There is no one-size-fits-all answer because the needs and circumstances of 
each installation are different. It requires a multi-layered approach. First, 
define the threats. Prioritize them, then look for the mitigations of those 
threats. There are so many potential failure points and they can’t all be 
addressed with one approach. Is your system a PC or a tablet? Windows or 
Android? Networked or not? Does it use peripherals? And so on. 

Here are some strategies to consider off the top of my head. I am currently 
securing two Windows 7 exhibits.

I think of exhibit application security in three layers.

1) The App. First, make your foreground app as stable as you can. If your 
foreground app never crashes or gives up focus, the user can only do what it 
allows. Make sure you’ve disabled all possible options for closing or crashing 
the app. Let it run for long periods of time and see what happens. For 
instance, the Windows 10 update blindsided me on this install. A totally new 
problem!

2) Peripherals and Connections. Isolate the system and strip all unnecessary 
“tools” away from the user, especially those that might allow them to crash the 
foreground application!
  - Take away the keyboard and mouse and disable unnecessary touch functions, 
and don’t forget the Windows 7 virtual keyboard. Attach a keyboard for admin as 
needed but don’t leave it accessible to users.
  - Disable all "network" connections and functions that are not absolutely 
necessary: Ethernet, Wi-Fi, Bluetooth, DNS, DHCP, etc… Most interactives don’t 
NEED a full-time network connection. Even if you do, say for remote admin or a 
backend system, you will only need narrowly defined functionality. Disable 
everything and then open only what you need. Firewall all communications not 
explicitly required. 
 
3) The System. Make the system as lean and stable as you can.
 - Run your app on a “limited” user and strip all needed functions from that 
user. You can use parental controls on many systems to disable a lot of 
functionality. And make sure all admin users are password protected! 
 - Disable everything that runs in the background, especially any kind of 
updating. Turn off all automatic updates and all “alerts.” Remove every 
background app and function. 
 - I like to automate a periodic restart. This helps with long-term stability. 
Windows simply can’t run for long periods without eventually crashing. It just 
can’t. Macs too. 

Those are just highlights. Many threats can be eliminated en masse using 
security apps and application design, but you still need to think about all the 
possible undesirable consequences and make sure you are guarding against them. 
If you keep a close eye on your existing installations, failures will reveal 
threats that you never anticipated.

Some other things to consider:

If the app crashes, what does the user see? I like to clean off the desktop and 
put a “restart” icon right in the middle. Most users don’t want to hack your 
system and will happily restart your app for you if it’s obvious how this is 
done.

You can also purchase app monitors that will check the run state and restart 
the app if it crashes. If you have good monitoring, though, this is probably 
more trouble than help. It’s a background app. ;)

Can your user get to physical buttons on your monitors or systems? You can 
often disable them via menu controls.

Can users access the power? This allows them to reboot. What happens when the 
system reboots? Does it automatically load the correct user and application? 

What happens when power fails? Does the system automatically reboot when power 
comes back? 

Etc…

I’m considering writing a longer, more formal “how to” so I’d love to hear 
anyone’s horror stories or specific configuration tips.

Cheers,
               tod

Tod Hopkins
Hillmann & Carr Inc.




> On Nov 6, 2015, at 9:04 AM, Patrick Davis <[email protected]> wrote:
> 
> New to the group. Looking forward to seeing what everyone has to say.
> 
> One question that just recently was asked of me by our Director of
> Technology was how we are securing the computers that run our digital
> interactives in the public space. Not well was my answer. We are currently
> hovering around 75 different digital interactives and are adding new ones
> all the time.
> 
> I was wondering what everyone here does to lock down their windows 7 pro
> installations. In our situation we have three different kind of
> applications running. A majority of them are standalone flash projectors.
> The rest either run on Firefox or Chrome. I always lean towards open source
> solutions but we do have some room in our budget to purchase software to
> make this work. Ideally there would be some kind of central management
> solution that we could use to not only lock them down but keep tabs on what
> is going on.
> 
> Thanks!
> 
> -------
> Patrick Davis | Exhibitions AV Specialist | The Field Museum
> 1400 S Lake Shore Drive, Chicago, IL 60605
> 312-665-7968
> _______________________________________________
> You are currently subscribed to mcn-l, the listserv of the Museum Computer 
> Network (http://www.mcn.edu)
> 
> To post to this list, send messages to: [email protected]
> 
> To unsubscribe or change mcn-l delivery options visit:
> http://mcn.edu/mailman/listinfo/mcn-l
> 
> The MCN-L archives can be found at:
> http://www.mail-archive.com/[email protected]/
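
An added example, not part of the original message: a PowerShell script applying three of the points from the reply above (firewall everything not explicitly required, turn off automatic updates, automate a periodic restart) on a Windows 7 exhibit PC. The backend address and port, the task name and the restart time are placeholder assumptions.

```powershell
# Run from an elevated PowerShell prompt on the exhibit PC. Windows 7 ships
# PowerShell 2.0, so this uses only the built-in netsh, sc and schtasks tools.

# Assumed values, not from the original message: replace with your own.
$BackendIp   = '192.0.2.10'              # placeholder address (documentation range)
$BackendPort = '443'                     # placeholder port for the one required service
$RestartTime = '04:00'                   # nightly restart, outside opening hours
$TaskName    = 'ExhibitNightlyRestart'   # hypothetical task name

function Invoke-Step([string]$What, [scriptblock]$Command) {
    # Run one native command and stop the script if it reports failure.
    & $Command | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "FAILED: $What (exit code $LASTEXITCODE)" }
    Write-Host "ok: $What"
}

# "Disable everything and then open only what you need": firewall on, then
# block inbound and outbound by default on every profile. The policy value is
# quoted because a bare comma would be split into two arguments by PowerShell.
Invoke-Step 'firewall enabled' { netsh advfirewall set allprofiles state on }
Invoke-Step 'default deny in/out' {
    netsh advfirewall set allprofiles firewallpolicy 'blockinbound,blockoutbound'
}

# Open the single outbound path the exhibit needs. Built-in allow rules
# (for example Core Networking) still apply; review them with
# "netsh advfirewall firewall show rule name=all dir=out" and disable extras.
Invoke-Step 'allow backend only' {
    netsh advfirewall firewall add rule name=ExhibitBackend dir=out action=allow `
        protocol=TCP remoteip=$BackendIp remoteport=$BackendPort
}

# Turn off automatic updating: disable the Windows Update service.
Invoke-Step 'Windows Update service disabled' { sc.exe config wuauserv start= disabled }
sc.exe stop wuauserv | Out-Null   # non-zero exit is expected if already stopped

# Automate the periodic restart as a SYSTEM task so it runs with no admin logged in.
Invoke-Step 'nightly restart scheduled' {
    schtasks.exe /Create /TN $TaskName /TR 'shutdown.exe /r /f /t 0' `
        /SC DAILY /ST $RestartTime /RU SYSTEM /F
}

# Show the resulting state for the install log.
netsh advfirewall show allprofiles firewallpolicy
schtasks.exe /Query /TN $TaskName
```

If the exhibit needs no network at all, omit the allow rule and leave both directions blocked.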






