Picture from here

I originally wrote this for Journey to Get Paid published here.

It seems more and more of my past associates and friends are starting businesses, mostly ones dealing with a tech front. You have Shea who seems to be starting a a new business model for something every week. Most of his stuff deals with blogging or enviromental concerns such as wind energy. He works for himself and his latest venture deals with making t-shirts.

I have another friend who just left his current cozy job to do a security company with a partner. He’s planned this for months so it’s not a phantom leap in the dark. I am however very impressed – now if I could only find a partner to do a similar thing here in the midwest.

Finally a friend from Oregon contacted me to ask me questions on kiosks. It turns out he started an eco friendly baby item website. Of course I think there should be a blog attached to it, but he has his own online business which he said is going well. (btw use the coupon code BRENTSPAWN there to get 5% off).

I’m interested and ecstatic about new media. New media however for someone like me doesn’t pay the bills. Until I can figure out how to successfully monetize my activities I’ll have to keep my normal boring day job.

One of the programs that management wants us to look at for our kiosk implementation is Microsoft Steadystate, Microsoft‘s all in one wizard create a kiosk solution.

I’m not entirely convinced on the scenario that there is things in which you can do with this, that active directory is not more suited for.   So while we work through this document we’ll be exploring the options of SteadyState and comparing it to group policies that you can push down to a computer or user account from a central location.

This is the start page of Microsoft SteadyState from here there are 6 things you can do:

1. Set Computer Restrictions

2. Schedule Software Updates

3. Protect the Hard Disk

4. Add a New User

5. Export a User

6. Import a User

This is the “Set Computer Restrictions” page.  This page is broken down to different sections and show you how limiting the computer settings are in group polices that can be applied to this state.   While there are still further windows computer policies you can apply to the machine especially if you wish to conform to your company’s security plan, we’ll stick with Microsoft’s options for now.

Privacy Settings:

1. Do not display user names in the Log On to Windows dialog box

Group Policy equivalent:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Do Not Display last user name in login screen

2. Prevent locked or roaming profiles that cannot be found on the computer from logging on

Group Policy Equivalent:

Disable interactive logon for all accounts except the approved accounts for use with the kiosk machine

Registry Equivalent:

“Computer Configuration\User Settings\Administrative Templates\System\User Profiles\Log users off when roaming profile fails”

[HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\System\ProfileErrorAction]

3. Do not cache copies of locked or roaming profiles for users who have previously logged on to this computer -

Group Policy Equivalent:

Disable interactive logon for all accounts except the approved accounts for use with the kiosk machine

Registry Equivalent:

[HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\System\DeleteRoamingCache]

Security Settings:

1. Remove the Administrator user name from the Welcome Screen

Group Policy Equivalent:

The XP Welcome screen is automatically changed to the classic logon screen after a computer is joined to a domain – no policy change is needed unless this has been adjusted.

Registry equivalent:

[HKEY_LOCAL_MACHINE\SOFTWARE\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administrator]

2. Remove the Shut Down and Turn Off options from the Log On to Windows and the Welcome Screen

Group Policy Equivalent:

Policy:Disable Logoff on the Start Menu
Description:Removes the "Logoff" button from the Start menu and prevents
users from adding the Logoff button to the Start menu.
Registry Value:"StartMenuLogoff"

Policy:Disable and remove the Turn Off Computer button
Description:Removes the "Turn Off Computer" button from the Start Menu and
prevents shutting down Windows using the standard shutdown user interface.
Registry Value:"NoClose"

3. Do not allow Windows to compute and store passwords using LAN Manager Hash values

Group Policy Equivalent:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Do not store LAN Manager hash value on next password change

4. Do not store user names or passwords used to log on to Windows Live ID or the domain

Group Policy Equivalent:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network Authentication

By disabling interactive logins for all users accept the kiosk user account – this isn’t an issue

5. Prevent users from creating folders and files on the drive c:\

Security configured on the drive to give the kiosk only read access to information it needs should handle this.

6. Prevent users from opening Microsoft Office documents from within Internet Explorer

Registry Equivalents:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.5\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.8\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSProject.Project.8\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.6\BrowserFlags]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\BrowserFlags]

7. Prevent write access to USB storage devices

Registry Equivalent:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect]

Other Settings:

1. Turn off the Welcome Screen

Group Policy Equivalent:

The XP Welcome screen is automatically changed to the classic logon screen after a computer is joined to a domain – no policy change is needed unless this has been adjusted.

