This is an issue that’s come up for some customers who deploy a kiosk with a standard keyboard facing the public. In these scenarios, the keyboard is used to enter search criteria or personal information. Occasionally, someone may come along and correctly guess that it’s Windows under the hood. This knowledge prompts attempts to access the underlying operating system, most often by using known key combinations that could allow break-in.
To better secure these types of kiosks, it’s best to start with security tools such as Microsoft’s SteadyState to help lock down the system and File Based Write Filter (FBWF) to prevent unwanted updates. However, there’s one important detail not covered by those features: the world’s most famous 3-button combo, namely Ctrl + Alt + Del.
While nothing technically bad can happen as long as the options that appear are disabled, this looks unprofessional in a kiosk environment and really doesn’t provide a kiosk with any more security.
Below are instructions on how to disable this feature. Note that this will only work with XP and XP Embedded operating systems such as POSReady. Vista and the upcoming Windows 7 do not support this feature.
This step is certainly not the most intuitive or obvious. Switching from the NT-style logon screen to the more stylish XP-themed logon also changes Ctrl + Alt + Delete so that it starts the Task Manager instead. There is one catch: it won’t work on domain systems. If your kiosk must be on a domain, you’re not going to have much luck and will have to find a different route (the GINA might be able to help).
If you’re not on a domain, enable the Welcome Screen.
This will change the login screen to the fancier XP style but, luckily, automatic logon will still be possible. At this point, press Ctrl + Alt + Delete. The Task Manager should appear.
For more information on GINA: http://msdn.microsoft.com/en-us/magazine/cc163803.aspx
This step will prevent the Task Manager from running and appearing as an option when right-clicking on the Task Bar.
Alternatively, we can achieve this using GPEdit.msc.
Double-click “Remove Task Manager” and select the Enabled option.
The Ctrl + Alt + Del combo is now effectively disabled; however, a strange and unfortunate problem occurs:
While quite annoying, according to Spy++ it’s actually the Task Manager executable showing this message box. Knowing this, there are many ways to block the message, but a single Registry key is really all that’s required.
These settings should take effect immediately, so try it out.
If you ever want to revert to the old way, undo each of the 3 steps above. Order isn’t important, but all are required.
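To confirm that the first two steps are in place on a deployed kiosk, the script below reads the settings back and reports pass or fail for each. It is an added example, not part of the original post. Assumptions: PowerShell is installed on the kiosk image, and the registry locations used (Winlogon `LogonType` for the Welcome Screen, and the per-user `DisableTaskMgr` value that “Remove Task Manager” sets) are the standard Windows ones rather than values given on this page. The third step’s Registry key is not checked.

```powershell
# Added example: audit the Welcome Screen and "Remove Task Manager" steps.
# Run it while logged on as the kiosk account, because the Task Manager
# policy is stored per user (HKCU), not per machine.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

function Test-KioskLockdown {
    # Standard Windows locations (assumption: not taken from the article).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $cs       = Get-WmiObject -Class Win32_ComputerSystem

    $checks = @(
        # The Welcome Screen remap does not work on domain systems.
        @{ Name = 'Machine is not domain-joined'
           Pass = (-not $cs.PartOfDomain) },
        # LogonType 1 = Welcome Screen, 0 = classic NT-style logon.
        @{ Name = 'Welcome Screen enabled (LogonType = 1)'
           Pass = ((Get-RegValue $winlogon 'LogonType') -eq 1) },
        # Written by the "Remove Task Manager" policy when it is enabled.
        @{ Name = 'Remove Task Manager enabled (DisableTaskMgr = 1)'
           Pass = ((Get-RegValue $policy 'DisableTaskMgr') -eq 1) }
    )

    foreach ($c in $checks) {
        New-Object PSObject -Property @{ Check = $c['Name']; Pass = $c['Pass'] }
    }
}

$report = @(Test-KioskLockdown)
$report | Format-Table Check, Pass -AutoSize

# A non-zero exit code lets an imaging or deployment script reject the build.
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

A missing value is reported as a failure, which is the safe reading: on a kiosk image, an unset policy means the key combination still reaches Task Manager.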