– Soli Deo Gloria
Recently, I was presented with an opportunity to create a locked down, autologin PC running Windows XP. I had also read about the Shared Computer Toolkit for Windows XP in a recent TechNet article. The Shared Computer Toolkit for Windows XP allows you to easily lock down a machine through a GUI interface. No longer do you have to do ugly registry hacks! In my case, all the computer had to do was run an AS/400 client. These users had an AS/400 login, but not a network login. Best practices dictate “the principle of least privilege”. Haha, this is going to be fun!
During the installation of the toolkit, you are prompted to download the user profile hive cleanup utility. Go ahead and do so. After installing UPHClean, re-run the toolkit setup. You are presented with several options. Let’s pick “User Restrictions”. This will lock down a specific user’s profile. That means you have to have created a user account and logged in as that account at least once (so the profile gets created). Let’s take a look at some of the options:
There is a copious number of features at our disposal. You can lock it down so far that the only thing the user will have is the option to run a program that you specify! There are, however, a few words of caution. Under the software restrictions section there is an option “Only allow software in Program Files and Windows folders to run”. If you are installing a program outside Program Files, be sure NOT to enable this feature. Also, under additional Start Menu restrictions, there is an option “Prevent programs from the All Users folder from appearing on the Start Menu”. That is exactly where I put icons for all users of the machine, so I left that disabled.
Let’s create a kiosk Windows XP machine where I want to allow users to surf the Internet and be able to do nothing else. Further assume that I have a proxy server which blocks out pornographic sites. I’m going to turn off themes by stopping and disabling the Themes service. Now I will login as the user I want to restrict and switch the start menu back to classic mode. I’ll also change the background to a plain blue color. I’ll rip everything off the start menu and place an Internet Explorer icon on the desktop. Make sure that the user just has read/execute rights to the icon so they cannot modify or delete the icon. To make cleaning up the start menu easier, open up C:\Documents and Settings and keep deleting the items you don’t want from the user’s profile directory AND the All Users directory. After doing this, here is the result:
There are two folders you cannot delete because Windows XP says they are protected: Administrative Tools and Startup. That is OK though: the toolkit can disable them for the profile. The toolkit will also let us get rid of the Recycle Bin and everything else on the Start Menu. Let’s lock this bad boy down and see the result:
Hahaha! Well hacker boy, where do you want to go today? Certainly nowhere on this locked down PC! When you hit CTRL-ALT-DEL, you are presented with this message:
Where art thou hacker boy? If we go back to the toolkit you’ll notice another option: lock profile. What exactly does this do? It makes the profile a mandatory profile by renaming NTUSER.DAT to NTUSER.MAN. Basically, any changes made to the profile will be flushed when the computer reboots. As if the user could make any changes to the profile to begin with! Let’s lock the profile and continue on to the autologin portion. The toolkit does not come with any type of auto-login capability, but we don’t need it to. There is a slick utility made by Tommy Mikkelsen called Autolog which will do exactly that. Before running it, go into the User Accounts icon in the Control Panel and turn off the “Welcome Screen”.
This utility was made for computers running Novell, but don’t worry: if you are not running Novell that is OK.
Erase the domain/workstation information. Enter the name and password of the account you are using. Under mode, pick “Autologin to workstation, do not use E-dir”. eDirectory is Novell NetWare’s directory service. Click Enable Autologin. Logout and watch the magic! Using this method is a lot better than registry hacks, because the autologin portion does NOT seem to break when you use the shift-logoff method. When you want to login to the workstation as an administrator, you hold down the left shift key and then hit logoff. It will then give you the login screen to login as yourself. After you are done and logout, the script resumes. How cool is that?
There is another feature of the toolkit: disk protection. It allows you to create a hidden partition which rolls back any changes made during the login session. Unfortunately, when I tried it at work on a Compaq Deskpro 733 MHz, it would cause the computer to freeze up when I logged in as the restricted user. Logging in as an administrator worked fine though.
– Soli Deo Gloria
It seems that Best Buy entered into an agreement with Winternals to demo their software, specifically the Administrator’s Pak. Winternals came to Best Buy giving training sessions to Best Buy employees, to show them how to best use the software.
Now, read the following from the news section of Winternals:
The complaint also alleges that, “at these training sessions, certain employees of Defendants approached Winternals’ representatives and stated that many of Defendants’ employees were very familiar with The Winternals Software and, in fact, had already been using The Winternals Software to repair malfunctioning and ‘dead’ computers of Defendants’ customers for some time without a license. These employees expressed that they were glad to see the Defendants finally coming into compliance with Winternals by seeking a license to The Winternals Software.”
As we read through the complaint, things get juicier! Supposedly, Winternals went undercover and contacted the “geeks” from Best Buy to come fix their PC. Guess what they were using? Pirated copies of the Winternals software! Here’s a snippet from the complaint:
“In one instance, a Geek Squad employee was videoed repairing a customer’s computer using a pirated copy of ERD Commander. The copy of ERD Commander used in the videotape is an illegal, ‘cracked’ copy of ERD Commander. This version of ERD Commander is identifiable, because the start up screen conspicuously displays the word ‘Gold Member’ in the licensee information field next to the Winternals logo. Winternals has never granted a license to any person or entity named ‘Gold Member’.”
– Soli Deo Gloria
Take a look at this thread. This guy works as the city manager for the city of Tuttle in Oklahoma. His ISP did some reconfiguring of their servers which caused the city’s web sites to point at an unconfigured web server running CentOS (wrong DNS records). After getting the default configuration page for CentOS, he apparently started to e-mail CentOS tech support and was threatening to call the FBI on them. I love it when he states “I have no fear of the media, in fact I welcome this publicity.” It seems he has changed his tune and removed his e-mail address from his web site.
– Soli Deo Gloria
We have all heard of the Windows WMF vulnerability and the need to apply patch KB912919. Maybe you don’t run WSUS or any patch management at all. Yet being the lazy administrators we are, we would rather the computer do all the grunt work instead of us. Having been assigned 80 computers to patch, I was looking for a way to do this remotely rather than run around like a mad man patching systems by hand. In order to do this we need a few things. First, we need a list of the NETBIOS names of the computers involved. No sweat here: I had inventoried all the computers I was responsible for in an Excel spreadsheet. Just save as a plain text file and it’s done. Next, we need the Server service turned ON, the Windows firewall turned OFF and File and Printer Sharing INSTALLED and ENABLED on the end workstations. You’ll also need the local administrator password and have the remote machine turned on. I found this batch file on the newsgroup and modified it for my purposes. You can look at the script here. To run it, you must first save the TXT file as a BAT file. Then, pass your administrator password as the second argument like this: patchem FuNkYMonk3Y. Finally, make sure there is a plain ASCII text file named PCLIST.TXT in the same directory in which PATCHEM.BAT resides. The format of PCLIST.TXT should look like this.
The batch file is pretty slick. It uses PsExec to remotely execute a file on the remote workstation using administrator credentials. The FOR loop keeps cycling through PCLIST.TXT, passing each NETBIOS name to PsExec to try. There is a line that copies the file to the workstation before running it. PsExec -c should now work, so you can eliminate the copy line and issue that additional parameter instead (PsExec -c didn’t work and I alerted Russinovich to that fact, which he acknowledged and fixed in January 2006).
That was pretty cool…but how do we know which computers got the patch and which ones didn’t? Well, we can re-use the script above with a little tweaking. Take a look at it here. Basically, it looks for the presence of a $NtUninstallKB912919$ folder under the Windows folder. If it finds it, we assume the system is patched and move on. However, if it doesn’t find it, it writes that computer name out to RESULTS.TXT. We can, in turn, rename RESULTS.TXT back to PCLIST.TXT and feed PATCHEM.BAT this list until we have exhausted the automated route. The computers that are left will have to be done by hand.
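The two scripts the post links to are not reproduced on this page, so here is an added reconstruction of both behaviours in one batch file. This is my example, not the author’s script: patch mode pushes the hotfix with PsExec -c as the post describes, and check mode tests each PC for the $NtUninstallKB912919$ folder and writes the names that lack it to RESULTS.TXT, ready to be renamed back to PCLIST.TXT. The hotfix file name, the local account name Administrator, the C:\WINDOWS path, the FAILED.TXT log and the optional “check” argument are all my assumptions.

```batch
@echo off
REM PATCHEM.BAT - added example, not the batch file the post links to.
REM   patchem <local-admin-password>         push KB912919 to every PC in PCLIST.TXT
REM   patchem <local-admin-password> check   only look for the uninstall folder and
REM                                          write the PCs that lack it to RESULTS.TXT
REM Assumptions: PsExec.exe and the hotfix EXE sit next to this script, every PC has
REM the same local Administrator password, and Windows is installed in C:\WINDOWS.
setlocal
if "%~1"=="" (
    echo Usage: %~n0 ^<local-admin-password^> [check]
    exit /b 1
)
set "ADMINPW=%~1"
set "MODE=%~2"
set "PATCHEXE=WindowsXP-KB912919-x86-ENU.exe"
set "MARKER=C:\WINDOWS\$NtUninstallKB912919$"

if not exist PCLIST.TXT (
    echo PCLIST.TXT is missing - one NETBIOS name per line
    exit /b 1
)
if /i "%MODE%"=="check" if exist RESULTS.TXT del RESULTS.TXT

REM eol=; lets you comment a PC out of PCLIST.TXT with a leading semicolon;
REM FOR /F skips blank lines on its own.
for /f "eol=; tokens=1" %%P in (PCLIST.TXT) do (
    if /i "%MODE%"=="check" (call :check %%P) else (call :patch %%P)
)
endlocal
exit /b 0

:patch
echo === %1: pushing %PATCHEXE%
REM -c copies the EXE to the remote PC before running it (the post's separate copy
REM line is no longer needed); -f overwrites a stale copy from an earlier attempt.
REM PsExec hands back the exit code of the remote process: 0 = installed,
REM 3010 = installed but a reboot is pending (we passed /norestart).
psexec \\%1 -u Administrator -p %ADMINPW% -c -f %PATCHEXE% /quiet /norestart
if %errorlevel%==0 (
    echo === %1: installed
) else if %errorlevel%==3010 (
    echo === %1: installed, reboot pending
) else (
    echo === %1: FAILED, exit code %errorlevel%
    >>FAILED.TXT echo %1 exit code %errorlevel%
)
goto :eof

:check
REM DIR returns 1 when the folder is absent and PsExec passes that code back.
REM A PC we cannot reach at all also lands in RESULTS.TXT, which is what we
REM want: it is one of the machines that has to be done by hand.
psexec \\%1 -u Administrator -p %ADMINPW% cmd /c dir "%MARKER%" >nul 2>&1
if %errorlevel%==0 (
    echo === %1: patched
) else (
    echo === %1: NOT patched
    >>RESULTS.TXT echo %1
)
goto :eof
```

Two things to keep in mind when using it: the password given on the command line is visible to anyone who can list processes on the machine you run it from, and PsExec of that era sends the -p password to the remote PC in clear text (encryption of the session only arrived with PsExec v2.1), so run it from a trusted admin workstation and rotate the local Administrator password once the rollout is done. The Windows firewall that had to be turned OFF for the Server service to be reachable should go back ON afterwards.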
Darn, my seat was just getting warm too!
– Soli Deo Gloria