Configuring Restricted Systems
May 15th, 2007
Programmers who are on projects that involve writing point-of-sale, information kiosk, industrial control, and other such systems are often tasked with blocking users from accessing any other programs on the system, particularly things like task manager or other system applications. One of the biggest programming mistakes you can make is to allow such users local administrative access and then try to block them in code.
The reason it is a mistake is that unless you code to a very low level your measures can easily be circumvented by a knowledgeable user who has local administrative access. They can easily boot the system in safe mode and disable your ‘protection’ and do whatever they want to do with the system. Low level solutions, which would have to be written in unmanaged C++ code or Assembly, may have undesirable side effects and are really a waste of programming resources when Windows already provides tools for this purpose.
Another benefit to using policies is that the system will be easier to support, because local system admins can log in without restrictions to perform routine maintenance tasks. System administrators really don't have time to deal with 'secret handshakes' and the like to get around your security when they're trying to maintain 100's, if not 1000's, of systems.
Therefore, it is important that you work with a system administrator to set policies that limit what users who need to be restricted can do on the system. This Microsoft Knowledge Base article covers the basics and has links to other articles with more details on how to administer group policies: "How to implement system policies for Windows XP-based, Windows 2000-based, and Windows Server 2003-based client computers in non-Active Directory environments". You can also search MSDN and TechNet articles to find additional information that would apply better to your particular network configuration.
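As an added example (not part of the original article), the PowerShell function below lets an administrator confirm the two points made above: that the restricted account is not a local administrator, and that per-user policy restrictions are actually applied to it. The account name `KioskUser` and the particular policy values checked are assumptions chosen for illustration; run it from an elevated session while the restricted user is logged on.

```powershell
# Added example: audit a restricted (kiosk/POS) account from an elevated admin session.
# 'KioskUser' and the list of policy values below are illustrative assumptions.
function Test-RestrictedAccount {
    param([Parameter(Mandatory)][string]$UserName)

    # Resolve the account name to its SID.
    $sid = ([Security.Principal.NTAccount]$UserName).Translate(
        [Security.Principal.SecurityIdentifier]).Value

    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    # Only direct members are listed; nested domain groups are not expanded.
    $isAdmin = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -eq $sid }).Count -gt 0

    # Per-user registry values written when the matching policy setting is enabled.
    $checks = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' }
        @{ Key = 'Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD' }
    )

    # A user's hive is mounted under HKEY_USERS only while that user is logged on.
    $hive = "Registry::HKEY_USERS\$sid"
    $policies = $null
    if (Test-Path $hive) {
        $policies = foreach ($c in $checks) {
            $item = Get-ItemProperty -Path "$hive\$($c.Key)" -Name $c.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Policy  = $c.Name
                Applied = [bool]($item -and $item.($c.Name) -ne 0)
            }
        }
    }

    [pscustomobject]@{
        User         = $UserName
        Sid          = $sid
        IsLocalAdmin = $isAdmin      # should be False for a restricted account
        HiveLoaded   = [bool]$policies
        Policies     = $policies     # $null when the user is not logged on
    }
}

# Usage: review the report; IsLocalAdmin = True means the policies can be bypassed.
Test-RestrictedAccount -UserName 'KioskUser' | Format-List
```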
Entry Filed under: Tip Sheets