Part 2: Protect computers with Windows SteadyState

Part 1: Introduction to Windows SteadyState

Jakob H. Heidelberg

In Part 1 of this series, I went over the Windows SteadyState (WSS). In this part 2, we will introduce more about this topic. Next and the final part of this series we will introduce you to version 2.5 of this great toolkit - this is also the first version to support Windows Vista.

Before installing WSS

Before installing WSS, you need to uninstall the previous versions of the Microsoft Shared Computer Toolkit and the previous version of WSS (related only when installing version 2.5 currently in Beta).

In our world, you want to start from the starting point with the installation of all the original Windows XP, the latest Service Pack levels, the latest drivers and all necessary updates (from the Windows Update website). However, you can also use an existing Windows XP installation, only remove unnecessary software applications, user profiles, and temporary files, but instead of wiping an old system. I recommend that you start everything from scratch (then there won't be any existing security holes .). At this point we need a Windows XP computer to perform for demo or test purposes.

Although WSS protects when changes occur, you should still install the supported anti-malware software and update the list continuously. You should also remember to set up some strong passwords for local admin accounts.

We also recommend that you install the applications, features and services that the user needs before installing WSS - or at least before "locking" with Windows Disk Protection (WDP).

One last thing before installing WSS (and enabling WDP) is that you have to make sure to defragment the system disks to optimize performance. Remember that it is only done when WDP is finally activated so you can consider the system 'stable and safe'.

The first step

Now you are ready to install the downloaded installation package. You first accept the license terms if they are completely OK for you - then the Windows registry is valid for Windows Genuine Advantage (WGA) - the installation will start, then it will lose one few minutes to perform the installation. Click Finish when ready.

At your desktop, in the All Programs menu, the new shortcut of the 'Windows SteadyState' program will now appear. The first detailed help reference guide was launched automatically (see Figure 1) as well as WSS windows (Figure 2).

Figure 1: WSS: Initial help (Getting Started)

We recommend reading this tutorial file and the WSS handbook

The 'Global Computer Settings' screen (Figure 2) shows us the 3 main options, 3 options will be introduced in this article:

1. Set restrictions
2. Schedule updates
3. Hard drive protection

In addition, in the left menu you can access WSS resources and in the right menu, user accounts can be managed, exported and imported. Configuring user attributes and restrictions will also be introduced in this article in the following section.

Figure 2: WSS: Global Computer Settings

First - let's set up restrictions (Computer Restrictions) for computers. As its name implies, here are completely wide policy settings for computers that will 'hit' all users who are logged on. We do not recommend all of these settings here, but you can see in Figure 3 that it is related to the 'Log On to Windows' dialog, Welcome screen, user profile, password, and creation. files and folders, USB devices, .

Figure 3: WSS: Set Computer Restrictions

In the WSS main window, select the ' Schedule Software Updates ' option. This is one of the great features of WSS - the ability to "stabilize" the system, but still needs new upgrades (for the operating system .) and needs to be updated regularly. If you have ever used a hardware controller to lock the hardware state, it may be a problem to keep your computers up to date. With WSS this becomes an automated task!

Figure 4 shows the Schedule Software Updates dialog box - here you can schedule an upgrade to appear at a specific time, allowing upgrading of security programs - ' Security Program Updates ' ( AV / Anti-Malware, .) or even execute a custom download script for software upgrade (security) that is not supported and detected by WSS by default.

Figure 4: WSS: Schedule Software Updates

In the main WSS window, select the ' Protect the Hard Disk ' section. This is where there are many important features - a very useful feature called: Windows Disk Protection, or WDP for short. As you can see in the screen below (Figure 5), WDP is off by default. As mentioned earlier, some basic things are required before enabling WDP, so you need to wait and activate it later.

Note here that you have a number of different options - but the suggestion is to use the 'Remove all changes at restart' setting because that setting will be done for most administrative tasks. It has no major impact on performance and file cache (where all changes take place), completely deleted in a few seconds during boot. We will cover it carefully below.

Figure 5: WSS: Protect the Hard Disk - protect the hard disk

The ' Do not warn the administrator ' checkbox about losing changes before log off, restart, or shutdown 'will bring up a dialog box (see Figure 6) - this dialog box is displayed by default for 30 seconds - then admin The administrator is reminded that WDP is currently ON. Therefore, WDP will apply to all users - administrators or not administrators. We will introduce WDP in more detail in the section below.

Figure 6: WSS: WDP alerts the administrator

In this section, the 3 global settings of the computer for WSS are targeted, so it is time to observe the creation of the User and setting certain restrictions for User.

Create User

All administrators know how to do this, the users needed for the necessary work. Therefore, let's click ' Add a New User ' in the main WSS window. Figure 7 shows this problem very intuitively and simply as we see it. Select User name , password (if needed), select User location and finally the picture for profile. Click OK when the above tasks are done.

Figure 7: WSS: add new users

Now interesting things really start, this is where we can adjust user settings in more detail. You can do most of this tweaking by combining internal Group Policy (but remember until Vista's internal policy applies to all users including administrators), security. NTFS, profiles are mandatory, controls for higher levels (Vista only), . However, WSS makes these tasks much easier.

