Protect Public Computers with Windows SteadyState, Part 2

If you missed the first part in this article series please read Protect Public Computers with Windows SteadyState, Part 1

If you would like to be notified when Jakob Heidelberg releases the next part of this article series please sign up to the WindowSecurity.com Real time article update newsletter.

Part 1 of this series was a short introduction to Windows SteadyState (WSS). In this part we will see how easy it is to get in the game.

The next, and final, article in this series will introduce you to version 2.5 of this wonderful toolkit, the first version to support Windows Vista.

Before installing WSS

Before you install Windows SteadyState you should uninstall previous versions of the Microsoft Shared Computer Toolkit and earlier versions of Windows SteadyState (only relevant when installing version 2.5 which is currently in Beta).

In my world you want to start from scratch with a totally clean Windows XP installation, latest Service Pack level, latest drivers and all necessary updates (from the Windows Update website). You could use an existing Windows XP installation, remove unnecessary software applications, user profiles, temporary files etc – but instead of cleaning up an old system I would recommend starting all over (then you will not miss any existing security holes, etc). As a start, a virtual Windows XP machine should do just fine for “demo” or test purposes.

Even though Windows SteadyState offers great protection from changes, you should still install supported anti-malware software and update the definitions. Also remember to set some strong passwords for the local administrator account(s).

I would recommend installing any applications, features, services, etc the users should have available, before installing WSS – or at least before “locking down” with Windows Disk Protection (WDP).

As the very last thing before installing WSS (and enabling WDP), be sure to defragment your system drives to optimize performance. Just remember, it is only when WDP is finally enabled (see later in this article) that you can consider the system “frozen & secure”.

The first steps

Now you should be ready to run the downloaded install package. First accept the license terms if they seem OK to you; next the Windows license is validated with Windows Genuine Advantage (WGA); and then the installation starts (no further questions asked!). It takes a few minutes. Click Finish when ready.

At your desktop, and in the All Programs menu, a new “Windows SteadyState” program shortcut should now be available. At first start-up the very thorough help reference guide is launched automatically (see Figure 1), as well as the main WSS window (see Figure 2).

Figure 1: WSS: Getting Started Help

I recommend that you read this help file and the WSS handbook available here.

The “Global Computer Settings” screen (Figure 2) presents us with 3 main options which we will cover in this article:

  1. Set Computer Restrictions
  2. Schedule Software Updates
  3. Protect the Hard Disk

Other than that, in the left menu you have access to WSS resources and in the right menu User accounts can be managed, exported and imported. Configuring user properties and restrictions will also be covered later in this article.

Figure 2: WSS: Global Computer Settings

First things first: let us set Computer Restrictions. As the name implies, these are computer-wide policy settings (HKLM stuff, you could say) which will “hit” all users logging on. I will not cover all of the available settings here, but as you can see in Figure 3 they relate to the “Log On to Windows” dialog box, the Welcome screen, roaming profiles, passwords, file/folder creation, USB storage devices, etc.

Figure 3: WSS: Set Computer Restrictions

In the main WSS window, select the “Schedule Software Updates” option next. This is one of the really cool features of WSS – the ability to “freeze” the system, but still get the latest updates (OS, AV etc.) and keep them. If you have ever tried using hardware controllers for locking down the hardware state, you probably know it is a problem to keep the computers up to date. With WSS this becomes an automated task!

Figure 4 shows the Schedule Software Updates dialog – here you can Schedule Updates to occur at a specific interval, allow “Security Program Updates” (AV/Anti-Malware etc.) or even execute a custom download script for updating (security) software which is not supported and found by WSS by default.

More on scheduled Software Updates later in this article (see the separate WDP section).

Figure 4: WSS: Schedule Software Updates

In the main WSS window, select “Protect the Hard Disk” next. This is where the magic is: the cool and very useful feature called Windows Disk Protection, or just WDP. As you can see in the screenshot below (Figure 5), WDP is Off by default. As mentioned previously, a few basic things should be in place before enabling WDP, so you might want to wait at this point and come back to enable it later.

Notice you have a few different options here, but a quick hint is to use the “Remove all changes at restart” setting, as that will do for most kiosk admins around the world. It has no deep impact on performance, and the cache file (where all the changes go) is “cleaned” within a few seconds during startup; more on this later.

Figure 5: WSS: Protect the Hard Disk

The checkbox “Do not warn the administrator about losing changes before log off, restart, or shutdown” refers to the following dialog (see Figure 6) – which is shown by default with a 30 second countdown/timeout – where the administrator is reminded that WDP is currently On. So, WDP applies to all users – admins and non-admins – very effective I would say! More on WDP later in this article.

Figure 6: WSS: WDP warning for administrators

At this point the 3 Global Computer Settings for WSS have been addressed, so now it is time to look at creating Users and setting User specific limits and restrictions.

Users are next

All administrators know it, whether we like it or not, users are needed for all of our hard work to make any sense. So, let us click “Add a New User” in the main WSS window. Figure 7 shows this very intuitive and simple dialog we are presented with. Select a User name, a password (if needed), select a User location and finally the profile picture. Click OK when done.

Figure 7: WSS: Add a New User

This is when the real fun begins, now it is time to tweak the user settings in more detail. In other words: it is lockdown time! You could do most of this with a combination of a local Group Policy (but remember until Vista the local policy applies to all users including administrators), NTFS security, mandatory profiles, Parental control (only Vista), etc. However, WSS makes it extremely easy – no admin sweat here, thanks.

The General tab in User Settings (see Figure 8) gives us the option to “Lock” the profile – this is kind of the same as creating a mandatory profile (renaming User.Dat to User.Man). Also session timers are configurable here – including the option to restart the computer after log off, which would (depending on WDP settings) reset the system back to a “clean” state.

Figure 8: WSS User Settings: General tab

The Windows Restrictions tab in User Settings (see Figure 9) gives us the option to choose from 4 default configured Windows restriction levels: High, Medium, Low, No restrictions, or to go for a custom set of Windows restrictions. I cannot cover all possible Windows restrictions in this article, but to give you an idea this allows you to hide drives, remove objects in the Start Menu, prevent everything from Autoplay to printers, disable system tools, etc.

Figure 9: WSS User Settings: Windows Restrictions tab

The Feature Restrictions tab in User Settings (see Figure 10) gives us the option to choose from 4 default configured feature restriction levels: High, Medium, Low, No restrictions or to go for a custom set of feature restrictions. I cannot cover all possible feature restrictions in this article either, but to give you an idea this allows you to restrict Internet Explorer and a few Microsoft Office settings.

One very useful Internet Explorer restriction is the ability to “Prevent Internet access (except Web sites below)”. In the “Web Addresses Allowed” field, just type in whatever website(s) you want to allow (without protocol prefixes like http:// or https://) and separate with a semicolon. So many people have asked for such a possibility over the years and we have come up with some workarounds to get this to work – but now it is there, right “out-of-the-box”.
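To make the allow-list semantics concrete, here is an added Python example (not part of the article or of WSS) that parses a “Web Addresses Allowed” field and checks URLs against it. It assumes that an entry also covers its subdomains and that stray protocol prefixes or paths are stripped; the article does not state WSS's exact matching rules, and the site names are constructed.

```python
from urllib.parse import urlsplit


def parse_allowed_sites(field):
    """Parse the semicolon-separated "Web Addresses Allowed" field into a set
    of lowercase host names. WSS expects entries without a protocol prefix; a
    prefix, port or path typed by mistake is tolerated and stripped here
    (an assumption of this example, not documented WSS behaviour)."""
    hosts = set()
    for entry in field.split(";"):
        entry = entry.strip().lower()
        if not entry:
            continue
        if "://" in entry:
            entry = entry.split("://", 1)[1]
        entry = entry.split("/", 1)[0]   # drop any path
        entry = entry.split(":", 1)[0]   # drop any port
        hosts.add(entry.lstrip("."))
    return hosts


def is_allowed(url, allowed):
    """Return True if the URL's host is an allowed site or a subdomain of one
    (subdomain matching is this example's assumption). The decision is made
    on the parsed host only, never on the path, query string or user-info
    part, so a URL that merely mentions an allowed name elsewhere is denied."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in allowed)


# Constructed sample field, as an admin might type it (one entry carelessly
# entered with a prefix and trailing slash).
ALLOWED = parse_allowed_sites("www.library.example; catalog.library.example;http://news.example/")
```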

Figure 10: WSS User Settings: Feature Restrictions tab

The Block Programs tab in User Settings (see Figure 11) gives us the option to block specific executables. A list of local executables is automatically generated by WSS, but you can add certain files manually. This blocking feature works like Software Restriction Policies (SRP) by the use of hashing – for more information on SRP please see these two articles: Default Deny All Applications part 1 & Default Deny All Applications part 2.

Figure 11: WSS User Settings: Block Programs tab

The procedure is simple: just select the program file to block and click “Block” (or block all found programs by clicking “Block All”). If a user tries to open a blocked program, he/she will receive an error message, just like with SRP.
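As an added illustration of the hash-based blocking described in the Block Programs paragraphs above (example code, not WSS's own implementation; the file bytes are constructed stand-ins, not real executables), the following Python shows why a renamed copy of a blocked program stays blocked while a vendor-updated version of the same program does not, which is why the block list needs refreshing after scheduled software updates. SHA-256 is this example's choice; the article does not name WSS's hash algorithm.

```python
import hashlib

# Constructed stand-ins for program files on a kiosk; the bytes are made up
# for this example and are not real executables.
SAMPLE_FILES = {
    r"C:\Program Files\Games\solitaire.exe": b"MZ\x90\x00 constructed game binary v1",
    r"C:\Windows\notepad.exe": b"MZ\x90\x00 constructed editor binary",
}


def file_hash(data):
    """Hash over the file contents. A hash rule (as in SRP) identifies a file
    by what it contains, not by its name or location."""
    return hashlib.sha256(data).hexdigest()


def build_block_list(paths, files=SAMPLE_FILES):
    """Mimic clicking 'Block' on the selected programs: record their hashes."""
    return {file_hash(files[p]) for p in paths}


def is_blocked(data, block_list):
    """The check performed at launch time: is this exact content on the list?"""
    return file_hash(data) in block_list


def block_decisions(block_list):
    """Evaluate three situations a kiosk admin runs into after blocking the
    game: the original file, a copy saved under another name, and the same
    program after a vendor update changed its bytes."""
    game = SAMPLE_FILES[r"C:\Program Files\Games\solitaire.exe"]
    renamed_copy = game                            # same bytes, new name
    patched_game = game.replace(b"v1", b"v2")     # updated contents
    return {
        "original": is_blocked(game, block_list),
        "renamed_copy": is_blocked(renamed_copy, block_list),
        "patched_version": is_blocked(patched_game, block_list),
    }


if __name__ == "__main__":
    bl = build_block_list([r"C:\Program Files\Games\solitaire.exe"])
    print(block_decisions(bl))
```

The patched version is not caught because its hash differs, so after Schedule Software Updates has run, re-open the Block Programs tab and block the new version of any program you want kept off the kiosk.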

Windows Disk Protection (WDP)

WDP is a cool technology which caches changes made to any files on the Windows system partition. The cache is a physical file (C:\Cache.WDP) which by default takes up 50% of your system partition (up to a maximum of 40 GB), but this can be tweaked down to a minimum of 2 GB by clicking “Change cache file size” in the “Protect the Hard Disk” window. The cache is cleared at certain intervals; my recommendation is with every restart (during the boot process). Changing the cache file size may require additional reboots.

Compared to Windows System Restore (WSR) it is much more effective, as WSR only monitors changes to a core set of system and program files (like the important registry files). On top of that, WSS with WDP enabled will even restore the condition of personal user profiles and data (e.g. Desktop, Favorites, History, Documents, etc.). This is done automatically, without any user or admin intervention!

What is important to understand about this is how Schedule Software Updates works with WDP enabled. Basically, this is the update procedure in a nutshell:

  1. Active users are logged off when the scheduled update time has arrived.
  2. The computer is restarted so any disk changes are cleaned.
  3. Shared user accounts are disabled to prevent unapproved disk changes.
  4. WDP: “Retain all changes permanently” is enabled automatically to make sure changes are saved.
  5. Updates are downloaded and installed (manual scripts are executed).
  6. The computer is restarted.
  7. WDP is set back to “Remove all changes at restart”.

With some scripting skills you can make sure your system is nice and clean – and automatically brought up to date at the same time. This is the main difference between WDP and hardware protection solutions.

A few questions answered

These are some questions I have received since the last article in this series:

Does WSS support WSUS?
Yes, WDP will download and install updates from Microsoft Update, Windows Update, or Windows Server Update Services (WSUS), depending on client settings.

Does WSS support domain membership?
Yes, a WSS machine can be a member of an Active Directory domain.

Does WSS support the use of SYSPREP?
Yes, just remember to disable WDP and unlock any locked users first.

Does WSS support Windows Vista?
No, not at this point anyway. But, a public Beta program (WSS version 2.5) is available at no cost from Microsoft right here – also get the new handbook here.

If I have set user restrictions, limits, blocked programs, etc. and want to use the exact same settings on another WSS computer, how would I do that – manually?
No, just use the Export feature in the WSS main window, save the .SSU file (see Figure 12), copy the file to the other machine and use the Import feature there – all done!

Figure 12: WSS: Successfully exported user settings to a file

Can I manage WSS by using Group Policies in my Active Directory domain?
Yes, an ADM file (SCTSettings.adm) is part of the WSS toolkit (found under “<Program Files>\Windows SteadyState\ADM”); by adding it to “Administrative Templates” in a GPO you get nearly full control of all WSS settings.

Conclusion

Windows SteadyState is a cool toolset offering great control and flexibility at the same time. It is very “admin-friendly” with a nice GUI and a very thorough help system (make sure to check out the handbook as well). I can recommend all administrators of public machines, like Internet kiosks, Public library machines etc., to take a look at this tool right away.

Even home users could take advantage of this tool to make sure the kids can use the family computer(s) safely – even without the chance of them “breaking” anything. After the next reboot you know exactly what you will get: a Steady State!
