INF: How to Protect Windows NT Desktops in Public Areas
ID: Q143164
|
The information in this article applies to:
-
Microsoft Windows NT Server version 4.0
-
Microsoft Windows NT Workstation version 4.0
SUMMARY
In certain environments it is necessary to prevent workstation users from
harming the system. For example, you may want to limit the number of
applications a user can use.
This article shows you how to protect a workstation intended for use with
Internet Explorer 3.0. Most of the procedures in this article also apply
to other applications.
MORE INFORMATION
To protect a workstation that will be used with Internet Explorer:
WARNING: Using the Registry Editor incorrectly can cause serious, system-
wide problems that may require you to reinstall Windows NT to correct
them. Microsoft cannot guarantee that any problems resulting from the use
of the Registry Editor can be solved. Use this tool at your own risk.
- It is the best that the user works with the guest account. You should
not allow password changes for this account. Don't allow local shutdown
(User Manager: Policies/User Rights). It is also required that all
local drives are formatted in NTFS. Steps 7 and 8 also require the
workstations to be member of a domain.
- Replace Explorer.exe as a shell with Internet Explorer
(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Shell). Be sure to
place the full path to Iexplore.exe in this entry. For other
applications, place the main executable file or a launcher application
here.
- Change the permissions for %Systemroot%\System32\Taskmgr.exe so the
guest account does not have any privileges for this file (no access).
This prevents the user from running Task Manager off the security
dialog.
- Rename the administrative account and specify a password so users have
a hard time hacking it.
- Use AutoAdminLogon so only experienced users know how to specify a
different name for logon (hold shift while logging off). Even if they
manage to get to the logon dialog box, they still have to know about an
account.
- Disable ShutdownWithoutLogon. It's also located in the Winlogon key
mentioned above.
- Create a Default System Policy that only allows Iexplore.exe to run and
place it on the NETLOGON share of all DCs. It's in Default User
Properties, System\Restrictions\Run only allowed Windows applications.
Instead of Iexplore.exe, you can also specify the application(s) of
your choice. The main executable file or launcher application does not
need to be part of this set.
- Enable all policy restrictions in Shell\Restrictions so the user only
sees the computer and files to be saved end up in the
%Systemroot%\Profiles\<user>\desktop directory.
- You can also restrict access to %Systemroot%\Profiles\<user>\desktop so
the user only can read files from there. This is the only folder the
user will be able to see if you checked all items in step 8.
With Internet Explorer 3.0 you can prevent the user from seeing the
Address
Toolbar and thus prevent the user from manually entering URLs:
- You remove the address toolbar in Internet Explorer ("View\Option",
"General" tab, bottom half of dialog box).
- Start Registry Editor (Regedt32.exe). In the HKEY_CURRENT_USER window,
open the key
Software\Microsoft\Internet Explorer\Toolbar
- With the focus on Toolbar, select the menu item Security\Permissions.
Make sure that the guest account is only allowed to read the key.
When you open the dialog box in Internet Explorer, you will be shown the
wrong settings but changes will not take effect. It may be possible to do
similar things with other registry keys of Internet Explorer, but only the
key mentioned in Step 2 above was tested for this article.
Additional query words:
prodnt msiexplore SP2
Keywords : kbinterop ntsecurity ntregistry NTSrvWkst
Version : winnt:4.0
Platform : winnt
Issue type : kbhowto