From: John Wienand (JWienandbna.com)
Date: Thu Apr 25 2002 - 10:58:27 CDT

I think step one would be to secure the box itself. "Public Access workstation" shouldn't necessarily mean access to the box itself, should it? In other words, if you were able to gain access to the floppy drive in a kiosk box, that's a problem unto itself.

If someone has physical access to the box, you can set up all the OS security you want. But a simple floppy boot and a FORMAT C: wouldn't take much effort and I think would adversely affect the box's performance/availability.

John

From: "Mark Parry" <Mark.Parrypsi-cu-software.com>
Date: 04/24/2002 05:43 PM
To: "Focus Microsoft (E-mail)" <focus-mssecurityfocus.com>
cc: (bcc: John Wienand/BNA Inc)
Subject: RE: Question: How To Secure a Public Access Workstation

They made it easy by using FAT. With NTFS, you would have had to pull in other tools to pull this off. You have a good point, but I would definitely use NTFS so you can ACL the filesystem while running.

Also, can you actually secure this computer so the floppy drive is not accessible/nonexistent, and that they cannot reset the BIOS by pulling the battery? Really there are a lot of things that could be done with physical access to the box... like adding hardware keyloggers?

-----Original Message-----
From: Joseph Brown [mailto:emailjoebrownyahoo.com]
Sent: Wednesday, April 24, 2002 9:50 AM
To: Borkin, Mike; 'Information Security'; focus-mssecurityfocus.com
Subject: RE: Question: How To Secure a Public Access Workstation

Also important is BIOS protection. Password protect and boot from HDD. During a pen-test I inserted a 98 boot disk, rebooted a kiosk box into DOS, copied the sam._, and the admin had the same password on the Domain. BAD....

--- "Borkin, Mike" <mike.borkineds.com> wrote:
> I had to totally lock down an NT workstation to only hit a single corporate intranet website last year, so hopefully these references and my thought process will help. I started the planning by deciding to have the machine do an automatic logon and change the startup shell to IE in Kiosk mode rather than Windows Explorer. In addition, the logon username/password that I used only had user rights to the local machine (although you might want to utilize a special domain account with rights limited to your apps). I did a bunch of reg hacks to limit access to the local machine, and after that it was just a question of trying to stop anyone from breaking out of the shell utilizing key combinations, such as the choices at CTRL-ALT-DEL and the Windows key. Hopefully, this will help with your project.
>
> Mike
>
> Microsoft Knowledge Base Articles -
>
> q97597 - How to Enable Automatic Logon in Windows NT 3.x and 4.0
> q143164 - INF: How to Protect Windows NT Desktops in Public Areas
> q154780 - How to Use Kiosk Mode in Microsoft Internet Explorer
> q179221 - How to Limit User Access to Local Computer or Hard Disks with Internet Explorer 4.01
> q216893 - How to Disable the Keyboard Windows Key
>
> Web Articles
>
> http://is-it-true.org/nt/registry/rtips3.html - Registry Tip #3: Disable Windows NT Ctrl-Alt-Del dialog button
>
> -----Original Message-----
> From: Information Security [mailto:InformationSecurityfederatedinv.com]
> Sent: Monday, April 22, 2002 11:32 AM
> To: focus-mssecurityfocus.com
> Subject: Question: How To Secure a Public Access Workstation
>
> Can anyone point me to reference materials on how to secure Windows NT / 2000 / XP Pro workstations for use at a publicly accessible location?
>
> I'm looking for ideas on how to secure normal corporate workstations that need limited access to a few corporate apps, but are on the fringe of our physical perimeter. Places like receptionist areas, attended customer service booths, etc.
>
> I've found a few references to get started with; the best one seems to be at: http://www.psynch.com/docs/instguide/node121.html. However, this article from Microsoft http://www.microsoft.com/office/ork/2000/journ/KioskMode.htm points to one of many other details that should be considered. I'm hoping someone has compiled a list of suggestions, and any additional help or experiences would be appreciated.
>
> Thanks.

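As an added example (not code from any poster in this thread), the lockdown Mike describes written out as one registry file: automatic logon of a restricted local account (KB 97597), Internet Explorer in kiosk mode as the user's shell (KB 154780), the drive restrictions from KB 179221, the CTRL-ALT-DEL choices from the is-it-true tip, and the Windows-key scancode remap from KB 216893. The account name, password, machine name and intranet URL are placeholders to replace; the key paths and value names are the standard NT 4.0/2000/XP locations. The REGEDIT4 header is the NT 4.0 format, which later regedit versions still import.

```reg
REGEDIT4

; ===== Machine-wide settings: import once as an administrator =====

; Automatic logon (KB 97597). DefaultPassword is stored in cleartext, so the
; account must be local-only with plain user rights and nothing else.
; kioskuser / KIOSK-PC / the password are placeholders, not real values.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="kioskuser"
"DefaultDomainName"="KIOSK-PC"
"DefaultPassword"="REPLACE-WITH-KIOSK-PASSWORD"

; Disable both Windows keys (KB 216893). Layout of the binary value:
;   dword 0           header/version
;   dword 0           flags
;   dword 3           number of entries, including the null terminator
;   dword E05B0000    original scancode E05B (left Win, extended) -> 0000 (nothing)
;   dword E05C0000    original scancode E05C (right Win, extended) -> 0000 (nothing)
;   dword 0           terminator
; Bytes are little-endian; the map is read at boot, so a reboot is required.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,5b,e0,00,00,5c,e0,00,00,00,00

; ===== Per-user settings: import while logged on as the kiosk user =====
; (HKEY_CURRENT_USER in a .reg file is whoever runs regedit, so importing
; this half as the administrator would lock down the wrong profile.)

; Replace Explorer with IE in kiosk mode (KB 154780); -k is full-screen
; with no toolbars, menus or address bar. The URL is a placeholder.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="iexplore.exe -k http://intranet.example.invalid/app"

; Remove Task Manager, Lock Workstation and Change Password from the
; CTRL-ALT-DEL dialog.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableLockWorkstation"=dword:00000001
"DisableChangePassword"=dword:00000001

; Remove Log Off from the same dialog, block Run, and hide and block all 26
; drive letters (bit mask A=1 ... Z=0x2000000, so 0x03FFFFFF is every drive)
; in Explorer views and common file dialogs (KB 179221).
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogoff"=dword:00000001
"NoRun"=dword:00000001
"NoDrives"=dword:03ffffff
"NoViewOnDrive"=dword:03ffffff
```

Import with `regedit /s kiosk.reg` (the `/s` suppresses the confirmation prompt), once for the HKLM half as the administrator and once for the HKCU half in the kiosk user's session, then reboot for the scancode map. None of this survives the floppy boot John and Joseph describe: the cleartext DefaultPassword and the SAM are readable from DOS on a FAT volume, so the BIOS password, HDD-only boot order and NTFS ACLs Mark asks for are what protect these settings, not the other way round.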