• Shared Computer Toolkit Homepage
• FAQ zum Microsoft Shared Computer Toolkit

(Quelle s.o.)

A shared computer is one that is used by many different people—typically, this means a computer available for public or shared access, such as those found in schools, libraries, Internet and gaming cafes, and other public locations. Shared computers are also known as public access computers, Internet kiosks, lab computers, and instructional computers, depending on their purpose.

The Microsoft Shared Computer Toolkit for Windows XP is a new set of software tools and documentation that helps make it easy to set up, safeguard, and manage shared computers running Windows XP. Specifically, it helps restrict local user profiles, defend shared computers against unauthorized changes to the hard disk, and enhance the user experience. The Shared Computer Toolkit is an add-on to Windows XP and is available for download.

Customers have told us they would like it to be easier to set up and manage Windows XP on shared computers. They have also told us that shared computers are used heavily and get exposed to many threats that result in computer downtime. We want to make sure Windows XP is the easiest and most reliable operating system to use in shared computing environments. We also want to help ensure the privacy of students and others who use shared computers.

The Shared Computer Toolkit is designed for people who manage shared computers in school computer labs, public libraries, community technology centers, Internet cafes, or other public places. You do not need to be an IT professional to use the toolkit, and the toolkit does not require a server infrastructure.

The toolkit is free for computers that have genuine Windows XP software (software legally licensed from Microsoft). Genuine Windows software is confirmed by the Windows Genuine Advantage validation process.

Every year, millions of consumers and businesses are hurt by counterfeit software they have purchased unwittingly, and many companies that sell legitimate software have difficulty competing with the low prices offered by software pirates. Consumers, businesses, and resellers continually ask Microsoft for help mitigating the threat posed by pirates. Windows Genuine Advantage (WGA) is part the ongoing effort at Microsoft to combat piracy by educating customers, engineering products that address piracy-related issues, and enforcing anti-piracy policies and laws.

WGA enhances the value of genuine Windows software for Microsoft customers by differentiating it from counterfeit software, so that customers can enjoy greater security and reliability, faster access to updates, and richer Windows experiences. For more information about Windows Genuine Advantage, see the Genuine Microsoft Software site.

• Download the toolkit installer. This will automatically start a process that involves downloading an ActiveX control. The ActiveX control will validate the product key on the computer. If the computer passes, no further validation will be required.
• Download the toolkit installer on one computer, copy it to another, and then install the toolkit. When you run the installer on the second computer, you will be prompted to download the same ActiveX control to complete validation.

After a computer has been validated, you will not be required to do any additional validation checks unless you reinstall Windows and try to install and run the toolkit again.

The toolkit requires that you have Internet access to validate your copy of Windows. Internet access is only required temporarily for validation—you can remove it after validation has completed.

Yes.

Initially, the toolkit will only be available in English. We hope to make the toolkit available in other languages, but have not yet finalized plans to do so.

The toolkit makes shared computers more reliable because:

• Students or patrons are easily restricted from tampering with system settings and data or running unauthorized software.
• Spyware, viruses, and other unauthorized changes to the hard disk can be cleared every time the computer restarts.

The toolkit saves teachers, librarians, and system administrators time because:

• More reliable computers translate into less maintenance and support.
• Restarting computers undoes the negative effects of spyware and viruses.

The toolkit enhances the experience of students and other users because:

• Their privacy is protected by features that refresh user session information (such as Web history, passwords, and so on) each time a new user logs on.
• They see a simple, streamlined interface.

Windows Disk Protection keeps track of the changes that users or programs make to the Windows partition (typically the C drive), including changes made by viruses, spyware, or users who tamper with system files. When the computer restarts, changes are cleared and the hard disk returns to its original state. However, because some changes need to be saved permanently, Windows Disk Protection lets you schedule critical updates, antivirus updates, and other updates you want to save. Windows Disk Protection also gives you the flexibility to save other changes whenever you choose.

User Restrictions allow anyone to create restricted local user profiles without having to use such advanced utilities as Group Policy or the Registry Editor. With User Restrictions, you can:

• Create a custom desktop for different categories of users (for example, one for elementary school students, another for high school students, and another for teachers).
• Restrict students or patrons from accessing system resources such as Control Panel, the command prompt, or the Registry Editor.
• Prevent or allow access to any data drive on the computer.
• Prevent students or patrons from running unauthorized software—software that was not explicitly installed by the toolkit administrator in the Programs Files directory.
• Lock a user profile so the profile is refreshed each time a new student or patron logs on. Locked profiles refresh Internet history, passwords, desktop settings, and other personal information from one session to the next.
• Set session timers that force a student or patron to log off after a pre-determined period of time or after a specified amount of idle time.

