Implementing User Account Control

From RPOWERWiki

User account control is accomplished by setting up password protection on your shared drive and adding an extra user account on your office machine that will be used only by the RPOWER process.

This setup has several benefits, including:

  • Limiting the potential harm of malware and ransomware attacks. Set up properly, this will isolate the damage to the machine running the malware (typically an office machine).
  • Preventing accidental modifications to the sys folder by administrative staff.
  • Preventing network users from freely browsing and accessing the RPOWER system.

This process works on Windows 7 and up.

User Setup

  1. Create a user account that the POS machines log in as and that the office machine uses to connect to the share.
    • Settle on a single username and password. Do not use a blank password. This user will be referred to as the POS system user.
    • Create this user on all machines (POS and office) using the same password on each computer.
    • Make it a standard user (not administrator). Additionally, any normal office users should be running as a standard user.
    • This must not be the user that will be logged on during normal usage on the office machine. Additionally, the password should be kept secret so nobody accidentally logs in as the POS system user.

Password Protected Shares

  1. Log in as the POS system user created in the "User Setup" section.
  2. On the file server, navigate to "Control Panel", then "Network and Sharing Center", and finally "Change advanced sharing options". Set the following settings:
    • Turn on file and printer sharing.
    • Turn off Public folder sharing.
    • Turn on password protected sharing.
  3. Share the Sys folder by right-clicking it and selecting "Properties", going to the "Sharing" tab, and pressing "Share...".
  4. Under "Choose people to share with", make sure the only person listed is the POS system user and that the "Permission Level" is set to "Owner". Then press "Share".
  5. At this point you should be able to log in as the POS system user on any machine and connect to the network shared sys folder. However, if you log in as a different user, it will ask for credentials to access the share.
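
The following PowerShell script is an added example, not part of the original RPOWER instructions. It checks the result of the "User Setup" and "Password Protected Shares" steps on the file server. It assumes the placeholder names POSUSER and SYS, and it needs the LocalAccounts and SmbShare cmdlets, which are not available on Windows 7. The choice of which groups to flag as too broad is also an assumption of this example.

```powershell
# Added example: audit the POS system user and the shared Sys folder.
# Assumptions: POSUSER and SYS are placeholders; needs the LocalAccounts and
# SmbShare modules (Windows 10 / Server 2016 or later). Run elevated on the
# file server.
param(
    [string]$PosUser   = 'POSUSER',
    [string]$ShareName = 'SYS'
)
$findings = @()

# 1. The account must exist, be enabled, and require a password.
$user = Get-LocalUser -Name $PosUser -ErrorAction SilentlyContinue
if (-not $user) {
    $findings += "Local user '$PosUser' does not exist."
} else {
    if (-not $user.Enabled)          { $findings += "'$PosUser' is disabled." }
    if (-not $user.PasswordRequired) { $findings += "'$PosUser' is allowed a blank password." }
}

# 2. It must be a standard user. S-1-5-32-544 is the built-in Administrators group.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.Name -eq "$env:COMPUTERNAME\$PosUser" }) {
    $findings += "'$PosUser' is a member of Administrators."
}

# 3. The shared folder must not be open to broad groups (well-known SIDs).
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}
$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if (-not $share) {
    $findings += "Share '$ShareName' not found."
} else {
    # Read the folder's NTFS access rules with identities returned as SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path $share.Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
            $findings += "$($share.Path): $($broad[$sid]) is allowed $($rule.FileSystemRights)."
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No findings for '$PosUser' and share '$ShareName'." }
```

Each warning names the setting to revisit in the steps above. A run with no findings does not confirm the password itself, only that the account is not flagged as exempt from having one.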

Auto Login

Typically, the POS machines should boot directly to RPOWER. To do this with a password-protected user account, auto login needs to be set up. If entering a password at boot time is not an issue or is desired, this step can be skipped.

  1. Press Win-R to bring up the Run dialog. Enter and run "control userpasswords2".
  2. On the "User Accounts" screen that pops up, select the POS system user so it is highlighted in blue and uncheck "Users must enter a user name and password to use this computer".
  3. When you press OK, it will ask you to confirm the password for that user. Do so and press OK again.
  4. Now reboot. When the system comes back up this user will be logged in automatically.

Run RPOWER as a Different User

Log in to the office machine as the normal office user and create a shortcut on the desktop. For the shortcut target enter the following (replacing POSUSER with your POS system username and FILESVR with your file server name):

C:\Windows\System32\runas.exe /savecred "/user:POSUSER" "\\FILESVR\SYS\rpower\winrun\RPOWER.exe"

Now launch the shortcut. The first time, it will prompt you for a password. Enter the password for the POS system user.

You should now have RPOWER running on your desktop, but navigating to the network share will not be possible without entering credentials.

Removing Saved Network Credentials

If for some reason credentials are entered for the share and need to be removed, you can do so by running "control keymgr.dll". Then, under "Windows Credentials" remove the entry for the POS system user.
