Figure 1: WSS: Initial help (Getting Started)
We recommend reading this tutorial file and the WSS handbook
The 'Global Computer Settings' screen (Figure 2) shows us the 3 main options, 3 options will be introduced in this article:
In addition, in the left menu you can access WSS resources and in the right menu, user accounts can be managed, exported and imported. Configuring user attributes and restrictions will also be introduced in this article in the following section.
Figure 2: WSS: Global Computer Settings
First - let's set up restrictions (Computer Restrictions) for computers. As its name implies, here are completely wide policy settings for computers that will 'hit' all users who are logged on. We do not recommend all of these settings here, but you can see in Figure 3 that it is related to the 'Log On to Windows' dialog, Welcome screen, user profile, password, and creation. files and folders, USB devices, .
Figure 3: WSS: Set Computer Restrictions
In the WSS main window, select the ' Schedule Software Updates ' option. This is one of the great features of WSS - the ability to "stabilize" the system, but still needs new upgrades (for the operating system .) and needs to be updated regularly. If you have ever used a hardware controller to lock the hardware state, it may be a problem to keep your computers up to date. With WSS this becomes an automated task!
Figure 4 shows the Schedule Software Updates dialog box - here you can schedule an upgrade to appear at a specific time, allowing upgrading of security programs - ' Security Program Updates ' ( AV / Anti-Malware, .) or even execute a custom download script for software upgrade (security) that is not supported and detected by WSS by default.
Figure 4: WSS: Schedule Software Updates
In the main WSS window, select the ' Protect the Hard Disk ' section. This is where there are many important features - a very useful feature called: Windows Disk Protection, or WDP for short. As you can see in the screen below (Figure 5), WDP is off by default. As mentioned earlier, some basic things are required before enabling WDP, so you need to wait and activate it later.
Note here that you have a number of different options - but the suggestion is to use the 'Remove all changes at restart' setting because that setting will be done for most administrative tasks. It has no major impact on performance and file cache (where all changes take place), completely deleted in a few seconds during boot. We will cover it carefully below.
Figure 5: WSS: Protect the Hard Disk - protect the hard disk
The ' Do not warn the administrator ' checkbox about losing changes before log off, restart, or shutdown 'will bring up a dialog box (see Figure 6) - this dialog box is displayed by default for 30 seconds - then admin The administrator is reminded that WDP is currently ON. Therefore, WDP will apply to all users - administrators or not administrators. We will introduce WDP in more detail in the section below.
Figure 6: WSS: WDP alerts the administrator
In this section, the 3 global settings of the computer for WSS are targeted, so it is time to observe the creation of the User and setting certain restrictions for User.
Create User
All administrators know how to do this, the users needed for the necessary work. Therefore, let's click ' Add a New User ' in the main WSS window. Figure 7 shows this problem very intuitively and simply as we see it. Select User name , password (if needed), select User location and finally the picture for profile. Click OK when the above tasks are done.
Figure 7: WSS: add new users
Now interesting things really start, this is where we can adjust user settings in more detail. You can do most of this tweaking by combining internal Group Policy (but remember until Vista's internal policy applies to all users including administrators), security. NTFS, profiles are mandatory, controls for higher levels (Vista only), . However, WSS makes these tasks much easier.
The General tab in User Settings (see Figure 8) gives us the ' Lock ' profile option - this is the same type as creating a mandatory profile (renaming User.Dat to User.Man ). The session timer can also be configured here - it is possible to restart the computer after logging out, which (depending on WDP settings) will restart your system to the state 'clean'.
Figure 8: WSS User Settings: General tab
The Windows Restrictions tab in User Settings (see Figure 9) gives us options from the four default configured restrictions: High, Medium, Low and Unrestricted - equivalent to High, Medium, Low, No restrictions. or you can set these restrictions arbitrarily. I cannot introduce all the limitations here, but I will give you the idea that this will allow you to hide the drive, remove objects in the Start menu to prevent anything from Autoplay. to the printer and disable system tools, .
