Re: securing files in a public PC

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/21/05


Date: Fri, 21 Jan 2005 11:47:33 -0700

Great (and finally.) !!

-- 
Roger
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:eqxCou9$EHA.612@TK2MSFTNGP09.phx.gbl...
> Hold that thought.  There will be some forthcoming information in the very
> near future that will address this exact scenario with very prescriptive
> guidance, some tools, and excellent demonstrations.
>
> More info later.
>
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%237j9zy5$EHA.2876@TK2MSFTNGP12.phx.gbl...
> > IMO there is no (well, sometimes one) reasonably simple solution.
> > Since to function for login an account must have write access in
> > some places, it is not possible to simply deny NTFS write across
> > the board.
> >
> > One can remove the many ways the OS provides to be able
> > to get at a command prompt or open access to the filesystem.
> > But one also needs to make sure that one cannot escape out
> > from the applications that are allowed to run and get to a
> > cmd prompt (or any of a number of other applications).
> >
> > XP provides the best default NTFS and registry permissions
> > of any MS OS to date in terms of helping toward your objective.
> > If you are using W2k then you have more work to do.
> >
> > With XP one can look at using Software Restriction Policy
> > to control what can execute.  However, if you are in a non-domain
> > environment then this will have to be defined repetitiously on each
> > machine.  Also, in XP and prior, one can set NTFS permissions on
> > applications so that the public use account has not been granted
> > execute permission on (a long list of) applications.
> >
> > Now, that said, one can also explore replacing the default user
> > shell (Explorer) with the one application that the account is
> > supposed to be able to run.  This may or may not work, and if
> > it does this may or may not be what one needs.
> >
> > MS has provided some guidance and security templates for
> > typical desktop scenarios, including one for a kiosk environment.
> > It does however only go so far down the road.
> >
> > In short, SAFER (Software Restriction Policy) may be your
> > best bet after you have stripped the user interface down.
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows  Security)
> > MCSE (W2k3,W2k,Nt4)  MCDBA
> > "Jell" <jell@a.com> wrote in message
> > news:vL3Id.10526$Vx2.4137@trndny01...
> >> I'm installing a Win2k computer with a kiosk software in my restaurant
> >> and I want to allow only printing. The kiosk handles IE pretty well
> >> security wise but when opening Word docs from the browser I leave my
> >> Windows files wide open for deletion. I also do not want to allow saving
> >> to the hard drive. I looked into securing the computer using security
> >> permissions but got in way over my head. I investigated software that
> >> 'hides' files and folders but none panned out as effective because they
> >> mainly focus on hiding things like the My Documents folder which to me
> >> is the least of my concerns. I know all the registry hacks to hide
> >> desktop items, Control panel, etc...
> >> Does anyone have a solution that is reasonably simple?
> >>
> >> thanks
> >>
> >>
> >
> >
>
>
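
Added example, not part of the original thread: a simplified Python model of the approach discussed above (controlling what can execute by path, given that the account must keep write access in some places). It flags any directory the public account can write to that is still covered by an allow rule; the rule set, the writable-directory list and the longest-match precedence are constructed assumptions for illustration, not the Software Restriction Policy engine itself.

```python
import ntpath

# Simplified model of a default-deny execution policy with path rules.
# This is NOT the real SRP rule engine; all rules and paths are constructed.
DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

def norm(path):
    """Normalise a Windows path for case-insensitive prefix comparison."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def covers(rule_path, target):
    """True if target is rule_path itself or lies beneath it."""
    r, t = norm(rule_path), norm(target)
    return t == r or t.startswith(r + "\\")

def decide(rules, exe, default=DISALLOWED):
    """Assumed precedence: the longest matching path rule wins, else default."""
    matches = [(len(norm(p)), level) for p, level in rules if covers(p, exe)]
    return max(matches, key=lambda m: m[0])[1] if matches else default

def writable_and_executable(rules, writable_dirs, default=DISALLOWED):
    """Writable directories from which a dropped file would still be allowed."""
    return [d for d in writable_dirs
            if decide(rules, ntpath.join(d, "probe.exe"), default) == UNRESTRICTED]

# Constructed sample policy: allow the kiosk application and the OS directory,
# but carve out the temp directory and the command prompt.
RULES = [
    (r"C:\Program Files\Kiosk", UNRESTRICTED),
    (r"C:\WINNT", UNRESTRICTED),
    (r"C:\WINNT\Temp", DISALLOWED),
    (r"C:\WINNT\system32\cmd.exe", DISALLOWED),
]
# Constructed list of places the public account is assumed able to write to.
WRITABLE = [
    r"C:\Documents and Settings\kiosk",
    r"C:\WINNT\Temp",
    r"C:\WINNT\system32\spool\PRINTERS",
]

if __name__ == "__main__":
    for d in writable_and_executable(RULES, WRITABLE):
        print("allow rule covers writable directory:", d)
```

Each directory reported needs either a more specific deny rule or tighter NTFS permissions before the policy can be relied on.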

