Security For XP Pro

[DasFox]

I started working for a internet/gaming cafe. I'm pretty good with Windows, using it about 20 years, but over the past decade, I got heavily into Unix, so I lost out on some of my Windows skills.

Anyone know a great site that shows the best in security tips for XP Pro and how to go about them, especially for setting them up for a cafe?

The problem is from what I have seen so far, but we are tying to work around or find another application, is getting one that can run under a Guest account, not Admin, then half the problems would be fixed.

ALOHA

 

[cleverhandle]

Originally posted by: DasFox
The problem is from what I have seen so far, but we are tying to work around or find another application, is getting one that can run under a Guest account, not Admin, then half the problems would be fixed.

That's by far the biggest single issue. If you can keep everything in a limited account, you've solved most of your problems. Worst case scenario is that somebody hoses their profile, but then you can just delete and recreate the user and the profile and you're pretty much back in business.

Tip: For stubbornly "admin-only" applications (stuff that can't be solved just by changing a couple directory permissions), investigate the use of the /savecred switch with runas.

 

[DasFox]

cleverhandle do you know a link that shows all the runsas stuff and info on it?

THANKS

 

[DasFox]

Found this:

http://www.microsoft.com/resources/docu...all/proddocs/en-us/runas.mspx?mfr=true

Ok runas I have never used before, is this JUST to allow specific tools and programs with different permissions is all?

So if like a guest account was being used, then with runas you could allow greater use of tools and apps then you would normally have under this account?

I mean as far as I see it now, "runas" is to allow greater access?

Is this also to shut down tools and apps as well to admininster security also, or just to allow more for a guest, limited user account?

So was your point cleverhandle with this, that if I could run a guest account for a cafe program, then use runas on it, to allow it to have more system acess that it might need under this account?

Ok I see also to run the box as a Admin too under another account, but I'm not sure in what way I can run SmartLaunch that needs a Admin account with runas.

http://www.smartlaunch.net

THANKS

 

[cleverhandle]

Originally posted by: DasFox
Ok runas I have never used before, is this JUST to allow specific tools and programs with different permissions is all?

Correct.

So was your point cleverhandle with this, that if I could run a guest account for a cafe program, then use runas on it, to allow it to have more system acess that it might need under this account?

I think you understand the principle, though your sentence would be more accurate changing "might need" to "would otherwise have." But yeah, you've got the idea - run in a lower-privilege account, and use runas to elevate privileges when you have to. Adding /savecred to the command will prompt for the appropriate password and then stash those credential so that you don't need to enter them again in the future. There are two notable things to keep in mind here:

1) You shouldn't usually need to use runas - XP Pro allows precise control of permissions on folders and on registry keys. Use those first, and use runas as a last resort when you can't find any easy way to set the permissions manually.

2) Using /savecred can be a security hole in a "hostile" environment. Once you've saved the credentials for a command, there's nothing stopping the user from running an entirely different command through runas (like, say, iexplore.exe c and using the credentials stashed from the other command. This would take some small amount of technical savvy, but not very much. Using /savecred makes the most sense when you're protecting well-intentioned, but clueless, users from themselves, not when you're defending against people that might intentionally try to mess with your systems. So it all depends on how paranoid you are. If I were to use /savecred switches in a more hostile environment, I'd try to runas accounts that have very specific permissions set rather than a full-on adminstrative account. But in that case, you can probably just use groups and permissions to begin with and not bother with runas at all.

You might also want to look into software like Deepfreeze that "locks" the machine into a given configuration. It doesn't always play well with every system configuration and it does cost some money, but it can be useful to keep people from trashing a machine by installing all sorts of Internet garbage on it.

 

[cleverhandle]

Originally posted by: DasFox
http://www.smartlaunch.net

I'm looking at this and not understanding why in the world it would need full administrative rights once the basics (IP address, comp #, etc.) have been setup. I guess it would probably need access to some directories if saves are stored under Program Files, but that should be easy to handle. Does the program die with any particular error if you try to run it as a limited account, or is it just coded to bail as soon as it sees it's not an admin? It seems terribly sloppy for a cafe program to demand the customers have admin privileges, even in the usually sloppy context of programming around Windows privileges.

 

[DasFox]

cleverhandle, yes I agree, I can't see why it would need Admin access to run.

One other thing I didn't mention, according to the SmartLaunch tech support it's better for the app to run without the Fast User Switching and the Welcome screen.

Now I'm not sure why that was this was a few days ago he told me about this, but if I'm going to have a guest account for this thing to run under, then I don't see how you'll get XP to automatically boot into the guest account.

I remember in the days with Win2K you could set it to automatically boot into a account, or maybe that was the Admin account automatically.

Anyhow is there a way to have XP Pro boot automatically into the Guest account for this thing to then run under?

THANKS

 

[mechBgon]

Here's a screencapture demo showing me logged on as Patron, a Limited account. I make a RunAs shortcut to run Pinball under the Administrator account.

movie clip

Due to the /savecred switch, I have to answer the password prompt the first time. After that, it's cached, so the Limited-class user doesn't need to know the password and is not flyin' around with unnecessary blanket Admin powars.

 

[DasFox]

mechBgon, ahhh so possibly for a "Guest" account name I can do the samething as you did in the demo for the "SmartLaunch" client?

But the problem I have is, how do you get Windows to boot up automatically into a Guest account without the Fast User Switching and the Welcome screen options?

As I mentioned before according to SmartLaunch tech support I needed to disable these. With those disabled from what I know of, you are always greeted with a login prompt, now even if you don't password protect the account, you still have to be at the keyboard to hit "Enter" so how can you get past this prompt without the need to hit enter and just boot into the account?

THANKS

 

[mechBgon]

There's a fancy way, but I only remember the lowbrow way at the moment: install TweakUI (find it at Microsoft.com) and you can set up auto-logon from there. I wouldn't use the Guest account; make one called Patron or Customer or whatever, and make it a Limited account, then base your software out of that.

If desired, you can put the RunAs shortcut right into the C:\Documents and Settings\Patron\Start Menu\Programs\Startup directory so it auto-runs upon startup, although you may have to give it a Start In: location that the user can access, such as their directory within Documents and Settings.

 

[cleverhandle]

Originally posted by: DasFox
But the problem I have is, how do you get Windows to boot up automatically into a Guest account without the Fast User Switching and the Welcome screen options?

Is there a local security policy setting for this? I'm not at a Windows machine right now, and it's not really my area of expertise, but you might want to look.

Even if the machines need to be logged in manually, is that a huge deal? I'd think you'd just login each morning. Maybe once in a while someone logs off and an employee has to tell to "just hit Enter" to log back in. Doesn't seem like a show-stopper.

Also, did the program actually have a problem running with FUS turned on, or was that just a piece of tech support BS? Again, I can't see why it should make any difference.

 

[DasFox]

mechBgon ok "Limited" account, tweakui for auto login, I think personally that is all that would be needed as long as the auto login starts the limited account, because the Smartlaunch would autostart anyways, so I don't think I would need to place it in the startup direc.

Actually with tweakui doing a auto login of the Limited user account then this solves the problems of needing runas. Let me play with just a limted account and the tweakui and see if this helps.

BTW how did you make the video clip?

THANKS

 

[DasFox]

cleverhandle tweakui fixed this.

mechBgon what's wrong with turning the "Guest" account on and just using it? I mean it's more restrictive and secure then a limited account isn't it?

I just booted up the Limited account I created and the tweakui auto logged it on, that's nice. I'd have to say it's been ages since I looked at TweakUI, didn't know it had this feature.

Now I thought the Limited account couldn't install anything, that is something I want to shut down this ability, BUT if need be turn it back on easy. I don't think with TweakUI you can do this.

But I just downloaded Gaim and it installed under the Limited account which is not a good thing for the cafe. PLEASE let me know how I easily make the Limited account not allow any downloads or installs.

mechBgon also one thing I don't like even though no one can do any harm, is people can still run ctrl alt del and get to the taskmanager and run it.

