Making windows run only one program visible to the user - windows

So I have been charged with the task of making all of the computers for a small company only able to access a single website, sort of like a web kiosk. After playing with a lot of the whitelist web filtering software out there, I found nothing in the company's budget that really does what they want (blocking user access to all programs except IE, with IE only able to access one domain). I'm not the greatest programmer in the world, but I figured I could throw together a really simple C# web browser that only allowed access to a particular domain and make the users use that. The problem is that C# relies on other things existing in Windows to work properly. If it were possible to set up a Windows machine so that when a user logs on, all Windows functions are hidden but still running in the background, and one specific program is running, then this C# web browser would start on the right domain and that would really be all that the user could do. Does anyone know of a way to make this happen?
Other solutions to my problem would be greatly appreciated. I would prefer a solution that is user specific on individual machines, not a network filter or something higher up. So that I can access the full web and computers when I do maintenance on them and because users could just access one of the many wifi networks available from neighboring offices if it was network level.
Oh yeah, and some machines are windows 7, and others are running XP.

I suggest you use the CreateDesktop/SwitchDesktop WinAPI calls from user32.
E.g. http://msdn.microsoft.com/en-us/library/ms686347(v=vs.85).aspx
I don't know how to call this from C#, but I think it is possible.
So you should integrate desktop creation and switching into your simple C# browser (at its start) or into a separate application which then starts your browser. Add this application (or the browser) to the user's autorun.
Be very careful: when you do a desktop switch, it is very hard (I think impossible) to switch back.
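As an added illustration of the CreateDesktop/SwitchDesktop approach (this is editor-supplied example code, not code from the answer above or from the asker's browser), the launcher below creates a second desktop, starts the kiosk browser on it, and switches the interactive input to that desktop. A freshly created desktop has no Explorer shell, so the taskbar, Start menu and the user's other windows are simply not present there. The launcher keeps the handle of the desktop it started from and switches back to it once the kiosk process exits; the desktop name `KioskDesktop` and the browser path `C:\Kiosk\KioskBrowser.exe` are assumed placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example (not from the original post). Runs a kiosk program on its own
// desktop so the user sees nothing else, then returns to the normal desktop.
static class KioskDesktopLauncher
{
    const uint GENERIC_ALL = 0x10000000;            // desktop access mask
    const string KioskDesktopName = "KioskDesktop";  // assumed desktop name

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateDesktop(string lpszDesktop, IntPtr lpszDevice,
        IntPtr pDevmode, int dwFlags, uint dwDesiredAccess, IntPtr lpsa);

    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr GetThreadDesktop(uint dwThreadId);

    [DllImport("kernel32.dll")]
    static extern uint GetCurrentThreadId();

    [DllImport("user32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool SwitchDesktop(IntPtr hDesktop);

    [DllImport("user32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseDesktop(IntPtr hDesktop);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars,
                   dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CreateProcess(string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
        uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    static void Main(string[] args)
    {
        // Placeholder path: the single-domain browser the question describes.
        string kioskExe = args.Length > 0 ? args[0] : @"C:\Kiosk\KioskBrowser.exe";

        // Remember where we came from so we can switch back later.
        IntPtr originalDesktop = GetThreadDesktop(GetCurrentThreadId());

        IntPtr kioskDesktop = CreateDesktop(KioskDesktopName, IntPtr.Zero, IntPtr.Zero,
                                            0, GENERIC_ALL, IntPtr.Zero);
        if (kioskDesktop == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error(), "CreateDesktop failed");

        // STARTUPINFO.lpDesktop names the desktop (in the current window station)
        // on which the new process's windows are created.
        var si = new STARTUPINFO { lpDesktop = KioskDesktopName };
        si.cb = Marshal.SizeOf(si);
        PROCESS_INFORMATION pi;
        if (!CreateProcess(null, "\"" + kioskExe + "\"", IntPtr.Zero, IntPtr.Zero,
                           false, 0, IntPtr.Zero, null, ref si, out pi))
        {
            CloseDesktop(kioskDesktop);
            throw new Win32Exception(Marshal.GetLastWin32Error(), "CreateProcess failed");
        }

        try
        {
            // Make the kiosk desktop the one that is displayed and receives input.
            if (!SwitchDesktop(kioskDesktop))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "SwitchDesktop failed");

            // The launcher stays alive for as long as the kiosk browser runs.
            using (Process p = Process.GetProcessById(pi.dwProcessId))
                p.WaitForExit();
        }
        finally
        {
            // Return to the normal desktop and release all handles.
            SwitchDesktop(originalDesktop);
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            CloseDesktop(kioskDesktop);
        }
    }
}
```

Two practical points for anyone using this pattern: the launcher must keep running, because nothing on the kiosk desktop will bring the user back if it dies, and any way the user finds to end the kiosk process (a crash, Task Manager reachable through a hotkey) returns them to the normal desktop, so the desktop switch should sit on top of a standard, non-administrative user account rather than replace one.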

Can a website directly interface with os? WebUSB? Access windows dism?

I am lucky and thankful to be home for the holidays, and I wish everyone who reads this the best! I have an annual habit of doing windows clean installs on many of my family members' pcs along with my own.
I use dism in cmd/PowerShell on windows to create custom images for certain pcs, like adding drivers, removing preinstalled windows apps, updating preinstalled programs, etc. I made a small little PowerShell script that helps in the process as it is very tedious. (I normally do this while watching TV or something else.)
That got me thinking. Google created Android Flash Tool that sends commands to android devices directly from a website. It even can download new android images/builds and flash them to the device. I also stumbled upon Simon Chan's WebADB.
Those two examples are pretty cool; massive kudos to the developers of both. I was just hoping for some rough ideas. Is running say dism.exe possible on the web? Like taking a cloud file (like Google's android images) and running dism to make some user-selected customizations?
This process would entail being like a web-based Rufus by formatting and putting files on a user-selected USB Stick. (This should be possible?) However, the next step would require "talking to windows" and accessing dism.exe directly on the local windows machine. Then mounting an ESD/wim file that was just put on the USB stick, then making changes to it using dism, and then unmounting and committing changes to the stick. Would this be possible?
This is just a very early stage idea and would honestly probably be more hassle than it is worth. But I could totally work on it during my spare time just to learn. Frankly, before I should have asked the above questions, I should have asked:
Can a website talk directly to "windows."
Can a website say tell windows to unzip a file locally or zip a bunch of files?
Create folders or simple tasks such as writing files directly to a directory (without chrome/file explorer holding its hand)?
I have built websites before, I have used npm/node, angular, and familiar with Google Firebase/GCP. However, this seems more complicated and out of my knowledge base. Hilariously, I am a computing security/networking engineer, and I can't even begin to fathom the sheer amount of security issues that would be possible with something like this. The site basically needs access to run cmd/terminals on the client machine. The thought of that gives me nightmares.
As computing and, namely, the web continues to evolve with the advent of new APIs, PWAs, etc., it is interesting what one can do with a "simple" website. If what I am describing is not possible now, I hope that someday it can be—in a fully secure way.
Thank you to whoever reads this and responds! I am looking for a "yes/no, you're crazy" and hopefully a rough description of how/what. However, I am open to anything! Thank you again.

How can I enumerate shared folder sessions on a remote computer without WMI (preferably in C#)

First allow me to start off with a short explanation of why I must do this without WMI.
I am trying to list all the sessions attached to an EMC Celerra NS20. This particular device allows you to connect to it with the Computer Management MMC snap-in to view shares, but I quickly found out that it is NOT MS Windows based and does not support WMI.
The reason I want to do this without using the snap-in is simply because I am trying to create a tool to monitor sessions across a set of servers (most of which are Windows Servers) to track what users are logged in, from where, and how many computers, etc.
I have searched and read extensively about the Celerra exposing an XML API (I thought this might be what the Computer Management Console used). However, after running a packet capture to see what Compmgmt.msc was actually sending back and forth, it appears to be using the SMB2 protocol.
So I am trying to figure out if there is:
A) A good library for doing this kind of work with SMB/Samba (preferably for C#).
B) If anyone knows a better way to retrieve this information.
If anyone has a good idea of how to do this but just not in C#, I am willing to implement this in any language and then pipe it into my program if necessary.
I hope I have clearly explained my problem. Any help regarding this is greatly appreciated. Thank you for your time.
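The question has no answer on the page; the following is an editor-added example, not something posted by the asker or by EMC. It uses NetSessionEnum from netapi32.dll, the server-service call that the Computer Management snap-in itself issues over SMB when it lists sessions, so the remote side needs no WMI, only an SMB server that implements that call (Windows does; a device the snap-in can already browse is expected to as well). Information level 10 returns the client name, user name, active time and idle time and does not require administrative rights on the server. The server name `\\FILESERVER01` is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example (not from the original post): session monitoring without WMI,
// via the NetSessionEnum server-service API (netapi32.dll).
public static class SmbSessionMonitor
{
    const int NERR_Success = 0;
    const int ERROR_MORE_DATA = 234;               // "call again with the resume handle"
    const uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;  // let the API size the buffer

    // SESSION_INFO_10 from lmshare.h: level 10 needs no admin rights on the server.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct SESSION_INFO_10
    {
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_cname;     // client computer
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_username;  // user who opened it
        public uint sesi10_time;       // seconds the session has been active
        public uint sesi10_idle_time;  // seconds the session has been idle
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int NetSessionEnum(string serverName, string clientName, string userName,
        int level, out IntPtr buffer, uint prefMaxLen, out int entriesRead,
        out int totalEntries, ref int resumeHandle);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    public sealed class SmbSession
    {
        public string Server;
        public string ClientName;
        public string UserName;
        public TimeSpan Active;
        public TimeSpan Idle;
    }

    // Returns every session the server currently holds. Any status other than
    // success or ERROR_MORE_DATA is raised as a Win32Exception.
    public static List<SmbSession> Enumerate(string server)
    {
        var sessions = new List<SmbSession>();
        int resume = 0;
        int status;
        do
        {
            IntPtr buf;
            int read, total;
            status = NetSessionEnum(server, null, null, 10, out buf, MAX_PREFERRED_LENGTH,
                                    out read, out total, ref resume);
            if (status != NERR_Success && status != ERROR_MORE_DATA)
                throw new Win32Exception(status, "NetSessionEnum failed for " + server);
            try
            {
                int size = Marshal.SizeOf(typeof(SESSION_INFO_10));
                for (int i = 0; i < read; i++)
                {
                    // Walk the array of structures the API returned.
                    IntPtr entry = new IntPtr(buf.ToInt64() + (long)i * size);
                    var raw = (SESSION_INFO_10)Marshal.PtrToStructure(entry, typeof(SESSION_INFO_10));
                    sessions.Add(new SmbSession
                    {
                        Server = server,
                        ClientName = raw.sesi10_cname,
                        UserName = raw.sesi10_username,
                        Active = TimeSpan.FromSeconds(raw.sesi10_time),
                        Idle = TimeSpan.FromSeconds(raw.sesi10_idle_time)
                    });
                }
            }
            finally
            {
                if (buf != IntPtr.Zero) NetApiBufferFree(buf);  // always release API memory
            }
        } while (status == ERROR_MORE_DATA);
        return sessions;
    }

    static void Main(string[] args)
    {
        string server = args.Length > 0 ? args[0] : @"\\FILESERVER01";  // placeholder
        foreach (SmbSession s in Enumerate(server))
            Console.WriteLine("{0,-16} {1,-20} {2,-20} active {3} idle {4}",
                              s.Server, s.ClientName, s.UserName, s.Active, s.Idle);
    }
}
```

Because the buffer is released in a `finally` block and the loop re-enters on ERROR_MORE_DATA, the routine is safe to call on a timer from a monitoring service; the same function, run once per server in the set, gives the cross-server view the question is after.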

How to register custom program to handle mailto protocol on Windows 7

OK, it might be a problem with my system but I'm having a very difficult time getting Windows 7 to recognize my custom exe as the default handler of the mailto protocol.
First, I've seen this:
Register Windows program with the mailto protocol programmatically
Next, I've seen these:
How to Register an Internet Browser or Email Client With the Windows Start Menu
Registering an Application to a URL Protocol
I've added what seemed the appropriate registry entries but I still get Windows Live Mail coming up every time I click a mailto link (whether in a browser or via the Run window). I've set the registry entries for all users and for the current user, still it doesn't work.
When I go to the 'default programs' app and scroll down to the mailto protocol, I only see Outlook and Windows Live Mail listed. My custom app doesn't even appear.
I figure that it's either something special with Windows 7 or it's something with my computer.
My custom app is a WinForms .Net app but I don't think that matters.
Any ideas are greatly welcome.
The way described in the answer which you referenced in your question seems to be the correct way for Windows 7, as for other operating systems.
I suppose that you use a 64-bit version of Windows 7 and your program is a 32-bit application. So if your application writes to the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mailto\shell\open\command key, it modifies only the key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\mailto\shell\open\command used for 32-bit applications. You can read more about registry virtualisation here and here.
If this is your case, you can directly call the native Win32 API RegOpenKeyEx with the KEY_WOW64_64KEY flag, which will be ignored on a 32-bit operating system.
Though a pretty late answer, what worked out for me is this: in regedit, this supersedes the registry keys mentioned in other answers:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\URLAssociations\MAILTO\Userchoice
Have a look at this page:
Default Mailto Registry
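To tie the two answers above together, here is an editor-added example (not code from either answer or from the asker's application). It writes the mailto ProgId and the Default Programs registration into the 64-bit registry view using RegistryView.Registry64, the managed counterpart of the KEY_WOW64_64KEY flag, so a 32-bit .NET process is not redirected into Wow6432Node; it then reads back what both views and the per-user UserChoice key actually contain, which is the check to run when the handler still does not appear. The ProgId `MyMailClient.Url.mailto`, the application name and the executable path are assumed placeholders, and RegistryView needs .NET 4.0 or later.

```csharp
using System;
using Microsoft.Win32;

// Added example (not from the original answers): register a mailto handler in
// the 64-bit registry view and diagnose which handler Windows will actually use.
static class MailtoRegistration
{
    const string AppName = "MyMailClient";                                    // placeholder
    const string ProgId = "MyMailClient.Url.mailto";                          // placeholder
    const string ExePath = @"C:\Program Files\MyMailClient\MyMailClient.exe"; // placeholder
    const string UserChoicePath =
        @"Software\Microsoft\Windows\Shell\Associations\URLAssociations\MAILTO\UserChoice";

    // Machine-wide registration; needs an elevated (administrator) process.
    public static void RegisterMachineWide()
    {
        string command = "\"" + ExePath + "\" \"%1\"";
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine,
                                                          RegistryView.Registry64))
        {
            // 1. The ProgId that carries the protocol handler itself.
            using (RegistryKey prog = hklm.CreateSubKey(@"SOFTWARE\Classes\" + ProgId))
            {
                prog.SetValue("", "URL:MailTo Protocol");
                prog.SetValue("URL Protocol", "");
                using (RegistryKey cmd = prog.CreateSubKey(@"shell\open\command"))
                    cmd.SetValue("", command);
            }
            // 2. The legacy "mailto" class, so the handler works even without UserChoice.
            using (RegistryKey cmd = hklm.CreateSubKey(@"SOFTWARE\Classes\mailto\shell\open\command"))
                cmd.SetValue("", command);

            // 3. Capabilities + RegisteredApplications are what make the program
            //    show up in the Windows 7 "Default Programs" list at all.
            string capabilities = @"SOFTWARE\Clients\Mail\" + AppName + @"\Capabilities";
            using (RegistryKey cap = hklm.CreateSubKey(capabilities))
            {
                cap.SetValue("ApplicationName", AppName);
                cap.SetValue("ApplicationDescription", AppName + " mail client");
                using (RegistryKey assoc = cap.CreateSubKey("URLAssociations"))
                    assoc.SetValue("mailto", ProgId);
            }
            using (RegistryKey reg = hklm.CreateSubKey(@"SOFTWARE\RegisteredApplications"))
                reg.SetValue(AppName, capabilities);
        }
    }

    // Reads the command stored under Classes\mailto in the given view, or null.
    public static string ReadMailtoCommand(RegistryView view)
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey cmd = hklm.OpenSubKey(@"SOFTWARE\Classes\mailto\shell\open\command"))
            return cmd == null ? null : cmd.GetValue("") as string;
    }

    // Reads the per-user choice that overrides the class keys on Windows 7.
    public static string ReadUserChoiceProgId()
    {
        using (RegistryKey uc = Registry.CurrentUser.OpenSubKey(UserChoicePath))
            return uc == null ? null : uc.GetValue("Progid") as string;
    }

    static void Main(string[] args)
    {
        if (args.Length > 0 && args[0] == "--register")
            RegisterMachineWide();

        // Seeing the command in Registry32 but not Registry64 is the symptom of
        // the WOW64 redirection described in the answers.
        Console.WriteLine("64-bit view : " + (ReadMailtoCommand(RegistryView.Registry64) ?? "<missing>"));
        Console.WriteLine("32-bit view : " + (ReadMailtoCommand(RegistryView.Registry32) ?? "<missing>"));
        Console.WriteLine("UserChoice  : " + (ReadUserChoiceProgId() ?? "<not set>"));
    }
}
```

If the UserChoice line names another ProgId, that is the handler the user will get regardless of the Classes keys; on Windows 7 the supported way to change it is through the Default Programs UI (or an installer's default-programs prompt), which is why being listed there via the Capabilities registration matters.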
How can I add a custom url handler on Windows. Like iTunes itms:// Related but not.
This seems like a very high-nerd-level context to a fairly common problem. As a nerd, I'm swept up by the discourse on 64 vs x86 and the pseudo-universal binary aspects of .net. But the tech support troubleshooter in me can't help but think that the core problem needs to be made plain and addressed systematically...
So your real problem, regardless of the mail client (as you said yourself), and regardless of your CPU, is that you can't get your mail client to be the default protocol handler for mailto. Or to make it really simple, you can't get the program you like to be the default program.
I'm inclined to think that the 64/86 aspects of the problem are not relevant. They are interesting, and possibly having some effect, but if the program is running just fine (no issues with the code in that architecture, etc), and if it does email just fine (emails get sent and received, all SMTP and IMAP all the way), then I doubt the OS is plotting to keep the client from taking over as the leader of the porch dogs.
If anything, I would say that the client has self-esteem issues and is afraid to be the mailto protocol handler. Most clients can't resist asking if they should be the primary and if you say yes, they pass the word along to the other apps and to the registry. They make sure everyone knows they are the new Mailbox king in the house.
So, what I would try first (basic troubleshooting): install another mail client and see if it has the same issue. If it does, your OS is a bully and you'll want to explore such routes.
But if this other client can get into the default programs club and be made the mailto handler, then the problem is with your app. It's a big wimp that doesn't know how to properly assert himself.
But like so many underdogs waiting for a cool kid to take them under their wing (and by wing, I mean Thunderbird. Don't bother with any other client), your app can stand on the shoulders of the working third-party client.
We have to assume that Thunderbird did at least one and possibly two things that your app didn't do. The first was getting its name tied to the protocol in the registry. Go poke around and see if you can find his name and how it's associated to the mailto protocol. Chances are good that you can swap out his name for yours, or at the very least try to pin the protocol to you as well.
The second thing that T-Bird may have done was get himself in the "Default Programs" list (a feature of 7 that I didn't really like, because it had a cool concept behind it -- ie, let's group apps together up front rather than wait and see every time if one of them can do a similar job. But Windows screwed that good time (big surprise) by acting like the overprotective parent it always is, and showing up at the kids' party and saying "I think these two should be in this group, don't you?").
Well, my hope is that by getting access to the mailto by borrowing it from Thunderbird, that you'll be welcomed into the default programs club, but if you aren't and you are still the mailto handler, I'd write it off, at least gloat about it for a week or two, before trying to tackle that issue.
Now, if Thunderbird can't get mailto control, I'm very inclined to think that Windows 7 has actually put into place some sort of strange caste system, where the application and its installer (eg user) must somehow prove their worthiness to be in the group by figuring out what the big secret is.
Oh, and if all else fails, try restarting in Safe Mode with no networking, install your client in that environment, and starting it up. See if you can't make it the default while the others are in suspended animation. Do a test run (with no network, obviously) by writing a basic HTML page with a mailto and see if clicking on it opens your client.
Then cross your fingers when you start back up in normal mode.
Let me know if any of the above proved the least bit helpful.

Travelling Visual Studio developers

I am about to travel to Europe (I'm Australian but imagine this is a similar circumstance for US users and simply flipped for European users).
However, there is the slim possibility I will need to do some Visual Studio work while I'm travelling.
As I see it I have three options:
Leave a desktop PC on at home, access remotely via net cafes.
Carry a laptop with me on the trip, upload files as required using public wifi.
Option 2 but instead buy cheap light netbook that is miraculously capable of running VS.
Does anyone have any experience or advice to shed on any of these options?
For reference, this existing post suggests that VS remotely for short distances is okay, but over longer distances could be more problematic. I've used VS via RDP to a US server before and it was pretty laggy but for small changes I could get by.
Concerns I have that you may have some experience with:
Weight of luggage (ideally like to travel light)
Security of laptop (imagine it'll be too heavy to carry around all the time so have to leave it at hotel/hostel etc. and hope for the best)
Security of data (don't want someone stealing RDP access to my home PC)
Security of FTP (don't want someone stealing FTP passwords over wireless)
I'd go with option #2 (carry a laptop that can run VS).
This way you can use the "more convenient" method if it works well (use it as a RDP client if the connection is low-latency enough), but you can still work locally if the connection you find is not reliable.
I think the bottom line is, always have a backup method when depending on networks that are far away and beyond your control.
Edit: Regarding the additional security concerns, most of those are things you should deal with anyway, traveling or not. If the stuff you're working with is that sensitive, you should probably improve the security of your remote work environment with a VPN and more secure file transfer method. Before you take your laptop anywhere, know what your plan is if you were to lose it.
It's a vacation. How do you expect to rest up properly if you're always worrying about work. Leave the phone at home too.
I used to leave a home PC on with VS and use services like GoToMyPc or LogMeIn or some similar service.
Since I have started using a laptop, I just carry the thing with me with VPN connectivity on business trips along with a 3G data card.
But seriously, if on vacation, I do not want to take my laptop with me.
security
First and foremost, encrypt the contents of the HDD - be safe.
If I am on a business trip, the laptop is with me so I am not as concerned with where it is. If I am on vacation, I do not know that I want to take one with me.
If it is important then I would keep my laptop/PC at work ON and there will be someone that has access to turn it on/reboot it. So I would carry a light laptop that lets me connect and work if I need it. If that goes down, I can always head into a cybercafe.
database
If you are anticipating working, bring your dev database with you. I know it hogs space and memory (while in use), but pulling data over the wire has taken long enough to make me lose concentration.
standalone
Make the laptop standalone so that it can work without a connection to VPN or internet - coverage is not the best / uniform in all areas.
Use TrueCrypt for encrypting your harddisk. Use VPN, SSH or something similar for remote connections. I always bring my laptop, but in case I would lose it, it's just a brick for the finder, and I have a good backup system that makes me able to get up and running on another computer quickly.
I tried installing VS2010 on my NetBook and it was a no-go. I was, however, able to install Expression Blend/Web which is good for most tasks.
Edit: To make this more useful... my netbook is HP Mini 1100 Series w/1GB RAM running Windows 7 "Starter"
Beware: I don't know where you are going in Europe, but do not count on a reliable internet connection in a hotel. It generally works, but when it does not, don't count on the personnel to repair it. Of course, if you also carry your own connection (G3 or EDGE on your mobile phone), then this will not be a problem.
I suggest using option 2 when working on your source code.
I also recommend using Git so you can work with source control while being disconnected from the office source control. When you get access, you can sync your whole repository with your office repository.
Of course, it all depends on which source control provider you are using.
For the occasional stuff that is not on Git, use a VPN for enhanced security.
My experience:
1) Purchased a small netbook (Samsung netbook with 2gb or so of RAM, I can look up the exact model number if anyone's interested but I think it's comparable to, or just above the NC10 (just comment if interested)).
2) Internet is bad in Europe (at least the options available to travellers). Something to note.
3) The netbook performance was absolutely fine. You don't want to be doing too much dev because of the small screen (though it was only really an issue for me because I got sick of the trackpad and didn't have a separate mouse) but it's honestly pretty fast and easy to use for .NET MVC development in Visual Studio.

How to comply with the new Federal Desktop Core Configuration (FDCC), which will remove local administrator access for all users? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
As developers, we believe that not having local administrative access is going to severely handicap our productivity. We will be restricted from running IIS (we’re a web development shop), installing applications, running Microsoft power tools, etc. If you’re going through the FDCC process now, it would be great to hear how you are coping with these changes.
Having actively worked as a contract developer at a base that uses the AF Standard Desktop, I can tell you a few things.
1: and most important. Don't fight it and don't do what the first person suggested "and let them choke on it". That is absolutely the wrong attitude. The military/government is fighting lack of funding, overstretched resources and a blossoming technology footprint that they don't understand. The steps they are taking may not be perfect, but they are under attack and we need to be helping, not hindering.
OK, that off my chest.
2: You need to look at creating (and I know this is hard with funding the way it is) a local development lab. Every base that I have worked at has an isolated network segment that you can get on that has external access, that is isolated from the main gov network. You basically have your work PC for e-mail, reports etc.. that is on the protected network. But, you develop in your small lab. I've had a lab be 2 PCs tucked under my desk that were going to be returned during a tech refresh. In other words, be creative with making yourself a development machine +servers that are NOT restricted. Those machines are just not allowed to be connected to the main lan segment.
3: Get the distributions of the desktop configurations. Part of your testing needs to be deploying/running on these configurations. Again, these configurations are not meant for development boxes. They are meant to be the machines the people use for day to day gov work.
4: If you are working on web solutions, be very aware of the restrictions on adding trusted sites, ActiveX components, certs, certain types of script execution that the configuration won't allow. Especially if you are trying to embed widgets/portlets/utils that require communications outside the deployed application domain.
5: Above all remember that very few of the people you work for understand the technology they are asking you to implement. They know they want function X but they want you to follow draconian security rule Y while achieving it. What that usually means is that the "grab some open source lib or plugin and go" is not an option. But, that is exactly what your managers think you are going to do because of the buzz around rapid development.
In summary, it's a mess out there. Try to help solve the problem.
While I've never been through the FDCC process, I once worked for a U.S. defense contractor whose policy was that no one had local administrative access to their machines. In addition, flash drives and CD-ROMs were disabled (if you wanted to listen to music on CDs, you had to have a personal CD player with headphones).
If you needed software installed you had to put in a work order. Someone would show up at your desk with the install media, login to a local admin account, and let you install the software (the reasoning being that you knew what to install better than they did). Surprisingly, the turnaround was pretty quick, usually around 1/2 an hour.
While an inconvenience, this policy didn't really cripple us. We were doing a combination of Java, C++ (MS Visual C++ and GNU/C++), VB 6.0 and some web development. For what little web development we did, we had a remote dev box we would RDP into for testing. Again, a bit of an inconvenience, but it didn't stop us from getting our jobs done.
Without ever having had the problem, today I'd probably try a virtualising solution to run these tools.
Or, as a friend of mine once opined: "Follow the process until They choke on it." In this case this'd probably mean calling the helpdesk each time you needed to have a modification to your local IIS config or you'd needed one of the powertools started.
From what I can tell FDCC is only intended to be a recommended security baseline. I'd give some push back on the privileges that you require and see what they can come up with to accommodate your request. Instead of saying I need to be a local administrator, I'd list the things that you need to be able to do and let them come up with a solution that works (which will likely be to let you administer your machine or a VM). You need to be able to run the debugger in Visual Studio, run a local web server (Cassini), install patches/updates to your dev tools on your schedule, ...
I recently moved to a "semi-managed" environment with SCCM that gets patches installed on a regular basis from a local update repository. I was doing this myself, but this is marginally more efficient for the enterprise and it makes the security office happy. I did get them to put me, and the other developers, in a special collection so that we could block breaking changes if needed (how could IE7 be a security update?). Not much broke except that now I need to update Windows Defender manually since I updated it more frequently than they do in the managed collection! It wasn't as extreme as your case, obviously, but I think that is, in part, due to the fact that I was able to present the case for things that I needed to do for my job that required more local control.
From the NIST FAQ on Securing WinXP:
"Should I make changes to the baseline settings? Given the wide variation in operational and technical considerations for operating any major enterprise, it is appropriate that some local changes will need to be made to the baseline and the associated settings (with hundreds of settings, a myriad of applications, and the variety of business functions supported by Windows XP Systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings on a carefully selected test machine first and document the implemented settings."
This is quite common within financial institutions. I personally treat this as a game to see how much software I can run on my PC without any admin rights or sending requests to the support group.
So far I have done pretty well; I have only sent one software install request, which was for "Rational Software Architect" ('cos I need the plugins from the "official" release). Apart from that I have perl, php, python, apache all up and running. In addition I have jetty server, maven, winscp, putty, vim and several other tools running quite happily on my desktop.
So it shouldn't really bother you that much, and, even though I am one of the worst offenders when it comes to installing unofficial software, I would recommend "no admin rights" to any shop remotely interested in securing their applications and networks.
One common practice is to give developers an "official" locked down PC on which they can run the official applications and do their eMail admin etc. and a bare bones development workstation to which they have admin rights.
Not having local administrative access to your workstation is a pain in the rear for sure. I had to deal with that while I was working for my university as a web developer in one of the academic departments. Every time I needed something installed such as Visual Studio or Dreamweaver I had to make a request to Computing Services.