Create an Indestructible Shared PC
Wednesday, 12. April 2006, 13:57:56
By Neil J. Rubenking
Need to put a PC in a public place? A free Microsoft tool makes it easy to lock down.
Schools, libraries, and other organizations often want to make computers available in public places. These can become tempting targets for hackers. Even well-intentioned users can wreak havoc by deleting important files or accidentally installing malware.
Microsoft's free Shared Computer Toolkit lets you configure a PC that can be used to search the Internet, look up resources, and run approved programs; it also stops users from making permanent system changes, running arbitrary programs, or introducing malware. Administrators on domain-based PCs have long been able to do this; the toolkit offers a similar level for any PC. You don't need an IT degree—the kit leads an administrator through the steps of locking down a system.
We evaluated a recent release candidate of the toolkit, which can be downloaded at www.microsoft.com/sharedaccess. The toolkit requires Windows XP Service Pack 2 or Windows XP Tablet PC Edition 2005, and you'll probably need to download the oddly named User Profile Hive Cleanup Service. Start by installing the toolkit while logged on to an account that will become the toolkit administrator account. It will open a Getting Started applet that lists the steps you'll follow to lock down the computer.
The first step is usually to adjust the disk's partitioning to make room for Windows Disk Protection. WDP requires a region of unallocated disk space that is located just beyond the boot partition and whose size is at least 10 percent of the boot partition's size but no less than 1 GB. Windows doesn't provide a nondestructive partition management utility; the toolkit suggests using PartitionMagic 8 or Terabyte Unlimited's BootIt. If you're configuring a new computer, you can adjust the partition size during installation of Windows XP. When active, WDP discards all changes to the boot partition when the computer is restarted, so you won't turn it on until the other configuration steps are completed.
The second step pulls together a number of security settings and suggests you enable them all. One key option removes the toolkit administrator account from the Welcome screen—users won't know the account name, much less the password. As the administrator, you'll log in by pressing Ctrl-Alt-Del twice at the Welcome screen, then entering the account name and password in the dialog box. Among other restrictions, the toolkit can prevent other users from shutting down or restarting the computer, block Windows from caching Passport or other credentials, and disallow unapproved user profiles. The Test Your Password button checks to be sure you haven't used a blank password or a weak password like your username.
Next you'll create a public account to be shared by all walk-up users. (You can make multiple accounts by repeating the next few steps.) The instructions advise making it a Limited account, but there are also instructions for dealing with an Administrative account, in case a critical program won't run under a Limited one. For the setup, you should set a password for this account, or else Windows will boot to it on each restart, forcing you to log off and then into the toolkit administrator account. Next, the wizard asks you to log on to this new account and configure it completely, including setting appearance, configuring the printer, enabling the Quick Launch toolbar (if desired), and setting up programs such as Microsoft Office that perform user-specific initialization. Be sure to install add-ons like Adobe Reader and Flash. Now log off the public account and back into the toolkit administrator account.
In the wizard, the User Restrictions applet offers a range of limitations from mild to draconian. The Lock This Profile check box tells the system not to save Internet history and other user changes. You can force a specific home page and limit which drives are displayed in My Computer in order to block the user from bringing in software on diskette or USB key. You can configure this profile to log off after a specified amount of time, or of idle time. And you can set it to restart at log-off; this is significant when WDP is enabled, because restarting discards all changes to the Windows partition.
Checking the Recommended Restrictions box really locks down the system. Start menu restrictions eliminate many icons such as Control Panel and My Network Places, force the classic Start menu style, and disable right-clicking on Start menu items. General XP restrictions eliminate the Recycle Bin (so one user can't paw through another's trash), block access to such tools as the Command Prompt, Registry Editor, and Microsoft Management Console, and prevent activating Task Manager to kill specific processes. Internet Explorer restrictions disable right-clicking within IE, block access to Internet Options, and suppress certain toolbar buttons. Office restrictions disable macros and VBA and prevent other inappropriate changes. The Software Restriction Policy blocks all programs not found in the Windows or Program Files folder and prevents use of tools that could bypass the toolkit's security.
You can go even further. You can block Internet access for the account, prevent IE or Windows Messenger from running, or disable Microsoft Office. And you can disconnect this account from the All Users account, so the only items on the Start menu are those specifically installed for this user.
Next the wizard asks you to test the account and make sure it's not so restricted as to be unusable. You'll find it a novel experience. Most of the right-click menus are disabled. You can't launch a Command Prompt or enter a program name in the Run dialog. You can't change the wallpaper or set the clock. All you can do is run the programs listed in the Start menu or log off. Do run all the programs to be sure they work.
