Article by Massimiliano Chini

Desktop Lockdown: elaborated vs ‘Agile’ way of doing it

Desktop lockdown is a way to simplify the use of a computer dedicated to a single task. Being able to run only the dedicated programs makes it difficult for users to compromise the system, whether intentionally or not.

This configuration is useful whenever you want to create an information kiosk, a point of sale or another system used by people in a public place. In the office it can make it easier to use a thin-client-style remote access workspace; it is also useful for configuring a computer dedicated to controlling a machine. Basically, with desktop lockdown we want Windows to have an autologin account that runs only certain applications.

There are various ways to achieve this result, depending on your operating system. In this article we will go through two different ways of doing it: setting the registry keys in Windows, and using Praim Agile Mode.

By using Windows

Windows 10 Enterprise and Education have the AppLocker feature to facilitate the setup of a dedicated computer. The setup still requires a set of rules to be defined through Local Security Policy and Local Group Policy on each machine. At the following link you can find the steps needed to set up your PC for this use:

https://technet.microsoft.com/en-us/itpro/windows/manage/lock-down-windows-10-to-specific-apps

Generally, you can dedicate a machine to a single application in this way:

  1. Create a new user and set it to autologin.
  2. Limit the operations available from the Ctrl-Alt-Del screen (user switching).
  3. Start a launcher or your preferred application instead of the default Windows shell (explorer.exe).

Let’s look at these operations in detail:

  • Autologin

Create a new user (Lockdown) and set a non-expiring password (Lockdp$d). To make it log in automatically at startup, add the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Lockdown"
"DefaultPassword"="Lockdp$d"

Next, we make sure that the user cannot change the password or launch other programs from Task Manager.

  • Limit Ctrl-Alt-Delete

Log in as the Lockdown user so that the system creates that user's profile directories.
Then add the registry keys for the restrictions:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableChangePassword"=dword:00000001
"DisableTaskMgr"=dword:00000001

  • Change shell

To change the user's shell you need to add another registry key for that user:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="c:\...\launcher.exe -parameters"

The user will have only this program available. It is the administrator's task to give the user all the tools s/he needs. Without the explorer.exe shell, the user's possibilities of interacting with the system are reduced to using only the program the administrator has made available.

An easy way to manage more programs at startup is to use a .vbs script.

In this case:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="wscript /b /nologo c:\Lockdown\Launch.vbs"

For example, using the following script you can make sure that when the user closes the program the PC is turned off:

' Launch Internet Explorer in kiosk mode and wait until the user closes it
Set shell = CreateObject("WScript.Shell")
shell.Run "iexplore.exe -K www.praim.com", 1, True
' Once the browser has exited, shut the PC down immediately
shell.Run "shutdown /s /t 0"
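The three steps above can be applied and, more usefully for day-to-day operation, re-verified with one script, so that a kiosk whose shell or Task Manager restriction has been changed is noticed rather than silently running with a full desktop. The following PowerShell is an added example written for this article, not code from the author or from Praim. It assumes the Lockdown user name, password and the c:\Lockdown\Launch.vbs shell from the steps above, that the script runs from an elevated PowerShell, and that the kiosk user has logged in at least once and is currently logged on, so that its hive is loaded under HKEY_USERS (the per-user keys are written there because an administrator cannot run the script as the kiosk user itself).

```powershell
# Added example (not from the article): apply and re-verify the registry-based
# lockdown described above. Run from an elevated PowerShell on the kiosk PC.
# Assumptions: the kiosk user is named 'Lockdown', has logged in at least once and
# is currently logged on; the launcher is c:\Lockdown\Launch.vbs, as in the article.

$KioskUser     = 'Lockdown'
$KioskPassword = 'Lockdp$d'   # article's example value; change it. Stored in cleartext in HKLM.
$KioskShell    = 'wscript /b /nologo c:\Lockdown\Launch.vbs'

# Machine-wide keys (autologon) and per-user keys (restrictions, shell) from the article.
$MachineKeys = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' = @{
        AutoAdminLogon  = @{ Value = '1';            Type = 'String' }
        DefaultUserName = @{ Value = $KioskUser;     Type = 'String' }
        DefaultPassword = @{ Value = $KioskPassword; Type = 'String' }
    }
}
$UserKeys = @{
    'Software\Microsoft\Windows\CurrentVersion\Policies\System' = @{
        DisableChangePassword = @{ Value = 1; Type = 'DWord' }
        DisableTaskMgr        = @{ Value = 1; Type = 'DWord' }
    }
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon' = @{
        Shell = @{ Value = $KioskShell; Type = 'String' }
    }
}

function Get-KioskHiveRoot {
    # Resolve the kiosk user's SID and return the path of its loaded hive under HKEY_USERS.
    param([string]$User)
    $sid = (Get-LocalUser -Name $User -ErrorAction Stop).SID.Value
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $root = "HKU:\$sid"
    if (-not (Test-Path $root)) {
        throw "Hive of '$User' is not loaded: log in as that user once and keep the session open."
    }
    return $root
}

function Set-RegistryValues {
    # Create the key if needed and write every expected value with its registry type.
    param([string]$Path, [hashtable]$Values)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Path -Name $name -Value $Values[$name].Value `
            -PropertyType $Values[$name].Type -Force | Out-Null
    }
}

function Test-RegistryValues {
    # Emit one finding per missing or changed value; emits nothing when the key is intact.
    param([string]$Path, [hashtable]$Values)
    foreach ($name in $Values.Keys) {
        $expected = "$($Values[$name].Value)"
        $actual   = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual)       { "$Path\$name is missing"; continue }
        if ("$actual" -ne $expected) { "$Path\$name is '$actual', expected '$expected'" }
    }
}

function Set-KioskLockdown {
    $userRoot = Get-KioskHiveRoot -User $KioskUser
    foreach ($k in $MachineKeys.Keys) { Set-RegistryValues -Path $k -Values $MachineKeys[$k] }
    foreach ($k in $UserKeys.Keys)    { Set-RegistryValues -Path "$userRoot\$k" -Values $UserKeys[$k] }
}

function Test-KioskLockdown {
    # Run this periodically to detect tampering with the kiosk configuration, e.g. a
    # restored explorer.exe shell or a re-enabled Task Manager.
    $userRoot = Get-KioskHiveRoot -User $KioskUser
    $findings = @()
    foreach ($k in $MachineKeys.Keys) { $findings += @(Test-RegistryValues -Path $k -Values $MachineKeys[$k]) }
    foreach ($k in $UserKeys.Keys)    { $findings += @(Test-RegistryValues -Path "$userRoot\$k" -Values $UserKeys[$k]) }
    if ($findings.Count -eq 0) { 'Lockdown configuration intact.' } else { $findings }
}

Set-KioskLockdown
Test-KioskLockdown
```

Two points worth keeping in mind when using this approach. DefaultPassword is a cleartext REG_SZ value in HKLM that any local user can read, so the kiosk account should be a standard user with no rights beyond what its single application needs, and the value should never be reused elsewhere. And because the restrictions live in the user's own hive, Test-KioskLockdown is only meaningful while that hive is loaded, which on an autologin kiosk is the normal state.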

By using Praim Agile

A quicker and more comprehensive tool, which also offers many other possibilities, is Praim Agile.
You can lock down the desktop without performing the configuration steps above on the PC. In addition, the software provides a well-structured launcher and lets you change the configuration through the ThinMan management console.

Fig. 1 Enable Praim Agile Mode (administrator side).

Fig. 2. Configuration of programs the user will be authorised to use (administrator side).

Fig. 3 Resources panel with the programs set for the user (user side).

Visit the website pages to know more about what these products can do for your company:
