How Would You Lock Down a Windows XP Machine?
Kronos666 asks: "I've been working with a network of about 50 computers, and a few of them have to be locked down. What I mean is that there is an application running, and the users must not be able to do anything else on it. The computers (Windows XP) are in a Windows 2000 domain and I've tried everything that comes to mind with the group policies. Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down? Maybe someone has had previous experience with something like this?"
A blob of epoxy in the keyboard jack?
with a cement block and a chain right before I dropped it in the ocean.
for turning them into 'kiosk' style machines, with the ability to only run 1 program. removing explorer & etc. it's not foolproof but it's a start, and make them copy themselves from the network every time they're started.
http://www.google.com/search?q=windows+xp+kiosk&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8 , and remember, there's no ask-slashdot that google couldn't solve...
Unplug the network cable and remove the floppy drive
And boot off the network. In addition, the truly best way is to avoid the problem to begin with: by coding your kiosk software as its own operating system, booting off of network or ROM chip, and having the data held elsewhere.
But if you're stuck with XP, I'd suggest a VERY minimal install of XP, with your program loaded in the registry full screen, and Windows.Form.KeyPreview on, Windows.Form.KeyDown testing for and disabling all standard keys (like alt-tab and ctrl-alt-del). For extra fun, link those keys to nasty messages from "The Master Programmer". And remove the floppy & CD-ROM drives completely from the machine. If the kiosk can get by with just mouse or touchscreen access, remove the keyboard as well, or at least put a blob of superglue under the Windows and Right Menu keys.
Rather than a technical solution, just strike fear into the heart of the user. Put an empty camera shell above the computer tied to a fake, but realistic looking revolver.
Tell them the camera can detect them messing with the system, and if caught, the camera/gun combo will grow legs and make them wish they hadn't installed the random screensaver exe sent to them in the mail.
Or maybe you would get sued, I dunno, I'm not a lawyer.
Share your group policies with a few other minds on the mailing list at http://www.activedir.org
Lack of a CD drive? :)
Viva La Revolucion! Buy a Mac!
Disconnect it from the network, remove all drives, smash it with an axe and then, for good measure, install GNU/Linux.
My apologies if this seems unhelpful. It's very early and I haven't had my coffee yet.
Now wash your hands.
I'm going to be blunt and say that the best way to do this is with Linux, because it's much easier to pare down.
It's a pain, because it's so much harder to build Windows-from-scratch barebones systems than their Linux equivalents. I've seen a lot of Windows kiosks, and they're almost always loaded with scads of things they don't need because it's so hard to really pare down a Windows box.
Set up a bunch of thin clients with netbooting enabled. That means no CD drive, floppy drive, hard drive. Lock the BIOS. Buy cases that are physically securable.
Have one or several Windows Terminal Server boxes set up.
Set up your netboot server to serve a Linux distro something like Red Hat (or an even more bare-bones system), installing a minimal set of packages necessary. You'll want to install rdesktop so that your clients can act as Terminal Server clients, but no terminals or anything. In /etc/inittab, remove all VTs. In /etc/X11/XF86Config, kill the "special" xorg key combinations (like control-alt-backspace). Don't have xterm or any such terminals installed. Use an xsession set up to start rdesktop, and a window manager of your choice that can slap something up fullscreen and disable all other functionality -- almost all can do this, but you'll probably want something more barebones than the sawfish that I use. Have rdesktop running fullscreen. Set up X to respawn logged in to whatever user you have using the program.
The user should have no write access to anything on the Linux distro (if you want to include a small swap drive, you might want to have a local hard drive, but only root should be able to write to the thing).
The user should have no write access to anything on the Windows TS system (unless as required by your application). Hence, the users can't install anything. It's easy to administer. You don't have to pay for each client, since they're running Linux, which makes a decent thin client OS.
Now, you can do whatever you want in a trusted manner on the TS system(s), since the users don't have the ability to reboot or muck with it, since they have no local access (and rebooting or mucking with their thin client does nothing that gives them any influence over what applications are running on the server). Kill all processes that you don't recognize automatically or whatnot.
I think I understand what you are trying to do here.
Truly the only way to really secure a PC is to lock it in a room away from 'end users'.
Once you do that, you can use something like VNC or Windows Remote Desktop to monitor and control the programs.
If you can't move the CPU, at least you could remove keyboards and mice, and put a big note on the monitor to have people call you to find out when the machine will be available again. (Then use a remote client.)
aloha,
dave
Then replace the shell for that group with the app you want to run. That property is User->Admin. Templates->Custom User Interface.
In ctrl-alt-delete settings remove task manager if you want.
Turn off autoplay.
For a really locked down mode, use Software Restriction Policies. Create a whitelist of runnable apps by hash; if the program isn't on the list for users affected by the group policy, they cannot start the program. You can still admin the systems by logging on as a real user; just use ctrl-alt-delete to log off. Use this for shutdown/restart too.
You may need to set SRP from an XP machine or install the Server 2003 admin kit (free) because SRP didn't exist yet in the Win2k era; it's only supported locally on XP and later. The Win2k AD server can still enforce the policy but the standard interface doesn't list the option. It's not contradictory. SRP does a great job of locking a Windows system down completely.
Well, if I'm understanding what you're trying to do, you've got both software and operating system options, as well as a whole bunch of hardware solutions.
Of course, you can also enable a screensaver password, and have the screensaver running all the time, configure the BIOS not to allow booting from the floppy drive, and use password access to the BIOS to disallow unauthorized changes to it.
It sounds like your easiest (read: less time to deal with and less worry of hacking headaches) solution is just to toss the suckers into one of those cabinets listed above. Hell, you can build the cabinet yourself for under $100, if you're any good with power tools and have a spare afternoon.
Sitekiosk.com.
Worked well for me.
Do you need internet access with this app?
Do you need only internet access?
I am going to assume that this is a data entry terminal with a Windows (VB/Access) app.
Remove all drives, usb, and anything else except: mouse, keyboard, and video output.
Put a 1 gig HD in the machine, install Linux with the bare minimum, and use rdesktop to remote into a Win2003 machine with nothing enabled. Now you have just one machine to manage, and Win2k3 TS has more options than a Win2k box for lockdown.
More costly, yes. But they won't be surfing the net or installing bonzibuddy.
... and it's no fun for the network administrator. A big problem we (and by 'we' I mean a school where I used to do volunteer work) had with NT4 years ago was network messaging using 'net send' from the command line. No matter what we tried, locking down local hard disks, removing applications, whatever, the little fsckers still found ways to access it. The most innovative was using the File -> Open dialog of an MS Office dialog to get to c:\winnt\system32 (since thanks to Microsoft's code re-use, these dialogs are custom, not the system-wide standard ones), using the dialog to add cmd32 as an IE Favorite, launching IE and clicking on Favorites -> cmd32. Voila, the command line.
I hear Win2K and WinXP are improved, but to be honest I think trying to completely lock down a system that clearly isn't designed to be locked down is a lost cause.
Think about exactly what you're doing, and try not to catch Diebold syndrome*. If you want to provide a terminal for web browsing and e-mail, is a full Windows install necessary? Why not go for Mozilla on Linux, which will connect to your Windows-based TCP/IP network and provide the functions you want. Of course, your requirements might be a lot more complex, so this might not be an option.
If so, why not consider enforcement rather than prevention? Tell the users they can't do this, can't do that, and track them if necessary. If they break the rules, suspend them from the network. Placing software restrictions on people will often upset them, especially if they have a legitimate use for doing odd things (like installing a new media codec to watch a video they need for their work).
* Diebold syndrome: believing that a full multi-tasking memory-protected graphical operating system that consumes 300MHz of processor power and 500MB of disk space is the best basis for a dumb embedded system such as eVoting or an ATM
there's no ask-slashdot that google couldn't solve...
But 90% of the answer is in knowing how to ask exactly the right question.
The same is true of life.
That's kind of the point of "42" in Hitchhikers.. by Douglas Adams.
and quite honestly, if you don't know how to lock down XP machines in a native 2000 domain, you shouldn't have the job you have.
It is like asking a Windows admin to secure an Apache system. While Slashdotters often make fun of Windows admins, as you have found out, it's not as simple as you think it'd be.
I'd check out what these guys had to say about locking down xp.
Faronics - Deep Freeze
Used with great success on a 300+ seat university campus.
Take a look at the NSA security guides for Windows NT, 2000, XP, and 2003. Normal users on the machine will have no ability to modify the machine if the policy is applied (especially the policies that apply to the file system.)
I've used these policies for Windows 2000 lab machines, and have no known incidents with virii/trojans/stupid user tricks/etc...
If you have to use Windows for your app, and it isn't too picky over which version of Windows, try using Windows 98 (hear me out before flaming). In c:\windows\win.ini, change the shell=explorer.exe line to shell=c:\path\to\your\app.exe. Make sure the machine is set to autologin as a user if you need Samba access. I used a Win98 based touch screen POS system, and it is 90% impossible to escape from it once it's running. Alt-Tab is disabled, the Windows key does nothing. The only thing I didn't try is CTRL+ALT+DEL to escape out. The POS system is run off an NT 4 domain, so that might also be enforcing something. Seriously, if your standalone app runs under 95 or 98, you might want to give that a try. They both also have a system policy editor if shell replacement doesn't lock it down enough. Oh, if you ever need full Windows, just boot off a boot disk and edit the shell line back.
Back in the day, you could edit the win.ini or system.ini and change shell=explorer.exe to shell=myapp.exe. I don't know if this still works, though I know you can do it with a terminal services session, so I'm assuming some googling will help you out. Once windows loaded, it would run your app, and unless your app has the ability to launch other programs, nothing else. You can lock out task manager and whatnot with windows policies. Between those 2 things, you should be in pretty good shape. You might also think about deep-freeze. It locks out the disk such that a user can change anything, and I mean anything, and a reboot will bring it back to a default state.
Remove the power cord.
...railway spike hammered down through the case into the CPU and the surface of the desk beneath.
Being MS-Windows, you might need to use hardwood stake instead, in which case I recommend either Wandoo or what the PNG call "Ironwood" (which loosely corresponds with San Martin's Ferran from David Weber's Honorverse).
I'd recommend first off porting the apps in question to Linux (well, to not-MS-Windows) where that can be readily done because it's easy to make the program into the WM (if they exit, they get a new session running... the same program).
If the app is well behaved, you can do this using WINE and no port... [/ME pauses to wonder whether that pun was part of the original rationale for the acronym]... and using NX you can now give other users efficient platform-independent sessions on such a box at no extra charge.
Plus there's the instant-thin-client aspect to think about. Something screwy with the system? Doorbell time. No hard disks to worry about the structure of.
It might also save you some trouble if you're forced to stick with MS-Windows to put all of these apps on a Terminal Services box and lock it down once-for-all rather than locking down n workstations. This also gives you another opportunity to Linuxify (with rdesktopification) and/or thinclientise the workstations themselves (sorry, didn't get much sleep last night and am feeling a bit Dubya now).
So...let's eliminate the floppy drive as well - because it could be done that way. Heck, if you network boot a machine, you can still feed it whatever you want to. Allowing a vendor lockin wrt to one operating system in the hardware would be suicide for Intel, AMD, etc, and they know it.
Tell me - how does one do bios upgrades on the motherboard without a floppy or some other bootable access to the hardware? Do people seriously think that one can design and market general purpose PC hardware that only allows installation of Windows? That's just nuts. The server market would say "Fuck you".
But more ontopic, if one has to boot the machine to one form of storage or another, one can find a way to read/write/alter the info on any storage medium on the computer.
Sure, the hardware manufacturers can change that. Will they?
SB
I guess it depends upon what type of company you're working for, but, if it's not necessary, one should not go too crazy with locking down the actual machine. As long as all the important data is kept on a server, and the server is secure, who cares if they hose the local machine? Odds are, you can reimage it, and, hopefully, folks can get in trouble for doing such things.
At my company, we have kiosk-like machines for hourly employees to clock in at. For them, the restrictions really aren't that complex. We've pared down the start menu to where they can only get at printers, disabled the Windows key, don't let them get to the task manager, etc. They could still log out, but it will auto log back on unless they hit the shift key. Supervisors have the ability to log into their own account, but we have a screensaver that will log them out after 5 minutes of inactivity.
A determined hacker will still be able to get in, but they can't really do much to anything other than the actual computer, which has nothing important on it. And if they do it after a supervisor leaves with himself still logged in, we know which supervisor it was, and he'll be partly responsible.
NIST have recently released a good guide on securing XP boxes here
I haven't had the time to read it yet, but from the high quality of their other documents it is probably well worth printing and reading.
Boot the XP systems with 32MB RAM.
...is that it can be locked down.
You might stand a chance if you:
1, remove all network access;
2, lock it in a hardened shelter;
3, post a platoon of U.S. Marines.
Otherwise, why bother: People who want secure and robust don't use MS products and there is simply no way you can't know that -- you be a troll?
Unplug it.
This really isn't a guarantee, though. Windows is inherently impossible to prevent users from performing certain actions; but the above software will certainly help. I recommend Fortres if you want a standard Windows interface with restrictions, and WinU if you want to run only a single application. The Ontario Science Centre uses it (for their Internet Cafe), and it seems to work OK.
There are probably better solutions, but from what I know, I would wipe down that single user of every app (minus the one you want to use), make it so that the program is always on top (Vitrite can do that), set it to run on start-up, and disallow the user from installing anything.
Kensington Chain ;-)
Lars T.
Shut Down
Shut Down
Ok
Windows provide you with Group Policies.
These can be set on domain level (and applied to your OU's)
or you can set them per computer
Start -> Run -> gpedit.msc
Apply restrictions through policies and rights
Hide drives in My Computer
Hide My Network Places
Hide the Internet Explorer icon
Disable Add/Remove Programs
Disable changes to the taskbar
Remove Run from the Start menu
Disable and remove the Shutdown command from the Start menu
Disable the Control Panel
etc.
Windows XP has more group policy objects than Windows 2000.
Good luck!
There are several predefined security templates you could try. Some come with windows, others are created by third parties. They may be a helpful starting point for creating your own template, so long as you don't turn your pc into a brick, which is little more secure but not too useful.
And in addition the last hint at http://silverstr.ufies.org/blog/archives/000257.html about how to limit which programs are allowed.
I have not tried any of these myself, except the few I have had to "hack" (reset) on computers, where some admin didn't allow me to even use Notepad. To "hack" them, I had to use third party software, which the sloppy admin for some reason had installed. Perhaps it was just a silly test of my curiosity or integrity. In the former case I passed. In the latter I guess I failed, even though I actually didn't do any harm with Notepad.
This is not a troll.
Set up Fedora 2 on the box, then tweak it such that it automatically logs into a given user, and set that user's window manager to be the application that you want to run. Have it automatically restart if it closes (not terribly hard). Then you'd basically have a screenful of that application with no window decorations, you wouldn't be able to close it (save for CTRL+ALT+DELETE, which would ideally just restart X and put you back into that application if not disabled entirely).
I think that would be a pretty bullet-proof solution, if you don't mind getting your hands dirty.
I would say that phrase is the #1 reason i never, ever use microsoft windows.
...
if you have to download a program for every single little thing you do on your computer, the operating system is broken. don't bother trying to fix it, just switch.
honestly, that really struck home with me. you need a program for everything you want to do on your computer? oh, you must be using windows
Get blackbox (explorer replacement) and hack it down so the menu only shows your apps.
Does format C: still work?
I know "Ask Slashdot" is normally full of stupid posts, but this takes the biscuit.
USE GROUP POLICIES. if you don't know how, ask an admin who knows their job. This is bloody obvious, and just far too easy for linux zealots to start jumping up and down and adding nothing of use to the argument.
Any admin worth their salt knows how to do this, and does it already where appropriate.
I've been to a lot of places where the floppy and CD remain (they are standard boxes), but they have been disconnected internally.
This isn't hard to do at all, there are many options that come to mind, all that are built in and would do what you need.
Hit MSDN.microsoft.com or even do a few searches on Microsoft.com.
I'm not sure if you realize this, but getting a solid answer to a Windows solution on Slashdot is like asking Charlie Manson where the best nearby starbucks is... Not going to be an answer he will have, and if he gives you one, it won't be one you will want...
But if you're stuck with XP, I'd suggest a VERY minimal install of XP,
My thought, too. If the kiosk app had to be running Windows and not be able to run anything else, I'd probably look into Windows XP Embedded.
From what little I've heard, XP Embedded would even make a pretty good desktop OS because it doesn't have as much gratuitous intertangling with browsers and media players as plain XP.
Nice limited functionality; you add only components that you want. Technically a good way to go for the general desktop and not just kiosks and POS terminals, but the business and marketing people in Redmond have other objectives...
I've seen some good ideas running through this article and thought I'd contribute my $0.02. First up is the "Local Security Policy" part of Windows XP (start->control panel->administrative tools->local security policy). On XP there is a "software security policy." Configure it to have 2 lines. First line gives permissions to run anything in a specified directory (and subdirectories). This is for where your application is installed. Second line is deny permission to run anything from drive C: (and subdirectories). Put your application in the Startup folder, clear the desktop of all applications, and you are probably set.
If that doesn't work, here's the other solution I came up with. Essentially, put them on an isolated network. If your patch panel is mapped out (it SHOULD be) so you know which computer is on which port and can isolate them at this point onto a switch or hub. The upstream from that switch or hub goes to a cheap Linux or BSD based router (this is what uplinks to your primary network). Configure iptables/ipchains/ipfw/whatever to only allow incoming and outgoing traffic that the application needs. This will only be effective if it doesn't use common ports (like 80 or 25/110). Make sure to allow 53 for dns and 68 for dhcp if applicable.
That should harden the box pretty effectively.
Simon.
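As an added illustration (not code from the thread, from Microsoft, or from Simon), the following Python models how Software Restriction Policies decide whether a binary may run, covering both the hash allow-list approach described earlier in the thread and the two-line path rule Simon describes (allow the application directory, deny the rest of C:, default Disallowed). It uses the precedence Windows documents for SRP: a hash rule beats a path rule, and the most specific matching path rule beats a less specific one. Real SRP hashes with MD5/SHA-1; SHA-256 is used here for simplicity, and every path, rule and binary below is a constructed placeholder.

```python
"""Software Restriction Policy rule evaluation, modelled in Python.

Added example, not code from the thread or from Windows: it reproduces the
documented SRP precedence (hash rule over path rule, most specific path rule
over a less specific one, then the default level). Real SRP hashes with
MD5/SHA-1; SHA-256 is used here for simplicity. All paths and binaries are
constructed placeholders.
"""
import hashlib

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


def norm_path(path):
    """Normalise a Windows path for case-insensitive prefix matching."""
    return path.replace("\\", "/").lower().rstrip("/")


class SrpPolicy:
    def __init__(self, default_level=DISALLOWED):
        self.default_level = default_level   # applies when no rule matches
        self.hash_rules = {}                 # sha256 hex digest -> level
        self.path_rules = {}                 # normalised directory/file prefix -> level

    def add_hash_rule(self, file_bytes, level):
        self.hash_rules[hashlib.sha256(file_bytes).hexdigest()] = level

    def add_path_rule(self, path, level):
        self.path_rules[norm_path(path)] = level

    def evaluate(self, exe_path, exe_bytes):
        """Return the security level that applies to this file at this location."""
        # 1. Hash rules identify the file by content and win over every path rule.
        digest = hashlib.sha256(exe_bytes).hexdigest()
        if digest in self.hash_rules:
            return self.hash_rules[digest]
        # 2. Among matching path rules, the longest (most specific) prefix wins.
        target = norm_path(exe_path)
        best = None
        for prefix, level in self.path_rules.items():
            if target == prefix or target.startswith(prefix + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, level)
        if best is not None:
            return best[1]
        # 3. Nothing matched: the default security level decides.
        return self.default_level


# Constructed stand-ins for file contents; only their hashes matter here.
KIOSK_EXE = b"constructed bytes standing in for the approved kiosk binary"
ROGUE_EXE = b"constructed bytes standing in for a binary that must never run"


def build_srp_policy():
    """The two path rules from the thread plus a hash rule for each known binary."""
    policy = SrpPolicy(default_level=DISALLOWED)
    policy.add_path_rule("C:\\Program Files\\KioskApp", UNRESTRICTED)  # the app's own directory
    policy.add_path_rule("C:\\", DISALLOWED)                           # everything else on C:
    policy.add_hash_rule(KIOSK_EXE, UNRESTRICTED)
    policy.add_hash_rule(ROGUE_EXE, DISALLOWED)
    return policy


def run_checks(policy=None):
    """Evaluate a set of constructed launch attempts and return the decisions."""
    policy = policy or build_srp_policy()
    return {
        "kiosk_in_place": policy.evaluate("C:\\Program Files\\KioskApp\\kiosk.exe", KIOSK_EXE),
        "cmd_exe": policy.evaluate("C:\\Windows\\System32\\cmd.exe", b"constructed cmd.exe stand-in"),
        "rogue_in_allowed_dir": policy.evaluate("C:\\Program Files\\KioskApp\\rogue.exe", ROGUE_EXE),
        "kiosk_copied_elsewhere": policy.evaluate("E:\\kiosk.exe", KIOSK_EXE),
        "unknown_elsewhere": policy.evaluate("E:\\tool.exe", b"constructed unknown tool"),
        "unknown_in_allowed_dir": policy.evaluate("C:\\Program Files\\KioskApp\\plugin.exe", b"constructed plugin"),
    }


if __name__ == "__main__":
    for name, level in run_checks().items():
        print(f"{name:24} -> {level}")
```

The last two checks show the trade-off behind the two approaches in the thread: a hash rule follows the approved binary wherever it is copied, while a path rule allows whatever is placed in the directory, so the allowed directory must not be writable by the kiosk user.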
I've seen some boxes where the floppy drive has a physical lock inserted into it preventing its use.
The interesting thing is that in former times, many CD-players could still do audio when they have power but no data cable. You just hooked up headphones and the builtin volume control could be used. Regrettably, newer drives don't have this possibility.
Windows XP embedded.
Woah, slashdotters continue to amaze me, sometimes perfect advice, sometimes they go 'sailing off on a tangent' This guy wants to do what 1000's of schools have to do to preserve their sanity. www.fortres.com is a product that just about every school tech coordinator has heard of and/or used for years! - it will let you make a 'kiosk' machine that users only have IE and not much else, it'll prevent users from changing desktops, deleting printers, no network settings changes....etc...etc... www.fortres.com for fortress software, www.censornet.com for a free Internet filter www.slashdot.org for usually good advice with google for information and fark for a good laugh - those are about the only web sites I really need during the week - maybe hp's web site for printer drivers...
The college I work at uses Deep Freeze, which along with your other precautions will make it so that any change made to the computer (even a complete reformat) will be erased and the computer will revert back to its original form.
1. Insert Caldera Linux CD
2. Reboot
Keyboard hook to trap 'switching' and ctrl-escape (amongst other key combinations), mouse hook to prevent double clicks on icons or the desktop, calling disable on the toolbar window and the start button which is on the toolbar window. Setting a couple of registry keys which will disable ctrl-alt-delete because irregardless of what you read somewhere else you CANNOT trap ctrl-alt-delete. You can detect it, but you can't trap it.
I tried to post the class in the comment for you but Slashdot prevented the submission because it had to many special (code) characters in it. Hmmm?
Seriously, what's to prevent Joe Slashdot reader from rebooting with a Knoppix CD?
Put the computer in a box, then lock it.
There is no way to 'lock down' a system that has been engineered in secret to contain untold numbers of back doors and latent viruses whose triggers and keys are held by large corporate interests and governments around the world who have paid Microsoft for them. If you are an XP user, you are a dupe and a pawn. Your data is bread on the window, accessible to untold numbers of crooks and government snoops of most any government worldwide. Conceivably one could use this system and complain about a foreign government to a friend in an e-mail and get extradited from the United States to be hauled into a foreign court, say China, and be charged with 'anti-Chinese' activities and spend the rest of your days stamping sports figures' names in American branded sneakers.
The only way data would be safe on an XP system is for it never to see the internet. But then every document created on such a system would have codes in it identifying the system it was from. As soon as these products got into a system that had internet access they would act as viruses on that system and call Redmond, Washington.
No, the only way to make sure of no danger to your privacy or data is to not use XP. Any hard drive or system that was ever exposed to XP should be disposed of using an oxyhydrogen torch... totally reduced to vapor! Parts of XP can and will insinuate itself into CMOS RAM of system motherboards and video cards and audio cards, anywhere there is any way to durably store RAM. It will also leave crap in photo data disks that are loaded into systems that use XP. Any network contaminated with XP will have to be literally forklifted into a fire with a temperature above 5000 degrees until all is liquified and then held there for an hour. Even some monitors are not safe, especially the self-configuring 'green' ones. They have memory as well. Network routers and DSL modems have memory too and these can be contaminated as well.
there is a program called deepfreeze, you install it onto a drive and from that point on any changes made to the drive will be lost on reset. give the user full admin rights, it will be fine, you can just restart and all is well again. "Incorporating patent-pending, proven technology, Deep Freeze is the benchmark for bulletproof workstation protection. Deep Freeze is simple, easy to use and installs in seconds as configuration only requires a password. All computers are completely restored to their original software configuration by simply restarting the computer. Deep Freeze instantly protects and preserves original workstation configurations. Deep Freeze is 100% successful at restoring the computer on every restart down to the last bit or byte. Deep Freeze completely eliminates software support issues." I've used it, I like it.
If you are stuck with Windows, use windows terminal server with diskless/driveless thin terminals. I haven't done this myself, but it has annoyed the hell out of me when I am in an airline lounge and need a SSH shell for an emergency, only to find out their "Internet" stations only allow you to run IE.
Windows: so hard to lock down, so easy to lock up. ^_^
Format c:
Check out this reg file (don't import it when logged on as administrator :))
http://incunabula.be/data/misc/Windows2000KioskMode.reg
But I haven't experienced the same problem you have with a lack of tools for Windows. I think you're falling into the popular trap of bashing Windows for no reason.
Heck, if nothing else, you can get a port of nearly every unix utility for Windows.
install linux
One box, one app, no user tampering. Well, that's possible. Difficult, but possible.
The first stage is physical security. If possible, you want to remove floppy and CD drives. If not, at least lock the system up. You could also contact an electronics geek to wire a keyswitch into their power connectors. Don't forget USB. At best a USB drive gets files on and off, at worst the BIOS may be able to boot from it. If you have USB ports, disable them in the BIOS. While you're there, disable serial and parallel. Can't think what could be done with those, but better safe than sorry. If you have a USB keyboard or mouse, you will have to actually lock the system up completely.
BIOS is, obviously, passworded.
If you're networked, you will need to ensure the network leads are not removable from the computer. That probably means a locked box with a cable hole again. You wouldn't want someone unplugging your network cables and jacking in with their own laptop. For the same reason, if you have any spare network sockets, disconnect them at the hub. If you're really paranoid, you can put armored conduits in. But unless your one-app computers are bank teller terminals, there's no need.
An elaborate software package can help, but you can work wonders with the keyboard and a penknife. Open up and carefully cut the membrane to disconnect any potentially malicious keys: Winkey, ctrl, alt, escape, the F-keys, unless required by the app. The repair staff will hate you for it, but it works. If the app is mouse-only, no keyboard is required.
Now, you wouldn't want a power cycle to leave the system exposed. So either boot-password the bios or set your (unquittable) app to run on startup. And disable the windows f8 boot hotkey of course.
Network security is obviously a good idea. But rather than a complex array of patches to update, you could try a software firewall set to block everything the app doesn't need. And, if you really want to annoy potential hackers, don't set the DNS servers. If the system's compromised they will spend hours trying to get their tools downloaded. Just enter IP addresses where needed.
The app should be full-screen and unexitable without a Windows hotkey, which you have already disabled. If that's not possible, you must use some form of software security. Too bad, software is unpredictable in its complexity compared with the understandable cutting of cables.
Heavy chains, welded to the case, attached to eyebolts sunk in concrete. The chains need to be strong enough to resist commercially available bolt-cutters, and the eyebolts need to be completely immersed. Check with your building management to be sure you can core-drill the floors for setting the bolts; otherwise you will have to get a very heavy concrete block (big enough to double as a computer desk).
Furthermore, you'll need to replace the case fasteners with snap-off security bolts to prevent thieves from simply removing the innards from your locked-down case and reconstructing them in a plywood box, as was so common with the chained-down computer terminals at the University of Delaware in the 70s.
If that's not enough for you, you could consider this.
Hope this helped!
If I understood right, you want there to be one program running and the user not being able to do anything else on the machine. So how about: log in on a user with a password, open the program you need running and go to Switch User. Now nobody will be able to do anything without knowing the password to that user.
Password on CMOS and boot order set to IDE-0,FLOPPY,CDROM?
ND