Using Group Policy Object (GPO) To Restrict Access

  • Type: Article
  • Author: Laura Boniello Miller
  • Date: September 2014
Will Group Policy Object (GPO) lock down my system, restrict access, and provide sufficient security to my network, device, and user? The short and long answer: It depends on your user, your usage, and your security needs. Group Policy can provide users access to the desktop and allow them to work with Windows applications. GPO can also restrict access to external devices or allow for various configurations/allowances based on the user "group". Still, there are many things that Group Policy does not protect against or restrict. If your device is to be used for public access or to access restricted information, kiosk software will provide a much stronger blanket of security.
 
Here are just a few things to consider when deciding if GPO provides the level of security you need.
 
1. GPO does not launch an attract screen. If a Windows Screen Saver is sufficient, GPO will suffice; otherwise, you'll want to consider kiosk software like KioWare that utilizes an attract screen to provide users with a clear message and/or path.
 
2. GPO does not filter unwanted keyboard keys (Ctrl+Alt+Del in particular). If your device will be public facing and needs to be protected from malicious users and/or from users interested in impacting the intended usage of the device, you will want to restrict access, disallowing functions and keys that can disrupt device reliability and functionality.
 
3. Time-limited sessions can be a valuable asset in making sure that activity resets when a kiosk or device has been left mid-session. This feature is not available via GPO but can be configured with KioWare.
 
4. Disabling left and/or right mouse clicks can be of use with regard to select applications (right clicks for Adobe Reader or Flash, for example). GPO does not easily allow this restriction, though KioWare does.
 
5. Mailto: links are another place where users can sometimes gain access to information or functions to which they should not have access. Group Policy is not able to accommodate this restriction.
 
6. Administrators may inadvertently alter the GPO settings, allowing users access to information or programs that they are not authorized to view. If you have multiple tech support or administrative users for Windows machines throughout the organization, this issue becomes more likely and this potential security gap more significant. 
 
In addition to these basic self-service and/or lockdown requirements, GPO does not provide managers with remote monitoring or centrally controlled statistics like those presented by KioWare Server. KioWare’s remote monitoring solution provides managers, marketers, and tech teams with the information needed to improve the user experience, manage their devices, and deploy devices to the appropriate locations.
 
GPO relies heavily on both your level of knowledge and your ability to know exactly which areas to lock down to restrict users from inadvertent or deliberate unauthorized access. Kiosk software can eliminate the variables, taking away the chance that you will “miss” an important step to restrict access.
 
Additionally, kiosk software will lock down and restrict access to the OS, keyboard, external devices and/or unauthorized websites. The configuration file is also extremely easy to update and deploy across multiple devices. Unattended installation can assist with large-scale deployments, and XML file usage will allow configuration updates on all devices when the single XML file is updated.
 
All in all, GPO can be used to give users across an organization a level of restriction while still allowing wide access to the device applications. Kiosk software should be considered when lockdown is the paramount concern and browser-based applications are the primary function of the devices.
 
Some examples:

  • Single user access (GPO) vs. Multi user or Public Access (KioWare)
  • Public data (GPO) vs. Private Data, Healthcare Data, Financial Data (KioWare)
  • Limited Restrictions (GPO) vs. Secure Lockdown, Restricted Usage (KioWare)
 