I have a "kiosk" machine that runs on XP SP2.
It must have File and Printer Service.
The logged user is an admin.
I want to somehow not allow him to add shares on folders/drives.

If the logged on user really needs to be an admin, your best bet is to use
software restriction policies (try doing a search of MSDN or the Microsoft
Knowledge Base on that phrase if you aren't familiar with the concept) to
configure a set of allowed executables and block everything else. You need to
think carefully about the effects of each executable on the list; for example,
Windows Explorer should not be permitted, so you'll also need to provide an
alternative shell. In general, any software that allows copying an arbitrary
file or editing a text file isn't safe.

In almost all cases it would be both safer and easier to work around the need
for the user to be an admin. Are you certain this isn't an option?

Microsoft provide a toolkit for shared computers which restores the computer to
the initial state after a reboot; this may provide some additional protection.

Or (better) you could run the kiosk functions on a virtual machine, configured
not to keep changes after reboot. (This might make it OK to allow Windows
Explorer, since it blocks the obvious attack of installing a second operating
system; however, I suspect Windows Explorer would still allow more subtle
attacks even if I can't identify them offhand. You also need to think about
possible attacks on your kiosk application, though you might be able to block
those by putting the kiosk application and data files on the host OS and
accessing them over a virtual network.)

In this context, the File and Printer Service might not need to be on the same
virtual machine as the logged on user, which could provide additional protection.

Harry.
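
The allow-list review suggested in the reply above, as an added example that is not part of the original thread: a simplified Python model of software restriction policy path rules (default level Disallowed, most specific matching rule wins, the more restrictive level wins a tie) used to check whether Windows Explorer or a text editor would still run under a candidate rule set. It models path rules only and is not Windows' own implementation; `C:\Kiosk\kiosk.exe` and both rule sets are constructed for illustration.

```python
import ntpath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

def _norm(path):
    # Windows paths are case-insensitive; drop trailing separators and "..".
    return ntpath.normcase(ntpath.normpath(path))

def _matches(rule_path, exe):
    # A rule matches the exact file, or any file below the folder it names.
    rule, exe = _norm(rule_path), _norm(exe)
    return exe == rule or exe.startswith(rule.rstrip("\\") + "\\")

def decide(exe, rules, default_level=DISALLOWED):
    """Level applied to exe under a list of (path, level) rules."""
    hits = [(len(_norm(p)), level) for p, level in rules if _matches(p, exe)]
    if not hits:
        return default_level          # "block everything else"
    best = max(n for n, _ in hits)    # most specific (longest) path wins
    levels = {level for n, level in hits if n == best}
    return DISALLOWED if DISALLOWED in levels else UNRESTRICTED

# Programs the reply calls out: Windows Explorer and a text editor.
RISKY = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\notepad.exe"]

def still_runnable(rules, candidates=RISKY):
    """Return the candidates that the rule set would still let the user start."""
    return [exe for exe in candidates if decide(exe, rules) == UNRESTRICTED]

# Constructed rule sets. BROAD trusts the whole Windows folder; TIGHT lists
# only the (hypothetical) kiosk application.
BROAD = [(r"C:\WINDOWS", UNRESTRICTED), (r"C:\Kiosk\kiosk.exe", UNRESTRICTED)]
TIGHT = [(r"C:\Kiosk\kiosk.exe", UNRESTRICTED)]

if __name__ == "__main__":
    for name, rules in (("BROAD", BROAD), ("TIGHT", TIGHT)):
        print(name, "still allows:", still_runnable(rules) or "none of the risky set")
```

A folder-wide rule such as the one in `BROAD` is what lets Explorer and Notepad through; an explicit Disallowed rule for one file overrides it only for that file.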