locked
Pre-Installation Setup Concerns in XP SP3 RRS feed

  • Question

  • I'm exploring the use of Windows SteadyState v.2.5 in a shared-use environment. We're using Windows XP Home computers on a small network. (BIG mistake! Home Edition was selected for its entertainment features. But, I wish they'd have gotten Pro for its flexibility and ease of Administration.) I'm trying to see whether SteadyState's Computer Restrictions feature will enable me to implement some type of Group Policies that Home Edition doesn't have natively.

    I've been a Hyper Technologies (Faronics) Deep Freeze user for years. And, I'm comparing the features and ease of use between SteadyState and Deep Freeze, before deploying one of them on our network. However, I've read the FAQs and browsed the Handbook, and I still have several questions.

    Thanks in advance for any assistance you can provide!
    - Cool Groove




    QUESTIONS :

    1. Can SteadyState selectively lock down specific user accounts and not others on the system drive? I only want to restrict the Limited account users and not the Local Administrators. If so, how do I accomplish this?

    [Note: I installed SteadyState briefly to see what the GUI looks like, and uninstalled it without making any changes or saving any setups. I noticed when clicking around in it (before removing it) that the only user accounts it inherited upon installation were the Limited Accounts. The Local Administrator account (which I was logged in with) wasn't included, nor was the System Administrator account. Is this by design? And, do you have to manually add additional users, or was there a problem with the install?]


    2. If user profile folders (particularly My Documents) are saved to a non-System drive to preserve the users' documents and files, is the non-System drive subject to NTFS security restrictions? If not, what's the best way to secure other users' profile folders from prying eyes using SteadyState? (I recently discovered that an Adobe photo application bypasses standard NTFS profile restrictions and performs routine searches in all user accounts for photos, etc.!)


    3. Can SteadyState lock down a user's settings on the system drive, while storing their My Documents folder on a non-System drive? If so, what is the best way to do this for the maximum security?


    4. I see in the Quick Start DEMO that after SteadyState is installed, a new User Account must be created. I assume this is because SteadyState maintains its global settings in a User Account template, similar to the way .NET creates a user account. Is a Profile also created for this account? If so, what's the difference between the SteadyState profile and a customized Default Users profile? And, if the Default User profile has already been customized the way I like it, can it be copied or substituted for the new SteadyState profile?


    5. Is the new SteadyState account (and its profile) hidden? If not, is there a way to hide it from all users except the System Administrator?


    6. I notice that SteadyState can selectively hide such items as the Control Panel and My Computer from the Start Menu. However, this can also be accomplished in other ways, such as using the "Start Menu|Properties|Customize..|Advanced" tab. The problem with using Properties to hide certain functions is that even though the selected links are hidden on the Start Menu (e.g., Control Panel), they're still visible (in the left-hand pane, or the Menu Bar) of Windows Explorer. Does SteadyState do a better job of completely hiding all access to such links that have been selected for removal from some profiles? If not, is there a better way to accomplish this task so that nobody but the System Administrator can access them? I only want Limited users to be able to access their own Profile folder, and the external (flobby and USB) drives.


    7.
    Finally, I understand that System Restore must be disabled when using SteadyState's Disk Protection. However, is it possible to continue using System Restore and disable Disk Protection instead, while still using the other features of SteadyState?

    Monday, June 15, 2009 6:41 PM

Answers

  • Thanks for the update.

     

    1a. Yes. Except administrator and guest, SteadyState can restrict local users including the users with administrator privilege.

     

    1b. No. It's easier way to create a shared account and then setup restrictions in SteadyState at once.

     

    2. Usually, we use external USB device to save personal folders or files if you want to lock those profiles.

     

    4a. Of course, this is optional. You can select existing local users and restrict them.

     

    4b. Yes and they are not hidden.

     

    4c. In Windows SteadyState UI, we can only export/import existing user profiles. Since default user profile does not show in User Settings, we cannot import or export it.

     

    5. Yes, however, it requires to hide drive C (system partition).

     

    6. In Windows SteadyState, it cannot hide certain path, it only helps hiding certain partition.

     

    7. Because WDP is a very helpful tool in libraries, internet café and schools. Personally, I'll select WDP instead of System Restore on shared computers.

    Meanwhile, I also suggest you install and try Windows SteadyState on a computer so that you may have deep understanding on how to utilize this tool.

    Thank you for your time.


    Sean Zhu - MSFT
    • Marked as answer by Sean Zhu - Tuesday, June 23, 2009 8:08 AM
    Thursday, June 18, 2009 7:23 AM

All replies

  • Hi Cool Groove, thanks for the post. To answer your questions:

     

    1.       Windows SteadyState can lock down local users under "User Settings". However, it does not detect domain accounts so we cannot use Windows SteadyState UI to restrict non-local accounts. Also, built-in administrator and guest account do not include in SteadyState for security purpose. You can add accounts both in the system or Windows SteadyState to setup shared users.

