Linked by Thom Holwerda on Thu 29th Dec 2005 23:14 UTC, submitted by DigitalDame
Windows "Microsoft's free Shared Computer Toolkit lets you configure a PC that can be used to search the Internet, look up resources, and run approved programs; it also stops users from making permanent system changes, running arbitrary programs, or introducing malware. Administrators on domain-based PCs have long been able to do this; the toolkit offers a similar level for any PC. You don't need an IT degree - the kit leads an administrator through the steps of locking down a system."
Thread beginning with comment 79729
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Indestructible...?
by on Fri 30th Dec 2005 00:27 UTC in reply to "Indestructible...?"

Member since:

"but it's kinda of an hack using this WDP partition: "

This is the same principal some CD based linux distributions use, except I seem to remember at least one of them will write the session to the CD at the end of a session rather than discarding them.

However, if you have to use windows, (And I have to admit for specialist tasks such as public access internet areas, it wouldnt be my first choice), it seems to be quite effective.

Any changes from Viruses and other Malware wouldnt survive reboot unless they specifically knew what they were attacking, AND knew how to work around it.

However, it seems to be a tacit admission that NTFS's security model can be worked around by those dedicated enough. Which makes we wonder exactly how.

As for the second post about booting from other media:
Its pretty easy to lock down a machine so it will only boot from the HD. Yes, you can reset the BIOS password, but i think someone may query you taking the back of the machine, and this can be prevented by case locks anyway (Certinly everything I have seen from Dell recently has come with easy padlock attachment points.)

If you make your own, or have a pile of donations, you can put a hole through the top lip to put a padlock through. Personally I would remove the CD drive and floppy drive as well (If anyone still bothers with such things as a floppy drive).

Reply Parent Score: 0

RE[2]: Indestructible...?
by Knuckles on Fri 30th Dec 2005 00:44 in reply to "RE: Indestructible...?"
Knuckles Member since:
2005-06-29

I think the better "way" would be to do exactly how other linux distros do it: create a ramdisk and programs just write to it, and when you log off all changes are lost. I just don't get the *need* for another partition, if there are other (simpler) ways.

Also, if you are using a bug or something to gain higher access than you are allowed, what's preventing you from tricking WDP from thinking your are and administrator logging in and turning it off? And if your WDP partition fills up with logged changes, what then?

Also, reading the rest of the article, it prooves again the kind of hack it is:
"If you decide to uninstall the toolkit, you'll want to be very careful.[...] Before uninstalling, you must work backwards through the steps in the Getting Started applet, turning off WDP and undoing the restrictions for all accounts. Only then can you safely uninstall.

You might think it would be easier to uninstall the toolkit by restoring an earlier drive-image backup, but even here you need to act with care. WDP uses a nonstandard configuration for both the main partition and its data storage partition. If your drive-imaging tool supports it, you'd have to delete both partitions and restore the image into the resulting free space. You'd also have to configure the tool to restore the Master Boot Record and mark the restored partition as active."

Reply Parent Score: 1

RE[3]: Indestructible...?
by Googlesaurus on Fri 30th Dec 2005 03:08 in reply to "RE[2]: Indestructible...?"
Googlesaurus Member since:
2005-10-19

"You might think it would be easier to uninstall the toolkit by restoring an earlier drive-image backup, but even here you need to act with care. WDP uses a nonstandard configuration for both the main partition and its data storage partition."

Systems configured with this application are task-driven and built for a specific task. It's was never intended to be something you would install at home, just to dick around with.

In other words; Uninstalling the shared toolkit would seem a technical exercise for those with entire too much time on their hands. The intended audience for this toolkit certainly isn't going to attempt to uninstall it, shy of an MBR wipe.

Reply Parent Score: 1

RE[2]: Indestructible...?
by Sphinx on Fri 30th Dec 2005 05:12 in reply to "RE: Indestructible...?"
Sphinx Member since:
2005-07-09

Ah yes, there is always the higher level of function as written in the Tao, book 8 Hardware and Software, chapter 2;

Reply Parent Score: 1