How To: Protect Any PC Using Windows Steady State

Posted 09/04/2008 at 10:00am | by Justin Kerr

12

Comments

Print

5.) Create New User Profiles

Next we will need to create individual user accounts for Steady State to adminstrate. In the steps ahead we will learn how to configure each account to match anyone's needs. Click the Add A New User button circled above to bring up the creation window shown below.

Windows Steady State creates custom user profiles which will appear to the OS as a “limited account”. For those who aren’t familiar with the various permission levels, Windows XP and Vista allow for two levels of user, limited or administrator. Users who log into the system with an administrative account will have access to Windows Steady State’s configuration and even have the option of allowing changes to save to the hard disk when shutting down the computer.  Administrative users cannot be created through this interface, and are instead created the old fashioned way through the control panel. Here is a quick break down of the various fields shown above in the add a new user window.

User Name - The name as you would like it to appear on the welcome screen

Password – This can be any length you like or even blank for no password.

Confirm Password – You do remember the password you just typed don’t you? Prove it!

User Location – This allows you to select the disk where the user profile will be stored. Changing this option is important to consider if you are setting up this machine for a typical home user. It will easily allow them to save pictures, documents, and even bookmarks since they are located on a separate partition which will be unaffected by the protected mode enabled in step 2. For a public machine leave the user profile on the default drive which will allow it to be sanitized each time the machine is rebooted.

6.) User Settings / General Tab

The general tab will allow you to configure a few basic features but most of the fields contained in this tab relate more to configuring a public computer. They apply mostly to a machine you might find in a school, library, or even a cyber café. Below is a rundown of the various options that might interest you.

Lock Profile – This is an extremely useful feature, especially if you choose not to protect the disk in step 2. This will prevent any changes to system settings such as the wallpaper or screen resolution from being saved when the user logs out or reboots the machine. This feature doesn’t fully protect the drive or operating system from being modified but should keep casual users out of trouble.

Log Off After – Allows you to set a limit as to how long a computer can be used in any particular session. The user will be notified at login how long they will be given to use the machine.

Always Display The Session Countdown – Annoying but often better than having your users caught off guard by an unannounced logout. This is ideal for short session timers.

Reboot Computer After Log Off – This feature is only useful if you are using the disk protection feature mentioned in step 2. This guarantees that each new login will present the OS as the administrator intended it.

7.) User Settings / Windows Restrictions Tab

This tab is where you really start to break away Windows features that commonly get inexperienced users in trouble. As you can see there are far too many options here to explain individually and most of what you are trying to be accomplish can be done by picking a security preset which can be high, none, or anything in-between. If you are setting up a public computer I would recommend select the high preset and do a quick read through of the list making exceptions as necessary. For home users I would select low or even none particularly if you have disk protection enabled from step 2. Bellow I will point out a few of the most useful options to enable.

Prevent right-click in the Start Menu – This helps keep the appearance of the start menu consistent in non protected drives.

Remove The Control Panel – Disabling the control panel is an important step in securing a system. If they don’t need it, don’t give it to them.

Remove The Run Icon – If you allowed Steady State to protect your hard disk users can’t really cause any permanent damage. But if your disk isn’t protected then the run menu is just another access point that is quite powerful if you know how to use it. It’s best to lock this one down.

General Restrictions – Enabling this feature activates everything below it, and for the most part everything under this tab is a good idea. A few exceptions exist however which I would consider reversing manually. These include Remove CD and DVD burning features, Disable Notepad and WordPad, as well as Disable keyboard shortcuts. For home users disabling these features really detract from the UI and don’t net you a whole lot of security benefits.  

Hide Drives – This is useful if the administrator wants to keep files on a separate partition that limited users can’t access. Additionally, since Steady State only protects the windows partition, it will keep users who don’t need persistent local storage from saving anything on the systems hard drives.