One of the biggest challenges Maximum PC readers often face is the never-ending battle we endure when it comes to restoring the PCs of family and friends. We often find ourselves bombarded with machines that may have once been configured by us, but have become infected or modified beyond recognition. The good news is that Microsoft finally has a solution, and it comes in the form of a free add-on for Windows XP and Vista which promises to restore sanity to your world.
Windows Steady State goes far beyond a simple group policy editor. It gives users the protection and peace of mind that until now could only be matched by a virtual machine. Simply put, Windows Steady State gives you nearly unlimited control over what can and cannot be done on a protected PC. With the ability to flush unwanted changes with each reboot, every new session can be as fresh and snappy as the day you first installed the OS.
The obvious application for Steady State is anyone who maintains a large fleet of public computers, but I would argue that it works just as well for anyone who maintains a troublesome household computer with friends or family who just can’t resist opening email attachments. Steady State gives administrators full control over how users access the internet, how they import and export data, and even what programs they can use. Interested in learning how to master this amazing new utility? Read on to learn how to configure Steady State for your application.
What You'll Need:
A PC with Windows XP (any 32-bit edition) or Windows Vista (any 32-bit edition). The operating system must be installed on an NTFS partition.
First things first, you will need to point your browser over to Microsoft and download your free copy of Windows Steady State. For those of you using Firefox (which I’m guessing is most of our readers), you may want to consider using Internet Explorer for this step. Microsoft will validate your copy of Windows to ensure it is genuine both before downloading and again during installation. Internet Explorer makes this first step easier since a one click ActiveX control makes the process pretty transparent. You can use Firefox, Safari, or just about anything else you can think of, but you’ll just have to jump through a few extra hoops in order to validate.
Once you have downloaded the installer, go ahead and launch it when you’re ready. The installer doesn’t offer any installation options to configure, so we won’t bother walking you through the process of clicking next. I would, however, caution you to go slow and watch for the option to opt out of the Live Toolbar if you don’t want it.
2.) Protect The Hard Disk **OPTIONAL**
Double-click the Windows Steady State icon on your desktop (shown here), which will launch the application into the main menu screen shown above. Once the interface is up and running, click the Protect The Hard Disk option, which is circled in red on our screenshot.
Protecting the hard disk has known (but undocumented) issues with whole-drive encryption technologies such as TrueCrypt. Users with encrypted drives should not use this feature and should skip ahead to step 3.
Even though this step is listed as optional, protecting the hard disk is one of the most powerful features in Windows Steady State. When enabled, disk protection earmarks a chunk of your free disk space (50% by default) and forms a cache where modified files will be stored during a user’s session. To be clear, Steady State isn’t creating an image of your hard drive; it simply quarantines any files that are modified during a user’s session to the cache.
When the operating system needs to read a file from the hard drive, it first checks the cache to see if a modified version already exists and, if not, retrieves the file from the protected section. Since the cache only contains modified copies of the protected files, when the machine is rebooted the cache is easily dumped, and your computer will once again rebuild it as changes are made. This protection applies to the entire Windows partition and cannot be customized to exclude individual folders. If you require persistent storage, data will need to be stored on a separate drive or partition.
Separate partitions are ignored by Steady State and can be interacted with normally. If you find yourself wishing you’d had the foresight to create a separate partition on the machine in question, but don’t want to reformat and start over, have no fear. We have a how-to guide for that too. If you choose not to use the disk protection feature, that is of course your choice. But if you’re serious about protecting the PC from users who don’t need to install new software very often, it’s the safest bet. If you choose not to use disk protection, the privileges you grant your users in later steps will need to be much more draconian in order to compensate for this feature not being active. With hard disk protection enabled, any mischief a user gets himself into will be wiped clean with every reboot.
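The read path and restart behaviour described above, together with the full-cache case covered under Change Cache File Size, as an added Python model. It is not part of the original article and not SteadyState's own code; the class, method and file names are hypothetical and the sample data is constructed.

```python
# Model of the disk-protection cache described above.
# Added illustration, not SteadyState code; every name here is hypothetical.

class CacheFull(Exception):
    """The session's changes no longer fit in the reserved cache."""


class ProtectedDisk:
    DISCARD = "remove all changes at restart"
    RETAIN = "retain all changes permanently"

    def __init__(self, base, cache_limit, mode=DISCARD):
        self.base = dict(base)          # protected contents of the Windows partition
        self.cache = {}                 # path -> bytes modified in this session
        self.cache_limit = cache_limit  # bytes reserved for the cache
        self.mode = mode

    def read(self, path):
        # A modified copy in the cache wins; otherwise use the protected copy.
        if path in self.cache:
            return self.cache[path]
        return self.base[path]

    def write(self, path, data):
        if self.mode == self.RETAIN:
            self.base[path] = data      # cache is off, so the change is permanent
            return
        others = sum(len(v) for p, v in self.cache.items() if p != path)
        if others + len(data) > self.cache_limit:
            raise CacheFull("cache exhausted; restart to free space")
        self.cache[path] = data         # the protected copy is never touched

    def restart(self):
        self.cache.clear()              # every cached session change is dropped


def simulate_session():
    # Constructed sample data: a clean hosts file on the protected partition.
    disk = ProtectedDisk({r"C:\hosts": b"127.0.0.1 localhost"}, cache_limit=64)
    disk.write(r"C:\hosts", b"203.0.113.9 bank.example")   # unwanted change
    disk.write(r"C:\unwanted.exe", b"MZ-constructed-bytes")
    during = disk.read(r"C:\hosts")
    try:
        disk.write(r"C:\big.bin", b"x" * 64)               # exceeds the cache
        cache_full = False
    except CacheFull:
        cache_full = True
    disk.restart()
    after = disk.read(r"C:\hosts")
    # An administrator switches modes to make a lasting change, then re-protects.
    disk.mode = ProtectedDisk.RETAIN
    disk.write(r"C:\hosts", b"127.0.0.1 localhost\n10.0.0.5 printer")
    disk.mode = ProtectedDisk.DISCARD
    disk.restart()
    return during, cache_full, after, disk.read(r"C:\hosts"), sorted(disk.base)
```

In the model, the altered hosts file is what the session reads until the restart, so the cache governs what persists, not what happens while a user is logged in.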
After clicking the protect hard disk option you should see the screen shown above. Here is a breakdown of what each option does.
Remove All Changes At Restart – This is the easiest way to lock down a PC with Steady State. Each time the machine resets, it clears the cache and things are restored to whatever state it was in when you activated this feature. When you turn this on for the first time it will warn you that it needs to create the cache and restart. By default it will use 50% of your remaining free space.
Retain Changes Temporarily – If you want changes to be persistent throughout the day, this option would allow you to maintain state for a set period. This is helpful in an office environment where users could be warned that data on the Windows partition will be wiped daily.
Retain All Changes Permanently – This turns off the cache feature but maintains the space it allocated during setup. This is helpful if an administrator wants to make permanent changes to a limited user account that won’t be wiped upon reboot. Once those changes are complete however, don’t forget to revert to a protected mode.
Change Cache File Size – By default Steady State will grab 50% of your available disk space, which, if you have a massive 500 GB drive with nothing but Windows on it, can be somewhat excessive. The cache only needs to be large enough to contain changes that will be made during an individual session. Unless users are constantly installing large programs, the minimum 2 GB cache size is more than enough for everyday use. Clicking this option will bring up a separate window where this can be adjusted. Should a user max out the cache during any individual session, they will simply be prompted to restart the machine in order to free up space. The default cache layout is shown below.
3.) Set Computer Restrictions
Next we are going to dive into the Set Computer Restrictions option. The features that are selected within this menu option are global in nature. They will apply to any non-administrative users on the machine without exception.
Most of the features listed in this window are somewhat obscure and only offer advantages in very niche scenarios. Below we will delve into the options that are most important for home users or someone setting up a public machine.
Remove The Administrator User Name From The Welcome Screen – If you will only need administration privileges infrequently, or you’d rather not let others know it’s there, go ahead and enable this feature.
Do Not Store User Names or Passwords Used To Log on to Windows Live – Depending on if this is truly a public or private machine you may want to turn this option on or off accordingly.
Prevent Users From Creating Folders and Files in Drive c:\ - If disk protection is enabled anything on the c: drive gets wiped with every reboot. But if you decided not to go that route, this option can go a long way towards protecting the integrity of your file structure.
Prevent write access to USB storage devices – This is a useful security mechanism in an office environment or anytime you are concerned about users swiping large chunks of sensitive data on a thumb drive. This feature roots deep into the OS and requires a restart to activate and deactivate.
4.) Schedule Windows Updates
Your newly protected system might feel invincible, but it’s still important to let the OS keep up with Windows updates. This will keep individual user sessions from becoming compromised and in the case of Vista, will allow for stability and compatibility fixes that might come in handy. To configure how you receive Windows updates select the Schedule Software Updates option from the main menu.
From here you can pick what time the machine will apply automatic updates or if you would like to opt out. Additionally, under the Security Program Updates you can select any anti-virus program you currently have installed. In theory this should allow the signature database to update without interference. Microsoft hasn’t compiled an official list of compatible AV suites yet, but unofficially here is what users are having success with in the forums.
Most of these products have a trial version available which I highly suggest you test out before you shell out any cash. Many problems have been reported getting definitions to survive a reboot, but this only applies to users who enabled hard disk protection in step 2. If you didn’t enable protected mode, anti-virus software will function normally.
5.) Create New User Profiles
Next we will need to create individual user accounts for Steady State to administrate. In the steps ahead we will learn how to configure each account to match anyone's needs. Click the Add A New User button circled above to bring up the creation window shown below.
Windows Steady State creates custom user profiles which will appear to the OS as a “limited account”. For those who aren’t familiar with the various permission levels, Windows XP and Vista allow for two levels of user, limited or administrator. Users who log into the system with an administrative account will have access to Windows Steady State’s configuration and even have the option of allowing changes to save to the hard disk when shutting down the computer. Administrative users cannot be created through this interface, and are instead created the old-fashioned way through the control panel. Here is a quick breakdown of the various fields shown above in the add a new user window.
User Name - The name as you would like it to appear on the welcome screen
Password – This can be any length you like or even blank for no password.
Confirm Password – You do remember the password you just typed don’t you? Prove it!
User Location – This allows you to select the disk where the user profile will be stored. Changing this option is important to consider if you are setting up this machine for a typical home user. It will easily allow them to save pictures, documents, and even bookmarks since they are located on a separate partition which will be unaffected by the protected mode enabled in step 2. For a public machine leave the user profile on the default drive which will allow it to be sanitized each time the machine is rebooted.
6.) User Settings / General Tab
The general tab will allow you to configure a few basic features but most of the fields contained in this tab relate more to configuring a public computer. They apply mostly to a machine you might find in a school, library, or even a cyber café. Below is a rundown of the various options that might interest you.
Lock Profile – This is an extremely useful feature, especially if you choose not to protect the disk in step 2. This will prevent any changes to system settings such as the wallpaper or screen resolution from being saved when the user logs out or reboots the machine. This feature doesn’t fully protect the drive or operating system from being modified but should keep casual users out of trouble.
Log Off After – Allows you to set a limit as to how long a computer can be used in any particular session. The user will be notified at login how long they will be given to use the machine.
Always Display The Session Countdown – Annoying but often better than having your users caught off guard by an unannounced logout. This is ideal for short session timers.
Reboot Computer After Log Off – This feature is only useful if you are using the disk protection feature mentioned in step 2. This guarantees that each new login will present the OS as the administrator intended it.
7.) User Settings / Windows Restrictions Tab
This tab is where you really start to break away Windows features that commonly get inexperienced users in trouble. As you can see, there are far too many options here to explain individually, and most of what you are trying to accomplish can be done by picking a security preset which can be high, none, or anything in-between. If you are setting up a public computer, I would recommend selecting the high preset and doing a quick read through of the list, making exceptions as necessary. For home users I would select low or even none, particularly if you have disk protection enabled from step 2. Below I will point out a few of the most useful options to enable.
Prevent right-click in the Start Menu – This helps keep the appearance of the start menu consistent in non-protected drives.
Remove The Control Panel – Disabling the control panel is an important step in securing a system. If they don’t need it, don’t give it to them.
Remove The Run Icon – If you allowed Steady State to protect your hard disk users can’t really cause any permanent damage. But if your disk isn’t protected then the run menu is just another access point that is quite powerful if you know how to use it. It’s best to lock this one down.
General Restrictions – Enabling this feature activates everything below it, and for the most part everything under this tab is a good idea. A few exceptions exist, however, which I would consider reversing manually. These include Remove CD and DVD burning features, Disable Notepad and WordPad, as well as Disable keyboard shortcuts. For home users, disabling these features really detracts from the UI and doesn’t net you a whole lot of security benefits.
Hide Drives – This is useful if the administrator wants to keep files on a separate partition that limited users can’t access. Additionally, since Steady State only protects the Windows partition, it will keep users who don’t need persistent local storage from saving anything on the system’s hard drives.
8.) User Settings / Feature Restrictions Tab
Feature restrictions will give you complete control over a user’s internet session. This will allow you to set what web pages they are allowed to access and even if they will be able to set bookmarks. If control over the internet is an important consideration, then make sure you effectively locked down a user’s ability to install new software under the Windows Restrictions tab. Since these options pertain specifically to Internet Explorer, if a user can simply download a new browser (even though it might be flushed after each session) your settings won’t accomplish much.
For home users I would recommend low or no restrictions, but only if disk protection is enabled. Bookmarks can be enabled and disabled from here, but if permanent storage of your favorites is important, and you are using disk protection, make sure you created the user profile on a separate partition as noted in step 5. This will allow bookmarks to persist between sessions. By enabling Prevent Internet Access (except web sites below) you can keep kids quarantined on the internet, but services such as OpenDNS will make for a more flexible solution to this problem. It also won’t force you to maintain a manual list of kid-friendly websites.
9.) User Settings / Block Programs Tab
This tab is where Steady State will allow you to block access to individual programs which are preinstalled on the machine. This list will update as the administrator adds additional programs, and using the browse feature at the bottom, you can even seek out individual .exe files you wish to block. It’s a great way to limit access to productivity killers such as solitaire, minesweeper, and even hold ‘em if you sprang for Vista Ultimate (the Microsoft equivalent of I Am Rich). Simply highlight the file you wish to block on the left-hand side of the window and click the block button to advance it over to the right side. Once you have decided on your list, go ahead and click OK, which will return you to the main menu.
As you can see, Steady State is a powerful tool and when configured properly can do wonders for your limited tech support schedule. As useful as it is, I wouldn't recommend power users put this on their primary machine if performance is of paramount concern. Since each file needs to be copied to the cache before it is modified, the OS can sometimes lag ever so slightly, but on modern machines it's hard to notice. Microsoft claims Steady State isn’t a replacement for anti-virus and recommends the two products be used together, but to be honest, AV is a bit redundant. This is especially true if you enabled disk protection. Anti-virus software will only further bog down the system and has proven to be quite tricky when it comes to configuring it for automatic updates.
Finally, I would urge anyone who is setting up a public machine to take a few extra minutes to tighten down the BIOS. It’s important to password protect the interface and make sure you remove any boot devices before the hard drive. Steady State will protect the machine from even the most sneaky rootkits, but it can’t stop them from booting from a CD or thumb drive if you don’t tighten down every access point. For additional Steady State references check the links below.