Bill Reid - Introducing the Shared Computer Toolkit

Got a shared computer? You know, one that sits in a library, a school, a store, or a lobby where lots of people will share one computer?

Well, the Shared Computer Toolkit makes it really easy to administer and protect such a computer. You can download a beta now.

The team here explains (and demos) what it's all about. Also seen here are Derick Campbell and Jose Maldonado.

Follow the Discussion

  • tsilbSlackmasterK This Space Intentionally Left Blank

    Great idea.  Seems it could be improved with a separate hard drive image and physical security on the case.  Reminds me of an old security system called Centurion.

  • tsilbSlackmasterK This Space Intentionally Left Blank
    Whoop, scratch that; looks like there is a separate partition...

    Note to self: Finish video before posting. Being first isn't the biggest concern.
  • In the video they say that this is all built on existing Windows tech.

    What is the Windows Disk Protection built based on in Windows XP?

  • If this is all built on existing tech, will there be a new version for Longhorn?
  • Can you lock the screen resolution and colour quality settings? Because some people will change the resolution down to 640x480 and then logout, all other settings restore but the resolution remains.

    Also if you have 500~ computers you should be running a server. A public service I believe could run a server for next to nothing if they could find the right volunteer. You have Linux, samba and a cheap old desktop PC. You get your Linux engineer who has volunteered a Saturday and he sets it up as your domain and you're sorted.

  • PerfectPhase "This is not war, this is pest control!" - Dalek to Cyberman
    Interesting, the Disk protection sounds like an extension of the overlay driver from XP-Embedded.  A very handy technology.

    Stephen
  • I have some experience with shared computers. I recently got 3 new Dell boxes to set up that had French XP home on them and they also had Deep Freeze installed on them but I didn't know it. I kept trying to change the resolution to something useful (same problem with LCDs Robert was talking about) but all changes kept going away after I installed new stuff and rebooted. It took me a few restarts to realize what was happening Smiley

    This toolkit looks WAY more useful than DeepFreeze.

    NOW: I've asked this question here and on other forums before and I just seem to get nobody who knows or cares about my situation.

    We have 7 computers connected to a simple little DLink router. They share printers and My Documents folders like most small offices do.

    THE PROBLEM: 3 of those computers are "shared computers". They're there for the general public to use during business hours as part of the Community Access Program.
    The problem is that most of the time these machines are also being used as regular office machines by the employees.

    The Shared Computer Toolkit would be nice but it's actually more than what they need.
    There's always somebody monitoring what's happening with these machines and nobody's messed a machine up too badly after all these years. Once in a while a stupid messaging app or a toolbar gets installed but nothing serious.

    QUESTION: The only thing I don't like is that anybody can see ALL the shared folders on ALL the machines on the network. XP doesn't seem to have any way to set passwords on shared folders like you used to in Win98 or at least a simple way that even they can figure out like in Win98.

    Is there any way for them to password protect the shared folders on the XP machines so that only the employees can have access to them?

    These all use XP Pro so YES I can go there and turn off simple file sharing if it needs to be.
  • PerfectPhase "This is not war, this is pest control!" - Dalek to Cyberman
    dentaku wrote:

    QUESTION: The only thing I don't like is that anybody can see ALL the shared folders on ALL the machines on the network. XP doesn't seem to have any way to set passwords on shared folders like you used to in Win98 or at least a simple way that even they can figure out like in Win98.

    Is there any way for them to password protect the shared folders on the XP machines so that only the employees can have access to them?

    These all use XP Pro so YES I can go there and turn off simple file sharing if it needs to be.


    I think the only option on all these machines is if you use NTFS, to create a user on each machine, same username and password, and give only this account access to the files either through NTFS or the share permissions then you will be prompted for username/password when you attempt to connect to the share.

    Or get a domain!

    Stephen.
  • William Staceystaceyw Before C# there was darkness...
    Great app guys.  That is something I can use right away and have wanted for some time.  Suppose you will need Partition Magic or something to do it on an existing computer that was already formatted with only a single partition?
    --
    wjs
  • We've also hooked up with TeraByte Unlimited, who have a similar disk utility called BootIt Next Generation.

    They offer a fully-working trial download and have full instructions on their Web site.
  • Most likely there will be a version for Longhorn.
  • Iain Rae LennoxSkriker V1.0 Need more money...

    Support for x64? where is it guys? I know its beta.

  • rjdohnert You will never know success until you know failure
    I have seen this toolkit before.  Not from MS but from someone else who also makes it for NT/2000/XP.  I will try to find it but the concept has been around for awhile.
  • rjdohnert You will never know success until you know failure
    Downloading it now
  • Why would having them all use the same username and password do that? It seems to me that it should be the other way around.
    Someone logged in with a different username and password is exactly the person I would want to restrict access to.

    I just wish the old password protect box appeared in the Sharing and Security tab. It would make it so much easier and people would actually use it. The way it is now, regular people can't see any way to do this so they don't and this makes them less secure than they used to be with the old OS (not that I would ever want to go back to Win98).

  • dentaku wrote:
    QUESTION: The only thing I don't like is that anybody can see ALL the shared folders on ALL the machines on the network. XP doesn't seem to have any way to set passwords on shared folders like you used to in Win98 or at least a simple way that even they can figure out like in Win98.

    Is there any way for them to password protect the shared folders on the XP machines so that only the employees can have access to them?

    If I understand your scenario, you might want to check out the Windows Restrictions tool in the Toolkit.

    Create a Public account and user profile on all of your shared computers... restrict access to Network places (although I'd recommend taking all of the Recommended Restrictions for the best security)... and then let public users use the Public account while employees use other, unrestricted, accounts.

    You can even hide employee accounts from the Welcome screen using our Welcome command-line tool... so as not to entice anyone. Wink
  • First impressions:
    The registration is a pain. Let me make this clear: I don't mind having to register. However:
    1. why do you need all this personal information? (Name, lastname, ok I understand that. Company address, why? I might not have a company! Role as administrator of Shared Computers: I might just be interested in the software and have no role.) Ie. some info you ask might not apply.
    2. I might not want you to keep my personal info. From what I understand Microsoft retains my personal info across registrations. There should be a way to delete them. Ie. a better way of controlling my info which should be deleted after the beta program is over. This is important: The info is collected only for the Beta and should be deleted afterwards.
    3. I might not want to be contacted about "Security, product and event offers" as it says, "from Microsoft and partners" but I might want to give feedback on the software only. So, what do I do? Do I check the checkboxes for contacting me or not. How should I know that you will contact me only for feedback concerning the Shared Toolkit and not on anything else. After all, it says "for security, product and events from MS and Partners", so it should be much more than Shared Toolkit feedback.
    4. The same with my telephone number. Why is it required to give one. I might not want to or simply I might not have a public tel. ie. no business or organization, (not everything is a business you know!). So why is it required. Or: I might want to give a telephone number but I might only want you to contact me about the Shared Computer Toolkit. Nothing else: No promotional material, even on so called security events.
    5. Funny: on the first page it says "Yes register me, or something like that". And below "No do not register". Well, the Yes is a link whilst the No is not a link. So the No is actually not an option. Why put it there then?
    Install:
    For the proper functioning of the program you should install to c:\program files\microsoft shared toolkit\ only. Why?
    All installation programs allow both changing the install location and the Start menu shortcuts. Why not this one?
    The software:
    1. No cancel button: In many screens there is only OK and Apply; add Cancel.
    2. Accessibility tool: No toggle Keys, I use these a lot so include them as well.
    Some of the options in Step2 of the Getting Started should be made clearer (in their wording I mean):
    1. Prevent logon names from being saved ..., should be Prevent the last user's logon name from being remembered ... It makes it more clear because in actual fact nothing is being saved, but only the last username is remembered.
    2. Prevent logon to locked and roaming user profiles that cannot be found to improve security??? What does it mean?
    A) How do you mean, "locked accounts"? Locked accounts are, ..., well locked. So how can someone logon to them anyway, so why prevent logon to those.
    B) Roaming: Well I thought that the tool is not for domains, so roaming should not apply anyway.
    C) "cannot be found to improve security" What do you mean? What is to be found and how can a profile improve security and the security of what, the whole system or that user only, or what?
    I know, I know, I should be reading the help. But these are my first impressions.
    3. Remove the Shutdown and Turn off logon options should be Remove the Turn-off and/or the Shutdown commands from the Logon screen. From the logon Screen is clearer than logon options which might not be understood by some users. and/or is to show that Shutdown and Turn-off do not appear at the same time.
    4. Remove accounts from the Welcome Screen: What a good idea. Why doesn't Windows provide a gui for this? I think that Windows should have an option in Control Panel that does exactly that. Not only available through this Toolkit.
    Windows Disk protection:
    I have not tried this out since it requires me to alter my partition with a 3rd party tool (a horrible idea), why should I go download something, it is trial version anyway. And I don't want to mess up anything so I will leave this job for some other time. Isn't there a Windows free tool for managing partitions?
    Other:
    I might have more feedback on the restrictions after I check if they can be broken into.
    Shared code:
    It is easy for anyone to open up the files and look at the code. But the license forbids that. So, why don't you publish the code under a sharedcode license. If you don't want people to create commercial apps on your code you can publish it only for educational purposes. What I mean is that the code is already available so make it clear in the license as well. Why don't you acknowledge legally the fact that people will read the code. Or, you can publish the code under derivative license, ie. users for example might be able to port the code to run on Win2k for their own internal organization's use only. I mean what is it so secret in your code that you might not want to build a community on it? It is written in HTA.

    The actual code:
    I looked inside the code and here is a code review by file name.
    bin\AutoRestart.vbs:
    Function IsAppRunning(AppName)
    This function should better be used in the main code routine. Instead you say:
    Do While True
    It should be:
    Do until IsAppRunning(sAppName)
    Function:
    ' ------------------------------------------------------------------------------
    ' Name:   RunApp(AppName)
    ' ------------------------------------------------------------------------------
    ' Purpose:  This function checks the application status
    '   If the application is opened returns true else false
    ' ------------------------------------------------------------------------------
    Wrong! Wrong description!
    Sub RunApp(AppName)
     On Error Resume Next

     If NOT IsAppRunning(sAppName) Then
    Shouldn't it be:
     If NOT IsAppRunning(AppName) Then
    There is no s in front of the AppName in the argument to the function.

     oShell.Exec AppName
    Instead of:   oShell.Exec sAppName
     End If
    End Sub
    Hardcoded installation path:
    C:\Program Files\Microsoft Shared Computer Toolkit\
    First of all Program Files might not be the same in all versions of Windows. Use the GetSpecialFolders function to get the correct path instead of hardcoding it.
    Please include comments in all files: Toast.bs does not have comments.
    Microsoft Update:
    Set oSession       = CreateObject("Microsoft.Update.Session")
    Is the Microsoft Update control documented anywhere? It appears to be useful.
    File WindowsUpdates.vbs:
     ' create collection of upates to download
    Spelling mistake. I get angry when comments have spelling errors.
    Please agree on your variable naming scheme. I mean at times you say oMyObject, at other time you say objMyObject. And for collections always say colMyCollection. For example this line:
     For I = 0 to oSearchResult.Updates.Count-1
    oSearchResult... is a collection so it should be colSearchResult...
    Well there is much more but the time is up.
    It is an excellent tool but I think it needs some more fixing to make it foolproof. And I am not an expert in breaking into Windows.

  • dentaku wrote:

    I just wish the old password protect box appeared in the Sharing and Security tab. It would make it so much easier and people would actually use it. The way it is now, regular people can't see any way to do this so they don't and this makes them less secure than they used to be with the old OS (not that I would ever want to go back to Win98).


    It's missing because Share Level passwords were a nasty hack to add security to an inherently insecure OS (Win 9x)

    You can achieve roughly the same level of security by password protecting the Guest account and then allowing it to access the shares. Or by creating local accounts on the machines and restricting their access to the machines.

    If either of those options starts looking inflexible or inadequate, you should really be thinking about running a Domain, be it Active Directory or (if you can live with the reduced functionality) a Samba setup.

    I'll grant you that this isn't easy enough for home users, but there weren't many home users with home networks when XP came out. From what I've heard, Longhorn should go a long way towards simplifying smaller sharing scenarios like that.
  • AndyC wrote:


    I'll grant you that this isn't easy enough for home users, but there weren't many home users with home networks when XP came out. From what I've heard, Longhorn should go a long way towards simplifying smaller sharing scenarios like that.


    I hope LH makes it much simpler. I don't want to have to mess with these people's computers (I don't work there) and teach them about user accounts.

    I know that Win98 passwords were pretty much just there to keep the honest people honest and weren't terribly secure, but it would be enough for their purposes. Nobody's ever left unsupervised at the public computers anyway.
  • Orbit86 wrote:
    I agree with you nektar, you have to register 5 different times, get a code, validate windows..this is a piece of %$^%%$t anyway..I uninstalled it

    Registration and validation aside... May I ask what you'd like to see improved?
  • nektar wrote:
    First impressions...

    Thanks for all of the details nektar... this is exactly one of the reasons we want code transparency - for this kind of feedback. We'll make sure the final EULA reflects our intended transparency.

    I've shared your registration concerns with marketing. We've got mandatory registration with the Beta, but it will become optional with Gold (no more registration key). WGA Validation is important to us for anti-piracy purposes, especially in emerging markets where piracy is a big problem and shared computers are more prevalent.

    We force the Toolkit to be installed to Program Files specifically because of our Software Restrictions in the Windows Restrictions tool, which only allows software in %ProgramFiles% and %Windir% to run. This is a valuable security technique that our customers want for their shared computers. We realize this is a little less flexible - but it will also prevent lots of extra support calls from folks that don't read the manual (or even the words on the install screen - as we've seen with usability testing). It was my call - you can blame me for this one. But I'm not changing my mind on it.  Wink

    Thanks for the Getting Started suggestions... I'll take those to heart when I update it next.

    Microsoft.Update.Session

    Our latest round of code reviews (happening now) should help with our inconsistent variable naming. Apologies for the occasional spelling mistake in comments... several of our devs have English as a second language.

    If you want a fun hack attempt... I recommend trying to break through our Restricted Administrator scenario... be sure to set it up the way we document in Chapter 9 of the Handbook.  With an admin account you should be able to do anything - right?  Wink

    Thanks again for the thoughtful and detailed feedback.  Very helpful.
  • I agree that all programs in Windows should be in a single folder like Program Files. However, what I am saying is also that Program Files should not be hard-coded in the code. You should use a way of retrieving the special folder name for the Programs folder because in other Windows versions Program Files might be called something else, or especially in other languages this is the case. So, the installer should either change at install all the references to c:\program files to whatever folder is at the time the default for programs or it should be determined at runtime by the code. After all, c: is not always the program partition as well. I have seen many computers which have all programs installed to D:\Program Files, etc.
    I will read the manual. Thanks.
  • Daylight Saving feature and Windows Disk Protection:
    I remember in the past we were using a disk protection system. It worked fine but it had one serious issue. It wouldn't apply the setting for Daylight Saving or it would apply it indefinitely. Somewhere, in the registry I guess, Windows stores if it has applied the Daylight Saving change or not. With Disk Protection and since everything is reverted to what it was before, Windows used to lose account of what it had done and so this feature was affected.
    I don't know if your Windows Disk Protection feature suffers from the same issue as our old protection system since I did not test it because I do not want to change my computer clock. But please have that in mind. What about other things that Windows needs to keep count of like, auto-update the time (fixing the time) every x number of days. Is it affected by Windows Disk Protection?

  • nektar wrote:
    ...what I am saying is also that Program Files should not be hard-coded in the code.


    Ah, yes - agreed.  We're getting all those bugs now. Embarassed
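
The rule discussed in this exchange (only software under %ProgramFiles% and %Windir% may run) and the objection to hard-coding C:\Program Files, modelled as an added Python example; it is not code from the Toolkit and is only a simplified stand-in for Windows Software Restriction path rules. The two environments, the sample paths other than the Toolkit's own install folder, and all function names are constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any platform

# Constructed sample environments (assumptions, not taken from the Toolkit).
ENV_C_DRIVE = {"ProgramFiles": r"C:\Program Files", "windir": r"C:\WINDOWS"}
# A localized install on a second partition, as described in the thread.
ENV_D_DRIVE = {"ProgramFiles": r"D:\Programme", "windir": r"D:\WINDOWS"}

# What a script sees if it hard-codes the English, C:-drive locations.
HARDCODED_ROOTS = [r"C:\Program Files", r"C:\WINDOWS"]

# Install folder and script name as they appear on the page.
TOOLKIT_SCRIPT = r"Microsoft Shared Computer Toolkit\bin\AutoRestart.vbs"


def roots_from_env(env):
    """Allowed roots resolved from the machine's own variables."""
    return [env["ProgramFiles"], env["windir"]]


def canon(path):
    """Collapse '.', '..' and '/' and fold case before comparing."""
    return ntpath.normcase(ntpath.normpath(path))


def is_fully_qualified(path):
    """Require a drive (or UNC share) followed by a root separator."""
    drive, rest = ntpath.splitdrive(path)
    return bool(drive) and rest[:1] in ("\\", "/")


def is_under(path, root):
    """True if path is root itself or lies below it, by whole components."""
    p = canon(path)
    r = canon(root).rstrip("\\")
    # The trailing separator keeps "c:\program files2" from matching
    # the root "c:\program files".
    return p == r or p.startswith(r + "\\")


def is_allowed(path, roots):
    """Allow-list decision: fully qualified and inside one allowed root."""
    return is_fully_qualified(path) and any(is_under(path, r) for r in roots)


def audit(paths, roots):
    """Map each path to its allow/deny decision."""
    return {p: is_allowed(p, roots) for p in paths}


# Constructed sample paths covering the edge cases a path rule must handle.
SAMPLE_PATHS = [
    ntpath.join(ENV_C_DRIVE["ProgramFiles"], TOOLKIT_SCRIPT),
    "c:/program files/Microsoft Shared Computer Toolkit/bin/AutoRestart.vbs",
    r"C:\Program Files\..\Documents and Settings\Public\setup.exe",
    r"C:\Program Files2\tool.exe",
    r"C:\Documents and Settings\Public\Desktop\game.exe",
    r"bin\AutoRestart.vbs",
]

if __name__ == "__main__":
    for path, ok in audit(SAMPLE_PATHS, roots_from_env(ENV_C_DRIVE)).items():
        print(("ALLOW " if ok else "DENY  ") + path)
    moved = ntpath.join(ENV_D_DRIVE["ProgramFiles"], TOOLKIT_SCRIPT)
    print("env roots:      ", is_allowed(moved, roots_from_env(ENV_D_DRIVE)))
    print("hardcoded roots:", is_allowed(moved, HARDCODED_ROOTS))
```
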
  • Orbit86 wrote:
    validating Windows is annoying, it should check if you had it activated and leave you alone, do you have focus groups at MS to see how many barriers a user will handle to install a program?
    We do look at barriers... from our experience registration is a bigger barrier than WGA validation. Since this is a whole new market for us we really need to learn from our customers as much as we can - so we accepted the risk in this particular case.

    WGA has actually been quite successful - I think they've done a good job of making it pretty quick and painless for most scenarios - and putting value in validation. It's really the 'carrot approach' to anti-piracy - as opposed to a stick. Wink
    Orbit86 wrote:
    btw can one user have 2 different passwords? say one user (main) can save files and change settings but when the other password is entered the toolkit kicks in..
    The way to handle two different passwords would be with two different user accounts. Any administrator on the computer can use the tools in the Toolkit - except for our 'restricted administrator' scenario. You could have a limited user or a restricted administrator that can't change the computer - and a Toolkit administrator that can make changes as necessary (and Save Changes using WDP).

    You can also create a Windows Explorer shortcut with 'Run As' selected in a limited account's Start menu... then run it and enter the toolkit administrator account and password. You now have an explorer instance running without restriction - within a restricted account. Need to be cautious with this approach... could get hijacked by a malicious process.
    Orbit86 wrote:
    do all the folders get cleaned up when you reboot? how about being able to assign a folder where the toolkit doesn't touch?
    Everything in the Windows partition is cleared... the only place to keep persistent data is on another partition. This is why we wrote the User Profiles tool - which can be used to create profiles on any partition.
  • We've gone Gold, and the Toolkit is free for genuine copies of Windows XP!

    http://www.microsoft.com/sharedaccess

    Derick
  • Derick> Any word on the Shared Computer Toolkit / Daylight Savings Time problem?
