Real basic security question.

[pjp]

New install of XP Pro by a 20+ year programmer that's more or less a pc
"guru" but have never had longterm exposure to network concerns except at
the application coding level, e.g. how to connect in code etc.

I run a small ethernet inside my home with this pc running XP (now but will
retain dual-boot back to 98SE for foreseeable future) and my wife and kids
each with their own pc.

I'm not concerned or seeking information about "ethernet security" as I
think I have a handle on that. I'm looking for insight into the multipule
accounts I have setup under XP (never bothered under 98) so I can allow the
other members of my family, friends etc.to use this pc (which has the
"fancy" hardware attached, e.g. video capture, dvd player, webcam, scanner,
3daccel games) but under restricted conditions.

Everything seems to be centered around "Groups", e.g. I have the Admin
account, one for each of my kids (users) and wife (power user), myself
(Admin) and as well as the Guest account all setup. I'd like to concentrate
on the Guest account and what I'd like for that Guest account. I'm willing
to create a "Group" for every user if that's what it takes. Here's what I
have imagined for the Guest account ...

Just icons I choose on desktop are "runable". No right click menu for any
icon (including taskbar, trayicons and start menu), no anything in the start
menu of any sort except the Log Off button. No special key combo's to invoke
pop-up dialogs etc. of any sort. No ability to "Browse" anywhere from within
any "Open/Save" option (e.g. they're at root of drive with no other
drives/folders available) within any program I do allow them to run. No
ability to change any IE settings and certainly not the ability to install,
run or save to disk any "anything" off the net (e.g. ActiveX controls etc.
included).

I know I'm new to this but I don't seem to be able to find anyway to
indicate "this user" and then specify "can do this" and "not this". I'm
finding it difficult that things seem to propagate across "Groups". The
Group Policy Editor etc. all seem to make sense but I'll be damned if I can
infer from what I've tried so far to accomplish what I want.

Any suggestions, how to's etc. appreciated, including I don't mind reading
so url's welcome.

 

[Bruce Chambers]

Greetings --

HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

HOW TO Set, View, Change, or Remove File and Folder Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418

HOW TO Set, View, Change, or Remove Special Permissions for Files and
Folders
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q308419

HOW TO Use the Group Policy Editor to Manage Local Computer Policy in
Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307882


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

 

[Roger Abell]

First, for local login, there is nothing special about the Guest
account. When logged in over the net is different, but once it
is logged in at the console it is not different from other limited
accounts.

Local policy affects all accounts equally. To make specific
policy type settings per account you need a third-party tool.
Doug Knox has a helpful tool at www.dougknox.com for this.

Limited (members of the Users group) accounts are fairly well
compartmentalized out of the box. You will likely run into issues
with things that worked just fine in 98 only working when logged
in as a admin, but there are usually way to correct the inadequacies
of the software that is designed outside of the Windows certification
spec.

 

[pjp]

Well, the middle two of those links were useless as I have no intention of
changing from Fat32 because at least I know I can always boot to a 98SE
startup disk and copy files.

The top and bottom ones are why I asked my question in the first place. It
appeasr that the answer is NO, you cannot simply select an account and
specify what they can and cannot see and do. Straight forward simple idea
convoluted by "groups" and the like.

I don't even find it clear what you're actually doing in "this" account
rather than in "all" accounts, e.g. don't even seem to able to dictate the
screen resolution on a per user basis.

Greetings --

HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

HOW TO Set, View, Change, or Remove File and Folder Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418

HOW TO Set, View, Change, or Remove Special Permissions for Files and
Folders
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q308419

HOW TO Use the Group Policy Editor to Manage Local Computer Policy in
Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307882


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

New install of XP Pro by a 20+ year programmer that's more or less a
pc
"guru" but have never had longterm exposure to network concerns
except at
the application coding level, e.g. how to connect in code etc.

I run a small ethernet inside my home with this pc running XP (now
but will
retain dual-boot back to 98SE for foreseeable future) and my wife
and kids
each with their own pc.

I'm not concerned or seeking information about "ethernet security"
as I
think I have a handle on that. I'm looking for insight into the
multipule
accounts I have setup under XP (never bothered under 98) so I can
allow the
other members of my family, friends etc.to use this pc (which has
the
"fancy" hardware attached, e.g. video capture, dvd player, webcam,
scanner,
3daccel games) but under restricted conditions.

