Home > Basic > Access/Security

Access/Security

You can use the access options to intercept system-critical key combinations and suppress windows and dialog boxes, block access to CD-ROM drives and, in particular, adjust browser-related access settings.

Note:
When using the configuration view optimized for the kiosk content management system SiteCaster, this page will only show the required security settings.


1. Security settings
1.1 Lock workstation when removable disk is attached
As long as the ports of your computer remain accessible to the users of your terminals, your users may take advantage of this fact by inserting removable storage drives (such as USB sticks, ZIP drives, etc.). In doing so, they open up a security gap in SiteKiosk because they will be able to launch any tool or program that is stored on these media.

Enabling this option ensures that your workstation will be locked as soon as a removable storage drive is attached to or inserted into any of your machine's ports. The user will be notified about the lockup by a pop-up box. Please note that this rule does not apply to internal floppy drives.

Note:
Due to technical restrictions this feature will only work properly if shell replacement is enabled on systems with Windows 8 or higher.

1.2 Activate lock for CD-ROM drive(s)
You will find that in some cases blocking access to the CD-ROM door makes sense, for instance, if you want to protect CDs from theft or safeguard the drive itself against damage (e.g. caused by chewing gum). Once this option is on, the CD-ROM drive can no longer be opened by pressing the button on the drive as long as SiteKiosk is running. Some systems require that you reboot your computer after exiting SiteKiosk in order to be able to open your drive again.
1.3 Encrypt configuration
The SiteKiosk configuration can be encrypted using the Advanced Encryption Standard (AES). This is usually not required because the default security settings of SiteKiosk and the restricted SiteKiosk Windows user will be sufficient. Since the encryption is using the SiteKiosk license key, you will need a valid license key. Encrypted configuration files are only readable on computers where the same SiteKiosk license key is available.
1.4 Block system-critical key combinations
The most well-known key combination you can intercept by means of this function is CTRL-ALT-DEL. However, you may also want to block other key combinations when using a regular keyboard in combination with public-access computer systems. By default, SiteKiosk will already block the most critical key combinations. You also have the option of adding or blocking your own key combinations.

When installation is complete, the system must be restarted once to allow SiteKiosk to monitor keyboard input.

Note:
Make sure the key combination you picked for exiting SiteKiosk is not among the combinations you are blocking here.

If system-critical key combinations such as CTRL-ALT-DEL are not blocked successfully, this may be due to the USB keyboard you connected. Unless the keyboard is Microsoft compatible, intercepting key combinations will not work. Please use an MS-compatible USB keyboard or a regular PS2 keyboard.

The configuration tool allows you to easily add four custom key combinations, that should be blocked by SiteKiosk. By manually editing the SiteKiosk configuration file with an editor like Notepad you can add as many combinations as you like. By default a line for a key combination looks like this:

<custom enabled="false" scancode_0="0" scancode_1="0" scancode_2="0" scancode_3="0" />

enabled determines whether the key combination is blocked (true) or allowed (false). Every combination not listed is allowed (as long as it is not part of the standard combinations already blocked by SiteKiosk). Note that if you block a single key, every combination that contains that key is automatically blocked.

scancode_0 to scancode_3 are the scancode values of the single keys that make up a key combination, 1. modifier, 2. modifier, 3. modifier and final key. A value of 0 means that key is not used in a key combination. There are numerous web pages that list the scancodes of key (starting point can be for example http://en.wikipedia.org/wiki/Scancode). Please note that the web pages usually list the scancodes as hex values. They need to be converted to decimal values for usage in the SiteKiosk configuration file.

1.5 Block system-critical windows & dialog boxes
In addition to system-critical key combinations, SiteKiosk can also intercept windows & dialog boxes so that a SiteKiosk user will not be able to see them. The setting options are described in more detail here.



2. Browser security
2.1 Run Java & VB scripts
Specify if you want to allow scripting languages. You may want to turn this option on as you may otherwise prevent a great number of websites from working properly.
2.2 Allow Java applets
Java applets are stand-alone programs. There is a great number of websites that offer Java games and Java chats. You can usually leave this option turned on as well. SiteKiosk will only run applets that have previously been installed/allowed in Internet Explorer.

You should always use the most up-to-date Java Runtime Environment in order to ensure that Java applets are always properly displayed on websites. Log on to http://www.java.com/ to find the most recent version. Before installing the current JAVA version, uninstall any previous versions to make sure you prevent any overlap and clear the cache of your Internet Explorer manually as well (Attention: as this setting is user-specific, you should always set it for the user under which you plan on running SiteKiosk).

