Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup


  • Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

    Hello all,

    I'm no stranger to needing to set up kiosk machines that are accessible by the general public. However, it seems that there is some debate amongst competent IT people about whether or not Kiosk machines should be joined to the corporate domain or left in their own workgroups.

    I'm faced with setting up a group of public-facing Kiosk machines (only two for now, but with the prospect of adding a few more in the future) and I'm wondering once again if I should join them to the SBS domain or not.

    Of course, the Kiosk user account will be completely locked down via GPO (either local or domain, depending on what I find out about this topic) and the machines are in an area that is visible by employees so I think that addresses most security concerns that I'm acquainted with. What are some of the other areas of concern that you folks have when setting up Kiosk style machines (e-mail stations in a lunch room for the factory workers, public interaction machines, exhibit computers etc.).

    Here's some of the things that have come to my mind:

    Pros:
    • All kiosk machines can have their settings centrally managed via GPOs applied to the proper OU.
    • Ditto for kiosk user accounts
    • New Kiosk machines need less set-up time. Just join to the domain, put it in the proper OU, install the needed apps and enjoy!



    Cons:
    • If someone steals a kiosk machine, any cached credentials would be susceptible to cracking attempts.
      • Mitigating factors: This place isn't a high profile target, cracking good credentials seems to be rather tough and most thieves aren't interested in cracking a computer.
    • Domain computers might be trusted on the network in more ways than a workgroup computer and any viruses could be more dangerous.
      • Mitigating factors: the user account would be locked down and proper A/V and firewalls would be in place so the insertion of a virus would be extremely unlikely


    All things considered, I don't see any real disadvantages to joining kiosk machines to the domain. Have I overlooked some things?
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

  • #2
    Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

    Well, I think the pros win over the cons.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

      Originally posted by Nonapeptide View Post
      If someone steals a kiosk machine, any cached credentials would be susceptible to cracking attempts.
      You can always set the GPO "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 0.

      I would join the domain, makes it easier to manage.
      "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan



      • #4
        Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

        I can say also that I would add the Kiosk stations to the domain. Especially because the advantages are so big (the Pros you mentioned).
        Solve the Cons and the path to the domain is free:
        - you said the stations are in places with some type of surveillance. Is theft still a worry? Go with Lior's suggestion.
        - viruses? What are users doing on those stations? Internet? E-mail? Do they come with their own files (floppies, CDs, DOKs)? If so, all these can be controlled through GPO also.

        Sorin Solomon

        »»»»»
        In order to succeed, your desire for success should be greater than your fear of failure.
        -
        «««««



        • #5
          Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

          I would also opt for joining the machines to the domain.

          I'm sure you've considered this in addition to what you have mentioned in this topic, but as well as making sure that the machines are 'supervised' (ie, employees can see what's going on), make sure that they are physically secured. Ideally, the bases would be in a locked (ventilated) cabinet with only the heads accessible. And plenty of other things that you can do too, but outside the scope of this thread. Just wanted to stress the point as I've seen these considerations overlooked too many times.
          Gareth Howells

          BSc (Hons), MBCS, MCP, MCDST, ICCE

          Any advice is given in good faith and without warranty.

          Please give reputation points if somebody has helped you.

          "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

          "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



          • #6
            Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

            Originally posted by Lior_S View Post
            You can always set the GPO of the Interactive logon: Number of previous logons to cache (in case domain controller is not available)
            So true!


            Originally posted by sorinso View Post
            you said the stations are in places with some type of surveillance. Is theft still a worry?
            Well, when people go home for the night it might be possible that one of the members of the general public liked what they saw and decided to come back to get a door prize. All of the domain policies in the world are useless against smash-and-grab thieves. Theft is actually my biggest concern for these machines, but that's kinda outside of the scope of this thread... unless you all wouldn't mind me hijacking my own thread.


            Originally posted by sorinso View Post
            viruses? What are users doing on those stations? Internet? E-mail? Do they come with their own files (floppies, CDs, DOKs)? If so, all these can be controlled through GPO also.
            It's primarily for school kids to watch the educational videos of their choice (although anyone could watch them if they wanted). All of the DVD files will be ripped (with appropriate permission acquired first, of course) and placed on the hard drive, so I'll be locking the user profile down so that no external media is accepted. Although, I wonder if I'll have to allow the DVD player to be used. For now I'm planning on keeping internet access to only a whitelisted group of web sites. I'll play with security settings to prevent any files from being downloaded.

            Oh, and what's a DOK? I'm always intrigued by a new TLA...

            Originally posted by gforceindustries View Post
            I'm sure you've considered this in addition to what you have mentioned in this topic, but as well as making sure that the machines are 'supervised' (ie, employees can see what's going on), make sure that they are physically secured. Ideally, the bases would be in a locked (ventilated) cabinet with only the heads accessible.
            Unfortunately, securing the "body" and exposing the "head" is not possible in this situation. The PTB purchased two of these and essentially said "make it work" (I'm actually typing this post on one of them now). Two Vista Ultimate upgrades later, I'm at where I am now. Fortunately I discovered that it has a slot for a Kensington lock (a nice surprise since NONE of the documentation for the TouchSmarts that I found on the internet said anything about it) but annoyingly enough, there's nothing nearby to lash it to.


            Originally posted by gforceindustries View Post
            And plenty of other things that you can do too, but outside the scope of this thread. Just wanted to stress the point as I've seen these considerations overlooked too many times.
            Oh, now you've gone and piqued my curiosity? What else "outside the scope of this thread" were you thinking about? Motion sensing turrets? You are rather fond of grounding fault "security measures"...


            Thanks everyone for the discussion so far!
            Wesley David



            • #7
              Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

              Originally posted by Nonapeptide View Post
              Unfortunately, securing the "body" and exposing the "head" is not possible in this situation. The PTB purchased two of these and essentially said "make it work" (I'm actually typing this post on one of them now). Two Vista Ultimate upgrades later, I'm at where I am now. Fortunately I discovered that it has a slot for a Kensington lock (a nice surprise since NONE of the documentation for the TouchSmarts that I found on the internet said anything about it) but annoyingly enough, there's nothing nearby to lash it to.
              Lash them to whoever ordered them

              While you're never going to have full control, I always advise IT staff to include in their policy the requirement to be consulted and/or give approval for all new purchases. Sure, you can "make it work", but a base with separate head would probably have been more desirable for this particular use.

              Originally posted by Nonapeptide View Post
              Oh, now you've gone and piqued my curiosity? What else "outside the scope of this thread" were you thinking about? Motion sensing turrets? You are rather fond of grounding fault "security measures"...
              I consider it to be true that anybody who should be using electrical equipment is well aware of the risks that electricity poses and should be taking suitable measures to protect themselves.

              Or have I been reading too much BOFH.

              Hmm... turrets would be cool.

              The things I would have suggested would be to supplement software policies with drive restriction by physically removing optical drives etc from the machine, disconnecting USB ports, disabling things in device manager (arguably more foolproof than disabling in the BIOS). Installing flamethrowers. Etc etc

              Edit: Last minute suggestion from a colleague reading over my shoulder:

              Originally posted by tom
              kiosk machines should explode if rammed
              Last edited by gforceindustries; 4th December 2008, 22:46.
              Gareth Howells




              • #8
                Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

                Originally posted by gforceindustries View Post
                While you're never going to have full control, I always advise IT staff to include in their policy the requirement to be consulted and/or give approval for all new purchases.
                I'm the first serious IT person that they've had in their midst, so it'll take some time before things change to the degree that I'm hoping for. Actually, I was consulted about kiosk machines before the present decision was made. I pointed them to SeePoint, a kiosk manufacturing company that I have experience with. The price tag scared them off, so when OfficeDepot had the TouchSmarts on sale for $1149 apiece they jumped on them.


                Originally posted by gforceindustries View Post
                Sure, you can "make it work", but a base with separate head would probably have been more desirable for this particular use.
                Actually, I prefer all-in-one kiosk models that can be bolted down. For instance, SeePoint's Counter Point product line. All-in-one wall-mounted models are spiffy too. However, you get what you pay for... and pay for what you get. How's $5,000 apiece sound to you?

                The PTB weren't thrilled either.


                Originally posted by gforceindustries View Post
                The things I would have suggested would be to supplement software policies with drive restriction by physically removing optical drives etc from the machine, disconnecting USB ports, disabling things in device manager (arguably more foolproof than disabling in the BIOS). Installing flamethrowers. Etc etc
                Or I could fill the USB ports with epoxy. Oh wait, I've got Vista... never mind. I'm also wondering about the best way to disinfect the thing... and I'm not talking about digital virii. We won't be using a keyboard and mouse; only the touchscreen. No one should need to type much on this thing and it will discourage some abuses. Just think of all the sticky, germy fingers being smeared all over the thing.

                Three cheers for remote desktop and Dameware.
                Wesley David


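The two lockdowns discussed above, Lior's zero cached logons (#3) and the device-level removable-media restriction Gareth mentions (#7), can be checked on the kiosk itself. The script below is an added example, not something posted in this thread; the Winlogon and USBSTOR registry locations are the real ones, while treating "0 cached logons" and "USBSTOR disabled" as the pass conditions is an assumption for a public kiosk.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell
# session on the kiosk. It reports whether the box is domain-joined, whether
# the "Interactive logon: Number of previous logons to cache" policy
# (registry value CachedLogonsCount under Winlogon) is 0, and whether the
# USB mass-storage driver (USBSTOR) is disabled at the driver level.

function Get-KioskHardeningReport {
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $usbstorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # CachedLogonsCount is a REG_SZ; when the value is absent Windows uses
    # its default of 10 cached domain logons.
    $cachedRaw = (Get-ItemProperty -Path $winlogonKey -Name CachedLogonsCount `
                  -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cachedRaw) { $cached = 10 } else { $cached = [int]$cachedRaw }

    # Service Start type 4 = Disabled; 3 = Manual (the default for USBSTOR).
    $usbStart = (Get-ItemProperty -Path $usbstorKey -Name Start `
                 -ErrorAction SilentlyContinue).Start

    # Get-WmiObject rather than Get-CimInstance so this also runs on the
    # Vista-era Windows PowerShell the thread is about.
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    New-Object -TypeName PSObject -Property @{
        ComputerName       = $cs.Name
        DomainJoined       = [bool]$cs.PartOfDomain
        Domain             = $cs.Domain
        CachedLogonsCount  = $cached
        CachedLogonsOk     = ($cached -eq 0)   # assumed kiosk threshold
        UsbStorageStart    = $usbStart
        UsbStorageDisabled = ($usbStart -eq 4)  # assumed kiosk threshold
    }
}

$report = Get-KioskHardeningReport
$report | Format-List

# A domain-joined kiosk that still caches logons keeps credential verifiers
# on disk; that is the theft scenario from the first post.
if ($report.DomainJoined -and -not $report.CachedLogonsOk) {
    Write-Warning ("CachedLogonsCount is {0}; set 'Number of previous logons to cache' to 0 in the kiosk OU's GPO (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options)." -f $report.CachedLogonsCount)
}
if (-not $report.UsbStorageDisabled) {
    Write-Warning 'USBSTOR is not disabled; removable USB storage will still mount.'
}
```

Note that with the cached-logon count at 0 the kiosk account cannot sign in while the domain controller is unreachable, so an SBS outage also takes the kiosks offline.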

                • #9
                  Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

                  I've got some 400W UV cannons going cheap

                  Those Seepoints are nice bits of kit. But you're right - purpose-built kiosk hardware is a niche market with a price tag to reflect that.

                  Originally posted by Nonapeptide View Post
                  Or I could fill the USB ports with epoxy. Oh wait, I've got Vista... never mind
                  Well played
                  Last edited by gforceindustries; 6th December 2008, 15:56.
                  Gareth Howells




                  • #10
                    Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

                    How many kiosk machines will be deployed?
                    I thought that the kiosk software already locks the box down.

                    If you are only talking about internet access for those things, then keep them out of the domain, put them in a separate VLAN and give that VLAN only access to the internet.
                    Marcel



                    • #11
                      Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

                      Originally posted by Dumber View Post
                      How many kiosk machines will be deployed?
                      Two for right now with the possibility of a few more in the future (one year or so).


                      Originally posted by Dumber View Post
                      I thought that the kiosk software already locks the box down.
                      I won't be using any special kiosk software. It's just Vista Ultimate that I'll be configuring through GPOs (either local or domain depending on if I join it to the domain). I have looked into Windows SteadyState and there was some tinkering done with DeepFreeze at another worksite, but they seem to be a bit overkill for my purposes at the moment.

                      Originally posted by Dumber View Post
                      If you are only talking about internet access for those things, then keep them out of the domain, put them in a separate VLAN and give that VLAN only access to the internet.
                      It's more than just internet access. In fact, internet access is still only optional. That might be removed totally. I'm still not sure. It's mostly to view videos and maybe play some educational games. I'm still thinking that it might be easier to join them to the domain.
                      Wesley David



                      • #12
                        Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

                        Why not enjoy both worlds? You can create another domain, completely separate from the enterprise one, only for these kiosk machines and their users.
                        A simple machine will act as the DC, and you can back it up with a low-tech technique (like taking its image every weekend or so).
                        With only two computers and probably only one user, there will be no real administrative burden. And you will have domain capabilities (much more powerful GPs), without compromising the "real" domain...

                        Sorin Solomon




                        • #13
                          Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

                          Originally posted by sorinso View Post
                          Why not enjoy both worlds? You can create another domain, completely separate from the enterprise one, only for these kiosk machines and their users.
                          That sounds like a good idea... but for such a small office is that a bit overkill? See my continuation of this thought below...


                          Originally posted by sorinso View Post
                          And you will have domain capabilities (much more powerful GPs), without compromising the "real" domain...
                          That sounds like a good idea for certain scenarios, but what pitfalls am I avoiding and what benefits am I gaining by this? I'm trying to figure out what are the precise compromises that are possible when a domain computer is accessible by the general public. I hear folks mention that as a security issue... but can't seem to find any specific reasons. I understand the security concerns associated with network-level access to the corporate network (access to the corporate network allows people to see file shares, servers, etc.) but proper access controls mitigate most of those threats (not all, of course). What baffles me isn't the network security concerns, but the specific concerns associated with allowing access to a domain member computer.

                          Any pointers?
                          Wesley David



                          • #14
                            Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

                            I think that if you lock down properly a user and/or a computer account, you are pretty secure. I know, there will always be around a smart-ass that will try something... But, given the set-up you described, is that a high-risk?
                            I can only throw ideas; it is up to you to decide what's best.

                            Sorin Solomon




                            • #15
                              Re: Pros and Cons of having kiosk machines joined to a domain vs. in a workgroup

                              Originally posted by sorinso View Post
                              I think that if you lock down properly a user and/or a computer account, you are pretty secure. I know, there will always be around a smart-ass that will try something... But, given the set-up you described, is that a high-risk?
                              I can only throw ideas; it is up to you to decide what's best.
                              It seems fairly low-risk... I was just curious what the precise risks are when you make a domain member publicly available. I wonder if I can utilize the TouchSmart's built-in webcam to turn on when too many "Access Denied" or "The local security policy does not allow this feature" error messages are encountered.

                              Oh the possibilities...

                              Wesley David
