Canned Heat

2 x PC's In a Public Place

21 posts in this topic

Hi guys,

Installing 2 PCs into a public place for internet access.

Was going with 2x Intel i3 / Windows 7 based builds.

The issue I have is there are some office PCs running on the same network and I don't want these to be seen.

I really need to lock these units up tight.

The PCs are for IE only.

A new area for me, any help would be great.

Can Windows disable all functions except for IE?

Should I look at an embedded system?

3rd party software?

Don't know where to start.

If you know of any good sites / links, that would be great.

Thanks

To make it so the 2 PCs can't see other computers on the same network, make sure they are using a different IP subnet. For example, if the office computers are using 192.168.x.x addresses then put the 2 PCs on a 172.16.x.x or 10.x.x.x subnet. They will not be able to communicate with any of the office PCs at all.

In order to enforce the IP addresses (i.e. ensure no one can change them), you do have to lock down the PCs. Yes, it can be done. My suggestion is to search the internet for how to set up Windows in kiosk mode. One of the things you can do is to create 2 accounts on the computers: one for administration, and another, locked-down one that's set up to only run IE and is also set to auto-login at system startup.

That helps heaps, Ikon.

Thanks mate

I would handle this with VLANs; there are dirt-cheap switches out from Netgear now that support VLAN tags. Then you will have 2 logically separated networks that cannot talk to each other unless A) you allow the router to route traffic between them or B) the switch is compromised.

There are a few issues you could run into with using a different subnet. For example, I could plug my laptop into one of the public PCs' cables and get an address on your normal subnet via DHCP. Someone could do the same thing with a bridged dropbox, and depending on how observant the people in the facility are, no one would ever notice. This also doesn't stop someone from booting an alternate OS via USB.

Of course, I have no idea how these are going to be set up and how much unbridled access people are going to have on these PCs without an employee watching them, so you may have a rebuttal for those scenarios.

Thanks Darkside,

Yeah, so many possibilities to hack.

Might actually run a separate router for this.

The PCs are in line of sight with staff there,

but someone could throw a USB in in seconds.

Will disable USB too in BIOS.

Thanks again for your input.

Yeah. I was assuming that no one would be able to gain physical access to the ports on the PCs. If that was not part of the plan then I very much encourage you to make it part. For most kiosk computers the system unit is locked inside a cabinet and only the screen, keyboard, and mouse are accessible to the public. I highly recommend this approach.

You do have to be careful to vent the cabinets properly. I've done a number of kiosk installs and, during the design phase, one of the hardest tasks is to get the designers on board for adequate ventilation - they always think you can just lock a PC inside a cabinet and forget about it.

I would not have these 2 PCs use DHCP; give them fixed IPs. For one thing, this can make it possible to remotely connect to the PC and monitor what's going on.

Use Local Group Policies to disable users seeing anything but IE: no Control Panel, no Explorer, etc.
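One way to carry out Jim's Local Group Policy advice together with Ikon's two-account, auto-login kiosk setup on Windows 7. This is an added example, not code posted by anyone in the thread; it assumes an unprivileged local account named `kiosk` whose profile lives under `C:\Users\kiosk`, an assumed start-page URL, and writes the same registry-backed values the policy editor writes.

```powershell
# Added example (not from any post in this thread). Run from an elevated
# PowerShell on the kiosk PC while the "kiosk" user is logged OFF, so its
# registry hive can be loaded from disk and edited without logging it on.
$User     = 'kiosk'                                # assumed account name
$HivePath = "C:\Users\$User\NTUSER.DAT"            # assumed profile path
$Start    = 'http://intranet.example/start'        # assumed start page

# Load the kiosk user's hive as HKEY_USERS\kiosk (what HKCU is for that user).
reg.exe load "HKU\$User" $HivePath | Out-Null
$H = "Registry::HKEY_USERS\$User"

# Create the policy key if needed and write one value (DWORD by default).
function Set-Pol([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord') {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$Explorer = "$H\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$System   = "$H\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$WinSys   = "$H\Software\Policies\Microsoft\Windows\System"
$Winlogon = "$H\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# "Run only specified Windows applications": the shell refuses everything
# that is not on the RestrictRun list, and IE is the only entry.
Set-Pol $Explorer 'RestrictRun' 1
Set-Pol "$Explorer\RestrictRun" '1' 'iexplore.exe' 'String'
Set-Pol $Explorer 'NoControlPanel'       1   # Prohibit access to Control Panel
Set-Pol $Explorer 'NoRun'                1   # Remove Run from the Start menu
Set-Pol $System   'DisableTaskMgr'       1   # Remove Task Manager
Set-Pol $System   'DisableRegistryTools' 1   # Prevent access to registry editing tools
Set-Pol $WinSys   'DisableCMD'           2   # No command prompt, no batch files

# Replace Explorer as this user's shell with IE in its own kiosk mode (-k),
# so no desktop, taskbar or Start menu is ever shown to the public.
$IE = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
Set-Pol $Winlogon 'Shell' "`"$IE`" -k $Start" 'String'

[gc]::Collect()                          # release provider handles before unloading
reg.exe unload "HKU\$User" | Out-Null

# Auto-logon at boot is a machine-wide setting. Windows stores the password
# in clear text here, so this account must hold no privileges and must not
# be accepted by anything else on the network (use a separate admin account).
$ML = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-Pol $ML 'AutoAdminLogon'  '1'   'String'
Set-Pol $ML 'DefaultUserName' $User 'String'
Set-Pol $ML 'DefaultPassword' 'REPLACE-WITH-KIOSK-PASSWORD' 'String'   # placeholder
```

These per-user values are enforced by the shell and the policy-aware system tools, which is why the later posts about physical port access and site filtering still matter: a user who can boot other media or reach the hive from elsewhere is outside what they control.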

Thanks Jim

Disabling the USB in BIOS isn't enough. Glue them shut if there is no real reason to have them exposed. While LGP will help, you are still giving access to the internet. You'll need a blacklist of sites that are meant for accessing/hacking terminals with web access. With your proposed setup I could still have cmd access within seconds. Even better would be to whitelist domains deemed appropriate for the terminal.

Microsoft used to make something called SteadyState, which was basically a wizard for locking down computers. It was a great tool that was used by many institutions with public internet computers. There is no Windows 7 version of SteadyState, and there isn't going to be one.

Check out this TechNet article for ways MS provides to lock down Windows 7 similarly to what SteadyState did.

There are also 3rd party tools such as RollBack Rx and Deep Freeze.

A combination of the TechNet articles, along with Deep Freeze, could pretty much replicate what SteadyState did. Unfortunately, Deep Freeze is not free (~$35/year).
