We had a student information system based on VT-520s and a text mode browser running on Unix. Now we want to replace this with a more modern system since the web-based student information systems require a graphical browser. The browser has to be as maintenance-free as the terminals and as remote-manageable as the terminals.
Since we have to use MS Internet Explorer (because of Hebrew), we decided to build the public PC on Windows NT. We secured the computer and installed a restricted web browser (ResBrowser) that limits the user to browsing the intranet only. The computer boots directly into this browser and does not offer the usual Windows user interface, but runs the browser as a full-screen kiosk application. Remote management is done using the standard Windows NT remote management tools (remote regedit, remote command, Windows network). To ensure maximum protection we completely lock the computer via remote regedit. We also employ VNC for visual remote control.
In order to achieve a maximum protected environment on NT we followed the following installation path:
The NT 4 setup is rather simple. After installing NT on NTFS, the latest service pack, IE 5 and the latest Resource Kit, we use C2Setup from the Resource Kit to close many security holes (like boot and file system). Nevertheless we found out that IE 5 doesn't run well when it has only Read rights on the system directories, so we gave the public user the usual Change rights (that come with the NT installation). Network setup is TCP/IP only with the Windows Network. We disable the Computer Browser service to prevent the public computer from participating in existing Windows networks; it is sufficient to know the computer's IP address to access it from the network. I also had to increase the Registry Size after installing IE 5.
Since we did not want the public browser to be logged on as Administrator, we changed the Guest account into the public account (by renaming it and changing its settings). The public user does not belong to any group (except Everyone, which is built-in), has no password (important for the auto-login), no right to change the password and no timeouts (for password etc.). After creating the user in this manner we log on as public and set up the Internet Explorer and the screen saver (the WINEXIT.SCR screen saver described below, which logs out automatically). All further user setup can be done via regedt32 from another computer.
Since we use ResBrowser as shell we have to leave some backdoor open for the administrator. This backdoor is the Task Manager (%SYSTEM32%\TASKMGR.EXE). We change the file security permissions for TASKMGR.EXE so that the user administrator has Full Access to it, while the user public has No Access to it. Thus when the computer is running in normal kiosk user mode (logged in as public) the user has no access to run the Task Manager and Ctrl-Shift-ESC as well as choosing "Task Manager" from the "Windows NT Security" screen have no effect. When the administrator logs onto the computer, the Task Manager is available and through it the administrator can run all relevant programs (like EXPLORER.EXE or MUSRMGR.EXE).
I did not find a convenient way to completely disable Ctrl-Alt-Del. Nevertheless I think it's even beneficial to leave it, since through it a benevolent user can restart a stuck computer (don't forget, we talk Windows), while the potential for damage is more or less nil. The Change Password dialog pops up, but I disabled the right to change the password, so this is mostly cosmetics. Logging Off logs off, and then the computer automatically logs on again and returns to the opening screen of the public browser. Locking the Workstation is less pleasant, but everybody can unlock it by pressing the OK button since the public user has no password. The Task Manager cannot be run (see above), and the last option, Shutdown, is even welcome since somebody can restart the computer if necessary.
The boot is safe as far as NT and the BIOS are concerned. Of course we put a BIOS password and disabled boot from floppy. On the NT side we disabled the boot menu by setting the timeout to 0. Otherwise NT is already quite safe in terms of booting. From the Last Known Good menu users cannot do any harm.
One of the interesting parts of the NT Resource Kit is its WINEXIT.SCR screen saver. After a certain period of inactivity the current user is logged out automatically, after which the computer logs on automatically as the public user. In this way the computer returns to a fixed initial state after nobody has been using it for some time. This also solves the cases where a malicious user locked the Workstation and nobody thinks about the empty password (though usually people click on OK before actually reading the contents :-), or when IE got stuck or the browser crashed, etc.
We created a user (public), so that two users exist on the computer (Administrator and public). In normal operation mode the computer logs on automatically as public. To disable Explorer we change the Windows shell from explorer.exe to ResBrowser (see later under Registry). This completely disables Explorer and most of the Windows user interface, as well as shortcut keys like WinKey-M for "Minimize all Windows".
We have to use Internet Explorer due to its superior multi-language capabilities. We used a limited browser based on IE (ResBrow) that gives a very basic user interface and allows us to limit the sites accessible. With a registry patch we disabled the context menu (after enabling the language encoding Auto-Select feature), so that the user can only click on links to follow them. Since ResBrow is based on IE it makes use of IE's security settings. We set these settings in a very limiting and restricting way, disabling almost everything (especially downloads, password memory, caching and history) in the Internet and Intranet security zones. Even with these settings there remain security risks, especially if you cannot disable active content (scripting). If you need cookies, you have to leave them enabled.
We use several services and scheduled items that do not come with a vanilla installation of NT:
The following patch under HKEY_USERS\ disables the IE settings that cannot be disabled by the Internet Settings Control Panel:
Key Name: <public user id>\Software\Policies\Microsoft\Internet Explorer\Restrictions
Class Name: <NO CLASS>
Value 0
Name: NoBrowserClose
Type: REG_DWORD
Data: 0x1
Value 1
Name: NoBrowserContextMenu
Type: REG_DWORD
Data: 0x1
Value 2
Name: NoBrowserOptions
Type: REG_DWORD
Data: 0x1
Value 3
Name: NoBrowserSaveAs
Type: REG_DWORD
Data: 0x1
Value 4
Name: NoFavorites
Type: REG_DWORD
Data: 0x1
Value 5
Name: NoFileNew
Type: REG_DWORD
Data: 0x1
Value 6
Name: NoFileOpen
Type: REG_DWORD
Data: 0x1
Value 7
Name: NoFindFiles
Type: REG_DWORD
Data: 0x1
Value 8
Name: NoSelectDownloadDir
Type: REG_DWORD
Data: 0x1
Value 9
Name: NoTheaterMode
Type: REG_DWORD
Data: 0x1
This patch under HKEY_LOCAL_MACHINE sets the Auto Logon and the shell:
Key Name: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Class Name: <NO CLASS>
Value 0
Name: AutoAdminLogon
Type: REG_SZ
Data: 0
Value 1
Name: DefaultPassword
Type: REG_SZ
Data:
Value 2
Name: DefaultUserName
Type: REG_SZ
Data: public
Value 3
Name: DontDisplayLastUserName
Type: REG_SZ
Data: 0
Value 4
Name: Shell
Type: REG_SZ
Data: C:\Public\resbrow.exe /noclose /x ftp: /x telnet: /x file: /x gopher: /i huji /forcemax /fet "You are allowed to browse in the Hebrew University only !" /button "Mail|Press here to read eMail" http://www.our.email.server http://students.start.page
Value 5
Name: ShutdownWithoutLogon
Type: REG_SZ
Data: 0
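The two registry dumps above are the whole kiosk policy, so it pays to check a freshly exported dump against them before trusting a machine. The following Python script is an added example, not code from the original write-up or from ResBrowser: it parses the REGEDT32-style "Key Name / Value N / Name / Type / Data" text layout used above and audits both the IE Restrictions key and the Winlogon key. The function names and the constructed sample dump are assumptions of this example, as is the user SID in the key path. One caveat worth encoding: Winlogon performs the automatic logon only when AutoAdminLogon is the string "1", and a dump that shows 0 together with a rewritten DefaultUserName is what the reset described in the next paragraph looks like.

```python
# Added example (not code from the original write-up): parse the REGEDT32-style
# text dump format shown above and audit it against the kiosk policy the page
# describes. Function names and the constructed dump below are assumptions.

# Constructed dump in the page's "Key Name / Value N / Name / Type / Data" layout.
# The Winlogon block deliberately shows the reset state the text describes:
# NT has turned AutoAdminLogon off and rewritten DefaultUserName.
SAMPLE_DUMP = """\
Key Name: S-1-5-21-0-0-0-501\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions
Class Name: <NO CLASS>
Value 0
Name: NoBrowserClose
Type: REG_DWORD
Data: 0x1
Value 1
Name: NoBrowserContextMenu
Type: REG_DWORD
Data: 0x0
Key Name: SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
Class Name: <NO CLASS>
Value 0
Name: AutoAdminLogon
Type: REG_SZ
Data: 0
Value 1
Name: DefaultPassword
Type: REG_SZ
Data:
Value 2
Name: DefaultUserName
Type: REG_SZ
Data: Administrator
Value 3
Name: Shell
Type: REG_SZ
Data: C:\\Public\\resbrow.exe /noclose /forcemax http://students.start.page
"""

# The ten IE restrictions the page sets to 0x1 under the public user's hive.
IE_RESTRICTIONS = (
    "NoBrowserClose", "NoBrowserContextMenu", "NoBrowserOptions", "NoBrowserSaveAs",
    "NoFavorites", "NoFileNew", "NoFileOpen", "NoFindFiles",
    "NoSelectDownloadDir", "NoTheaterMode",
)


def parse_dump(text):
    """Return {key_name: {value_name: (type, data)}} from a dump in the page's format."""
    keys, current, name, typ = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            current = line.split(":", 1)[1].strip()
            keys[current] = {}
        elif line.startswith("Name:"):  # "Class Name:" does not match this branch
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            typ = line.split(":", 1)[1].strip()
        elif line.startswith("Data:") and current is not None and name is not None:
            keys[current][name] = (typ, line.split(":", 1)[1].strip())  # "" for empty Data
            name, typ = None, None
    return keys


def _dword_set(entry):
    return entry is not None and entry[0] == "REG_DWORD" and int(entry[1], 16) == 1


def _find_key(keys, suffix):
    return next((v for k, v in keys.items() if k.lower().endswith(suffix)), {})


def audit(keys, kiosk_user="public"):
    """Return a list of findings; an empty list means the dump matches the kiosk policy."""
    findings = []
    restr = _find_key(keys, r"\internet explorer\restrictions")
    for r in IE_RESTRICTIONS:
        if not _dword_set(restr.get(r)):
            findings.append(f"IE restriction {r} is not REG_DWORD 0x1")

    winlogon = _find_key(keys, r"\winlogon")

    def sz(n):
        return winlogon[n][1] if n in winlogon and winlogon[n][0] == "REG_SZ" else None

    if sz("AutoAdminLogon") != "1":
        findings.append("AutoAdminLogon is not 1: the kiosk will stop at the logon prompt")
    if (sz("DefaultUserName") or "").lower() != kiosk_user:
        findings.append(f"DefaultUserName is {sz('DefaultUserName')!r}, expected {kiosk_user!r}")
    if sz("DefaultPassword"):
        findings.append("DefaultPassword is non-empty: it is stored in clear text in the registry")
    shell = (sz("Shell") or "").lower()
    if "resbrow" not in shell or "explorer.exe" in shell:
        findings.append(f"Shell is {shell!r}: not the restricted browser")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print("FINDING:", finding)
```

Run it against the constructed dump and it reports the eight missing and one cleared IE restrictions plus the two Winlogon deviations; feed it a dump exported from a correctly locked machine and it returns an empty list. The empty-DefaultPassword check is there because the public account has no password by design; any non-empty value would sit in clear text in the Winlogon key.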
The main problem I noticed with the auto-login feature is that the system sets the user name to the last logged-in user and disables the auto-login. I solved that problem by setting the permissions on the Winlogon subkey to Read Only for everybody (including Administrator!). I use this mechanism to lock the public PC via remote regedit so that nobody can log on as anything else except public, which is already severely limited.