Site Directory
Membership
Train-the-Trainer
Trainer Certification
Certified Training Materials
ITinfo E-zine
Responsible Training
White Papers
Trainer Resources
What's New
Speaking Engagements
Onsite Training
ITrain Gear
Popular Links
Speaking Engagements
Training Manuals
Certification
Train the Trainer
The Training Book
Technical Writing
Privacy Policy
Windows NT Security
Preventing unauthorized entry
ITinfo Sponsor
ERROR: Random File Unopenable
The file was not found on your file system. This means that it has either not been created or the path you have specified in $trrandom_file is incorrect.
Securing a Public Windows NT Station
by Dave MurphyISSN 1535-3613
One of the subjects that's most requested of me is network security, specifically, how do I secure a computer from public tampering.
I did a bit of research, and came up with a few recommendations re securing a Windows NT system that's made available to run Microsoft Internet Explorer, such as might be found in a public kiosk or library.
But first, a warning: Using the Registry Editor incorrectly can cause serious, system- wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of the Registry Editor can be solved. Use this tool at your own risk.
- It is the best that the user works with the guest account. You should not allow password changes for this account. Don't allow local shutdown (User Manager: Policies/User Rights). It is also required that all local drives are formatted in NTFS. Steps 7 and 8 also require the workstations to be member of a domain.
- Replace Explorer.exe as a shell with Internet Explorer (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Shell). Be sure to place the full path to Iexplore.exe in this entry. For other applications, place the main executable file or a launcher application here.
- Change the permissions for %Systemroot%\System32\Taskmgr.exe so the guest account does not have any privileges for this file (no access). This prevents the user from running Task Manager off the security dialog.
- Rename the administrative account and specify a password so users have a hard time hacking it.
- Use AutoAdminLogon so only experienced users know how to specify a different name for logon (hold shift while logging off). Even if they manage to get to the logon dialog box, they still have to know about an account.
- Disable ShutdownWithoutLogon. It's also located in the Winlogon key mentioned above.
- Create a Default System Policy that only allows Iexplore.exe to run and place it on the NETLOGON share of all DCs. It's in Default User Properties, System\Restrictions\Run only allowed Windows applications. Instead of Iexplore.exe, you can also specify the application(s) of your choice. The main executable file or launcher application does not need to be part of this set.
- Enable all policy restrictions in Shell\Restrictions so the user only sees the computer and files to be saved end up in the %Systemroot%\Profiles\
\desktop directory. - You can also restrict access to %Systemroot%\Profiles\
\desktop so the user only can read files from there. This is the only folder the user will be able to see if you checked all items in step 8. - Hide the keyboard and computer behind a locked door; don't announce that it's even there.
- You can also restrict access to %Systemroot%\Profiles\
Call for Comments
What do you think? How have you kept your systems secure? Leave your comments on the message center.
References
Message Center
Previous issues are on our website at http://itrain.org/itinfo/.
International Association of Information Technology Trainers
PMB 616
6030-M Marshalee Dr
Elkridge, MD 21075-5987
410.567.5366
1.888.290.6200
fax: 801.650.0423
Membership Director: member@itrain.org
Copyright © 2000 International Association of Information Technology Trainers, Ltd., All Rights Reserved
http://itrain.org/itinfo/1999/it991214.html
updated December 14, 1999