The General tab in User Settings (see Figure 8) gives us the ' Lock ' profile option - this is the same type as creating a mandatory profile (renaming User.Dat to User.Man ). The session timer can also be configured here - it is possible to restart the computer after logging out, which (depending on WDP settings) will restart your system to the state 'clean'.

Figure 8: WSS User Settings: General tab

The Windows Restrictions tab in User Settings (see Figure 9) gives us options from the four default configured restrictions: High, Medium, Low and Unrestricted - equivalent to High, Medium, Low, No restrictions. or you can set these restrictions arbitrarily. I cannot introduce all the limitations here, but I will give you the idea that this will allow you to hide the drive, remove objects in the Start menu to prevent anything from Autoplay. to the printer and disable system tools, .

Figure 9: WSS User Settings: Windows Restrictions tab

The Feature Restrictions tab in User Settings (see Figure 10) lets us choose from four default options: High, Medium, Low, No restrictions or arbitrarily set feature restrictions. We cannot recommend all the restrictions here, but can only tell you that it allows to restrict Internet Explorer and some Microsoft Office settings.

One of the most useful Internet Explorer restrictions is the ability to ' Prevent Internet access (except Web sites below) ' (the ability to block access except for some websites given below). In the ' Web Addresses Allowed ' field, simply type in any website you want to allow (without the http:/// or https: // protocol prefix) and a comma separated by a ' ; .

Figure 10: WSS User Settings: Feature Restrictions tab

The Block Programs tab in User Settings (see Figure 11) gives us an option to block certain executable tables. The list of internal executable tables will be created automatically by WSS, but you can manually add files. This feature works like Software Restriction Policies (SRP) by using aggregate. For more details about SRP, you can refer to the series of articles that we introduced on QuanTriMang.com: By default deny all applications.

Figure 11: User Settings: Block Programs tab

This procedure is very simple - you just need to select the program file to lock and click ' Block ' (or lock all the programs found by clicking 'Block All'). If a user wants to open locked programs, he or she will receive an error message like the one in SRP.

Windows Disk Protection (WDP)


WDP is an excellent technology to hide changes made to files on the Windows system partition. The cache is a physical file ( C: Cache.WDP ) that has a default value of up to 50% of your system partition (up to 40GB maximum), but this number can be adjusted to a minimum. 2GB by clicking on ' Change cache file size ' in the ' Protect the Hard Disk ' window. The cache is deleted regularly from time to time - best for us with each restart (during the boot process). Adjusting the cache file size may require repeated reboots.

WDP compared to Windows System Restore (WSR) is much more efficient, because WSR only checks changes to a core set of system and program files (like important registry files). However, on WSS platform, WDP is enabled, you can completely restore the conditions of individual user profiles and data (eg Desktop, Favorites, History, Documents, .). This is done automatically without any user or administrator intervention!

The important things to understand about this are how Schedule Software Updates works when WDP is enabled. Basically this is an upgrade procedure in nutshell (brief table):

1. Activate the logged-in user at the time of the upgrade schedule.
2. The computer is rebooted so that disk changes are deleted
3. Shared user accounts are disabled to prevent unauthorized disk changes.
4. WDP: 'Retain all changes permanently' is activated automatically to make sure changes are saved.
5. Updates are downloaded and installed (manual scripts are executed)
6. The computer must restart
7. WDP is set back to ' Remove all changes at restart '.

With some scripting skills, you can make sure your system is always neat and clean - automatically upgraded. This is the difference between WDP and other hardware protection solutions.

Some questions and answers

Does WSS support WSUS?

The answer here is yes, WDP will download and install updates from Microsoft Update, Windows Update, or Windows Server Update Services (WSUS) - this depends on your client settings.

Does WSS support domain members?

The answer is yes, the WSS computer can be a member of an Active Directory domain.

Does WSS support the use of SYSPREP?

Yes, remember to disable WDP and unlock previously blocked users.

Does WSS support Windows Vista operating system?

Up to this point No, however, a Beta program (WSS version 2.5) is currently available completely free from Microsoft.

If I had set restrictions on users, blocked programs, . and wanted to use such exact settings on a WSS computer, how could that be done - or done it manually? from the beginning?

No, use the Export feature in the WSS main window, save the .SSU file (see Figure 12), copy this file to another computer and use the Import it feature.

Figure 12: WSS: The user settings have successfully exported to a file

Can I manage WSS using Group Policy in my Active Directory domain?

Yes, the ADM file (SCTSettings.adm) is part of the WSS toolkit, in the 'Windows SteadyStateADM' section , by adding ' Administrative Templates ' in the GPO, you almost have complete control over the settings of WSS.

Conclude

Windows SteadyState is indeed a great tool, allowing you to perform multiple controls as well as flexibility. It is really friendly with a nice management interface and a help system throughout. Administrators of many public computers (like Internet kiosks and libraries in computers) need to consider this tool.

However, home users can still take advantage of some of the advantages of this tool to ensure that children can use the computer more safely without damaging anything.