Everything seems to be centered around "Groups", e.g. I have the
Admin
account, one for each of my kids (users) and wife (power user),
myself
(Admin) and as well as the Guest account all setup. I'd like to
concentrate
on the Guest account and what I'd like for that Guest account. I'm
willing
to create a "Group" for every user if that's what it takes. Here's
what I
have imagined for the Guest account ...

Just icons I choose on desktop are "runable". No right click menu
for any
icon (including taskbar, trayicons and start menu), no anything in
the start
menu of any sort except the Log Off button. No special key combo's
to invoke
pop-up dialogs etc. of any sort. No ability to "Browse" anywhere
from within
any "Open/Save" option (e.g. they're at root of drive with no other
drives/folders available) within any program I do allow them to run.
No
ability to change any IE settings and certainly not the ability to
install,
run or save to disk any "anything" off the net (e.g. ActiveX
controls etc.
included).

I know I'm new to this but I don't seem to be able to find anyway to
indicate "this user" and then specify "can do this" and "not this".
I'm
finding it difficult that things seem to propagate across "Groups".
The
Group Policy Editor etc. all seem to make sense but I'll be damned
if I can
infer from what I've tried so far to accomplish what I want.

Any suggestions, how to's etc. appreciated, including I don't mind
reading
so url's welcome.

 

[pjp]

If there's no difference why bother? I have no intention of letting anyone
log in over the net on this pc. In fact, all it's doing in that regard is
sharing a couple of printers using Netbuei (as I did in 98SE all along). The
98SE pcx's do have various shared folders etc. the XP pc can/does access for
some things, e.g. all my mp3's are on an old P90 with 4 hd's in it, e.g. it
acts as a file server for everyone. I do "control" what protocols on which
adapter etc. at least as I understand it to date

I think I already have Doug's tool "xp_secconsole.exe" but he wants money at
some point and think it has a "kill date". That implies changes cannot be
reversed at some point without paying That's hard for me to do when I
give stuff I create away for free if I think it'd benefit the "pc community"
as a whole.

Doug, no chastise intended, just you have to have money before you can spend
money

e.g. http://www.wingmanteam.com/latest_software/gadgets.htm , I wrote the
first utility listed.

 

[Bruce Chambers]

Greetings --

If you're determined to stick to FAT32, than you might as well
abandon any hopes of file security. Of course, the choice is yours.

Also, as it was with WinNT & Win2K before it, WinXP's display
settings are system settings, not variable by user.

Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

Well, the middle two of those links were useless as I have no
intention of
changing from Fat32 because at least I know I can always boot to a
98SE
startup disk and copy files.

The top and bottom ones are why I asked my question in the first
place. It
appeasr that the answer is NO, you cannot simply select an account
and
specify what they can and cannot see and do. Straight forward simple
idea
convoluted by "groups" and the like.

I don't even find it clear what you're actually doing in "this"
account
rather than in "all" accounts, e.g. don't even seem to able to
dictate the
screen resolution on a per user basis.

Greetings --

HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

HOW TO Set, View, Change, or Remove File and Folder Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418

HOW TO Set, View, Change, or Remove Special Permissions for Files
and
Folders
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q308419

HOW TO Use the Group Policy Editor to Manage Local Computer Policy
in
Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307882


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

New install of XP Pro by a 20+ year programmer that's more or
less a
pc
"guru" but have never had longterm exposure to network concerns
except at
the application coding level, e.g. how to connect in code etc.

I run a small ethernet inside my home with this pc running XP
(now
but will
retain dual-boot back to 98SE for foreseeable future) and my wife
and kids
each with their own pc.

I'm not concerned or seeking information about "ethernet
security"
as I
think I have a handle on that. I'm looking for insight into the
multipule
accounts I have setup under XP (never bothered under 98) so I can
allow the
other members of my family, friends etc.to use this pc (which
has
the
"fancy" hardware attached, e.g. video capture, dvd player,
webcam,
scanner,
3daccel games) but under restricted conditions.

Everything seems to be centered around "Groups", e.g. I have the
Admin
account, one for each of my kids (users) and wife (power user),
myself
(Admin) and as well as the Guest account all setup. I'd like to
concentrate
on the Guest account and what I'd like for that Guest account.
I'm
willing
to create a "Group" for every user if that's what it takes.
Here's
what I
have imagined for the Guest account ...

