Google Answers Logo
View Question
 
Q: Looking for info on creating tamper-proof Windows XP machines for public use ( Answered,   13 Comments )
Question  
Subject: Looking for info on creating tamper-proof Windows XP machines for public use
Category: Computers > Security
Asked by: bigjosh-ga
List Price: $100.00
Posted: 29 Apr 2005 10:36 PDT
Expires: 29 May 2005 10:36 PDT
Question ID: 515848
I am setting up a computer center where random people can walk in and
surf the internet.

I am using new PCs running Windows XP. 

I want to set these machines up so that the users can not mess them up
in any way that would effect the next person to use that machine.

I've played around with setting up a Windows "Guest" account, but even
in a restricted guest mode people can still mess things up. I've also
tried using IE's Kiosk mode, but again it is pretty easy for people to
get out of that mode and mess things up.

The only application people will need access to is IE. I will
preinstall all the needed plug-ing like Flash and Adobe PDF Reader.

An ideal solution would be to have a special key combination that
would restore the machine back to a fresh state each time a new person
sat down.

I can guarantee that people will not be able to mess with the actual
PC hardware - thier only interface with the computer will through the
keybaord and the mouse.

This is a very low budget project, so I am looking for either a way to
do this using just Windows/IE configuration or perhaps some freeware.

Thanks!

-josh
Answer  
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
Answered By: wildeeo-ga on 09 May 2005 18:06 PDT
 
Hi, josh. Thanks for your question.


I would strongly recommend investing in a commercial solution since
there are so many different ways to disrupt a windows machine, many of
which cannot be easily disabled. Many of these programs are fairly
inexpensive and pretty much all of them have a free trial. I've
included a list of some of the more inexpensive options below.

If these are really not an option, I've provided various steps you can
take to make life much more difficult for anyone trying to escape from
the browser. It will take a lot of time and experimentation to ensure
it's secure enough (possibly another reason to opt for a commercial
solution).They all assume that the users have *no* physical access to
a machine whatsoever, including the ability to insert CDs or USB hard
drives; if they do, your task becomes next to impossible.


Your first - and biggest - problem is that any user using your kiosk
can get out of the browser by press Ctrl-Alt-Del and killing the task,
or pressing Alt-F4, or pressing Ctrl-W, or using Alt-Tab, or pressing
the Windows key, or...

Unfortunately, these key combinations - particularly the Ctrl-Alt-Del
combination - can't be disabled by applications for security reasons.
You can disable various features by editing the registry as described
below:

- Disable Alt-Tab (to switch tasks):
http://www.windowsitpro.com/Article/ArticleID/15076/15076.html

- Disable the Task manager (accessed from Ctrl-Alt-Del):
http://is-it-true.org/WindowsTips/WindowsNT/UserTips/Miscellaneous/EnableDisableTaskManagerinWindowsXPHomePro.html

The other issues cannot be solved by editing the registry. The most
effective (and extreme) solution I can find to these problems is
simply to disable the Ctrl, Alt, Windows and F10 keys. This means
nobody - including you - can use these keys for anything, but if this
is just for a kiosk that shouldn't be a problem. The steps for
disabling these keys can be found at
http://www.northcode.com/resources/kiosk/kiosk.html (at the bottom of
the page).


For the browser, I'd recommend using the free alternative Mozilla
instead of Internet Explorer. There are fewer known exploits, and less
spyware and exploits are targeted at Mozilla, making it less like
likely that someone will install something you don't want installed.

You can get Mozilla from http://mozilla.org/ and there is a useful
plugin available from http://mozdevgroup.com/clients/bm/ for Mozilla
that will do most of the things you require, such as automatically
resetting the browser after a period of inactivity or when someone
presses 'Logout' on the screen.


If you must use Internet Explorer, there are various registry changes
you can make to stop people viewing files on the computer, for
example. A list of the keys and options is available at
http://tln.lib.mi.us/~amutch/pro/ie/restrictions.htm.


Either way, I'd recommend running these in an account with restricted
access so as to minimise any potential damage.


Another, more extreme option, as suggested by several people in the
comments below, is to install Linux as a kiosk. A complete Linux
distribution designed for this can be found at
http://boothbox.sourceforge.net/ and can be burnt to a CD. This has
the added advantage that, if somehow something does go badly wrong,
all you need to do is restart the computer and it will be in it's
original state. It also has features such as auto-reset that you
require.

Alternatively, there is a (slightly technical) tutorial describing how
to do this with the K Desktop Environment (KDE) at
http://developer.kde.org/documentation/tutorials/kiosk/index.html.


