How do I lock down XP?


Eyeball Kid
11-11-2004, 10:07 AM
I've just set up an XP Pro machine purely for MP3 at a restaurant. I've never set up a machine before with security in mind, and I want to totally lock down the machine so all anybody has access to is the MP3 player (Musicmatch). I've tried using the guest account, but Musicmatch won't run in this account. How do I do this? I tried setting the rights for the Musicmatch folder using the CACLS utility as recommended by this article

http://insight.zdnet.co.uk/hardware/chips/0,39020436,2110292,00.htm

but with no luck. Is there a more straightforward way I don't know about? And just generally, how can I tightly secure this machine? In my experience with all the machines where I work, from sign in systems, point of sale systems, to amps and AV equipment, if people can find a way to f' them up, they will.....

BobSutan
11-11-2004, 10:27 AM
Have you looked into Security Templates?
From MMC:
Click on File --> Add/Remove Snapin --> Add --> Security Templates.


It's also useful to use Security Configuration and Analysis.
From MMC:
Click on File --> Add/Remove Snapin --> Add --> Security Configuration and Analysis

For starters, I suggest the hisecws template.

Other gee-whiz security is to rename the administrator account and create a fake one with no rights whatsoever. Same with the Guest account.

Oh, and don't forget to run MS's Baseline Security Analyzer (http://www.microsoft.com/technet/security/tools/mbsahome.mspx). It's free and is really decent at pointing out the basic security holes in a Windows OS. Here's the link for their other security tools (http://www.microsoft.com/technet/Security/tools/default.mspx) as well.

Eyeball Kid
11-11-2004, 10:39 AM
Not wanting to sound like a spaz - but -


how do I do that? :p

Thanks for your edit.

almostinsane1
11-11-2004, 11:30 AM
Click Start, Run, Type "mmc" and then follow the directions above.

Mongoose
11-11-2004, 12:37 PM
You can use a product like Deep Freeze to lock down everything, or create a Ghost image of the original partition and set up Ghost to ghost the image back on there after reboot. That way, if anything gets screwed up, you can just reboot the computer.

BobSutan
11-11-2004, 02:05 PM
Oh, guess I should have mentioned this place (http://www.nsa.gov) too ;)

http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID=10.3.1.1

bigstusexy
11-11-2004, 02:51 PM
Might be a bit of a headache, but you could also set a local policy:

Start / Run / gpedit.msc

If this is just playing music and doesn't need to be on the network I'd do this:
Disable the guest account.
Create a normal user account.
Make a local policy that locks down a lot: no desktop icons, disk access (multiple settings). I would edit their Start menu to very minimal.
Set up the player to start automatically.
I would probably set my NTFS permissions as well just to be safe, but don't forget to give them access to where the music is.
I would remove and/or disable all network devices.
Don't forget a good password on the administrator account (I'd rename it too) and you are done.

They will need access to where the Music is and possibly an optical drive to add more music
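
The account, NTFS and security-template steps suggested in the posts above, collected into one batch file as an added example (not written by any poster in this thread). The account name `jukebox`, the paths `D:\Music` and `C:\Program Files\Musicmatch`, and the database name `kiosk.sdb` are assumptions; adjust them to the machine.

```bat
@echo off
rem Added example, not from the thread. Run from an Administrator command prompt on XP Pro.
rem Assumed names: account "jukebox", music in D:\Music, player in C:\Program Files\Musicmatch.
setlocal
set KIOSKUSER=jukebox
set MUSICDIR=D:\Music
set PLAYERDIR=C:\Program Files\Musicmatch
set SECDB=%SystemRoot%\security\database\kiosk.sdb
set TEMPLATE=%SystemRoot%\security\templates\hisecws.inf

rem 1. Disable the built-in Guest account.
net user Guest /active:no || goto fail

rem 2. Create a normal (limited) user. "*" prompts for the password instead of
rem    putting it on the command line; new accounts land in the Users group only.
net user %KIOSKUSER% * /add || goto fail

rem 3. Set a strong Administrator password (prompted, not echoed).
rem    Renaming the account is done separately in secpol.msc under
rem    Security Options: "Accounts: Rename administrator account".
net user Administrator * || goto fail

rem 4. NTFS permissions. /E edits the existing ACL rather than replacing it,
rem    /T recurses. Read-only on the music, so only an administrator adds tracks.
cacls "%MUSICDIR%" /T /E /G %KIOSKUSER%:R || goto fail
rem    Assumption: the player writes to its own folder. Grant Change (C) there
rem    only if it fails to start under the limited account.
cacls "%PLAYERDIR%" /T /E /G %KIOSKUSER%:C || goto fail

rem 5. Compare the machine against the hisecws template first, then apply it.
secedit /analyze /db "%SECDB%" /cfg "%TEMPLATE%" /log "%TEMP%\kiosk-analyze.log"
echo Review %TEMP%\kiosk-analyze.log, then press a key to apply the template.
pause
secedit /configure /db "%SECDB%" /cfg "%TEMPLATE%" /log "%TEMP%\kiosk-configure.log" || goto fail

echo Done. Log on as %KIOSKUSER% and confirm the player starts and plays.
goto :eof

:fail
echo A step failed (errorlevel %errorlevel%). Fix it and re-run; nothing is rolled back.
exit /b 1
```

The desktop, Start menu and drive restrictions from gpedit.msc and the removal of network devices are not scripted here and still need to be set by hand.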

Fryguy8
11-11-2004, 08:33 PM
physical access to a machine = unprotectable.

Make sure the actual tower is locked away.