The Kiosk Series – Part Three – Microsoft SteadyState vs Group Policies

April 9, 2008

by — Posted in Security, Technology

 


One of the programs that management wants us to look at for our kiosk implementation is Microsoft SteadyState, Microsoft’s all-in-one wizard for creating a kiosk solution.

I’m not entirely convinced that there is anything you can do with it that Active Directory is not better suited for.   So as we work through this document we’ll explore the options in SteadyState and compare each one to the group policies you can push down to a computer or user account from a central location.

Steadystate1

This is the start page of Microsoft SteadyState.  From here there are six things you can do:

1. Set Computer Restrictions

2. Schedule Software Updates

3. Protect the Hard Disk

4. Add a New User

5. Export a User

6. Import a User

Steadystate2

This is the “Set Computer Restrictions” page.  It is broken down into sections, and for each setting I list the group policy (or registry value) that achieves the same result, which shows how small the set of computer settings here is compared with what group policy offers.   There are many more Windows computer policies you can apply to the machine, especially if you wish to conform to your company’s security plan, but we’ll stick with Microsoft’s options for now.

Privacy Settings:

1. Do not display user names in the Log On to Windows dialog box

Group Policy equivalent:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name

2. Prevent locked or roaming profiles that cannot be found on the computer from logging on

Group Policy Equivalent:

Disable interactive logon for all accounts except the approved accounts for use with the kiosk machine, and enable Computer Configuration\Administrative Templates\System\User Profiles\Log users off when roaming profile fails

Registry Equivalent:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"ProfileErrorAction"=dword:00000001


3. Do not cache copies of locked or roaming profiles for users who have previously logged on to this computer

Group Policy Equivalent:

Disable interactive logon for all accounts except the approved accounts for use with the kiosk machine, and enable Computer Configuration\Administrative Templates\System\User Profiles\Delete cached copies of roaming profiles

Registry Equivalent:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"DeleteRoamingCache"=dword:00000001

Security Settings:

1. Remove the Administrator user name from the Welcome Screen

Group Policy Equivalent:

The XP Welcome screen is automatically replaced by the classic logon screen after a computer is joined to a domain, so no policy change is needed unless this has been adjusted.

Registry equivalent:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Administrator"=dword:00000000

2. Remove the Shut Down and Turn Off options from the Log On to Windows and the Welcome Screen

Group Policy Equivalent:

For the logon screen itself the matching setting is a security option, not a Start menu policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on (set to Disabled; registry value "ShutdownWithoutLogon"=dword:00000000 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)

To take the same buttons away from the logged-on user as well, use the two Start menu policies:

User Configuration \ Administrative Templates \ Start Menu and Taskbar
Policy: Disable Logoff on the Start Menu
Description: Removes the "Logoff" button from the Start menu and prevents
users from adding the Logoff button to the Start menu.
Registry Value: "StartMenuLogoff"

Policy: Disable and remove the Turn Off Computer button
Description: Removes the "Turn Off Computer" button from the Start Menu and
prevents shutting down Windows using the standard shutdown user interface.
Registry Value: "NoClose"

(Both are DWORD values of 1 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.)

3. Do not allow Windows to compute and store passwords using LAN Manager Hash values

Group Policy Equivalent:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Do not store LAN Manager hash value on next password change

4. Do not store user names or passwords used to log on to Windows Live ID or the domain

Group Policy Equivalent:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network Authentication

By disabling interactive logins for all users except the kiosk user account, this isn’t an issue.

5. Prevent users from creating folders and files on the drive c:\

NTFS permissions on the drive that give the kiosk account read access only to the information it needs should handle this.

6. Prevent users from opening Microsoft Office documents from within Internet Explorer

Registry Equivalents:

Set the "BrowserFlags" DWORD value to 8 (decimal) under each of the following keys (this is the method described in Microsoft KB 162059, and it makes the document open in its Office application instead of inside the browser):

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.5]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.8]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSProject.Project.8]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.8]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.6]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8]


7. Prevent write access to USB storage devices

Registry Equivalent:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

(This value is honoured from Windows XP SP2 onward; the key does not exist by default and has to be created.)

Other Settings:

1. Turn off the Welcome Screen

Group Policy Equivalent:

The XP Welcome screen is automatically replaced by the classic logon screen after a computer is joined to a domain, so no policy change is needed unless this has been adjusted.

Microsoft does show some understanding that machines with this configuration may live in a domain, since the page carries the note “In a Domain managed environment the Domain Group Policy supersedes any settings made here.”
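Since the whole point of pushing these settings from a domain is that the kiosk should match the GPO, here is a read-only audit script that checks the registry values behind the settings listed above. It is an added example, not part of the original post and not a SteadyState component; the key paths are the documented locations for each policy, the BrowserFlags value follows KB 162059, and it assumes PowerShell is available on the kiosk (the expected values are the ones this post argues for, adjust them to your own baseline).

```powershell
# Added example: read-only audit of the registry values behind the kiosk
# settings above. Run it on a domain-joined kiosk after 'gpupdate /force'
# to confirm the domain GPO actually landed, rather than trusting the console.
# Assumptions: PowerShell 2.0 or later; the expected values below are the
# settings argued for in this post, not a Microsoft-published baseline.

$Baseline = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Expected = 1
       Policy = 'Interactive logon: Do not display last user name' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'ShutdownWithoutLogon'; Expected = 0
       Policy = 'Shutdown: Allow system to be shut down without having to log on (Disabled)' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'ProfileErrorAction'; Expected = 1
       Policy = 'Log users off when roaming profile fails' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'DeleteRoamingCache'; Expected = 1
       Policy = 'Delete cached copies of roaming profiles' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
       Name = 'Administrator'; Expected = 0
       Policy = 'Hide Administrator on the Welcome screen' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Expected = 1
       Policy = 'Network security: Do not store LAN Manager hash value on next password change' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'DisableDomainCreds'; Expected = 1
       Policy = 'Network access: Do not allow storage of credentials or .NET Passports' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\Word.Document.8'
       Name = 'BrowserFlags'; Expected = 8
       Policy = 'Open Word documents outside Internet Explorer (KB 162059)' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name = 'WriteProtect'; Expected = 1
       Policy = 'Block writes to USB storage (XP SP2 and later)' },
    # Per-user policies live under HKCU, so run the script as the kiosk user too.
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoClose'; Expected = 1
       Policy = 'Remove the Turn Off Computer button' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'StartMenuLogoff'; Expected = 1
       Policy = 'Remove Logoff from the Start menu' }
)

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is missing instead of throwing,
    # so an unset policy shows up as drift rather than aborting the audit.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-KioskBaseline {
    foreach ($b in $Baseline) {
        $actual = Get-RegValue $b.Key $b.Name
        $status = 'DRIFT'
        if ($actual -eq $b.Expected) { $status = 'OK' }
        New-Object PSObject -Property @{
            Status   = $status
            Policy   = $b.Policy
            Value    = $b.Name
            Expected = $b.Expected
            Actual   = $actual
        }
    }
}

# Print every setting, then exit non-zero if anything drifted, so the check
# can run as a scheduled task and feed whatever monitoring you already have.
$results = Test-KioskBaseline
$results | Format-Table Status, Policy, Value, Expected, Actual -AutoSize
if ($results | Where-Object { $_.Status -eq 'DRIFT' }) { exit 1 }
```

The script only reads the registry; the fix for any DRIFT line is to correct the GPO, not to patch the kiosk by hand, otherwise you are back to the per-machine management that SteadyState encourages. The two HKCU entries will always show as DRIFT when run from an administrator session, since the user policies are only applied to the kiosk account.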

 

Steadystate3

This is the Schedule Software Updates screen.  From here you can configure the interval at which Windows and auxiliary programs are updated.  For updating Windows, a SteadyState computer supports Microsoft Update, Windows Update or Windows Server Update Services.

The supported security program updates are limited.  The only programs with native support are Computer Associates eTrust 7.0, McAfee VirusScan and Trend Micro 7.0.  You have the option of creating a custom script to handle any other program updates you may need.   In a domain environment this is easily handled by central update servers such as SMS and your antivirus management server.

 

Steadystate4

Windows Disk Protection lets the user install any programs they want or download whatever they wish, and then discards those changes on restart so the disk comes back clean.  I can’t find a registry or policy equivalent for this, so it seems to be the one real benefit of SteadyState.

Steadystate5

The “Add a New User” screen only lets you create local users, which doesn’t really help you in a secure domain-based environment.   It will, however, honour the domain password policy that you may have pushed down to the machine via group policy.  If you do use this wizard to create accounts, be aware that user policies from the domain cannot be applied to them.

 

ss8

The first screen of User Settings is the “General” tab.   Here we get into some settings that are more unique to the SteadyState product.   While it can prevent the user from making permanent changes, the most interesting part is the log-off options.  The ability to set a maximum session time or an idle time is done by two helper applications that are installed with SteadyState.   “Always display the session countdown” lets the user see how much time they have left before the log-off procedure is invoked.   “Restart computer after log off” lets Windows Disk Protection kick in and reset the machine to a clean state.   While this is nice, the same result could be achieved with a log-off script.
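To show what “a script I control” looks like in place of the two SteadyState helper applications, here is an added example (not from the original post and not a SteadyState component) of a logon script that enforces a session cap and an idle timeout for the kiosk account. It assumes PowerShell 2.0 or later (for Add-Type), Windows XP Professional or later (for msg.exe), and the three timing values are placeholders you would set from your own policy.

```powershell
# Added example: self-controlled replacement for the SteadyState session and
# idle timers. Run it as the kiosk user's logon script. Assumptions: PowerShell
# 2.0+ (Add-Type), msg.exe present (XP Professional and later), and the
# thresholds below are arbitrary values chosen for illustration.

$SessionMaxMinutes = 30     # hard cap on one session
$IdleMinutes       = 5      # log off after this much inactivity
$WarnSeconds       = 30     # warning shown this long before the forced log-off

# GetLastInputInfo reports the tick count of the last keyboard or mouse event
# in this session; the idle timer is measured against it, so the script's own
# polling does not count as activity.
Add-Type @'
using System;
using System.Runtime.InteropServices;
public static class IdleProbe {
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
    [DllImport("user32.dll")] static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    public static uint IdleMilliseconds() {
        LASTINPUTINFO lii = new LASTINPUTINFO();
        lii.cbSize = (uint)Marshal.SizeOf(lii);
        GetLastInputInfo(ref lii);
        // unsigned subtraction wraps correctly when TickCount rolls over
        return (uint)Environment.TickCount - lii.dwTime;
    }
}
'@

function Get-LogoffReason([datetime]$Start, [uint32]$IdleMs) {
    # Pure decision function, so the thresholds can be checked without logging anyone off.
    if (((Get-Date) - $Start) -ge [timespan]::FromMinutes($SessionMaxMinutes)) { return 'session limit reached' }
    if ($IdleMs -ge ($IdleMinutes * 60000)) { return 'idle timeout' }
    return $null
}

$start = Get-Date
while ($true) {
    Start-Sleep -Seconds 5
    $reason = Get-LogoffReason $start ([IdleProbe]::IdleMilliseconds())
    if ($reason -eq $null) { continue }
    # msg.exe posts to the interactive session; /time makes the popup close itself.
    & "$env:SystemRoot\system32\msg.exe" '*' "/time:$WarnSeconds" "Logging off in $WarnSeconds seconds ($reason)."
    Start-Sleep -Seconds $WarnSeconds
    # Forced log-off (-f closes applications without prompting). If the machine is set to
    # restart on log-off, Windows Disk Protection or your own image reset takes over from here.
    & "$env:SystemRoot\system32\shutdown.exe" -l -f
    break
}
```

Because the script runs in the kiosk user's own session it must be protected like any other logon script: the kiosk account needs no write access to wherever it is stored, and the GPO that assigns it should also remove Task Manager, otherwise the user can simply end the process and keep the session open.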

 

ss9

The User Settings \ Windows Restrictions tab lets you hide drives, set default restriction levels and apply Start menu restrictions lifted straight out of group policy.  This is simple to replicate with a domain group policy.

 

ss10

Screen 2 of Windows Restrictions

 

ss11

Screen 3 of Windows Restrictions

 

ss12

Screen 4 of Windows Restrictions

ss13

Feature Restrictions are more policies taken straight out of the local security policy (the same ones you see in the domain Group Policy editor).

 

ss14

Screen 2 of Feature Restrictions

 

ss15

Screen 3 of Feature Restrictions

ss16

Screen 4 of Feature Restrictions

 

ss17

SteadyState lets you block certain programs, and locally installed antivirus can normally do the same, but that is a block list, and a block list is normally not what you want in a kiosk environment.  A better approach is a group policy that allows only the programs you specify to run and denies everything else (Software Restriction Policies with the default level set to Disallowed).  Under the SteadyState model, if someone ran a rogue application off a USB drive (if you’ve given them access) or simply renamed a blocked EXE that doesn’t need registry access, I doubt SteadyState could do anything to stop it.
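The difference between the two approaches is easiest to see by running the same rogue binary through both kinds of rule set. The following is an added example, not from the original post and not SteadyState or Windows code: a deliberately simplified model of how Software Restriction Policies decide whether a file may run (hash rules before path rules, longest path match, then the default level). The level constants are the ones SRP stores under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; the sample binary, paths and rule sets are constructed for the demonstration.

```powershell
# Added example: simplified model of Software Restriction Policies evaluation,
# used to show why a block list is beaten by a rename or a USB copy while a
# default-deny allow list is not. Real SRP also weighs certificate and zone
# rules; this model keeps only hash and path rules. All inputs are constructed.

$Unrestricted = 0x40000   # SRP level values as stored under
$Disallowed   = 0         # HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

function Get-Sha1Hex([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA1]::Create()
    ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-SaferRules($Policy, [string]$Path, [byte[]]$Content) {
    # Hash rules take precedence over path rules, as in real SRP.
    $hash = Get-Sha1Hex $Content
    foreach ($r in $Policy.Hashes) { if ($r.Hash -eq $hash) { return $r.Level } }
    # Among path rules the longest (most specific) matching prefix wins.
    $best = $null
    foreach ($r in $Policy.Paths) {
        if ($Path -like ($r.Path + '*')) {
            if ($best -eq $null -or $r.Path.Length -gt $best.Path.Length) { $best = $r }
        }
    }
    if ($best -ne $null) { return $best.Level }
    return $Policy.DefaultLevel
}

# Constructed sample: a tool the kiosk must never run, standing in for cmd.exe.
$BadTool = [System.Text.Encoding]::ASCII.GetBytes('MZ...pretend this is cmd.exe')
$BadHash = Get-Sha1Hex $BadTool

# Block-list policy: everything runs unless a rule names it by path.
$BlockList = @{
    DefaultLevel = $Unrestricted
    Paths  = @( @{ Path = 'C:\WINDOWS\system32\cmd.exe'; Level = $Disallowed } )
    Hashes = @()
}
# Allow-list policy: nothing runs unless it sits in a trusted location, plus a
# hash rule so this one binary is denied even from inside the trusted path.
$AllowList = @{
    DefaultLevel = $Disallowed
    Paths  = @( @{ Path = 'C:\WINDOWS\';       Level = $Unrestricted },
                @{ Path = 'C:\Program Files\'; Level = $Unrestricted } )
    Hashes = @( @{ Hash = $BadHash; Level = $Disallowed } )
}

$cases = @(
    @{ Desc = 'original path';          Path = 'C:\WINDOWS\system32\cmd.exe' },
    @{ Desc = 'renamed copy in %TEMP%'; Path = 'C:\Documents and Settings\kiosk\Local Settings\Temp\notepad.exe' },
    @{ Desc = 'copy on a USB stick';    Path = 'E:\tools\cmd.exe' }
)
$fmt = { param($l) if ($l -eq $Disallowed) { 'blocked' } else { 'RUNS' } }
foreach ($c in $cases) {
    $b = Test-SaferRules $BlockList $c.Path $BadTool
    $a = Test-SaferRules $AllowList $c.Path $BadTool
    "{0,-25} block list: {1,-8} allow list: {2}" -f $c.Desc, (& $fmt $b), (& $fmt $a)
}
# Block list: the renamed copy and the USB copy both run.
# Allow list: all three are blocked (the original path is caught by the hash rule).
```

The practical caveat is that an allow list is only as good as the write permissions on the trusted paths: if the kiosk user can write anywhere under C:\WINDOWS (the Temp folder is writable by default), they drop their own executable there and it is allowed. Add Disallowed path rules for every user-writable folder inside a trusted tree, or tighten the NTFS permissions, before relying on the default level.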

 

Steadystate7

Importing users is done via a normal Windows open/save dialogue box.   It loads files with the supported *.ssu extension.

 

Steadystate6

Exporting is done in a proprietary *.ssu file extension once again using the standard windows open / save dialogue box.

Can I recommend SteadyState?

For 90% of what it does I wouldn’t use SteadyState at all; I would rely on centrally controlled and maintained group policies within a domain environment.   What does shine is Windows Disk Protection and the helper utilities that handle log-off timers, though for the idle timeout I would more likely use a script I controlled, invoked when the screensaver kicks in.

I didn’t go through the group policies under the user restrictions since they are almost verbatim the list in Group Policy Management.  If you have any questions on a setting to restrict without using SteadyState, feel free to ask.   The biggest disadvantage of SteadyState is that it uses local accounts that can’t be managed remotely with ease.   Being at a company where everything is done to avoid using local accounts, I can say this is bad mojo.

I may use the drive protection and timeout applications; we’ll see when this project is truly finished.

Reference Links:

Windows SteadyState Worldwide page

Windows SteadyState Readme File

Windows SteadyState Technical FAQ

Windows SteadyState Handbook

The Desktop Files: Shared Computing with Windows SteadyState

The Kiosk Series:

The Kiosk Series – Part One – Choices For Your Environment

The Kiosk Series – Part Two – Management Considerations For Your Environment

14 thoughts on “The Kiosk Series – Part Three – Microsoft SteadyState vs Group Policies”

  1. Thanks so much for the work you’ve put into this series. I’m currently working on a similar project with a retail customer facing kiosk. This contrast between SteadyState (which I just ran across this afternoon) and GPO was just what I was looking for.

    This is probably a very simple question, but what methods are you looking at (or are you) to log in a restricted domain user account on startup?


  3. I still have to do 3 more parts on this series – might get another part done this weekend. That being said, at work we talked to MS on a conference call and we are partially implementing one of their solutions which is a mixture of GPO stuff, and steadystate (at least on the drawing board for right now).

    To automatically login in a user there is a registry entry that you can put in the user name and passwords and that will cache it for you and auto login. The problem with using steadystate with user accounts and auto login is that user accounts must be local and not domain accounts, and the session timer makes absolutely no sense with auto login.


  5. Have you or your team looked at the platforms offered by companies like Netkey? They offer content distribution and quite a comprehensive suite of security and deployment tools. We’ve been looking very hard at them for some time during our project but haven’t made up our minds yet as to whether to implement their software or not with our kiosks.


  7. I haven’t looked at Netkey’s solution. I will be looking them up now and seeing what they have to offer, thanks for the tip.


  9. I want to remove all traces of SteadyState regarding logon especially. Also my SystemRestore no longer functions. I removed every file with regedit. But it's still present. OS is XP Pro.

  10. To be honest – I haven't really attempted to actually remove steady state – on the machines I employ these on I would just do a system wipe. If I get a chance I'll attempt to go through and try it and see how it goes and what I find.

  11. As an aside Steady state offers a group policy template. Install SteadyState on the machine you use for group policies and you can import the template into group policy. It has many of the same options and doesn't require as much fiddling with obscure settings. (Registry Keys and such)


  13. Is it possible that parts 2 and 4 don’t work any more?
    And if so, could you see if you can get them back up again?
