Creating the Ultimate Windows XP Kiosk Machine

Recently, I was presented with an opportunity to create a locked down, autologin PC running Windows XP. I had also read about the Shared Computer Toolkit for Windows XP on a recent Technet article. The Shared Computer Toolkit for Windows XP allows you easily lock down a machine through a GUI interface. No longer do you have to do ugly registry hacks! In my case, all the computer had to do was run an AS/400 client. These users had a AS/400 login, but not a network login. Best practices dictate the “the principle of least privilege”. Haha, this is going to be fun!

During the installation of the toolkit, you are prompted to download the user profile hive cleanup utility. Go ahead and do so. After installing UPHClean, re-run the toolkit setup. You are presented with several options. Let’s pick “User Restrictions”. This will lock down a specific user’s profile. That means you have to have created a user account and logged in as that account at least once (so the profile gets created). Let’s take a look at some of the options:

User Restrictions Screenshot

There is a copious amount of features at our disposal. You can lock it down so far that the only thing the user will have is the option to run a program that you specify! There are, however, a few words of caution. Under the software restrictions section there is an option “Only allow software in Program Files and Windows folders to run”. If you are installing a program outside Program Files, be sure to NOT enable this feature. Also, under additional Start Menu restrictions, there is an option “Prevent programs from the All Users folder from appearing on the Start Menu”. That exactly where I put icons for all users of the machine, so I left that disabled.

Let’s create a kiosk Windows XP machine where I want allow users to surf the Internet and be able to do nothing else. Further assume that I have proxy server which blocks out pornographic sites. I’m going to turn off themes by stopping and disabling the themes service. Now I will login as the user I want to restrict and switch the start menu back to classic mode. I’ll also change the background to a plain blue color. I’ll rip everything off the start menu and place an Internet Explorer icon on the desktop. Make sure that the user just has read/execute rights to the icon so they cannot modify or delete the icon. To make cleaning up the start menu easier, open up C:documents and settings and keep deleting the items you don’t want from the user’s profile directory AND the All Users directory. After doing this, here is the result:

There are two folders you cannot delete because Windows XP says they are protected: Administrative Tools and Startup. That is OK though: the toolkit can disable them for the profile. The toolkit will also let us get rid of the Recycle Bin and everything else on the Start Menu. Lets lock this bad boy down and see the result:

Hahaha! Well hacker boy, where do you want to go today? Certainly no where on this locked down PC! When you hit CTRL-ALT-DEL, you are presented with this message:

Where art thou hacker boy? If we go back to the toolkit you’ll notice another option: lock profile. What exactly does this do? It makes the profile a mandatory profile by renaming NTUSER.DAT TO NTUSER.MAN. Basically, any changes made to the profile will be flushed when the computer reboots. As if the user could make any changes to the profile to begin with! Let’s lock the profile and continue on to the autologin potion. The toolkit does not come with any type of auto-login capability, but we don’t need it to. There is a slick utility made by Tommy Mikkelsen called Autolog which will do exactly that. Before running it, go into the User Accounts icon in the Contol Panel and turn off the “Welcome Screen”.

This utility was made for computers running Novell, but don’t worry: if you are not running Novell that is OK.

Erase the domain/workstation information. Enter in the name and password of the account you are using. Under mode, pick “Autologin to workstation, do not use E-dir”. Edirectory is Novell Netware’s Directory Services. Click Enable Autologin. Logout and watch the magic! Using this method is a lot better then registry hacks, because it seems the autologin portion does NOT break when you use the shift-logoff method. When you want to login to the workstation as an administrator, you hold down the left shift key and then hit logoff. It will then give you the login screen to login as yourself. After you are done and logout, the script resumes. How cool is that?

There is another feature of the toolkit: disk protection. It allows you to create a hidden partition which rolls back any changes made during the login session. Unforunately, when I tried it at work on a Compaq Deskpro 733 MHz, it would cause the computer to freeze up when I logged in as the restricted user. Logging in as an administrator worked fine though.

– Soli Deo Gloria

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.