Fog Creek Software
Discussion Board




disabling ctrl-alt-del?

Hey, Imagine you have a bookstore, and you want to make a PC available to the customers for searching and stuff.
You want to use a webpage, but lock it down so the users cant exit IE, which is in fullscreen mode. (The kind of fullscreen you can get with javascript where there is no browser widgets visible at all)

Remove the delete key? Use linux?

General advice on tamper-proofing a public machine also appreciated.

Eric Debois
Sunday, May 02, 2004

Look up zbdesk on sourceforge.net. It's part of the Zeiberbude project and is responsible for the locking of Win32 clients. The implementation is in C++.

Li-fan Chen
Sunday, May 02, 2004

You could remove the hard drive from the machine and custom roll your own Linux that will boot of a CD and connect to a web site, like Knoppix. That way if anything went wrong just reboot the machine.

Alternatively there is this "HDD Sheriff" product which apparently wipes and resets the machine back to its original state on reboot. I have never used it however:

http://www.kelvin.com/ts_hddsheriff.html

Matthew Lock
Sunday, May 02, 2004

"The kind of fullscreen you can get with javascript where there is no browser widgets visible at all"

Any reason not to use iexplore -k ?

Philo

Philo
Sunday, May 02, 2004


Hi, just a couple general suggestions if you use Windows 2000 or XP. 
Run Internet Explorer in kiosk mode (iexplore -k optional_url).
Create a user and use group policy editor (gpedit.msc in the run box) to further limit that user.  Definitely educate yourself on GPE;  It's a very powerful tool.

Al

Al C
Sunday, May 02, 2004

Whoops, forgot to answer the question:

if we're talking Windows XP Pro, Start, Run, gpedit.msc

There are a whole lotta options there you'll want to lock down. I'm not sure if you can *disable* Ctrl/Alt/Del, but you can turn off everything except "Shut Down" and "Cancel" and you can set a policy that prevents the logged-in user from having permission to shut down...

Philo

Philo
Sunday, May 02, 2004

OK, sounds good.
Thanks

Eric Debois
Sunday, May 02, 2004

I wouldn't normally ask this, but seeing that the point has come up, how to I get a shortcut to a web page to open the browser in kiosk mode?

Stephen Jones
Sunday, May 02, 2004

Make the shortcut run "iexplore -k <url>" instead of making the shortcut to the URL itself ..... (the icon may differ, though)

Ori Berger
Sunday, May 02, 2004

Thanks; actually the inverted commas have to go before the -k switch or it won't work.

That is to say "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -k D:\default.asp.html

and not "C:\Program Files\Internet Explorer\IEXPLORE.EXE -k D:\default.asp.html"

which isn't a valid target.

Now what I'm trying to find out is a way to close the page in kiosk mode on machines where control  + alt + delete is disabled (and no, Eric, I can't rememer offhand how I did it, but if you use the group policy snap on you'll find it there).

Incidentally, if you don't have a domain the group policy snap settings will apply to all users. The way to get round it is to use the snap on to configure what you want, but making sure you still keep run working, and then export the registry key it has created, and then undo the settings. Then later import the settings into the current user registry.

Stephen Jones
Sunday, May 02, 2004

If it's XP Pro, then enable remote desktop. Run "mstsc /console" and then connect to the console session of XP. Log in as the admin, as opposed to the kiosk user, which will cause the kiosk user's session to terminate forcefully.

Brad Wilson (dotnetguy.techieswithcats.com)
Sunday, May 02, 2004

Thanks but not practical. I have 45 computers and they are locked down so that the users can only access the apps on the desktop and the start menu only has shut down and log off, and all of the shortcut keys are disabled (I hope). The students have no access to the file menu or any of the drives except in one small application, where they can't do any damage.

What I want to do is add some exercises which can be saved as web pages, but not allow them to get anything from the IE Explorer menu bar. In other words a partial kiosk mode. However I do want them to be able to terminate the application so as to be able to get back to the desktop. I have no control over the controls on the web pages, which are created by the exercise authoring program. Any ideas?

Stephen Jones
Sunday, May 02, 2004

Could you open the websites inside a frame and have a javascript:close()-link in a small top/bottom-frame while opening the excerises in the fullsized frame, while running -k?

Marcus
Sunday, May 02, 2004

Check out Philo's suggestion. Investigate the various options of IE, it does have kiosk modes (fine tunable, although I forgot where the settings are documented) although it might not be what you need, but check it out anyway (you may need to turn of Javascript when in reality you need it for example). Netscape/Mozilla also have kiosk modes switches.

Li-fan Chen
Sunday, May 02, 2004

It's finding where fine tuning  the kiosk modes are documentable that is the problem.

The truth is that Microsoft security is like a Swiss cheese. You can run in kiosk mode but if there is a graphic on the page up pops the toolbar from the Windows fax viewer or whatever and you can then open the My Pictures Folder and go on from there.

So of course, if you've set kiosk mode up on 180 machines you then have to go back and find a way of disabling the fax viewer (not even sure it's possible) for the lot.

Stephen Jones
Sunday, May 02, 2004

Geez Stephen, you're new at this aren't you? 

Please don't confuse your lack of knowledge/experience for a system shortcoming.

I'm not sure there are any admins who'll bother replying here and, quite frankly, I couldn't be bothered educating you so I'll leave the solution to this non-problem for you to research (research which, BTW, should have been conducted before displaying your ignorance to the world)

Think before you post
Sunday, May 02, 2004

Dear think before you post,
                                            You are an 'arsehole aren't you? I've actually set up language labs three times in different locations, both with W98 and Win XP and have a pretty good idea about security on a peer-to-peer network.