Now, log back on as administrator; you'll have to press Ctrl-Alt-Del twice. Turn on Windows Disk Protection. When WDP is active, it takes control of all programmatic requests to read or write data to the Windows drive. The write requests are trapped and stored without changing the drive itself. For read requests, WDP reads from the physical drive, then applies any modifications based on those stored write requests.
The technique of inserting a layer between the system and the physical disk is used by other products, like Altiris Protect and ShadowUser. While WDP doesn't have all the flexibility of these programs, it has a nice feature they lack: It automates Windows Update installation. At the scheduled time, it will restart the computer to discard changes, run Windows Update, commit those changes to the physical hard disk, and restart with WDP protection active. You can also run a script to update your antivirus program during this process.
Once WDP is active, all changes, even those made under the toolkit administrator account, are discarded by default when you restart the computer. You get one warning about this, at the time you turn WDP on. After making configuration changes, you must set WDP to save changes on the next restart. It will commit your changes to disk and return to the default of discarding changes. You can also set it to retain all changes until actively placed back in the protection mode. Note that WDP protects only the boot partition (the one containing the Windows folder) and that it disables hibernation.
The system is now ready for public use. The shared public account is locked down so users can do only what you've allowed them to do. And the system is automatically wiped clean at each restart. You'll want to read the security advice in the Shared Computer Toolkit Handbook—in particular, to create a strong password for the powerful toolkit admin-istrator account.
If you decide to uninstall the toolkit, you'll want to be very careful. Many of its restrictions are simply existing features of Windows, brought together for convenience. The settings will remain even if the toolkit is removed. Before uninstalling, you must work backwards through the steps in the Getting Started applet, turning off WDP and undoing the restrictions for all accounts. Only then can you safely uninstall.
You might think it would be easier to uninstall the toolkit by restoring an earlier drive-image backup, but even here you need to act with care. WDP uses a nonstandard configuration for both the main partition and its data storage partition. If your drive-imaging tool supports it, you'd have to delete both partitions and restore the image into the resulting free space. You'd also have to configure the tool to restore the Master Boot Record and mark the restored partition as active.
We applaud Microsoft for making this security tool available. It should be a godsend for schools, libraries, and other havens of public computers.
Source: http://www.pcmag.com/article2/0,1895,1892666,00.asp
Need to put a PC in a public place? A free Microsoft tool makes it easy to lock down.
Schools, libraries, and other organizations often want to make computers available in public places. These can become tempting targets for hackers. Even well-intentioned users can wreak havoc by deleting important files or accidentally installing malware.
Microsoft's free Shared Computer Toolkit lets you configure a PC that can be used to search the Internet, look up resources, and run approved programs; it also stops users from making permanent system changes, running arbitrary programs, or introducing malware. Administrators on domain-based PCs have long been able to do this; the toolkit offers a similar level for any PC. You don't need an IT degree—the kit leads an administrator through the steps of locking down a system.
We evaluated a recent release candidate of the toolkit, which can be downloaded at www.microsoft.com/sharedaccess. The toolkit requires Windows XP Service Pack 2 or Windows XP Tablet PC Edition 2005, and you'll probably need to download the oddly named User Profile Hive Cleanup Service. Start by installing the toolkit while logged on to an account that will become the toolkit administrator account. It will open a Getting Started applet that lists the steps you'll follow to lock down the computer.
The first step is usually to adjust the disk's partitioning to make room for Windows Disk Protection. WDP requires a region of unallocated disk space that is located just beyond the boot partition and whose size is at least 10 percent of the boot partition's size but no less than 1 GB. Windows doesn't provide a nondestructive partition management utility; the toolkit suggests using PartitionMagic 8 or Terabyte Unlimited's BootIt. If you're configuring a new computer, you can adjust the partition size during installation of Windows XP. When active, WDP discards all changes to the boot partition when the computer is restarted, so you won't turn it on until the other configuration steps are completed.
The second step pulls together a number of security settings and suggests you enable them all. One key option removes the toolkit administrator account from the Welcome screen—users won't know the account name, much less the password. As the administrator, you'll log in by pressing Ctrl-Alt-Del twice at the Welcome screen, then entering the account name and password in the dialog box. Among other restrictions, the toolkit can prevent other users from shutting down or restarting the computer, block Windows from caching Passport or other credentials, and disallow unapproved user profiles. The Test Your Password button checks to be sure you haven't used a blank password or a weak password like your username.
