Use of MinLogon with user accounts and other issues

[Ronan Stokes]

Hi all

I am in the process of developing a consumer device for a client based
around XPE. I have a number of questions regarding use of XPE to build a
consumer device - I am hoping some people here may some answers to some of
the following questions

1) As part of the device operation, the device will use the same
local user for operation across all machines as security does not rely on
domain level user security. However as third party software may be installed
on the device, I want to secure parts of the shell and OS by running various
services under different users. The question is can I use different users
for running processes if I use MinLogon rather than WinLogon and manually
add LSA etc, or is there some other restriction imposed on MinLogon

2) The .Net component has a dependency on MSMQ which for security reasons
we cannot include in our image. I am assuming that this dependency is only
required if we use any of the queue APIs in .Net or is there another
dependency outside of that ?

3) The .Net component has a dependency on DTC which for security reasons we
cannot include in our image. I am assuming that this dependency is only
required if we use any of the System.Data APIs in .Net or is there another
dependency outside of that ?

4) The .Net component has a dependency on Remote Registry Component which
for security reasons we cannot include in our image. I am assuming that this
dependency is only required if we use specific .Net APIs or is there another
dependency outside of that ?

5) Why does client for Microsoft Networks require the Print Spooler

6) Why does DOS Windows on Windows require File Sharing ? Again we cannot
include this component for security reasons.

7) Why does FBA: SCE require Netlogon / Netjoin ?

8) Why does WMI core require Volume Shadow Copy Service






Regards

Ronan Stokes,

Independent Technology Consultant

 

[Sean Liming \(eMVP\)]

Ronan,

To answer teh Minlogon questions: Windows Logon (Standard) has the security
infrustructure (GINA) to support different user logons. MinLogon does not,
it only supports one account: Administrator.

Regards,

Sean Liming
www.seanliming.com
Author: Windows XP Embedded Advanced and Windows NT Embedded Step-by-Step

 

[KM]

To answer teh Minlogon questions: Windows Logon (Standard) has the
security

infrustructure (GINA) to support different user logons. MinLogon does not,
it only supports one account: Administrator.

Local System. (not Administrator)

KM

 

[Lasse]

Hi
1) I am using Minlogon. I use Windows APIs to create users and set
privilieges for the users. File access rights are set with cacls.exe.

My custom shell, (started at power on, running under the system account)
starts different processes under different user accunts.
My services runs under the system account.

All this is to get a better security.

1) ... The question is can I use different users
for running processes if I use MinLogon rather than WinLogon and manually
add LSA etc, or is there some other restriction imposed on MinLogon

5) - 9)

My soulution for all this unwanted functions was a script running after FBA.
It disables several drivers and services and deletes lots of unwanted files.
(e.g. the printer spooler)
Lasse

 

[Ronan Stokes]

Thanks for your help. This sounds like a good potential approach for us

Regards
Ronan Stokes

 

[Sean Gahan]

Ronan,
The .Net Framework requires authentication, additionally the ASPNET user
account will be installed. Basically if you try to put the .NET Framework
on a MiniLogon rather than WinLogon by the time all of the dependencies are
resolved you will come up with an image like the MiniLogon.

Regards,

Sean Gahan