Applies To: |
|
Summary: |
What options are there to prevent operators from gaining access to the taskbar, running commands, using CTRL+ALT+DEL so that they cannot crash out of Citect or run other software etc in Windows NT. |
Solution: |
I managed to achieve this with a
combination of methods. The following relates to NT4.0 workstation,
and, for example purposes I have used "CITECT_01" as the user..
1) Force automatic NT Logon. This is desirable so that the PC will autostart in the event of a power failure. It also stops users trying to "hack" the NT Logon. Logon as Administrator, run REGEDT32.exe and edit the following key HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon. Set the Autologon flag to a 1 and enter the default domain, userID (CITECT_01) and password - NOTE: the passwords display here, so make sure you are not watched. Once the autologon flag is set, if an operator takes a "Shutdown and Restart" option, NT will just cycle back into Citect (or whatever is in the startup folder). You can still logon as Administrator, but you must hold down the SHIFT key whilst NT is booting for the logon screen to appear. If you do this, it will modify the registry to whatever you logon as, so remember to restart again at the end, hold down the SHIFT key and logon as your default user. 2) Preventing unauthorised Shutdown from within Citect. This can most easily achieved by providing a Shutdown button which has a high level of access security on it. This stops any lower level operators from dropping back to the Desktop. 3) Change Citect to be the Shell. This prevents the CTRL+ESC sequence from selecting the taskbar. It DOES NOT prevent CTRL+ALT+DEL from bringing up the Task Manager, which will still allow RUN and SHUTDOWN options. See Knowledge Base Q1898 for these instructions. It is important that you create a button with a high level of security set on it to run REGEDT32.EXE from within Citect, because it will now always run Citect as soon as it boots and logs on. I have two buttons which only appear when the appropriate level of security login (within Citect) has been made. One runs REGEDT32, the other runs EXPLORER. They normally do not show, as the button's Access property is set to "Disable on insufficient area or privilege" and the style is "Hidden". 4) Prevent shutdown from Task Manager. Login to NT as Administrator and in User Manager, remove Citect users (or group) from the option to "Shutdown the system" under User Rights. They will still get the button under CTRL+ALT+DEL, but, if they click on "Shutdown", it will display a message "Insufficient Rights to shutdown". 5) Prevent programs from being run from the Task Manager (CTRL+ALT+ESC popup) If your users can get into the Task Manager, they can launch any task they can browse. The following steps prevent them from launching any programs. This is quite complicated, and it works per user and per display station so it will have to be set up separately for every user who can logon to NT. I only have "Administrator" and the one, automatic logon of CITECT_01 on my server, and an autologon of CITECT_02 on the display station, so the change had to be made once on both PCs. 5a) Allow the Citect user group to take ownership of files. This is necessary to allow modification of the Registry keys in the next steps. By default, the key we need to change is set by NT to "read", and we must be able to modify it to "Full Control". This is only a temporary step and will be reversed later. Sign on as Administrator (if you are using the Auto logon option from above, you will need to shutdown Citect, and then immediately hold down the SHIFT key to force the NT Logon prompt to display). In User Manager, go to User Rights on menu bar, scroll down to "Take ownership" and then add your Citect user group or users to those already on the list. This will be revoked later. 5b) Take ownership of the key. Logon to NT as the default user e.g Citect_01, then logon to Citect, using your high level access to enable the REGEDT32 button. Run REGEDT32 and go to the following key:- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Select "Security" on the Menu Bar, then "Owner". Click on the "Take Ownership" button, so that user "CITECT_01" now owns the registry key. Click on "Security" again but select "Permissions". Check the box to change all sub-directories and add your user "CITECT_01" to the list allowed to access this key. Remember to select "Full Control" (the default is "Read"). 5c) Change (or Add) RestrictRun key. Logon to NT as the default user e.g Citect_01, then logon to Citect, using your high level access to enable the REGEDT32 button. Run REGEDT32 and go to the following key:- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun. If it is not there at the ...~\Explorer level then click on the Menu Bar "Edit", then "Add Value". Value=RestrictRun, Type REG_DWORD and the Value is 1 to restrict or 0 (zero) to allow. NOTE: Unless you have changed ownership of the key 5d) Revoke Ownership. Similar to step 5a, sign on as Administrator and remove the user's ability to take ownership, using User Manager. 5e) Repeat for each other user (if necessary). One final note, if it is not desirable to use Citect as a Shell because your users may need to run other allowed programs from the Desktop or TaskBar, there is a very good article available from Microsoft's Support site. Article ID Q185590, which outlines what can be disabled from the Taskbar so that a "safe" desktop environment can be achieved. |
Keywords: |
Related Links
Attachments