Please note that you may experience problems if the Microsoft Java VM (Virtual Machine) and the current Sun Java Runtime are installed. The Microsoft VM is commonly found on older Windows systems (including early versions of XP). You can find out if it is installed on your machine by checking Tools -> Internet Options -> Advanced. If installed, the Microsoft VM will have its own dedicated segment. Since Microsoft VM cannot be easily uninstalled using the control panel, Microsoft provides a small tool for this purpose (use at your own risk). You can download it here: http://www.sitekiosk.com/download/tools/uninstall_msjavavm.exe.
2.3 No script error messages
This option should stay turned on to prevent script errors that are displayed on web pages. Although no dialog box will appear, possible script errors will be displayed in Log files.
2.4 Disable Windows accessibility features
When you open the control panel in Windows, you will find accessibility options that are specially designed for handicapped people. These options can, however, create problems for Internet terminals. There is a test you can perform in order to find out if these accessibility features are available on your machine. Press the key combination ALT (left side of keyboard), Shift (left side of keyboard) and PRINT. If your display settings have changed, you can undo the change by pressing the same key combination again.

In order to prevent your users from being able to call up similar functions, you should leave this option turned on.
2.5 Load new ActiveX controls
This option allows you to block the option of loading new ActiveX controls that have not yet been installed on your computer.

Caution:
Do not turn this option on as automatic dialer programs, viruses, or hacker tools may otherwise be installed on your computer.
If your website makes use of an ActiveX control, load it in your regular Internet Explorer. This will allow the control to be installed on your computer. After this, you can also use the control in SiteKiosk. You may have to check the box ..always trust when downloading the ActiveX control to prevent it from being run only once.

2.6 Allow insecure ActiveX controls
There are ActiveX controls that may be harmful when used on a kiosk system. These controls are managed in the file UnsafeActiveXCtrls.xml in the XML subdirectory of SiteKiosk.

By default these controls are allowed because they are used on several well known websites (e.g. the webmail pages of T-Online). If you want maximum security for your kiosk system you should untick this option.

Note that this option is not related to the default handling of insecure ActiveX controls. These are user specific settings of the IE and they are applied under SiteKiosk as wel,l as long as a specific control is not handled by this option.

Whenever the activation of an unsecure ActiveX control has been prevented, SiteKiosk will add a notification log entry to the Log files.
 
To change the behaviour for individual controls, expert users can edit the file UnsafeActiveXCtrls.xml located in the XML subdirectory of SiteKiosk and delete or add (if you want to permanently block additional controls) some control CLSIDs. Note that these adjustments are made at your own risk and not necessary to run SiteKiosk.
For example, the following entry will prevent the VBScript printer controls from being displayed:

<control clsid='8856F961-340A-11D0-A96B-00C04FD705A2'/>
< !-- WebBrowser -->
2.7 Display PDF toolbar
By default SiteKiosk hides the PDF toolbar when displaying PDF documents. Use this option to activate the PDF toolbar.

Note that this feature requires at least Acrobat Reader 10.
2.8 Run SiteKiosk with lower privileges
This option is enabled by default in Vista/Win7/Win8 to meet Windows Vista/7/8 requirements and, therefore, not shown. However, this option will be shown in Vista/Win7 if UAC (User Access Control) was disabled. Note: Win8 does not allow to completely deactivate UAC.

Activating this check box will restrict the user rights of the SiteKiosk process to increase the security of the terminal. This does not apply to the already limited SiteKiosk user, but any other Windows user under which the SiteKiosk process is started.

Note that this does not generally strip the Windows user of some of its rights, but affects only the SiteKiosk process started under Windows and processes started by it. For example, even a user with administrator rights will need to authenticate again if trying to open an application that explicitly requires administrator access, e.g. the SiteKiosk configuration when started from the Escape menu.

2.9 IE content advisor
SiteKiosk will generally adopt the settings of Internet Explorer. The button will load a settings dialog box that deals with topics like the Security/Privacy/Content/Connection, etc. of IE. Consult IE's help file for more information on the respective settings.

Please note that most settings are user-specific and, therefore, should be defined explicitly in IE for the user under which SiteKiosk is supposed to be run (if changes are necessary at all).



3. URLs with SiteKiosk Object Model permission
For security reasons, the powerful SiteKiosk Object Model will only work in the paths/URLs specified here.

This ensures that the SiteKiosk Object Model cannot be used by just any third party. This means that a hacker will not be able to execute any SiteKiosk script functions simply by using an HTML page she created and stored on the Web.

For instance, if you store web pages containing SiteKiosk Model script elements on the Web and want to use them in SiteKiosk, you must specify the paths/URLs to these elements here as will otherwise be shown an error message that reads "Unauthorized Function Call."

If using local HTML pages (file://), you can also set %SiteKioskPath% as a variable for your SiteKiosk installation directory (instead of, for instance, c:/program files/sitekiosk).




4. Tips and recommendations
  1. Do not turn on the option "Load new ActiveX controls" unless absolutely necessary for your project. You will find that there is usually no reason to enable this option.

See also

Password
Start Page & Browser
Surfing Area
Screensaver & 2nd Monitor
Logout
Applications
Print
Email
Files & Downloads
Input Devices
Maintenance
Logfiles


Back to top