KioWare - Kiosk System Software - Documentation

See All User Docs
Introduction
Quick Start Guide
Configuration Tool
Run KioWare Lite
Exit KioWare Lite
IE Setup
Installation
Unattended Installation
Automated Licensing
Configuration Tool Command Line Arguments
File Menu
Load Local Settings
Load Settings from a File
Save Local Settings
Save Settings to File
Reset Settings
Exit
Tools Menu
View Event Log
Preferences
System Reporting Tool
Multi-Settings Mode
Help Menu
User Guide
Licensing
Single User Licensing
Multi-User Licensing
Volume Licensing
Time Limited License
General Tab
Start Page URL
Browsing Access Control Lists
Restriction Messages
Domain Restriction
Page Restriction
Access List Logging
Scripting Access Control Lists
XML Configuration
KioWare Shutdown
Auto Logon
System Settings
Keyboard/Printing Tab
Keyboard Filtering
Virtual Keyboard
Printing
Attract/Inactivity Tab
Inactivity
Custom Timeout
Timeout/Warning
Attract Screens
Session End URL
Session End Browser Options
Browser Tab
Browser Interface Settings
Popup Window Settings
Error Handling
External Applications
Dialog Box Settings
User Interface
Tool Bar Designer
Tool Bars
Add Tool Bar
Edit Tool Bar
Delete Tool Bar
Controls
Add Control
Edit Control
Skins Walkthrough
Button
Address Bar
Busy Indicator
Custom Link
Label
Picture
Align Controls
Skins Directory
Delete Control
Security Tab
Software Watchdog
Hardware Watchdog
Disable Devices
Dialog Box Blocking
Miscellaneous Security
User Security
Using KioWare Lite
Running KioWare Lite
Command Line Arguments
Troubleshooting
Exit KioWare Lite
Using with Thin Client
Best Practices
Security
Desktop
LAN/WAN
Design Guide (Programming)
Attract Screens
HTML Title Tags
Scrollbars
Keyboard Filtering
Virtual Keyboard
Touchscreen
Popup Windows
User Sessions
Error Handling
User Agent
External Navigation Commands
Scripting
.Net Addins
Config Tool Addins
Additional Resources
Copyright
KioWare Lite   |   Platform: Windows®   |   Version: 6.8.0

Best Practices

Unlike a normal PC application, a kiosk application has to run unattended and reliably for extended periods of time, it will also be exposed to users who will try very hard to break into the OS and crash your application.

Generally speaking, the kiosk is vulnerable to two threats.  The first is when it boots.  The very brief time from when the autologon is executed but before KioWare Lite executes is an opportunity for a hacker to have access to the kiosk's desktop.  It is very important to de-clutter the desktop and taskbar, and do everything possible to minimize the chance of a hacker stopping execution of KioWare Lite before it has a chance to load and execute.  Using KioWare Lite as the Shell also mitigates this risk.

The second vulnerability presents itself by any action that causes a secondary process to kick off that may preempt KioWare Lite.  The secondary process may be generated locally or externally to the kiosk, so it is a very good idea to disable all unnecessary services or processes that may interfere with your kiosk application.  Using KioWare Lite Service helps to ensure that even if an external process kills KioWare Lite, the service will restart KioWare Lite.

The following is a list of best practices that address the issues of long term reliability and thwarting hackers:

Security

  • Make a special kiosk user account with limited permissions.
  • Have the kiosk user run with a KioWare shell.
  • Add backdoor administrator account.
  • Set up recommended blocked keys.
  • Prevent users from plugging in their own keyboard.
  • Do not allow users to use a keyboard that has F8.  F8 will access Windows safe mode when PC is booting.
  • Make sure the system BIOS cannot be accessed.  The best way to do this is to password protect it.  The next best way is to use a keyboard that does not have the system BIOS key.  The BIOS key could be F10, Del, Esc, and so on.
  • From the BIOS, either disable all boot devices except the local hard drive, or make it the first boot device.  This is important because the CD-Rom or USB ports are usually the first boot devices.  If users can boot from their own device, they will be able to do ANYTHING they want.
  • Set passwords to never expire.
  • Set passwords to NOT require user to change password on next logon.
  • Set Windows to not display error pop-up messages:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\ErrorMode – set to 2 (0 will display all).
  • Set Windows to not display pop-up messages during boot:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\NoPopUpsOnBoot – set to 1 (0 will display all).
  • Set Autologon KioWare Lite (General Tab) so that the PC restarts without needing logon.
      Note: If you are using the KioWare Lite shell there is no need to use Start on Boot because KioWare Lite is the shell.
  • Disable ClickOnce.