Figure 9: WSS User Settings: Windows Restrictions tab
The Feature Restrictions tab in User Settings (see Figure 10) lets us choose from four default options: High, Medium, Low, No restrictions or arbitrarily set feature restrictions. We cannot recommend all the restrictions here, but can only tell you that it allows to restrict Internet Explorer and some Microsoft Office settings.
One of the most useful Internet Explorer restrictions is the ability to ' Prevent Internet access (except Web sites below) ' (the ability to block access except for some websites given below). In the ' Web Addresses Allowed ' field, simply type in any website you want to allow (without the http:/// or https: // protocol prefix) and a comma separated by a ' ; .
Figure 10: WSS User Settings: Feature Restrictions tab
The Block Programs tab in User Settings (see Figure 11) gives us an option to block certain executable tables. The list of internal executable tables will be created automatically by WSS, but you can manually add files. This feature works like Software Restriction Policies (SRP) by using aggregate. For more details about SRP, you can refer to the series of articles that we introduced on QuanTriMang.com: By default deny all applications.
Figure 11: User Settings: Block Programs tab
This procedure is very simple - you just need to select the program file to lock and click ' Block ' (or lock all the programs found by clicking 'Block All'). If a user wants to open locked programs, he or she will receive an error message like the one in SRP.
Windows Disk Protection (WDP)
WDP is an excellent technology to hide changes made to files on the Windows system partition. The cache is a physical file ( C: Cache.WDP ) that has a default value of up to 50% of your system partition (up to 40GB maximum), but this number can be adjusted to a minimum. 2GB by clicking on ' Change cache file size ' in the ' Protect the Hard Disk ' window. The cache is deleted regularly from time to time - best for us with each restart (during the boot process). Adjusting the cache file size may require repeated reboots.
WDP compared to Windows System Restore (WSR) is much more efficient, because WSR only checks changes to a core set of system and program files (like important registry files). However, on WSS platform, WDP is enabled, you can completely restore the conditions of individual user profiles and data (eg Desktop, Favorites, History, Documents, .). This is done automatically without any user or administrator intervention!
The important things to understand about this are how Schedule Software Updates works when WDP is enabled. Basically this is an upgrade procedure in nutshell (brief table):
With some scripting skills, you can make sure your system is always neat and clean - automatically upgraded. This is the difference between WDP and other hardware protection solutions.
Some questions and answers
Does WSS support WSUS?
The answer here is yes, WDP will download and install updates from Microsoft Update, Windows Update, or Windows Server Update Services (WSUS) - this depends on your client settings.
Does WSS support domain members?
The answer is yes, the WSS computer can be a member of an Active Directory domain.
Does WSS support the use of SYSPREP?
Yes, remember to disable WDP and unlock previously blocked users.
Does WSS support Windows Vista operating system?
Up to this point No, however, a Beta program (WSS version 2.5) is currently available completely free from Microsoft.
If I had set restrictions on users, blocked programs, . and wanted to use such exact settings on a WSS computer, how could that be done - or done it manually? from the beginning?
No, use the Export feature in the WSS main window, save the .SSU file (see Figure 12), copy this file to another computer and use the Import it feature.
Figure 12: WSS: The user settings have successfully exported to a file
Can I manage WSS using Group Policy in my Active Directory domain?
Yes, the ADM file (SCTSettings.adm) is part of the WSS toolkit, in the 'Windows SteadyStateADM' section , by adding ' Administrative Templates ' in the GPO, you almost have complete control over the settings of WSS.
Conclude
Windows SteadyState is indeed a great tool, allowing you to perform multiple controls as well as flexibility. It is really friendly with a nice management interface and a help system throughout. Administrators of many public computers (like Internet kiosks and libraries in computers) need to consider this tool.
However, home users can still take advantage of some of the advantages of this tool to ensure that children can use the computer more safely without damaging anything.