Securing public Windows PCs

Version: 19-June-2009

As I am going into my fourth year of traveling around the world, I've seen many different setups for shared Windows machines.

I'm using Internet Cafes and PCs in hostels for all my computer usage and the number of viruses and messed up machines I encounter is just amazing.

In Asia in 2005-2007 there were still some Windows 98s around but now in Latin America I only see XP and Vista machines, so I wont talk about Windows 9x, that's a whole different game.

There are a few different ways of how PCs are usually set up:

1. Bare bones OS, users run as administrator
2. As 1 but with some AntiVirus software installed
3. As 2 but users run as standard user
4. Some software like Deep Freeze is used. This creates a snapshot of an install and than reapplies that snapshot every time the machine boots. So all changes during a user sessions are discarded after a reboot. Microsoft's free SteadyState could be used as well, but I've never seen it in the wild.

In addition to the many many commercial shops run some sort of Cybercafe software that tracks the usage time of the customer and reports back to a central server so the customer can be charged when leaving. The software often adds some restrictions as well, like disallowing access to the registry, taskmanager or cmd.exe. Again many times the users still runs as administrator.

So option 4 doesn't sound too bad, doesn't it, lets explain why it isn't a good option. Take the Oasis hostel in Granada, Nicaragua. Deep Freeze 5 was installed about 15 months ago, every morning after booting up, a clean system was on the machine, problem was it was an unpatched system. Within an hour, Conficker came in from the network and other viruses joined in from USB sticks. For the rest of the day these suckers would do their work and would spread to other USB devices. Having AntiVirus software didn't help much because the virus definitions were totally out of date, as any updates would be overwritten every morning.

So none of these ways are perfect and some cost money. Lets try to solve the problem with builtin/free tools.

First, let's think about what a typical user wants to do on the computer:

• Surf the Internet
• Use Skype
• Use Office
• Copy photos from a camera to another USB device or upload them to the Internet.
• Burn files onto CD or DVD
• Download free music or podcasts and put it on a iPod or another player.
• View PDF documents
• Use Chat/Instant Messaging applications

So here's my proposed solution for a fairly secure public Windows machine:

Setup:

• Install XP or Vista
  Always use a fully licensed version, otherwise certain updates may not work.
• Apply all Microsoft updates and patches
  Use Internet Explorer and go to update.microsoft.com, I recommend also installing the latest version of the dot.net framework and Silverlight
• Turn off Fast User switching
  This just confuses uses and may lead to both admin and standard user logged on at the same time, something we don't want.
  Open the control panel and then the 'user accounts' section. Click on 'Change the way users log on or off', untick 'Use fast user switching'.
• Use a strong password for the administrator account
• Make sure the Windows Firewall is on
  In the control panel, click on 'Security Center'
• Make sure Windows Auto update is set to auto download and auto install.
  This makes sure updates are applied when running as standard user. In the control panel, click on 'Security Center' and check the settings for 'Automatic Updates'
• Install a free Anti Virus package like AVGFree and make sure it is set to update the virus definitions once a day.
• Make sure autorun is turned off
  See Microsoft site for detailes
• Install alternative keyboard layouts such as Spanish and Hebrew
  In control panel open the 'Date, time, language and regional options' section. Check the checkbox for 'Install files for complex script...'. This is required for Hebrew.
  The click on 'add other languages' and then on the 'Details' button. There you can add additional input languages. Also click on the 'Language bar' button and make sure the language bar is shown so the use can change the language.
• Install other Software
  • MS Office, or Open Office
    openoffice.org
  • Skype
    internet telephony: skype.com
  • Firefox
    web surfing: getfirefox.com
  • DeepBurner Free
    CD/DVD burning: deepburner.com
  • Foxit
    PDF viewing: foxitsoftware.com
  • IM Client
    chatting: choose a client that supports all common IM protocols???
  • Floola
    iPod management: floola.com This doesn't sync anything and also allows you to copy songs off the iPod.
  • Adobe Flash
    browser plugin: adobe.com
• DO NOT install:
  • Adobe Acrobat Reader
    too big and slow, many security problems
  • Nero
    too big and installs too many things you don't want
  • iTunes
    too big, also may delete people's music when trying to sync
  • Any browser plugins and toolbars,
    these are some times nice to have to not necessary.
• Make sure the installed software doesn't autostart but put an icon on the 'all users' desktop.
  Put a shortcut into C:\Documents and Settings\All Users\Desktop
• For Vista and Windows 7, turn off UAC.
  The user should not be able to access admin features and should not be prompted for an Admin password.  On the other hand, when using Internet Explorer UAC is valuable for security reasons.
• Create a new user account.
  Use the 'user accounts' section in control panel. Lets call it 'user'. For convenience reasons with an empty password.
• Set the autologin to the new user.
  See Microsoft site for detailes
• Make sure the user is only in the user's group not in the administrators group.
  This means the user only has write access to the user's own home directory (C:/documents and settings/username or C:/users/username) and can't change anything else in the system.
• If you have additional partitions, make sure the user doesn't have write permissions.
  !Explain how to do this!
• Create a html page that explains the usage of DeepBurner and Floola to users who are used to Nero and iTunes. Put the file on the All Users desktop.
  !A sample file should be created!
• Optional: Set read-only permissions to the HKCU-Run section in the registry and the Startup folder. This prevents most applications from auto-starting.
  !Explain how to do this!

The user can now do all the things he/she wants to do but can't screw up the system itself. New software and viruses may be installed but they can only affect the user's home directory.

You could now create an disk image of the system and use it for other computers. After using the image make sure to apply all updates.

Maintenance:

Over time the user's home directory is getting messed up with photos, documents and software. So once a week or so you should log on as the administrator and do some clean-up:

• Delete the user's profile, but not the user itself.
  This deletes everything the user added and brings the system back into a clean state.
  Do do this log off the standard user and log in as the administrator. In the start menu right click on 'My Computer' and choose properties. Under the 'Advanced' tab, click on the 'Settings' button in the 'User Profiles' section. There chose the User account and click 'delete'.
  You can also download a tool from Microsoft to delete the profile from the command line and create a batch file to do this.
• Windows, Office and your AntiVirus software should be up to date because of auto-update but you should check the third party software for new versions. Another reason to keep the number of these applications low.
• Log on as the standard user to create a new clean profile.
• Optional: Set read-only permissions again.