[WEB4LIB] Making Netscape safe - another wild scheme

James Klock j-klock at evanston.lib.il.us
Wed Feb 24 10:33:01 EST 1999


At 04:38 AM 2/24/99 -0800, you wrote:
>[Using Windows NT,] has anyone
>tried to set an entire drive to read-only, and then enabling only 
>what is needed to run netscape?

The hard part appears to be figuring out just what rights a user needs to
run any particular application.  Write privileges to the TEMP directory are
almost always required.  Many applications will fail to run (for no good
reason I know of) if particular DLLs are read-only.  I can't speak for
Netscape Navigator in particular, but it seems to be relatively free of
strange constraints, probably because Netscape's programmers are more of a
unix mindset (where it is assumed that there's more than one user and that
not everyone can be trusted not to break things) than a DOS/Windows one
(where it's assumed that it's your computer, and you can break what you want).

>Combined with restrictive desktop-settings in the registry, this should 
>be fairly safe?

We've had considerable success with a combination of restrictive registry
settings (including Autologon) and restricted disk access on a group of
workstations which are accessing both web-based resources and CD-ROM
products.  They authenticate against an NT Server, so the logon information
is generic across these several machines and is not stored locally.  The
restricted registry settings are handled as a mandatory system policy (now
that I've finally tracked down how to implement system policies.  Yeesh.
"You just save the registry settings as
%SYSTEMROOT%\system32\repl\import\scripts\NTCONFIG.POL".  How ridiculous!)
We currently restrict registry editing, any sign of anything on the
desktop, access to the Settings, Find and Run options in the Start menu,
listing of drives in Explorer, and access to the Network Neighborhood and
Entire Network.  If we wanted, we could also easily turn off contextual
menus in the Explorer, which would more or less prevent people from
launching the Explorer through any normal means (I've found one workaround
using Netscape to get a command-line shell, from which explorer can be run,
but it's sufficiently twisty and there's little enough that can be done
from it that I haven't bothered to apply the fix for it, which is to
disable all contextual menus (which would prevent the right mouse button
from working in any application)).

So, yes, it takes a bit of doing, but NT can basically be locked up tight
without any real need for third party tools.  Supporting this configuration
with an NT server is generally desirable, since it allows everything to be
centrally managed and ensures identical setups across multiple machines,
but the NT server isn't necessary (by the way, from what I hear, there
isn't much that NT Server does in this context that Linux's most recent
version of SAMBA doesn't do...)

And lastly, the Academic Edition Open License Program price for Windows NT
Server is $135.00.  You must buy enough "units" of product at one time to
qualify for the OLP.  Last I heard, a single NT server *was* enough units...

James
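The restriction set James describes (registry editing, desktop, Start > Settings/Find/Run, drive listing, Network Neighborhood, Entire Network, and the optional contextual-menu switch) maps onto a small number of documented Explorer/System policy values. The PowerShell script below is an added example, not code from the original post or from the Web4lib list: it probes which directories the current account can actually write to (the TEMP question from the first paragraph), then applies or audits the same policy values under HKCU. It assumes a current Windows host with PowerShell 5 or later and that it is run as (or with the loaded hive of) the restricted account; in 1999 the same values were delivered through NTCONFIG.POL, which this script does not build.

```powershell
# Added example (not from the original post). Audits write access and applies the
# per-user Explorer/System policy restrictions the post lists, writing directly
# to HKCU instead of via an NTCONFIG.POL system policy file.
# Assumption: run as the restricted account on a modern Windows host.

# Documented policy value names; the comment on each maps it to the post's wording.
$PolicySettings = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Value = 1 }           # restrict registry editing
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop';            Value = 1 }           # any sign of anything on the desktop
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoSetFolders';         Value = 1 }           # Start > Settings
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind';               Value = 1 }           # Start > Find
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Value = 1 }           # Start > Run
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDrives';             Value = 0x03FFFFFF }  # one bit per drive A..Z: hide all
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoNetHood';            Value = 1 }           # Network Neighborhood
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Network';  Name = 'NoEntireNetwork';      Value = 1 }           # Entire Network
    # The trade-off the post mentions: this kills right-click menus in every application.
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewContextMenu';    Value = 1; Optional = $true }
)

function Test-RequiredWriteAccess {
    # Probe the directories an application usually needs to write to, so a
    # "whole drive read-only" baseline is relaxed only where it has to be.
    param([string[]]$Paths = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA))
    foreach ($p in $Paths) {
        $probe = Join-Path $p ("write-probe-{0}.tmp" -f [guid]::NewGuid())
        try {
            [System.IO.File]::WriteAllText($probe, 'x')
            Remove-Item $probe -ErrorAction SilentlyContinue
            [pscustomobject]@{ Path = $p; Writable = $true }
        } catch {
            [pscustomobject]@{ Path = $p; Writable = $false }
        }
    }
}

function Get-KioskPolicyState {
    # Report each wanted value beside what is currently set (or $null if absent).
    foreach ($s in $PolicySettings) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Name    = $s.Name
            Wanted  = $s.Value
            Current = $current
            Applied = ($current -eq $s.Value)
        }
    }
}

function Set-KioskPolicy {
    # Creates the policy keys if missing and sets each DWORD; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$IncludeOptional)
    foreach ($s in $PolicySettings) {
        if ($s.Optional -and -not $IncludeOptional) { continue }
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$($s.Key)\$($s.Name)", "set DWORD $($s.Value)")) {
            New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
        }
    }
}

Test-RequiredWriteAccess | Format-Table -AutoSize
Set-KioskPolicy -WhatIf            # dry run; drop -WhatIf to apply, add -IncludeOptional for NoViewContextMenu
Get-KioskPolicyState | Format-Table -AutoSize
```

Run the write-access probe first as the locked-down account: a directory that comes back `Writable = $false` but is needed by the browser (TEMP being the usual one) is where the read-only baseline has to be relaxed, and nowhere else. Values written under HKCU apply to the current user's session after the next logon; where a domain is available, the same value names belong in a policy delivered centrally, as the post recommends, rather than hand-set per machine.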

