Best practice Guide – Type 2 Agent in Kiosk Workstation Mode V1.3

Best Practice Guide
OneSign Agent in a Workstation
Kiosk Mode (Type 2)
Document Version: 1.3
Status: Live
Author: Andrew Harrison
Date: 08/06/2011
Imprivata, Inc.
Suite 16, Building 6
Croxley Green Business Park
Hatters Lane, Watford
England, UK
Phone: +44 (0)1923 226 759
www.imprivata.com
Best Practice Guide - Type 2 Agent in Kiosk Mode
Document Overview
Purpose of this document
This document describes the best practice method of configuring and securing a typical OneSign Kiosk
workstation for use with the OneSign Type 2 Agent.
Overview
The OneSign Kiosk Agent is designed for computers that are shared by multiple users. The machine is
authenticated to windows using a generic login with few privileges and locked down using OneSign.
Users can log in and out of the computer via OneSign without logging out of the Windows session. An
example of this would be clinical staff using a shared workstation on a hospital ward with access limited
to select applications required for patient care.
This scenario provides efficient, quick access to applications but is not ideally suited to the ‘full desktop’
experience. The OneSign Kiosk mode differs from the traditional Microsoft Fast User Switching process.
In the MS scenario, every user switch leaves the previous user fully logged on. This creates performance
issues, due to multiple instances of applications running concurrently in different user sessions. With the
OneSign Kiosk Mode, only one (generic) user is ever logged on, making the OneSign kiosk fast, efficient
and suitable for most types of workstation.
When to use the OneSign Kiosk Agent:
• For workstation computers used by multiple operators
• To take advantage of fast user-switching and automated application shutdown (SSO only)
The OneSign Kiosk Agent requires very few system resources so is ideally placed where logon times and
performance are critical; it can be used on any computer that can run Windows 2000 or later.
You can deploy Group Policy settings to automate the login process and hide/restrict access to items on
the Kiosk workstation. By enabling these settings you can further increase security so that the
workstation is only used for its intended purpose. The Group Policy settings outlined in this document
are required to enable a Type 2 Kiosk Workstation. There are other suggested Group Policy settings
which go towards securing the workstation but the list is not exhaustive and may be different for each
organisation.
16 May 2011
Version 1.3
Page 2
Table of Contents
Document Overview  2
    Purpose of this document  2
    Overview  2
OneSign Requirements for a Kiosk Workstation running a Type 2 Agent  4
    Typical Group Organisational Units you may want to consider in a 'Kiosk' Group Policy scenario  5
    Typical Group Policy Object examples you may want to consider in a 'Kiosk' Group Policy scenario  6
Automated Application Shutdown  8
Configuring a OneSign Kiosk Workstation
Basic requirements for a OneSign Kiosk Workstation
OneSign requires the kiosk machines to 'Auto Logon' using a generic user account with minimal
privileges. From the point of workstation login, the OneSign Agent handles user access to the
workstation by locking the machine and requiring authentication to OneSign. You can force the option
to allow only OneSign users to unlock the machine, so that nobody can unlock the workstation by
entering the generic domain account's credentials.
1. The following option must be checked to allow only OneSign users access to the workstation. It is
found under the 'Default Computer Policies' in the Policies tab of the OneSign Administrator.
One point to note is that Group Policy has no native auto-logon settings, so the registry values have to
be written via Group Policy Preferences to achieve the desired result. The workstation must also have
the Group Policy Client Side Extensions installed.
More information regarding Group Policy Preferences can be found at:
http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx
2. Group Policy Preferences required for automated login at the Kiosk Workstation:
3. Settings required to be written to the Workstation Registry by Group Policy Preferences. All five are
REG_SZ values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, the key
Winlogon reads its auto-logon settings from:

Registry Key          Value
AutoAdminLogon        1
DefaultDomainName     Your Domain
DefaultPassword       The Generic Account Password
DefaultUsername       The Generic Account Username
Shell                 Set to 'Blank' which prohibits the Explorer Shell
If the above preferences are set within a Group Policy and applied to the kiosk workstations, the
machines will automatically be logged in as the specified generic account. Further 'lock down' Group
Policies should be put in place to secure the kiosk workstation from unintended use. These settings will
differ vastly from one organisation to the next; some typical Group Policy examples are listed later in
this document.
Note: Shell is only removed if no local desktop or applications are required to be accessed and is
typically used in combination with a VDI solution.
Note: DefaultPassword is a plain string value, so the generic account's password is stored in clear text
both in the GPO's Registry.xml in SYSVOL (readable by every authenticated domain user) and in the
Winlogon key on every kiosk. Treat that password as public: the generic account must have no rights
beyond what the kiosk needs and must not be reused for anything else.
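As an added example (the editor's, not Imprivata's or the guide's), the following Python script audits a Group Policy Preferences Registry.xml for the five Winlogon items in the table above. A Registry preference item is stored in the GPO as a <Registry> element whose <Properties> child carries hive, key, name, type, value and action attributes, in Machine\Preferences\Registry\Registry.xml under the GPO's folder in SYSVOL; the sample document, the domain HOSPITAL, the account kiosk-ward7 and its password are constructed for this example. The script reports required items that are missing or wrong and flags the clear-text DefaultPassword.

```python
"""Audit a Group Policy Preferences Registry.xml for the kiosk auto-logon
items in the table above (editor's example, not Imprivata code)."""
import xml.etree.ElementTree as ET

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Items the guide requires. A string means the value must match exactly;
# None means the item must be present with any value.
REQUIRED = {
    "AutoAdminLogon": "1",
    "DefaultDomainName": None,
    "DefaultUserName": None,
    "DefaultPassword": None,
}

# Constructed sample of a kiosk GPO's Registry.xml. GPP also writes clsid,
# uid and changed attributes; they are omitted because the parser ignores
# them. Domain HOSPITAL, account kiosk-ward7 and the password are made up.
SAMPLE_REGISTRY_XML = r"""<RegistrySettings>
  <Registry name="AutoAdminLogon" status="AutoAdminLogon">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="AutoAdminLogon" type="REG_SZ" value="1"/>
  </Registry>
  <Registry name="DefaultDomainName" status="DefaultDomainName">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="DefaultDomainName" type="REG_SZ" value="HOSPITAL"/>
  </Registry>
  <Registry name="DefaultUsername" status="DefaultUsername">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="DefaultUsername" type="REG_SZ" value="kiosk-ward7"/>
  </Registry>
  <Registry name="DefaultPassword" status="DefaultPassword">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="DefaultPassword" type="REG_SZ" value="Example-Pa55word"/>
  </Registry>
  <Registry name="Shell" status="Shell">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="Shell" type="REG_SZ" value=""/>
  </Registry>
</RegistrySettings>
"""


def winlogon_items(xml_text):
    """Return {lower-cased value name: value} for every HKLM Winlogon item
    the GPO creates, updates or replaces. Registry value names are
    case-insensitive (the guide writes DefaultUsername, Windows documents
    DefaultUserName), so names are compared in lower case. Items with
    action="D" are deletions, not settings, and are skipped."""
    items = {}
    for props in ET.fromstring(xml_text).iter("Properties"):
        if props.get("hive") != "HKEY_LOCAL_MACHINE":
            continue
        if props.get("key", "").lower() != WINLOGON_KEY.lower():
            continue
        if props.get("action", "U").upper() == "D":
            continue
        items[props.get("name", "").lower()] = props.get("value", "")
    return items


def audit_kiosk_autologon(xml_text):
    """Compare the Winlogon items against the guide's table.

    Returns {"items", "problems", "warnings"}; the preference set meets the
    guide when "problems" is empty. "warnings" carries the Shell state and
    the clear-text password caveat."""
    items = winlogon_items(xml_text)
    problems, warnings = [], []
    for name, expected in REQUIRED.items():
        got = items.get(name.lower())
        if got is None:
            problems.append(f"{name} is not set by this GPO")
        elif expected is not None and got != expected:
            problems.append(f"{name} is {got!r}, guide requires {expected!r}")
    shell = items.get("shell")
    if shell is None:
        warnings.append("Shell not set: the Explorer desktop will load")
    elif shell == "":
        warnings.append("Shell is blank: no Explorer desktop, intended for VDI-style kiosks")
    else:
        warnings.append(f"Shell is {shell!r}: a custom shell the guide does not cover")
    if items.get("defaultpassword"):
        warnings.append("DefaultPassword is stored in clear text in this Registry.xml "
                        "(SYSVOL, readable by Authenticated Users) and in HKLM Winlogon "
                        "on every kiosk; the generic account must stay least-privilege")
    return {"items": items, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    import sys
    # Registry.xml is written as UTF-8 with a BOM; utf-8-sig strips it.
    text = (open(sys.argv[1], encoding="utf-8-sig").read()
            if len(sys.argv) > 1 else SAMPLE_REGISTRY_XML)
    result = audit_kiosk_autologon(text)
    for line in result["problems"]:
        print("PROBLEM:", line)
    for line in result["warnings"]:
        print("warning:", line)
```

Run it against a copy of the file taken from \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Registry\Registry.xml. Because that share is readable by Authenticated Users, anything this script can read there, any domain user can read too, which is the point of the password warning.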
Typical Group Organisational Units you may want to consider in a 'Kiosk' Group Policy scenario
Below is a typical OU configuration that would achieve a locked down ‘Kiosk’ Group Policy Scenario. The
Group Policies are split into Computer and User Policies. All Kiosk machines should be located within the
Kiosk OU of the Computers OU. All Kiosk users (The generic user accounts used to login to the Kiosk
machines) should be located within the Kiosk Users OU of the Users OU.
Typical Group Policy Object examples you may want to consider in a 'Kiosk' Group Policy scenario

Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / Interactive Logon

Policy                                                        Setting
Interactive logon: Do not display last user name              Enabled
Interactive logon: Do not require CTRL+ALT+DEL                Enabled   **** THIS IS REQUIRED BY ONESIGN ****

Note: the CTRL+ALT+DEL requirement is the secure attention sequence, the mechanism by which Windows
guarantees that the logon prompt a user types into is the genuine one. The guide marks it as required
by OneSign; be aware that disabling it gives up that guarantee, which is one more reason the user
lock-down settings below should be applied rather than treated as optional.
User Configuration / Policies / Administrative Templates / Start Menu and Taskbar

Policy                                                        Setting
Do not keep history of recently opened documents              Enabled
Prevent changes to Taskbar and Start Menu Settings            Enabled
Prevent users from adding or removing toolbars                Enabled
Remove Documents icon from Start Menu                         Enabled
Remove Favorites menu from Start Menu                         Enabled
Remove Logoff on the Start Menu                               Enabled
Remove Music icon from Start Menu                             Enabled
Remove Network icon from Start Menu                           Enabled
Remove Pictures icon from Start Menu                          Enabled
Remove Recent Items menu from Start Menu                      Enabled
Remove Run menu from Start Menu                               Enabled
Remove the networking icon                                    Enabled

User Configuration / Policies / Administrative Templates / System

Policy                                                        Setting
Prevent access to registry editing tools                      Enabled
Prevent access to the command prompt                          Enabled
Windows Automatic Updates                                     Enabled

User Configuration / Policies / Administrative Templates / System / Ctrl+Alt+Del Options

Policy                                                        Setting
Remove Change Password                                        Enabled
Remove Lock Computer                                          Enabled
Remove Logoff                                                 Enabled
Remove Task Manager                                           Enabled

User Configuration / Policies / Administrative Templates / Windows Components / Windows Explorer

Policy                                                        Setting
Hide these specified drives in My Computer                    Enabled
No Entire Network in Network Locations                        Enabled
Prevent access to drives from My Computer                     Enabled
Remove "Map Network Drive" and "Disconnect Network Drive"     Enabled
Remove Shared Documents from My Computer                      Enabled
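The policies above are given by their Group Policy display names. As an added check (the editor's example, not Imprivata's or the guide's), the Python below reads a `reg export` of a kiosk's Policies keys and reports which of a representative subset of those settings actually took effect in the generic account's session. The registry value behind each display name is the standard one its ADMX template writes, supplied here by the editor rather than taken from the guide; the export text is constructed, with Task Manager deliberately left enabled so that one check fails.

```python
"""Check a kiosk's exported Policies keys against the lock-down settings
listed above (editor's example, not from the guide or Imprivata)."""
import re

HKCU_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
HKLM_POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"

# Policy display name (as in the guide) -> (key, value name, expected DWORD).
# These are the standard ADMX-backed registry locations behind the names,
# supplied by the editor. None means any non-zero DWORD is acceptable
# (DisableCMD is 1 or 2, NoViewOnDrive is a drive bitmask).
EXPECTED = {
    "Interactive logon: Do not display last user name": (HKLM_POL + r"\System", "DontDisplayLastUserName", 1),
    "Interactive logon: Do not require CTRL+ALT+DEL": (HKLM_POL + r"\System", "DisableCAD", 1),
    "Do not keep history of recently opened documents": (HKCU_POL + r"\Explorer", "NoRecentDocsHistory", 1),
    "Remove Logoff on the Start Menu": (HKCU_POL + r"\Explorer", "StartMenuLogOff", 1),
    "Remove Run menu from Start Menu": (HKCU_POL + r"\Explorer", "NoRun", 1),
    "Prevent access to registry editing tools": (HKCU_POL + r"\System", "DisableRegistryTools", 1),
    "Prevent access to the command prompt": (HKCU_POL + r"\System", "DisableCMD", None),
    "Remove Change Password": (HKCU_POL + r"\System", "DisableChangePassword", 1),
    "Remove Lock Computer": (HKCU_POL + r"\System", "DisableLockWorkstation", 1),
    "Remove Logoff": (HKCU_POL + r"\Explorer", "NoLogoff", 1),
    "Remove Task Manager": (HKCU_POL + r"\System", "DisableTaskMgr", 1),
    "Prevent access to drives from My Computer": (HKCU_POL + r"\Explorer", "NoViewOnDrive", None),
    'Remove "Map Network Drive" and "Disconnect Network Drive"': (HKCU_POL + r"\Explorer", "NoNetConnectDisconnect", 1),
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Constructed sample of `reg export` output from a kiosk: every policy above
# applied except Task Manager, which is still available (DisableTaskMgr = 0).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001
"DisableCAD"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000002
"DisableChangePassword"=dword:00000001
"DisableLockWorkstation"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsHistory"=dword:00000001
"NoRun"=dword:00000001
"StartMenuLogOff"=dword:00000001
"NoLogoff"=dword:00000001
"NoViewOnDrive"=dword:03ffffff
"NoNetConnectDisconnect"=dword:00000001
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` emits for policy
    keys: [key] headers, "name"=dword:xxxxxxxx and "name"="string".
    Returns {key.lower(): {name.lower(): value}} with DWORDs as int; other
    data types (hex:, hex(7):) are kept as their raw text."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            values.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = m.group("data")
            if data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = data
            values[key][m.group("name").lower()] = value
    return values


def check_lockdown(reg_text):
    """Return {policy display name: "ok" | "missing" | "wrong (<value>)"}.
    "missing" means the value is absent, i.e. the policy did not apply
    (wrong OU, GPO not linked, or gpupdate not yet run)."""
    reg = parse_reg_export(reg_text)
    report = {}
    for policy, (key, name, want) in EXPECTED.items():
        got = reg.get(key.lower(), {}).get(name.lower())
        if got is None:
            report[policy] = "missing"
        elif got == want or (want is None and isinstance(got, int) and got != 0):
            report[policy] = "ok"
        else:
            report[policy] = f"wrong ({got!r})"
    return report


if __name__ == "__main__":
    import sys
    # reg export writes UTF-16LE with a BOM; several exports may be concatenated.
    text = "".join(open(p, encoding="utf-16").read() for p in sys.argv[1:]) or SAMPLE_REG
    for policy, status in check_lockdown(text).items():
        print(f"{status:14} {policy}")
```

On the kiosk, while it is logged on as the generic account, run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" user.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" machine.reg`, then pass both files to the script. A result of "missing" for every user policy usually means the GPO did not apply at all (generic account or machine in the wrong OU), which is worth ruling out before investigating individual settings.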
Automated Application Shutdown
In a Type 2 Workstation Kiosk configuration the computer is automatically logged into Windows using a
generic domain account, as described previously. OneSign controls user access to the machine but the
logged on Windows session is persistent. In this scenario applications can be kept open when a user logs
off and the next user logs on. This saves time closing and re-opening the application and further
enhances the performance of the Kiosk configuration. To avoid a user finding an application open and
logged in as a previous user, one of two steps needs to be completed:
1. At login, gracefully log any previous user out of any running application.
This step is ideal if you want to keep an application alive and not have to spend time relaunching it.
The example below shows a log-off sequence in which the 'Esc' key is pressed five times to back the
user out of the application, all the way to its login screen. It is triggered 'During fast user
switching on a kiosk workstation' and/or 'When the workstation locks'. Note that the 'Shut down'
option is not chosen, so the application stays running for the next user.
2. At login, close the application altogether.
This step can be used where application load times are not an issue or where an application
cannot log out the previous user gracefully.
The example below is the same as the last in that it attempts to log the user out of the
application gracefully by following a logoff sequence, but in this instance it also closes the
application at the end. Whether or not the logoff sequence completes, OneSign will shut the
application down completely before the next user logs on.
** Note: The default behaviour of OneSign (i.e. if no options are selected within the
Application Logoff and Shutdown settings) is to close the application completely. **