Jump to content
carrseom

Disable access to windows on windows platform recorders

Recommended Posts

One of the major reasons I do not like using windows based recorders is there is usually never much thought given in disabling access to windows, the start menu and worst of all the hard drives.

 

lack of windows critical patching is another. Really, there are too many to mention here.

 

How do you guys disable access to windows, patch and generally get these systems not to crash on a regular basis.

 

I am not slinging mud, but I am being forced to have to look back into windows based recorders due to lack of a company that has produced a hybrid (analog/ip support) linux based software and hardware.

Share this post


Link to post
Share on other sites

How important is disabling access to windows?

 

If someone has access to the hardware, they can easily do whatever they want, no matter what you have done software wise. All disabling windows access will do is stop people who are clueless from accessing files etc, but those people being clueless would not be able to do it even if windows access was allowed.

 

No software can stop someone from doing something as simple as booting from a boot disk, even bios passwords are a waste of time.

 

Either you trust the people with access to the machine, or you dont, in which case, they should not have access.

 

If disabling windows is required, geo has a lockdown utility, not tried it yet, so cant say if its any good or not. You can also change the icon on the start menu to something sinister like "panic button" or something, so no one messes with it, and change the hotkeys to non standard ones. That sort of thing cant be done via windows per se, you would need to edit the explorer resources with a resource editor, but it can be done.

 

Remove all non required dlls, and programs (although xp is a pain in the but as it complains when many system dlls are removed). Get a custom keyboard made with only a few required keys on if absolutely required, but again, fairly pointless as if someone has access to the machine they can just plug in a standard keyboard.

 

Personally I would just put a camera watching the server/dvr and keep it a hidden camera so I could see if anyone was messing with the pc.

 

Trying to lock down windows is hard, and pointless at the end of the day, unless Im missing something?

 

As for not crashing, other than removing all non needed services and programs, its in the hands of others, microsoft, etc etc.

 

Patching is the same problem for both windows and linux.

 

Automatic, or manual, you have the worry, will the patch break what is there already? Will the patch introduce a bigger problem?

 

Its a personal preference, either update on auto, or do it after testing on a test machine. Auto is nice and easy, the test machine method is a pain in the butt, but a lot safer in the long run.

 

 

End of the day, if your worried about people doing stuff to the pc, lock the pc away safely so NO ONE can touch it without the key.

Share this post


Link to post
Share on other sites

Thanks for the reply.

 

Most users are not that familier with back door methods, if they are locked down and disabled, but if there is an employee who knows how to format hard drives, they can cause all kinds of problems. I have seen it first hand.

 

In fact, I have been to service call where the store managers was checking their email on the supposed "secure DVR". Not one that I sold, though. There was all kinds of intresting "stuff" on that machine.

 

Jim

Share this post


Link to post
Share on other sites

BTW, I am not a linux snob.

 

I do believe that certain operating systems are better at certain tasks, even windows at times.

Share this post


Link to post
Share on other sites

One of the main reason's why I decided on Video Insight and the Windows platform it runs with is because VI's WEB viewer isolates the viewer to only viewing. The client software allows much more control, and using remote admin software like logmein does the final trick.

 

Most of my clients want to view and review only and therefore only need that capability. When I have a client that needs to go further it's ok by me as they normally are technically minded and can handle it.

 

There are 3rd party software add on's that you can use to lock down Windows.....good luck.

Share this post


Link to post
Share on other sites

Hmmm ..well first you strip it right down, turn off all non essential services, and block all ports in TCP/IP Filtering, besides those needed for Remote Access. If you can, run a shell other than Explorer.exe. Even better, create your own version of XP and install only the components you want, seting up the services, etc. preinstall. You can remove some of the components after the install but its a bit trickier.

 

Geo has a keylock utility which will do, well the Key locks, as well as block access to the start menu and desktop, etc. I made my own little program though, which i use.

 

Use a DVR software that goes into full screen mode, and as a limited user locks them out of exiting that. Coupled with the keylock they will always be in full screen mode until they login as an admin.

 

In the end though, all they have to do with any DVR is pull the plug, and if they want the Video, take the hard drive.

 

PS. and one of the components I live to disable is Automatic Updates

Install SP2 and thats it.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×