Computer Security - Re: Securing Kiosks after adding MS Office apps?
#1
"Matt Gehrisch" <> wrote:
>Hello,
>I work in the computer services department at a public library.
>
>We offer internet access to library patrons on about 40 internet kiosks
>throughout the library's three branches. We have been getting an increasing
>number of requests to provide Microsoft Word on these machines in addition
>to the basic internet software. For the time being, we only provide office
>software on 8 machines that are not granted internet access.
>
>We are currently using Centurion Guard and WinSelect 5.0 to secure our
>internet terminals, which are running Windows2000 Professional.
>
>I have been asked to begin researching the steps that we will need to take
>in order to secure our internet Kiosks with the addition of MS Office
>components. We would like to install the Word and Excel portions of
>Microsoft Office 2000.
>
>Specifically, we need to be able to lock out a few menu items, and only
>allow file access to the floppy drive. WinSelect has worked well for us,
>but it seems to be fairly oblivious to MS Word/Excel.
>
>Has anyone set up similar configurations in a library or school environment?

Hi Matt,

Yes, I have a private school as a client.

You can do a good job of locking down drive access with policies and XCACLS.EXE (from the RK). Specifically, check out and use the difference between perms on existing files, and the inherited permissions on new files... Word specifically requires write access to your %systemroot% folder (.\winnt by default) for a scratch file. This is BAD.

Also, I have not seen any method of blocking specific menu items in Office products.

And finally, regardless of how you secure the machines, I recommend making a Ghost image of the completed, secured production machine, and regularly burning that image back onto the PCs... This will undo anything someone has found a way to leave or change on the machine, making them start over.

HTH,

- AJS
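The difference the post above points to, between rights on a folder and rights that new files inherit, can be read from the folder's ACL. The following is an added example, not code from the thread: it assumes the ACL has been captured as `cacls` text output, the folder, account names and sample ACL are constructed, and it handles only single-letter rights, skipping "special access" entries.

```python
import re

# Constructed sample in the layout `cacls <folder>` prints. The folder,
# accounts and ACL are invented for this example.
FOLDER = "C:\\KioskScratch"
SAMPLE = (
    "C:\\KioskScratch BUILTIN\\Administrators:(OI)(CI)F\n"
    "                NT AUTHORITY\\SYSTEM:(OI)(CI)F\n"
    "                KIOSK01\\patron:W\n"
    "                KIOSK01\\patron:(OI)(IO)C\n"
    "                BUILTIN\\Users:(OI)(CI)R\n"
)

ACE = re.compile(r"^([^:]+):((?:\((?:OI|CI|IO)\))*)([NRWCF])$")
WRITE_RIGHTS = {"W", "C", "F"}  # Write, Change, Full control


def parse_acl(folder, text):
    """Return (account, scopes, right) for each simple ACE in cacls output."""
    entries = []
    for i, line in enumerate(text.splitlines()):
        if i == 0 and line.startswith(folder):
            line = line[len(folder):]  # first ACE shares a line with the path
        m = ACE.match(line.strip())
        if not m:
            continue  # blank lines and "special access" blocks are skipped
        flags = set(re.findall(r"\((\w\w)\)", m.group(2)))
        scopes = set()
        if "IO" not in flags:
            scopes.add("folder")          # effective on the folder itself
        if "OI" in flags:
            scopes.add("new files")       # inherited by files created inside
        if "CI" in flags:
            scopes.add("new subfolders")  # inherited by subfolders created inside
        entries.append((m.group(1), scopes, m.group(3)))
    return entries


def writable_scopes(folder, text, account):
    """Scopes in which `account` holds a write-capable right."""
    found = set()
    for who, scopes, right in parse_acl(folder, text):
        if who.lower() == account.lower() and right in WRITE_RIGHTS:
            found |= scopes
    return found


if __name__ == "__main__":
    for who, scopes, right in parse_acl(FOLDER, SAMPLE):
        print(f"{who:26} {right}  {', '.join(sorted(scopes))}")
```

In the constructed ACL the patron account can write to the folder and to files created in it, but gains no write right on new subfolders.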
#2
In article <3ef72b6e$1_7@127.0.0.1>, - AJS <a smith att window products dit com> says...
> "Matt Gehrisch" <> wrote:
> >Hello,
> >I work in the computer services department at a public library.
> >
> >We offer internet access to library patrons on about 40 internet kiosks
> >throughout the library's three branches. We have been getting an increasing
> >number of requests to provide Microsoft Word on these machines in addition
> >to the basic internet software. For the time being, we only provide office
> >software on 8 machines that are not granted internet access.
> >
> >We are currently using Centurion Guard and WinSelect 5.0 to secure our
> >internet terminals, which are running Windows2000 Professional.
> >
> >I have been asked to begin researching the steps that we will need to take
> >in order to secure our internet Kiosks with the addition of MS Office
> >components. We would like to install the Word and Excel portions of
> >Microsoft Office 2000.
> >
> >Specifically, we need to be able to lock out a few menu items, and only
> >allow file access to the floppy drive. WinSelect has worked well for us,
> >but it seems to be fairly oblivious to MS Word/Excel.
> >
> >Has anyone set up similar configurations in a library or school environment?
>
> Hi Matt,
>
> Yes, I have a private school as a client.
>
> You can do a good job of locking down drive access with policies and XCACLS.EXE
> (from the RK). Specifically, check out and use the difference between perms on
> existing files, and the inherited permissions on new files... Word
> specifically requires write access to your %systemroot% folder (.\winnt by
> default) for a scratch file. This is BAD.
>
> Also, I have not seen any method of blocking specific menu items in Office
> products.
>
> And finally, regardless of how you secure the machines, I recommend making a
> Ghost image of the completed, secured production machine, and regularly burning
> that image back onto the PCs... This will undo anything someone has found a way
> to leave or change on the machine, making them start over.

Don't forget to block the HELP menu, once they get to the System Info box they can open / save files and do all sorts of wonderful things. Most people miss that one.

--
(Remove 999 to reply to me)