Windows SteadyState
March 13, 2008 – 5:06 AM
A couple of years ago Microsoft released the Shared Computer Toolkit, a free set of tools to help administrators manage PCs used by multiple users, especially in order to create safe configurations that would undo any changes made by careless or malicious users.
Now they have released the next generation of those tools, Windows SteadyState. SteadyState appears, from the documentation, to support only Windows XP Service Pack 2.
Families, libraries, classrooms, Internet cafes: lots of people need to let users share computers. Inevitably, someone will do something unpleasant to the computer, like make the system font tiny, install shell extensions that make it unstable, or set up a password-protected screen saver (and not tell anyone the password). SteadyState helps you to limit the damage that users can do, and to undo the damage they manage to do.
If you’re already set and happy with the Shared Computer Toolkit, why should you change to SteadyState? Here’s what’s new:
- A new consolidated user console.
- No need to set up partitions for Windows Disk Protection; it’s file-based. (Of course, you’ve already set up the partitions, so this doesn’t help you.)
- Windows Disk Protection (which protects against permanent configuration changes by users) now supports group policy in case you’re in a Windows domain.
- More software restriction options.
- More user restriction options, including significantly greater control over Internet Explorer.
- Easier security customization with better defaults.
- Easier setup and documentation.
The new version has relatively hefty disk requirements. Windows Disk Protection needs at least 4GB of free disk space on the system partition.
The Shared Computer Toolkit had special provision for anti-virus software; after all, you don’t want to undo virus definition updates when you restore system state. SteadyState does too, and the good options are limited: Computer Associates eTrust 7.0, McAfee VirusScan and TrendMicro 7.0 are directly supported. Other AV programs are supported, but you have to write a script to schedule updates for them. This appears to be a matter of finding the right command line for your anti-virus tool for performing the update. Scheduling that command appears easy to do based on the SteadyState docs.
SteadyState is not meant to be bulletproof security. A determined user can overwrite it, for instance by booting another operating system from the CD drive. It tries instead to protect against casual screwups by users and to be as easy as possible to administer.