Profile Manager allows you to create an account with a “persistent” user profile on the D drive if the C drive is protected by Windows Disk Protection. For example, a teacher who has a persistent user profile could save documents and not have them cleared by Windows Disk Protection. You can also delete the secured user profiles that you have locked with the User Restrictions tool.

Accessibility makes it possible for students or patrons to enable and disable all of the Windows Accessibility features in one easy-to-use interface. Such features include an on-screen keyboard, large fonts, high contrast screen, screen magnifier, and more. You can also create user profiles that have accessibility features enabled by default.

Command-Line tools allow you to accomplish advanced tasks. For example, you can:

• Configure a program, such as Microsoft Internet Explorer, to restart automatically when closed.
• Configure Windows to log on automatically with a specific account.
• Remove administrative accounts from the Windows Welcome screen.
• Disable accounts that should not be available.
• Configure the computer to sleep (to conserve energy) and then wake to perform critical updates.
• Automatically set up a demonstration computer to showcase the capabilities of the toolkit.

Handbook includes step-by-step instructions for properly configuring shared computers and additional guidance for making shared computers more secure.

The toolkit is an entry-level solution for managing shared computers.

The User Restrictions tool makes it easy for customers to restrict local user accounts, and it does not require any server infrastructure to use. The User Restrictions tool does not manage restrictions centrally.

In larger environments, Active Directory and Group Policy are preferred for centrally managing users, groups, and restrictions. The toolkit includes a Group Policy template to apply the same user settings and restrictions centrally that the User Restrictions tool provides for local user accounts.

Windows Disk Protection works well on stand-alone, workgroup, and domain computers.

The toolkit makes it easy to apply all of the settings and restrictions that are best for shared computers and shared accounts. It allows you to lock profiles (so they refresh with each logoff) making shared computers more private for your patrons and more resilient to tampering.

Additionally, the Windows Disk Protection tool clears all changes to the Windows partition with each restart, to help ensure that the results of tampering, malware, and spyware are not saved to disk.

Without the toolkit installed, users can make deliberate or accidental configuration changes, install software, or allow spyware and computer viruses to be installed—which can compromise the performance of a shared computer and the privacy of other users.

You can use the Windows Disk Protection tool to protect Windows files from being permanently modified during a user session. For example, if a user installs a program or allows the download of a virus, Windows Disk Protection can restore Windows to its previous state, preventing damage to the computer.

Support information for the Shared Computer Toolkit for Windows XP is available through the following resources:

• Shared Computer Toolkit Web site
• Known issues list on the Shared Computer Toolkit download page
• Shared Computer Toolkit Handbook, particularly Chapter 9, “Troubleshooting”
• Windows Shared Access Newsgroup—post free support queries and product questions
• Product Support Services (PSS) can be contacted for paid support, or if you already have a support agreement. Use the Shared Computer Toolkit Product ID when contacting PSS: 77695-100-0001260-04309.

The toolkit requires about 5 megabytes (MB) of space on the shared computer’s hard disk. In addition, the Windows Disk Protection tool requires you to configure at least 1 gigabyte (GB) or more on the hard disk as unallocated disk space.

Note: Unallocated disk space is not the same thing as unused or free space in an existing partition. The Shared Computer Toolkit Handbook contains guidance on creating the required unallocated disk space.

The toolkit requires Windows XP with Service Pack 2 (SP2) because it is the most secure version of the Windows XP operating system.

The toolkit requires that you have the User Profile Hive Cleanup Service installed and running and the computer must use the NTFS file system. To view or print the toolkit handbook, you must have Adobe Acrobat Reader 5.0 or later.

For more information about NTFS, see the Advantages of Using NTFS.

Microsoft recommends using Windows XP with Service Pack 2 on shared computers because of its significant security benefits.

The Shared Computer Toolkit does not work with earlier versions of Windows. The following companies sell products that provide similar capabilities (disk protection, user restrictions, software restrictions) that are important in shared access environments:

• Faronics: Deep Freeze for disk protection, WINSelect for user restrictions, and Anti Executable for software restrictions. Learn more about Faronics products.
• Fortres Grand: Clean Slate for disk protection and Fortres 101 for user and software restrictions. Learn more about Fortres Grand products.

Faronics and Fortres Grand also have enterprise versions of their disk protection products that can be centrally managed.

No, you don’t need Active Directory, or any server infrastructure, to use the toolkit. Stand alone, workgroup, and domain computers can all use the toolkit effectively.

For more information about using the tools with Active Directory, see the Shared Computer Toolkit in domain environments section in this FAQ.

Yes. The shared computers in the environment you manage can receive critical updates from Windows Update, Microsoft Update and Windows Server Update Services. The toolkit does not support the use of Software Update Services.