These ONLY apply if you're not using / can't use the KioWare Lite shell:

Warning: If you are using Windows 7 or Vista the only secure option is using the KioWare shell as spoken of above.  This is because Microsoft removed the ability to not keep the taskbar on top.

  • Disable the Task Manager for the kiosk user.
  • Set Start on Boot, so KioWare Lite automatically starts after PC restarts.
  • Remove all unnecessary screen icons
  • Remove all Task Bar items
  • Task Bar Properties – uncheck ‘Always on Top'
  • In Vista and Windows 7 you should disable AutoPlay so that a dialog will not show when someone plugs in a USB drive or Cd-Rom.  To do so:
    From the user account that will be running KioWare Lite
    open the Control Panel.
    View in Classic Mode (in Win 7 select "View by Small icons").
    Click AutoPlay.
    Uncheck "Use AutoPlay for all media and devices".
    Make sure that all of the dropdowns are set to either "Choose a default" or "Take no action".

Also see Security Audit Tool.

Start on Boot and the KioWare Shell

One of the minor benefits of using the KioWare shell is that you will not need Start on Boot because KioWare is the shell, and therefore will always run when you log in as your kiosk user.  When you log in as any other user (such as your admin), KioWare will not run, saving you time and effort.

It is highly recommended that you run KioWare in production as the shell because it eliminates MANY security problems that you would have otherwise.  To list a few: taskbar showing, Start menu access, random popups from external applications...  Simply put, always run a production kiosk in the KioWare shell.

Other Applications

Normally, we do not encourage the use of other applications when running KioWare Lite, however there are some situations where this is unavoidable, and can be safe to do.  Normally it is safe to allow the use of the applications listed below as long as you are using a KioWare browsing access list that allows only sites that you trust and are not allowing users to run external files from devices such as removable thumb drives.  Below are some common applications used on kiosks along with their known vulnerabilities and security measures you can take to protect your kiosk from attack.

  • Adobe Acrobat Reader: Acrobat Reader opens one of the most common file formats on the Internet; PDF files.  A known security flaw is that it can run executables, and is set up to allow this functionality by default.  We highly suggest disabling this "feature".  To do so, open the Adobe Reader application and go to
    Preferences - Trust Manager.
    Uncheck "Allow opening of non-PDF file attachments with external applications".
  • Java: Java is very powerful and will enable users to run any Java application they can get to.  It is best not to install Java on the kiosk.
  • Microsoft Office (Word,Excel,Power Point): Office documents have the ability to run Macros and even embedded executables.  The only known work around is to install software that will not allow foreign code to run on the kiosk, such as McAfee Solidifier.
  • Anti-Virus Software: Beware of your anti-virus software.  Most anti-virus software will show a dialog when a threat is detected and can expose parts of the system.  This can happen when you click on a link in a web page that is a virus, even if you are blocking downloads in KioWare, because some virus software installs itself lower than the web browser.
  • Windows Media Player: Even when embedded in the browser, WMP can stop the ability for the allow display sleep and power options features to work.  To stop this interference, open WMP and go to Tools - Options and check Allow screen saver during playback.

Desktop

  • Uncheck Windows Tips screen
  • Disable screen savers
  • If possible, BIOS setup and set AC Power Recovery = On ; i.e., restart PC after power resumes

LAN/WAN

  • Disable Telnet service
  • Disable FTP service
  • Disable Message service (can be done within KioWare Lite)
  • Disable Networking: File & Print Services
  • Disable Networking: Client for Microsoft Networks
  • If using Dialup Networking, disable progress and phone number display while dialing