                                            Before I posted to ask about limited kiosk mode I had just spent two to three hours reading all the documentation that came up on the MS site after a google search. That was also after reading through the W2000 resource kit, and standard Win help.

                                          As you can't be bothered to say anything, probably because it will expose your ignorance, we don't even know which problem you consider non-trivial.

Despite what Philo says, even following all the settings on Group Policy will not lock down a machine on a peer-to-peer network. This doesn't even bother to tell you that you can't prevent the users accessing help with F1, though you can spend hours making a list of every program on the computer for the setting that stops them running those programs; the problem is you don't want them accessing anything that is not on their desktop and they can easily do this through help.  In fact you can either disable the help service for all users of the hardware profile using the services snap-in. or disable the F1 key by writing a scan code key for the registry and finding out from the developer network what exactly the code is for the F1 key, since the Knowledge Base only gives you the setting to disable the win key.

Stephen Jones
Monday, May 03, 2004

The problem about clicking on the picture and fax viewer bar can be solved by disabling the image toolbar in Internet Explorer options, but the point is that if you are running in kiosk mode it doesn't occur to you you have to disable any toolbars because there shouldn't be any showing.

This one I have found about before deployment, but in my experience with MS security there is always something you find out about later, after you have set up all the machines, and then you have to go back and set the lot up again.

Sure you can plug all the holes in your Gruyere, but you'll find another one you hadn't seen. Group Policy Editor is at least better than poledit, which is possibly the worst designed piece of software ever, but you still get the impression MS isn't really trying. It simply doesn't give you the information in the right places. For example you can disable new task in task manager by disabling run on the start menu, but it doesn't tell you that when you are looking at the settings for disabling task manager, so you end up by disabling it, even though you don't need to.

I'm thinking of having a piece of javascript on the html page so they can close the window. This does mean however that someone has to intervene between the web page being generated automatically by the authoring program, and the file being deployed. As the people producing the files will be teachers with no knowledge of programming this means another intermediate stage for every file produced. So if Li-fan, or anybody else, does know of where partial kiosk modes are documented it would be useful. Could I set file associations so all html files are opened by a piece of javasript that would open IE with nomenubar?

Stephen Jones
Monday, May 03, 2004

"The truth is that Microsoft security is like a Swiss cheese. "

Ring a bell anyone, Myron, anyone?

Mike
Monday, May 03, 2004

Don't sweat it Stephen, think before you post sounds like he'd be more familiar with Unix anyway just from the amount of 'tude coming off him

Mike
Monday, May 03, 2004

Yea, it does look like embrace and extend is taking in the slashdotters.

Stephen Jones
Monday, May 03, 2004

"Now what I'm trying to find out is a way to close the page in kiosk mode on machines where control  + alt + delete is disabled"

If you have control of the bookmarks, you can try adding a "Close Window" shortcut which points to a file containing something like

<html>
<title>Close Window</title>
<SCRIPT  FOR=window EVENT=onload LANGUAGE="VBScript">
  window.close
</SCRIPT>
<body></body>
</html>

You may have to screw around with security zones to make it work right.

Motown (AU)
Monday, May 03, 2004

Thanks. It looks like I'll need to put a javascript button on the page. The pages will run javascript because they are fairly sophisticated programs generated by a testing software program.

Stephen Jones
Tuesday, May 04, 2004

I think Linux is the better fit here. It's really one of its stronger sides. Windows has some 'kiosk' (i.e. just the web browser, no escaping) features but it is prone to lots of web browser exploits. Even with a locked down system, Windows does require maintenance because some of the spyware/viruses still sticks.

Either try Knoppix as previously mentioned (which I think is perfect in terms of installation time -- 0 minutes, 0 seconds, after you've burned a freely available CD), or Google for 'linux kiosk'. There is a kiosk mode in KDE that is very powerful if you need more customization.

Jonas B.
Tuesday, May 04, 2004

Dear Jonas,
                  thanks, but Linux is not an option (though I probably will be installing SAMBA in each lab at some time). The reason is that there are other EFL learning applications which work on windows only. I'll probably write back to the developers of both authoring programs and ask them to put the java script control in on the program. They will probably appreciate the feedback.

Stephen Jones
Tuesday, May 04, 2004

I read of a 3rd-party tool: you tell it which executables are alllowed to run, and then it only allows those (permitted) executables to run. I suppose it works by being a file system filter driver. It also remembers a checksum of each permitted executable, so that a modified (e.g. virus-laden) copy of the executable won't load.

Christopher Wells
Tuesday, May 04, 2004

Thanks; the third party tool is at least an improvement on the version that came with poledit in Windows 98. You made a list of approved programs that could run and then tested it out to find out what programs those programs needed to run to work and added those to the list. Then, somebody renamed nastyvirus.exe as notepad.exe and Windows ran it with no problem.

Stephen Jones
Tuesday, May 04, 2004

If you're on a standalone machine (can't use group policy) and you want to program a "real" solution - that is, get into the nuts and bolts of windows, you can write a new MS GINA.

GINA controls the login, logoff, change password, and the ctl-alt-del sequence among other things.  There is a msgina.dll in the system32 directory.  Microsoft has lots of articles how to customize it.  Plus, there are some examples on the web and in MS's developer SDKs.  It's no easy task, and should only be done if the disabling is integral to your solution, but if you do, you'll have complete control over those processes.

You can also just modify that interface and add/remove buttons to it at will.  Then they might hit ctl-alt-del but can't do anything once they do that.

12 Month Lurker
Friday, May 07, 2004

vai toma no cuh

aeae
Wednesday, June 23, 2004

*  Recent Topics

*  Fog Creek Home