RE: Question: How To Secure a Public Access Workstation

From: Eric Devine (devineeric@yahoo.com)
Date: 04/25/02


Date: Thu, 25 Apr 2002 08:21:04 -0700 (PDT)
From: Eric Devine <devineeric@yahoo.com>
To: focus-ms@securityfocus.com

You could look into hard drive protection equipment. The local college is using a product called (I think) Data Centurion; it is pretty nifty. It attaches directly to the IDE cable and is key locked. It halves the hard drive space and uses one half as an image file and the other half as the OS drive; every time you reboot it starts off with a fresh image from the protected side. This seems to work fairly well at the college: I formatted the drive and installed Linux, and on the reboot it was W2K again. That would protect against the basic keylogger software and things like Sub7 or Back Orifice. As for the floppy... who needs one? Bootable CDs are easy to make; just don't install (or remove after it is all set up) the floppy disk, and password protect the BIOS. Just some ideas, I am kind of new at this, I have been lurking for a few months though.

<---Begin Previous Message
They made it easy by using FAT. With NTFS, you would have had to pull in other tools to pull this off. You have a good point, but I would definitely use NTFS so you can ACL the filesystem while running.

Also, can you actually secure this computer so the floppy drive is not accessible/nonexistent, and that they cannot reset the BIOS by pulling the battery? Really there are a lot of things that could be done with physical access to the box... like adding hardware keyloggers?

-----Original Message-----
From: Joseph Brown [mailto:emailjoebrown@yahoo.com]
Sent: Wednesday, April 24, 2002 9:50 AM
To: Borkin, Mike; 'Information Security'; focus-ms@securityfocus.com
Subject: RE: Question: How To Secure a Public Access Workstation

Also important is BIOS protection. Password protect and boot from HDD. During a pen-test I inserted a 98 boot disk, rebooted a kiosk box into DOS, copied the sam._, and the admin had the same password on the Domain. BAD....

--- "Borkin, Mike" <mike.borkin@eds.com> wrote:
> I had to totally lock down an NT workstation to only hit a single corporate intranet website last year, so hopefully these references and my thought process will help. I started the planning by deciding to have the machine do an automatic logon and change the startup shell to IE in Kiosk mode rather than Windows Explorer. In addition, the logon username/password that I used only had user rights to the local machine (although you might want to utilize a special domain account with rights limited to your apps). I did a bunch of reg hacks to limit access to the local machine, and after that it was just a question of trying to stop anyone from breaking out of the shell utilizing key combinations, such as the choices at CTRL-ALT-DEL and the Windows key. Hopefully, this will help with your project.
>
> Mike
>
> Microsoft Knowledge Base Articles -
>
> q97597 - How to Enable Automatic Logon in Windows NT 3.x and 4.0
> q143164 - INF: How to Protect Windows NT Desktops in Public Areas
> q154780 - How to Use Kiosk Mode in Microsoft Internet Explorer
> q179221 - How to Limit User Access to Local Computer or Hard Disks with Internet Explorer 4.01
> q216893 - How to Disable the Keyboard Windows Key
>
> Web Articles
>
> http://is-it-true.org/nt/registry/rtips3.html - Registry Tip #3: Disable Windows NT Ctrl-Alt-Del dialog button
>
>
> -----Original Message-----
> From: Information Security [mailto:InformationSecurity@federatedinv.com]
> Sent: Monday, April 22, 2002 11:32 AM
> To: focus-ms@securityfocus.com
> Subject: Question: How To Secure a Public Access Workstation
>
>
> Can anyone point me to reference materials on how to secure Windows NT / 2000 / XP Pro workstations for use at a publicly accessible location?
>
> I'm looking for ideas on how to secure normal corporate workstations that need limited access to a few corporate apps, but are on the fringe of our physical perimeter. Places like receptionist areas, attended customer service booths, etc.
>
> I've found a few references to get started with; the best one seems to be at: http://www.psynch.com/docs/instguide/node121.html. However, this article from Microsoft http://www.microsoft.com/office/ork/2000/journ/KioskMode.htm points to one of many other details that should be considered. I'm hoping someone has compiled a list of suggestions, and any additional help or experiences would be appreciated.
>
> Thanks.
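The lockdown Mike describes above (automatic logon as a low-rights account, IE in Kiosk mode as the startup shell, the CTRL-ALT-DEL choices and the Windows key disabled) as a read-only PowerShell audit. This is an added example, not part of the thread and not code from any of the KB articles. It reads the registry locations those articles document (Winlogon, the Explorer and System policy keys, the Scancode Map from q216893) and reports which settings are missing; what it treats as "locked down" is an assumption drawn from the thread, and it assumes a current Windows build with PowerShell 5.1 so that Get-LocalGroupMember is available. It changes nothing on the box.

```powershell
<#
  Added example: audit the kiosk lockdown settings discussed in the thread.
  Registry paths are the documented ones; the expected values are this
  script's assumption based on the thread. Read-only.
#>

$Winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SystemPol   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ExplorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$KbdLayout   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'

# Return a registry value, or $null if the key or value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Parse a Scancode Map blob: 8-byte zero header, 4-byte entry count, then
# 4-byte entries [new lo, new hi, orig lo, orig hi], terminated by an all-zero
# entry. Returns the original scancodes that are mapped to 0 (i.e. disabled).
function Get-DisabledScancodes {
    param([byte[]]$Map)
    $disabled = @()
    if ($null -eq $Map -or $Map.Length -lt 16) { return $disabled }
    for ($i = 12; $i + 3 -lt $Map.Length; $i += 4) {
        $new  = $Map[$i]   -bor ($Map[$i + 1] -shl 8)
        $orig = $Map[$i + 2] -bor ($Map[$i + 3] -shl 8)
        if ($orig -eq 0) { break }             # terminator entry
        if ($new -eq 0)  { $disabled += $orig }
    }
    return $disabled
}

function Test-KioskLockdown {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Automatic logon (q97597) must be on, and the account must not be a local admin.
    if ((Get-RegValue $Winlogon 'AutoAdminLogon') -ne '1') { $findings.Add('AutoAdminLogon is not enabled') }
    $user = Get-RegValue $Winlogon 'DefaultUserName'
    if ($user) {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.Name.Split('\')[-1] }
        if ($admins -contains $user) { $findings.Add("Autologon account '$user' is in local Administrators") }
    }
    # The q97597 method stores DefaultPassword in clear text; record that it is present
    # so the physical-access points raised in the thread (floppy, BIOS) are not forgotten.
    if (Get-RegValue $Winlogon 'DefaultPassword') { $findings.Add('DefaultPassword is stored in clear text under Winlogon') }

    # 2. Startup shell is IE in Kiosk mode (q154780) rather than Explorer.
    $shell = Get-RegValue $Winlogon 'Shell'
    if (-not ($shell -match '(?i)iexplore\.exe.*\s-k\b')) { $findings.Add("Shell is '$shell'; expected iexplore.exe -k <url>") }

    # 3. CTRL-ALT-DEL choices: Task Manager, Change Password, Lock Workstation.
    foreach ($n in 'DisableTaskMgr', 'DisableChangePassword', 'DisableLockWorkstation') {
        if ((Get-RegValue $SystemPol $n) -ne 1) { $findings.Add("Policies\System\$n is not 1") }
    }
    # Explorer policies: no Run box, no Shut Down / Log Off entry points, drive letters hidden (q179221).
    foreach ($n in 'NoRun', 'NoClose', 'NoLogoff') {
        if ((Get-RegValue $ExplorerPol $n) -ne 1) { $findings.Add("Policies\Explorer\$n is not 1") }
    }
    if (-not (Get-RegValue $ExplorerPol 'NoDrives')) { $findings.Add('Policies\Explorer\NoDrives is unset (drive letters visible)') }

    # 4. Windows key: either the q216893 Scancode Map (E0 5B / E0 5C mapped to nothing) or the NoWinKeys policy.
    $disabled = Get-DisabledScancodes (Get-RegValue $KbdLayout 'Scancode Map')
    $winKeysMapped = ($disabled -contains 0xE05B) -and ($disabled -contains 0xE05C)
    if (-not $winKeysMapped -and (Get-RegValue $ExplorerPol 'NoWinKeys') -ne 1) {
        $findings.Add('Windows key still active (no Scancode Map entry and NoWinKeys not set)')
    }
    return $findings
}

$result = Test-KioskLockdown
if ($result.Count -eq 0) { 'Kiosk lockdown settings present.' } else { $result | ForEach-Object { "MISSING: $_" } }
```

Run it in the kiosk account's own session, since the policy values live under HKCU and apply per user; the HKLM reads need no elevation. The DefaultPassword line is not something to "fix" in the registry: it is the reason the rest of the thread (no floppy, BIOS password, drive image reset) matters, because anyone who can boot the box from their own media can read that value along with the SAM.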
