List of allowed applications

  • List of allowed applications

    I want to create some PB code to control which applications are permitted
    to execute on a PC.

    Basically what I'm trying to do is to let a user (let's say I don't trust him)
    use my PC, and I only want him to use Office and maybe some pre-approved
    games.

    I don't want to reinvent the wheel; if someone has any idea where I should
    start and wants to share, I would appreciate it.


  • #2
    Every file has security privileges that can be set. Perhaps that is the easiest approach depending upon your network/computer security setup. One setting for EXE files is to allow execution. I have not done this but I can't imagine it is too difficult.
    Radue Software -Software 100% Developed with PowerBasic



    • #3
      Originally posted by Elias Montoya:
      I want to create some PB code to control which applications are permitted
      to execute on a PC.

      Basically what I'm trying to do is to let a user (let's say I don't trust him)
      use my PC, and I only want him to use Office and maybe some pre-approved
      games.

      I don't want to reinvent the wheel; if someone has any idea where I should
      start and wants to share, I would appreciate it.



      * If you are using an NT-based OS, create a guest account that only has access to the application you want.

      * Windows Steady State: http://www.microsoft.com/windows/pro...s/default.mspx

      Advantage of Steady State is that it can be configured to restart at the clean system again for the next guest.



      • #4
        The point is that I would like to specify what exe's to allow, because the user will have access to the internet, giving them a possibility to download and execute tools to tweak Windows.

        For example, I have disabled the control panel, and I disabled regedit... but if they download another registry editor they can enable the control panel easily... That's the point.

        Giving permissions to local exes would work, but not if they download them from the internet.



        • #5
          Is preventing Exe enough?

          Originally posted by Elias Montoya:
          The point is that I would like to specify what exe's to allow, because the user will have access to the internet, giving them a possibility to download and execute tools to tweak Windows.

          For example, I have disabled the control panel, and I disabled regedit... but if they download another registry editor they can enable the control panel easily... That's the point.

          Giving permissions to local exes would work, but not if they download them from the internet.

          Don't give them Admin access. Without admin access software can't be installed. By setting the correct group policies you can prevent them from even using the right-click context menus. There are group policies to allow only read access to individual keys in the registry. Even with a different registry editor, a secured registry can't be modified. I also believe that you can control the list of software the user can execute via group policies.

          If you want to do this on your own, you could write a root kit that checks every file name and, if it is not on a white list, prevents it. This could also be accomplished with file create (during download). If an exe is downloaded, prevent it.

          If this person really isn't trusted, let's say this person has malicious intent, aren't the following also required:

          Disable renaming of files. If they can run notepad.exe, they can just rename any exe to notepad.exe and execute it (if you're whitelisting files). This could be managed by checking the name in the version tags (if the file has one) in addition to an MD5 hash to make sure the file hasn't been modified.

          File Deletion. You also want to prevent the user from deleting your files. If you really don't trust the user you don't want them deleting the directory containing your personal files.

          File Overwrite. You don't want the untrusted user to open your financial files, delete or modify the contents, and save the file, overwriting the data.

          File copy: You don't want the user to copy files by uploading them to the internet or to a USB flash drive.

          Of course, there is the possibility that the user could have a bootable flash drive, boot to another OS and just take an image of your hard drive to look at later at their convenience. This can be prevented by using the BIOS password protection to the drive.

          I am sure there are many other features you would need to prevent. I guess it depends how much you trust the person you're lending your computer to.

          Policy: Trust No One
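
The rename problem raised in post #5, as an added example that is not part of the original thread: a name-only allowlist accepts a renamed file, while a content-hash allowlist ignores the name. It uses SHA-256 in place of the MD5 mentioned in the post, and the file names and contents are constructed stand-ins.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def allowed_by_name(path: Path, names: set[str]) -> bool:
    """Name-only check: the weak form that a rename defeats."""
    return path.name.lower() in names

def allowed_by_hash(path: Path, hashes: set[str]) -> bool:
    """Content check: the file name plays no part in the decision."""
    return sha256_of(path) in hashes

def demo() -> dict:
    """Build constructed stand-in files and compare both checks."""
    work = Path(tempfile.mkdtemp())
    try:
        approved = work / "notepad.exe"
        approved.write_bytes(b"MZ constructed stand-in for an approved program")
        names = {"notepad.exe"}
        hashes = {sha256_of(approved)}

        downloads = work / "downloads"
        downloads.mkdir()
        renamed = downloads / "notepad.exe"   # unapproved file given an approved name
        renamed.write_bytes(b"MZ constructed stand-in for a downloaded tool")
        moved = downloads / "editor.exe"      # approved program under a different name
        shutil.copyfile(approved, moved)

        return {
            "renamed_passes_name_check": allowed_by_name(renamed, names),
            "renamed_passes_hash_check": allowed_by_hash(renamed, hashes),
            "approved_copy_passes_hash_check": allowed_by_hash(moved, hashes),
        }
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A hash allowlist has to be regenerated whenever an approved program is updated, since any change to the file changes its digest.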



          • #6
            Yes, you don't need to write this yourself; from Win2000/XP forward, almost all aspects of security can be set. Some apps (especially games) will refuse to run in limited account mode, especially if they write to "Program Files" or other restricted folders. I expect Windows can be reconfigured if there is an access problem with a particular folder.

            TIP: One way to test whether your app works with Vista's UAC is to run it under 2000/XP's "Guest" account
            kgpsoftware.com | Slam DBMS | PrpT Control | Other Downloads | Contact Me



            • #7
              Thanks for the tips guys, I will look into Group Policies.

              I already disabled a bunch of stuff via the control panel of my app,
              like Control Panel, the Execute option, the File menu from Windows Explorer, renaming files, the registry editor (I will look into registry permissions), right click on the desktop and on the Start button, Properties on "My PC"... and a bunch of stuff more.

              Pretty good tips, thanks for the input!



              • #8
                By the way... I'm looking for a way to temporarily (and immediately) disable the Alt+Tab feature. I need it to work right away (no need to restart).

                Keyboard hooks didn't do the trick, unless I did it wrong. Subclassing didn't work either.
                If you have some tips I would appreciate them.



                • #9
                  Perhaps you could modify Jim Seekamp's code at: http://www.powerbasic.com/support/fo...ML/014359.html (the last thread).

                  That gives you a list of all running processes. Build up a list of DATA statements of (dis)approved programs. If it finds one, react accordingly.
                  There are no atheists in a fox hole or the morning of a math test.
                  If my flag offends you, I'll help you pack.



                  • #10
                    Silly me!!!! I already know that code! I am using it to terminate the
                    task bar temporarily (so the Windows key doesn't pop up any windows)!!!

                    I will modify it to keep looking for unwanted applications.

                    Thanks for the reminder Mel!

                    I wonder if it also works with the Fast Switch of Alt+Tab...



                    • #11
                      According to this article:

                      Alt-Tab may be intercepted (or effectively disabled) by means of a low-level keyboard hook.[5] Such a technique is used by applications such as the Virtual Network Computing (VNC) viewer to pass Alt-Tab keystrokes to the remote desktop when the VNC window is active.

                      I translated that example to PB but it doesn't seem to catch Alt or Tab.



                      • #12
                        Disregard the Alt+Tab issue. I decided to make my app a screensaver so Windows
                        does all the ugly tramits.



                        • #13
                          Kiosk?

                          Hi Elias,

                          It seems to me that what you're really looking for is a kiosk app. The following four articles have some interesting info on the subject. I think they're written for RealBasic, but it's pretty much all API calls, so you should be able to translate quite easily.

                          Part one
                          Part two
                          Part Three
                          Part four

                          Regards,

                          Pete.

                          PS: If you do decide to go down this path, I'd strongly recommend developing in a Virtual Machine, unless you enjoy rebooting.
                          Last edited by Peter Jinks; 17 Dec 2008, 07:12 PM. Reason: Adding PS



                          • #14
                            Perfect! Just perfect.

                            http://www.microsoft.com/technet/pro....mspx?mfr=true