I know how to deal with the taskmanager in the Group Policy Editor, but does TweakUI have any options to disable it as well as the shutdown?

Basically for Ctrl Alt Del I'd like to have all those options greyed out so no one can touch anything there, not even restart the box.

THANKS

 

[mechBgon]

With the built-in Guest account, stuff keeps getting erased when you log out. Which could be a good thing, or a bad thing, but if you wanted any persistent settings, then a Limited account would retain them while still being decently restrictive for normal daily uses, especially if you pair it with a Software Restriction Policy so people can't execute stuff where they can write executable stuff to, or vice versa.

The screencapture videos are being done by the free Windows Media Encoder 9 Series, try it out It's a cinch to use, and you can also narrate if you enable the audio input and hook up a microphone.

If you want to really drop the hammer on downloads/installs then (aside from investing in VirusScan Enterprise 8.0i and using mech's tricks) you could use the Run Only Allowed Windows Programs thing: http://pics.bbzzdd.com/users/mechBgon/GPEDIT_RUN_ONLY_ALLOWED_APPS.gif You'd have to whitelist everything you want to be able to run.

 

[DasFox]

CRAP I locked myself out of the box, meaning I killed "run" and some other options and hide the drives in TweakUI and I can't get them back, to Admin the box, I didn't figure to put in a backdoor somewhere in case of this.

HOW the heck can I get back to the group policy editor with the run removed and the drives hidden? TweakUI won't let me run it, says I don't have permission.

CRAP this sucks, LOL

 

[mechBgon]

Originally posted by: DasFox
CRAP I locked myself out of the box, meaning I killed "run" and some other options and hide the drives in TweakUI and I can't get them back, to Admin the box, I didn't figure to put in a backdoor somewhere in case of this.

Quick, the Undo button on your forehead! :Q

HOW the heck can I get back to the group policy editor with the run removed and the drives hidden? TweakUI won't let me run it, says I don't have permission.

CRAP this sucks, LOL

Try making a Scheduled Task that runs cmd.exe one minute from now, then wait for it. If that works, run tweakui.cpl and/or gpedit.msc. Any good?

 

[cleverhandle]

Originally posted by: mechBgon
...you could use the Run Only Allowed Windows Programs thing.

Can you do that without a domain setup?

 

[mechBgon]

Originally posted by: cleverhandle

Originally posted by: mechBgon
...you could use the Run Only Allowed Windows Programs thing.

Can you do that without a domain setup?

I assume so... that pic's from a stand-alone WinXP system, anyway. I haven't tried it in real life, but if I had a gaming cafe, I'd at least experiment with it.

 

[DasFox]

If I don't put in a password nothing happens, it doesn't start it, and if I put in a password this is what I get:

http://img322.imageshack.us/my.php?image=screen6hp.jpg


Errrrr bonehead me, LOL

 

[DasFox]

I disabled the cmd prompt in the Group policy editor, BUT I didn't touch anything to do with TweakUI, so I don't know why I don't have any access to it.

CRAP

 

[DasFox]

Ahh I figured it out, I created a shortcut to the gpedit:

C:\WINDOWS\system32\gpedit.msc

OK TweakUI is back and running, I'm not sure what Group Policy affected this to shut it down, hmm

THANKS

 

[DasFox]

mechBgon will the TweakUI setting for the autologin always stay there time after time, each and everyday we restart the systems in the morning when we open the cafe?

Because when I went back into TweakUI to check out the settings and look at the autologin after I had set it, it was then unchecked and didn't have the username in it anymore?

http://img75.imageshack.us/my.php?image=screen0ec.jpg

I just want to make sure this thing works reliable and won't be a pain to have to mess with all the time.

THANKS

 

[DasFox]

Oh well no worries I guess all this and now we are using something different and I don't need to do all this, sheesh all this for nothing, well I at least learned a little something.

ALOHA