Here are a few commercial programs for Windows that will probably meet your needs:

- Public Web Browser
http://www.teamsoftwaresolutions.com/downloads.html
($100/yr site license)

- Kioware Lite
http://www.kioware.net/kiowarelite.asp
($70/computer)

- Advanced Internet Kiosk
http://www.softstack.com/advink.html
($39/computer)


You might also find the following searches useful:

://www.google.com/search?q=linux+web+kiosk
://www.google.com/search?q=windows+xp+disabling+task+manager+registry
://www.google.com/search?q=internet+explorer+kiosk


If you have any questions, please feel free to request a clarification.

--wildeeo
Comments  
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: emin-ga on 29 Apr 2005 13:34 PDT
 
Either Windows or tamper-proof. Choose one.
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: bschonec-ga on 29 Apr 2005 20:21 PDT
 
Does it HAVE to be Windows/IE?

How about Linux kiosk mode?

://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-38,GGLD:en&q=linux+kiosk
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: frde-ga on 30 Apr 2005 03:41 PDT
 
This looks interesting:

  http://www.nu2.nu/pebuilder/

Also this page that points to it:

  http://www.runtime.org/peb.htm
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: bearitall-ga on 04 May 2005 16:30 PDT
 
I set up a Linux for that in south Wales because the shop was having
trouble with users doing deliberate damage with virus's and just
deleting things, which is all just too easy on MS Windows.

With the Linux setup I gave him he could let each of his customers
have their own login, so they could leave the shop assigned email
addresses setup and so on. He hasn't had trouble since and he actually
gets more regular users because they can logon and get to their
emails, documents and favourites very easily. He can relax because he
knows that customers can not get to each others documents/emails.
Also, he hasn't had any problems with people trying to cause damage,
partly because all they can damage is their own account, but also it
is just too obvious who is attempting to do damage.

But if you haven't done UNIX/Linux before you may want a MS Win
answer. But see the bit at the end that may help you decide.

The first thing you need to know is that they is no such thing as a
safe file on an MS Win PC. I could slip a 'Live Linux' CD into the
drive of any XP, boot the machine and have full access to everything,
all users data/files, all system files. Of cause I could do the same
on many Linux systems.

So you must start with the bios and ensure that the only boot device
is the drive that your MS Win is on. With no alternative devices. Then
password protect the bios.

Then your best defence is to ensure you have the means to return the
PC to a known state. For that something like Norton Ghost. You set
your PC how you want it, then set Ghost to duplicate the main drive
(the one your windows boots off) and use ghosts ability to password
protect that backup. If you are not allowing customers to keep
documents on the PC, then the recovery to the known state is actually
very fast because niether drive needs to be very large. Might even be
fast enough to perform the task between every customer, Ghost is
clever enough to only change back what has changed. By default it also
protects you from a genuine hard drive problem, because the mirror
drive can become the boot drive and is already fully set up.

As an extra though, so that you can have a look at linux properly
without affecting your current setup at all, the magazine 'Linux User'
this month has a free copy of Linspire with it. This is one of those
'Live Linux's' I mentioned above. You simply boot from it and have all
of the functionality of Linux, so that you can try it out. It has very
good video tutorials for most tasks. If you do try in, booting a 'Live
Linux' is always a slow process because it has to perform hardware
checks that an installed Linux only needs to perform once. Be patient
with it even when you feel it must have stopped working. Once booted
though you will find it performs reasonably fast, so you can at least
it try out.
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: cpdohert-ga on 20 May 2005 10:58 PDT
 
Oh, good grief.  Never send a boy to do a man's job, and never ask a
Linux geek to answer a question about Windows.

There is, in fact, a simple canonical native Windows solution to your
problem.  I use it to set up Citrix thin terminals.  And it uses all
the tools that already there in Windows XP.

1) Create two local users, an administrator (there by default, but
you'll have to set the password and log in at least once) and the user
you're going to have the IE desktop run under.  I'll call that user
"public" for the sake of brevity.  Make public a Restricted User.

2) Read up on Local Group Policies
(http://www.windowsdevcenter.com/pub/a/windows/2005/03/29/local_group_policy.html
and http://www.theeldergeek.com/group_policy_for_windows_xp_prof.htm).
 Local Group Policy Objects allow you to lock down nearly every aspect
of a Windows XP box.  This includes the ability to remove access to
the Task Manager,  logging off, and various other ways of exiting the
currently running application.  All the settings are extensively
documented within the Group Policy editor itself.  There's an
extensive section just on IE, which should help you.

WARNING: DO NOT PLAY AROUND IN THE POLICY EDITOR UNTIL YOU ARE READY
TO ROLL OUT  THE DESKTOP - you'll see why in a minute.

