Before installation

What should be considered before the installation:

 

If that Shared Computers Toolkit (the predecessor of Windows Steady State) is installed,
this must be uninstalled beforehand.
The hard disks (but in any case the system disk) should be defragmented.
A system restore point should be set.
The users to be managed should already be set up.

Now that we have created the best prerequisites for success, we log on to the computer as an administrator, download the Microsoft installation package and install it.

The program is available here:

 

Download details: SteadyState

And that 66! manual (unfortunately only available in English):

 

Download details: Windows Steady State Handbook

(An internet connection and operating system validation are required for installation, as this program is only available for original XP users

 

 

The first start

For demonstration purposes I simply created a user account called Internet, this is displayed (like all other restricted user accounts) on the right-hand side when SteadyState is started for the first time. We just click away the display of the "Getting started" tips. (that's why there's this tip ;-)

 

The user settings

After clicking on the user account to be managed, the settings window for this user is displayed:

 

 

What exactly do you set here:

 

1. This prevents any changes that the user makes to the system (if you allow this later) from being applied when the system is shut down.
2. Here you can set a maximum usage time for the user per login or set a specification after which the user should be logged out without interaction (very practical for setting a time limit for your children on the computer)
3. Here you can restart the computer when the user is logged out (and thereby discard all changes to the system)
4. These are the same settings that can be found in XP under user accounts:
   - Change Password
   - Change user picture
   - Delete user

So, now to the next page:

And now there is some adjustment work to be done again:

 

1. There are four prefabricated security levels available (they should actually be self-explanatory) but you can also allow (without a tick) or prohibit (with a tick) each individual start menu entry. If you go to High Restrictions, the user will only see the following in the start menu: log out user and programs ( Autostart, accessories, Internet Explorer and media player)
   NOTHING MORE !!
   If you scroll down a bit you will see the sub-item "General Restrictions", which can be used to influence the behavior of Windows components, so that the hidden start menu entries (e.g. Run) cannot be accessed by calling them directly. You can also set here, for example, whether programs that are not in the Windows or Programs folder are at all can be executed, so no more password crackers or snooping tools!! (but more on that later)
   Since that is exactly what I want for my "Internet" user account, I leave it that way.
2. Here you can set all drives that the user should not see (i.e. cannot change anything on them).

And now to the next page:

Under Feature Restrictions you can set the behavior of Internet Explorer and a few details of MS Office.

 

1. Here you can, for example, block internet access completely (except for the homepages shared below) or prevent the execution of VBA scripts and macros in Office (more on this later)
2. Here you can enter a home page for each user (i.e. a different one can be set for each user!)
3. Here you can share individual websites if you have restricted internet access (also a very good function if children are allowed to use the computer)

So and finally the last page of the user settings:

 

And what do we see there? It is actually possible to forbid every single program that is installed on the computer!
Some programs that have already been found are listed here by default, but the "Browse" button can be used to block any exe file on the computer.

 

The general settings

Now let's take a closer look at the general settings:
On the start page of SteadyState we see three setting items in the middle

 

1. Set computer restrictions
   (general rules can be specified here)
2. Schedule software updates
   (here you can allow and set Windows and security program updates)
3. Protect the hard disk
   (here you set the hard disk protection for the system partition)

 

 

Let's take a closer look at them:
Under 1. we find the following:

The first 3 points concern the "privacy" of the computer:

 

The first point regulates whether the last logged in user is displayed in the login screen (i.e. the classic user login). (so no more guessing passwords based on the username)

 

The second point regulates whether users who do not yet have a folder under "Documents and Settings" are allowed to log on to the computer (i.e. no longer able to access the computer with a borrowed laptop via a known domain user profile)

 

The third point is there to set whether copies of a network user profile should be saved on the computer (i.e. no reading out the passwords or copying files from borrowed laptops)

 

What can be set in the Security Settings area:

 

1. Remove the administrator username from the welcome screen. (The administrator can only log in if the password AND user name are known, and then only by pressing Ctrl+Alt+Del twice)
2. Remove the "Shutdown" option from the welcome screen. (So ​​there is no way to shut down the computer and restart it without logging in, except with a hardware reset. You should also set the BIOS securely, so only boot from the hard drive and assign a BIOS password)
3. Prevent the storage of user names and passwords in the old LMhash format (so no more insecurely stored passwords that can be read with Ophcrack)
4. Prevent saving Windows Live ID user data. (The Windows Live ID is used, for example, to log in to the new MS Messenger)
5. Prevent users from being able to create files and folders on the C: drive (this setting is very useful if you have prevented the execution of programs that are not on C:, then it is almost no longer possible to run programs "imported" from removable storage devices , so no use of password crackers is possible, at least not as long as you haven't installed them yourself beforehand ;-) )
6. Prevent Office documents from being opened in I-Net Explorer. (with the restrictions that can be made under -> User Settings -> Feature Restrictions -> Microsoft Office Restrictions, this prevents the "unintentional" use of VBA scripts and macros in Office)
7. Prevents files from being written to USB storage media (very useful to prevent data theft, with the setting item: Remove CD and DVD Burning Function under -> User Settings -> Windows Restrictions -> General Restrictions, it is almost impossible to get data down from the computer , except possibly via the network)

The menu item Scheduled Software Updates

It's supposed to make it possible to activate Windows updates and anti-virus updates on a time-controlled basis even under non-administrative user accounts, but firstly it doesn't work correctly and so far it only recognizes 4 anti-virus programs; the others would have to be integrated using self-created scripts. (So ​​we just don't set anything here, we prefer to do updates manually as an administrator.

 

 

The most important: the disk protection

And now, in my opinion, the most important menu item for "pure" Internet computers:
The disk protection.

What was previously only possible with commercial programs is integrated here free of charge.
Disk Protection sets up a kind of virtual hard disk cache (which can be up to 40GB in size) on which everything is stored that normally comes directly onto the hard disk. If configured correctly, this function automatically deletes ALL changes made during the last session on restart. So when used correctly, the almost perfect weapon against viruses, worms, etc., even if they get on the computer, they are gone when you restart at the latest (I've already tried it myself with a deliberate infection with a virus and spyware).

 

Of course you shouldn't do without an antivirus and firewall program, because as long as the computer is not restarted, the malware is still active !!!!!

This function is also not absolute ("Retain Changes temporarily" and "Retain all Changes permanently"),
In other words, desired changes (e.g. desired software updates) can also be permanently adopted when shutting down (also a reason not to forego security programs, since malware could creep in during the update)

 

 

 

The help and online features

And what do we have on the leftmost home page?
The registration, which can be found at the top, does not seem to work yet, but requires a Windows Live ID anyway.
Below you will find help and FAQs on Steady State, some of which are only available online.
At the bottom there is LiveOneCare, a kind of user-dependent child protection, which is only available online.
I will possibly deal with the two points registration and parental controls in an additional tip, if they work properly at some point.
(at the moment you sometimes still get 404 error messages, i.e. unavailable HP pages)

So, that's it for now with the overview and the first settings,
If you set all settings to the highest restrictions (High Restrictions), you have an Internet user account with which (almost) nothing can go wrong.

A detailed list of the individual settings under User Settings can be found in the second tip!

 

Windows SteadyState Part 2

 

_

___________________________________________________
This tip comes from www.win-tipps-tweaks.de
© Copyright Michael Hille

Warning:
Using Registry Editor or its tips incorrectly can cause serious system problems that may require you to reinstall your operating system. Tampering with the registry files and using the tips is at your own risk.