David Szpunar: Lead Engineer, PC Help Services

David's Church Information Technology

July 31st, 2007 at 7:30 am

Windows SteadyState Lockdown and the Youth Internet Café

This is a long one (about 1800 words), so I’m giving you a table of contents, and breaking it up so it’s not all on the front page (the first post where I’ve done so, and I’ve had some other long ones!).

Overview

Our new youth facility now has a four-computer internet café. I’ve already written twice about my plans and research leading up to implementation, specifically about computer lockdown software. A couple of weeks ago, I mentioned briefly that we had changed course and decided to use Microsoft Windows SteadyState as our lockdown software of choice, mainly due to the price (free!).

We (Dutch volunteer Jeroen and I) were physically installing the computers/monitors/etc. in the youth lobby area when I thought, “hey, Microsoft just released some updated lockdown software, let’s try it out.” We hadn’t yet purchased the Fortres Grand software, although I had it approved. So I downloaded SteadyState, installed it, and messed around for a few minutes. It was so easy, even my mom could do it! Well, okay, I’ve been teaching her computers for a while and I might still have to walk her through this one over the phone, but I have no doubt she’d make it work :-) The installation went smoothly, the lockdown options (we wanted pretty much the tightest lockdown possible) were easy to select, and the hard disk protection (which discards changes on reboot) was easy to enable and control from within the main SteadyState console. I haven’t had experience with Microsoft’s old Shared Computer Toolkit, but from what I understand it was more difficult to combine all the options together into one functional system, and they appear to have fixed all of this in SteadyState.

Lockdown Features

In the SteadyState console, there are three items under Global Computer Settings: Set Computer Restrictions, Schedule Software Updates, and Protect the Hard Disk. The Set Computer Restrictions option lets you change things such as whether to display the last username in the logon screen, prevent users from writing to USB drives, turn the Welcome Screen on and off, and other miscellaneous things that affect the whole computer, not just particular user(s). I turned most of these on. I’m not writing this with access to the computers I set up, so I’m going from memory on this (and everything else) but if you have any questions about specifics please leave a comment!

You can create or import users/profiles that SteadyState can then manage with a selection of lockdown options going from low to high security, but at each level it just selects a more restricted subset of the detailed options and lets you customize away. This is similar to the functionality of the Fortres 101 software. All we tested was the highest security possible, locking down almost everything and only allowing the Mozilla Firefox executable to run. However, we did have to allow command prompt access to get the Firefox auto-restart trick (described below) to work. With the GUI and keyboard shortcuts this locked down, though, no one should be able to reach the command line except through the batch file the Firefox shortcut links to, which is the only thing that needs it for the trick to work.

Testing the lockdown settings to find the right mix can be a bit tricky because you must save the settings, log out, log in as the limited user, test, log out, and log back on to the administrative account again. It’s tedious, but once you have what you want, you can duplicate the settings more easily on other systems. The Export/Import Profile function works, but it imports a default user profile with the lockdown settings. Be careful with this, because it means you must wait until after you import a user into SteadyState from an exported profile before logging in and doing any customization to their desktop (display options, Start Menu positioning, etc.) as any customization you’ve done will be deleted if you import a user over top of your existing user! Found this out the hard way — once :-)

Firefox Does Its Own Privacy Work

Firefox has some great options for “Clearing Private Data” such as cache, cookies, history, saved passwords, authenticated sessions, etc., which for most Firefox users is either a manual option or something it prompts you to do when you close Firefox. Because of the multi-user environment, we instead set the options, available through the Firefox Tools->Options panel, to automatically clear private data when the browser is closed, with no prompting. That way someone logged into Gmail, Hotmail, Facebook, or, let’s face it, MySpace (one site I still refuse to sign up for :-) will be logged out when Firefox closes, safe for the next person to use. Let’s face it, these are teenagers we’re talking about here — do you think they’re going to remember to log off? Not likely in the vast majority of cases.

I found a batch file with some Google searching (I’ll have to re-locate it and post an update if anyone is interested) that, when run via a command line or a shortcut and passed the path to a .exe file, runs the file but monitors it and if the process ends, it restarts it automatically. So Firefox is in the Startup folder in the Start Menu, but run with this batch script. When someone closes Firefox, it clears their data, is automatically restarted, and goes back to the youth homepage automatically, ready for the next user!

But what if people don’t close the browser? We set up a Scheduled Task to kill the firefox.exe process after 5 minutes of the computer being idle. Same effect as the user closing the browser, and it still reopens automatically. This is a touch buggy, as occasionally, instead of reopening once, Firefox will reopen window after window after window after window…and of course the computer is so locked down you can’t kill the process manually. It requires a logout or restart to fix. This is still on my “to track down” list, but it’s the last little piece of the puzzle, and generally it works fine. I’m sure it’s an issue with either the batch file, the scheduled task, or both interacting somehow.
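Here is an added example, not the batch file from the post and not anything shipped with SteadyState or Firefox, of a kiosk launcher that puts the two pieces above together: it writes the “clear private data on exit” preferences into the Firefox profile’s user.js (the same settings the Tools->Options panel sets, so they survive anything a user changes in the GUI), then runs the relaunch loop. The Firefox install path, the profile folder name and the http:// scheme on the homepage are assumptions to adjust; the pref names are the Firefox 2-era ones; tasklist and find are assumed available (Windows XP Professional). The loop checks for an existing firefox.exe before relaunching, because a second Firefox launched while one is still alive hands off to the existing one and exits immediately, which would turn a naive start/goto loop into a rapid relauncher. Whether that is the actual cause of the window-after-window symptom on these machines is not something the post establishes.

```batch
@echo off
rem Added example (not the script from the post): a kiosk launcher that
rem (1) makes sure the Firefox profile wipes private data silently on exit
rem and (2) keeps Firefox running, relaunching it whenever it exits or is
rem killed by the idle scheduled task. Assumes Windows XP Professional
rem (tasklist/find), Firefox 2-era pref names, and the paths below.
setlocal

rem --- assumptions: adjust for the real install and profile folder ---------
set "FIREFOX=C:\Program Files\Mozilla Firefox\firefox.exe"
set "PROFILE=%APPDATA%\Mozilla\Firefox\Profiles\kiosk.default"
set "HOMEPAGE=http://www.infusionstudents.com/"
set "USERJS=%PROFILE%\user.js"

rem --- 1. privacy prefs: written once, then left alone --------------------
rem Firefox re-applies user.js on every start, so these override whatever a
rem user manages to change in Tools->Options during a session.
if exist "%USERJS%" goto watchdog
echo // kiosk: wipe private data on every shutdown, without prompting>> "%USERJS%"
echo user_pref("privacy.sanitize.sanitizeOnShutdown", true);>> "%USERJS%"
echo user_pref("privacy.sanitize.promptOnSanitize", false);>> "%USERJS%"
echo user_pref("privacy.item.cache", true);>> "%USERJS%"
echo user_pref("privacy.item.cookies", true);>> "%USERJS%"
echo user_pref("privacy.item.history", true);>> "%USERJS%"
echo user_pref("privacy.item.formdata", true);>> "%USERJS%"
echo user_pref("privacy.item.downloads", true);>> "%USERJS%"
echo user_pref("privacy.item.passwords", true);>> "%USERJS%"
echo user_pref("privacy.item.sessions", true);>> "%USERJS%"
echo // a forced kill by the idle task must not bring up the session-restore prompt>> "%USERJS%"
echo user_pref("browser.sessionstore.resume_from_crash", false);>> "%USERJS%"
echo user_pref("browser.startup.homepage", "%HOMEPAGE%");>> "%USERJS%"

rem --- 2. watchdog ---------------------------------------------------------
:watchdog
rem Only launch when no firefox.exe exists. A second copy started while one
rem is still alive hands off to it and exits at once, so launching blindly
rem would spin this loop and pile up windows.
tasklist /fi "imagename eq firefox.exe" | find /i "firefox.exe" >nul
if errorlevel 1 (
    rem No Firefox running: start it on the youth homepage and wait for exit.
    start "" /wait "%FIREFOX%" "%HOMEPAGE%"
) else (
    rem firefox.exe still present (shutting down, or started elsewhere): wait
    rem about two seconds before checking again. ping is the XP-era sleep.
    ping -n 3 127.0.0.1 >nul
)
goto watchdog
```

Point the Startup-folder shortcut at this .bat instead of at firefox.exe. The idle task from the post then only needs to run `taskkill /f /im firefox.exe`; the command-line equivalent of the GUI task, assuming XP’s schtasks, would be `schtasks /create /tn "Kiosk idle reset" /tr "taskkill /f /im firefox.exe" /sc onidle /i 5`. Two design points: the script hardcodes the Firefox path rather than taking it from a shortcut argument, so the one batch file the allowed command prompt is permitted to run cannot be repointed at another executable; and with disk protection on, user.js should be written while the disk is unlocked so it persists, although the `if exist` guard means the script will simply recreate it on each boot if it was discarded.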

Thematic Full Screen

The theme we chose for Firefox is called NASA Night Launch. It’s a beautiful theme, which shows an awesome shuttle launch shot as the blank background before a tab finishes rendering, and has equally nice toolbar backgrounds and a custom throbber (the top-right icon that moves while a page is loading, if you didn’t know). The grays and blacks in this theme look wonderful with our current homepage, www.infusionstudents.com, as well as the black LCD monitors mounted to the wall (pictures to follow later). A new version of this theme was released on July 22nd, after we set up the computers, so I will consider upgrading the theme at some point soon.

To make the slickest looking interface possible, we applied the R-Kiosk extension to Firefox to force it into fullscreen mode when it starts, getting rid of the title bar and any non-themed borders. We did apply the change to user.js that provides the navigation menu, so the address bar and back/forward buttons still function. It looks really good with this extension combined with the theme!

While looking to see what the theme and extension we used are called, I just ran into an extension called Auto Reset Browser that for some reason I’ve never seen before. It looks like it might be a more elegant solution to my earlier problem, but I don’t know if it will help keep Firefox open if someone manually closes it. I will have to investigate further as time allows.

Disk Protection

SteadyState’s disk protection option, which you must enable separately from the policy lockdown settings, basically makes the hard drive immutable for most purposes. Do anything, reboot, and you’re back where you started last time. Fortres Grand’s Clean Slate product has similar functionality. Microsoft has made what I hear are improvements (compared to the Shared Computer Toolkit) in this functionality in that you enable and disable this option from the SteadyState control console just like all the policy options. Give it some time to make a cache file for the temporary disk changes, reboot, and the disk is protected.

The nicest thing is, if you’re an Administrator running SteadyState, and you log in, install a new program, and reboot — oops, if the disk protection was on you’d lose all your changes! You can unlock the disk for a time in the console, however. But the best option Microsoft added was a modification to the Log Off screen, prompting you that disk protection is on and giving you the option to discard all changes — or, keep the changes, restarting to merge the cache onto the hard drive automatically. That’s a no-brainer option that will continue to save my behind as I update these systems in the future I’m sure, long past initial setup! I’ve already used it for a few tweaks here and there.

No Manual Needed

SteadyState scores high marks for ease of use; I’ve still not read the manual and only referenced the help file (which opens automatically with the console) a few times. (Well, I did use the manual to refresh my memory while writing this post, but only because I don’t have access to the real systems at the moment. And this is the first time I’ve even opened it.)

Physical Installation

I don’t currently have any pictures of the computers handy, so I will leave photos and a description of the mounting process (which comprised more than 50% of the entire operation) to a future post.

Yet Another Alternate Option

In very related news, I did receive a reply, although a bit late for me and not really a fit anyway at this point (due to the cost), from when I emailed and asked the guys at the Casting From The Server Room podcast for a reminder of what software they had run across as a Deep Freeze competitor. They mentioned it (CompuGuard CornerStone) in an old episode which I couldn’t remember, and their “show notes wiki” had been lost without a backup. Thanks for the response, guys! Always good to check out alternative options and at least keep abreast of what’s available in the future. They replied to my question back in March on the air, but I missed three episodes in an otherwise unbroken string of probably 30-40 of their episodes I’ve listened to without skipping (wouldn’t you know it was in one of those!), and when I grabbed the back-episode to check out I heard my name again (they’ve mentioned my comments twice in more recent shows since — and inspired the new last name pronunciation guide in my About David page)!