Kiosk Hardening
OPSWAT recommends that the following additional setup is performed if MetaDefender Kiosk is deployed on a dedicated system.
Auto login
If MetaDefender Kiosk is being used on a dedicated system we recommend that the Windows system on the kiosk is configured to auto-login into the account with Administrator privileges that MetaDefender will run with. If the MetaDefender Kiosk system is part of a domain additional steps may be required to allow this.
User Access Control (UAC)
OPSWAT recommends that UAC is disabled on systems that are being used as dedicated MetaDefender Kiosks. If UAC is not disabled MetaDefender Kiosk's watchdog functionality may not work correctly.
There are two ways to completely disable UAC in Windows:
By editing the registry
Click Start and type "regedit.exe" to open the Registry Editor
Navigate to the registry key at HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System
Set EnableLUA to 0
Restart Windows
By adjusting Local Group Policy settings
Click Start and type "gpedit.msc" to open the Group Policy Editor
Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Right pane is populated with policies, locate the ones for User Access Control and set:
User Account Control: Only elevate executables that are signed and validated → Enabled
User Account Control: Switch to the secure desktop when prompting for elevation → Disabled
Restart Windows
Windows Update
Install all patches and updates available through Windows Update. Once all updates are installed, OPSWAT recommends that automatic updates are turned off to prevent system reboots.
Navigate to Start > Control Panel > Windows Update > Change settings
Select Never check for updates from the menu
Click Apply or OK and close the dialog box
If turning off automatic updates is not desired, you must configure a mechanism or process to restart MetaDefender Kiosk system. We recommend using standard organizational patch practices and tools.
Setting the screen saver and power saving options
Select the maximum performance power saving option.
Navigate to Start > Control Panel > Power Options
Click Change plan settings
Click Change advanced power settings
Select High Performance from the menu
Click OK
You should turn off the screensaver.
Navigate to Start > Control Panel > Personalization > Change screen saver
Select (None) from the menu
Click Apply or OK and close the dialog box
Disabling mouse cursor pointer
Note: This configuration is optional. Once these steps are taken, there will be no visible mouse pointer.
OPSWAT recommends that mouse cursor points are turned off after MetaDefender Kiosk has been configured.. If the system touchscreen configuration software does not have this feature, it can be done manually by following the steps below:
Navigate to Start > Control Panel > Mouse
Click the Pointers tab
Browse to C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\blank.cur
Customize each pointer type to the provided blank pointer, blank.cur
Click Apply and close the dialog box.
Disabling hotkeys
By default, the Kiosk will ignore any command that is a combination of Ctrl and another key.
The Ctrl + Alt + Del combination is disabled once you launch the Kiosk UI first time. When a user presses these keys, the following screen appears and it is expected.
if you want to disable completely where nothing happens, please follow 2.2. Disabling Windows Hot Keys.
Other system hardening configuration
MetaDefender Kiosk does the following system hardening when installed:
Disables auto-run on all plug-and-play media and drives
Captures and disables all Hotkey combinations such as Windows Key, Alt+Tab, etc...