     

    2.       You can redirect profile folders to non-system partition and lock them. For detailed steps, please check Windows SteadyState handbook on page 46 and page 22. You can download it via the following link:  

     

    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f829bb8b-c7a9-426b-a7a4-2b504a6238d2

     

    3.       You can refer to #2.

    4.       It does not require to create a new User Account after installing the latest version of Windows SteadyState.

    5.       If you want to restrict user from navigating system partition/deleting system files, you can either enable Windows Disk Protection or hide partition in SteadyState UI.

    6.       I consider the better way is to enable Windows Disk Protection so that those changes will not be retained.

    7.       Yes. If you do not want to use WDP, System Restore can be enabled. However, we still recommend you using WDP.

     

    Hope this helps!


    Sean Zhu - MSFT
    Wednesday, June 17, 2009 8:23 AM
  • HEY Sean -

    Thanks for your timely and succinct response! It answers most of my questions. However, I have a few follow-up concerns, if you don't mind.


    REGARDING :

    1a.  To be clear, are you saying SteadyState can selectively lock down some local users and not others? And,

    1b.  Is there a difference in the local user accounts (e.g., features, how they function, etc.) related to whether or not the account was added through the system or through SteadyState?

    2.   Thanks for the link to the SteadyState User Manual! On page 23 I read, "Note: If a user profile is locked, Windows Disk Protection restores the profile to its default configuration regardless of whether the locked profile is saved to the protected system partition or on another drive. " This note seems to refute your statement that My Documents (and other select folders) if redirected to a non-system partition can be permanently stored without being deleted on reboot (assuming WDP is enabled). As I stated, I need to lock the local users' profile while allowing them to change and save their My Documents folder and other personal files without clearing them out on reboot. In view of this statement in the Manual, why do you suggest that I use Disk Protection rather than System Restore (see your response #7)? Am I misunderstanding something here?

    3.   (see #2, above)

    4a.  Regarding the new User Account upon initial SteadyState setup [see http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx; click the Demonstration tab; click the Demos tab on the pop-up window; click the SteadyState Quick Setup link, and scroll to :29 seconds.], are you saying that this new User Account is optional?

    4b.  What exactly is this "new SteadyState account" for? What does it do?

    4c.  If this new account is truly optional, is there a related User Profile that's created automatically that coincides with it? If so, is that profile hidden?

    4c.  Can a (Default) User Profile that's previously been approved for shared use be imported into SteadyState to save time and improve accuracy in creating a shared SteadyState profile?

    5.   So you're saying I can hide the SteadyState account/profile (if I have one) without it having a negative impact on the use or function of SteadyState?

    6.   I think that's a potential security hole, in that not only do I not want any possible changes to be retained (which DP would fix), but I also have files or folders that I don't even want users to see, much less edit or change, even if it'll be returned to its previous state. Instead, I prefer to completely restrict the user's ability to browse/navigate certain areas of the disk.

    7.   Why do you prefer WDP over System Restore?



    Thanks for answering these additional questions, and for clarifying for me the best way to use SteadyState in my network!
    -Robert
    Thursday, June 18, 2009 2:57 AM
  • Thanks for the update.

     

    1a. Yes. Except administrator and guest, SteadyState can restrict local users including the users with administrator privilege.

     

    1b. No. It's easier way to create a shared account and then setup restrictions in SteadyState at once.

     

    2. Usually, we use external USB device to save personal folders or files if you want to lock those profiles.

     

    4a. Of course, this is optional. You can select existing local users and restrict them.

     

    4b. Yes and they are not hidden.

     

    4c. In Windows SteadyState UI, we can only export/import existing user profiles. Since default user profile does not show in User Settings, we cannot import or export it.

     

    5. Yes, however, it requires to hide drive C (system partition).

     

    6. In Windows SteadyState, it cannot hide certain path, it only helps hiding certain partition.

     

    7. Because WDP is a very helpful tool in libraries, internet café and schools. Personally, I'll select WDP instead of System Restore on shared computers.

    Meanwhile, I also suggest you install and try Windows SteadyState on a computer so that you may have deep understanding on how to utilize this tool.

    Thank you for your time.


    Sean Zhu - MSFT
    • Marked as answer by Sean Zhu - Tuesday, June 23, 2009 8:08 AM
    Thursday, June 18, 2009 7:23 AM
  • Sean -

    You've been great ! Your answers are giving me a much clearer picture of what I can expect if I deploy SteadyState. Unfortunately, I have a limited time frame and resource crunch that prohibits me from using a "sandbox" approach to testing the application. I'm depending on this dialog with you to get me up to speed on what the application can and can't do. We'll take our chances from there. (I know, not the best way of doing things!) If you don't mind, I have a few more questions and then I think I'm done.


