David Szpunar: Owner, Servant 42 and Servant Voice

David's Church Information Technology

July 31st, 2007 at 7:30 am

Windows SteadyState Lockdown and the Youth Internet Café

This is a long one (about 1800 words), so I’m giving you a table of contents, and breaking it up so it’s not all on the front page (the first post where I’ve done so, and I’ve had some other long ones!).

Overview

Our new youth facility now has a four-computer internet café. I’ve already written twice about my plans and research leading up to implementation, specifically about computer lockdown software. A couple of weeks ago, I mentioned briefly that we had changed course and decided to use Microsoft Windows SteadyState as our lockdown software of choice, mainly due to the price (free!).

We (Dutch volunteer Jeroen and I) were physically installing the computers/monitors/etc. in the youth lobby area when I thought, “hey, Microsoft just released some updated lockdown software, let’s try it out.” We hadn’t yet purchased the Fortres Grand software, although I had it approved. So I downloaded SteadyState, installed it, and messed around for a few minutes. It was so easy, even my mom could do it! Well, okay, I’ve been teaching her computers for a while and I might still have to walk her through this one over the phone, but I have no doubt she’d make it work :-) The installation went smoothly, the lockdown options (we wanted pretty much the tightest lockdown possible) were easy to select, and the hard disk protection (which discards changes on reboot) was easy to enable and control from within the main SteadyState console. I haven’t had experience with Microsoft’s old Shared Computer Toolkit, but from what I understand it was more difficult to combine all the options together into one functional system, and they appear to have fixed all of this in SteadyState.

Lockdown Features

In the SteadyState console, there are three items under Global Computer Settings: Set Computer Restrictions, Schedule Software Updates, and Protect the Hard Disk. The Set Computer Restrictions option lets you change things such as whether to display the last username in the logon screen, prevent users from writing to USB drives, turn the Welcome Screen on and off, and other miscellaneous things that affect the whole computer, not just particular user(s). I turned most of these on. I’m not writing this with access to the computers I set up, so I’m going from memory on this (and everything else) but if you have any questions about specifics please leave a comment!

You can create or import users/profiles that SteadyState can then manage with a selection of lockdown options going from low to high security, but at each level it just selects a more restricted subset of the detailed options and lets you customize away. This is similar to the functionality of the Fortres 101 software. All we tested was the highest security possible, locking down almost everything and only allowing the Mozilla Firefox executable to run. However, we did have to allow command prompt access to get the Firefox auto-restart trick below to work, although with the GUI and keyboard shortcuts this locked down, no one should be able to access the command line except through the batch file the Firefox shortcut links to for this trick to work.

Testing the lockdown settings to find the right mix can be a bit tricky because you must save the settings, log out, log in as the limited user, test, log out, and log back on to the administrative account again. It’s tedious, but once you have what you want, you can duplicate the settings more easily on other systems. The Export/Import Profile function works, but it imports a default user profile with the lockdown settings. Be careful with this, because it means you must wait until after you import a user into SteadyState from an exported profile before logging in and doing any customization to their desktop (display options, Start Menu positioning, etc.) as any customization you’ve done will be deleted if you import a user over top of your existing user! Found this out the hard way — once :-)

Firefox Does Its Own Privacy Work

Firefox has some great options for “Clearing Private Data” such as cache, cookies, history, saved passwords, authenticated sessions, etc., which for most Firefox users is either a manual option or something it prompts you to do when you close Firefox. Because of the multi-user environment, we instead set the options, available through the Firefox Tools->Options panel, to automatically clear private data when the browser was closed, with no prompting. That way someone logged into Gmail, Hotmail, Facebook, or let’s face it, MySpace (one site I still refuse to sign up for :-) will be logged out when Firefox closes, safe for the next person to use. Let’s face it, these are teenagers we’re talking about here — do you think they’re going to remember to log off? Not likely in the vast majority of cases.

I found a batch file with some Google searching (I’ll have to re-locate it and post an update if anyone is interested) that, when run via a command line or a shortcut and passed the path to a .exe file, runs the file but monitors it and if the process ends, it restarts it automatically. So Firefox is in the Startup folder in the Start Menu, but run with this batch script. When someone closes Firefox, it clears their data, is automatically restarted, and goes back to the youth homepage automatically, ready for the next user!

But what if people don’t close the browser? We set up a Scheduled Task to kill the firefox.exe process after 5 minutes of the computer being idle. Same effect as the user closing the browser, and it automatically reopens still. This is a touch buggy, as occasionally Firefox will instead of reopening once, reopen window after window after window after window…and of course the computer is so locked down you can’t kill the process manually. It requires a logout or restart to fix. This is still on my “to track down” list, but it’s the last little piece of the puzzle, and generally it works fine. I’m sure it’s an issue with either the batch file, the scheduled task, or both interacting somehow.
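
A sketch of the restart wrapper and the idle-kill task described in the last two paragraphs, as an added example; it is not the batch file or the scheduled task actually used on these machines. The file name, task name and Firefox path are made up, and it assumes the restricted profile is allowed to run tasklist.exe, find.exe and ping.exe. It waits until no old instance of the program remains before relaunching, which is a guard against rapid repeat launches rather than a diagnosed fix for the window-after-window behaviour.

```batch
@echo off
rem keep-running.cmd (hypothetical name): added example, not the script from the post.
rem Usage:  keep-running.cmd "C:\Program Files\Mozilla Firefox\firefox.exe"
rem
rem One-time setup from an administrator account (task name is made up).
rem Runs as SYSTEM so it can end the limited user's browser after 5 idle minutes:
rem   schtasks /create /tn "KioskIdleReset" /sc onidle /i 5 /ru SYSTEM /tr "taskkill /f /im firefox.exe"

setlocal
if "%~1"=="" (
    echo Usage: %~nx0 "path\to\program.exe"
    exit /b 1
)
if not exist "%~1" (
    echo Not found: %~1
    exit /b 1
)
set "TARGET=%~1"
set "IMAGE=%~nx1"

:waitgone
rem Never start a second copy: wait until any old instance has fully exited.
tasklist /fi "IMAGENAME eq %IMAGE%" 2>nul | find /i "%IMAGE%" >nul
if not errorlevel 1 (
    ping -n 2 127.0.0.1 >nul
    goto waitgone
)

rem start /wait blocks here until the program closes or is killed.
start "" /wait "%TARGET%"

rem Short pause (ping is the XP-era sleep) so a crash-on-start cannot spin.
ping -n 3 127.0.0.1 >nul
goto waitgone
```

Because the shortcut in the Startup folder points at this wrapper, the restricted user never needs an interactive command prompt; only the wrapper and the three helper programs have to be permitted.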

Thematic Full Screen

The theme we chose for Firefox is called NASA Night Launch. It’s a beautiful theme, which shows an awesome shuttle launch shot as the blank background before a tab finishes rendering, and has equally nice toolbar backgrounds and a custom throbber (the top-right icon that moves while a page is loading, if you didn’t know). The grays and blacks in this theme look wonderful with our current homepage, www.infusionstudents.com, as well as the black LCD monitors mounted to the wall (pictures to follow later). A new version of this theme was released on July 22nd, after we set up the computers, so I will consider upgrading the theme at some point soon.

To make the slickest looking interface possible, we applied the R-Kiosk extension to Firefox to force it into fullscreen mode when it starts, getting rid of the title bar and any non-themed borders. We did apply the change to user.js that provides the navigation menu, so the address bar and back/forward buttons still work. It looks really good with this extension combined with the theme!

While looking to see what the theme and extension we used are called, I just ran into an extension called Auto Reset Browser that for some reason I’ve never seen before. It looks like it might be a more elegant solution to my earlier problem, but I don’t know if it will help keep Firefox open if someone manually closes it. I will have to investigate further as time allows.

Disk Protection

SteadyState’s disk protection option, which you must enable separately from the policy lockdown settings, basically makes the hard drive immutable for most purposes. Do anything, reboot, and you’re back where you started last time. Fortres Grand’s Clean Slate product has similar functionality. Microsoft has made what I hear are improvements (compared to the Shared Computer Toolkit) in this functionality in that you enable and disable this option from the SteadyState control console just like all the policy options. Give it some time to make a cache file for the temporary disk changes, reboot, and the disk is protected.

The nicest thing is, if you’re an Administrator running SteadyState, and you log in, install a new program, and reboot — oops, if the disk protection was on you’d lose all your changes! You can unlock the disk for a time in the console, however. But the best option Microsoft added was a modification to the Log Off screen, prompting you that disk protection is on and giving you the option to discard all changes — or, keep the changes, restarting to merge the cache onto the hard drive automatically. That’s a no-brainer option that will continue to save my behind as I update these systems in the future I’m sure, long past initial setup! I’ve already used it for a few tweaks here and there.

No Manual Needed

SteadyState scores high marks for ease of use; I’ve still not read the manual and only referenced the help file (which opens automatically with the console) a few times. (Well, I did use the manual to refresh my memory while writing this post, but only because I don’t have access to the real systems at the moment. And this is the first time I’ve even opened it.)

Physical Installation

I don’t currently have any pictures of the computers handy, so I will leave photos and a description of the mounting process (which comprised more than 50% of the entire operation) to a future post.

Yet Another Alternate Option

In very related news, I did receive a reply, although a bit late for me and not really a fit anyway at this point (due to the cost), from when I emailed and asked the guys at the Casting From The Server Room podcast for a reminder of what software they had run across as a Deep Freeze competitor. They mentioned it (CompuGuard CornerStone) in an old episode which I couldn’t remember, and their “show notes wiki” had been lost without a backup. Thanks for the response, guys! Always good to check out alternative options and at least keep abreast of what’s available in the future. They replied to my question back in March on the air, but I missed three episodes in an otherwise unbroken string of probably 30-40 of their episodes I’ve listened to without skipping (wouldn’t you know it was in one of those!), and when I grabbed the back-episode to check out I heard my name again (they’ve mentioned my comments twice in more recent shows since — and inspired the new last name pronunciation guide in my About David page)!

  • 1

    Good info David – I just started looking at SteadyState for the same purpose here at CLC, and this info will come in handy.
    I heard your name mentioned as I was listening to Casting From the Server Room yesterday in the gym. I thought “I know that guy!” Pretty cool!

    Brett Anderson on July 31st, 2007
  • 2

    David, just last night I was reading about SteadyState. In my “daytime” job I am responsible for PCs for a regional real estate broker. We provide many “shared” or “public” PCs. We have used either 1) nothing, 2) limited users, 3) Deep Freeze, or 4) Drive Vaccine. We have not settled on one approach. I will try SS this week, Thanks.

    John De Souza on July 31st, 2007
  • 3

    Thanks Brett and John, glad my post was helpful! Took me long enough to write the thing…and I still need to do the part about the physical install! But I figured it was about time for another technical post. Maybe I’ll try to keep the next one under 1000 words though…I had to find a plugin to auto-create the table of contents just for this thing :-)

    Let me know if you run into any issues with SS, or if you have success as well; I’m sure my machines will need to be tweaked after teens beat them up!

    Oh yeah, and don’t forget to set a BIOS password and prevent booting from CD-ROM or floppy in addition to SteadyState, or someone could use a live Linux distro or do any number of bad things to your locked down systems.

    David Szpunar on July 31st, 2007
  • 4

    What a great post! I think you’ve convinced me to deploy SS at work. Thanks for the info!

    Matt Singley on July 31st, 2007
  • 5

    Thanks, Matt! Glad I could help! Getting a good response from people is a pretty good motivator to put effort into detailed articles in the future. I appreciate you as well as Brett and John above taking the time to comment. You even get a little Google Juice for your own blog since I’m a DoFollower :-)

    David Szpunar on July 31st, 2007
  • 6

    David
    I have started a similar project also using SteadyState. What did you use to “kill the firefox.exe process after 5 minutes of the computer being idle”?

    Paul Marc on August 15th, 2007
  • 7

    […] ran into a small issue with the SteadyState/Firefox setup that was a relatively easy fix: Firefox tried to update itself and the theme when new versions came […]

  • 8

    I’m running XP Pro on a domain (let me know what other specifications you need). I installed SteadyState on numerous machines. 10 machines, worked fine. 10 other machines, when I turned Disk Protection “On” and the program installed disk protection everything seemed fine. To complete the installation of disk protection it restarts after clicking OK.

    Here’s where I’m getting the problem. It gets to the Windows XP screen and the bar under the windows icon that cycles from left to right never freezes, but I left one machine for a half an hour and it didn’t boot up. I ended up pulling the plug, and going home for the night. I couldn’t figure out why it was doing that.

    Please let me know what I can do to get SteadyState installed on those machines.

    George on August 16th, 2007
  • 9

    George,

    I am sorry you’re having such difficulties, but the four machines on which I installed SteadyState were not joined to a domain, they were standalone Windows XP Pro SP2 installations. I have not had the difficulties you describe. I did end up with a computer that wouldn’t boot originally, but it appears that that was a hard drive problem as running SpinRite and reinstalling Windows worked and I haven’t seen the problem since. (These were off-lease refurb computers so I’m not horrified by one of four having a minor issue, especially one so easily corrected.)

    Perhaps you could try Safe Mode and see if it’s possible to disable the Disk Protection so you may try other options without reinstalling Windows?

    Sorry I don’t have more helpful information, but if you do solve your problem you’re welcome to post it here so others can benefit from your solution.

    David Szpunar on August 18th, 2007
  • 10

    […] been promising pictures of the Youth Internet Cafe running Firefox and Microsoft SteadyState but first I forgot, then I […]

  • 11

    Hello kind Sir:
    I am still trying to figure out the screen saver function, and how to get it to run the screensaver I choose and not the default XP screensaver.
    I have read many posts on it and seems like you had no problem with it. Might I get some help from you on that issue? I know that problem is to be addressed by MicroS, but as yet have found no updates for this issue.
    Nice looking setup you have by the way.
    Keep that smile and good info going :)..

    Edward Wells on February 5th, 2008
  • 12

    Hello everyone, I’m operating a small internet cafe with 12 PCs. I’m using Deep Freeze to protect my configuration. I’m quite satisfied with Deep Freeze, but we have online games that receive frequent updates or patches and I have to thaw the system one by one to get these updates. Can anyone tell me a solution to this? Do you guys know a similar product that will enable me to protect or selectively choose which folders I’d like to be open for changes? Thanks

    XTN on November 30th, 2008