Locking down the computer for public use in a library

norway2015

Hi.
I am setting up a computer for use in a public library.
The OS is Win 8.1 Enterprise.
Also, the computer auto-logs in with a user named "Kiosk".
And I use local group policy to lock it down.
The computer is only allowed to run Word, Excel, Powerpoint, Calculator and Internet Explorer.
I have only whitelisted those programs in LGPO, blocked the rest for that user.
The computer is not in a domain, only Internet allowed.

I changed user rights to block changes and deletion to the desktop icons for that user.
Muted the sound and disabled the volume icon.
Turned off sleep mode and used a 10-minute limit sleep mode for the monitor.
Deactivated access to remote assistance and desktop.
Deactivated file and print sharing.
Deactivated Windows Search (it turned up misc stuff not wanted).

In local GPO I deactivated much there.
But, please fill in suggestions.
So far:
Hidden the C-drive.
USB sticks are allowed.
All access to misc. user config or settings (Win+X, Win+R).

Outside local GPO, is there anything I missed?
Please, let me know.
Suggestions welcome (even if I have done them already).
Fire away, people!
 

Honestly, I think you have done a killer job. The only thing I can think of is that if in any way and somehow the user gets asked for "Administrative Privileges", UAC asks for a password; this can be set through secpol.msc. Off the top of my head I can think of one way to run as a different user, which should ask for credentials; however, you never want to underestimate the end user and their tricks. I know in a domain environment it will, but you said this is not a domain environment.

Everything else I think should be handled at the firewall level, but be careful here, as a guy in my state (Colorado) won a case against the Denver library as he was not allowed to hit certain sites thanks to a firewall, and being they are public computers funded by the people, you cannot have those restrictions.
 

Hello norway2015:

Good work!

1.) In that setting, Microsoft's Windows Defender will quite likely under-serve the library and its users. Have plans been made, or executed, to upgrade to a much more effective and on-going anti-virus/malware/spyware/exploit protection process?

2.) Please seriously consider having a periodically updated/isolated "Bare-metal restore" procedure at the ready.

3.) Would a fairly resourceful user have the ability to restart the computer using their own bootable media?

4.) How will the computer connect to the Internet? Wi-Fi? Ethernet cabling to an ISP's modem? Will a router be employed?

5.) Has the computer's BIOS/UEFI been password protected?

Skål :)
 

1)
I use the SCEP (System Center Endpoint Protection) client on the public computers.
Mostly because I can and have access to it through work.
It works also standalone, but be sure to tick the choice in Win Update: Update other Microsoft products.

2)
I have a similar computer yet to be deployed.
I need to clone the drive to an image.

3)
I tried to use CloneZilla on a CD to clone the drive.
I ended up writing in the BIOS admin password to gain access, so I do not think so.
And this is right beside the break room for the staff and the library leader office.

4)
Computer has only access to Internet by Ethernet cable.

5)
Yes, with a looong password with 4 blocks of characters with spaces between.
1 name block, one 4-digit block, 1 longer name block, 1 4-digit block.
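
The machine-wide settings discussed in this thread (UAC asking for a password, remote desktop and remote assistance, Windows Search, the auto-logon account) can be re-checked after every Windows update or re-image with a read-only script. The following is an added example, not something posted by a thread participant. It assumes the account name "Kiosk" from the first post and standard Windows registry locations; per-user restrictions such as Win+R and the program whitelist live in the Kiosk user's own policy and are not covered.

```powershell
# Added audit example (not from the thread). Run in an elevated PowerShell
# session on the kiosk PC; it only reads settings and changes nothing.
$KioskUser = 'Kiosk'   # account name taken from the first post

function Get-RegValue($Path, $Name) {
    # Returns $null instead of throwing when the key or value is absent.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name }
}
function New-Check($Setting, $Actual, $Ok) {
    [pscustomobject]@{ Setting = $Setting; Actual = "$Actual"; Ok = [bool]$Ok }
}

$uac   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$logon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ctl   = 'HKLM:\SYSTEM\CurrentControlSet\Control'

# UAC: 0 = deny elevation, 1 or 3 = prompt a standard user for credentials.
$lua    = Get-RegValue $uac 'EnableLUA'
$prompt = Get-RegValue $uac 'ConsentPromptBehaviorUser'
# Remote Desktop and Remote Assistance switches.
$rdp = Get-RegValue "$ctl\Terminal Server" 'fDenyTSConnections'
$ra  = Get-RegValue "$ctl\Remote Assistance" 'fAllowToGetHelp'
# Windows Search service start mode (WMI query works on PowerShell 4).
$ws  = (Get-WmiObject Win32_Service -Filter "Name='WSearch'").StartMode
# Auto-logon account, and whether a clear-text password is stored with it.
# Only the presence of the value is recorded, never the password itself.
$autoUser = Get-RegValue $logon 'DefaultUserName'
$hasClearPw = $null -ne (Get-RegValue $logon 'DefaultPassword')
# Members of the built-in Administrators group, resolved by SID so that
# localized group names also work.
$sid    = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$group  = $sid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1]
$admins = @(([ADSI]"WinNT://./$group,group").Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

$report = @(
    New-Check 'UAC enabled (EnableLUA)'            $lua        ($lua -eq 1)
    New-Check 'UAC denies or asks for password'    $prompt     ($prompt -in 0, 1, 3)
    New-Check 'Remote Desktop disabled'            $rdp        ($rdp -eq 1)
    New-Check 'Remote Assistance disabled'         $ra         ($ra -eq 0)
    New-Check 'Windows Search service disabled'    $ws         ($ws -eq 'Disabled')
    New-Check 'Auto-logon account is the kiosk'    $autoUser   ($autoUser -eq $KioskUser)
    New-Check 'No clear-text auto-logon password'  (-not $hasClearPw) (-not $hasClearPw)
    New-Check 'Kiosk account is not administrator' ($admins -join ', ') ($admins -notcontains $KioskUser)
)
$report | Format-Table Setting, Actual, Ok -AutoSize
```

Any row with `Ok` set to `False` is a setting that has drifted from what the thread describes and is worth reviewing before the machine goes back into public use.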
 
