
2000 / XP Pro workstations for use at a publicly accessible location?

I'm looking for ideas on how to secure normal corporate workstations that
need limited access to a few corporate apps, but are on the fringe of our
physical perimiter. Places like receptionist areas, attended customer
service booths, etc.

I've found a few references to get started with, the best one seems to be
at:
http://www.psynch.com/docs/instguide/node121.html. However, this article
from Microsoft http://www.microsoft.com/office/ork/2000/journ/KioskMode.htm
points to one of many other details that should be considered. I'm hoping
someone has compiled a list of suggestions, and any additional help or
experiences would be appreciated.

Thanks.

Quantcast