Securing public Windows PCs

19 June 2009

Version: 19-June-2009

As I am going into my fourth year of traveling around the world, I've seen many different setups for shared Windows machines.

I'm using Internet Cafes and PCs in hostels for all my computer usage and the number of viruses and messed up machines I encounter is just amazing.

In Asia in 2005-2007 there were still some Windows 98s around but now in Latin America I only see XP and Vista machines, so I wont talk about Windows 9x, that's a whole different game.

There are a few different ways of how PCs are usually set up:

  1. Bare bones OS, users run as administrator
  2. As 1 but with some AntiVirus software installed
  3. As 2 but users run as standard user
  4. Some software like Deep Freeze is used. This creates a snapshot of an install and than reapplies that snapshot every time the machine boots. So all changes during a user sessions are discarded after a reboot. Microsoft's free SteadyState could be used as well, but I've never seen it in the wild.

In addition to the many many commercial shops run some sort of Cybercafe software that tracks the usage time of the customer and reports back to a central server so the customer can be charged when leaving. The software often adds some restrictions as well, like disallowing access to the registry, taskmanager or cmd.exe. Again many times the users still runs as administrator.

So option 4 doesn't sound too bad, doesn't it, lets explain why it isn't a good option. Take the Oasis hostel in Granada, Nicaragua. Deep Freeze 5 was installed about 15 months ago, every morning after booting up, a clean system was on the machine, problem was it was an unpatched system. Within an hour, Conficker came in from the network and other viruses joined in from USB sticks. For the rest of the day these suckers would do their work and would spread to other USB devices. Having AntiVirus software didn't help much because the virus definitions were totally out of date, as any updates would be overwritten every morning.

So none of these ways are perfect and some cost money. Lets try to solve the problem with builtin/free tools.

First, let's think about what a typical user wants to do on the computer:

So here's my proposed solution for a fairly secure public Windows machine:


The user can now do all the things he/she wants to do but can't screw up the system itself. New software and viruses may be installed but they can only affect the user's home directory.

You could now create an disk image of the system and use it for other computers. After using the image make sure to apply all updates.


Over time the user's home directory is getting messed up with photos, documents and software. So once a week or so you should log on as the administrator and do some clean-up:

Pages in this section


ASP.Net | Community | Development | IIS | IT Pro | Security | SQL (Server) | Tools | Web | Work on the road | Windows