Just icons I choose on desktop are "runable". No right click menu
for any
icon (including taskbar, trayicons and start menu), no anything
in
the start
menu of any sort except the Log Off button. No special key
combo's
to invoke
pop-up dialogs etc. of any sort. No ability to "Browse" anywhere
from within
any "Open/Save" option (e.g. they're at root of drive with no
other
drives/folders available) within any program I do allow them to
run.
No
ability to change any IE settings and certainly not the ability
to
install,
run or save to disk any "anything" off the net (e.g. ActiveX
controls etc.
included).

I know I'm new to this but I don't seem to be able to find anyway
to
indicate "this user" and then specify "can do this" and "not
this".
I'm
finding it difficult that things seem to propagate across
"Groups".
The
Group Policy Editor etc. all seem to make sense but I'll be
damned
if I can
infer from what I've tried so far to accomplish what I want.

Any suggestions, how to's etc. appreciated, including I don't
mind
reading
so url's welcome.

 

[Roger Abell]

If there's no difference why bother?
Exactly. That is why I mentioned it.

If you hunt around you can find a few sites that document the
per-user registry keys for different policy-like customizations.
And, there are more expensive third-party tools for it.

 

[Will Denny]

Hi

Doug's Utility isn't worth $10/£5? If you think that you can do better, do so and stop moaning.

--

Will Denny
MS-MVP Windows - Shell/User


<snip>
| I think I already have Doug's tool "xp_secconsole.exe" but he wants money at
| some point and think it has a "kill date". That implies changes cannot be
| reversed at some point without paying That's hard for me to do when I
| give stuff I create away for free if I think it'd benefit the "pc community"
| as a whole.
|
| Doug, no chastise intended, just you have to have money before you can spend
| money
|
| e.g. http://www.wingmanteam.com/latest_software/gadgets.htm , I wrote the
| first utility listed.
|
|
| | > First, for local login, there is nothing special about the Guest
| > account. When logged in over the net is different, but once it
| > is logged in at the console it is not different from other limited
| > accounts.
| >
| > Local policy affects all accounts equally. To make specific
| > policy type settings per account you need a third-party tool.
| > Doug Knox has a helpful tool at www.dougknox.com for this.
| >
| > Limited (members of the Users group) accounts are fairly well
| > compartmentalized out of the box. You will likely run into issues
| > with things that worked just fine in 98 only working when logged
| > in as a admin, but there are usually way to correct the inadequacies
| > of the software that is designed outside of the Windows certification
| > spec.
| >
| > --
| > Roger Abell
| > Microsoft MVP (Windows Server System: Security)
| > MCSE (W2k3,W2k,Nt4) MCDBA
| > | > > New install of XP Pro by a 20+ year programmer that's more or less a pc
| > > "guru" but have never had longterm exposure to network concerns except
| at
| > > the application coding level, e.g. how to connect in code etc.
| > >
| > > I run a small ethernet inside my home with this pc running XP (now but
| > will
| > > retain dual-boot back to 98SE for foreseeable future) and my wife and
| kids
| > > each with their own pc.
| > >
| > > I'm not concerned or seeking information about "ethernet security" as I
| > > think I have a handle on that. I'm looking for insight into the
| multipule
| > > accounts I have setup under XP (never bothered under 98) so I can allow
| > the
| > > other members of my family, friends etc.to use this pc (which has the
| > > "fancy" hardware attached, e.g. video capture, dvd player, webcam,
| > scanner,
| > > 3daccel games) but under restricted conditions.
| > >
| > > Everything seems to be centered around "Groups", e.g. I have the Admin
| > > account, one for each of my kids (users) and wife (power user), myself
| > > (Admin) and as well as the Guest account all setup. I'd like to
| > concentrate
| > > on the Guest account and what I'd like for that Guest account. I'm
| > willing
| > > to create a "Group" for every user if that's what it takes. Here's what
| I
| > > have imagined for the Guest account ...
| > >
| > > Just icons I choose on desktop are "runable". No right click menu for
| any
| > > icon (including taskbar, trayicons and start menu), no anything in the
| > start
| > > menu of any sort except the Log Off button. No special key combo's to
| > invoke
| > > pop-up dialogs etc. of any sort. No ability to "Browse" anywhere from
| > within
| > > any "Open/Save" option (e.g. they're at root of drive with no other
| > > drives/folders available) within any program I do allow them to run. No
| > > ability to change any IE settings and certainly not the ability to
| > install,
| > > run or save to disk any "anything" off the net (e.g. ActiveX controls
| etc.
| > > included).
| > >
| > > I know I'm new to this but I don't seem to be able to find anyway to
| > > indicate "this user" and then specify "can do this" and "not this". I'm
| > > finding it difficult that things seem to propagate across "Groups". The
| > > Group Policy Editor etc. all seem to make sense but I'll be damned if I
| > can
| > > infer from what I've tried so far to accomplish what I want.
| > >
| > > Any suggestions, how to's etc. appreciated, including I don't mind
| reading
| > > so url's welcome.
| > >
| > >
| >
| >
|
|