If you notice the Microsoft does have some understanding of using machines with this configuration applied to them in a Domain environment since they offer the not “In a Domain managed environment the Domain Group Policy supersedes any settings made here.”

This is the Schedule Software updates screen.  From you can configure the interval in which you update the Windows Operatings and auxillary programs.  For updating windows a SteadyState computer supports Microsoft Update, Windows update or WindowServer Update Services.

The supported security program updates are limited.  The only programs that have native support are Computer Associates eTrust 7.0, McAfee VirusScan, and TrendMicro 7.0.  You have the option of creating a custom script to handle any other program updates you may need.   In a domain environment this can easily be handled by central update servers such as SMS and AV servers.

Windows disk protection allows the user to install any programs they want or download whatever they wish, but the hard drive will just wipe out the data.  I can’t seem to find a registry or policy equivalent that allows this, so it seems that this is one main benefit of steady state.

The “Add a New User” screen only allows you to create local users which doesn’t really help you in a secure domain based environment.   It will however check you domain’s password policy’s that you may have pushed down to the machine via group policy.  If you do use this wizard to create accounts be aware that user policies from the domain can not be applied.

The first screen of User Settings is the “General” tab.   Here we get into some more unique settings to the SteadyState product.   While it has the function to prevent the user from making permanent changes the most interesting thing is the log off options,  The ability to add a greatest amount of use time or an idle time is done by the use of two helper applications that are installed with SteadyState.   Being able to always display the session countdown allows the user to see how much time they have left before the log off procedure is invoked.   Restart computer after log off allows the Windows Disk Protection to kick in and reset the machine back to a clean state.   While this is nice, the same option could be invoked by creating a log-off script.

The User Settings \ Windows Restrictions tab allows you to hide drives, set default restriction levels and takes the start menu restrictions straight out of the security policy.  This is simple to replicate with a domain group policy.

Screen 2 of Windows Restrictions

Screen 3 of Windows Restrictions

Screen 4 of Windows Restrictions

Feature restrictions are more policies that have been taken straight out of the local security policy (domain policy manager).

Screen 2 of Feature Restrictions

Screen 3 of Feature Restrictions

Screen 4 of Feature Restrictions

While SteadyState allows you to block certain programs, locally installed antivirus can normally do this.  Normally you wouldn’t want this in a kiosk environment.  A better scenario is using group policies to allow only the programs you specify to run.  Using the SteadyState scenario if someone ran a rogue application off their USB drive (if you’ve given them access) or renamed an EXE that was blocked that doesn’t need registry access, well I doubt that SteadyState could do anything to stop this.

Importing users is done via a normal windows save/open dialogue box.   It loads files done with a supported *.ssu extenstion.

Exporting is done in a proprietary *.ssu file extension once again using the standard windows open / save dialogue box.

Can I recommend SteadyState?

For 90% of what it does I wouldn’t use SteadyState at all but would personally rely on centrally controlled and maintained group policies within a domain environment.   What does shine though is the Windows Drive Protection and the helper utilities that handle logoff  timers – though with the idle time out I would more likely just use a script I controlled which could be invoked by the screensaver kicking in.

I didn’t go through the group policies under the user restrictions since it’s almost verbatim down the list under the policy management.  If you have any questions on a setting to restrict without using the SteadyState feel free to ask.   The biggest disadvantage to SteadyState is that it uses local accounts that can’t be managed remotely with ease.   Being at a company where everything is done to avoid using local accounts I can say this is bad mojo.

I may use the the drive protection and timeout applications, we’ll see when this project is truly finished.

Reference Links:

Windows SteadyState Worldwide page

Windows SteadyState Readme File

Windows SteadyState Technical FAQ

Windows SteadyState Handbook

The Desktop Files: Shared Computing with Windows SteadyState

The Kiosk Series:

The Kiosk Series – Part One – Choices For Your Environment

The Kiosk Series – Part Two – Management Considerations For Your Environment

Kiosk Options

When discussing kiosk system we need to discuss the scope, security issues, and functionality requirements that we must maintain to achieve a successful deployment.   There are many types of kiosk systems that we can implement within the Company network.   The solutions we are going to describe in this document are based on product literature that we have received after scope is finalized actual product testing will be done so we can verify that all the features work as described and will function within the deployed environment.

For the sake of categorization the following options were identified as possible for use within a kiosk environment.   This list is not meant to be all encompassing but rather a list of desired features that we feel can be accomplished from the products we are looking at.

