Secure Windows 7 with 2 logins Kiosk and Administrator

operationsIT
operationsIT used Ask the Experts™
on
Is it possible to have a automatic login with a Kiosk user or maybe it doesn't have to be Kiosk that limits many areas of interaction with the Operating System?  However when required can switch to administrator who can support the system local/remote via admin credentials?  What is the best setup?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Sean Plemons Kelly, CISSPInformation Systems Security Engineer

Commented:
Hello operationsIT!

In my opinion:

Through Group Policy, most things are possible!

Most of the settings for this can be found under User Configuration > Policies > Administrative Templates.

Cheers!
Sean

Author

Commented:
If this is a stand alone machine we can use the local GPO to lock it down (no desktop right click) yet somebody can login and override this with admin rights?
Sean Plemons Kelly, CISSPInformation Systems Security Engineer

Commented:
operationsIT,

If someone else has admin rights, then yes, they will typicaly be able to change things.

There are two places you can remove the desktop context menu (right click):
One is the registry, at key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, key NoViewContextMenu. Giving this a value of 1 will disable the context menu.

The other is in Group Policy, at User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer > Remove Windows Explorer's Default Context Menu. Changing that to Enabled will disable the context menu.

*Ideally* the machine would be connected to some sort of domain that could apply the policy to different groups (I.E. the GPO that locked the system down would apply only to domain users the regular account, and the domain admins would be exempt from it).

I hope this helps!
Sean
Announcing the Winners!

The results are in for the 15th Annual Expert Awards! Congratulations to the winners, and thank you to everyone who participated in the nominations. We are so grateful for the valuable contributions experts make on a daily basis. Click to read more about this year’s recipients!

Author

Commented:
This is a machine we will put at a customer site to manage equipment so it will not be on their domain and the management team there wants it locked down so we can change to administer it, but their team cannot

•      Remove all icons from desktop
•      Remove or disable taskbar
•      Remove right click on desktop
•      Disable most system keyboard functions

Anything with these that won't work?  What will context menu removal do specifically?
We will still be able to switch to or restart to get admin in?
Information Systems Security Engineer
Commented:
operationsIT,

The menu that comes up when you right click is the context menu.

It would help to know:
Are there going to be multiple user accounts?
Will the users have specific apps they need to access?
Should they have drive access?

Thanks!
Sean

Author

Commented:
There should be one locked down and one engineer who has administrative rights

Disabling:
 File system navigation (except through package analytics)
All shortcut and fast keys (IE: <control>+<alt>+<delete>)
Right click menus
Command Window
Start menu (all of the menu, however can leave one option: user login change)

Effectively, the locked down user should only be able to:
Have the option to change users (change to engineering)
View the package analytics user interface (dashboard)
Remote desktop accessibility
Mount/unmount an external drive (USB)

Author

Commented:
Great help thanks!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial