Kiosk Hardening

OPSWAT recommends that the following additional setup is performed if MetaDefender Kiosk is deployed on a dedicated system.

Auto login

If MetaDefender Kiosk is being used on a dedicated system, we recommend that Windows on the kiosk is configured to log in automatically to the account with Administrator privileges that Kiosk will run under. If the Kiosk system is part of a domain, additional steps may be required to allow this.

User Account Control (UAC)

OPSWAT recommends that UAC is disabled on systems that are being used as dedicated MetaDefender Kiosks. If UAC is not disabled, MetaDefender Kiosk's watchdog functionality may not work correctly.

There are two ways to completely disable UAC in Windows:

By editing the registry

  1. Click Start and type regedit.exe to open the Registry Editor
  2. Navigate to the registry key at HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System
  3. Set EnableLUA to 0
  4. Restart Windows

By adjusting Local Group Policy settings

  1. Click Start and type gpedit.msc to open the Group Policy Editor

  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

  3. In the right pane, locate the User Account Control policies and set:

    1. User Account Control: Only elevate executables that are signed and validated → Enabled
    2. User Account Control: Switch to the secure desktop when prompting for elevation → Disabled
  4. Restart Windows

Windows Update

Install all patches and updates available through Windows Update. Once all updates are installed, OPSWAT recommends that automatic updates are turned off to prevent system reboots.

  1. Navigate to Start > Control Panel > Windows Update > Change settings
  2. Select Never check for updates from the menu
  3. Click Apply or OK and close the dialog box

If turning off automatic updates is not desired, a process must be configured to restart the MetaDefender Kiosk system. We recommend using standard organizational patch practices and tools.

Setting the power saving options

Select the maximum performance power saving option.

  1. Navigate to Start > Control Panel > Power Options
  2. Click Change plan settings
  3. Click Change advanced power settings
  4. Select High Performance from the menu
  5. Click OK
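
Settings like these can be changed later by domain policy or reimaging, so it helps to check them periodically. The following read-only PowerShell check is an added example, not OPSWAT code; it assumes the standard Windows registry value names behind the two policies named above (ValidateAdminCodeSignatures, PromptOnSecureDesktop) and the GUID of the built-in High performance plan.

```powershell
# Added example: read-only drift check for the UAC and power settings on this page.
# Nothing is modified. Expected values are the ones this page states.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue([string]$Name) {
    # Returns the DWORD value, or $null when the value is not present.
    $item = Get-ItemProperty -Path $uacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$lua    = Get-UacValue 'EnableLUA'
$signed = Get-UacValue 'ValidateAdminCodeSignatures'  # "Only elevate executables that are signed and validated"
$secure = Get-UacValue 'PromptOnSecureDesktop'        # "Switch to the secure desktop when prompting for elevation"

# The page gives two alternative methods; either one satisfies the check.
$registryMethod = ($lua -eq 0)                             # EnableLUA set to 0
$policyMethod   = ($signed -eq 1) -and ($secure -eq 0)     # Enabled / Disabled

# Assumption: the built-in High performance plan is used (fixed GUID),
# not a renamed or duplicated custom plan.
$highPerf   = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'
$schemeText = (powercfg /getactivescheme) -join ' '
$guidRegex  = '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
$activeGuid = if ($schemeText -match $guidRegex) { $Matches[0] } else { '<unknown>' }

$results = @(
    [pscustomobject]@{
        Check  = 'UAC (registry method or policy method)'
        Actual = "EnableLUA=$lua; ValidateAdminCodeSignatures=$signed; PromptOnSecureDesktop=$secure"
        Pass   = $registryMethod -or $policyMethod
    }
    [pscustomobject]@{
        Check  = 'Active power plan is High performance'
        Actual = $activeGuid
        Pass   = ($activeGuid -eq $highPerf)
    }
)

$results | Format-List

# A non-zero exit code lets a scheduled task or monitoring agent flag drift.
if ($results.Pass -contains $false) { exit 1 } else { exit 0 }
```

Run it from an elevated or standard PowerShell session on the kiosk; reading these keys does not require administrator rights.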

Disabling mouse cursor pointer

This configuration is optional. Once these steps are taken, there will be no visible mouse pointer.

OPSWAT recommends that mouse cursor pointers are turned off after MetaDefender Kiosk has been configured. If the system touchscreen configuration software does not have this feature, it can be done manually by following the steps below:

  1. Navigate to Start > Control Panel > Mouse
  2. Click the Pointers tab
  3. Browse to C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\blank.cur
  4. Customize each pointer type to the provided blank pointer: blank.cur
  5. Click Apply and close the dialog box.

Disabling hotkeys

By default, the Kiosk will ignore any command that is a combination of Ctrl and another key.

The Ctrl + Alt + Del combination is disabled once you launch the Kiosk. When a user presses these keys, the expected result is a screen with no options displayed.

If you want to disable the combination completely so that nothing happens, follow the steps in how to disable Windows hot keys.

Other system hardening configuration

MetaDefender Kiosk does the following system hardening when installed:

  • Disables auto-run on all plug-and-play media and drives
  • Captures and disables all hotkey combinations, such as the Windows Key, Alt+Tab, etc., when Kiosk is running