3) Specific things you can set in the Policy Editor (they're scattered
all over the place): Autologon as the public user (may require some
additional registry tweaks, see
http://www.winguides.com/registry/display.php/780/ and
http://www.chicagotech.net/winlogon.htm).  This will automatically log
in public when the machine boots, and if anyone manages to log out
somehow, the system will log them right back in again.
: Set iexplore.exe as the shell for public.  Most of the ways to get
out of an application are controlled by the Windows _shell_,
explorer.exe, not the kernel or the application.  Set IE as the shell
for public and they won't get any of the application quitting options.
 Make sure you find and set the "auto restart shell" Policy Object -
that way if someone kills the shell or crashes IE it restarts the same
way explorer does when you kill it in the Task Manager.  See
http://blogs.msdn.com/embedded/archive/2005/03/30/403999.aspx
: Disallow any executables running except for the ones you want. 
There's a Policy Object that allows black- and whitelists for
processes.  This will prevent people from running things from the
shell (in this case, iexplore).

I'm sure you can find lots more.  The GPO documentation is great; the
organization is not...

You may also want to look at more traditional methods of securing the
PC from network and file system access, using the various checklists:
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

Since you're going to save yourself a lot of time with the GPO editor,
in lieu of screwing around with other OSes and software you don't
need, you can take some time to investigate the IEAK, which will let
you customize the dickens out of IE, including enforcing the
full-screen or "kiosk" mode.
http://www.microsoft.com/technet/prodtechnol/ie/ieak/default.mspx

4) Before you apply the Local Group Policy, READ THIS:
http://www.theeldergeek.com/gp07.htm
Outside of an Active Directory environment, any settings you put in
that GPO are going to affect _all_ the users, including the
Administrator!  That will make it impossible to update or administrate
the PC.  The trick in that web page will show you how to trigger the
restricted environment for public but _not_ for Administrator.  (to
bypass the autologon to get to the logon prompt, hold down Shift while
the PC boots).

I've just rolled out thirty Citrix thin terminals using this method,
and no one's broken them yet :-)
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: bigjosh2-ga on 20 May 2005 18:09 PDT
 
cpdohert-ga,

Thanks, this is *exactly* the kind of info I was looking for.

I'll try setting up a couple of meachines next week and post back my results.

Thanks again!

-josh
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: bigjosh2-ga on 24 May 2005 19:09 PDT
 
Just saw this news story, hope it comes out soon...

 
Microsoft Tests Security Toolkit for Shared-Computer Users  
http://www.eweek.com/article2/0,1759,1816917,00.asp
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: cpdohert-ga on 26 May 2005 05:39 PDT
 
No worries, bigjosh.  I hope this saves you some time.

One thing I did run across that you may want to know:  there do exist
certain rare circumstances where the Windows shell (in your case, IE)
can crash and yet the OS will not auto-restart it.  This is extremely
rare; I've only had it happen once or twice on me since XP came out. 
There is a way to use the WMI eventing interface to monitor tasks and
restart them, but it involves some complex VBScripting.  In case you
want to go that serious a route, here's the links:

<a href="http://www.windowsitpro.com/Article/ArticleID/9805/9805.html?Ad=1">Understanding
WMI Eventing</a> and
<a href="http://www.windowsitpro.com/WindowsScripting/Article/ArticleID/15643/15643.html">Use
WMI Eventing to Monitor Your System</a>

If you're just setting up an Internet cafe or library surf desk or
something, you may find it easier to just have someone around who can
logoff the user (triggering the autologon and shell restart) or hit
the reset button rather than messing with VBScript at this level.
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: netdoc-ga on 04 Jun 2005 08:20 PDT
 
cpdohert-ga Nice job and nicely put.  I have setup several of these
types of machines for clients using windows and never had a single
problem.  You can do all of this through publicly availiable
configuration settings as you pointed out.
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: danielmaui-ga on 20 Jul 2005 20:20 PDT
 
I think what you are looking for is Deep Freeze. Restarting brings you
right back to the same configuration every time. Doesn't matter what
kind of garbage they downloaded or tweaks they have done, a restart
will fix that in a hurry! Ever used a rental station at Kinkos? As low
as $20/ea for library settings.

http://www.faronics.com/html/deepfreeze.asp

"Deep Freeze instantly protects and preserves original computer
configurations. Completely invulnerable to hacking, Deep Freeze makes
computing environments easier to manage and maintain. Each restart
eradicates all changes and resets the computer to its original state,
right down to the last byte."
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: bigjosh2-ga on 31 Jul 2005 16:44 PDT
 
The Microsoft Shared Computer Toolkit is now out in Beta and available
for free download here...

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

It has a really nice disk protection scheeme that lets you schedual
automatic updates for critial patches.
Subject: Recovery Password in a switch
From: raulbond-ga on 05 Aug 2005 09:28 PDT
 
Sorry... but i dont have a count but i have a question. How I recover
or crack a password in a switch omnistack
Subject: Re: Looking for info on creating tamper-proof Windows XP machines for public use
From: daniel123123-ga on 13 Oct 2005 02:36 PDT
 
Sitekiosk offers a great secure shell incorporated into Internet Explorer
http://www.sitekiosk.co.uk

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at answers-support@google.com with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  


Google Home - Answers FAQ - Terms of Service - Privacy Policy