Although the toolkit is designed to secure and manage shared computers in public environments such as schools, libraries, and Internet cafes, there are certainly other possible uses for the tools including restricting a family computer or testing new software.

Although not the intended purpose of the toolkit, one exciting use for the tools is to restrict the actions of children on family computers.

On a family computer, the User Restrictions tool makes it easy to control the Windows features and programs a child can access. For example, you could:

• Prevent a child from using Internet Explorer or Windows Messenger.
• Prevent a child from changing their profile.
• Apply a session timer to a child’s computer use.
• Limit access to specific programs and prevent unauthorized programs from running.
• Restrict access to Windows management utilities.

You could use the Windows Disk Protection tool to ensure children can’t make permanent changes to Windows. Be careful using Windows Disk Protection on computers on which you want to save data permanently. Without careful planning, you might inadvertently clear documents, pictures, and other important files that you and your family want to keep.

You can use the Windows Disk Protection tool to help test software safely. When Windows Disk Protection is on and left in its default mode, the tool does not allow permanent changes to the Windows partition. When the computer restarts, changes (such as the installation of new programs) are cleared.

If Windows Disk Protection is on when you install a new program, any problems the program causes won’t become permanent. Of course, if you decide that you want to keep the program, you can use the tool to save changes. You can also retain changes temporarily for multiple computer restarts and then decide whether to clear or save the changes.

Yes. If the computer’s basic input/output system (BIOS) settings have not been correctly configured, any user can start the computer from CD, DVD, or USB media and bypass Windows XP and toolkit security.

The Shared Computer Toolkit Handbook includes a security checklist that describes important security setup and maintenance steps that are highly recommended for shared computers.

No. Windows XP safe mode requires knowledge of the administrator password to enable the user to log on. Unless the user has the administrator password, there is nothing the user can do to bypass security. Restricted administrators (a specially configured administrator account) are still subject to restrictions when in safe mode.

Yes. Microsoft recommends the use of antivirus or anti-spyware programs in addition to the protections provided by the toolkit.

Windows Disk Protection will detect McAfee VirusScan and Computer Associates eTrust and offer to update these products automatically.

Yes. The Getting Started tool and Welcome command-line tool allow you to hide accounts from the Welcome screen.

Yes. Microsoft recommends the use of a firewall, such as the Windows Firewall included in Service Pack 2, to protect your computers from any network attack.

Internet access can be controlled by third-party Web-filtering tools or through simple site filtering. For more information about simple site filtering, see the Shared Computer Toolkit Handbook.

Yes. Windows Disk Protection lets you schedule Microsoft Updates and other critical updates. For more information, see Chapter 6, “Windows Disk Protection,” in the Shared Computer Toolkit Handbook.

No. Windows Disk Protection only protects the Windows partition.

You can restrict access to programs, utilities, and elements of the Start menu and taskbar in Windows XP. You can also restrict what users can do with other programs such as Windows Explorer, Internet Explorer, and Microsoft Office.

Yes. You can restrict the Start menu and apply Software Restrictions to limit the programs which are allowed to run.

Yes. Each tool has a command-line counterpart that provides the same functionality. These command-line tools can be scripted to automate tasks.

Yes. You can use common disk imaging tools to image or clone computers that are using the toolkit. For more information about preparing a system for disk imaging, see Chapter 9, “Advanced Scenarios,” in the Shared Computer Toolkit Handbook.

Yes. The toolkit can be used to restrict users and provide disk protection on Windows XP-based computers that are members of an Active Directory domain.

Although the User Restrictions tool can be used to restrict local user accounts, Active Directory provides more powerful tools to restrict users and configure the computer. The toolkit includes a Group Policy template that you can use to implement user restrictions applied by the User Restrictions tool.

Yes. Windows Disk Protection can protect the Windows operating system partition of domain computers. For more information about this topic, see Chapter 10, “The Shared Computer Toolkit in Domain Environments,” in the Shared Computer Toolkit Handbook.

System Restore monitors any changes to a core set of system and program files to allow them to be restored at a later time in the case of problems. System Restore does not monitor personal user data (including files in My Documents, Favorites, Recycle Bin, Temporary Internet Files, History, and Temp folders), or image and graphics files, and some other types of files.

Windows Disk Protection, on the other hand, caches all changes made to any files on the Windows partition and clears them by default with each restart. This ensures that configured user profiles, third-party programs, and anything else on the disk is proactively protected from tampering or malware.

With System Restore, an administrator must manually revert the computer to a restore point in the event of tampering or a problem. With Windows Disk Protection, disk changes are cleared by default with each restart and the administrator must manually save the disk changes they want to keep. Windows Disk Protection offers better protection for shared computers with untrusted users and requires less effort to maintain the computer in a trustworthy state.

System Restore can continue to be used while Windows Disk Protection is on.