How safe is Steady State?



nofam
24-06-2009, 02:14 PM
My Head Office has just sent out a request/directive for us to set up a terminal instore for customers to access the internet so they can add their details to an online database.

I've refused, as our whole LAN is on one subnet, and the idea of (potentially) opening that up (and our two satellite branches!) to the general public and only relying on an application-level protection like steady state is crazy IMHO.

I wouldn't be prepared to do this unless I had that device on a separate vLAN or something similar.

Or is Steady State that good?

Reminds me of when The Warehouse was selling Dell PCs a few years back - someone at the local store changed all the admin passwords on the 4 display models, and put passwords on the screen savers too.

pctek
24-06-2009, 02:47 PM
Um. But is anything likely to get across to the other PCs?
But I think it's a dumb idea anyway, why should customers need to go on the net at your business, wait till they get home.

Blam
24-06-2009, 03:00 PM
Wouldn't booting into safe mode bypass steadysafe?...

somebody
24-06-2009, 03:22 PM
Steady State will only protect that machine - malicious customers can still wreak havoc on your network. You would need other tools to protect the rest of your network from someone doing "interesting" things on that public PC.

You might be able to use some internet-cafe type software which limits users to the confines of a browser. It won't be bullet proof, but at least it'll stop most of the idiots who think they're being funny.

Saucy
24-06-2009, 09:21 PM
Wouldn't booting into safe mode bypass steadysafe?...

I think there's probably a couple of ways around that, like setting a BIOS password, removing shutdown and restart buttons using Steady State and keeping the computer itself and the power locked away.

Also in the Steady State FAQ (http://www.microsoft.com/downloads/details.aspx?familyid=6D130662-C084-4356-906F-426BC814582A&displaylang=en) they seem to have answers to safe mode, something to do with an administrator password, and also using the BIOS settings to prevent people using a bootable OS to get around it.

From the Steady State manual (http://www.microsoft.com/downloads/details.aspx?FamilyId=F829BB8B-C7A9-426B-A7A4-2B504A6238D2&displaylang=en), it sounds quite powerful, and a bit of web searching turned up quite a few stories about it getting use in internet cafes and schools and libraries so it's probably relatively robust. But there were also people having problems with wrong configurations and forgotten passwords, so probably for expert users only, not something to mess around with just for fun.

Not sure what could be done to configure it to not see the LAN though, a separate internet connection would be much safer. Maybe you can get close by disabling access to Windows Explorer and Command.com/Run and then setting up Family Safety (http://download.live.com/familysafety) to only allow access to the one website. :2cents:

Saucy
24-06-2009, 09:34 PM
Reading more about Steady State in the FAQ, it sounds like it has an option to limit to specific websites so you probably wouldn't need any family safety stuff.

My suggestion, set it up on a stand alone spare PC, see what it can do, then decide.

Blam
24-06-2009, 09:37 PM
Maybe set it up in a VM and "audit" it:D

beeswax34
24-06-2009, 09:47 PM
Can't you just build a standalone database application where customers can go and enter that data and that can be then synced to your company's proper database every night or something. That way, everything exists on 2 different networks.

inphinity
25-06-2009, 08:35 AM
You could probably put a router in between the customer terminal & the rest of your network, and configure it for internet connectivity only.
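The "router between the terminal and the rest of the network" idea above, and the separate-VLAN point in the original post, both come down to one egress policy on that router: the kiosk segment may reach the internet on web ports and a named DNS resolver, and nothing else, least of all the shop LAN and the two satellite branches. The following is an added example (not code from anyone in this thread, and nothing to do with Steady State itself) that models that policy as a small packet evaluator and renders the equivalent iptables rules. The interface name, the resolver address and the destination addresses are constructed placeholders.

```python
"""Kiosk-segment egress policy: deny the private LAN first, then allow only
web and DNS to the outside world, default drop.  Added example; the
interface name, resolver and sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass

KIOSK_IFACE = "eth1"                                  # constructed: interface the kiosk hangs off
RESOLVER = ipaddress.ip_address("203.0.113.53")       # constructed: the only DNS server the kiosk may use

# Everything the kiosk must never reach.  The shop LAN, both satellite
# branches and the router's own LAN address all fall inside the RFC1918
# ranges; loopback, link-local and multicast are added for completeness.
BLOCKED_DESTS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

ALLOWED_TCP_PORTS = {80, 443}   # plain web browsing only


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def kiosk_egress_allowed(pkt: Packet) -> bool:
    """Decide whether the router should forward a packet coming from the kiosk."""
    dst = ipaddress.ip_address(pkt.dst)
    # Deny-first: a private or local destination is dropped before any
    # allow rule can match, so an allowed port never reaches the LAN.
    if any(dst in net for net in BLOCKED_DESTS):
        return False
    if pkt.proto == "udp" and pkt.dport == 53 and dst == RESOLVER:
        return True
    if pkt.proto == "tcp" and pkt.dport in ALLOWED_TCP_PORTS:
        return True
    return False   # default drop: no SMB, SSH, RDP, mail, arbitrary DNS, ...


def render_iptables(iface: str = KIOSK_IFACE) -> list[str]:
    """Render the same policy as iptables commands for the kiosk router.

    The commands are returned as strings for review, not executed here."""
    rules = [
        # The kiosk may get a DHCP lease from the router but nothing else from it.
        f"iptables -A INPUT -i {iface} -p udp --dport 67 -j ACCEPT",
        f"iptables -A INPUT -i {iface} -j DROP",
    ]
    for net in BLOCKED_DESTS:
        rules.append(f"iptables -A FORWARD -i {iface} -d {net} -j DROP")
    rules.append(f"iptables -A FORWARD -i {iface} -p udp -d {RESOLVER} --dport 53 -j ACCEPT")
    ports = ",".join(str(p) for p in sorted(ALLOWED_TCP_PORTS))
    rules.append(f"iptables -A FORWARD -i {iface} -p tcp -m multiport --dports {ports} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {iface} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample traffic: the kiosk lives on 192.168.50.0/24, the
    # head-office web form on a public address, the shop file server on the LAN.
    samples = [
        Packet("192.168.50.10", "198.51.100.20", "tcp", 443),   # web form: allowed
        Packet("192.168.50.10", "192.168.1.5", "tcp", 445),     # shop file server: dropped
        Packet("192.168.50.10", "203.0.113.53", "udp", 53),     # DNS to our resolver: allowed
        Packet("192.168.50.10", "198.51.100.20", "tcp", 22),    # SSH out: dropped
    ]
    for p in samples:
        print(f"{p.proto}/{p.dport} -> {p.dst}: {'ALLOW' if kiosk_egress_allowed(p) else 'DROP'}")
    print("\n".join(render_iptables()))
```

The order matters: the private-range DROP rules sit above the ACCEPT rules, so a kiosk user browsing to `http://192.168.1.5/` is stopped by the first match even though port 80 is otherwise allowed. If the terminal only ever needs the head-office web form, the TCP ACCEPT can be narrowed further with `-d` to that site's address, which is the router-level equivalent of the "limit to specific websites" option mentioned earlier in the thread.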

linw
25-06-2009, 09:01 AM
Locked down software, called 'Kiosk' software, is made for public access points.

But Beeswax's idea sounds good, too. But you still need a locked down OS.