I need Ideas on securing a remote Win2k machine
From: Dirk Gently (dirknews@nycap.rr_REMOVE_ME.com)
Date: 01/31/03
From: Dirk Gently <dirknews@nycap.rr_REMOVE_ME.com> Date: Fri, 31 Jan 2003 00:07:45 GMT
Hey folks,
I'm trying to put together a type of secure "Kiosk", where remote
users will be able to run a specific application, and only have access
to that app. I would probably set up that application as their shell,
unless I can find another configurable secure "shell" that will allow
me to just specify a few apps to run.
Anyway - to the root of my difficulty. We run in a domain
environment, and in general - anyone who has an account on that
domain, can log on to that PC and create a profile. I want to find a
way to limit that. (I personally will be accessing this remote PC via
PC Anywhere public-key encryption, across our intranet)
I could run the machine as a workstation, not logged into the domain -
and just remotely administer individual accounts, but I've seen
recommendations against that, suggesting the domain approach is more
secure. (Although it does give domain admins full access to that
machine, which I also don't really like)
What I'm looking for is ideas on how to control what people can log in
to that machine, so that only domain accounts I "grant" access to, can
log in. I'd also like to entertain ideas on how I can restrict new
account access to a special shell - while the main admin accounts (me)
have the normal shell. The investigating I have done has left me with
few solutions... gpedit basically would apply to all accounts - and I
clearly want some accounts to have full access to that machine and
its resources.
One thought I had was to replace the default explorer shell, and hence
all new users created would automatically boot into that program I am
looking to lock people into. (And manually set the admin accounts to
a custom shell - which just happens to be a renamed windows explorer
shell)
Thanks for reading
Dirk