·    Internal Websites – company Designated
·    External Websites – Completely open from a kiosk standpoint
·    SSL VPN – For access to the internal network
·    Citrix – for terminal server capabilities
·    Printing – locally attached print
·    Sound – for hearing active embedded media
·    USB Mounting – for USB memory sticks
·    Run Apps Locally (Read Only) – from either the memory stick or kiosk directly
·    Run Apps Locally (Read / Write) – from either the memory stick or kiosk directly
·    Write to USB Memory Stick – from kiosk
·    Access to User Documents
·    No Login – completely is designed to start being used without login
·    Boiler Plate Website – standard start page
·    Full application list
·    Internal – Authentication
·    External – No Authentication
·    Browser Plug-ins – for enhanced compatibility
·    Restricted To Certain Web Sites – Company Designated

Kiosk mode systems come in a variety of shapes, sizes, and functions.   To help narrow the design gap for our needs we have devised eight categories in which we can work around design structures for:

·    Full web only access kiosk on the company guest network
·    Limited web access on the company guest network with a locked down browser
·    Full web only access kiosk on the internal network
·    Limited web access on the internal network with a locked down browser
·    Limited seat with security controls on the company guest network
·    Limited seat with security controls on the internal network
·    Full seat with security controls on the company guest network
·    Full seat open use office solution – internal network
·    Full seat with security Controls open use office on the internal network

Each solution has its own benefits and concerns for deployment.  We will be going over these one by one to analyze and work with company to implement the correct and desired solution.  The analysis will include which functions identified above can be implemented, target placement, target users, benefits and disadvantages of each solutions, and possible security concerns.

Full web only access kiosk on the company guest network:

Description: This would be a fully open web kiosk with an address bar located at the top with the web browser being the only application available to the end user.  All functions must be done within the browser.

Possible targeted functions:

·    Internal Websites – via SSL VPN
·    External Websites –
·    SSL VPN
·    Citrix – via SSL VPN
·    Printing – locally attached print
·    Sound – for hearing active embedded media
·    Access to My Docs – Via SSL VPN
·    No Login – completely is designed to start being used without login
·    Boiler Plate Website – standard start page
·    External – No Authentication
·    Browser Plug-ins – for enhanced compatibility

Target placement:

·    Public areas where guests are most likely

Target users:

·    Visitors
·    Visiting Contractors
·    Local Contractors
·    Company Employees

Benefits:

·    Allows users access to information at placement points
·    User will not have access to the local computer beyond the web browser

Disadvantages:

·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks

Security concerns:

·    If a user leaves an authenticated session up there will be a time delay before the profile resets, risking possible exposure of private data or company data if the SSL VPN was used.
·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.

Limited web access on the company guest network with a locked down browser:

Description: This solution can be configured with or without an address bar allowing the option to restrict this to certain web sites.   Active X would be disabled.

Possible targeted functions:

·    External Websites
·    Printing
·    Sound
·    No Login
·    Boiler Plate Website External – No Authentication
·    Restricted To Certain Web Sites

Target placement:

·    Public areas where guests are most likely

Target users:

·    Visitors
·    Visiting Contractors
·    Local Contractors
·    Company Employees

Benefits:

·    Tighter Security Controls
·    Limited Risk Exposure
·    Option of controlling where the users can go via the browser

Disadvantages:

·    SSL VPN will not work if active-x controls are disabled
·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks
·    With no SSL-VPN – no access to internal company data

Security concerns:

·    If a user leaves an authenticated session up there will be a time delay before the profile resets, risking possible exposure of private data.

Full web only access kiosk on the internal network:

Description: While not recommended this is being offered as an option for choice.  It has the same features as the Full web only access kiosk on the company guest network, but would require user authentication due to the network access it has.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    Citrix
·    Printing
·    Sound
·    Access to My Docs
·    Boiler Plate Website
·    Internal
·    Browser Plug-ins

Target placement:

·    Public sites within company buildings that are not commonly visited by the large amounts of visitors at once.  This would be to limit the amount of time that authenticated data is available if a user walks away from the kiosk.
·    Would not be recommended at location that the general public has access to

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Company employees would be able to access their Webmail from anywhere these are placed
·    Company employees would be able to access a terminal server session from anywhere these are placed

Disadvantages:

·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks

Security concerns:

·    Possible information leakage due to open Webmail or terminal server session.
·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.

