
Thread: Locking down a system

  1. #1
    Bronze Member
    Join Date
    Dec 2002
    Location
    Derbyshire, England
    Posts
    104

    Locking down a system

    I've got a machine running XP (pro IIRC) and it sits in a showroom so visitors can access our website.

    I need to be able to stop them doing anything else.

    I've been able to control the browser so that it can only get to our website but how (if at all) can I prevent a more knowledgeable user from running programs, using shortcut keys (Windows/E, Windows/R, etc) or even Ctrl+Alt+Del?

    Unusually I need to be able to say that the only program which a user is allowed to start is Internet Explorer. In fact, they don't even need to do that; I'll start it for them! Actually, all they need to do is use IE which is already running and shutdown the machine!

    I suppose I could remove the keyboard which would certainly slow them down a bit!

    It doesn't have to be a perfect solution; just one which would stop an enthusiastic youngster!

  2. #2
    Banned
    Join Date
    Apr 2002
    Posts
    109
    You can run:
    gpedit.msc -> User Configuration -> Administrative Templates -> System -> Run only allowed Windows applications and create a list of progs users are allowed to run. If you take this approach, make sure you add gpedit.msc to the list of allowed applications (!), and ensure only Admins can run it. Alternatively you could use the "Don't run specified Windows applications" and create a list of apps users aren't allowed to run.

    Another approach is to use a prog like Clean Slate:
    http://www.fortres.com/products/cleanslate.htm
    Or Deep Freeze:
    http://www.faronics.com/html/deepfreeze.asp
    Basically, users can do whatever they want, but as soon as they log off or a PC is rebooted, all changes they have made are undone, and any programs and malware installed are gone. I installed Deep Freeze three months ago on all the PCs in a cyber-cafe, where the PCs are regularly used by teenagers (go figure) and haven't had a single problem.

  3. #3
    Bronze Member
    Join Date
    Dec 2002
    Location
    Derbyshire, England
    Posts
    104
    Thanks very much for that. Some very useful info. I'd done stuff in the dim and distant (W98) past with policies but hadn't had a need to get involved under W2K or XP.

    I assume (and hence your warning) that this configuration applies to all users?

    Ken.

  4. #4
    Banned
    Join Date
    Apr 2002
    Posts
    109
    Quote Originally Posted by Ken Moore
    Thanks very much for that. Some very useful info. I'd done stuff in the dim and distant (W98) past with policies but hadn't had a need to get involved under W2K or XP.

    I assume (and hence your warning) that this configuration applies to all users?

    Ken.
    It does, indeed. If you create a list of allowed programs without adding gpedit.msc to the list then you cannot run gpedit.msc to change the list. You can, presumably, but not easily afaik, edit the registry to undo this, but only if regedit (or similar) was added to the list of allowable programs. In other words, Handle With Care.

  5. #5
    Banned
    Join Date
    Apr 2002
    Posts
    109
    Quote Originally Posted by Nikto
    It does, indeed. If you create a list of allowed programs without adding gpedit.msc to the list then you cannot run gpedit.msc to change the list. You can, presumably, but not easily afaik, edit the registry to undo this, but only if regedit (or similar) was added to the list of allowable programs. In other words, Handle With Care.
    Edit: More precisely, as far as I know, it does - I'm no expert on gpedit, and its name (group policy editor) implies that its settings can be applied to groups. I have heard of people getting into real trouble with it, however, so use with caution.

  6. #6
    Bronze Member
    Join Date
    Dec 2002
    Location
    Derbyshire, England
    Posts
    104
    Many thanks. I'll do a bit more investigation to see if I can apply it to a specific user (via group membership).

  7. #7
    Silver Member joshsiao's Avatar
    Join Date
    Jun 2003
    Location
    Singapore
    Posts
    340
    Quote Originally Posted by Nikto
    Edit: More precisely, as far as I know, it does - I'm no expert on gpedit, and its name (group policy editor) implies that its settings can be applied to groups. I have heard of people getting into real trouble with it, however, so use with caution.
    I truly agree. That adds to my list of programs that need caution including the registry, system32 folder, services...

    Always ensure you have a back-up ready if there is a need to reformat due to accidental corruption of the system.
    "Never seem more learned than the people you are with. Wear your learning like a watch and keep it hidden. Do not pull it out to count the hours, but give the time when you are asked."
    ~Chesterfield

  8. #8
    Bronze Member
    Join Date
    Dec 2002
    Location
    Derbyshire, England
    Posts
    104
    I'm testing it using VMware which means I can get back when I mess things up!

    It does seem that these settings can only be applied to the machine, although the registry entries do seem to be being made in HKCU, so I may be wrong. The documentation states that Windows groups are not the same as these policy groups.

    I did manage to lock out everything I wanted although I couldn't get back in again since adding gpedit.msc to the list of programs didn't work. I guess I need to add the Microsoft Management Console application executable itself.

  9. #9
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    You do apply it to groups or users via a GPO (Group Policy Object). Locking down is not as simple as it seems though - there are many shortcuts which can be used to jump from the 'sandbox'.

    GPOs can be applied to Computers (top half) or Users (bottom half of the GP editor) but not both in the same link. Most of what you want to configure is in the bottom half (hide My Computer, hide Run, hide Control Panel etc...etc...). Force them to log on as guest and rename or remove things like cmd.exe, ftp.exe .....etc....

    A determined and knowledgeable user may still be able to subvert your box by booting from CD and changing the admin password or just using the box from a bootable distro like Knoppix. BIOS password the machine and remove CD, Floppy and USB disks from the boot sequence.
    I'm using Windows 7 - you got a problem with that?

  10. #10
    Bronze Member
    Join Date
    Dec 2002
    Location
    Derbyshire, England
    Posts
    104
    I've managed to lock things down fairly tightly (it was mmc.exe I had to make available to get at the group policies!), though there are an awful lot of things which need to be 'taken away' and I had to explicitly say 'do not allow explorer.exe to run' or else the <windows>/E key combination would start it.

    I've not yet managed to apply it just to a single user but shall persevere after what you said, although I thought such facilities were only available if Active Directory was in force.

    I'm not looking for a total solution; I know there are lots of ways I can get round it, but I'm just looking to stop the enthusiastic kid and he'll tend to give up if it's not easy and what he expects ;-)

    Of course, it's made even more difficult by the fact that the base unit is locked away!
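The two gpedit.msc settings from post #2 ("Run only allowed Windows applications" and "Don't run specified Windows applications") are stored as ordinary per-user registry values, which is why post #8 saw them land in HKCU. The script below is an added example, not code from this thread or from Microsoft; it writes those values directly and builds in the lock-out check that posts #8 and #10 learned the hard way (gpedit.msc is only an MMC snap-in, so the executable that must stay on the allow list is mmc.exe). It assumes Windows PowerShell 2.0 or later (the last release that installs on XP SP3), that it runs in the context of the kiosk account, and that you try it in a VM or on a throwaway account first, as post #8 did. The default allow and deny lists are illustrative choices, not anything the thread prescribes.

```powershell
# Added example, not from the thread: writes the per-user "Run only allowed
# Windows applications" (RestrictRun) and "Don't run specified Windows
# applications" (DisallowRun) policies that gpedit.msc edits under HKCU.
# Assumptions: PowerShell 2.0+, run as the kiosk user, tested in a VM first.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-NumberedList {
    # Helper: both policies keep their program list in a subkey whose values
    # are named "1", "2", ... and hold bare executable names (no paths).
    param([string]$SubKey, [string[]]$Executables)
    $path = Join-Path $PolicyKey $SubKey
    if (Test-Path $path) { Remove-Item -Path $path -Recurse -Force }
    New-Item -Path $path -Force | Out-Null
    $i = 1
    foreach ($exe in $Executables) {
        New-ItemProperty -Path $path -Name ([string]$i) -Value $exe -PropertyType String | Out-Null
        $i++
    }
}

function Set-KioskAllowList {
    # "Run only allowed Windows applications": anything Explorer launches that
    # is not on this list is refused. Default list is an illustrative assumption.
    param([string[]]$Allowed = @('iexplore.exe', 'mmc.exe'))
    # The lock-out from posts #8 and #10: gpedit.msc is a snap-in, the process
    # that actually runs is mmc.exe, so mmc.exe is what has to be permitted.
    if ($Allowed -notcontains 'mmc.exe') {
        throw 'Allow list must contain mmc.exe, otherwise gpedit.msc cannot be opened to undo this.'
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-NumberedList -SubKey 'RestrictRun' -Executables $Allowed
    # The DWORD switches the policy on; the subkey on its own does nothing.
    Set-ItemProperty -Path $PolicyKey -Name 'RestrictRun' -Value 1 -Type DWord
}

function Set-KioskDenyList {
    # "Don't run specified Windows applications", the alternative from post #2.
    # explorer.exe is listed because post #10 found Win+E starts it otherwise.
    param([string[]]$Denied = @('explorer.exe', 'cmd.exe', 'regedit.exe'))
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-NumberedList -SubKey 'DisallowRun' -Executables $Denied
    Set-ItemProperty -Path $PolicyKey -Name 'DisallowRun' -Value 1 -Type DWord
}

function Remove-KioskPolicy {
    # Undo both policies. Run it from an account that can still start
    # powershell.exe; under an active allow list the kiosk account cannot.
    foreach ($name in 'RestrictRun', 'DisallowRun') {
        Remove-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $sub = Join-Path $PolicyKey $name
        if (Test-Path $sub) { Remove-Item -Path $sub -Recurse -Force }
    }
}

function Get-KioskPolicy {
    # Report what is applied, so you can check it before logging the kiosk user off.
    foreach ($name in 'RestrictRun', 'DisallowRun') {
        $enabled = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        $sub = Join-Path $PolicyKey $name
        $list = @()
        if (Test-Path $sub) {
            $list = (Get-Item $sub).GetValueNames() |
                Sort-Object { [int]$_ } |
                ForEach-Object { (Get-ItemProperty -Path $sub -Name $_).$_ }
        }
        New-Object PSObject -Property @{ Policy = $name; Enabled = ($enabled -eq 1); Executables = $list }
    }
}

# Apply the allow list and show the result; log off and back on for Explorer to enforce it.
Set-KioskAllowList
Get-KioskPolicy | Format-Table -AutoSize
```

Two caveats worth keeping in mind. Both policies are enforced by Explorer, so they only stop programs started through the shell (Start menu, Run, Win+E and the like); a program launched by another process or by the system is not covered, which is the gap post #9 is pointing at. And because the values live under HKCU they follow the account rather than the machine: log the administrator in under a different account and the policy does not apply there, which is also why `Remove-KioskPolicy` has to be run from such an account, either as the kiosk user before the allow list is switched on or against the kiosk user's loaded hive under HKEY_USERS.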

  11. #11
    Member Hawkers's Avatar
    Join Date
    Feb 2005
    Location
    Seattle, WA
    Posts
    59
    Here is a free article with some background on what you're doing to the registry

    http://www.theeldergeek.com/group_po...ws_xp_prof.htm

    If you're looking for more detail you'll probably want to invest in a book like this one

    http://www.desktopstandard.com/eBooks/Implementing.aspx

  12. #12
    Bronze Member
    Join Date
    Dec 2002
    Location
    Derbyshire, England
    Posts
    104
    Excellent! That article has pointed me in the right direction to be able to set the group policies for a single user.

    Many thanks.
