This is a clever way that we came up with of providing a secure internet access terminal for use in public spaces. We did it in response to a request from one of our retail customers who wanted a way of providing secure access to the internet for staff and customers. This was the brief:
- Provide a cheap and secure internet access kiosk in each of their shops
- The browser should be configured to allow general internet browsing so that staff are able to show third-party on-line catalogues to their customers.
- Users should be able to print directly to an in-store printer for click-and-collect orders that they place from the on-line catalogues.
- User data and browsing history should not be stored on the kiosk.
- The kiosk should reset back to its default settings if there is no activity for a specified amount of time.
- Users should be restricted to using the internet browser only; they should not be able to access the desktop, operating system settings or file system.
Rejected kiosk solutions
Initially I looked at several commercial hardware and/or software solutions for this but found that they either did not meet the brief or were too expensive for the customer’s budget.
Next, I looked at using Internet Explorer in kiosk mode (to open IE in kiosk mode, press Win+R and then enter iexplore.exe -k <your URL>).
Internet Explorer’s kiosk mode opens the browser in full screen with no toolbars – the web page essentially takes up the entire screen. While it may be suitable for displaying a single web page, it does not meet the brief that we were given: there is no address bar, no navigation buttons, no tabs, or any other intuitive way of browsing between different web pages (users can open a new web page by pressing CTRL+O and print using CTRL+P, but most of them wouldn’t know that). Kiosk mode is also much too easy to break out of and get to the desktop – just press ALT+F4.
Google Chrome also offers a kiosk mode, but it suffers from the same limitations as Internet Explorer.
Our Kiosk Solution
The public kiosk solution that we finally came up with, and which met the client’s brief, is made up of an inexpensive micro-computer from Dell running Windows 8.1 with Bing, a touch-screen monitor, the Firefox web browser with an add-on called mkiosk, and a bit of hacking of the registry to lock it down. We have used Windows 8.1 in this case, but it should work equally well for Windows 7 and Windows 10. It is easy to set up, highly configurable and secure.
Setup of kiosk user account
Firstly, create a new local user account called kiosk (or whatever you like) and make it an administrator account for the initial setup. We will change it back to a standard user account later. Now log in with the kiosk user account. Once logged in:
You probably don’t want this computer going into hibernation or the screen turning off after a period of inactivity, so turn off all power saving options. Also ensure that the screen saver is not enabled.
Install and set up Firefox with mkiosk addon
When Firefox restarts it will look somewhat different and the mkiosk configuration window will automatically open. There are a number of different ways that you could configure mkiosk so have a look through all the options and set it up as it suits you best. Following is how I set it up for this particular client:
- In the Basic tab:
  - Tick the “Always start in full screen” checkbox.
  - In the “Home Page” text box, add the URL of the home page that you want to use. If you want multiple tabs to open then separate each page with the “|” symbol.
  - The “Reset Time Options” dictates how long the kiosk can be idle for before it resets itself. When it resets itself it closes any open pages and sessions and reverts back to the home page(s) that you have set above.
  - Disable the screen saver.
- In the Appearance tab:
  - Tick the “View address bar in full screen” checkbox to show the address bar to users.
  - Untick the “Read only, disabled” checkbox to allow users to change the URL.
  - Ensure that the “Show printer button” checkbox is ticked if you want your users to be able to print. If the “Direct” checkbox is ticked then any prints will be sent directly to the default printer.
- In the Security tab:
  - Tick the “Private Mode” checkbox. This will open all browsing sessions in private mode, preventing any user data or history being stored on the kiosk.
  - Tick the “Use Passwd” checkbox and enter a strong password into the “New Password” text box. This prevents users from shutting down or reconfiguring the browser unless they know the password.
- Now click OK and confirm the new password when prompted.
- Restart Firefox and your kiosk should look something like this:
Locking-down the kiosk
So far, this is looking pretty good and we have met the first five points of the customer’s brief with only the sixth (securing the computer) to complete. Before we get into that, let’s have a look at administering the kiosk interface.
- To change the mkiosk options, press F1
- To exit full screen mode and access the Firefox options and settings, press F11
- To close the browser, press F12 (or ALT-F4)
You will be prompted to enter the mkiosk security password that you set earlier before you can complete any of these functions. You will also note that the big red “X” at the top-right does not close the browser but simply resets it to default so, on the surface, it appears to be locked down. However, any user with a little technical savvy will be able to circumvent these basic security measures. Specifically:
- CTRL-ALT-DEL will give the user access to the task manager and the browser can be shut down from there. It also allows the user to lock the computer, switch user, sign out, change the password and shut the computer down.
- Moving the mouse to “hot corners” or swiping from the right edge when using a touch-screen monitor will bring up the Windows 8 charm bar. From the charm bar users can access the start screen and computer settings.
- Swiping from the left edge when using a touch screen monitor in Windows 8 will switch between applications.
Disabling CTRL-ALT-DEL options
Pressing CTRL-ALT-DEL gives any user of our kiosk the ability to access a number of security functions that we don’t want them using. This is your typical Windows security screen; I have added the red boxes to show all the security functions that we want to hide from the kiosk users.
If you are running Windows 8 Pro or higher, then you can achieve this relatively easily using the group policy editor. However, we are using Windows 8 with Bing in this instance, so the group policy editor is not available to us. Instead we are going to have to do it using registry settings.
Open a new document in notepad and paste in the following registry settings:
Windows Registry Editor Version 5.00
Save the file as DisableCAD.reg and then double click it to merge the settings into the registry.
Once this is done, press CTRL-ALT-DEL and your security screen should now look like this:
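The contents of DisableCAD.reg are not shown above, so the following is an added example and not the original file: a PowerShell script that sets and then verifies the standard Windows policy values that hide each CTRL-ALT-DEL option listed earlier. The value names are an assumption about what the file contained; the script must be run elevated while signed in as the kiosk user, during the stage where that account is still an administrator.

```powershell
# Added example. Value names are standard Windows policy settings (assumed, not from the page).
# Run elevated while signed in as the kiosk user, so HKCU: is that user's registry hive.
$SysU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ExpU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SysM = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$Lockdown = @(
    @{ Path = $SysU; Name = 'DisableTaskMgr';         Hides = 'Task Manager' }
    @{ Path = $SysU; Name = 'DisableLockWorkstation'; Hides = 'Lock' }
    @{ Path = $SysU; Name = 'DisableChangePassword';  Hides = 'Change a password' }
    @{ Path = $ExpU; Name = 'NoLogoff';               Hides = 'Sign out' }
    @{ Path = $ExpU; Name = 'NoClose';                Hides = 'Shut down' }
    @{ Path = $SysM; Name = 'HideFastUserSwitching';  Hides = 'Switch user' }  # machine-wide
)

function Set-KioskLockdown {
    foreach ($item in $Lockdown) {
        # Policy keys may not exist yet on a fresh profile.
        if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        New-ItemProperty -Path $item.Path -Name $item.Name -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-KioskLockdown {
    # Reads each value back so a failed or partial merge is visible.
    foreach ($item in $Lockdown) {
        $props = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Option   = $item.Hides
            Value    = $item.Name
            Enforced = ($null -ne $props -and $props.($item.Name) -eq 1)
        }
    }
}

Set-KioskLockdown
$report = Test-KioskLockdown
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Enforced }) {
    Write-Warning 'One or more CTRL-ALT-DEL options are still available to the kiosk user.'
}
```

Re-running `Test-KioskLockdown` after the kiosk account has been changed back to a standard user confirms the values survived the change.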
Disabling Charms bar and swipe gestures
Disabling some of the swipe gestures and hot corners is possible using registry settings, but there is no Windows setting for disabling the charms bar completely, and if you are using a touch screen monitor then users will always be able to access it by swiping from the right edge. The solution that we came up with was to write a small script that shuts down the entire Explorer shell and then opens the internet kiosk browser. Because all swipe gestures and hot corners are controlled by Explorer, none of them are available when the internet kiosk browser is running. When the browser is shut down the script will restart Explorer and return full functionality to the desktop.
This is a really neat solution with the added benefit of disabling all desktop functionality so that users cannot do anything besides use the browser as long as the browser is running – even if they somehow manage to minimise the browser, all they will see is a blank screen. The only way to restore the desktop is to shut down the browser, and that functionality is restricted by the mkiosk password that we set earlier.
So open a new document in notepad and paste the following commands into it:
REM Kill Explorer (this disables all desktop functionality)
taskkill /f /im explorer.exe
REM Start Firefox (the script waits here until Firefox is closed)
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
REM Restart Explorer
start explorer.exe
Save the file into your documents folder as kiosk.bat
The first command kills the Explorer task. The second command opens Firefox which has been configured as a browsing kiosk by using the mkiosk addon. The third command restarts Explorer. These commands will be run in the order they appear and each command will not run until the preceding one has completed running. Therefore, the third command (to start Explorer) will not trigger after Firefox has started, but only after it has been shut down because up until that point it is still running.
Anti-virus and content filtering
This is an optional, but highly recommended step. To ensure that users don’t access inappropriate or malicious websites or download malicious software, we installed AVG CloudCare anti-virus and content filtering.
Automating the start-up
The final stage is to configure the computer so that the internet kiosk browser runs automatically whenever the PC is started. To achieve this we need to set up the kiosk user account to log in automatically when the computer starts and the internet kiosk browser to run automatically when the kiosk user logs in.
Setting up the kiosk user account to sign-in automatically
To set the kiosk user to log in automatically, follow our How to enable and disable automatic logon in Windows tutorial
To set the internet kiosk browser to open automatically when the kiosk user logs in
Now we need to run the kiosk.bat file that we created earlier whenever the kiosk user logs in. This will automatically shut down the Explorer shell and start the Firefox kiosk.
- Open the Windows task scheduler by pressing WIN+R and running taskschd. Right-click Task Scheduler (local) in the left navigation menu and select Create Basic Task.
- In the Create Basic Task Wizard give your task an appropriate name. I have used Start Kiosk. Click Next
- In the Task Triggers window, select When I log on. Click Next
- In the Action window, select Start a program. Click Next
- In the Start a Program window, browse to the kiosk.bat file that we created earlier and select it. Click Next
- In the Summary window, tick the Open the Properties dialog for this task when I click Finish checkbox. Click Finish
- When the task properties window opens, under the Settings tab, remove the tick from the Stop the task if it runs longer than checkbox. This will prevent the task from being terminated if the kiosk computer is left turned on with the browser open. Click OK
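For rolling the same task out to several kiosks, the wizard steps above can be scripted. This is an added example, not part of the original tutorial; the location of kiosk.bat and the local account name kiosk are assumptions based on the names used here, and the script needs an elevated PowerShell session on Windows 8 or later.

```powershell
# Added example: scripted equivalent of the Create Basic Task steps, plus a read-back check.
# Assumed values: local account "kiosk" and kiosk.bat saved in that user's Documents folder.
$KioskUser  = "$env:COMPUTERNAME\kiosk"
$ScriptPath = 'C:\Users\kiosk\Documents\kiosk.bat'

function Register-KioskTask {
    param([string]$User, [string]$Script, [string]$TaskName = 'Start Kiosk')

    if (-not (Test-Path -LiteralPath $Script)) { throw "kiosk script not found: $Script" }

    # "Start a program": run the batch file through cmd.exe.
    $action = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$Script`""
    # "When I log on", limited to the kiosk account only.
    $trigger = New-ScheduledTaskTrigger -AtLogOn -User $User
    # Zero time limit = "Stop the task if it runs longer than" unticked.
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero)
    # Run in the user's interactive session without elevation.
    $principal = New-ScheduledTaskPrincipal -UserId $User -LogonType Interactive -RunLevel Limited

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Settings $settings -Principal $principal -Force | Out-Null
}

function Test-KioskTask {
    param([string]$TaskName = 'Start Kiosk')

    # Read the task back from the scheduler instead of trusting the registration call.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    [pscustomobject]@{
        RunsAs      = $task.Principal.UserId
        RunLevel    = $task.Principal.RunLevel
        NoTimeLimit = ($task.Settings.ExecutionTimeLimit -eq 'PT0S')
        Command     = "$($task.Actions[0].Execute) $($task.Actions[0].Arguments)"
    }
}

Register-KioskTask -User $KioskUser -Script $ScriptPath
Test-KioskTask | Format-List
```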
You can now test the solution. Restart the computer and it will automatically sign in using the kiosk user account. The desktop/start screen will initially appear, but after a few seconds the kiosk.bat file will trigger, the Explorer shell will shut down and you will briefly see a blank blue screen with nothing but the kiosk.bat command box in it. A few seconds later, Firefox will start and you will see your internet kiosk browser running in full screen mode.
To shut down the browser, press F12 and then enter the security password that you set for mkiosk. Firefox will shut down and you will briefly see the blank blue screen with the command box in it before the Explorer shell starts up again and your normal desktop is restored.
There are two steps to do before we are finished:
Firstly, I like to put a shortcut icon on the desktop and name it “Start Kiosk”. This shortcut points to your kiosk.bat file and provides users with an easy way to restart the browser if they have had to shut it down for any reason.
Secondly, you may remember that we originally set up the kiosk user as an administrator account and we want to switch it back to a standard user account. To do this, sign out of the kiosk account and sign in using your administrator account. You can’t sign out of the kiosk user account using CTRL-ALT-DEL because it has been disabled; instead you have to shut down the browser, as described above, to restore the desktop and then sign out from the start button. Once you have signed in with your administrator account, go to user manager in the control panel and change the kiosk user account type to Standard.
That’s it! If this tutorial has been useful to you then I would appreciate it if you would ‘like’ it using the social media buttons on this page. Please feel free to leave any comments and suggestions if you can think of any way of improving this solution.