By William T. Evans
Securing Windows XP in a shared or public use work environment can offer up unique challenges. In some environments, server security is of primary concern. However, in K-12 environments, securing the shared workstation is as important, from a support perspective, as securing the server. Microsoft offers "The Shared Computer Toolkit" that promises to make it easy for anyone to mange and safeguard shared computers running Windows XP. But is it the right tool for securing K-12 computing environments? Let's find out.
Microsoft Shared Computer Toolkit—What it does
According to Microsoft’s Shared Computer Toolkit for Windows XP Handbook:
"The Microsoft® Shared Computer Toolkit for Windows® XP provides a simple and effective way to defend shared computers from untrusted users and malicious software, restrict untrusted users from system resources, and enhance and simplify the user experience. The Toolkit runs on genuine copies of Windows XP Professional, Windows XP Home Edition, and Windows XP Tablet PC Edition."
The Handbook also states that the tool is designed to be used by people other than the network administrator, such as teachers, librarians, and technology coordinators.
Simply put, this tool centralizes and simplifies the control of useable operating system functions and is designed to be used by novice users as well. Here are some of the main features of the tool:
Windows Disk Protection
This is the primary, and most important, function of this tool. Once a workstation is fully configured (software, utilities, security, etc.), it can be placed in "read-only" mode. Any changes made to the operating system or third-party software are discarded during the next reboot. This is an excellent way to prevent permanent modification of any system or application data, including viruses, spyware, malware, and even unauthorized software installations.
Local user accounts, and all of their settings, can be locked from modification with this portion of the tool. This is especially useful in non-domain environments.
This is an easy-to-use interface for managing and even creating user profiles on the local system.
This function controls access to accessibility functions without relying on use of the Control Panel in Windows.
Command Line Tools
There are other functions built in to this tool, including command-line functionality that enhances the products capabilities and automation.
Microsoft Shared Computer Toolkit—What it doesn’t do
Although this toolkit boasts features to improve the manageability of computers in a shared use environment, only 11 pages of the 107 page handbook discuss use in domain environments. Most, if not all, computers in any given K-12 environment are connected to an Active Directory domain system.
Consider this excerpt from the Handbook:
"The Active Directory® directory service offers significant benefits for shared computers on a network... Active Directory provides a better environment for centrally managing user accounts that require access to network resources or need to log on with the same credentials on multiple computers, as many educational institutions require...Group Policy is more effective than the User Restrictions tool for restricting multiple user accounts across numerous computers at one time."
Most of the tool’s features are built into, and controlled from, the local interface. Many of the features are beneficial to non-domain environments. However, much of what is offered can be performed by simply using Group Policy alone. One might add that the Windows Disk Protection is a powerful new feature for network administrators. Although this is true, you should be concerned with application compatibility and accidental loss of user data while it is enabled. Properly securing a workstation operating system negates the necessity to use this feature in most environments (an application programming lab could make use of this though).
Microsoft Shared Computer Toolkit—The verdict
Unfortunately, the answer to this question is neither yes nor no. The toolkit offers some new and exciting functionality that many inexperienced network administrators can take advantage of. It also greatly increases the ability to secure and control stand-alone workstations in public/shared environments. Novice users such as computer aides and librarians can use this tool to control their lab environments. However, the skilled network administrator in K-12 will find little benefit to this tool. Using ACLs, Group Policy, and a handful of custom ADMs they can provide a much greater level of centralized and manageable security to shared workstations across the entire organization.