Protect Public Computers with Windows SteadyState, Part 1

by Jakob H. Heidelberg [Published on 3 Oct. 2007 / Last Updated on 3 Oct. 2007]

This article series will focus on “Windows SteadyState” – a completely free toolkit from Microsoft that helps administrators take control of shared access computers running Windows XP.

If you would like to read the next part in this article series please go to Protect Public Computers with Windows SteadyState, Part 2

Part 1 of this article series will include a short introduction to the possibilities we get with Windows SteadyState (WSS). We will look at the new version compared to older versions, system requirements, Windows Disk Protection (WDP) and how to get started.

The next articles will take us a bit further into the layers of this wonderful toolkit. But first the basics must be covered…

Shared Access Computers

If you have ever managed shared access computers, like computers in schools, public libraries, Internet cafes, kiosk machines, etc., you probably know how hard it is to keep the computers running in the long run, as well as keeping the security level high and up to date, without too much work and “hands-on”. What we need is a solution that protects hard disks from unauthorized changes – as some changes are required (e.g. updates) and others are not (like when kids - and others - change the desktop layout, Start Menu shortcuts, system settings and worse).

Maybe you, like me, have tried hardware solutions with hard disk controllers redirecting writes to the system/boot partition to a hidden partition which is then “flushed” at every reboot. This is a very good solution; however, we do face a problem when updating the computers, e.g. Windows Update, Office Update, antivirus signature updates, etc. In this case the computers must be booted in “manager” or “admin” mode before we can perform any changes.

You probably also tried loading tons of local Group Policy settings to keep curious fingers off the system settings, Start Menu & Desktop options, etc, just to keep the computer usable for more than a couple of days. But still, you didn’t quite feel this was good enough for your scenario - maybe partly because of the fact that all local users were hit by those same local policy limitations, even administrators and support.

Well, Microsoft provides a solution for administrators with the above-mentioned, very common problems. The toolkit is called Windows SteadyState – there is no additional hardware required… You are just a quick download, a few clicks and a helpful ‘wizard’ away from complete system protection.

What’s new?

If you have ever dealt with the mentioned problems before, you probably tested the Microsoft Shared Computer Toolkit, which was pretty good, actually. Windows SteadyState is an enhanced edition of this toolkit – it’s just even easier to set up, configure and manage.


Figure 1

These are some of the new features added to the toolkit:

  • New user console with tabbed navigation that lets you easily manage shared computers from a single console.
  • Windows Disk Protection is now file-based so you can set up and install without changing your disk partitions.
  • Windows Disk Protection now supports Group Policy so you can manage it in an Active Directory environment.
  • More software restriction options give you greater control over which programs can be used.
  • More user restriction options, including significantly greater control over Internet Explorer.
  • High, medium, and low security defaults allow for quicker and easier customization.
  • Easily import and export user restrictions directly from the console, without using command line tools.
  • Easier setup and better documentation to help you get started.

With these great enhancements in mind, let’s just recap the most fundamental and extremely important technology we get with Windows SteadyState for Windows XP: Windows Disk Protection!

Windows Disk Protection (WDP)

WDP is probably the main reason why Windows SteadyState is such a nice tool. This feature is designed to help protect system settings and data on the Windows partition from being permanently changed. During a logon session many changes are made to the system, both by the active user and by the system itself. On a shared computer the goal is to create a consistent environment: one boot should be exactly like the other – no difference in the user experience.

When Windows Disk Protection is enabled, it clears all changes to the Operating System partition at whatever time interval you define. The most common scenario is removing all changes at restart. With this setting Helpdesk can just ask the users to restart the shared access computer (the most common sentence used by the average IT Support, I guess) – and it will definitely be reset to the previous (working) state, unless a hardware error has occurred of course.

WDP is not on by default. This is because you as an admin probably want to tweak the system, install applications, create users, etc, before activating this precious feature – unless you want to repeat your work forever, like Sisyphus did… When you are ready to use it and the system is 100% ready to go into production (disk defragmentation, deletion of temporary files completed, etc), switch it on and enjoy watching curious fingers try to mess around with your settings… They just won’t succeed!

Behind the scenes, WDP creates and reserves a large (2 GB as a minimum) cache file in which it saves all changes to the Operating System and program files. It needs at least 4 GB of free space on your Windows partition to create its cache file, but the default size used is approximately 50% of the available disk space (40 GB as a maximum).

During reboot - or at the specified time interval you define - WDP deletes the contents of the cache and restores the system to the exact same state as the moment it was turned on. If you want to enable users to save information to the Desktop, the Documents folder, etc. for later access, you can do this by defining the user profile as an “unlocked profile” placed on a different drive/partition (as WDP only protects the partition containing the operating system files).

The same functionality is available with many hardware controller solutions – so why is WDP better? Well, the really cool thing is that you can schedule updates and apply them permanently even when WDP is turned on! I’ve never seen a hardware solution for this – we need the systems to be stable AND secure, so we really need those updates for the Operating System, antivirus signature files, etc.

With Windows SteadyState important Microsoft updates and antivirus updates are not removed on restart of the shared computer, if you configure it correctly. The system will force a log off of any active user during the scheduled update interval, restart and perform the required updates and be ready to go after a short period in “maintenance mode”. We’ll get back to this in a later article in this series.

Requirements

Systems running Windows SteadyState must meet the minimum system configuration requirements listed in Table 1.

Component | Requirement
--- | ---
Processor (CPU) | 300 megahertz (MHz) or higher speed recommended. 233 MHz minimum required (single or dual processor system); Intel Core/Pentium/Celeron family, or AMD K6/Athlon/Duron family, or compatible processor recommended.
Memory | 128 megabytes (MB) of RAM or higher recommended. 64 MB minimum supported; but this may limit performance and some features.
Hard disk | 1.5 gigabytes (GB) of available hard disk space without Windows Disk Protection (WDP), or 4.0 GB of available hard disk space with WDP. But I really can’t see why you would run Windows SteadyState without utilizing the WDP feature…
Operating system | Windows XP Professional, Windows XP Home Edition, or Windows XP Tablet PC Edition with Windows XP Service Pack 2 (SP2) installed.
File System | NTFS (as you probably already know, you get almost no security on Windows systems without it).
Tools | Windows Scripting and Windows Management Instrumentation (WMI) must be working.
Permissions & rights | Administrator level access to the operating system.

Table 1

Note: Unfortunately Windows SteadyState does not run with Windows Vista. This is one of the tough limitations, but hopefully this will be part of the next version of the tool.

Another requirement is to pass the Windows Genuine Advantage test - although I did manage to get it installed on a machine that was not connected to the Internet… But anyway, basically you need a Windows XP license for your Operating System – that’s not so strange, is it?
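Before installing on a batch of shared computers it pays to verify the requirements in Table 1 on each machine rather than discovering a FAT32 partition or a disabled WMI service halfway through. The following read-only pre-flight script is an added example written for this article; it is not code from Microsoft or from Windows SteadyState itself. It queries the same items the table lists (OS and service pack, scripting and WMI, CPU, RAM, NTFS, free space, administrator rights) and then estimates the default WDP cache size from the figures given in the Windows Disk Protection section above (roughly half of the free space on the Windows partition, 2 GB minimum, 40 GB maximum). That sizing rule is taken from the article text, not from any SteadyState interface, so treat the estimate as an assumption. It is written for Windows PowerShell, which is available for Windows XP SP2 as a separate download.

```powershell
# Added pre-flight check for the Windows SteadyState requirements in Table 1.
# Example code for this article, not part of Windows SteadyState or any Microsoft tool.
# Assumptions: run in Windows PowerShell on the XP machine you intend to protect; the
# WDP cache sizing rule below mirrors the article's description only.

function New-Check([string]$name, [bool]$passed, [string]$detail) {
    # Small result record; Add-Member keeps this compatible with PowerShell 1.0.
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Check  $name
    $o | Add-Member NoteProperty Passed $passed
    $o | Add-Member NoteProperty Detail $detail
    return $o
}

function Get-DefaultWdpCacheSizeGB([double]$freeGB) {
    # Assumed rule from the article: about 50% of free space, clamped to 2..40 GB.
    $size = [math]::Round($freeGB / 2, 1)
    if ($size -lt 2)  { $size = 2 }
    if ($size -gt 40) { $size = 40 }
    return $size
}

$checks = @()

# WMI must answer at all; a $null result here means WMI itself is not working.
$os = Get-WmiObject -Class Win32_OperatingSystem -ErrorAction SilentlyContinue
$checks += New-Check "WMI responding" ($os -ne $null) "Win32_OperatingSystem query"
if ($os -eq $null) { $checks | Format-Table Check, Passed, Detail -AutoSize; exit 1 }

# Windows XP is NT 5.1; SteadyState needs Service Pack 2 or later.
$isXp = $os.Version -like "5.1.*"
$osDetail = "$($os.Caption) SP$($os.ServicePackMajorVersion), version $($os.Version)"
$checks += New-Check "Windows XP with SP2" ($isXp -and $os.ServicePackMajorVersion -ge 2) $osDetail

# Windows Script Host present and not switched off by the Enabled policy value.
$wshPresent = Test-Path "$env:windir\system32\wscript.exe"
$wshKey     = "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings"
$wshEnabled = $true
if (Test-Path $wshKey) {
    $v = (Get-ItemProperty $wshKey).Enabled
    if ($v -ne $null -and [int]$v -eq 0) { $wshEnabled = $false }
}
$checks += New-Check "Windows Scripting available" ($wshPresent -and $wshEnabled) "wscript.exe present=$wshPresent, enabled=$wshEnabled"

# Processor: 233 MHz minimum, 300 MHz recommended.
$cpu = @(Get-WmiObject -Class Win32_Processor)[0]
$mhz = [int]$cpu.MaxClockSpeed
$checks += New-Check "CPU >= 233 MHz (300 recommended)" ($mhz -ge 233) "$($cpu.Name.Trim()) at $mhz MHz"

# Memory: 64 MB minimum, 128 MB recommended (TotalVisibleMemorySize is in KB).
$ramMB = [int]($os.TotalVisibleMemorySize / 1024)
$checks += New-Check "RAM >= 64 MB (128 recommended)" ($ramMB -ge 64) "$ramMB MB visible to Windows"

# System partition: NTFS, with at least 4 GB free for the WDP cache file.
$sysDrive = $env:SystemDrive
$disk   = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
$checks += New-Check "System partition is NTFS" ($disk.FileSystem -eq "NTFS") "$sysDrive is $($disk.FileSystem)"
$checks += New-Check "Free space >= 4 GB for WDP" ($disk.FreeSpace -ge 4GB) "$freeGB GB free on $sysDrive"

# Administrator rights on the local machine.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$checks += New-Check "Running as Administrator" $isAdmin $identity.Name

$checks | Format-Table Check, Passed, Detail -AutoSize

$failed = @($checks | Where-Object { -not $_.Passed })
if ($failed.Count -eq 0) {
    $cacheGB = Get-DefaultWdpCacheSizeGB $freeGB
    Write-Host "All requirements met. With $freeGB GB free, expect a default WDP cache of about $cacheGB GB."
} else {
    Write-Host "$($failed.Count) requirement(s) not met; fix these before installing Windows SteadyState."
}
```

Run it from an administrative PowerShell prompt on each candidate machine; every check is a query, so nothing is changed. The free-space figure is the one that most often trips people up, because WDP needs that 4 GB on the Windows partition specifically, not on some other drive, and the cache estimate tells you how much of the remaining space you can expect the default setting to claim.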

Conclusion

We have now described what great features Windows SteadyState can bring ‘shared access computer administrators’. We have looked at the new version and its enhancements, and looked at the basic system requirements. Take a look at the External Links section – everything you need to get started should be there…

Try out this great toolkit, maybe just on a virtual machine to begin with. As soon as you see how efficient it really is you may start to like it. Also, ideas might start showing up – where to use it, how to use it, etc. For me it was the perfect way to keep my kids’ (6 and 8 years old) computers clean and stable… They can do anything they like – at the next reboot I know exactly what to expect: a Steady State!

External links