 

[cquirke (MVP Win9x)]

If there's no difference why bother? I have no intention of letting anyone
log in over the net on this pc.

In that case, I'd:
- disable hidden admin shares
- do NOT write-share any part of the startup axis
- patch the broken RPC service (and patch generally)
- disable "allow remote assistance invitations..."
- disable IE's "allow third-party browser enhancements"
- turn on XP's firewall on the Internet connection
- turn on XP's firewall on other network connections

The above is terse; ask if you need more detail on any of the above.
If using firewall on LAN, you'd need to open some ports to allow File
and Print Sharing else that will be blocked.

sharing a couple of printers using Netbuei (as I did in 98SE all along).

Nice that you got that to work - I didn't and had to go TCP/IP, at
which point things get entangles with the firewall, etc.

The 98SE pcx's do have various shared folders etc.

Don't write-share C:\, the Windows subtree or (in XP) the whole of
user profiles in "Documents and Settings". Once malware gets write
access to the startup axis, it will spread thru the LAN ++

If sharing any HD volumes from the root, then disable \Autorun.inf
processing for that drive letter at least. TweakUI for XP helps there

If sharing (again, I mean "full" or write-sharing here) any directory
at all, you'd be safest to kill "View As Web Page" as Win9x calls it.
In XP, prolly use Classic views.

I think I already have Doug's tool "xp_secconsole.exe" but he wants money at
some point and think it has a "kill date". That implies changes cannot be
reversed at some point without paying That's hard for me to do when I
give stuff I create away for free if I think it'd benefit the "pc community"
as a whole.

I agree with your decision to avoid NTFS in the interests of data
recovery and the ability to formally clean malware.

I've found multiple user accounts to be more hassle than they are
worth, because of the following:
- each starts off with Microsoft duhfaults
- if set tighter than Admin, all custom settings are lost
- malware's pretty adept at hopping through user rights hoops
- many consumer titles don't run unless Admin
- applying settings to multiple accounts is a drag

For example; every new account starts off with file name extensions
hidden, all data sets located on C:, huge bloated web cache that is
repeated per user )can you say, 1G of FIFO-churning fragmentation?)
etc. With savvy users who are "on my side", I feel they'd be safer
being able to see what files they are dealing with than trusting some
nebulous security rights genie to block malware on their behalf.

Users not "on my side" don't get to sit in the Big Chair

------------ ----- --- -- - - - -

Drugs are usually safe. Inject? (Y/n)

 

[cquirke (MVP Win9x)]

On Sun, 29 Feb 2004 13:56:13 -0700, "Bruce Chambers"

If you're determined to stick to FAT32, than you might as well
abandon any hopes of file security. Of course, the choice is yours.

Yes, that's a given; no system-level per-file security at all in
FAT32, and only rather crude subtree access control via LAN shares
with no equivalent on the local PC itself.

I should make that point clearer when I post - thanks!

Also, as it was with WinNT & Win2K before it, WinXP's display
settings are system settings, not variable by user.

I wasn't referring to resolution, which as you say is not per-user,
but to folder view properties - things like hiding file name
extensions and hidden files, which IMO consitute significant
impediments to the practice of "safe hex".

<fatal context mismatch error: context quotage dumped>

Oops - my bad, I thort you were replying to my post!

-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.