Slashdot Mirror


How Would You Lock Down a Windows XP Machine?

Kronos666 asks: "I've been working with a network of about 50 computers, and a few of them have to be locked down. What I mean is that there is an application running, and the users must not be able to do anything else on it. The computers (Windows XP), are in a Windows 2000 domain and I've tried everything that comes to mind with the group policies. Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down? Maybe someone has had previous experience with something like this?"

14 of 119 comments

  1. surely there's programs for this? by gl4ss · · Score: 4, Informative

    for turning them into 'kiosk' style machines, with the ability to only run 1 program. removing explorer & etc.

    it's not foolproof but it's a start, and make them copy themselves from the network every time they're started.

    http://www.google.com/search?q=windows+xp+kiosk&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8 , and remember, there's no ask-slashdot that google couldn't solve...

    --
    world was created 5 seconds before this post as it is.
    1. Re:surely there's programs for this? by bhtooefr · · Score: 3, Informative

      Couldn't you simply set the shell to your application for the applicable users? It's the Windows equivalent of setting the WM to your app on Linux, which was already suggested. I know it can be done on a per-user basis - you might want to ask the people at Blackbox for Windows how they got that done.

  2. Remove all drives by Marxist+Hacker+42 · · Score: 4, Informative

    And boot off the network. In addition, the truly best way is to avoid the problem to begin with- by coding your kiosk software as its own operating system, booting off of network or ROM chip, and having the data held elsewhere.

    But if you're stuck with XP, I'd suggest a VERY minimal install of XP, with your program loaded in the registry full screen, and Windows.Form.KeyPreview on, Windows.Form.KeyDown testing for and disabling all standard keys (like alt-tab and ctrl-alt-del). For extra fun, link those keys to nasty messages from "The Master Programmer". And remove the floppy & CD-ROM drives completely from the machine. If the kiosk can get by with just mouse or touchscreen access, remove the keyboard as well, or at least a blob of superglue under the Windows and Right Menu keys.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:Remove all drives by Foolhardy · · Score: 2, Informative
      But if you're stuck with XP, I'd suggest a VERY minimal install of XP, with your program loaded in the registry full screen, and Windows.Form.KeyPreview on, Windows.Form.KeyDown testing for and disabling all standard keys (like alt-tab and ctrl-alt-del).

      Windows.Form.KeyPreview? From .NET? First, .NET is a bit heavyweight for that; a keyboard journal hook in win32 is much better. Second, it's excessive: what's so bad about alt-tab? Third, it will be ineffective: ctrl-alt-delete is a security attention sequence; Windows goes to extra lengths to make sure it cannot ever be disabled, short of installing a new keyboard driver.

      Think Software Restriction Policies.

      Overall, those are good ideas.
  3. activedir.org by scupper · · Score: 2, Informative

    Share your group policies with a few other minds on the mailing list at http://www.activedir.org

  4. Replace the shell by Foolhardy · · Score: 4, Informative
    First, create a user group for the locked-down users. Give it the least privileges possible. You can have everyone log on with the same user; use autologon for simplicity. Use the account property that prevents the user from changing the password.
    Then replace the shell for that group with the app you want to run. That property is User->Admin. Templates->Custom User Interface.
    In ctrl-alt-delete settings remove task manager if you want.
    Turn off autoplay.
    For a really locked down mode, use Software Restriction Policies. Create a whitelist of runnable apps by hash; if the program isn't on the list for users affected by the group policy, they cannot start the program. You can still admin the systems by logging on as a real user; just use ctrl-alt-delete to log off. Use this for shutdown/restart too.
    You may need to set SRP from an XP machine or install the server 2003 admin kit (free) because SRP didn't exist yet in the win2k era; it's only supported locally on XP and later. The win2k AD server can still enforce the policy but the standard interface doesn't list the option.
    Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down?

    It's not contradictory. SRP does a great job of locking a Windows system down completely.
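    The hash-based allowlist Foolhardy describes is worth seeing as logic rather than as a dialog box. The following Python script is an added illustration, not code from the thread or from Windows: it builds a default-deny allowlist from approved binaries and then evaluates renamed, tampered and unknown copies against it. SHA-256 is an assumption for the digest (XP's SRP stored MD5/SHA-1 hashes in its own registry format, which this script does not produce); the "binaries" are constructed byte strings written to a temporary directory.

```python
"""SRP-style hash allowlist: default deny, allow only exact content matches."""
import hashlib
import os
import tempfile

# Constructed stand-ins for the kiosk application and a dependency.
KIOSK_APP = b"MZ kiosk application v1.0"
HELPER_DLL = b"MZ helper library"


def file_hash(path):
    """Return the SHA-256 hex digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Map content hash -> friendly name for every approved binary."""
    return {file_hash(p): os.path.basename(p) for p in paths}


def is_allowed(path, allowlist):
    """Default-deny decision: a file may run only if its hash is enrolled."""
    return file_hash(path) in allowlist


def demo():
    """Exercise the allowlist against renamed, tampered and unknown files."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "kiosk.exe")
        dll = os.path.join(d, "helper.dll")
        with open(app, "wb") as f:
            f.write(KIOSK_APP)
        with open(dll, "wb") as f:
            f.write(HELPER_DLL)
        allow = build_allowlist([app, dll])
        verdicts["rule_count"] = len(allow)

        # Same bytes under another name: still allowed. A hash rule binds to
        # content, not to the path, so renaming gains a user nothing.
        renamed = os.path.join(d, "anything.exe")
        os.rename(app, renamed)
        verdicts["renamed"] = is_allowed(renamed, allow)

        # A single changed byte (a patched or updated copy): denied. This is
        # also why every legitimate update of the app needs a new hash rule.
        tampered = os.path.join(d, "kiosk.exe")
        with open(tampered, "wb") as f:
            f.write(KIOSK_APP.replace(b"v1.0", b"v1.1"))
        verdicts["tampered"] = is_allowed(tampered, allow)

        # A binary that was never enrolled: denied by default.
        unknown = os.path.join(d, "other.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ something else")
        verdicts["unknown"] = is_allowed(unknown, allow)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

    The operational cost shows in the "tampered" case: because the rule is bound to content, the allowlist must be regenerated and redeployed with every update of the kiosk application, which is the main reason hash rules are usually reserved for a small, stable set of executables.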
  5. Plenty of options... by ezraekman · · Score: 4, Informative

    Well, if I'm understanding what you're trying to do, you've got both software and operating system options, as well as a whole bunch of hardware solutions.

    Of course, you can also enable a screensaver password, and have the screensaver running all the time, configure the BIOS not to allow booting from the floppy drive, and use password access to the BIOS to disallow unauthorized changes to it.

    It sounds like your easiest (read: less time to deal with and less worry of hacking headaches) solutions is just to toss the suckers into one of those cabinets listed above. Hell, you can build the cabinet yourself for under $100, if you're any good with power tools and have a spare afternoon.

  6. Go to by DaveJay · · Score: 3, Informative

    Sitekiosk.com.

    Worked well for me.

  7. Some good reading... by (H)elix1 · · Score: 4, Informative

    I'd check out what these guys had to say about locking down xp.

  8. Try the NSA Security guides by hardreset · · Score: 4, Informative

    Take a look at the NSA security guides for Windows NT, 2000, XP, and 2003. Normal users on the machine will have no ability to modify the machine if the policy is applied (especially the policies that apply to the file system.)
    I've used these policies for Windows 2000 lab machines, and have no known incidents with virii/trojans/stupid user tricks/etc...

  9. change shell by Jjeff1 · · Score: 3, Informative

    Back in the day, you could edit the win.ini or system.ini and change shell=explorer.exe to shell=myapp.exe. I don't know if this still works, though I know you can do it with a terminal services session, so I'm assuming some googling will help you out. Once windows loaded, it would run your app, and unless your app has the ability to launch other programs, nothing else. You can lock out task manager and whatnot with windows policies. Between those 2 things, you should be in pretty good shape. You might also think about deep-freeze. It locks out the disk such that a user can change anything, and I mean anything, and a reboot will bring it back to a default state.

    1. Re:change shell by Anonymous Coward · · Score: 2, Informative

      All the config data has been moved to the registry. The shell is now in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell. It defaults to explorer if the value doesn't exist. It's also available as a user policy.

      BTW: Deepfreeze is a great program.
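      Because the shell replacement and the other lockdown settings in this thread all end up as registry policy values, a quick way to check a kiosk build before deployment is to export the policy keys with regedit and audit the .reg file. The script below is an added example, not from the thread or from Microsoft: it parses a constructed .reg export (a real export is UTF-16 with a BOM and must be decoded first) and checks four values. The Shell path is the one given above; DisableTaskMgr, NoDriveTypeAutoRun and the SRP DefaultLevel are assumed from XP's policy documentation, where 0xFF disables AutoPlay for every drive type and a DefaultLevel of 0 means Disallowed.

```python
"""Audit a .reg export for the kiosk lockdown values discussed in the thread."""
import re

# Constructed sample export: shell and Task Manager are locked down, but
# AutoPlay is at the XP default and SRP is still Unrestricted (0x40000).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Shell"="C:\\Kiosk\\kiosk.exe"
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg text.

    REG_SZ ("...") becomes str and REG_DWORD (dword:hex) becomes int; any
    other type is kept as its raw data string so its presence is still seen.
    """
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        tree[current][name] = value
    return tree


HKCU_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
HKCU_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKLM_SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# (key, value name, predicate the value must satisfy, finding text on failure)
CHECKS = [
    (HKCU_SYSTEM, "Shell",
     lambda v: isinstance(v, str) and v.lower().endswith(".exe")
     and "explorer.exe" not in v.lower(),
     "custom shell not set; Explorer will load"),
    (HKCU_SYSTEM, "DisableTaskMgr", lambda v: v == 1,
     "Task Manager still reachable from Ctrl-Alt-Del"),
    (HKCU_EXPLORER, "NoDriveTypeAutoRun", lambda v: v == 0xFF,
     "AutoPlay not disabled for all drive types"),
    (HKLM_SAFER, "DefaultLevel", lambda v: v == 0,
     "SRP default level is not Disallowed, so the allowlist is not enforced"),
]


def audit(tree):
    """Return one finding string per lockdown check that is missing or fails."""
    findings = []
    for key, name, ok, msg in CHECKS:
        value = tree.get(key, {}).get(name)
        if value is None or not ok(value):
            findings.append(f"{name}: {msg}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING", finding)
```

      A missing value counts as a failure on purpose: the shell value falling back to Explorer when absent is exactly the case the audit has to catch.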

  10. NIST Guide by Introspective · · Score: 2, Informative

    NIST have recently released a good guide on securing XP boxes here

    I haven't had the time to read it yet, but from the high quality of their other documents it is probably well worth printing and reading.

  11. Re:Thin client by Anonymous Coward · · Score: 1, Informative

    Be careful...
    "You don't have to pay for each client, since they're running Linux, which makes a decent thin client OS."

    This is true for the Linux piece of the solution, but Microsoft's TS licensing is more invasive than you think. To run a TS session, the licensing states that you must have a Windows OS license (regardless of what the client platform really is!), plus a Windows Server CAL, plus a TS CAL, then licensing for each app you are accessing via terminal services.