2. Kiosk Hardening

OPSWAT recommends that the following additional setup is performed if MetaDefender Kiosk is deployed on a dedicated system.

Auto login

If MetaDefender Kiosk is being used on a dedicated system, we recommend configuring Windows on the kiosk to log in automatically to the account with Administrator privileges that MetaDefender will run with. If the MetaDefender Kiosk system is part of a domain, additional steps may be required to allow this.

User Account Control (UAC)

OPSWAT recommends that UAC is disabled on systems that are being used as dedicated MetaDefender Kiosks. If UAC is not disabled, MetaDefender Kiosk's watchdog functionality may not work correctly.

There are two ways to completely disable UAC in Windows:

By editing the registry

  1. Click Start and type "regedit.exe" to open the Registry Editor

  2. Navigate to the registry key at HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System

  3. Set EnableLUA to 0

  4. Restart Windows

By adjusting Local Group Policy settings

  1. Click Start and type "gpedit.msc" to open the Group Policy Editor

  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

  3. The right pane is populated with policies. Locate the ones for User Account Control and set:

    1. User Account Control: Only elevate executables that are signed and validated → Enabled

    2. User Account Control: Switch to the secure desktop when prompting for elevation → Disabled

  4. Restart Windows
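
A read-only check of the auto-login and UAC settings above, added here as an example and not part of OPSWAT's documentation. The function name Get-KioskHardeningState is hypothetical; ValidateAdminCodeSignatures and PromptOnSecureDesktop are the registry values behind the two Group Policy settings, and AutoAdminLogon under Winlogon is the standard Windows auto-logon switch.

```powershell
# Read-only audit of the auto-login and UAC settings described above.
# Added example: the function name and output layout are assumptions.
function Get-KioskHardeningState {
    $uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $logonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Expected values as the page states them:
    #   EnableLUA = 0                     (registry method, step 3)
    #   ValidateAdminCodeSignatures = 1   ("Only elevate executables that are
    #                                      signed and validated" = Enabled)
    #   PromptOnSecureDesktop = 0         ("Switch to the secure desktop when
    #                                      prompting for elevation" = Disabled)
    $expected = [ordered]@{
        EnableLUA                   = 0
        ValidateAdminCodeSignatures = 1
        PromptOnSecureDesktop       = 0
    }

    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = $uac.$name            # $null when the value is absent
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Matches  = ($null -ne $actual) -and ($actual -eq $expected[$name])
        }
    }

    $logon = Get-ItemProperty -Path $logonKey -ErrorAction SilentlyContinue
    $auto  = $logon.AutoAdminLogon
    [pscustomobject]@{
        Setting  = 'AutoAdminLogon'
        Expected = '1'
        Actual   = if ($null -eq $auto) { '<not set>' } else { $auto }
        Matches  = ($auto -eq '1')
    }
    # A DefaultPassword value under Winlogon is stored in plaintext, so report
    # only whether it exists and never print it.
    [pscustomobject]@{
        Setting  = 'DefaultPassword present in registry'
        Expected = 'review'
        Actual   = ($null -ne $logon.DefaultPassword)
        Matches  = $null
    }
}

Get-KioskHardeningState | Format-Table -AutoSize
```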

Windows Update

Install all patches and updates available through Windows Update. Once all updates are installed, OPSWAT recommends that automatic updates are turned off to prevent system reboots.

  1. Navigate to Start > Control Panel > Windows Update > Change settings

  2. Select Never check for updates from the menu

  3. Click Apply or OK and close the dialog box

If turning off automatic updates is not desired, you must configure a mechanism or process to restart the MetaDefender Kiosk system. We recommend using standard organizational patch practices and tools.

Setting the screen saver and power saving options

Select the maximum performance power saving option.

  1. Navigate to Start > Control Panel > Power Options

  2. Click Change plan settings

  3. Click Change advanced power settings

  4. Select High Performance from the menu

  5. Click OK

You should turn off the screensaver.

  1. Navigate to Start > Control Panel > Personalization > Change screen saver

  2. Select (None) from the menu

  3. Click Apply or OK and close the dialog box

Disabling mouse cursor pointer

Note: This configuration is optional. Once these steps are taken, there will be no visible mouse pointer.

OPSWAT recommends that mouse cursor pointers are turned off after MetaDefender Kiosk has been configured. If the system touchscreen configuration software does not have this feature, it can be done manually by following the steps below:

  1. Navigate to Start > Control Panel > Mouse

  2. Click the Pointers tab

  3. Browse to C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\blank.cur

  4. Customize each pointer type to the provided blank pointer, blank.cur

  5. Click Apply and close the dialog box.

Disabling hotkeys

By default, the Kiosk will ignore any command that is a combination of Ctrl and another key.

The Ctrl + Alt + Del combination is disabled once you launch the Kiosk UI for the first time. When a user presses these keys, the following screen appears; this is expected.

[Screenshot: screen displayed when Ctrl + Alt + Del is pressed]

If you want to disable the combination completely, so that nothing happens, follow 2.2. Disabling Windows Hot Keys.

Other system hardening configuration

MetaDefender Kiosk does the following system hardening when installed:

  • Disables auto-run on all plug-and-play media and drives

  • Captures and disables all hotkey combinations such as Windows Key, Alt+Tab, etc.

CORS Configuration

See Limit Access to the REST Server for more detailed instructions.