On Monday 13 February 2006 15:55, Tim wrote:
>On Sun, 2006-02-12 at 12:49 -0600, Mikkel L. Ellertson wrote:
>> But preventing a user that has physical access to the machine from
>> rebooting it or shutting it down is rather pointless. They can
>> always pull the plug to do a shutdown. (Unless you have an internal
>> UPS.) I would rather let them do a controlled shutdown...
>
>I tend to agree, though I can think of situations like a public
>demonstration PC locked into a box, or schools where you don't trust
>the students, where making rebooting/powering-down difficult is
>beneficial.
>
>I think you also have to take care of other matters if you allow
>people to reboot computers that aren't their own, so that they can't
>easily boot from other media, or change boot parameters, to bypass
>your security.

Which is why, when building a new box for someone at the TV station, there is only one CD-ROM drive and floppy, and they live on the shelf in the room where maintenance on computers is normally done. Almost none of the other boxes in the building have either a floppy or a CD-ROM reader. And it's sure slowed down the infection rate when they can't bring their fav Doom disk in that's already infected and install it on their work box. We got a bunch of static at first, but after the message was delivered in force by the GM, that was the end of the squawking.

We also pretty well fixed the porn problem because any time we find some on a box while we're replacing the CPU fan or some such piddly detail, the drive gets re-imaged. They lose all their personal account data 2-3 times and that's the end of the porn sucking. More than once it was a box dedicated to news graphics. The third time it got re-imaged, the news director finally got the message that these were work boxes, not play boxes, and he is now helping to enforce the ban. And things are running a hell of a lot smoother.

Note that these boxes all have free rein on the net, often required to run down a news or sales lead, and we don't cripple that access as it's totally non-productive to do so.

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word 'online' between the 'verizon', and the dot which bypasses vz's stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.