Windows Lockdown For Kiosks

Windows Lockdown Software for Kiosk Mode

Comment: Windows lockdown software has a long history, and there are numerous articles regarding assigned access, as it is called, and the many problems involved. Trying to DIY with the standard Windows tools rarely turns out well, and then it has to be redone for the next iteration of Windows. Windows XP was the first commercially used Windows software. It still runs on many ATMs and I suspect a few airline kiosks. For that matter, most credit card readers are not encrypted in this day and age. Doing your own lockdown because you think you are extremely cheap or you have the available resources is the usual rationale. Our advice is to at least educate yourself first on the trials and tribulations that industrial strength (and secure) software has been through over the last 10 or so generations while you begin your first generation.

It may sound less than tactful, but the fact is, if you think about it, most times you try to go cheap, it ends up being much more expensive. Nobody wants to spend an exorbitant amount of money unnecessarily. It’s just a matter of calculating the probability of that happening based on a decision.

Kiosk Mode Software Providers Recommended

  • KioWare software for lockdown and remote monitoring
  • Esper Android Cloud Solutions
  • Sitekiosk – Android and Windows lockdown, remote management and CMS for digital signage

Windows 10 Kiosk Mode Definition – What is Kiosk Mode?

Locking down your computer so that it does what it is supposed to do, and only what it is supposed to do, is usually accomplished by kiosk lockdown software. Many times the IT department will first opt for tweaking the Windows OS. Most times this inevitably does not work, if only because the “really smart guy” who did it is no longer there.

That solution is the “kiosk mode” solution. These days you have a Chrome Kiosk Mode as well as “Assigned Access” under Windows 8.1, and these are never used in major unattended self-service deployments, and for good reason. If you have a couple of units in the lobby and an eager IT person, then maybe kiosk mode will work for you.

Better to use an established and supported lock down which you can always get support for and is not dependent on one person. Examples are:

Windows Lockdown Kiosk Mode

Windows 8 introduced a new feature that has effectively been dubbed “Kiosk Mode” due to its ability to lock down Windows to a single application that the user can run. This kiosk mode option can be useful for a surface level of security, but does not provide the level of security needed for self-service or public access computers.

Personal data is at risk as is browser history, passwords, and other private information. The integrity of the computer is also at risk, as any downloads and uploads provide access to the local file system and expose the computer to malicious files or intent.

For true protection, restrictions and security, it is recommended that kiosk software be utilized. KioWare has multiple options (from KioWare Lite to KioWare Full with Server) that will allow more control and provide true security to protect both the device and the user.  Read the full article about Windows Kiosk Mode limitations and capabilities by downloading the pdf.  Kiosk Mode Limitations

Related Articles

What is “Kiosk mode”?

Browser Kiosk Mode

Generally, kiosk mode refers to a particular “mode” that most browsers offer. “Kiosk Mode” is offered by browser applications (Internet Explorer, Chrome, Firefox, etc.) to run the application full screen without any browser user interface such as toolbars and menus. The intent of most people setting up “kiosk mode” is to prevent the user from running anything other than the browser-based content in the full screen browser window.

What kind of security does a browser’s Kiosk Mode offer and is it a viable solution for users?  If “Kiosk mode” is meant to create a “Kiosk like environment”, the kiosk mode option on your browser is likely insufficient.

Kiosks tend to be deployed in a self-service environment, which means the user of the kiosk is not formally associated with the kiosk. In short, the user doesn’t own the kiosk and isn’t responsible for the proper functioning of the kiosk. The user just wants the kiosk to provide a defined service. This can cause a problem for Kiosk Mode browsers, because they do not handle the following situations.

Session Management – User Data Security

For most applications, a self-service or public access kiosk needs to clean itself of the current user’s data when the user leaves.  How does the kiosk know a user has left?  The simplest solution is an inactivity timer, but that can be a problem if the kiosk has a queue of users, and the next user steps up and begins using the kiosk before the inactivity timer runs out.  In this case, a proximity switch or security mat is required.  Regardless, when a user’s session is finished the kiosk needs to delete all record of the user.  This means clearing cache, user session data and potentially the print queue.

It is also important for the kiosk to reset to the start page of the application when a user session has ended. There is nothing more confusing to the next user than to see the kiosk at screen #20 of the application.
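The session-end behaviour described above, including the queue case where the next user arrives before the inactivity timer fires, can be modelled as follows. This is an added example, not code from any product named on this page; the class, the simulate() scenario, the page paths and the in-memory stores standing in for cookies, cache and print queue are all assumptions.

```python
class SessionManager:
    """Ends a session on sensor vacancy or, as a fallback, on inactivity."""

    def __init__(self, idle_timeout, cleanup_steps, start_page):
        self.idle_timeout = idle_timeout    # seconds without input
        self.cleanup_steps = cleanup_steps  # list of (name, callable)
        self.start_page = self.page = start_page
        self.active, self.last_input = False, None
        self.ended = []                     # (reason, names of failed steps)

    def on_input(self, now, page=None):
        """Touch, key press or navigation starts or extends the session."""
        self.active, self.last_input = True, now
        self.page = page or self.page

    def on_presence(self, occupied):
        """Proximity switch or security mat changed state."""
        if self.active and not occupied:
            self._end("user left")

    def tick(self, now):
        """Poll periodically; the only exit path when no sensor is fitted."""
        if self.active and now - self.last_input >= self.idle_timeout:
            self._end("inactivity")

    def _end(self, reason):
        failed = []
        for name, step in self.cleanup_steps:
            try:
                step()
            except Exception:               # a failing step must not skip the rest
                failed.append(name)
        self.active, self.page = False, self.start_page
        self.ended.append((reason, failed))


def simulate(with_sensor, idle_timeout=120):
    """Constructed scenario: user A leaves at t=35 s, user B steps up at t=40 s."""
    store = {"cookies": {}, "cache": {}, "print_queue": []}
    sm = SessionManager(idle_timeout,
                        [(name, store[name].clear) for name in store], "/start")
    sm.on_input(0, page="/form/step20")
    store["cookies"]["sid"] = "user-A"      # data left behind by user A
    if with_sensor:
        sm.on_presence(False)               # mat reports that A stepped off
    sm.tick(40)                             # 40 s < timeout: the timer stays silent
    seen_by_b = (sm.page, dict(store["cookies"]))
    sm.on_input(40)                         # B's first touch
    return seen_by_b, list(sm.ended)
```

With the timer alone, simulate(False) shows user B arriving on user A's page with A's cookie still present; with the sensor, simulate(True) shows a cleared store and the start page.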

Full Keyboard Blocking

Sometimes the kiosk deployment uses the standard computer keyboard. The standard keyboard has a long list of keys that a user should not be able to use. In a Windows environment, the key combination of Ctrl-Alt-Del can create havoc on a device in a browser kiosk mode state. In Windows, a sophisticated kiosk owner can change Group Policies to minimize the Ctrl-Alt-Del hazard, but the list of individual keys and key combinations which need to be blocked is extensive. The main issue with Group Policies is that they aren’t intuitive. Group Policies are difficult to set up properly initially, and can be inadvertently and quickly undone by a future kiosk programmer/staff member.

Application Restart, Memory Management

Kiosks tend to run unattended for long periods of time, and many browser-based applications are designed to be run once and then be closed (e.g., internet websites). This means that the application can continue to grab a larger chunk of memory with each run. This is particularly an issue for a kiosk where the application is being run repeatedly. At some point enough memory has been used that the operating system starts to suffer and the kiosk stops functioning properly. The kiosk needs to be smart enough to monitor its own health and when necessary restart the application or even restart the kiosk. Browser-based Kiosk modes do not address this need.
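One way to structure the health monitoring described above is a decision function fed with periodic samples. This is an added example, not code from any product named on this page; the soft and hard memory limits, the restart budget and the sample values are assumptions chosen for illustration.

```python
class Watchdog:
    """Decides when the kiosk application, or the whole kiosk, is restarted."""

    def __init__(self, soft_mb, hard_mb, max_restarts, window_s):
        self.soft_mb = soft_mb            # restart at the next idle moment
        self.hard_mb = hard_mb            # restart even during a session
        self.max_restarts = max_restarts  # app restarts tolerated per window
        self.window_s = window_s
        self.restarts = []                # timestamps of recent app restarts

    def decide(self, now, rss_mb, responsive, session_active):
        """Return 'ok', 'restart_app' or 'reboot_kiosk' for one health sample."""
        unhealthy = (not responsive or rss_mb >= self.hard_mb
                     or (rss_mb >= self.soft_mb and not session_active))
        if not unhealthy:
            return "ok"
        self.restarts = [t for t in self.restarts if now - t < self.window_s]
        if len(self.restarts) >= self.max_restarts:
            self.restarts.clear()         # restarting the app is not helping
            return "reboot_kiosk"
        self.restarts.append(now)
        return "restart_app"


# Constructed samples: (seconds, app memory in MB, responsive, session active)
SAMPLES = [(0, 400, True, False), (600, 850, True, True), (660, 870, True, False),
           (1200, 1600, True, True), (1800, 300, False, False)]


def replay(samples=SAMPLES):
    """Run the constructed samples through a watchdog and return its decisions."""
    wd = Watchdog(soft_mb=800, hard_mb=1500, max_restarts=2, window_s=3600)
    return [wd.decide(*s) for s in samples]
```

The soft limit is deferred while a user is at the kiosk so that a session is not interrupted, and repeated application restarts inside the window escalate to a reboot of the kiosk.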

Custom Toolbars

By definition Kiosk Mode removes all of the browser’s toolbars and menus. As such, the application needs to have navigation built-in or a navigation toolbar needs to be displayed.  Forward, Back and Home buttons are a minimum requirement with perhaps a print button and scroll buttons as necessary.

Printers and Other External Devices

For security reasons, it is critical to not show the normal OS print dialog when a user requests a print.  Even more critically for internet content which may have embedded print buttons, the device must properly handle inadvertent print button selection when the kiosk has no printer. This needs to be properly handled or else OS dialogs will be displayed.  This can be both confusing to the user and a serious security risk.

Internet Content, Domain “Allow” Lists

Often a kiosk provides access to a specific website or websites, and it is critical to keep the user on that specific website or websites, or even certain selected pages of that website/websites.  In addition, certain allowed website domains/pages may have links to download files.  These files can be confusing and distracting at best and serious security issues at worst.  As such, file downloading action needs to be blocked.  In addition, there may be links to enable the user to send an email using HTML’s [MailTo] tags.  Clicking this button will attempt to open an email tool which a) likely isn’t installed and will error out (again confusing to the user, potential security issue) or b) if an email tool happens to be installed, then this could almost certainly cause a huge security risk.  The kiosk needs to prevent [MailTo] tags from being clicked.
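The allow-list, download-blocking and mailto rules described above can be expressed as a small policy check applied to every navigation and every response. This is an added example, not code from any product named on this page; the host names, path prefixes, renderable content types and the function names check_navigation and check_response are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed policy for illustration: host -> permitted path prefixes.
ALLOWED = {"www.example.org": ["/"], "forms.example.org": ["/apply/"]}
ALLOWED_SCHEMES = {"https"}
RENDERABLE = {"text/html", "text/css", "application/javascript",
              "image/png", "image/jpeg"}


def check_navigation(url):
    """Return (allowed, reason) for a URL the kiosk is asked to load."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Rejects mailto:, file:, javascript: and any other protocol handler.
        return False, f"scheme '{parts.scheme.lower()}' blocked"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").rstrip(".")
    prefixes = ALLOWED.get(host)  # exact match only, never substring tests
    if prefixes is None or port not in (None, 443):
        return False, f"host '{host}' not on allow list"
    # Decode and normalise so /apply/%2e%2e/admin cannot pass as /apply/...
    path = posixpath.normpath(unquote(parts.path) or "/")
    for prefix in prefixes:
        if path.startswith(prefix) or path == prefix.rstrip("/"):
            return True, "ok"
    return False, f"path '{path}' outside permitted pages"


def check_response(headers):
    """Return (render, reason); a response that cannot render is a download."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("content-disposition", "").strip().lower().startswith("attachment"):
        return False, "attachment download blocked"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in RENDERABLE:
        return False, f"content type '{ctype}' is not rendered inline"
    return True, "ok"
```

Matching the host exactly and the scheme against a short permitted set means that anything not listed, including a mailto link or a lookalike host name, is refused by default rather than by a block list that has to anticipate it.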

OS GUI

Windows, in particular, has a bad habit of popping up dialog windows, task bar, charms bar, etc., for a variety of reasons completely unrelated to the application. They are at minimum confusing to a kiosk user and serve as a potential security threat.  The kiosk needs to prevent these items from being displayed to the user.

It is clear that for a majority of self-service applications, browser Kiosk Mode options have limitations that prevent them from being a viable solution. Moving to a kiosk software solution will provide you with the security that you need. Using kiosk software solutions, you won’t inadvertently leave open a serious security hole or a confusing user experience. The user experience will benefit while keeping user and company data secure.

Kiosk Mode Lockdown Software Feature list Example

KioWare Lite for Windows features:

  • Pop-up window control
  • Keyboard Filtering
  • Clear User Data
  • Custom Toolbar & Attract Screen
  • File Download Blocking
  • Virtual Keyboard
  • Clearing of Cookies, Cache & Print Queue at Session End

KioWare Basic for Windows features:

  • All KioWare Lite features
  • Multiple Monitor Support
  • External Device Support (Security Mats, Proximity Switches)
  • Input Device Support (MSR, Barcode Readers, Cash/Coin Acceptors)
  • Output Device Support (RFID Tag, Magstripe Card, Cash Dispensers)

KioWare Full for Windows features:

  • All KioWare Lite features
  • All KioWare Basic features
  • Kiosk Management Tools via KioWare Server (Device Organization, Content Management, Remote Monitoring, Device Usage Statistics, Reporting)

There are also Linux-based systems, which Linux geeks will always tell you are much easier to set up and have fewer issues. Here are a few pre-packaged systems to look at:

https://www.porteus.org/
https://www.binaryemotions.com/webkiosk-os/download.html
https://sanickiosk.org/

One that is cross-platform browser based:
https://openkiosk.mozdevgroup.com/
