SageTV Community  

  #1  
Old 04-07-2009, 04:52 PM
Skirge01
SageTVaholic
 
Join Date: Jun 2007
Location: New Jersey
Posts: 2,599
Lock it down! Possible?

I want to truly lock down my Sage client PC, so that nobody can mess anything up. I'm running XP Pro on the client and WHS on the server.

Theoretically, I only need two things:

1. Block access to the SageTV folder (to protect my properties file and the rest)
2. Block access to all media shares outside of Sage, so that only Sage can actually get to the files. (keeps the kids away from stuff they shouldn't be watching)

I have some ideas on how to go about this, but I'd like some experienced advice, rather than going into this blindly. Or, maybe this isn't even possible and I'd be wasting my time.
  #2  
Old 04-08-2009, 11:18 PM
Striker:WG
Sage Aficionado
 
Join Date: Oct 2008
Posts: 472
Can you give some more detail about how exactly this is setup?

Is the client pc connected to a TV and accessed via a remote or is it used as a desktop workstation (keyboard/mouse) and used for other functions as well?

Are you trying to block access to any other shares or just the shares that Sage has access to?

-Striker-
  #3  
Old 04-09-2009, 11:54 AM
Skirge01
SageTVaholic
 
Join Date: Jun 2007
Location: New Jersey
Posts: 2,599
Sure thing, Striker! My pleasure.

Client PC is connected via DVI to the TV and SPDIF to the receiver. Control is via a Harmony 880 through a USB-UIRT, controlled by EventGhost. The client PC is also used for browsing the internet with a keyboard and mouse on an almost daily basis, as well as less frequently being used for minor Word or Excel document editing. There is currently no gaming on the client PC. Requiring the user to log off and log back in under another account in order to do something other than Sage would NOT be an issue.

Primarily, I am concerned about the Sage folders and the media directories (photos, music, videos, and recordings). I don't have a need to lock down any other folders, but it wouldn't be a bad thing, either.

I already have PIN codes via SageMC on certain menus, including the setup menu. I want to ensure that a savvy person would not be able to simply open up the .xml file and see the pin codes. I also intend to use PIN codes for any other menus I want to lock users out of.

A good side effect of this is that the security will probably make ME less prone to tinkering with a working setup! ;D

Let me know if you need further details.
  #4  
Old 04-09-2009, 12:20 PM
dvd_maniac
Sage Icon
 
Join Date: Mar 2004
Location: New England
Posts: 1,899
I wish the PIN code feature of SageMC could be used outside of SageMC and maybe built into its own STVI...
__________________
If this doesn't work right, Then:
"I'm going to blow up the Earth!"
  #5  
Old 04-09-2009, 12:35 PM
GKusnick
SageTVaholic
 
Join Date: Dec 2005
Posts: 5,083
Are you using SageTV Client or Placeshifter on the client PC? If it's SageTV Client, I think you're going to have a tough time securing it adequately since the properties file is stored locally and must remain writable so that routine UI setting changes (sorting and filtering options, for instance) can be saved. But if the properties file is writable, then anybody can edit it with Notepad to load up the stock UI and bypass your SageMC PIN security.

Placeshifter (or an extender appliance) would probably be a better choice since all the config files live on the server where it's easier to control access.

But the real question is what level of security are you looking for? If you're just trying to stop the kids from accidentally deleting files or screwing up settings, that's probably achievable with PIN codes and such. But if you have files you don't want the kids to see under any circumstances, and smart teens who really want to see them, that's a whole different level of problem that I don't think you're going to solve without some sort of file-level content encryption and/or lock-and-key physical security.
__________________
-- Greg
  #6  
Old 04-09-2009, 01:19 PM
Skirge01
SageTVaholic
 
Join Date: Jun 2007
Location: New Jersey
Posts: 2,599
I'm using the SageTV Client on the client PC. You're correct in your final assessment, though. I'm looking to keep "other people" (take your pick: kids, guests, babysitter, parents) out of certain files.

I'm wondering if using an administrator account through "Run As" to start SageTV while logged into Windows under a guest account would work? If I ensure that the shares and folders are completely inaccessible to the guest account, but fully available to the account I use for the "Run As" command, perhaps this would work.
  #7  
Old 04-09-2009, 05:32 PM
Striker:WG
Sage Aficionado
 
Join Date: Oct 2008
Posts: 472
That's what I was going to suggest actually.

You should be able to lock down the account that is currently running so they can't browse or change anything they're not supposed to with standard windows file permissions, then use the RunAs command to execute Sage under a different login that will bypass the permission restrictions.

The only thing I'm not 100% sure of is whether you can store that password in a secure way, so that they can launch Sage from an icon on the desktop without having to input the username/password, yet can't extract the password from it to then log in to the admin account...

-Striker-
  #8  
Old 04-09-2009, 06:30 PM
GKusnick
SageTVaholic
 
Join Date: Dec 2005
Posts: 5,083
Quote:
Originally Posted by Striker:WG View Post
The only thing I'm not 100% sure of is whether you can store that password in a secure way, so that they can launch Sage from an icon on the desktop without having to input the username/password, yet can't extract the password from it to then log in to the admin account...
Another possible loophole is opening a Studio window that would then let the user execute arbitrary Java code with admin privileges, including (say) launching a Windows command prompt that would inherit the permissions Sage runs with.

Again, SageTV Client exposes a lot of unsecured infrastructure on the client machine that Placeshifter and Extender clients don't expose.
__________________
-- Greg
  #9  
Old 04-09-2009, 07:20 PM
Striker:WG
Sage Aficionado
 
Join Date: Oct 2008
Posts: 472
Quote:
Originally Posted by GKusnick View Post
Another possible loophole is opening a Studio window that would then let the user execute arbitrary Java code with admin privileges, including (say) launching a Windows command prompt that would inherit the permissions Sage runs with.

Again, SageTV Client exposes a lot of unsecured infrastructure on the client machine that Placeshifter and Extender clients don't expose.
Well, while you are correct, I think that goes beyond the scope of who he's trying to protect his system/files from.

Realistically, if he doesn't want anyone messing with anything, the tower would be in a locked box, not connected to any unsecured network, and the only interface would be a remote that doesn't work outside of Sage except for a green button to launch Sage again.

-Striker-
  #10  
Old 04-09-2009, 08:20 PM
GKusnick
SageTVaholic
 
Join Date: Dec 2005
Posts: 5,083
Quote:
Originally Posted by Striker:WG View Post
Well, while you are correct, I think that goes beyond the scope of who he's trying to protect his system/files from.
That's why I asked him earlier to define the scope more precisely. If the babysitter is someone he wants to protect against, then what about the babysitter's hacker boyfriend? The kids' nerdy schoolmates?

Better to close a loophole if possible than to leave it open and hope nobody's smart enough to discover it.
__________________
-- Greg
  #11  
Old 04-10-2009, 09:41 AM
Skirge01
SageTVaholic
 
Join Date: Jun 2007
Location: New Jersey
Posts: 2,599
You're both right. I hadn't thought about those possible scenarios, since I've never even opened Studio. The hardware firewall is locked up tight for the very reason Greg is mentioning. While that's an option, it would cause issues with the requirement of being able to browse the internet or type Word documents. (No, I'm not willing to use a pop-up screen keyboard!)

Can Studio be disabled by simply unmapping CTRL+SHIFT+F12?
  #12  
Old 04-10-2009, 11:38 AM
GKusnick
SageTVaholic
 
Join Date: Dec 2005
Posts: 5,083
Quote:
Originally Posted by Skirge01 View Post
Can Studio be disabled by simply unmapping CTRL+SHIFT+F12?
No, that's not sufficient. You can invoke any mappable SageTV command (whether or not it actually has a keystroke mapped) by event number from a command prompt or using SendMessage. So for instance while SageTV Client is running, either of the following command lines will cause it to open a Studio window:

SageTVClient.exe -event 77

SendMessage.exe SageClientApp SageWin 1258 0 77

Disabling this would require an STVI mod to intercept the Customize command (event #77) and prevent its default interpretation from executing. I think that would be sufficient, but maybe someone smarter than me can think up another loophole.
__________________
-- Greg
  #13  
Old 04-10-2009, 02:38 PM
razrsharpe
Sage Icon
 
Join Date: Sep 2008
Location: Boston, MA
Posts: 2,111
Quote:
Originally Posted by Striker:WG View Post
The only thing I'm not 100% sure of is whether you can store that password in a secure way, so that they can launch Sage from an icon on the desktop without having to input the username/password, yet can't extract the password from it to then log in to the admin account...
I haven't done it myself, but using runas in a scripted fashion to store and enter the password should work and keep the password secure.

runas usage: %windir%\system32\runas.exe /user:domain\user "CL_to_program"

See: http://www.windowsnetworking.com/nt/.../atips12.shtml

One of the apps they recommend for scripting the password is AutoIt. I haven't used it for this explicitly, but I have for other programs, and it is a great little piece of software. AutoIt creates an EXE that executes a batch.
__________________
Server 2003 r2 32bit, SageTV9 (finally!)
2x Dual HDHR (OTA), 1x HD-PVR (Comcast), 1x HDHR-3CC via SageDCT (Comcast)
2x HD300, 1x SageClient (Win10 Test/Development)
Check out TVExplorer
  #14  
Old 04-10-2009, 03:46 PM
sflamm
Sage Icon
 
Join Date: Mar 2009
Posts: 1,653
What is the XML for adding a PIN code to a menu item in the sagemc_menu.xml?
  #15  
Old 04-10-2009, 06:31 PM
Skirge01
SageTVaholic
 
Join Date: Jun 2007
Location: New Jersey
Posts: 2,599
Quote:
Originally Posted by razrsharpe View Post
I haven't done it myself, but using runas in a scripted fashion to store and enter the password should work and keep the password secure.

runas usage: %windir%\system32\runas.exe /user:domain\user "CL_to_program"

See: http://www.windowsnetworking.com/nt/.../atips12.shtml

One of the apps they recommend for scripting the password is AutoIt. I haven't used it for this explicitly, but I have for other programs, and it is a great little piece of software. AutoIt creates an EXE that executes a batch.
That was absolutely perfect, razrsharpe. Thanks so much! The solution everyone else suggested and I had been thinking of seems to have worked just fine. I unlinked CTRL+SHIFT+F12 as Greg mentioned. Then, your AutoIt idea perfected it!

It took me all of about 15 minutes to download, install, figure out, and try 4 different variations of the RunAs function in AutoIt, build an EXE and test it out on the Guest account. Prior to doing this, I removed all access to "C:\Program Files\" for the Guest account, allowing access only to Internet Explorer's and Firefox's folders.

Doing all of the above removes the Guest account's access to the SageTVClient.exe file EXCEPT via the AutoIt executable I built. I can't think of any other way for someone to get into the setup or server shares any longer. If anyone does, let me know and I'll test it out!

If anyone's interested in using AutoIt for the same purpose, here's the sole command you need to program:

Code:
RunAs ( "username", "domain", "password", 4, "SageTVClient.exe" [, "C:\Program Files\SageTV" [, show_flag [, opt_flag ]]] )
The "4" is for the logon_flag and states, "Inherit the calling processes environment instead of the user's." I tried using a 2 in there and Sage wouldn't load. I also tried using the show_flag "@SW_MAXIMIZED" without success, but I already have EventGhost programmed (uh-oh*) to maximize Sage after it starts up.

This is even better than I imagined. This allows Windows itself to be pretty darn locked down 99% of the time, yet still have access to Sage. This is how we're all supposed to use Windows, right?

Thanks again, everyone!

* I'll need to enable READ and EXECUTE access to EventGhost's folder for the Guest account, as well. Perhaps EG's Docs & Settings folder, too. We'll see.
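As an added example (not code from the thread or from SageTV), here is a PowerShell check that verifies the permission step Skirge01 describes: it walks the protected folders and reports any NTFS Allow entry that still reaches the restricted account, ignoring the browser folders he deliberately left accessible. The paths, the identity names (the local Guest account, BUILTIN\Guests and Everyone) and PowerShell 3 or later (for `Get-ChildItem -Directory`) are assumptions; edit them for your machine.

```powershell
# Added example, not code from the thread: audit NTFS ACLs so that the
# restricted account (the thread's "Guest" account) holds no Allow entry on
# the SageTV folder or the media directories, except under the allow-listed
# browser folders Skirge01 left reachable. Paths and identity names are
# assumptions; edit them for your machine.
param(
    [string[]]$Protected   = @('C:\Program Files', 'D:\Recordings'),
    [string[]]$AllowListed = @('C:\Program Files\Internet Explorer',
                               'C:\Program Files\Mozilla Firefox'),
    # Guest is usually reached as <COMPUTERNAME>\Guest, via BUILTIN\Guests, or via Everyone
    [string[]]$Identities  = @("$env:COMPUTERNAME\Guest", 'BUILTIN\Guests', 'Everyone')
)

function Get-UnwantedGrants {
    param([string]$Path, [string[]]$Identities)
    # Return one record per Allow ACE (inherited or explicit) for a watched identity
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $Identities -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($root in $Protected) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "missing: $root"; continue }
    # Walk the root and every subfolder; skip anything under an allow-listed folder
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $allowed = $AllowListed | Where-Object { $dir.FullName -like "$_*" }
        if ($allowed) { continue }
        Get-UnwantedGrants -Path $dir.FullName -Identities $Identities
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Host "FAIL: $($findings.Count) grant(s) still reach the restricted account"
    exit 1
}
Write-Host 'PASS: no NTFS grant for the restricted account outside the allow-list'
```

This inspects NTFS permissions only; the share-level permissions on the WHS server's media shares are a separate layer and need to be checked on the server. The account used for the AutoIt RunAs wrapper is not in the watched list, so its access is left untouched.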
  #16  
Old 04-11-2009, 08:35 PM
razrsharpe
Sage Icon
 
Join Date: Sep 2008
Location: Boston, MA
Posts: 2,111
Excellent. Glad you got it working... and thanks for posting that bit of code; it will save me the effort of figuring it out for launching other programs.

I agree that you should have everything locked down now.
__________________
Server 2003 r2 32bit, SageTV9 (finally!)
2x Dual HDHR (OTA), 1x HD-PVR (Comcast), 1x HDHR-3CC via SageDCT (Comcast)
2x HD300, 1x SageClient (Win10 Test/Development)
Check out TVExplorer