Canned Heat

2 x PC's In a Public Place

21 posts in this topic

Hi Guys,

Installing 2 PCs into a public place for internet access.

Was going with 2x Intel i3 / Windows 7 based builds.

The issue I have is there are some office PCs running on the same network and I don't want these to be seen.

I really need to lock these units up tight.

The PCs are for IE only.

A new area for me, any help would be great,

Can Windows disable all functions except for IE?

Should I look at an embedded system?

3rd Party Software?

Don't know where to start.

If you know of any good sites / links, that would be great.

Thanks

:wacko:


To make it so the 2 PCs can't see other computers on the same network, make sure they are using a different IP subnet. For example, if the office computers are using 192.168.x.x addresses then put the 2 PCs on a 172.16.x.x or 10.x.x.x subnet. They will not be able to communicate with any of the office PCs at all.

 

In order to enforce the IP addresses (i.e. ensure no one can change them), you do have to lock down the PCs. Yes, it can be done. My suggestion is to search the internet for how to set up Windows in kiosk mode. One of the things you can do is to create 2 accounts on the computers: one for administration, and another, locked-down one that's set up to only run IE and is also set to auto-login at system startup.


That helps heaps, Ikon.

Thanks Mate


I would handle this with VLANs; there are dirt-cheap switches out from Netgear now that support VLAN tags. Then you will have 2 logically separated networks that cannot talk to each other unless A) you allow the router to route traffic between them or B) the switch is compromised.

 

There are a few issues you could run into with using a different subnet. For example, I could plug my laptop into one of the public PCs' cables and get an address on your normal subnet via DHCP. Someone could do the same thing with a bridged dropbox, and depending on how observant the people in the facility are, no one would ever notice. This also doesn't stop someone from booting an alternate OS via USB.

 

 

Of course, I have no idea how these are going to be set up and how much unbridled access people are going to have on these PCs without an employee watching them, so you may have a rebuttal for those scenarios.


Thanks Darkside,

Yeah, so many possibilities to hack.

Might actually run a separate router for this.

The PCs are in line of sight of staff there,

But someone could throw a USB in, in seconds. :ph34r:

Will disable USB too in the BIOS.

Thanks Again for your input,

:D


Yeah. I was assuming that no one would be able to gain physical access to the ports on the PCs. If that was not part of the plan then I very much encourage you to make it part. For most kiosk computers the system unit is locked inside a cabinet and only the screen, keyboard, and mouse are accessible to the public. I highly recommend this approach.

 

You do have to be careful to vent the cabinets properly. I've done a number of kiosk installs and, during the design phase, one of the hardest tasks is to get the designers on board for adequate ventilation - they always think you can just lock a PC inside a cabinet and forget about it.

 

I would not have these 2 PCs use DHCP; give them fixed IPs. For one thing, this can make it possible to remotely connect to the PC and monitor what's going on.


Use local Group Policies to stop users seeing anything but IE: no Control Panel, no Explorer, etc.


Thanks Jim


Disabling USB in the BIOS isn't enough. Glue them shut if there is no real reason to have them exposed. While LGP will help, you are still giving access to the internet. You'll need a blacklist of sites that are meant for accessing/hacking terminals with web access. With your proposed setup I could still have cmd access within seconds. Even better would be to whitelist domains deemed appropriate for the terminal.


Microsoft used to make something called SteadyState, which was basically a wizard for locking down computers. It was a great tool that was used by many institutions with public internet computers. There is no Windows 7 version of SteadyState, and there isn't going to be one.

 

Check out this TechNet article for ways MS provides to lock down Windows 7 similarly to what SteadyState did.

 

There are also 3rd party tools such as RollBack Rx and Deep Freeze.

 

A combination of the TechNet articles, along with Deep Freeze, could pretty much replicate what SteadyState did. Unfortunately, Deep Freeze is not free (~$35/year).


Thanks Icon / No Control

 

Yeah SteadyState would be great.

Will definitely blacklist too.

 

Is Ubuntu a better option?


I can't offer any advice about Ubuntu. I stopped messing around with flavours of Linux years ago. The only Linux I use now is Untangle.


Cool, thanks iKon


Ubuntu would not be good because so few people use Linux. You need to make this user friendly, and also remember that you can lock this down so much as to make it unusable. Security is a balance of usability and being safe.


Ubuntu would not be good because so few people use Linux. You need to make this user friendly, and also remember that you can lock this down so much as to make it unusable. Security is a balance of usability and being safe.

Linux is great for low-access terminals, probably why the majority of ATMs and ticketing machines use it as an OS. It can be a bit harder to lock down, but not impossible, and you will probably end up with something more reliable and more secure. I have not set up physical terminals that are locked down, but I have set up thin clients that are locked-down virtual machines for performing a specific task deemed too sensitive to be accomplished with a web UI.


Shut down the usb.inf file (I believe that is the one) and that will do it for external media. Keyboards and mice will still work.

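As an added example (not code from this thread or from any of the posters), here is how the pieces discussed above fit together on a Windows 7 public PC as one PowerShell run: Ikon's fixed address on a separate subnet plus separate administration and kiosk accounts with auto-logon, Jim's local policies that leave the kiosk user nothing but IE, and the USB-storage shutdown from the last post, done through the USBSTOR service rather than usb.inf so keyboards and mice keep working. Every name and value below is an assumption: the account name kiosk, the NIC name, the 10.10.0.0/24 subnet, and the placeholder password and start page.

```powershell
# Added example: one-time hardening of a Windows 7 kiosk PC (not from the thread).
# Run elevated from the separate administrator account, after the kiosk account has
# logged on once so that C:\Users\kiosk\NTUSER.DAT exists. All names/values are assumptions.

$KioskUser = 'kiosk'
$KioskPass = 'CHANGE-ME-kiosk-password'      # placeholder; see note on DefaultPassword below
$Nic       = 'Local Area Connection'         # assumed adapter name
$KioskIp   = '10.10.0.11'                    # assumed kiosk subnet, separate from the office LAN
$KioskMask = '255.255.255.0'
$KioskGw   = '10.10.0.1'
$StartPage = 'http://start.example/'         # placeholder start page

# 1. Fixed address on the kiosk subnet (no DHCP, so the PC cannot drift onto the office range).
netsh interface ipv4 set address name="$Nic" static $KioskIp $KioskMask $KioskGw 1
netsh interface ipv4 set dns     name="$Nic" static $KioskGw

# 2. Non-admin kiosk account; the administrator account is left untouched.
net user $KioskUser $KioskPass /add /passwordchg:no /expires:never
wmic useraccount where "name='$KioskUser'" set PasswordExpires=false

# 3. Auto-logon as the kiosk account at boot.
#    Caveat: DefaultPassword is stored as a readable registry string. The Sysinternals
#    Autologon tool stores it as an LSA secret instead and is preferable in production.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'
Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $KioskUser
Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $env:COMPUTERNAME
Set-ItemProperty -Path $Winlogon -Name DefaultPassword   -Value $KioskPass

# 4. Per-user policies, written into the kiosk account's own hive (the registry side of the
#    local Group Policy settings) so the administrator account is not locked out.
reg load HKU\KioskHive "C:\Users\$KioskUser\NTUSER.DAT" | Out-Null
$Pol      = 'Registry::HKEY_USERS\KioskHive\Software\Microsoft\Windows\CurrentVersion\Policies'
$Explorer = "$Pol\Explorer"
$System   = "$Pol\System"
New-Item -Path $Explorer, $System, "$Explorer\RestrictRun" -Force | Out-Null

# Custom User Interface: IE in kiosk mode (-k) replaces Explorer as the shell,
# so there is no desktop, taskbar or Start menu for this user.
$IePath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
Set-ItemProperty -Path $System -Name Shell -Value ('"{0}" -k {1}' -f $IePath, $StartPage)
Set-ItemProperty -Path $System -Name DisableTaskMgr       -Value 1 -Type DWord
Set-ItemProperty -Path $System -Name DisableRegistryTools -Value 1 -Type DWord
Set-ItemProperty -Path $Explorer -Name NoControlPanel -Value 1 -Type DWord
Set-ItemProperty -Path $Explorer -Name NoRun          -Value 1 -Type DWord
Set-ItemProperty -Path $Explorer -Name NoDrives       -Value 0x3FFFFFF -Type DWord  # hide A: to Z:
Set-ItemProperty -Path $Explorer -Name NoViewOnDrive  -Value 0x3FFFFFF -Type DWord  # block browsing them

# Application allowlist: the shell will only start the executables listed here.
# RestrictRun is enforced by Explorer/ShellExecute only; it raises the bar for reaching a
# command prompt but is not a substitute for AppLocker on editions that have it.
Set-ItemProperty -Path $Explorer -Name RestrictRun -Value 1 -Type DWord
Set-ItemProperty -Path "$Explorer\RestrictRun" -Name 1 -Value 'iexplore.exe'

[gc]::Collect(); [gc]::WaitForPendingFinalizers()   # drop hive handles before unloading
reg unload HKU\KioskHive | Out-Null

# 5. USB mass storage and the optical drive off machine-wide. USB keyboards and mice are
#    HID devices and are unaffected; this complements, rather than replaces, the BIOS setting
#    and physically blocking the ports.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom'   -Name Start -Value 4 -Type DWord
```

Reboot afterwards and check from the kiosk session that only IE is reachable, then log on as the administrator and confirm that account still has its normal desktop. The per-user policies live in the kiosk hive only, which is the point of Ikon's two-account design: one wrong DWord in HKLM would lock out the administrator as well.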

4 ports x $20 for port doodad = $80

 

Tube of super glue = $0.80


Hard to believe these things are $20 each. $3 or $4 maybe, but $20?? Kensington must really be targeting the corporate world.


HIPS will shut that down along with the CD/DVD drive quite nicely.


Maybe Best Buy should lock down their computers better. Was playing with the iMac today when I realized there was a cellphone photo of a topless girl in the downloads folder.
