Slashdot Mirror


How Would You Lock Down a Windows XP Machine?

Kronos666 asks: "I've been working with a network of about 50 computers, and a few of them have to be locked down. What I mean is that there is an application running, and the users must not be able to do anything else on it. The computers (Windows XP), are in a Windows 2000 domain and I've tried everything that comes to mind with the group policies. Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down? Maybe someone has had previous experience with something like this?"

33 of 119 comments

  1. Have you tried.... by HotNeedleOfInquiry · · Score: 4, Funny

    A blob of epoxy in the keyboard jack?

    --
    "Eve of Destruction", it's not just for old hippies anymore...
  2. surely there's programs for this? by gl4ss · · Score: 4, Informative

    for turning them into 'kiosk' style machines, with the ability to only run 1 program. removing explorer & etc.

    it's not foolproof but it's a start, and make them copy themselves from the network every time they're started.

    http://www.google.com/search?q=windows+xp+kiosk&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8 , and remember, there's no ask-slashdot that google couldn't solve...

    --
    world was created 5 seconds before this post as it is.
    1. Re:surely there's programs for this? by bhtooefr · · Score: 3, Informative

      Couldn't you simply set the shell to your application for the applicable users? It's the Windows equivalent of setting the WM to your app on Linux, which was already suggested. I know it can be done on a per-user basis - you might want to ask the people at Blackbox for Windows how they got that done.

  3. Remove all drives by Marxist+Hacker+42 · · Score: 4, Informative

    And boot off the network. In addition, the truly best way is to avoid the problem to begin with- by coding your kiosk software as its own operating system, booting off of network or ROM chip, and having the data held elsewhere.

    But if you're stuck with XP, I'd suggest a VERY minimal install of XP, with your program loaded in the registry full screen, and Windows.Form.KeyPreview on, Windows.Form.KeyDown testing for and disabling all standard keys (like alt-tab and ctrl-alt-del). For extra fun, link those keys to nasty messages from "The Master Programmer". And remove the floppy & CD-ROM drives completely from the machine. If the kiosk can get by with just mouse or touchscreen access, remove the keyboard as well, or at least a blob of superglue under the Windows and Right Menu keys.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:Remove all drives by Foolhardy · · Score: 2, Informative

      But if you're stuck with XP, I'd suggest a VERY minimal install of XP, with your program loaded in the registry full screen, and Windows.Form.KeyPreview on, Windows.Form.KeyDown testing for and disabling all standard keys (like alt-tab and ctrl-alt-del).

      Windows.Form.KeyPreview? From .NET? First, .NET is a bit heavyweight for that; a keyboard journal hook in win32 is much better. Second, it's excessive: what's so bad about alt-tab? Third, it will be ineffective: ctrl-alt-delete is a security attention sequence; Windows goes to extra lengths to make sure it cannot ever be disabled, short of installing a new keyboard driver.

      Think Software Restriction Policies.

      Overall, those are good ideas.
  4. Another solution by foidulus · · Score: 3, Funny

    rather than a technical solution, just strike fear into the heart of the user. Put an empty camera shell above the computer tied to a fake, but realistic looking revolver.
    Tell them the camera can detect them messing with the system, and if caught, the camera/gun combo will grow legs and make them wish they hadn't installed the random screensaver exe sent to them in the mail.
    Or maybe you would get sued, I dunno, I'm not a lawyer.

  5. activedir.org by scupper · · Score: 2, Informative

    Share your group policies with a few other minds on the mailing list at http://www.activedir.org

  6. Re:Physical security by DiscoOnTheSide · · Score: 2, Insightful

    Lack of a CD drive? :)

    --
    Viva La Revolucion! Buy a Mac!
  7. Smash it with an axe. by trouser · · Score: 2, Funny

    Disconnect it from the network, remove all drives, smash it with an axe and then, for good measure, install GNU/Linux.

    My apologies if this seems unhelpful. It's very early and I haven't had my coffee yet.

    --
    Now wash your hands.
    1. Re:Smash it with an axe. by chris_mahan · · Score: 3, Funny

      Either you are not good with the ol' axe, or you're the guru of gurus if you can get linux installed post axeing.

      --

      "Piter, too, is dead."

  8. Thin client by 0x0d0a · · Score: 4, Interesting

    It's a pain, because it's so much harder to build Windows-from-scratch barebones systems than their Linux equivalents. I've seen a lot of Windows kiosks, and they're almost always loaded with scads of things they don't need because it's so hard to really pare down a Windows box.

    I'm going to be blunt and say that the best way to do this is with Linux, because it's much easier to pare down.

    Set up a bunch of thin clients with netbooting enabled. That means no CD drive, floppy drive, hard drive. Lock the BIOS. Buy cases that are physically securable.

    Have one or several Windows Terminal Server boxes set up.

    Set up your netboot server to serve a Linux distro something like Red Hat (or an even more bare-bones system), installing a minimal set of packages necessary. You'll want to install rdesktop so that your clients can act as Terminal Server clients, but no terminals or anything. In /etc/inittab, remove all VTs. In /etc/X11/XF86Config, kill the "special" xorg key combinations (like control-alt-backspace). Don't have xterm or any such terminals installed. Use an xsession set up to start rdesktop, and a window manager of your choice that can slap something up fullscreen and disable all other functionality -- almost all can do this, but you'll probably want something more barebones than the sawfish that I use. Have rdesktop running fullscreen. Set up X to respawn logged in to whatever user you have using the program.

    The user should have no write access to anything on the Linux distro (if you want to include a small swap drive, you might want to have a local hard drive, but only root should be able to write to the thing).

    The user should have no write access to anything on the Windows TS system (unless as required by your application). Hence, the users can't install anything. It's easy to administer. You don't have to pay for each client, since they're running Linux, which makes a decent thin client OS.

    Now, you can do whatever you want in a trusted manner on the TS system(s), since the users don't have the ability to reboot or muck with it, since they have no local access (and rebooting or mucking with their thin client does nothing that gives them any influence over what applications are running on the server). Kill all processes that you don't recognize automatically or whatnot.

    1. Re:Thin client by bhtooefr · · Score: 2

      Why does the app need Windows XP? If it's the ONLY thing running, 95 or 98 could do the job. Brooks Software (the people behind 98lite) got 98 down to 8MB, and OSFocus got 95 down to 5MB, and both of those have 95's explorer.exe. Trim that fat off, and put only the necessary drivers back in, and you can get your app running alone.

  9. Replace the shell by Foolhardy · · Score: 4, Informative

    First, create a user group for the locked-down users. Give it the least privileges possible. You can have everyone log on with the same user; use autologon for simplicity. Use the account property that prevents the user from changing the password.

    Then replace the shell for that group with the app you want to run. That property is User->Admin. Templates->Custom User Interface.

    In ctrl-alt-delete settings remove task manager if you want.

    Turn off autoplay.

    For a really locked down mode, use Software Restriction Policies. Create a whitelist of runnable apps by hash; if the program isn't on the list for users affected by the group policy, they cannot start the program. You can still admin the systems by logging on as a real user; just use ctrl-alt-delete to log off. Use this for shutdown/restart too.

    You may need to set SRP from an XP machine or install the server 2003 admin kit (free) because SRP didn't exist yet in the win2k era; it's only supported locally on XP and later. The win2k AD server can still enforce the policy but the standard interface doesn't list the option.

    Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down?

    It's not contradictory. SRP does a great job of locking a Windows system down completely.
    1. Re:Replace the shell by shyster · · Score: 2

      Everything you said is spot-on...except for logging on with the same user. That makes tracking and auditing more difficult. I suggest creating different users for each machine, and just adding them to a security group and/or OU for management. You can also restrict logon hours and/or machines to log on to if need be.

      One thing I've had trouble with custom shells is that they don't restart if exited normally. I wrote a WSH script to handle that - it simply checks the process list and starts the shell if it's not there. I set the custom shell to the VBS script and pass it the process to start.

      If an internet kiosk is what you need, Public Web Browser is a decent and cheap option. IE in kiosk mode with a proxy, disabled Internet options (through Group Policy), and other workstation restrictions is also doable and free, but not as easy to secure.

      Just a suggestion to the OP, you want to lock down the user, not the machine. Perhaps that's why you're not finding the GPO settings you need?
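A custom-shell watchdog in the spirit of the WSH script described in the comment above, written as an added example and not shyster's own script: it is registered as the user's shell (the Custom User Interface policy mentioned earlier in the thread) with the kiosk application's path as its argument, polls the process list through WMI, and relaunches the application whenever it is no longer running. The C:\kiosk\ paths and the poll interval are assumptions.

```vbscript
' shell.vbs - restart the kiosk application whenever it exits.
' Assumed shell policy value (hypothetical paths):
'   wscript.exe //B "C:\kiosk\shell.vbs" "C:\kiosk\app.exe"
' //B (batch mode) suppresses script prompts so nothing but the app is shown.
Option Explicit

Const POLL_MS = 3000   ' assumed poll interval; short enough that the desktop is never left empty

Dim wsh, fso, wmi, args, appPath, appName
Set wsh = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
Set args = WScript.Arguments

If args.Count < 1 Then
    WScript.Echo "usage: shell.vbs <full path to kiosk application>"
    WScript.Quit 1
End If

appPath = args(0)
' Win32_Process.Name holds only the image file name (e.g. app.exe), not the path.
appName = fso.GetFileName(appPath)

' True when at least one process with the kiosk app's image name exists.
Function AppIsRunning()
    Dim procs, p
    AppIsRunning = False
    ' Escape a single quote in the name so it cannot break the WQL string literal.
    Set procs = wmi.ExecQuery("SELECT ProcessId FROM Win32_Process WHERE Name = '" & _
                              Replace(appName, "'", "\'") & "'")
    For Each p In procs
        AppIsRunning = True
        Exit For
    Next
End Function

' Shell loop: never exits, so the user is never dropped to an empty desktop.
Do
    If Not AppIsRunning() Then
        ' 1 = show window normally; False = return immediately so polling continues.
        wsh.Run Chr(34) & appPath & Chr(34), 1, False
    End If
    WScript.Sleep POLL_MS
Loop
```

Because the watchdog runs as the user's shell, the user still cannot reach Explorer or a command prompt through it; combine it with the SRP hash whitelist from the parent comment so the script host itself is only allowed to run this one file.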

  10. Plenty of options... by ezraekman · · Score: 4, Informative

    Well, if I'm understanding what you're trying to do, you've got both software and operating system options, as well as a whole bunch of hardware solutions.

    Of course, you can also enable a screensaver password, and have the screensaver running all the time, configure the BIOS not to allow booting from the floppy drive, and use password access to the BIOS to disallow unauthorized changes to it.

    It sounds like your easiest (read: less time to deal with and less worry of hacking headaches) solutions is just to toss the suckers into one of those cabinets listed above. Hell, you can build the cabinet yourself for under $100, if you're any good with power tools and have a spare afternoon.

  11. Go to by DaveJay · · Score: 3, Informative

    Sitekiosk.com.

    Worked well for me.

  12. Do you need internet access? by chris_mahan · · Score: 2

    Do you need internet access with this app?

    Do you need only internet access?

    I am going to assume that this is a data entry terminal with a windows (VB/Access) app.

    Remove all drives, usb, and anything else except: mouse, keyboard, and video output.

    Put a 1 gig HD in the machine, install Linux with bare minimum, and use rdesktop to remote into a Win2003 machine with nothing enabled. Now you have just one machine to manage, and Win2k3 TS has more options than a Win2k box for lockdown.

    More costly, yes. But they won't be surfing the net or installing bonzibuddy.

    --

    "Piter, too, is dead."

  13. I used to play this game... by Ianoo · · Score: 4, Insightful

    ... and it's no fun for the network administrator. A big problem we (and by 'we' I mean a school where I used to do volunteer work) had with NT4 years ago was network messaging using 'net send' from the command line. No matter what we tried, locking down local hard disks, removing applications, whatever, the little fsckers still found ways to access it. The most innovative was using the File -> Open dialog of an MS Office dialog to get to c:\winnt\system32 (since thanks to Microsoft's code re-use, these dialogs are custom, not the system-wide standard ones), using the dialog to add cmd32 as an IE Favorite, launching IE and clicking on Favorites -> cmd32. Voila, the command line.

    I hear Win2K and WinXP are improved, but to be honest I think trying to completely lock down a system that clearly isn't designed to be locked down is a lost cause.

    Think about exactly what you're doing, and try not to catch Diebold syndrome*. If you want to provide a terminal for web browsing and e-mail, is a full Windows install necessary? Why not go for Mozilla on Linux, which will connect to your Windows-based TCP/IP network and provide the functions you want. Of course, your requirements might be a lot more complex, so this might not be an option.

    If so, why not consider enforcement rather than prevention? Tell the users they can't do this, can't do that, and track them if necessary. If they break the rules, suspend them from the network. Placing software restrictions on people will often upset them, especially if they have a legitimate use for doing odd things (like installing a new media codec to watch a video they need for their work).

    * Diebold syndrome: believing that a full multi-tasking memory-protected graphical operating system that consumes 300MHz of processor power and 500MB of disk space is the best basis for a dumb embedded system such as eVoting or an ATM

  14. With Google, as with life... by CaptainCheese · · Score: 5, Insightful

    there's no ask-slashdot that google couldn't solve...

    But 90% of the answer is in knowing how to ask exactly the right question.

    The same is true of life.

    That's kind of the point of "42" in Hitchhikers.. by Douglas Adams.

    --
    -- .sigs are a waste of data...turn them off...
  15. Some good reading... by (H)elix1 · · Score: 4, Informative

    I'd check out what these guys had to say about locking down xp.

    1. Re:Some good reading... by jea6 · · Score: 2, Funny

      In order to download the PDFs using IE, I'd need to add them to my list of Trusted Sites. What to do, what to do...

      --

      sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
  16. Try the NSA Security guides by hardreset · · Score: 4, Informative

    Take a look at the NSA security guides for Windows NT, 2000, XP, and 2003. Normal users on the machine will have no ability to modify the machine if the policy is applied (especially the policies that apply to the file system.)
    I've used these policies for Windows 2000 lab machines, and have no known incidents with virii/trojans/stupid user tricks/etc...

  17. change shell by Jjeff1 · · Score: 3, Informative

    Back in the day, you could edit the win.ini or system.ini and change shell=explorer.exe to shell=myapp.exe. I don't know if this still works, though I know you can do it with a terminal services session, so I'm assuming some googling will help you out. Once windows loaded, it would run your app, and unless your app has the ability to launch other programs, nothing else. You can lock out task manager and whatnot with windows policies. Between those 2 things, you should be in pretty good shape. You might also think about deep-freeze. It locks out the disk such that a user can change anything, and I mean anything, and a reboot will bring it back to a default state.

    1. Re:change shell by Anonymous Coward · · Score: 2, Informative

      All the config data has been moved to the registry. The shell is now in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell. It defaults to explorer if the value doesn't exist. It's also available as a user policy.

      BTW: Deepfreeze is a great program.

  18. Re:Yes there is a way by Clover_Kicker · · Score: 2, Funny

    While Slashdotters often make fun of Windows admins, as you have found out, it's not as simple as you think it'd be.

    No, and I've got the grey hairs to prove it.

    Tip for the day:

    A masochistic Windows admin bragging about how difficult it is to secure a Windows box is no more appealing or interesting than a hard core *nix guy bragging about how he does everything with /bin/ed over a 300 baud serial connection.
  19. I prefer the well-tested... by leonbrooks · · Score: 2, Insightful

    ...railway spike hammered down through the case into the CPU and the surface of the desk beneath.

    Being MS-Windows, you might need to use a hardwood stake instead, in which case I recommend either Wandoo or what the PNG call "Ironwood" (which loosely corresponds with San Martin's Ferran from David Weber's Honorverse).

    I'd recommend first off porting the apps in question to Linux (well, to not-MS-Windows) where that can be readily done because it's easy to make the program into the WM (if they exit, they get a new session running... the same program).

    If the app is well behaved, you can do this using WINE and no port... [/ME pauses to wonder whether that pun was part of the original rationale for the acronym]... and using NX you can now give other users efficient platform-independent sessions on such a box at no extra charge.

    Plus there's the instant-thin-client aspect to think about. Something screwy with the system? Doorbell time. No hard disks to worry about the structure of.

    It might also save you some trouble if you're forced to stick with MS-Windows to put all of these apps on a Terminal Services box and lock it down once-for-all rather than locking down n workstations. This also gives you another opportunity to Linuxify (with rdesktopification) and/or thinclientise the workstations themselves (sorry, didn't get much sleep last night and am feeling a bit Dubya now).

    --
    Got time? Spend some of it coding or testing
  20. NIST Guide by Introspective · · Score: 2, Informative

    NIST have recently released a good guide on securing XP boxes here

    I haven't had the time to read it yet, but from the high quality of their other documents it is probably well worth printing and reading.

  21. Enable Windows RAM Policy by prabha · · Score: 3, Funny

    Boot the XP systems with 32MB RAM.

  22. Two words by Lars+T. · · Score: 2, Funny

    Kensington Chain ;-)

    --

    Lars T.

    To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  23. the phrase "surely there's a program for this" by torpor · · Score: 3, Insightful

    I would say that phrase is the #1 reason I never, ever use Microsoft Windows.

    if you have to download a program for every single little thing you do on your computer, the operating system is broken. don't bother trying to fix it, just switch.

    honestly, that really struck home with me. you need a program for everything you want to do on your computer? oh, you must be using windows ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    1. Re:the phrase "surely there's a program for this" by ColaMan · · Score: 3, Insightful

      if you have to download a program for every single little thing you do on your computer, the operating system is broken. don't bother trying to fix it, just switch.

      Er, unlike the unix(er, GNU?) mentality of "lots of little programs that do a single thing well"?

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    2. Re:the phrase "surely there's a program for this" by torpor · · Score: 5, Insightful

      Unix is a tools-based approach. You have many tools already, with which you can do many different kinds of things.

      Windows is a "one app, one task" based approach. You've got an app for everything you need to do, and you can't use those apps together to accomplish a bigger 'task'.

      Yes, I prefer the Unix way. Give me a toolbox, and with that toolbox (and not much else) I can build a car, a house, a boat, a dam, a power station, etc.

      But with Windows, I gotta download "PowerStation 1.0", "House 2.3.2", "Boat 3.2", etc. And god help me if I wanna plug House into PowerStation safely and securely ...

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    3. Re:the phrase "surely there's a program for this" by FlameSnyper · · Score: 2, Funny

      I can build a car, a house, a boat, a dam, a power station, etc.

      A hat, a brooch, etc...