Kiosk Computers 1

[Brycspain]

First post!!! I'm pretty weak on AD/GPO 2003 and my boss asked me to use a GPO to set up a series of Kiosk computers where prospective employee's can sit down and apply for jobs on our website. These systems will have to be networked and will be setup in various branch offices. Ive researched using kiosk mode however, I would feel more comfortable locking down the PC in the following areas:

-Use only mininal services (shut down ones that arent needed)
-Limit key combos like (Ctr Shft Esc)
-Need one user account logged on all the time
-Freeze the computer so super users can't bypass the security.

Any suggestions. Actually, if someone could talk to me like a i'm an 8 year old and explain it that would be better =)

Thanks

 

[porkchopexpress]

Take a look at this thread there are a couple of links in there that will be of interest, one is to the MS shared computer toolkit which is for locking down PC's without using Group polices (it's pretty straight forward). There is another link to E Exchange where someone has listed loads of group policies to lockdown a public PC it's quite extensive.

thread931-1201096

 

[porkchopexpress]

Also take a look at the Group Policy Settings Reference

http://www.microsoft.com/downloads/...2F-DA15-438D-8E48-45915CD2BC14&displaylang=en

 

[Brycspain]

Thanks Porkchop,

I reviewed all the threads concerning this issue and I received a lot of information already. I guess there are so many ways you can go with this, its a little confusing where to start.

 

[porkchopexpress]

I know what you mean but it really is best if you setup a test OU and try it, the danger is that i list hundreds of policy options which will take ages and most will not be relevant to you.
Also if you don't gain a good understanding of what you are setting then you will find it very difficult to troubleshoot problems in future.

If you find any policies that you don't understand or are unsure what affect they will have then post here and i will try to explain them.

 

[porkchopexpress]

Here is an example of a policy i setup in the past and it's pretty cut down it's worth investigating these but as i say not all will apply to your environment. The top part is related to a redirected desktop it's upto you if you want to use something like that.

User Configuration (Enabled)
Windows Settings
Folder Redirection
My Documents
Setting: Basic (Redirect everyone's folder to the same location)
Path: \\server\users$\support\%username%
Options
Grant user exclusive rights to My Documents Enabled
Move the contents of My Documents to the new location Disabled
Policy Removal Behavior Leave contents

Start Menu
Setting: Advanced (Specify locations for various user groups)
Group Path
DOMAIN\Restricted Users \\server\restrictedpro$\Start Menu

Options
Grant user exclusive rights to Start Menu Disabled
Move the contents of Start Menu to the new location Disabled
Policy Removal Behavior Leave contents

Administrative Templates
Desktop
Policy Setting
Hide Internet Explorer icon on desktop Enabled
Hide My Network Places icon on desktop Enabled
Remove My Documents icon on the desktop Disabled
Remove Properties from the My Computer context menu Enabled
Remove Properties from the My Documents context menu Disabled

Network/Offline Files
Policy Setting
Prevent use of Offline Files folder Enabled
Prohibit user configuration of Offline Files Enabled
Prevents users from changing any cache configuration settings.

Policy Setting
Remove 'Make Available Offline' Enabled
Synchronize all offline files before logging off Disabled
Synchronize all offline files when logging on Disabled

Start Menu and Taskbar
Policy Setting
Add Logoff to the Start Menu Enabled
Do not keep history of recently opened documents Enabled
Lock the Taskbar Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Remove access to the context menus for the taskbar Enabled
Remove common program groups from Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove My Network Places icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove programs on Settings menu Enabled
Remove Run menu from Start Menu Enabled
Remove Search menu from Start Menu Enabled

System
Policy Setting
Prevent access to registry editing tools Enabled
Disable regedit from running silently? No

Policy Setting
Prevent access to the command prompt Enabled
Disable the command prompt script processing also? No


Windows Components/Windows Explorer
Policy Setting
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict C drive only

Policy Setting
Prevent access to drives from My Computer Enabled
Pick one of the following combinations Restrict C drive only

 

[Brycspain]

Great info! What about services on the PC? Is there a list of bare-bone services you must run? Also, are there many services that are not needed that microsoft turns on when you load XP?

 

[porkchopexpress]

If you run SP2 you will find some of these dissabled but here is a list of services that can be turned off, don't go crazy in a domain environment as some are more are needed than with a standalone but most in this link will be ok.

http://www.windowsnetworking.com/kb...servicestoimproveworkstationsperformance.html

 

[Brycspain]

Porkchopexpress,

Want to come mentor me for a month? =) Thanks so much for the great information. I really appreciate it!

 

[porkchopexpress]

No probs.