Limited web access on the internal network with a locked down browser:

Description: While not recommended this is being offered as an option for choice.  It has the same features as the limited access kiosk on the company guest network, but would require user authentication due to the network access it has.

Possible targeted functions:

·    External Websites
·    Printing
·    Sound
·    No Login
·    Boiler Plate Website External – No Authentication
·    Restricted To Certain Web Sites

Target placement:

·    Public sites within company buildings that are not commonly visited by the large amounts of visitors at once.  This would be to limit the amount of time that authenticated data is available if a user walks away from the kiosk.
·    Would not be recommended at location that the general public has access to

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Company employees would be able to access their Webmail from anywhere these are placed
·    Company employees would be able to access a terminal server session from anywhere these are placed
·    Tighter Security Controls
·    Limited Risk Exposure
·    Option of controlling where the users can go via the browser

Disadvantages:

·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks
·    Some sites won’t work due to Active-X being disabled

Security concerns:

·    Possible information leakage due to open Webmail or terminal server session.

Limited seat with security controls on the company guest network:

Description: This would be a scenario where we would have an open standard windows desktop for the user to access.  It would allow only certain applications to run but will give the user access to a portable memory stick for use.

Possible targeted functions:

·    Internal Websites – via SSL VPN
·    External Websites
·    SSL VPN
·    Citrix – via SSL VPN
·    Printing
·    Sound
·    Access to My Docs – Via SSL VPN
·    No Login
·    Boiler Plate Website
·    External
·    Browser Plug-ins
·    USB Mounting
·    Write to USB Memory Stick
·    No Login
·    Boiler Plate Website
·    Browser Plug-ins
·    Restricted To Certain Web Sites – company Designated

Target placement:

·    Public open use office space

Target users:

·    Visiting Contractors
·    Local Contractors
·    Company Employees

Benefits:

·    Allows users access to information at placement points
·    Access to certain designated applications
·    Controlled environment

Disadvantages:

·    Won’t be able to perform non designated application tasks

Security concerns:

·    Possible information leakage due to open Webmail or SSL VPN session.
·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.
·    Possible application vulnerabilities could compromise the unit

Limited seat with security controls on the internal network:

Description: Same as the limited seat on the company guest network but designed for internal GRC employees.   Smart card access would be recommended and roaming profiles blocked.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    Citrix
·    Printing
·    Sound
·    Access to My Docs
·    Boiler Plate Website
·    Browser Plug-ins
·    USB Mounting
·    Write to USB Memory Stick
·    Boiler Plate Website
·    Internal – Authentication
·    Browser Plug-ins
·    Restricted To Certain Web Sites – company Designated

Target placement:

·    Public open use office space

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Allows users access to information at placement points
·    Access to certain designated applications
·    Controlled environment

Disadvantages:

·    Won’t be able to perform non designated application tasks
·    Large threat to data being exposed

Security concerns:

·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.
·    Possible information leakage due to be on the open internal network
·    Large data exposure footprint
·    Possible application vulnerabilities could compromise the unit

Full seat with security controls on the company guest network:

Description: This option would give users to the same standard applications as their normal desktop.   The hard drive would not be written to for data storage.  Roaming profiles would be blocked.  These seat would also have full security controls applied to it.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    SSL VPN
·    Citrix
·    Printing
·    Sound
·    USB Mounting
·    Run Apps Locally (Read Only)
·    Run Apps Locally (Read / Write)
·    Write to USB Memory Stick
·    Access to My Docs
·    No Login – completely is designed to start being used without login
·    Boiler Plate Website
·    Full Application Suite
·    External – No Authentication
·    Browser Plug-ins
·    Restricted To Certain Web Sites – company Designated

Target placement:

·    Public open use office space

Target users:

·    Local Contractors
·    company Employees

Benefits:

·    Users are able to function as they would at their desks
·    Allows users access to information at placement points

Disadvantages:

·    No login requirements
·    Possible data exposure

Security concerns:

·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.
·    Possible information leakage due to open Webmail or SSL VPN session.

Full seat open use office solution on the internal network:

Description: Standard full seat for user to use on the internal network located at open access points for any user to access.  Security settinga would be applied and user profile data removed upon log out.   It is recommended to require smart card access to these units.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    Citrix
·    Printing
·    Sound
·    USB Mounting
·    Run Apps Locally (Read Only)
·    Run Apps Locally (Read / Write)
·    Write to USB Memory Stick
·    Access to My Docs
·    Boiler Plate Website
·    Full Application Suite
·    Internal Authentication
·    Browser Plug-ins

Target placement:

·    Public open use office space

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Users are able to function as they would at their desks
·    Allows users access to information at placement points

Disadvantages:

·    Requires smart card
·    No access to local profiles

Security concerns:

·    Possible information leakage due to open sessions.

Web Wandering Dump

via www.ripten.com Posted: 03 Jan 2008 02:11 AM CST

How to add sidebar(s) to a WordPress Theme | Blog Oh Blog Posted: 03 Jan 2008 02:07 AM CST How to add sidebar(s) to a WordPress Theme | Blog Oh Blog

“sidebar” Posted: 03 Jan 2008 02:05 AM CST “sidebar” - How To Create Your Own WordPress Theme – Jonathan Wold

via www.ukimagehost.com Posted: 03 Jan 2008 12:00 AM CST

via gonintendo.com Posted: 02 Jan 2008 11:46 PM CST

WordPress Demo [del.icio.us] Posted: 02 Jan 2008 08:23 PM CST

10 Awesome Things About Dungeons & Dragons [Digg] Posted: 02 Jan 2008 01:36 PM CST Sean Kelly has started playing the original Dungeons & Dragons again (pen & paper version) and he recently sent out his list of 10 Awesome Things About D&D:

Nintendo DS to Begin Full Game Downloads [Digg] Posted: 02 Jan 2008 09:17 AM CST We’ve long known the NIntendo DS to be a capable of downloading content like demos from kiosks, but “complete games” will soon be downloadable through the Wii, and then Wi-Fi transferable to the DS, according to Nintendo of America President Reggie Fils-Aime’s interview with the NYT.

Conspiracy Against Shareaza and Open Letter to the RIAA [Digg] Posted: 02 Jan 2008 08:42 AM CST La Societe Des Producteurs De Phonogrammes En France (SPPF), which represents recording labels in France, is suing three P2P software vendors, including Shareaza. The SPPF make many false claims against Shareaza in order to win in court. This is an open letter to them, setting the record straight.

How the Grinches Stole Net Neutrality [Digg] Posted: 02 Jan 2008 08:04 AM CST Until recently, net neutrality was a difficult issue to explain at a dinner party. It was even more of a struggle to get anybody worked up about it. Now, thanks to the major Internet service providers (ISPs) Comcast and Bell-Sympatico, the stakes are crystal clear and the acrid scent of a smoking gun hangs in the room.

What’s Next on the Web: a ReadWriteWeb Toolkit for 2008 [Digg] Posted: 02 Jan 2008 04:51 AM CST Some people say that the bubble’s going to take a downturn in the next year or two – that huge numbers of copycat startups are going to shut down, people are going to be out of work and Web 2.0 cheerleaders are going to eat their (our) words.

Malware Evolving Too Fast for Antivirus Apps [Digg] Posted: 01 Jan 2008 08:53 PM CST Bad guys use sophisticated testing to create malware that can evade even the best security programs.

Time Magazine’s 50 Best Websites 2007 [Digg] Posted: 01 Jan 2008 05:26 PM CST Our 2007 picks are the best examples of what’s new and exciting about the Web right now. Here we honor sites with exceptional style and smarts, sites that offer new and improved ways to access and share content, generate our own and otherwise enrich the online (and off-line) experience. What do you think of our choices?

Why Linux Distros Are More Secure Than Windows [Digg] Posted: 01 Jan 2008 01:55 PM CST Security in an OS refers to a process, not a product. This article discusses the features of Linux which makes a secure process possible when used by a knowledgeable user, namely better patch management, stronger defaults, modularity, better tools against zero day attacks, transparency and diversity of environment.

2008: Web 2.0 Companies I Couldn’t Live Without [Digg] Posted: 01 Jan 2008 01:06 PM CST This is a list of the products I tend to use daily. Some are for work, some are for fun, and some are useful for both. But I use most of them every day, or nearly every day, and I would not be as productive or happy without all of them.

How to Become a Gmail Jedi Master [Digg] Posted: 01 Jan 2008 08:00 AM CST Learn to master Gmail through the use of labels, filters, keyboard shortcuts, and vacation autoresponders. Sync Gmail with your wireless devices through the new IMAP support. “Gmail Master Become I”…

We have everything to fear from ID cards [Digg] Posted: 01 Jan 2008 05:53 AM CST “…Surveillance cameras and lost data will prove minuscule problems next to ID cards, which will obliterate the fundamental right to walk around in society as an unknown.”