[OPLINTECH] lockdown Save As on Windows 7 public computers

Nathan Eady oplintech at galionlibrary.net
Fri Feb 4 14:18:42 EST 2011


Marlene Pelyhes <mpl_marlenep at yahoo.com> writes:

> I would like to deploy windows 7 computers for public computer use.
>
> When you click "Save AS" on a MS Office document, windows
> brings up Windows Explorer with directory and Network links.
> Has anyone locked that down to provide access to only
> public areas such as Desktop and FlashStick?

Fundamentally, limiting the locations that show up in the MS Office
Save As dialog wouldn't actually "lock down" anything.  That's just
one out of hundreds of ways to save a file in a particular location.
Trying to limit how the user can employ each of hundreds of different
interfaces to store files in various places would be prohibitively
time-consuming and difficult, if not theoretically impossible.

If you want to actually prevent access to non-public areas, then the
user(s) in question shouldn't have the relevant access permissions.
If you are running Explorer with admin privileges, you can right-click
on any filesystem object (e.g., a directory folder), click Properties,
find the Security tab (or Permissions tab or whatever they're calling
it these days), and investigate who has what permissions.  (There are
other ways to do this too, but the security/permissions tab in the
Properties dialog is probably the easiest one to learn.)

By default, any given object will inherit whatever permission rules
its parent directory ("folder") has, but you can also assign
additional permissions (on a per-user or per-group basis) to an object
that its parent directory does not have, and some permissions (e.g.,
Read access) can be revoked on an object even if the user has them on
the parent.  Other permissions, such as Full Control, are always
inherited; if you give the user Full Control of an entire drive, for
example, you cannot take it away for just certain areas on that drive.
What you can do is only give them Full Control over specific
directories where you want them to have it.

Note that for network fileshares the permissions are controlled on the
file server that hosts the share, not on the workstation.

As a general rule, the most secure way to handle permissions is to
deny the user everything by default and grant them only the specific
things you need them to be able to do, but the tradeoff is that this
means you have to discover and enumerate, one by one, each and every
location that the users (or programs the users need to use) need to
be able to access.

The quick-and-dirty way is to start with the default permissions and
only make the changes you need to make to prevent specific abuses you
discover.  This is significantly less secure, but it also has less
tendency to cause unexpected consequences at first.  (Applications can
sometimes surprise you with all the many and various places they want
to write data during the course of normal operation.  This is not
nearly as bad as it used to be in the early days of Windows XP when
many programs had been hastily ported over from Windows 98, but the
problem has not entirely gone away, either.)

If we were talking about introducing new computers, I'd be strongly
inclined to recommend the secure way (give the user no permissions
except what you specifically know they need, developing and
maintaining a list of what is actually needed and why as you go), but
since you're talking about already-deployed computers the choice is
less clear-cut.  There are arguments to be made either way.

-- 
Nathan Eady
Galion Public Library

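An added example, not part of Nathan's post or the OPLINTECH thread: a PowerShell script that does the same three things his reply describes (inspect who has what on a folder, grant the public account write access only to specific directories, and enumerate every other place on the drive where that account can still write). It assumes a local group named PublicUsers that the public login account belongs to, the sample paths shown, and an elevated PowerShell 2.0 session (the version Windows 7 ships with, so it avoids later syntax). The USB stick from the question is deliberately not in the list: a FAT-formatted flash drive has no NTFS ACLs, so Set-Acl would fail on it, and it is public simply because nothing restricts it.

```powershell
# Added example (not from the original post). Assumes a local group
# "PublicUsers" and the paths below; adjust both for your machines.
$Group   = "$env:COMPUTERNAME\PublicUsers"
$Allowed = @("$env:PUBLIC\Desktop", "C:\PublicSaves")   # hypothetical save locations

# 1. Report every ACE on a folder, showing whether it is inherited from the
#    parent or set explicitly on this object (the Security-tab view as data).
function Show-FolderAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType     # Allow or Deny
            Inherited = $ace.IsInherited
        }
    }
}

# 2. Grant the group Modify on one folder and let it flow to subfolders and
#    files (ContainerInherit, ObjectInherit). Nothing else on the ACL changes.
function Grant-PublicWrite {
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 3. Audit: walk a tree and list every folder where the public group, or a
#    broad group the public account is also a member of, holds any write bit.
#    This is the "discover and enumerate" step from the reply, automated.
function Find-PublicWritable {
    param([string]$Root)
    $writeMask  = [System.Security.AccessControl.FileSystemRights]::Write
    $identities = @($Group, 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_.PSIsContainer } |
      ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        $hits = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0 -and
            ($identities -contains $_.IdentityReference.Value)
        }
        if ($hits) { $_.FullName }
      }
}

Show-FolderAcl -Path $Allowed[0] | Format-Table Identity, Rights, Type, Inherited -AutoSize
foreach ($p in $Allowed) { Grant-PublicWrite -Path $p }
Find-PublicWritable -Root 'C:\' | Out-File "$env:TEMP\public-writable.txt"
```

The audit output is the list to work through: every path in it is somewhere the public account can save a file regardless of what the Office dialog shows, which is the point of the reply. Expect the user's own profile directory and several application data and temp folders to appear; those are the "surprising places" applications need, and removing them without testing the applications first is how the tighter approach breaks things.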