Brad McAfee asked:
Secure Windows 10 For Specific Purpose
We have several computers that are being set up with Windows 10 that are only going to be used for one purpose: to go to one external website and input data into a web form. Nothing else. [They are going to be in a workgroup configuration, not a domain/server environment where we can push GPO.]
We want to prevent users from doing anything else on the computer, such as visiting other sites, opening applications, or even the Start menu.
What is the best way to simply lock the computer down to prevent users from straying away from the original purpose (see above) and inadvertently causing an issue?
I have heard of solutions over the years; however, I am not sure what the best solution is in 2019. Thanks in advance.
ASKER CERTIFIED SOLUTION
ASKER
That would work; however, how can we restrict them to a single site or domain?
These are laptops that are going to be moving around, so setting something in the router/edge device/etc. is not an option.
I like AA, but maybe also a hybrid with this:
Set Win 10 in Kiosk mode (yes, it's imprecise and "clever users" will work out a way around it), but lock down browsing by setting the browser as the only app that works.
Configure it to use 127.0.0.1 for LAN and then set the domain you're allowing as the only exception.
https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app
ASKER
MASQ: Can you clarify "Configure it to use 127.0.0.1 for LAN and then set the domain you're allowing as the only exception." ?
Set your browser to use a proxy server.
Set that server address to the "local" address 127.0.0.1.
It now can't reach the outside world,
BUT you can configure exceptions to that to go to specific sites.
Edge > '...' Menu > Settings > Advanced Settings > Open proxy settings
Then in "Use the proxy server except for addresses that start with the following entries"
add "https://the-only-site-you-are-allowed-to-access.com"
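The "dead proxy with exceptions" trick MASQ describes can be applied without clicking through the Edge settings dialog. The script below is an added example, not code from the thread: it writes the per-user Internet Settings values that legacy Edge and Internet Explorer read (ProxyEnable, ProxyServer, ProxyOverride), then checks that an allowed URL answers and an unrelated one fails. The hostnames are placeholders, and the proxy port 9 is an assumption chosen because nothing listens there.

```powershell
# Added example (not from the thread). Points the user's proxy at 127.0.0.1 so that
# every request dies locally, except for the hosts listed in ProxyOverride.
# Hostnames below are placeholders (assumptions); substitute the real allowed site.

$AllowedHosts = @('portal.example.com', '*.example.com')   # placeholder hostnames
$InetKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 127.0.0.1:9 (discard port, assumption): no listener, so non-excepted requests fail fast.
Set-ItemProperty -Path $InetKey -Name ProxyEnable -Value 1 -Type DWord
Set-ItemProperty -Path $InetKey -Name ProxyServer -Value '127.0.0.1:9' -Type String

# ProxyOverride is the semicolon-separated "except for addresses that start with" list.
# '<local>' is deliberately left out: it would also let every intranet name through.
Set-ItemProperty -Path $InetKey -Name ProxyOverride -Value ($AllowedHosts -join ';') -Type String

# Read back what was written, so the state can be re-checked after a reboot or a user change.
Get-ItemProperty -Path $InetKey | Select-Object ProxyEnable, ProxyServer, ProxyOverride

# Invoke-WebRequest follows the system proxy settings, so it exercises the same path the browser uses.
function Test-LockedProxy {
    param([string[]]$Urls)
    foreach ($u in $Urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            '{0,-40} reachable (HTTP {1})' -f $u, $r.StatusCode
        } catch {
            '{0,-40} blocked ({1})' -f $u, $_.Exception.Message
        }
    }
}

# Expected: the first URL answers, the second fails because 127.0.0.1:9 refuses the connection.
Test-LockedProxy -Urls 'https://portal.example.com/', 'https://www.bing.com/'
```

The values live under HKCU, so a user with access to the settings dialog can simply turn the proxy off again; pairing this with the kiosk/Assigned Access approach discussed in this thread (which removes access to Settings) is what makes it hold. Also keep in mind that this only governs applications that honour the Windows proxy setting; a program that opens its own sockets is unaffected, which is why the firewall suggestion further down is a useful second layer.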
ASKER
Thanks MASQ. We will try that and let you know how it works!
Only as an added thought: if you haven't done so already, you might also want to consider setting the website up as the browser's default start/home page.
You could (more directly) limit the application executable in the firewall configuration.
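Doing that with the built-in Windows Defender Firewall looks like the script below, which is an added example rather than code from the thread. It sets a default-deny outbound policy on every profile (the laptops roam between networks), allows only the browser executable to reach the allowed site over HTTPS, and keeps DNS open so the site can still be resolved. The hostname, browser path and rule names are placeholders; the main caveat a practitioner should know is that firewall rules match IP addresses, not hostnames.

```powershell
# Added example (not from the thread). Restricts the kiosk browser at the firewall level.
# Must run elevated. Hostname and browser path are placeholders (assumptions).

$AllowedHost = 'portal.example.com'                                            # placeholder
$BrowserExe  = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'  # placeholder path

# Firewall rules take IP addresses, so resolve the site first. A CDN-fronted site can change
# addresses at any time; re-run this (e.g. from a scheduled task) or the rule silently breaks.
$AllowedIPs = (Resolve-DnsName -Name $AllowedHost -Type A -ErrorAction Stop).IPAddress |
    Where-Object { $_ }   # drop CNAME entries that carry no address

# 1. Default-deny outbound on all profiles. Note: this also blocks Windows Update, time sync
#    and anything else that is not explicitly allowed below.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Only the browser binary may talk to the allowed addresses, and only on 443.
New-NetFirewallRule -DisplayName 'Kiosk: browser to allowed site' `
    -Direction Outbound -Action Allow -Program $BrowserExe `
    -Protocol TCP -RemotePort 443 -RemoteAddress $AllowedIPs | Out-Null

# 3. Name resolution must still work. The resolver changes with every network the laptop
#    joins, so the destination is left open rather than pinned to one server.
New-NetFirewallRule -DisplayName 'Kiosk: DNS (UDP)' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 | Out-Null
New-NetFirewallRule -DisplayName 'Kiosk: DNS (TCP)' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 53 | Out-Null

# Review what is now permitted; anything not listed here is dropped by the default action.
Get-NetFirewallRule -DisplayName 'Kiosk:*' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        '{0,-35} {1,-6} {2,-5} -> {3}' -f $_.DisplayName, $port.Protocol, $port.RemotePort, ($addr.RemoteAddress -join ',')
    }
```

The firewall layer and the proxy exception list complement each other: the proxy setting understands hostnames but only binds applications that honour it, while the firewall binds every process but only understands addresses. Used together, a user who defeats one still runs into the other.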
This is the PowerShell command to set up Assigned Access with the Edge browser:
Set-AssignedAccess -UserName weakusername -AUMID Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
Revisiting: I noticed that with the current Win10 version it is finally possible to set up Edge as the Assigned Access app using the GUI.
That wasn't even possible (Microsoft screwing up once more) in older versions with Edge, hence the command I provided.
"AA" will let them start a browser and nothing else. They can print things, but otherwise they cannot interact with the file system, the network, or anything else. They cannot execute malware.
Interested?
Edit: this should not be confused with the term "kiosk mode", which is not very precise.
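To turn the single Set-AssignedAccess line from the thread into a repeatable setup, the script below is an added example (not code from the thread or from Microsoft): it creates a dedicated standard local account, pins the Edge AUMID quoted above to it, and reads the configuration back so the result can be verified before the laptop leaves the building. The account name is an assumption; Assigned Access requires a Pro, Enterprise or Education edition of Windows 10.

```powershell
# Added example (not from the thread). Full Assigned Access setup around the command above.
# Must run elevated on Windows 10 Pro/Enterprise/Education. Account name is an assumption.

$KioskUser = 'kiosk'                                                 # assumption
$EdgeAumid = 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge'   # AUMID from the thread

# Create the account only if it does not exist yet. The password is prompted rather than
# hard-coded so it never ends up in a script file or shell history.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -Prompt "Password for local account '$KioskUser'" -AsSecureString
    New-LocalUser -Name $KioskUser -Password $Password `
        -PasswordNeverExpires -AccountNeverExpires -Description 'Single-purpose web form kiosk' | Out-Null
}

# Standard user only. New-LocalUser does not add the account to any group, so put it in
# Users explicitly; never place a kiosk account in Administrators.
if (-not (Get-LocalGroupMember -Group 'Users' -Member $KioskUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $KioskUser
}

# Pin the browser to the account: every sign-in by this user lands in Edge and nothing else.
Set-AssignedAccess -UserName $KioskUser -AppUserModelId $EdgeAumid

# Verify. An empty result means the restriction is NOT in place; check this before deployment.
$aa = Get-AssignedAccess
if (-not $aa) {
    Write-Warning 'Assigned Access is not configured.'
} else {
    $aa | Select-Object UserName, AppUserModelId, AppName
}

# To remove the restriction again later: Clear-AssignedAccess
```

Pairing this with the proxy exception list from earlier in the thread covers the remaining gap: Assigned Access decides which application the user gets, and the proxy setting decides which sites that application can reach. Record the kiosk account's password in the team's password store, since the account is the only way to sign in to the laptop once Assigned Access is active.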