How Would You Lock Down a Windows XP Machine?
Kronos666 asks: "I've been working with a network of about 50 computers, and a few of them have to be locked down. What I mean is that there is an application running, and the users must not be able to do anything else on it. The computers (Windows XP), are in a Windows 2000 domain and I've tried everything that comes to mind with the group policies. Now, I know it might seem contradictory to some, but is there a way to make those computers completely locked down? Maybe someone has had previous experience with something like this?"
Have you tried.... (Score:5, Funny)
I prefer the well-tested... (Score:3, Insightful)
Being MS-Windows, you might need to use hardwood stake instead, in which case I recommend either Wandoo or what the PNG call "Ironwood" (which loosely corresponds with San Martin's Ferran from David Weber's Honorverse [baen.com]).
I'd recommend first off porting the apps in question to Linux (well, to not-MS-Windows) where that can be readily done because it's easy to make the program into the WM (if they exit, they get a
Re:Have you tried.... (Score:1)
surely there's programs for this? (Score:5, Informative)
it's not foolproof but it's a start, and make them copy themselves from the network every time they're started.
http://www.google.com/search?q=windows+xp+kiosk&s
With Google, as with life... (Score:5, Insightful)
But 90% of the answer is in knowing how to ask exactly the right question.
The same is true of life.
That's kind of the point of "42" in Hitchhikers.. by Douglas Adams.
Re:With Google, as with life... (Score:1, Flamebait)
Re:surely there's programs for this? (Score:2, Funny)
That not working? Well, log in as root. Move the Finder out of your
Still not working? Oh, you meant Windows. Can't help you there.
the phrase "surely there's a program for this" (Score:3, Insightful)
if you have to download a program for every single little thing you do on your computer, the operating system is broken. don't bother trying to fix it, just switch.
honestly, that really struck home with me. you need a program for everything you want to do on your computer? oh, you must be using windows
Re:the phrase "surely there's a program for this" (Score:4, Insightful)
Er, unlike the unix(er, GNU?) mentality of "lots of little programs that do a single thing well"?
Re:the phrase "surely there's a program for this" (Score:5, Insightful)
Windows is a "one app, one task" based approach. You've got an app for everything you need to do, and you can't use those apps together to accomplish a bigger 'task'.
Yes, I prefer the Unix way. Give me a toolbox, and with that toolbox (and not much else) I can build a car, a house, a boat, a dam, a power station, etc.
But with Windows, I gotta download "PowerStation 1.0", "House 2.3.2", "Boat 3.2", etc. And god help me if I wanna plug House into PowerStation safely and securely
Re:the phrase "surely there's a program for this" (Score:2, Funny)
It's easy to say things.. (Score:1)
Heck, if nothing else, you can get a port of nearly every unix utility for Windows.
Re:It's easy to say things.. (Score:1)
If I'm using Unix tools on Windows, then it's not Windows' tools I'm using. It's Unix tools.
And as for 'bashing Windows', I've been doing that now for 20 years, and I've had plenty of good reasons all this time, believe me.
Re:surely there's programs for this? (Score:4, Informative)
Well.. you asked for it (Score:1)
Re:Well.. you asked for it (Score:1, Troll)
1. simply remove power cable.
Remove all drives (Score:5, Informative)
But if you're stuck with XP, I'd suggest a VERY minimal install of XP, with your program loaded in the registry full screen, and Windows.Form.KeyPreview on, Windows.Form.KeyDown testing for and disabling all standard keys (like alt-tab and ctrl-alt-del). For extra fun, link those keys to nasty messages from "The Master Programmer". And remove the floppy & CD-ROM drives completely from the machine. If the kiosk can get by with just mouse or touchscreen access, remove the keyboard as well, or at least a blob of superglue under the Windows and Right Menu keys.
Re:Remove all drives (Score:3, Informative)
Windows.Form.KeyPreview? From .NET? First, .NET is a bit heavyweight for that; a keyboard journal hook in win32 is much better. Second, it's excessive: what's so bad about alt-tab? Third, it will be ineffective: ctrl-alt-delete is a security attention sequen
Re:Remove all drives (Score:2)
Re:Remove all drives (Score:2)
XP Embedded (Score:2)
But if you're stuck with XP, I'd suggest a VERY minimal install of XP,
My thought, too. If the kiosk app had to be running Windows and not be able to run anything else, I'd probably look into Windows XP Embedded [microsoft.com].
From what little I've heard, XP Embedded would even make a pretty good desktop OS because it doesn't have as much gratuitous intertangling with browsers [com.com] and media players [infoworld.com] as plain XP.
Nice limited functionality; you add only components that you want. Technically a good way to go for the general
Re:XP Embedded (Score:1)
Another solution (Score:4, Funny)
Tell them the camera can detect them messing with the system, and if caught, the camera/gun combo will grow legs and make them wish they hadn't installed the random screensaver exe sent to them in the mail.
Or maybe you would get sued, I dunno, I'm not a lawyer.
activedir.org (Score:2, Informative)
Smash it with an axe. (Score:2, Funny)
My apologies if this seems unhelpful. It's very early and I haven't had my coffee yet.
Re:Smash it with an axe. (Score:4, Funny)
Re:Smash it with an axe. (Score:2)
Re:Smash it with an axe. (Score:2)
>the guru of gurus if you can get linux installed
>post axeing.
He meant NetBSD
Re:Smash it with an axe. (Score:2)
Re:Smash it with an axe. (Score:1)
If I recall correctly axes are for chopping not smashing, but what do I know...
Thin client (Score:5, Interesting)
I'm going to be blunt and say that the best way to do this is with Linux, because it's much easier to pare down.
Set up a bunch of thin clients with netbooting enabled. That means no CD drive, floppy drive, hard drive. Lock the BIOS. Buy cases that are physically securable.
Have one or several Windows Terminal Server boxes set up.
Set up your netboot server to serve a Linux distro something like Red Hat (or an even more bare-bones system), installing a minimal set of packages necessary. You'll want to install rdesktop so that your clients can act as Terminal Server clients, but no terminals or anything. In
The user should have no write access to anything on the Linux distro (if you want to include a small swap drive, you might want to have a local hard drive, but only root should be able to write to the thing).
The user should have no write access to anything on the Windows TS system (unless as required by your application). Hence, the users can't install anything. It's easy to administer. You don't have to pay for each client, since they're running Linux, which makes a decent thin client OS.
Now, you can do whatever you want in a trusted manner on the TS system(s), since the users don't have the ability to reboot or muck with it, since they have no local access (and rebooting or mucking with their thin client does nothing that gives them any influence over what applications are running on the server). Kill all processes that you don't recognize automatically or whatnot.
Re:Thin client (Score:1, Informative)
"You don't have to pay for each client, since they're running Linux, which makes a decent thin client OS."
This is true for the Linux piece of the solution, but Microsoft's TS licensing is more invasive than you think. To run a TS session, the licensing states that you must have a Windows OS license (regardless of what the client platform really is!), plus a Windows Server CAL, plus a TS CAL, then licensing for each app you are accessing via terminal services.
Re:Thin client (Score:3)
Re:Thin client (Score:1)
Replace the shell (Score:5, Informative)
Then replace the shell for that group with the app you want to run. That property is User->Admin. Templates->Custom User Interface.
In ctrl-alt-delete settings remove task manager if you want.
Turn off autoplay.
For a really locked down mode, use Software Restriction Policies [microsoft.com]. Create a whitelist of runnable apps by hash; if the program isn't on the list for users affected by the group policy, they cannot start the program. You can still admin the systems by logging on as a real user; just use ctrl-alt-delete to log off. Use this for shutdown/restart too.
You may need to set SRP from an XP machine or install the server 2003 admin kit [microsoft.com] (free) because SRP didn't exist yet in the win2k era; it's only supported locally on XP and later. The win2k AD server can still enforce the policy but the standard interface doesn't list the option. It's not contradictory. SRP does a great job of locking a Windows system down completely.
Re:Replace the shell (Score:2)
I disagree. Accounts exists so that people are accountable for what happens under them. If someone breaks out of your environment or tries to, you'll have a better chance of finding out who did it with one-account per person.
Re:Replace the shell (Score:2)
Re:Replace the shell (Score:2)
Re:Replace the shell (Score:3)
One thing I've had trouble with custom shells is that they don't restart if exited normally. I wrote a WSH script to handle that - it simply checks the process list and starts the shell if it's
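The watchdog the commenter describes, written as an added PowerShell example (not the commenter's WSH script): it relaunches the kiosk app whenever it exits, logs each exit with its exit code so repeated closes are visible afterwards, and backs off when the app dies in a tight loop. The app path and log path are hypothetical placeholders; it assumes PowerShell is installed on the kiosk box.

```powershell
# Added example (not the commenter's WSH script): restart the custom shell when
# it exits. The kiosk app path and log location are hypothetical placeholders.
$KioskExe = 'C:\Kiosk\kiosk.exe'
$LogFile  = 'C:\Kiosk\watchdog.log'

function Start-KioskApp {
    # Returns the new Process object so the loop can wait on it.
    $p = Start-Process -FilePath $KioskExe -PassThru
    Add-Content -Path $LogFile -Value ("{0} started pid {1}" -f (Get-Date -Format s), $p.Id)
    return $p
}

function Get-RestartDelay {
    param([int]$ExitsInLastMinute)
    # Back off when the app keeps dying immediately (crash loop, or a user
    # closing it again and again) so the box does not spin at 100% CPU;
    # the exit count itself is the thing worth reviewing in the log.
    if ($ExitsInLastMinute -ge 5) { return 30 }
    return 1
}

$recentExits = @()
while ($true) {
    $proc = Start-KioskApp
    $proc.WaitForExit()
    $now = Get-Date
    # Keep only exits from the last 60 seconds, then add this one.
    $recentExits = @($recentExits | Where-Object { ($now - $_).TotalSeconds -lt 60 }) + $now
    Add-Content -Path $LogFile -Value ("{0} exited code {1}" -f $now.ToString('s'), $proc.ExitCode)
    Start-Sleep -Seconds (Get-RestartDelay $recentExits.Count)
}
```

Run this script as the user's shell (or from the Run key) and launch the real app from it, rather than making the app itself the shell.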
Re:Replace the shell (Score:2)
Plenty of options... (Score:5, Informative)
Well, if I'm understanding what you're trying to do, you've got both software [rixler.com] and operating [microsoft.com] system [nodak.edu] options [google.com], as well as a [securitykit.com] whole [anytimeproducts.com] bunch [industrial...sure.co.uk] of [iboxcabinets.com] hardware [server-rack-online.com] solutions [startech.com].
Of course, you can also enable a screensaver password, and have the screensaver running all the time, configure the BIOS not to allow booting from the floppy drive, and use password access to the BIOS to disallow unauthorized changes to it.
It sounds like your easiest (read: less time to deal with and less worry of hacking headaches) solution is just to toss the suckers into one of those cabinets listed above. Hell, you can build the cabinet yourself for under $100, if you're any good with power tools and have a spare afternoon.
Go to (Score:4, Informative)
Worked well for me.
Do you need internet access? (Score:3)
Do you need only internet access?
I am going to assume that this is a data entry terminal with a windows (VB/Access) app.
Remove all drives, usb, and anything else except: mouse, keyboard, and video output.
put a 1 gig hd in the machine, install linux with bare minimum, and use rDesktop to remote into a win2003 machine with nothing enabled. now you have just one machine to manage, and win2k3 TS has more options than a win2k box for lockdown.
More costly, yes. But they won't be surfing the net or installing bonzibuddy.
I used to play this game... (Score:4, Insightful)
I hear Win2K and WinXP are improved, but to be honest I think trying to completely lock down a system that clearly isn't designed to be locked down is a lost cause.
Think about exactly what you're doing, and try not to catch Diebold syndrome*. If you want to provide a terminal for web browsing and e-mail, is a full Windows install necessary? Why not go for Mozilla on Linux, which will connect to your Windows-based TCP/IP network and provide the functions you want. Of course, your requirements might be a lot more complex, so this might not be an option.
If so, why not consider enforcement rather than prevention? Tell the users they can't do this, can't do that, and track them if necessary. If they break the rules, suspend them from the network. Placing software restrictions on people will often upset them, especially if they have a legitimate use for doing odd things (like installing a new media codec to watch a video they need for their work).
* Diebold syndrome: believing that a full multi-tasking memory-protected graphical operating system that consumes 300MHz of processor power and 500MB of disk space is the best basis for a dumb embedded system such as eVoting or an ATM
Re:I used to play this game... (Score:2)
Re:I used to play this game... (Score:1)
in ntlogon.bat
They can start it up again but unless they get everyone in the school to do it it's pretty useless to them.
Re:I used to play this game... (Score:1)
Re:Yes there is a way (Score:3, Funny)
Tip for the day:
Re:Yes there is a way (Score:2)
Some good reading... (Score:5, Informative)
Re:Some good reading... (Score:3, Funny)
Re:windows locking (Score:2)
Or is it my campus? OSU-N/COTC?
Try the NSA Security guides (Score:4, Informative)
I've used these policies for Windows 2000 lab machines, and have no known incidents with virii/trojans/stupid user tricks/etc...
Another thought.... (Score:1)
Re:Another thought.... (Score:1)
CtrlAltDel seems exactly the way to foil this.
90% impossible to escape from it once it's running
Look, it is either impossible, or possible. It can't be some fraction impossible. Even if you mean that 90% of users can't get out, those 10% that can are the same ones who would be messing up the system anyway.
if you ever need full windows, just boot off a boot disk and edit the shell line back
If you can boot off a boot disk, so ca
Re:Another thought.... (Score:1)
Re:Another thought.... (Score:1)
Re:Another thought.... (Score:2)
change shell (Score:3, Informative)
Re:change shell (Score:2, Informative)
BTW: Deepfreeze is a great program.
Don't worry too much about the machine itself (Score:2)
At my company, we have kiosk-like machines for hourly employees to clock in at. For them, the restrictions really aren't that comp
NIST Guide (Score:3, Informative)
I haven't had the time to read it yet, but from the high quality of their other documents it is probably well worth printing and reading.
Enable Windows RAM Policy (Score:3, Funny)
The implied assumption... (Score:1, Troll)
You might stand a chance if you:
1, remove all network access;
2, lock it in a hardened shelter;
3, post a platoon of U.S. Marines.
Otherwise, why bother: People who want secure and robust don't use MS products and there is simply no way you can't know that -- you be a troll?
You need lockdown software (Score:2)
This really isn't a guarantee, though. Windows is inherently impossible to prevent users from performing certain actions; but the above software will certainly help. I recommend Fortres if you want a standard Windows interface with restrictions, and WinU if you want to run only a single application. The Ontario Science Centre uses it (for their Internet Cafe), and
Using what I know (Score:1)
Two words (Score:3, Funny)
Re:Two words (Score:1)
How Would You Lock Down a Windows XP Machine? (Score:2)
Shut Down
Shut Down
Ok
Use Group Policies (Score:2)
These can be set on domain level (and applied to your OU's)
or you can set them per computer
Start -> Run -> gpedit.msc
Apply restrictions through policies and rights
Hide drives in My Computer
Hide My Network Places
Hide the Internet Explorer icon
Disable Add/Remove Programs
Disable changes to the taskbar
Remove Run from the Start menu
Disable and remove the Shutdown command from the Start menu
Disable the Control Panel
etc.
The Windows XP has more group policy objec
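Both the "Replace the shell" post (custom shell, Task Manager removal, autoplay, Software Restriction Policies) and the Group Policies list above end up as registry values under the Policies keys. The following is an added audit script, not code from either commenter, that reads those values and reports any that are missing or changed, so you can confirm the GPO actually landed on a kiosk. It assumes PowerShell is installed on the XP box and is run as the kiosk user; the kiosk app path is a hypothetical placeholder and the expected values are one choice for this kiosk.

```powershell
# Added example (not from the thread): audit a kiosk user's policy registry
# values against the lockdown the posts above describe. Run as the kiosk user
# so HKCU is that user's hive. C:\Kiosk\kiosk.exe is a hypothetical path.
$Policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$Safer    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Each entry: registry path, value name, expected data.
$Expected = @(
    # Custom User Interface policy: the kiosk app replaces explorer.exe as shell.
    @{ Path = "$Policies\System";   Name = 'Shell';              Want = 'C:\Kiosk\kiosk.exe' },
    # Ctrl-Alt-Del options: remove Task Manager.
    @{ Path = "$Policies\System";   Name = 'DisableTaskMgr';     Want = 1 },
    # Autoplay off for every drive type (0xFF).
    @{ Path = "$Policies\Explorer"; Name = 'NoDriveTypeAutoRun'; Want = 255 },
    # Start menu / Explorer restrictions from the Group Policies post.
    @{ Path = "$Policies\Explorer"; Name = 'NoRun';              Want = 1 },
    @{ Path = "$Policies\Explorer"; Name = 'NoClose';            Want = 1 },
    @{ Path = "$Policies\Explorer"; Name = 'NoControlPanel';     Want = 1 },
    @{ Path = "$Policies\Explorer"; Name = 'NoNetHood';          Want = 1 },
    @{ Path = "$Policies\Explorer"; Name = 'NoSetTaskbar';       Want = 1 },
    # Software Restriction Policies: DefaultLevel 0 = Disallowed
    # (0x40000 = Unrestricted), so only the hash whitelist can run.
    @{ Path = $Safer;               Name = 'DefaultLevel';       Want = 0 }
)

function Test-KioskPolicy {
    param([hashtable]$Rule)
    try {
        $item = Get-ItemProperty -Path $Rule.Path -Name $Rule.Name -ErrorAction Stop
        $got  = $item.($Rule.Name)
    } catch {
        $got = $null   # value not set: the policy never reached this user/machine
    }
    New-Object PSObject -Property @{
        Path = $Rule.Path; Name = $Rule.Name; Expected = $Rule.Want; Actual = $got
        OK   = ($got -ne $null) -and ("$got" -eq "$($Rule.Want)")
    }
}

$results = $Expected | ForEach-Object { Test-KioskPolicy $_ }
$results | Format-Table Name, Expected, Actual, OK -AutoSize
$drift = @($results | Where-Object { -not $_.OK })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) lockdown setting(s) missing or changed; check policy application with gpresult."
    exit 1
}
```

A non-zero exit means at least one setting has drifted, which is the case worth investigating, since a user who reached the registry got past the lockdown.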
Haven't used professionally but (Score:2)
Do these links help? (Score:1)
And in addition the last hint at
http://silverstr.ufies.org/blog/archives/000257.html [ufies.org] about how to limit which programs are allowed.
I have not tried any of these myself, except the few I have had to "hack" (reset) on computers, where some admin didn't allow me to even use Notepad. To "hack" them, I had to use third party software, which the sloppy admin for some reason had installed. Perhaps it was just a silly test of my curiosity or integrity.
I would put linux on it. (Score:2)
Set up Fedora 2 on the box, then tweak it such that it automatically logs into a given user, and set that user's window manager to be the application that you want to run. Have it automatically restart if it closes (not terribly hard). Then you'd basically have a screenful of that application with no window decorations, you wouldn't be able to close it (save for CTRL+ALT+DELETE, which would ideally just restart X and put you back into that application if not disabled entirely).
I think th
How Would You Lock Down a Windows XP Machine? (Score:2)
jesus people (Score:2)
USE GROUP POLICIES. if you don't know how, ask an admin who knows their job. This is bloody obvious, and just far too easy for linux zealots to start jumping up and down and adding nothing of use to the argument.
Any admin worth their salt knows how to do this, and does it already where appropriate.
This truly isn't hard to do... (Score:2)
Hit MSDN.microsoft.com or even do a few searches on Microsoft.com.
I'm not sure if you realize this, but getting a solid answer to a Windows solution on Slashdot is like asking Charlie Manson where the best nearby Starbucks is... Not going to be an answer he will have, and if he gives you one, it won't be one you will want...
some ideas... (Score:1)
My suggestions (Score:2)
I'd get... (Score:2)
Simple (Score:1)
Re:Simple (Score:1)
My school's library has Fortres installed on all of their computers, and it doesn't work at all. It simply makes everything 1000% slower. (IE takes 10 minutes to start and 5 minutes to load Google.) That, and it can easily be bypassed without knowing the password. (Enter "C:" into Internet Explorer to access the hard drive.)
Deep Freeze (Score:1)
I had to write some code to do this, but it's easy (Score:1)
I tried to post the class in the comment for you but Slashdot prevented the s
DeepFreeze (Score:1)
I'd use chains and eyebolts. (Score:2)
Furthermore, you'll need to replace the case fasteners with snap-off security bolts to prevent thieves
Re:Physical security (Score:3, Insightful)
Re:Physical security (Score:2)
Tell me - how does one do bios upgrades on the motherboard without a floppy or some other bootable access to the hardware? Do people seriously think that one can design and market general purpose PC hardware that only al
Re:Physical security (Score:2)
Re:Physical security (Score:2)
Re:Physical security (Score:2)
The interesting thing is that in former times, many CD-players could still do audio when they have power but no data cable. You just hooked up headphones and the builtin volume control could be used. Regrettably, newer drives don't have
Re:Physical security (Score:1)
Seriously, what's to prevent Joe Slashdot reader from rebooting with a Knoppix CD?
Put the computer in a box, then lock it.