When deploying Windows XP as an internet kiosk (yes, some legacy systems still exist in specialized use cases), we need three core security layers:
- Shell replacement to prevent desktop access
- Browser lockdown through group policy
- Automated system restoration
Replace explorer.exe with a custom shell using this registry modification (create a .reg file):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -k http://client-site.com"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
For Internet Explorer, create a security zone policy (kiosk.reg):
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000003
"CurrentLevel"=dword:00011000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserContextMenu"=dword:00000001
"AllowToRunRestricted"=dword:00000000
Implement a scheduled task that runs this batch script daily (recovery.bat):
@echo off
:: Overwrite the live system with the stored clean image (subdirectories, hidden and read-only files included)
xcopy "C:\kiosk\clean-image" "C:\" /E /Y /H /R
:: Restart the Automatic Updates service (wuauserv on XP) so it picks up the restored state
net stop wuauserv
net start wuauserv
For non-technical maintainers, Microsoft's discontinued (but still functional) SteadyState tool provides:
- User account restrictions
- Disk protection
- Browser lockdown
Additional hardening measures:
Windows Registry Editor Version 5.00
; Disable the USB mass-storage driver (USBSTOR start type 4 = disabled)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
; Disable the command prompt for the kiosk user (2 = block cmd.exe but still allow batch files, which the shell script needs)
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
When deploying Windows XP as a locked-down kiosk system, we need to implement three key security layers:
- Desktop lockdown to prevent access to OS functions
- Browser restrictions to specific URLs
- A recovery mechanism that non-technical staff can operate
The most effective approach is to replace Explorer.exe with a custom shell. Create a batch file named kiosk.bat:
@echo off
:: Launch the browser in kiosk mode, then keep watching it and relaunch it whenever it is closed
:start
start "" "C:\Program Files\Internet Explorer\iexplore.exe" -k http://client-website.com
:wait
ping -n 10 127.0.0.1 > nul
tasklist | find /i "iexplore.exe" > nul || goto start
goto wait
Then modify the registry to set this as the shell:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\kiosk\\kiosk.bat"
For Internet Explorer, we can enforce URL restrictions through Group Policy. Create a GPO that:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
"AllowedDomains"=hex(7):63,00,6c,00,69,00,65,00,6e,00,74,00,2d,00,77,00,65,\
  00,62,00,73,00,69,00,74,00,65,00,2e,00,63,00,6f,00,6d,00,00,00,00,00
For Firefox (if preferred), use the about:config settings:
lockPref("network.proxy.type", 0);
lockPref("browser.fixup.alternate.enabled", false);
lockPref("general.useragent.override", "KioskMode/1.0");
Create a scheduled task that runs nightly to restore the system:
schtasks /create /tn "Kiosk Reset" /tr "C:\kiosk\reset.bat" /sc daily /st 23:00
Contents of reset.bat:
@echo off
:: Close the browser so the profile files are not in use
taskkill /f /im iexplore.exe
:: Wipe the kiosk user's profile (subfolders included) and restore the clean copy, hidden files included
del /f /q /s "C:\Documents and Settings\KioskUser\*.*"
xcopy "C:\kiosk\clean-profile\" "C:\Documents and Settings\KioskUser\" /e /y /h
:: Reboot after a 30-second delay
shutdown /r /t 30
Additional measures to implement:
- BIOS password to prevent boot from other devices
- Case locks to prevent hardware tampering
- USB ports disabled via Device Manager
For simple remote assistance, configure a VNC server with view-only password:
[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4]
"Password"=hex:39,87,a6,f4,72,67,4a,1b
"ViewOnlyPassword"=hex:2a,95,b4,e2,51,46,3a,09
For more sophisticated management, consider a custom web interface that can trigger the reset script.
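Both answers above hand out registry baselines but give no way to confirm that a deployed kiosk still matches them. The following Python script is an added example, not code from either answer: it parses a `reg export` of the kiosk keys, decodes the dword and hex(7) REG_MULTI_SZ literals (so the AllowedDomains blob above reads back as "client-website.com"), and reports every baseline value that is missing or has drifted. The sample export and the baseline values are constructed from the settings quoted in the answers.

```python
import re
# Constructed sample of the kiosk settings from the answers above, as "reg export" would write them.
KIOSK_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\kiosk\\kiosk.bat"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
"AllowedDomains"=hex(7):63,00,6c,00,69,00,65,00,6e,00,74,00,2d,00,77,00,65,\
  00,62,00,73,00,69,00,74,00,65,00,2e,00,63,00,6f,00,6d,00,00,00,00,00
'''
IE_POL = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions"
# Hardening baseline: (key, value name) -> decoded value the kiosk must have.
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): r"C:\kiosk\kiosk.bat",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR", "Start"): 4,
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD"): 2,
    (IE_POL, "NoBrowserOptions"): 1,
    (IE_POL, "AllowedDomains"): ["client-website.com"],
}
def decode_value(raw):
    """Decode one .reg literal: quoted string, dword:, or hex(7): REG_MULTI_SZ."""
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):  # UTF-16LE strings, each NUL-terminated, then a final NUL
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return raw  # other types (hex:, expandable strings) are kept as their raw literal

def parse_reg(text):
    """Parse .reg text into {(key, name): value}; backslash-continued hex lines are joined first."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key:
            name, _, raw = line.partition("=")
            values[(key, name.strip('"'))] = decode_value(raw.strip())
    return values

def audit(text, baseline=BASELINE):
    """Return (key, name, expected, actual) for each baseline entry that is missing or has drifted."""
    found = parse_reg(text)
    return [(k, n, e, found.get((k, n))) for (k, n), e in baseline.items() if found.get((k, n)) != e]
```

Run `audit()` on the concatenated output of `reg export` for each kiosk key; an empty list means the baseline is intact.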