So since no one seems to or can't lock down their FOH security using logins that don't have administrator access,
have you tried anything else besides mag cards, smartcards and fingerprint readers?
I won't go into exact details at the moment, but another way I have tried (and succeeded) in locking things down a bit is to replace the Windows explorer.exe with cmd.exe running ibercfg.bat.
I also locked it down with other policies so that the Task Manager could not be run to shut down iber.exe (no Ctrl-Alt-Del).
A fair hacker with a keyboard and access to the terminal can be kept out this way.
Once the Aloha terminal is running it is almost impossible to:
1) get to a command prompt
2) close Aloha other than by allowed access or power down
3) get into Windows
4) do anything on the computer except run Aloha
I used the current user key to set up the change of shell so that you could get control of the machine back by logging in as a different user. If you do this in the HKLM instead of the HKCU branch, no user has access to Explorer, but it can make troubleshooting work on the terminal more difficult.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell=Explorer.exe
Instead of explorer.exe I substituted the full path to run Aloha:
cmd /c C:\CBBQ\Aloha\IBERCFG.BAT
This worked pretty good for a while but has become fairly useless to me lately because I don't get the 100% reliable loading of Aloha I used to get from 5.3 (now that we are on 6.5).
It also played hell when the Aloha Enterprise guys needed to log in to fix something with my Aloha stored value gift cards.
Why do this....
Because it is more secure from a PCI compliance perspective and can be said to be a "compensating control". Along with a few other policies to lock things down, you can say you are PCI compliant on Windows XP terminals for 10+ more years.
Now if I could only get VNC to work over NetBEUI for remote access to terminals I could get rid of TCP/IP (yes, you can get NetBEUI on XP).
Warning: don't try to disable Ctrl-Alt-Del unless you have thoroughly tested anything that removes explorer.exe as your shell, because you can make your computer inaccessible or very hard to access, especially if there is no way to boot from a CD or from a USB flash drive.
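A read-only check of the setup described in the post, added here as an example and not part of the original post: it reports which shell the logged-in account actually gets and whether the recovery path through another account is still open. It assumes PowerShell 2.0 or later on the terminal, and that the Task Manager restriction is the standard DisableTaskMgr policy value, which the post does not name.

```powershell
# Added example: read-only audit of the shell-replacement lockdown from the post.
# Assumes PowerShell 2.0+ and that it is run while logged in as the FOH account.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policies = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$userShell    = Get-RegValue "HKCU:\$winlogon" 'Shell'
$machineShell = Get-RegValue "HKLM:\$winlogon" 'Shell'
# Assumption: Task Manager was blocked with the standard per-user policy value.
$taskMgrOff   = Get-RegValue "HKCU:\$policies" 'DisableTaskMgr'

# The per-user value, when present, is the one this account gets at logon.
$effective = if ($userShell) { $userShell } else { $machineShell }
$findings  = @()

if ($effective -match '(?i)^\s*explorer\.exe\s*$') {
    $findings += 'This account still gets the normal Explorer desktop.'
} else {
    # Last token of e.g. "cmd /c C:\path\start.bat" is the script being launched.
    $target = ($effective -split '\s+')[-1]
    if ([IO.Path]::IsPathRooted($target) -and -not (Test-Path -LiteralPath $target)) {
        $findings += "Shell target '$target' is missing: logon would leave the session with no shell."
    }
    if ($taskMgrOff -ne 1) {
        $findings += 'DisableTaskMgr is not set: Task Manager can still end the POS process.'
    }
}
if ($machineShell -notmatch '(?i)explorer\.exe') {
    $findings += 'HKLM shell is replaced too: no other account gets a desktop for recovery.'
}

"Effective shell: $effective"
if ($findings) { $findings } else { 'No findings.' }
```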