    2 x PC's In a Public Place


    20 replies to this topic

    #1 Canned Heat

    Canned Heat

      HSS Member

    • Members
    • 38 posts
    • LocationYarrawonga, Australia

    Posted 20 May 2012 - 07:45 PM

    Hi Guys,
    Installing 2 PC's into a public place for internet access.
    Was going with 2x Intel i3 / Windows 7 based builds.
    The issue I have is there are some office PC's running on the same network and
    I don't want these to be seen.
    I really need to lock these units up tight.
    The PC's are for IE only.
    A new area for me, any help would be great.
    Can Windows disable all functions except for IE?
    Should I look at an embedded system?
    3rd party software?
    Don't know where to start.
    If you know of any good sites / links, that would be great.
    Thanks
    :wacko:
    • 0

    #2 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 12,312 posts

    Posted 20 May 2012 - 08:01 PM

    To make it so the 2 PC's can't see other computers on the same network, make sure they are using a different IP subnet. For example, if the office computers are using 192.168.x.x addresses then put the 2 PC's on a 172.16.x.x or 10.x.x.x subnet. They will not be able to communicate with any of the office PC's at all.


    In order to enforce the IP addresses (i.e. ensure no one can change them), you do have to lock down the PC's. Yes, it can be done. My suggestion is to search the internet for how to set up Windows in kiosk mode. One of the things you can do is to create 2 accounts on the computers; one for administration, and another, locked down one that's set up to only run IE and is also set to auto-login at system startup.


    • 0

    If at first you don't succeed, do it like your mother told you.


    #3 Canned Heat

    Canned Heat

      HSS Member

    • Members
    • 38 posts
    • LocationYarrawonga, Australia

    Posted 20 May 2012 - 08:16 PM

    That Helps heaps, Ikon
    Thanks Mate
    • 0

    #4 darkside34

    darkside34

      HSS Member

    • Members
    • 27 posts

    Posted 21 May 2012 - 12:07 AM

    I would handle this with VLANs; there are dirt-cheap switches out from Netgear now that support VLAN tags. Then you will have 2 logically separated networks that cannot talk to each other unless A) you allow the router to route traffic between them or B) the switch is compromised.

    There are a few issues you could run into with using a different subnet. For example, I could plug my laptop into one of the public PC's cables and get an address on your normal subnet via DHCP. Someone could do the same thing with a bridged dropbox, and depending on how observant the people in the facility are, no one would ever notice. This also doesn't stop someone from booting an alternate OS via USB.


    Of course, I have no idea how these are going to be set up and how much unbridled access people are going to have on these PCs without an employee watching them, so you may have a rebuttal for those scenarios.
    • 0

    #5 Canned Heat

    Canned Heat

      HSS Member

    • Members
    • 38 posts
    • LocationYarrawonga, Australia

    Posted 21 May 2012 - 01:34 AM

    Thanks Darkside,
    Yeah, so many possibilities to hack.
    Might actually run a separate router for this.
    The PC's are in line of sight with staff there,
    but someone could throw a USB in in seconds. :ph34r:
    Will disable USB too in BIOS.
    Thanks Again for your input,
    :D
    • 0

    #6 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 12,312 posts

    Posted 21 May 2012 - 11:41 AM

    Yeah. I was assuming that no one would be able to gain physical access to the ports on the PCs. If that was not part of the plan then I very much encourage you to make it part. For most kiosk computers the system unit is locked inside a cabinet and only the screen, keyboard, and mouse are accessible to the public. I highly recommend this approach.

    You do have to be careful to vent the cabinets properly. I've done a number of kiosk installs and, during the design phase, one of the hardest tasks is to get the designers on board for adequate ventilation - they always think you can just lock a PC inside a cabinet and forget about it.

    I would not have these 2 PCs use DHCP; give them fixed IPs. For one thing, this can make it possible to remotely connect to the PC and monitor what's going on.
    • 0



    #7 jmwills

    jmwills

      HSS Genius

    • Donating Member
    • 6,926 posts
    • LocationHuntsville, AL

    Posted 21 May 2012 - 03:29 PM

    Use local Group Policies to disable users seeing anything but IE: no Control Panel, no Explorer, etc.
    • 0

    Windows 7 Desktop - Antec 100 Case, Intel D8H67BL, OCZ 550W PSU, Intel i3-530 CPU w/16GB G-Skill DDR3 1333 RAM
    Server 2012 - Fractal Arc Midi, CoolerMaster M600 PSU, ASUS P8H67V, Intel i5-2500 CPU w/32GBG-Skill DDR3 1333 RAM, 90 GIG OCZ SSD OS Drive – Roles: Hyper-V (WHS-SharePoint-DC-SQL-Exchange-WSE 2012R2), Print Server - Rocket RAID 2720 4 x 3TB WD Red
    HTPC Build - Silverstone GD05 Case,x 2
    Travel Laptop: Lenovo U310 13.3" Windows 8.1


    #8 Canned Heat

    Canned Heat

      HSS Member

    • Members
    • 38 posts
    • LocationYarrawonga, Australia

    Posted 21 May 2012 - 03:48 PM

    Thanks Jim
    • 0

    #9 no-control

    no-control

      HSS Elite

    • BYOB Podcasters
    • 1,782 posts
    • LocationSoCal

    Posted 22 May 2012 - 07:05 AM

    Disabling the USB in BIOS isn't enough. Glue them shut if there is no real reason to have them exposed. While LGP will help, you are still giving access to the internet. You'll need a blacklist of sites that are meant for accessing/hacking terminals with web access. With your proposed setup I could still have cmd access within seconds. Even better would be to whitelist domains deemed appropriate for the terminal.
    • 0

    VISIT MY NEW BLOG
    Find me on the internet

    I've been censored by the HSS

    #10 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 12,312 posts

    Posted 22 May 2012 - 07:31 AM

    Microsoft used to make something called SteadyState, which was basically a wizard for locking down computers. It was a great tool that was used by many institutions with public internet computers. There is no Windows 7 version of SteadyState, and there isn't going to be one.

    Check out this TechNet article for ways MS provides to lock down Windows 7 similarly to what SteadyState did.

    There are also 3rd party tools such as RollBack Rx and Deep Freeze.

    A combination of the TechNet articles, along with Deep Freeze, could pretty much replicate what SteadyState did. Unfortunately, Deep Freeze is not free (~$35/year).
    • 0



    #11 Canned Heat

    Canned Heat

      HSS Member

    • Members
    • 38 posts
    • LocationYarrawonga, Australia

    Posted 22 May 2012 - 09:40 PM

    Thanks ikon / no-control

    Yeah, SteadyState would be great.
    Will definitely blacklist too.

    Is Ubuntu a better option?
    • 0

    #12 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 12,312 posts

    Posted 22 May 2012 - 10:03 PM

    I can't offer any advice about Ubuntu. I stopped messing around with flavours of Linux years ago. The only Linux I use now is Untangle.
    • 0



    #13 Canned Heat

    Canned Heat

      HSS Member

    • Members
    • 38 posts
    • LocationYarrawonga, Australia

    Posted 22 May 2012 - 10:25 PM

    Cool, thanks iKon
    • 0

    #14 jmwills

    jmwills

      HSS Genius

    • Donating Member
    • 6,926 posts
    • LocationHuntsville, AL

    Posted 23 May 2012 - 05:25 AM

    Ubuntu would not be good because so few people use Linux. You need to make this user friendly and also remember that you can lock this down so much to make it unusable. Security is a balance of usability and being safe.
    • 0



    #15 darkside34

    darkside34

      HSS Member

    • Members
    • 27 posts

    Posted 05 July 2012 - 10:02 AM

    Ubuntu would not be good because so few people use Linux. You need to make this user friendly and also remember that you can lock this down so much to make it unusable. Security is a balance of usability and being safe.

    Linux is great for low-access terminals, probably why the majority of ATMs and ticketing machines use it as an OS. It can be a bit harder to lock down, but not impossible, and you will probably end up with something more reliable and more secure. I have not set up physical terminals that are locked down, but I have set up thin clients that are locked-down virtual machines for performing a specific task deemed too sensitive to be accomplished with a web UI.
    • 0

    #16 2percenter

    2percenter

      HSS Star

    • Donating Member
    • 63 posts

    Posted 20 September 2012 - 11:13 PM

    If you're still looking for a way to physically secure USB ports without gluing them, check this.
    http://www.kensingto...d---square.aspx
    • 0

    #17 jmwills

    jmwills

      HSS Genius

    • Donating Member
    • 6,926 posts
    • LocationHuntsville, AL

    Posted 21 September 2012 - 08:15 AM

    Shut down the usb.inf file (I believe that is the one) and that will do it for external media. Keyboards and mice will still work.
    • 0
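
    Added example (not code from any poster in this thread): a read-only PowerShell audit of the lockdown suggested in posts #7 and #17, checking the kiosk account's policy values and whether the USB mass-storage driver is disabled. The account name `kiosk`, its profile path and the `KioskAudit` mount name are assumptions; run it elevated while the kiosk account is logged off.

```powershell
# Added example: read-only audit of a kiosk lockdown (not code from this thread).
# Run elevated while the kiosk account is logged off.
$hiveFile = 'C:\Users\kiosk\NTUSER.DAT'        # assumed account name and profile path
$mount    = 'HKU\KioskAudit'                   # temporary mount name (constructed)
$u        = 'Registry::HKEY_USERS\KioskAudit\Software'
$pol      = "$u\Microsoft\Windows\CurrentVersion\Policies"

# path, value name, regex the data must match, what the setting enforces
$checks = @(
    @("$pol\System",   'Shell',                'iexplore\.exe', 'Custom shell is IE, not Explorer'),
    @("$pol\Explorer", 'NoControlPanel',       '^1$',           'Control Panel blocked'),
    @("$pol\Explorer", 'NoRun',                '^1$',           'Run dialog removed'),
    @("$pol\System",   'DisableTaskMgr',       '^1$',           'Task Manager blocked'),
    @("$pol\System",   'DisableRegistryTools', '^[12]$',        'Registry editors blocked'),
    @("$u\Policies\Microsoft\Windows\System", 'DisableCMD', '^[12]$', 'Command prompt blocked'),
    # Start = 4 disables only the storage driver; USB keyboards and mice keep working
    @('HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR', 'Start', '^4$', 'USB storage driver disabled')
)

# Mount the kiosk user's hive so its per-user policies can be read from an admin session
& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Cannot load $hiveFile; is the kiosk account logged on?" }
try {
    $results = foreach ($c in $checks) {
        $path, $name, $pattern, $what = $c
        $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$name } else { $null }
        New-Object PSObject -Property @{
            Check = $what
            Value = $(if ($null -eq $value) { '(not set)' } else { $value })
            Pass  = ("$value" -match $pattern)   # an unset value never matches
        }
    }
    $results | Format-Table Check, Value, Pass -AutoSize
    $failed = @($results | Where-Object { -not $_.Pass }).Count
    "{0} of {1} checks failed" -f $failed, $checks.Count
} finally {
    [gc]::Collect()                 # drop open registry handles so the hive can unload
    & reg.exe unload $mount | Out-Null
}
```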



    #18 no-control

    no-control

      HSS Elite

    • BYOB Podcasters
    • 1,782 posts
    • LocationSoCal

    Posted 21 September 2012 - 05:43 PM

    4 ports x $20 for port doodad = $80

    Tube of super glue = $.80
    • 0


    #19 ikon

    ikon

      HSS Elite Master

    • Donating Member
    • 12,312 posts

    Posted 22 September 2012 - 08:48 AM

    Hard to believe these things are $20 each. $3 or $4 maybe, but $20?? Kensington must really be targeting the corporate world.
    • 0



    #20 jmwills

    jmwills

      HSS Genius

    • Donating Member
    • 6,926 posts
    • LocationHuntsville, AL

    Posted 22 September 2012 - 01:05 PM

    HIPS will shut that down along with the CD/DVD drive quite nicely.
    • 0