Next you'll create a public account to be shared by all walk-up users. (You can make multiple accounts by repeating the next few steps.) The instructions advise making it a Limited account, but there are also instructions for dealing with an Administrative account, in case a critical program won't run under a Limited one. For the setup, you should set a password for this account, or else Windows will boot to it on each restart, forcing you to log off and then into the toolkit administrator account. Next, the wizard asks you to log on to this new account and configure it completely, including setting appearance, configuring the printer, enabling the Quick Launch toolbar (if desired), and setting up programs such as Microsoft Office that perform user-specific initialization. Be sure to install add-ons like Adobe Reader and Flash. Now log off the public account and back into the toolkit administrator account.
In the wizard, the User Restrictions applet offers a range of limitations from mild to draconian. The Lock This Profile check box tells the system not to save Internet history and other user changes. You can force a specific home page and limit which drives are displayed in My Computer in order to block the user from bringing in software on diskette or USB key. You can configure this profile to log off after a specified amount of time, or of idle time. And you can set it to restart at log-off; this is significant when WDP is enabled, because restarting discards all changes to the Windows partition.
Checking the Recommended Restrictions box really locks down the system. Start menu restrictions eliminate many icons such as Control Panel and My Network Places, force the classic Start menu style, and disable right-clicking on Start menu items. General XP restrictions eliminate the Recycle Bin (so one user can't paw through another's trash), block access to such tools as the Command Prompt, Registry Editor, and Microsoft Management Console, and prevent activating Task Manager to kill specific processes. Internet Explorer restrictions disable right-clicking within IE, block access to Internet Options, and suppress certain toolbar buttons. Office restrictions disable macros and VBA and prevent other inappropriate changes. The Software Restriction Policy blocks all programs not found in the Windows or Program Files folder and prevents use of tools that could bypass the toolkit's security.
You can go even further. You can block Internet access for the account, prevent IE or Windows Messenger from running, or disable Microsoft Office. And you can disconnect this account from the All Users account, so the only items on the Start menu are those specifically installed for this user.
Next the wizard asks you to test the account and make sure it's not so restricted as to be unusable. You'll find it a novel experience. Most of the right-click menus are disabled. You can't launch a Command Prompt or enter a program name in the Run dialog. You can't change the wallpaper or set the clock. All you can do is run the programs listed in the Start menu or log off. Do run all the programs to be sure they work.
Now, log back on as administrator; you'll have to press Ctrl-Alt-Del twice. Turn on Windows Disk Protection. When WDP is active, it takes control of all programmatic requests to read or write data to the Windows drive. The write requests are trapped and stored without changing the drive itself. For read requests, WDP reads from the physical drive, then applies any modifications based on those stored write requests.
The technique of inserting a layer between the system and the physical disk is used by other products, like Altiris Protect and ShadowUser. While WDP doesn't have all the flexibility of these programs, it has a nice feature they lack: It automates Windows Update installation. At the scheduled time, it will restart the computer to discard changes, run Windows Update, commit those changes to the physical hard disk, and restart with WDP protection active. You can also run a script to update your antivirus program during this process.
Once WDP is active, all changes, even those made under the toolkit administrator account, are discarded by default when you restart the computer. You get one warning about this, at the time you turn WDP on. After making configuration changes, you must set WDP to save changes on the next restart. It will commit your changes to disk and return to the default of discarding changes. You can also set it to retain all changes until actively placed back in the protection mode. Note that WDP protects only the boot partition (the one containing the Windows folder) and that it disables hibernation.
The system is now ready for public use. The shared public account is locked down so users can do only what you've allowed them to do. And the system is automatically wiped clean at each restart. You'll want to read the security advice in the Shared Computer Toolkit Handbook—in particular, to create a strong password for the powerful toolkit admin-istrator account.
If you decide to uninstall the toolkit, you'll want to be very careful. Many of its restrictions are simply existing features of Windows, brought together for convenience. The settings will remain even if the toolkit is removed. Before uninstalling, you must work backwards through the steps in the Getting Started applet, turning off WDP and undoing the restrictions for all accounts. Only then can you safely uninstall.
You might think it would be easier to uninstall the toolkit by restoring an earlier drive-image backup, but even here you need to act with care. WDP uses a nonstandard configuration for both the main partition and its data storage partition. If your drive-imaging tool supports it, you'd have to delete both partitions and restore the image into the resulting free space. You'd also have to configure the tool to restore the Master Boot Record and mark the restored partition as active.
We applaud Microsoft for making this security tool available. It should be a godsend for schools, libraries, and other havens of public computers.
Source: http://www.pcmag.com/article2/0,1895,1892666,00.asp
