Re: Disable share GUI while keeping File and printer sharing



tzvikaz@xxxxxxxxx wrote:

I have a "kiosk" machine that runs on XP SP2.
It must have File and Printer Service.
The logged user is an admin.
I want to somehow not allow him to add shares on folders/drives

If the logged on user really needs to be an admin, your best bet is to use software restriction policies (try doing a search of MSDN or the Microsoft Knowledge Base on that phrase if you aren't familiar with the concept) to configure a set of allowed executables and block everything else. You need to think carefully about the effects of each executable on the list; for example, Windows Explorer should not be permitted, so you'll also need to provide an alternative shell. In general, any software that allows copying an arbitrary file or editing a text file isn't safe.

In almost all cases it would be both safer and easier to work around the need for the user to be an admin. Are you certain this isn't an option?

Microsoft provide a toolkit for shared computers which restores the computer to the initial state after a reboot; this may provide some additional protection. Or (better) you could run the kiosk functions on a virtual machine, configured not to keep changes after reboot. (This might make it OK to allow Windows Explorer, since it blocks the obvious attack of installing a second operating system; however, I suspect Windows Explorer would still allow more subtle attacks even if I can't identify them offhand. You also need to think about possible attacks on your kiosk application, though you might be able to block those by putting the kiosk application and data files on the host OS and accessing them over a virtual network.)

In this context, the File and Printer Service might not need to be on the same virtual machine as the logged on user, which could provide additional protection.

Harry.