Support Request: System Security lockdown issue

Description

Hello,
we are using fully automated Sitekiosk setup - silent installation, silent autologin and then we need to lock the machine with the SystemSecurity tool, also silently.
We need to be able to use browser and be able to open Word application, but user cannot be able to anything on the C:\ drive, only on removable USB sticks.
However, if we apply the System security settings to hide the System drive and lock down some folders with the read rights only, it does not work - there is no error message, we still see and are able to use the C:\ drive and we get only partial lock (cant open explorer.exe etc).
We are not signing in with the local Sitekiosk account, but using domain service account, which is also admin on the machine.

This we use for the installation:
SiteKiosk.msi /qn ALLUSERS=1 REBOOT=ReallySuppress INSTALLDIR="C:\SiteKiosk" INSTALLSYSTEMSECURITY=1 DOWNLOADVNC=1 DEFAULTPASSWD=XXX

Autologon setup:
SKStartup.exe /i {SystemDrive}\SiteKiosk\Config\startup.xml /l "LICENCE" /s LICENCE

System Security patch:
We edit the swconfig.xml like we want (only to hide C:\ drive and set permissions on the folders), copy it to the Kiosk\SystemSecurity folder and call:
SystemSecurity.exe /applydefault /user:DOMAIN_ACC /pass:DOMAIN_PSWD /domain:DOMAIN

The kiosk autologon works fine, there is really just issue with the fact that the System Security does not get applied (or only partially).

Do you might know what would be the reason for this? The configs are attached.
As this is really urgent, we would prefer to arrange a meeting where we could discuss this further.
Thank you

Answer: (1)

Re: System Security lockdown issue 7/1/2019 9:10 AM
Hello,

Theses settings apply to the corresponding Windows user account settings you run SiteKiosk within (e.g. NTFS access rights).
>>>We are not signing in with the local SiteKiosk account, but using domain service account, which is also admin on the machine.<<<
The System-Security-Manager is just to lock down the local SiteKiosk user account.

With using parameters (see systemsecurity.exe /?) you can also apply the settings to a domain account but note:
Generally this applies to the domain settings and domain settings even can / will overwrite any settings done with the System-Security-Manager.
The advised way is using the local SiteKiosk user account or restricting the domain account you want to use with SiteKiosk accordingly with using domain policies.

Regards,
Michael Olbrich

P.S. Please also note that there is no free support for creating custom installation scripts.
But you can find a general article: http://devblog.provisio.com/post/2013/05/17/Creating-an-Automated-SiteKiosk-Installation.aspx

If you need further assistance in creating individual coding solutions you can contact us via e-mail that we may find a solution against payment for your needs.
https://www.provisio.com/web/uk/company/contact
The adjustment fees are depending on the complexity of the changes and in general it costs 120 Euro per hour.
My Account
Login
Language (Tickets):