Introduction
This article contains general instructions for installing and configuring the Microsoft Shared Computer Toolkit (SCT) on a Windows XP computer to create a secure public access computer suitable for use in a library. For an introduction to what the SCT is and what it can do, please read An Overview of the Microsoft Computer Toolkit first.
These instructions assume the user has an intermediate-level knowledge of Windows and computer hardware. They are not an exhaustive, step-by-step set of instructions. A downloadable PDF version of this article is available here.
For more detail on any of the features described, please see the official Microsoft Shared Computer Toolkit Handbook, available here as a downloadable 1.18 MB PDF file.
Prerequisites for Using the SCT
- Windows XP Service Pack 2. The Shared Computer Toolkit can't be installed on Windows 2000, or Windows XP without SP2.
- You must agree to validate your copy of Windows using the Windows Genuine Advantage Validation Tool to download the toolkit.
- Windows Disk Protection requires unallocated hard disk space (blank space on the drive following a primary drive partition) equal to 1 GB or 10% of your system partition (i.e. your C:\ drive), whichever is larger. Since almost no computer will come configured this way, you will need to either reformat your hard drive or use disk partitioning software to create it. Without this unallocated space, you can still use the other features of the SCT.
- Your hard drive must be formatted using NTFS.
- You must install the toolkit from an administrative account.
Before Installing the Toolkit
Creating Unallocated Space on your hard drive
As mentioned, Windows Disk Protection requires unallocated hard disk space. If you wish to use this feature (and we highly recommend that you do), you should create the space before installing the Toolkit. There are several ways to create this unallocated space; we recommend one of these two.
- For those without access to a disk partitioning utility, reformatting the hard drive and reinstalling Windows XP is probably the easiest solution to this problem. It also has the added benefit of guaranteeing a fresh, clean Windows installation. To repartition your hard drive during the XP Setup routine, follow the instructions at http://support.microsoft.com/?kbid=313348.
- Use a third-party disk partitioning tool to create unallocated space on your hard drive. PartitionMagic and BootIt NG are two such tools. There are also several free, open source tools which allow you to resize an NTFS partition. Resizing Your Hard Drive Partitions Using Free Software describes how to use one of these free tools called QTParted.
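When you shrink an existing system partition, the 10% requirement applies to the partition you end up with, so the amount to free can be worked out before you open the partitioning tool. The sketch below is an added example, not part of the toolkit; it assumes sizes in MB, that "1 GB" means 1024 MB, that the rule is measured against the resized partition, and a hypothetical `headroom_mb` margin of free space to keep inside the partition.

```python
# Added planning sketch, not part of the toolkit. Sizes are in MB.
# Assumptions: "1 GB" means 1024 MB, and the 10% rule is measured against the
# system partition as it will be after the resize.
MIN_UNALLOCATED_MB = 1024


def required_unallocated_mb(system_partition_mb):
    """The page's rule: 1 GB or 10% of the system partition, whichever is larger."""
    ten_percent = -(-system_partition_mb // 10)  # ceiling division
    return max(MIN_UNALLOCATED_MB, ten_percent)


def check(partition_mb, unallocated_mb):
    """True when a layout already meets the Windows Disk Protection requirement."""
    return unallocated_mb >= required_unallocated_mb(partition_mb)


def plan_shrink(partition_mb, used_mb, unallocated_mb=0, headroom_mb=2048):
    """Return the smallest shrink (MB) that satisfies the rule, or None.

    headroom_mb is a hypothetical margin of free space to leave inside the
    resized partition for Windows and the applications patrons will use.
    """
    # Shrinking by x needs unallocated + x >= (partition - x) / 10,
    # which rearranges to 11x >= partition - 10 * unallocated.
    by_fraction = -(-(partition_mb - 10 * unallocated_mb) // 11)
    by_floor = MIN_UNALLOCATED_MB - unallocated_mb
    shrink = max(0, by_floor, by_fraction)
    if partition_mb - shrink < used_mb + headroom_mb:
        return None  # not enough free space would remain inside the partition
    return shrink


if __name__ == "__main__":
    # Constructed layouts: (partition size, used space, space already unallocated)
    for layout in [(76000, 20000, 0), (8000, 3000, 500), (8000, 7000, 0)]:
        print(layout, "-> shrink by", plan_shrink(*layout))
```

For large partitions the answer is one eleventh of the current size rather than one tenth, because the partition being measured gets smaller as space is freed.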
Installing the Toolkit
Installation is fairly straightforward. First go to the Microsoft SCT site at http://www.microsoft.com/windowsxp/sharedaccess/default.mspx and download the tool. Browse to the folder where you downloaded the SCT Installer (Shared_Computer_Toolkit_ENU.msi), and double-click this file. You'll be prompted to download and install the User Profile Hive Cleanup Service, a tool that prepares your computer for the SCT. Follow the instructions to install this service. You'll then need to close and restart the SCT installer. Proceed through the wizard and accept the defaults.
Getting Started Tool
Once the SCT is installed, the Getting Started tool appears. This tool will continue to load at login on the account where you have installed it until you uncheck the Show Getting Started at Startup option at the top of the screen.

Getting Started does a nice job of walking you through the necessary steps to set up computer and profile security. All the tools - including
Getting Started - can also be accessed by going to Start > All Programs > Microsoft Shared Computer Toolkit.
Computer Security Settings
Computer Security Settings prevent access to certain areas of the computer that might allow a patron to make modifications. The settings here apply to all user accounts except administrators, rather than to a single selected profile. These settings are fairly self-explanatory; choose the ones you think best fit your needs.

Creating and Locking Down a Public User Profile
Creating a locked-down public user profile with the SCT consists of four main steps:
- Create a public account to use for shared access.
- Log into that account and configure the public user profile.
- Log back into your administrative account and lock down the public user profile.
- Log back into the public user profile and test the security.
1. Create the public account
- In the Getting Started window, click on Step 3. Step 3 expands.
- Click on Open User Accounts. The User Accounts window opens.
- From here, create as many accounts as you need. Be sure to choose Limited as the account type.
- When all needed accounts are created, close the User Accounts window.
2. Configure the public account
Log off of the administrative account and log into your new public user account. In the public account, set up the profile environment you want, including, but not limited to, these tasks:
- Set the background and screen saver
- Add shortcuts for applications and web sites to the desktop
- Add any network printers and set default printer.
- Run all major programs (MS Office, Adobe Acrobat, Internet Explorer, games, etc.) at least once so that you can accept licensing agreements and configure initial settings.
Repeat the procedure for each public account. Once you've configured all public user profiles, log back onto the administrative
account.
3. Lock down the public account
Each public user account you create can be individually locked down using different restrictions to fit the different types of users they are intended for.
- In the Getting Started window, click on Step 5. Step 5 expands.
- Click on Open User Restrictions. The User Restrictions window opens.
- Click on Select a Profile and pick a public profile from the pop-up menu
- Choose the security settings for the profile that best suit your situation. See the User Restrictions section below for more details about specific settings.
- Repeat steps 3 & 4 for each public profile.
- Click OK.
4. Log in and test the public account
Log into each public user profile and make sure that the profile works the way you intended. Check to be sure that you can't get access to sensitive areas or administrative tools, such as the command prompt, the run command, or the folders on the C:\ drive. Also check to make sure that the programs that patrons will use are still functioning and accessible.
About User Restrictions
There are many choices to make on this screen. Below is a list of selected features with a description of what each does. Remember to click Apply or OK after you have made your choices.
General Settings
- Home Page: Sets the Internet Explorer home page for the profile. The setting here will override anything set from inside the profile.
- Proxy: You can set the proxy server for each profile. If you have a proxy server, this setting will probably be the same for every
profile. If you're not sure whether you have a proxy server, contact your network administrator.
- Session Timers: Set session timers for each profile. The timers force a user to log out a certain number of minutes after logging on, or after a specified amount of idle time. You can't control the session timers from a central computer or tie the timers into a PC reservation system. Simple timers such as these can be easily circumvented, because a patron can simply log back on when their session is over.
- Select Drives to Restrict: Choose to restrict user access to drives on your computer by drive letter. Most libraries choose to restrict all drives
except for the floppy drive (A:\), the CD drive and the USB drives (the letter of the CD and USB drives will vary by computer).

Note that restricting access to the C:\ drive will prevent Microsoft Office from saving to the desktop. Some libraries might prefer that the C:\ drive and other drives be hidden in My Computer and Windows Explorer rather than restricted altogether, so that patrons could still save to the desktop from Office programs.
- Lock this profile: Checking this option prevents public users from making permanent changes to the profile. Patrons can still make temporary
changes (e.g. moving desktop icons, or changing accessibility options), but those changes are erased at logoff.
- Restart at logoff: Forces the computer to completely restart when the profile is logged off. If you have Windows Disk Protection enabled, this ensures that all changes to the computer that were not prevented otherwise are erased when the session is finished.
This option may be most useful for libraries who do not wish to use the Lock this profile feature.
Recommended Restrictions for Shared Accounts
The Recommended Restrictions checkbox allows you to quickly apply a set of user restrictions recommended by Microsoft. Most of these are appropriate for public user profiles; however, there are a few restrictions that block access to features that patrons find useful. We recommend that you first check the Recommended Restrictions for Shared Accounts box, and then selectively uncheck any options that you don't want. Most of the options are self-explanatory, but here are a few settings that may have unintended consequences.
- Prevent access to some Windows Explorer features (such as Search) under General Windows XP Restrictions will remove the system tray from your public user profile, keeping patrons from accessing commonly used shortcuts such as
those to MSN Messenger and the volume control. If your library does not allow MSN Messenger, and doesn't want patrons changing the headphone volume, this may be a useful setting.

- Prevent access to some Internet Explorer toolbar buttons leaves only the back, forward, stop, refresh and home buttons in Internet Explorer. If you uncheck this option, the entire toolbar is visible. These are the only two options in SCT for the display of the
IE toolbar.
- Prevent right-click in Windows Explorer is the option that disallows right-clicking on the desktop.
Optional Restrictions
These restrictions are not enabled by checking the Recommended Restrictions check box, but some may be useful for particular situations. Again, most are self-explanatory, but here are a few to watch out for.
- Prevent programs from the All Users folder from appearing on the Start Menu - This can be very useful if you wish to limit what appears on the user's Start Menu, but just enabling it may disable items you wish to display. If you wish to use this restriction, you can copy items you
wish to retain from the All Users folder - C:\Documents and Settings\All Users\Start Menu - to the Start Menu folder located under the public user's profile folder.
- Prevent Internet access from Internet Explorer - located under Additional Internet Explorer Restrictions, not only blocks Internet access from IE, but also from any program
that relies on the Internet Explorer proxy settings. If you wish to replicate the child profile from the Gates Foundation
computers, use this setting.

- Prevent Windows Messenger and MSN Messenger from running - located under Additional Software Restrictions. Be aware that blocking access to the Messenger programs won't stop patrons from visiting web sites such as MSN Web Messenger and chatting from there.
Securing Your Hard Drive with Windows Disk Protection
Once everything else on the computer is installed, configured and updated, you are ready to turn on Windows Disk Protection (WDP). WDP creates a temporary working partition on your hard drive where all changes are written. When the computer restarts, the temporary partition and changes are deleted. Even used on its own, without enabling any of the other SCT features, WDP will prevent a user or outside threat from making permanent changes to the computer.
Unlike some disk protection tools, WDP is very flexible. Once you turn it on, there are four options for how it will work.
- Clear changes with each restart - the default option discards all changes each time you reboot your computer. This is the setting you will use most of the
time.
- Save changes with the next restart allows you to make a change to the system, then reboot once to both save the change and turn back on protected mode.
- Retain changes for one restart allows you to make a change to the system, restart the computer saving the changes, and then later restart the computer to
revert back to before the changes were made. This option is useful when you're testing a program that requires a reboot.
- Retain changes indefinitely is similar to the third option, except your changes are retained through as many restarts as you want, until you come back and choose Save changes with next restart to save the changes permanently, or Clear changes with each restart to erase the changes.
Critical Updates
With some disk protection tools, downloading and installing operating system patches and virus updates frequently require three restarts of the computer: once to turn the disk protection off, once after the updates are installed, and once to turn the disk protection back on. With Windows Disk Protection, you schedule a time to automatically update the operating system and your antivirus software. At the time you've chosen, Windows Disk Protection will force any users to log off, and then restart the computer so that all recent changes are erased. Once it's restarted, WDP will set itself to "Save changes with next restart," download critical updates, and run any scripts that you've specified. Finally, WDP will restart your computer again, setting itself back to "Clear changes with each restart."
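The four restart options and the scheduled update sequence are easier to reason about as a small state machine. The following is an added model written for this article, not Microsoft's implementation: the `ProtectedDisk` class, the `scheduled_update` function and the file names are hypothetical, and the disk is represented as a simple dictionary.

```python
# Added model of the four WDP restart modes; not Microsoft's implementation.
CLEAR = "Clear changes with each restart"
SAVE_NEXT = "Save changes with next restart"
RETAIN_ONE = "Retain changes for one restart"
RETAIN = "Retain changes indefinitely"


class ProtectedDisk:
    def __init__(self, base):
        self.base = dict(base)  # committed contents of the system partition
        self.overlay = {}       # temporary working partition holding all changes
        self.mode = CLEAR

    def write(self, path, data):
        self.overlay[path] = data  # nothing touches the base while protected

    def view(self):
        return {**self.base, **self.overlay}  # what the running system sees

    def restart(self):
        if self.mode == SAVE_NEXT:
            self.base.update(self.overlay)  # commit, then protect again
            self.overlay = {}
            self.mode = CLEAR
        elif self.mode == RETAIN_ONE:
            self.mode = CLEAR               # survive this restart, not the next
        elif self.mode == CLEAR:
            self.overlay = {}               # discard every change
        # RETAIN: keep the overlay until an administrator picks another mode


def scheduled_update(disk, updates, scripts=()):
    """Replay the Critical Updates sequence; assumes the default CLEAR mode."""
    disk.restart()                 # users logged off, session changes erased
    disk.mode = SAVE_NEXT
    for path, data in updates.items():
        disk.write(path, data)     # critical updates and antivirus definitions
    for script in scripts:
        script(disk)               # administrator-specified scripts
    disk.restart()                 # commits the updates, back to CLEAR
    return disk.mode


if __name__ == "__main__":
    pc = ProtectedDisk({"system/patchlevel": "old"})      # constructed contents
    pc.write("patron/download.exe", "untrusted")
    scheduled_update(pc, {"system/patchlevel": "new"})
    print(pc.mode, pc.view())
```

The first restart in the sequence is what keeps patron changes out of the saved image: only what is written after that restart is committed.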

The Accessibility Tool
When you install the SCT, you also install the Accessibility Tool. This tool is just a simplified version of the Accessibility applet in the Control Panel. The Accessibility Tool is placed at the top of the Start menu in all your profiles, and it allows patrons quick access to the major accessibility options (e.g. the Narrator, the Magnifier, StickyKeys, High Contrast, etc.). For more information, open the Accessibility tool and click on Help.

Copying your settings from computer to computer
The SCT is fairly complex, and it could take an hour or more to set up a single workstation, even after you've become familiar with the main features. This is especially true if you're creating several different profiles and using Windows Disk Protection. There is no import or export feature in the SCT, so for multiple computers, we advise using a disk copying utility (e.g. Symantec Ghost). For a list of free, open source disk copying tools, go to http://www.thefreecountry.com/utilities/backupandimage.shtml.
If you have a Windows domain, you won't need a disk copying tool. Instead you can put your public user profiles on a domain
controller. For more on this subject, see Chapter 10 of the SCT Handbook.
Other Resources
 This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.