8 Steps to Securing a Public Machine
Mohammed S Ali, wrote an interesting article about the dangers of using public PCs, so to continue with the topic I’ll be explaining what you need to do to secure a machine for public use.
1. Physical Security
The first step in securing a public machine is a tricky one and that is ensuring its physical security. The customer should not have direct access to the machine. If you wish to provide USB support then use a USB hub or a male to female USB cable but do not allow customers to insert their USB device directly into the computer. The reason for this is that a malicious customer would have the possibility to install a USB or PS2 key logger and be able to steal potentially valuable data typed by other users such as login details and passwords. It is also good to remember to secure said USB cable so that a user with malicious intent would not be able to simply pull the USB cable off and denying all other users its usage.
2. USB Security
The first threat that comes to mind on a public PC is the USB port and with good reason. The USB port should be controlled. If you do not intend to allow your customers to insert any USB devices then ensure that there is no physical access to the port. In the event that you need to allow customers to use USB ports then install software that can control USB usage. Customers should not be allowed to copy executables and other potentially malicious software such as DLLs and OCXs. To implement such a strategy you need software that doesn’t simply filters certain extensions but that is also able to detect the real file type of a file irrespective of its extension. It goes without saying that such a solution should be able to look into archives and not allow password protected archive to go through either.
3. Patch Management
It is essential that your public machines contain the latest security patches. Public machines are a lot more vulnerable to exploits because while most remote exploits require tricking the user to visit a malicious site, any malicious users intent on infecting a public machine will simply access the malicious site thus using this exploit as a vector to get his malware installed on the public machine.
4. Hardware Inventory
It is also important to ensure that no new hardware is installed or left connected to the machine after hours. Ideally you’d have inventory software which scans the machine after closing time and promptly notifies the person in charge if new hardware is detected. Malicious hardware to protect against includes rouge access points, key loggers and possibly pen drives loaded with malware which are planted to be found by people who will plug them into their home machines to see what they contain, infecting their machine in the process.
5. Web Access Monitoring/Control
If you’re allowing your customers to connect to the internet it might be a good idea to restrict access or at least monitor their activity. Such a machine might offer the anonymity that a malicious attacker needs to attack other sites so any legal fallout from such attacks will fall on to you. Adequate internet monitoring can help you in case of legal action.
6. Controlled Access to the Machine
Do not allow full administrative access to users. Even if you think you are blocking any possible route for users to introduce software, one of them might find a clever way to go around these limitations. Therefore you want to limit the damage he might cause.
7. Virus Scanning
Ensure that the machine is equipped with adequate virus scanning capabilities. It is advisable that other machines monitor that the antivirus software is running as expected and is up to date. This precaution is essential to ensure that if malicious users find a way to introduce software from the outside they are not able to introduce malware.
8. PC Connection to the Internet
If your public machine has Internet access ensure that it’s either not directly connected to the internet or if it is and has a public IP which is directly addressable from the internet, that it is protected by adequate firewalls. A malicious user can access the machine simply to investigate what software it is running, effectively scouting it for subsequent remote attacks launched later on via the internet.
Smart, common sense advice. What concerns me is how many people use public machines to log into their social networking account or check their email, and then walk away without logging off. Public machines need some kind of software that automatically logs someone off after a pre-determined period of non-activity.
That’s a very valid point Sue. I guess that happens because people are used to that at home so the same behavior continues in public places too.
In any case your suggestion for systems to log off automatically after a short period is definitely a very good one and actually deserved to be in the list above! Thanks a lot for pointing it out
I completely agree that physical security should be the utmost priority in securing and working on a public PC. With remote access to the PC being readily available to the public, it’ll be hard enough to try to traffic the varied number of users, even more so the kind, type and amount of data being installed, used and retrieved from the unit. Having a separate USB cable to manage public devices is always a good idea.
Not to veer too far off topic or anything, but I am curious on how the popularity of netbooks has affected the prevalence of public use computers now that netbooks are, definitely, more affordable than ever before. I see more and more places offering wireless connectivity since most people nowadays bring their own laptop or netbook anyway.
On a related note, are there any security vulnerabilities when accessing a public network?
I’ve actually run into public use PCs where the employed systems admin runs a restore on all workstations as soon as they’re used. It may seem like a drastic measure on their end, but I also figure it keeps them from doing more costly acts of maintenance should their computers actually be compromised by user error. They’ve managed to design their systems so that system restoration is quick, painless and efficient, so that PCs are up and running in a couple of minutes.