Slashdot Mirror


How Would You Lock Down a Windows XP Machine?

Kronos666 asks: "I've been working with a network of about 50 computers, and a few of them have to be locked down. What I mean is that there is an application running, and the users must not be able to do anything else on it. The computers (Windows XP), are in a Windows 2000 domain and I've tried everything that comes to mind with the group policies. Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down? Maybe someone has had previous experience with something like this?"

11 of 119 comments

  1. Have you tried.... by HotNeedleOfInquiry · Score: 4, Funny

    A blob of epoxy in the keyboard jack?

    --
    "Eve of Destruction", it's not just for old hippies anymore...
  2. surely there's programs for this? by gl4ss · Score: 4, Informative

    for turning them into 'kiosk' style machines, with the ability to only run 1 program. removing explorer & etc.

    it's not foolproof but it's a start, and make them copy themselves from the network every time they're started.

    http://www.google.com/search?q=windows+xp+kiosk&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8 , and remember, there's no ask-slashdot that google couldn't solve...

    --
    world was created 5 seconds before this post as it is.
  3. Remove all drives by Marxist+Hacker+42 · Score: 4, Informative

    And boot off the network. In addition, the truly best way is to avoid the problem to begin with, by coding your kiosk software as its own operating system, booting off of network or ROM chip, and having the data held elsewhere.

    But if you're stuck with XP, I'd suggest a VERY minimal install of XP, with your program loaded in the registry full screen, and Windows.Form.KeyPreview on, Windows.Form.KeyDown testing for and disabling all standard keys (like alt-tab and ctrl-alt-del). For extra fun, link those keys to nasty messages from "The Master Programmer". And remove the floppy & CD-ROM drives completely from the machine. If the kiosk can get by with just mouse or touchscreen access, remove the keyboard as well, or at least a blob of superglue under the Windows and Right Menu keys.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  4. Thin client by 0x0d0a · Score: 4, Interesting

    It's a pain, because it's so much harder to build Windows-from-scratch barebones systems than their Linux equivalents. I've seen a lot of Windows kiosks, and they're almost always loaded with scads of things they don't need because it's so hard to really pare down a Windows box.

    I'm going to be blunt and say that the best way to do this is with Linux, because it's much easier to pare down.

    Set up a bunch of thin clients with netbooting enabled. That means no CD drive, floppy drive, hard drive. Lock the BIOS. Buy cases that are physically securable.

    Have one or several Windows Terminal Server boxes set up.

    Set up your netboot server to serve a Linux distro something like Red Hat (or an even more bare-bones system), installing a minimal set of packages necessary. You'll want to install rdesktop so that your clients can act as Terminal Server clients, but no terminals or anything. In /etc/inittab, remove all VTs. In /etc/X11/XF86Config, kill the "special" xorg key combinations (like control-alt-backspace). Don't have xterm or any such terminals installed. Use an xsession set up to start rdesktop, and a window manager of your choice that can slap something up fullscreen and disable all other functionality -- almost all can do this, but you'll probably want something more barebones than the sawfish that I use. Have rdesktop running fullscreen. Set up X to respawn logged in to whatever user you have using the program.

    The user should have no write access to anything on the Linux distro (if you want to include a small swap drive, you might want to have a local hard drive, but only root should be able to write to the thing).

    The user should have no write access to anything on the Windows TS system (unless as required by your application). Hence, the users can't install anything. It's easy to administer. You don't have to pay for each client, since they're running Linux, which makes a decent thin client OS.

    Now, you can do whatever you want in a trusted manner on the TS system(s), since the users don't have the ability to reboot or muck with it, since they have no local access (and rebooting or mucking with their thin client does nothing that gives them any influence over what applications are running on the server). Kill all processes that you don't recognize automatically or whatnot.

  5. Replace the shell by Foolhardy · Score: 4, Informative
    First, create a user group for the locked-down users. Give it the least privileges possible. You can have everyone log on with the same user; use autologon for simplicity. Use the account property that prevents the user from changing the password.
    Then replace the shell for that group with the app you want to run. That property is User->Admin. Templates->Custom User Interface.
    In ctrl-alt-delete settings remove task manager if you want.
    Turn off autoplay.
    For a really locked down mode, use Software Restriction Policies. Create a whitelist of runnable apps by hash; if the program isn't on the list for users affected by the group policy, they cannot start the program. You can still admin the systems by logging on as a real user; just use ctrl-alt-delete to log off. Use this for shutdown/restart too.
    You may need to set SRP from an XP machine or install the server 2003 admin kit (free) because SRP didn't exist yet in the win2k era; it's only supported locally on XP and later. The win2k AD server can still enforce the policy but the standard interface doesn't list the option.
    Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down?
    It's not contradictory. SRP does a great job of locking a Windows system down completely.
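    Added example, not from the thread or any poster: a Python script that writes the .reg fragment for the two steps above, a custom shell for the kiosk user and an SRP hash whitelist with the default level set to Disallowed. The registry locations are the documented Safer\CodeIdentifiers and Policies\System keys; the executable bytes and the C:\kiosk\app.exe path are constructed sample data.

```python
"""Build a .reg fragment for a kiosk lockdown: SRP default level Disallowed,
hash rules that allow only listed executables, and a replacement shell.
Added example; registry layout is the documented SRP 'Safer' structure."""
import hashlib
import uuid

SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
USER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DISALLOWED, UNRESTRICTED = 0x0, 0x40000   # SRP security levels (decimal subkey names)
CALG_MD5 = 0x8003                          # algorithm id SRP stores for MD5 hash rules

def reg_hex(data):
    """Comma-separated hex bytes, the .reg syntax for binary values."""
    return ",".join("%02x" % b for b in data)

def hash_rule(friendly_name, content):
    """One Unrestricted hash rule: the file runs only if its MD5 and size match."""
    key = "%s\\%d\\Hashes\\{%s}" % (SAFER, UNRESTRICTED,
                                   uuid.uuid5(uuid.NAMESPACE_URL, friendly_name))
    return [
        "[%s]" % key,
        '"FriendlyName"="%s"' % friendly_name,
        '"Description"="kiosk whitelist"',
        '"HashAlg"=dword:%08x' % CALG_MD5,
        '"ItemData"=hex:' + reg_hex(hashlib.md5(content).digest()),
        '"ItemSize"=hex(b):' + reg_hex(len(content).to_bytes(8, "little")),
        '"SaferFlags"=dword:00000000',
        "",
    ]

def kiosk_policy(shell_path, whitelist):
    """Return .reg text. `whitelist` maps a rule name to the executable's bytes."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[%s]" % SAFER,
             '"DefaultLevel"=dword:%08x' % DISALLOWED,   # anything not whitelisted is blocked
             '"TransparentEnabled"=dword:00000001',       # enforce for all software except DLLs
             '"PolicyScope"=dword:00000001',              # 1 = all users except local admins
             "",
             "[%s]" % USER_POLICY,
             '"Shell"="%s"' % shell_path.replace("\\", "\\\\"),  # replaces explorer.exe
             ""]
    for name, content in whitelist.items():
        lines += hash_rule(name, content)
    return "\n".join(lines)

# Constructed sample bytes standing in for reading the real kiosk executable from disk.
SAMPLE_EXE = b"MZ" + b"\x00" * 10
if __name__ == "__main__":
    print(kiosk_policy(r"C:\kiosk\app.exe", {"kiosk app": SAMPLE_EXE}))
```

    Import the output with regedit on a test machine first, since a wrong shell path or a missing hash rule leaves the user with nothing runnable.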
  6. Plenty of options... by ezraekman · Score: 4, Informative

    Well, if I'm understanding what you're trying to do, you've got both software and operating system options, as well as a whole bunch of hardware solutions.

    Of course, you can also enable a screensaver password, and have the screensaver running all the time, configure the BIOS not to allow booting from the floppy drive, and use password access to the BIOS to disallow unauthorized changes to it.

    It sounds like your easiest (read: less time to deal with and less worry of hacking headaches) solution is just to toss the suckers into one of those cabinets listed above. Hell, you can build the cabinet yourself for under $100, if you're any good with power tools and have a spare afternoon.

  7. I used to play this game... by Ianoo · Score: 4, Insightful

    ... and it's no fun for the network administrator. A big problem we (and by 'we' I mean a school where I used to do volunteer work) had with NT4 years ago was network messaging using 'net send' from the command line. No matter what we tried, locking down local hard disks, removing applications, whatever, the little fsckers still found ways to access it. The most innovative was using the File -> Open dialog of an MS Office dialog to get to c:\winnt\system32 (since thanks to Microsoft's code re-use, these dialogs are custom, not the system-wide standard ones), using the dialog to add cmd32 as an IE Favorite, launching IE and clicking on Favorites -> cmd32. Voila, the command line.

    I hear Win2K and WinXP are improved, but to be honest I think trying to completely lock down a system that clearly isn't designed to be locked down is a lost cause.

    Think about exactly what you're doing, and try not to catch Diebold syndrome*. If you want to provide a terminal for web browsing and e-mail, is a full Windows install necessary? Why not go for Mozilla on Linux, which will connect to your Windows-based TCP/IP network and provide the functions you want. Of course, your requirements might be a lot more complex, so this might not be an option.

    If so, why not consider enforcement rather than prevention? Tell the users they can't do this, can't do that, and track them if necessary. If they break the rules, suspend them from the network. Placing software restrictions on people will often upset them, especially if they have a legitimate use for doing odd things (like installing a new media codec to watch a video they need for their work).

    * Diebold syndrome: believing that a full multi-tasking memory-protected graphical operating system that consumes 300MHz of processor power and 500MB of disk space is the best basis for a dumb embedded system such as eVoting or an ATM

  8. With Google, as with life... by CaptainCheese · Score: 5, Insightful

    there's no ask-slashdot that google couldn't solve...

    But 90% of the answer is in knowing how to ask exactly the right question.

    The same is true of life.

    That's kind of the point of "42" in Hitchhikers, by Douglas Adams.

    --
    -- .sigs are a waste of data...turn them off...
  9. Some good reading... by (H)elix1 · Score: 4, Informative

    I'd check out what these guys had to say about locking down xp.

  10. Try the NSA Security guides by hardreset · Score: 4, Informative

    Take a look at the NSA security guides for Windows NT, 2000, XP, and 2003. Normal users on the machine will have no ability to modify the machine if the policy is applied (especially the policies that apply to the file system.)
    I've used these policies for Windows 2000 lab machines, and have no known incidents with virii/trojans/stupid user tricks/etc...

  11. Re: the phrase "surely there's a program for this" by torpor · Score: 5, Insightful

    Unix is a tools-based approach. You have many tools already, with which you can do many different kinds of things.

    Windows is a "one app, one task" based approach. You've got an app for everything you need to do, and you can't use those apps together to accomplish a bigger 'task'.

    Yes, I prefer the Unix way. Give me a toolbox, and with that toolbox (and not much else) I can build a car, a house, a boat, a dam, a power station, etc.

    But with Windows, I gotta download "PowerStation 1.0", "House 2.3.2", "Boat 3.2", etc. And god help me if I wanna plug House into PowerStation safely and securely ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --