How can I secure a public PC?

  • Thread starter Thread starter null
  • Start date Start date
N

null

I have to install a PC in a public space for use by the public. The user
will be in a location where he/she will be under observation at all
times. I would like to restrict it to only IE and Word, and printing. No
saving of documents or anything to the hard drive other than temporary
internet cache files. It will be running Windows XP Professional.

The PC will be strapped to the desk by a locked cable, which will also
hinder access to the inside of the case. I will password protect the
BIOS and Administrator accounts (the Administrator account will be
renamed) with strong passwords. I will physically disconnect the CD and
floppy drives' ribbon cables, as well as disabling them and the USB,
LPT, and COM ports in the BIOS if possible.

The PC will be behind a firewall with spyware and antivirus protection.
Auto-update will be enabled. The PC will not be a member of the domain,
although I'm willing to consider adding it to the domain if there are
sufficient security reasons to do so. I plan to disable the Run option.

The user will login with (at a maximum) a limited account. I would like
to know what I can do to limit this account even further so it can only
access the applications mentioned above.

I would also like to disable any unnecessary services, as well as try to
keep IE from visiting inappropriate sites (such as porn).

I know this may not be totally possible to lock it down that much, but I
would like to know just how far I can go and what I can do. Oh, by the
way, any software to be installed to facilitate this must be freeware.

Does anyone have any good ideas? Has anyone done this before?
 
Microsoft Shared Computer Toolkit for Windows XP
http://www.microsoft.com/downloads/...56-e3da-42ea-857d-92b716077a84&displaylang=en

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

-------------------------------------------------------------------------------------------

:

| I have to install a PC in a public space for use by the public. The user
| will be in a location where he/she will be under observation at all
| times. I would like to restrict it to only IE and Word, and printing. No
| saving of documents or anything to the hard drive other than temporary
| internet cache files. It will be running Windows XP Professional.
|
| The PC will be strapped to the desk by a locked cable, which will also
| hinder access to the inside of the case. I will password protect the
| BIOS and Administrator accounts (the Administrator account will be
| renamed) with strong passwords. I will physically disconnect the CD and
| floppy drives' ribbon cables, as well as disabling them and the USB,
| LPT, and COM ports in the BIOS if possible.
|
| The PC will be behind a firewall with spyware and antivirus protection.
| Auto-update will be enabled. The PC will not be a member of the domain,
| although I'm willing to consider adding it to the domain if there are
| sufficient security reasons to do so. I plan to disable the Run option.
|
| The user will login with (at a maximum) a limited account. I would like
| to know what I can do to limit this account even further so it can only
| access the applications mentioned above.
|
| I would also like to disable any unnecessary services, as well as try to
| keep IE from visiting inappropriate sites (such as porn).
|
| I know this may not be totally possible to lock it down that much, but I
| would like to know just how far I can go and what I can do. Oh, by the
| way, any software to be installed to facilitate this must be freeware.
|
| Does anyone have any good ideas? Has anyone done this before?
 
null said:
I have to install a PC in a public space for use by the public. The user
will be in a location where he/she will be under observation at all times.
I would like to restrict it to only IE and Word, and printing. No saving of
documents or anything to the hard drive other than temporary internet cache
files. It will be running Windows XP Professional.

The PC will be strapped to the desk by a locked cable, which will also
hinder access to the inside of the case. I will password protect the BIOS
and Administrator accounts (the Administrator account will be renamed)
with strong passwords. I will physically disconnect the CD and floppy
drives' ribbon cables, as well as disabling them and the USB, LPT, and COM
ports in the BIOS if possible.

The PC will be behind a firewall with spyware and antivirus protection.
Auto-update will be enabled. The PC will not be a member of the domain,
although I'm willing to consider adding it to the domain if there are
sufficient security reasons to do so. I plan to disable the Run option.

The user will login with (at a maximum) a limited account. I would like to
know what I can do to limit this account even further so it can only
access the applications mentioned above.

I would also like to disable any unnecessary services, as well as try to
keep IE from visiting inappropriate sites (such as porn).

I know this may not be totally possible to lock it down that much, but I
would like to know just how far I can go and what I can do. Oh, by the
way, any software to be installed to facilitate this must be freeware.

Does anyone have any good ideas? Has anyone done this before?
Click to expand...

If you join the computer to the domain and use loopback processing with
group policy you can lock down the computer with quite fine grained
security. It can be a lot of work getting it working but once it is working
it is quite flexible. If you go this route be sure to document it well. It
can be quite complicated to come back to it a year later to make a change if
you have poor documentation. It may be simpler to use a program and/or
hardware to do this.

http://www.faronics.com/index.asp

http://www.fortres.com/

http://support.microsoft.com/?id=231287

Kerry
 
Back
Top