    FOLLOW-UP REGARDING :

    2.    Am I understanding you correctly that using a removeable drive that can be disconnected prior to reboot is the only way to "permanently" store personal files/folders on a non-system drive if WDP is enabled? External USB devices (flash drives) are not available in this instance. And, the personal files/folders are not to be removed from the computer.

    2i.   What if we enable SteadyState but not WDP. Can SteadyState lock down non-System partitions as well, without clearing them as with WDP?

    2ii.  If I relocate personal folders such as My Documents to a non-System drive, do NTFS privacy restrictions still apply to the non-System partition (i.e., can one user browse another's My Documents folder relocated to the non-System partition)?

    [Note: sorry for my misnumbering of the sub-parts of Question 4. I accidentally listed two Question 4c's, instead of 4c. and 4d.  And, you didn't answer my question 4b. I think your answer 4b. was really an answer to my first question 4c.]

    4b.  I'm confused about the purpose of the (optional) SteadyState account. You recommend in your answer to 1b. that use of an (optional) new SteadyState account simplifies the process of adding new users and restricting their privileges, as opposed to using both System User Accounts and SteadyState to accomplish the same thing. Is that the only (or the primary ) purpose for creating a SteadyState account? My interpretation from reading the Manual is that the SteadyState account facilitates making global user restrictions, similar to Group Policies. And, I assume multiple SteadyState accounts can be created to provide additional group configurations. Is that correct? Please clarify the purpose for and use of the SteadyState account.

    4bi. In your answer 4b., am I correct in understanding that a SteadyState profile is not hidden from other users by NTFS privacy restrictions the way System profiles are hidden from other users?

    4ci.  In your answer 4c., is it possible to import a previously "restricted" user profile into SteadyState? If so, how? I asked about importing the Default User profile because we're using XP Home OS which doesn't allow Group Policies. I'm trying to create a restricted user profile and use it as a template (similar to the way Default User can be customized) to automatically apply the appropriate restrictions to new users. Can this be done in SteadyState, and if so how?

    4cii.  Is there a need or use for Default User when using SteadyState if new users are added through SteadyState instead of System User Accounts?

    5-6.  I don't want to hide the entire System drive, only certain folders. Can you recommend a better way of hiding specific folders and paths on the System drive while enabling others to still be navigable?


    Thanks again! You're giving me a pretty good handle on what this utility can and can't do. I think I'll be ready to test it once I read your answers to these questions.

    -Robert
    Thursday, June 18, 2009 4:43 PM
  • Hi Robert, I'd like to answer your questions above.

    2. You can also save your data to a separate partition with permission.

     

    2i.  Windows SteadyState does not lock down non-system partition.

    2ii. Yes, you can use NTFS on non-system partition so that users can access his/her own documents.

     

    4b. Yes. You are correct.

    4bi. Yes.

     

    4ci. Yes. Like Sean said, I also recommend you install Windows SteadyState on a test machine or virtual PC. This is easy to accomplish by clicking the "Import User" on Windows SteadyState main UI.

     

    4cii. Yes.

     

    5-6. In Windows SteadyState restrictions, it only provides way to hide system partitions other than certain folders.

     

    Also, in the future, I suggest you post one question per post so that our forum users can get clear idea on each issue/question. Thank you.

    Monday, June 22, 2009 9:12 AM
  • Hi 2759 -

    Not sure what happened to Sean, but thanks for taking over and answering my questions. We're a small operation. And, in case I wasn't clear, there are a variety of reasons why we're unable to implement a sandbox or test system for trying SteadyState in a safe or secure environment. The Manual does a good job of explaining "how" to setup and implement SteadyState. But, it doesn't do much for explaining "why" you should use SteadyState and in what instances is it good or bad, based on what you're trying to accomplish and in what environment, which are the questions I've asked.

    Sorry if I've asked too many questions! All my questions were based on trying to gain a more thorough understanding of the software's use in a security situation that is not specifically addressed in the Manual. Seeing how I had to wait 4 days for this last response, and the number of qustions I've had, I can't imagine how long it would have taken me to ask each of them individually, especially since they're all related. I don't think they're so disparate that your users will get confused. Plus, the title is all inclusive. And, I've noticed that some online experts get a bit testy or downright insulting if I ask for more details or explicit explanations than what they initially provide. So again, thanks for answering all my questions!

    One final thought which arose after reading your response. You said "Yes" to my Question 4cii. But, you didn't say what that use or reason for still using a Default User profile would be in a SteadyState environment where new user accounts can also be added. Would you please explain the rationale or difference for using both methods?

    -Robert
    Wednesday, June 24, 2009 12:49 AM