Blog | G5 Cyber Security

Windows Kiosk Security: Preventing Attacks

TL;DR

Windows kiosks are vulnerable to attacks if not properly secured. This guide covers common threats and practical steps to lock down your kiosk, including restricting user access, disabling unnecessary features, using Group Policy, enabling Assigned Access, and monitoring for suspicious activity.

1. Understand the Threats

Kiosks are attractive targets because they stand in public places where anyone can reach the screen, keyboard and ports, and they are often deployed with default settings and no one watching them. Common attacks include:

2. Restrict User Access

The goal is to limit what a person standing at the kiosk can do, so that escaping the kiosk application gains them nothing.

  1. Create a Dedicated Kiosk Account: Do not reuse an existing user, and never a domain account with rights elsewhere. Create a new local standard account used only to run the kiosk application, with a long generated password that nobody needs to type (Assigned Access signs the account in automatically).
  2. Remove Local Administrator Privileges: Make sure the account is a member of Users only, not of Administrators, Remote Desktop Users, Power Users or any other privileged local group.
  3. Disable Guest Access: The built-in Guest account is disabled by default; confirm it stays that way, and do not create shared "guest" style logons that bypass the kiosk account.
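The three steps above as one script, run elevated on the kiosk itself. This is an added example, not code from the original post; the account name KioskUser is an assumption, and the password is generated rather than chosen because nobody will ever type it.

```powershell
# Added example (not from the original post): create and verify a dedicated,
# non-privileged local kiosk account. The account name is an assumption.
#Requires -RunAsAdministrator

$kioskName = 'KioskUser'   # assumed name

# Nobody types this password (Assigned Access auto-signs the account in),
# so generate 24 random printable characters instead of hard-coding a value.
$plain    = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$password = ConvertTo-SecureString $plain -AsPlainText -Force

if (-not (Get-LocalUser -Name $kioskName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $kioskName -Password $password -PasswordNeverExpires `
        -UserMayNotChangePassword -AccountNeverExpires `
        -Description 'Dedicated kiosk account' | Out-Null
}

# Standard user only: remove it from every privileged local group it may have landed in.
foreach ($group in 'Administrators', 'Remote Desktop Users', 'Power Users', 'Backup Operators') {
    if (Get-LocalGroupMember -Group $group -Member $kioskName -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group $group -Member $kioskName
    }
}
if (-not (Get-LocalGroupMember -Group 'Users' -Member $kioskName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $kioskName
}

# The built-in Guest account stays disabled.
Disable-LocalUser -Name 'Guest'

# Verify: the kiosk account must not be an administrator and Guest must be disabled.
$isAdmin      = [bool](Get-LocalGroupMember -Group 'Administrators' -Member $kioskName -ErrorAction SilentlyContinue)
$guestEnabled = (Get-LocalUser -Name 'Guest').Enabled
if ($isAdmin -or $guestEnabled) {
    throw "Kiosk account check failed: admin=$isAdmin guestEnabled=$guestEnabled"
}
"OK: $kioskName is a standard user in 'Users' only; Guest is disabled."
```

If you later use the Settings "Set up a kiosk" wizard instead, it can create the local account for you; the checks above still apply, because the wizard does not stop someone adding that account to Administrators afterwards.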

3. Disable Unnecessary Features

Reduce the attack surface by disabling features not required for the kiosk application.

4. Use Group Policy for Centralised Control

If your kiosks are domain-joined, use Group Policy so that every kiosk gets the same lockdown and a local change is overwritten at the next refresh.

  1. Create a New GPO: Create a new Group Policy Object (GPO) used only for the kiosk configuration, so it can be audited and rolled back independently of your general workstation policy.
  2. Configure Security Settings: Use the following settings within the GPO:
    • Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Remove the kiosk account from rights it does not need, such as ‘Log on as a batch job’, ‘Change the system time’ and ‘Shut down the system’.
    • User Configuration > Administrative Templates > System: ‘Prevent access to the command prompt’ and, under Ctrl+Alt+Del Options, ‘Remove Task Manager’. These are user-side settings, not computer-side.
    • PowerShell has no dedicated template. ‘Don’t run specified Windows applications’ (same System folder) blocks it by file name only, so a renamed copy still runs; for a real boundary use AppLocker or Windows Defender Application Control (Computer Configuration > Windows Settings > Security Settings > Application Control Policies) and allow-list the kiosk application.
  3. Apply the GPO: Link the GPO to an Organizational Unit (OU) containing your kiosk computers. Because the restrictions above live under User Configuration but the link is on a computer OU, also enable Computer Configuration > Administrative Templates > System > Group Policy > ‘Configure user Group Policy loopback processing mode’ (Replace); without it the user-side settings never reach the local kiosk account.
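The same GPO built from an admin workstation with the GroupPolicy module (RSAT), as an added example that is not from the original post. The GPO name and the OU distinguished name are assumptions; each Set-GPRegistryValue call writes the registry value that the named Administrative Template setting would write.

```powershell
# Added example (not from the original post): create, populate and link a kiosk
# lockdown GPO. GPO name and OU DN are assumptions; requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

$gpoName = 'Kiosk Lockdown'                  # assumed
$kioskOU = 'OU=Kiosks,DC=corp,DC=example'    # assumed

try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName -Comment 'Restricts the interactive session on kiosk PCs' }

# Loopback processing, Replace mode (UserPolicyMode = 2). The GPO is linked to a computer OU
# but the settings below are user-side; loopback makes them apply to whoever signs in there.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > Remove Task Manager
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# User Configuration > Administrative Templates > System > Prevent access to the command prompt
# (1 = also block .cmd/.bat script processing; 2 = leave script processing on for logon scripts)
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 1 | Out-Null

# User Configuration > Administrative Templates > System > Don't run specified Windows applications.
# File-name matching only: copying powershell.exe to notes.exe defeats it. It is a speed bump;
# AppLocker/WDAC (not expressible with Set-GPRegistryValue) is the actual boundary.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
$blocked = 'powershell.exe', 'powershell_ise.exe', 'pwsh.exe', 'cmd.exe', 'regedit.exe', 'mmc.exe'
for ($i = 0; $i -lt $blocked.Count; $i++) {
    # The list is stored as REG_SZ values named "1", "2", ... under the DisallowRun subkey.
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' `
        -ValueName ([string]($i + 1)) -Type String -Value $blocked[$i] | Out-Null
}

# Link to the kiosk computer OU, only if not already linked.
$links = (Get-GPInheritance -Target $kioskOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $links) {
    New-GPLink -Name $gpoName -Target $kioskOU -LinkEnabled Yes | Out-Null
}

# Show the block list that was written. On a kiosk: gpupdate /force, then gpresult /r
# should list "Kiosk Lockdown" under both the computer and (via loopback) the user section.
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
```

The User Rights Assignment changes cannot be set with Set-GPRegistryValue; they live in the GPO's security template, so set them in the Group Policy Management Editor (or import a secedit .inf) after running this.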

5. Enable Assigned Access

Assigned Access (kiosk mode) locks the device to a single app that runs full screen above the lock screen, with no Start menu, taskbar or desktop for the user to fall back to. It is available on Windows 10/11 Pro, Enterprise and Education, not Home.

  1. Open Settings: Go to Settings > Accounts > Family & other users (Windows 11: Accounts > Other users) > Set up a kiosk.
  2. Choose an Account: Select the dedicated kiosk account you created earlier (the wizard can also create one). Windows will sign this account in automatically at boot, which is why it must hold no privileges.
  3. Select an App: Choose the app that will run in kiosk mode. The Settings wizard only offers Universal Windows Platform (UWP) apps and Microsoft Edge; it cannot pick a traditional Win32 desktop application. To run a Win32 program as the kiosk you need Shell Launcher (Enterprise/Education/IoT) or a multi-app Assigned Access configuration supplied as XML through PowerShell or MDM, which accepts desktop apps by path. Whichever route you take, test that Ctrl+Alt+Del, Win key shortcuts and the app's own file-open dialogs do not lead out of the app.
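The same single-app assignment done from PowerShell, which is easier to script across many kiosks than the Settings wizard. This is an added example, not from the original post; the account name KioskUser and the use of Calculator as a stand-in for your kiosk app are assumptions. The point it adds is that Assigned Access binds to an AppUserModelId (AUMID), which should be looked up from the installed package rather than typed from memory.

```powershell
# Added example (not from the original post): single-app Assigned Access from PowerShell.
# Account and app are assumptions; run elevated on Windows 10/11 Pro, Enterprise or Education.
#Requires -RunAsAdministrator

$kioskUser   = 'KioskUser'                    # assumed, created in the earlier step
$packageName = 'Microsoft.WindowsCalculator'  # assumed stand-in for the real kiosk app

# Assigned Access identifies the app by AUMID = <PackageFamilyName>!<Application Id>.
# Both halves come from the installed package and its manifest.
$pkg = Get-AppxPackage -Name $packageName -AllUsers | Select-Object -First 1
if (-not $pkg) {
    throw "$packageName is not installed; install it for the kiosk account before locking to it."
}
$appId = ($pkg | Get-AppxPackageManifest).Package.Applications.Application.Id | Select-Object -First 1
$aumid = "$($pkg.PackageFamilyName)!$appId"
"Using AUMID $aumid"

# Bind the account to the app. Any previous assignment for that account is replaced.
Set-AssignedAccess -UserName $kioskUser -AppUserModelId $aumid

# Verify the binding before rebooting; it takes effect at the account's next sign-in.
$current = Get-AssignedAccess
if (-not $current -or $current.UserName -ne $kioskUser -or $current.AppUserModelId -ne $aumid) {
    throw "Assigned Access not applied as expected:`n$($current | Out-String)"
}
"Assigned Access active: $kioskUser -> $aumid (remove with Clear-AssignedAccess)."
```

If the package is provisioned but not yet installed for the kiosk account, Get-AppxPackage -AllUsers still finds it, but the app will not launch at the kiosk sign-in until it has been installed in that profile; sign in once as the kiosk user, or deploy the app with a provisioning package, before relying on the lock.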

6. Disable USB Ports

Prevent users from introducing malware, or copying data off the machine, via USB storage. Disabling the USB storage driver (USBSTOR) is enough to stop flash drives and keeps the kiosk's own USB keyboard or touch controller working. Note what it does not stop: a device that presents itself as a keyboard (a "BadUSB" or Rubber Ducky style stick) is still accepted and can type into whatever is on screen, so the kiosk app and session restrictions above remain the real defence, and physically blocking or covering exposed ports is worth the small cost.
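The driver-level block plus the matching Removable Storage policy, with a check that both took effect. This is an added example and not from the original post; it assumes the values are set locally (on a domain, put the same policy in the kiosk GPO instead).

```powershell
# Added example (not from the original post): disable USB mass storage on a kiosk and verify.
#Requires -RunAsAdministrator

# 1. Stop the USB storage class driver from loading. Start = 4 means Disabled;
#    keyboards, mice and touch controllers use other class drivers and are unaffected.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

# 2. Also apply "Removable Storage Access: All Removable Storage classes: Deny all access",
#    which covers SD card readers and MTP phones that the USBSTOR change does not.
$rsa = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
New-Item -Path $rsa -Force | Out-Null
Set-ItemProperty -Path $rsa -Name Deny_All -Value 1 -Type DWord

# 3. Verify. A flash drive inserted after this should not appear in Disk Management;
#    a HID-emulating device will still enumerate, which is why this is not the only control.
$start = (Get-ItemProperty -Path $usbstor -Name Start).Start
$deny  = (Get-ItemProperty -Path $rsa -Name Deny_All).Deny_All
if ($start -ne 4 -or $deny -ne 1) {
    throw "USB storage lockdown incomplete: USBSTOR Start=$start, Deny_All=$deny"
}
"USB mass storage disabled (USBSTOR Start=$start, RemovableStorage Deny_All=$deny)."
```

Reversing it is Start = 3 and Deny_All = 0 (or deleting the value), followed by a reboot so a drive that was already plugged in is re-enumerated.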

7. Keep Software Updated

Regular updates patch security vulnerabilities in Windows, in the browser or runtime the kiosk app depends on, and in the kiosk application itself. A kiosk that nobody logs into interactively will not prompt anyone, so make updating unattended: let Windows Update (or your management tool) install and reboot in a maintenance window outside opening hours, and confirm afterwards that the kiosk account signed back in and the app came up, because a kiosk stuck at a login or error screen is both useless and a temptation.

8. Monitor for Suspicious Activity

Regularly check logs and monitor system behaviour. On a kiosk the interesting events are narrow: any interactive or RDP logon by an account other than the kiosk account (Security event 4624), failed logons at the lock screen (4625), a shell or admin tool such as cmd.exe, powershell.exe or taskmgr.exe starting under the kiosk account (4688, which needs "Audit Process Creation" turned on), and AppLocker block events (8004). Forward these to a central collector rather than reading them on the kiosk, because an attacker who escaped the app can also clear the local log.
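A review script that pulls those four event types from the last 24 hours and flags the ones that should never occur on a locked-down kiosk. This is an added example, not from the original post; the account name KioskUser and the tool list are assumptions, and it must run elevated because it reads the Security log.

```powershell
# Added example (not from the original post): triage kiosk-relevant Security/AppLocker events.
# Kiosk account name and the tool list are assumptions. 4688 needs "Audit Process Creation".
#Requires -RunAsAdministrator

$kioskUser = 'KioskUser'                                                         # assumed
$since     = (Get-Date).AddHours(-24)
$tools     = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'taskmgr.exe', 'regedit.exe', 'mmc.exe'
$findings  = [System.Collections.Generic.List[object]]::new()

# Turn an event's EventData into a hashtable keyed by field name (TargetUserName, LogonType, ...).
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    return $data
}
function Add-Finding($Time, $Type, $Detail) {
    $findings.Add([pscustomobject]@{ Time = $Time; Type = $Type; Detail = $Detail })
}
function Get-Events($LogName, $Id) {
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue
}

# 4624: interactive (2), RDP (10) or cached (11) logons by anyone but the kiosk account.
foreach ($e in Get-Events 'Security' 4624) {
    $d = ConvertTo-EventData $e
    if ($d.LogonType -in '2', '10', '11' -and $d.TargetUserName -ne $kioskUser) {
        Add-Finding $e.TimeCreated 'UnexpectedLogon' "$($d.TargetDomainName)\$($d.TargetUserName) type $($d.LogonType) from $($d.IpAddress)"
    }
}

# 4625: failed logons, i.e. someone guessing passwords at the lock screen or over RDP.
foreach ($e in Get-Events 'Security' 4625) {
    $d = ConvertTo-EventData $e
    Add-Finding $e.TimeCreated 'FailedLogon' "$($d.TargetUserName) status $($d.Status) from $($d.IpAddress)"
}

# 4688: a shell or admin tool started under the kiosk account means the app lock was escaped.
foreach ($e in Get-Events 'Security' 4688) {
    $d   = ConvertTo-EventData $e
    $exe = [System.IO.Path]::GetFileName($d.NewProcessName)
    if ($d.SubjectUserName -eq $kioskUser -and $exe -in $tools) {
        Add-Finding $e.TimeCreated 'ToolLaunch' "$exe by $kioskUser, parent $($d.ParentProcessName)"
    }
}

# AppLocker 8004: an EXE/DLL outside the allow-list was blocked; each one is an attempt worth a look.
foreach ($e in Get-Events 'Microsoft-Windows-AppLocker/EXE and DLL' 8004) {
    Add-Finding $e.TimeCreated 'AppLockerBlock' (("$($e.Message)" -split "`r?`n")[0])
}

$findings | Sort-Object Time | Format-Table -AutoSize
"$($findings.Count) finding(s) since $since on $env:COMPUTERNAME"
```

On a healthy kiosk the output is empty apart from the occasional 4625 from a passer-by pressing keys at the lock screen; a ToolLaunch or UnexpectedLogon line is an incident, not noise. Run it from the collector against forwarded logs (add -ComputerName, or query the forwarded-events channel) rather than trusting the copy on the kiosk.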
