SolutionBase: Gain control over computers in common areas with the Shared Computer Toolkit

Shared computers can present a special security challenge if you're not in a domain environment. That's where the Shared Computer Toolkit comes in. Here's how to secure computers in common areas using it.

In most organizations, workstations are assigned on an individual basis. Each person gets their own machine. This makes securing systems relatively easy. Through the use of group policy, you can lock down and secure these systems. Things become complicated when you have computers located in common areas with multiple people accessing them. In such a case, the Shared Computer Toolkit can come in handy.

What's the Shared Computer Toolkit?

The Microsoft Shared Computer Toolkit a set of software that help you manage shared computers. Using it you can do such things as:

  • Restrict local user profiles
  • Protect shared computers against unauthorized changes
  • Enforce logon and log off times
  • Prevent users from adding programs
  • Create custom desktops

Why can't I just use group policy and roaming profiles?

True, a lot of the things you can do with the Shared Computer Toolkit can be handled with Group Policy and Active Directory. The problem is that not all networks use Active Directory.

Additionally, unless you're comfortable creating and using group policies, you may not want to go through the hassle of implementing them. Group Policy can also create additional headaches in administration in some circumstances.

Obtaining and installing the Shared Computer Toolkit

You can get the Shared Computer Toolkit directly from Microsoft's Web site. Like most new software from Microsoft, you must first pass Microsoft's Genuine Windows test to make sure you're not running a pirated version of Windows XP before you can download it. The file is only 2.2Mb, so it will download pretty quickly.

In order to run the Shared Computer Toolkit, you must be running Windows XP Service Pack 2. Earlier versions of Windows won't work with it at all. You also need to make sure you've installed Microsoft's User Profile Hive Cleanup Service installed.

You'll also need to make sure you have 10% of the hard drive space free on the computer you want to use the toolkit on if you want to use the drive protection feature. Microsoft reserves a large area of the hard drive for protection, so if you don't have free space, you won't be able to use the kit. That's not just free space on your system drive, this is blank space on the disk where a separate partition can be created. Make sure your other hard drive partitions have been formatted with the NTFS file system.

If you have a domain on your network, the toolkit won't work properly. There are special things you must do to configure the toolkit to work correctly. When you run a tool in the kit when connected to a domain, you'll see an error referring you to read Chapter 10 of the Handbook that comes with the kit.

After you've downloaded the Shared_Computer_Toolkit_ENU.msi file, just run it. If you haven't installed the User Profile Hive Cleanup Service, you'll see a warning telling you need it. You can click the link to go to the Web site and install it.

Beyond that, there are no real gotchas with the installation. It installs relatively easy. Just follow the on screen prompts. When it's done, the toolkit Getting Started screen appears as shown in Figure A.

Figure A

After you install the toolkit, it starts on this screen.

From this screen, you can click the various icons to configure the kit the way you want it. You can follow the steps listed on the screen as an easy way to set all of the features. In the rest of the article, I'll cover specific tools.

Disk Protection

The Disk Protection features allows you control who can access drives on the computer and what they can do with it. When you start the Disk Protection tool, you'll see the screen shown in Figure B.

Figure B

Disk Protection safeguards the shared computer's hard drive resources.

Profile Manager

The User Profile Manager, shown in Figure C, allows you to manage, create, and delete profiles for user accounts created on a machine. The interface is fairly simple as you can see in the figure.

Figure C

The Profile Manager helps manage profiles on the system.

User Restrictions

The User Restrictions tool, shown in Figure D, controls what users can do on the system. As you can see there are a lot of different settings you can apply for a given user.

Figure D

You can control what users can do using the User Restrictions tool.

Click the Select Profile button to select the profile you want to manage. From there, you can use click the [+] buttons to expand the menus and change the settings you want for the use. You can restrict hardware, software, logon and logoff times, as well as the way the user can connect to network resources such as the Internet.

Accessibility tools

The Accessibility screen shown in Figure E doesn't really add any new features to Windows XP. It merely makes it easier to access the built-in features of Windows XP that make it easier for people to use. For example, you can create easier to view colors and fonts for people with low-vision.

Figure E

This screen makes it easier to use XP's Accessibility features.

Command line tools

The Shared Computer Toolkit has more than just GUI tools. There are also some command line tools you can use. Some of the command line scripts you can run include-

  • Accessibility.wsf -- Run the Accessibility tool from the command prompt and enable or disable accessibility options
  • Autodemo.wsf -- Runs a demo that illustrates some of the toolkit functions
  • Accounts.wsf -- This script allows you to control the users who are able to access the system.
  • AutoLogon.wsf -- Allows you to configure an auto-logon account.
  • AutoRestart.wsf -- Use this tool to configure a user account to start a specific program
  • AutoRunOnce.wsf -- This script allows you to configure a program to run the next time a user logs on, but only once.
  • CriticalUpdates.wsf -- This script configures the way the computer downloads and installs critical Windows updates.
  • DiskProtect.wsf -- Use this script to turn Disk Protection off and on as well as doing other things.
  • Restrict.wsf -- This script applies restrictions to user profiles
  • ProfilesMgr.wsf -- With this tool, you can use the command line to do things that normally only works with the User Profiles tool.
  • SCTReport.wsf -- Use this script to create a report to troubleshoot problems
  • SleepWakePC.wsf -- You'll use this script to put the computer to sleep or wake up to perform scheduled tasks.
  • Welcome.wsf -- This script prevents the Welcome screen from appearing for specified accounts