Share and Share Alike
Microsoft's Shared Computer Toolkit can help ease the pain of configuring security for a shared computer.
- By Joern Wettern
Configuring security for a shared computer can create a lot of headaches. Fortunately, Microsoft provides the Shared Computer Toolkit, which simplifies this task. Read on to learn how you can use this set of tools to your advantage.
The Problem with Sharing
Most corporate computers are configured to make knowledge workers more productive, and each of these computers is typically configured for use by a single person. However, most organizations also have some computers that need to be shared by several users. Examples include kiosks in public areas or Internet access terminals for employees who don’t have a computer on their desks.
And if that sounds challenging, you should try administering computers in a school. Imagine being responsible for dozens, hundreds or more computers regularly used by young tykes who think a keyboard’s a toy, to aspiring teenage hackers who see your security measures as an opportunity to hone their skills.
The Toolkit is easy to configure and the price -- free -- can't be beat.
Securing public computers involves multiple steps. In addition to the usual virus protection and hardening procedures, IT managers must limit user activities and access on these PCs. Protecting user privacy becomes a priority as well. Systems must erase all trace of each user -- including confidential data such as cached passwords -- before the next person logs on. It can be a real challenge.
Windows 95 introduced System Policies to perform this work. Windows 2000 replaced these with Group Policy settings, and these have been an important tool for locking down access to public computers ever since.
But if you’ve ever tried to configure a shared computer using these policies, you learned quickly that finding all the required settings is a difficult task. What’s worse, many of these security measures can be bypassed by any user possessing sufficient knowledge to do so. Many administrators have thrown up their hands in desperation and asked why Microsoft couldn’t just give them everything needed to lock down a shared computer.
If you’re one of those admins, it’s time to rejoice, because the Shared Computer Toolkit is effective at locking down a computer running Windows XP. Read on to learn how to use this ingenious set of tools to your advantage.
Start by downloading the Toolkit and printing out the documentation. You can continue without reading the documentation, but you’ll want to review it before configuring the computer with anything but standard applications. While you’re at the download site, also get the User Hive Cleanup Tool. This is a service that ensures that logoff and shutdown actions complete, even when some pesky application or driver refuses to unload. Using this tool is crucial in an unattended environment where you need to ensure that logoffs work every time.
Once you’ve downloaded the Toolkit, install Windows XP SP2, all required updates
and the User Hive Cleanup Tool. (While you could install the Toolkit on a computer
already running Windows XP, a clean installation ensures that the computer only
holds the programs and data you want to be accessible for public use.) During
the setup, select NTFS as the file system for the Windows partition (using FAT
as the file system for your Windows partition is a bad idea in any case, and
would disable much of the functionality provided by the toolkit). Leave at least
10 percent of the hard disk unpartitioned, which saves you the trouble of later
having to use a third-party partitioning tool to create space that will save
non-persistent user data. Once you’ve installed the operating system, disable
unneeded services, install anti-virus software and perform any other hardening
steps that are standard in your organization. You should also install all programs
that need to be available to users, but if this is your first test run you can
immediately proceed to the installation of the Toolkit.
[Click on image for larger view.]
|Figure 1. The eight
simple rules for setting up the Shared Computer Toolkit.
8 Easy Steps
As soon as the installation is finished, you’ll see the Getting Started
window (shown in Figure 1), which takes you through the following eight steps.
You should start the configuration while logged on as an administrator:
- Step 1: Prepare the Disk for Windows Disk Protection. Windows Disk Protection erases any changes made to a system disk during usage. Instead of saving any changes made by users, they’re temporarily saved on a different partition and erased the next time the computer restarts. If you left enough unpartitioned space on your disk, the toolkit will create a new partition.
- Step 2: Select Computer Security Settings. This is where you choose some fairly common security settings, such as preventing Windows from caching credentials, and removing the Shut Down option from the Start menu. Unless you have some unusual requirements you should select all options. As part of this step, you can also let the Toolkit test whether the account password you’re logged on with meets some simple complexity requirements.
- Step 3: Create a Public Account for Shared Access. The account you create will be locked down in the following steps. At this point you only have to decide what to name the account.
- Step 4: Configure the Public User Profile. At this point you have to put on your non-admin hat. Log off and then log on as the public user you created in Step 3 to configure all operating system and application settings. This may be as simple as setting a wallpaper and choosing a printer, but it may also involve starting available applications to accept any license agreements that appear during the first use and configuring program preferences. When everything looks the way you want it to appear for the public user account, log off and then log on again with your administrative account.
- Step 5: Restrict and Lock the Public User Profile. Step 5 is where the fun really begins. The User Restrictions tool presents a long list of settings that restrict which Windows, Internet Explorer and Microsoft Office elements are available to public users, and which programs can be run by the user. The recommended restrictions for shared accounts are fairly comprehensive, but take a close look at each of the standard and optional restrictions to make sure you’re sufficiently locking down access without disabling a needed feature.
- Step 6: Test the Public User
Profile. The restrictions you set may disable needed functionality, so it’s a good idea to ensure that the public
user can still perform all needed tasks. Do the “log off as admin, log on as
regular user” dance and test all applications that need to work. While you’re at it, use all the hacking skills you have and try to do things the public user
isn’t allowed to. If you configured everything correctly, you should feel like you’re playing in a sandbox with
no exit. If you like what you see, log
off and then log on again with your administrative account.
- Step 7: Turn on Windows Disk Protection. In Step 1 you prepared the disk for Windows Disk Protection.
Now you’re ready to turn this feature on. Because Windows Disk Protection erases all changes to files and settings each time the computer restarts, it could also remove any Windows updates or virus signature downloads. To get around this you can configure Windows Disk Protection to store some settings permanently, and even schedule Windows and anti-virus software updates. Also, if you make changes like installing a new application, tell it to save these changes with the next restart, giving you control over what gets stored on disk and what gets automatically removed.
- Step 8: You’re Done! Learn More About The Toolkit. If you need to configure additional applications for use on that computer, or are looking for ways to keep the installation up-to-date, work through the documentation. It will teach you about other configuration options such as the length of a user session -- a great solution when you assign time slots for Internet surfing.
Know What It Can -- and Can’t -- Do
As always, the devil is in the details. Keep in mind that physical access to the computer can negate all security restrictions, so make sure that public users don’t have the ability to boot the computer into a different operating system from a CD-ROM or USB storage device. A bigger problem is that some applications give you access to parts of the computer’s disk that may bypass the restrictions you set using the Toolkit. Because of this, make sure that you thoroughly test any programs you install on the shared computer and make sure that they don’t give the public user a convenient back door.
Windows Disk Protection is a powerful tool for keeping your computer running and preserving user’s privacy. It erases
all traces of computer use between sessions, but it also prevents users from
saving work that needs to be preserved, such as school projects. If your users should be allowed to save some documents, you must set up a different location for these files. The Toolkit gives
you some flexibility for this, but it’s better suited for a public environment where no data needs to be saved.
The Toolkit solves many common problems in setting up a shared computer, it’s easy to configure and the price -- free -- can’t be beat. If you need to provide any type of public computer access, learn to use the Toolkit -- you’ll likely decide it’s exactly what you’ve been looking for.
More InformationYou can find Microsoft's portal for the Shared Computer Toolkit here.
Download the Toolkit.
To download the User Profile Hive Cleanup Service, go here.
You can also download the Shared Computer Toolkit documentation separately
About the Author
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.