Kiosk for bill payment site

[phishphreek]

I've been tasked with the job of deploying a kiosk in my company lobby. The kiosk is only supposed to be used to access two SSL websites. One is a company related website. The other is a third party bill payment site. Below is a brief description of the security in place thus far. The last part is a problem I'm running into.

I'm pretty confident with the physical, network and OS security that I've setup on it. I've attacked it from every angle that I can think of and I'm pretty close to deploying this box. I'm going to have a couple of other people have a go at the box before I deploy it. I've had some trouble finding resources and documentation on how to setup a Kiosk. This is by far the most secure box I've ever had to deploy. I'm kind of nervous about it because users will be paying their bill with a third party online bill payment site and they will be entering account information on the workstation.

I'm using an actual computer enclosure and the user only has access to the mouse and keyboard. The mouse has been physically modified and only the left mouse button works. The mouse and keyboard are PS2 style and have no way to attach any devices inline with it. If they pulled hard enough, they might be able to remove the mouse and keyboard from the back of the computer. Even still, I've attached the cables to the side of the enclosure to try to prevent this. The USB controllers have been disabled and the floppy/cd rom has been disconnected. The BIOS has been locked down as much as I could and two passwords are required to either 1.) Enter the BIOS and 2.) Change any BIOS settings. A password is not needed to boot the system. It's set to power on after power failure and it's set to boot to HD only.

It's connected to a UPS inside the case, so removal of external power will only cause the UPS to alarm and send alerts to IT staff. It is under a security camera and the live feed is fed into our security office. The lobby is manned during business hours by customer service and the enclosure is locked after business hours. The computer power is controlled in the BIOS. It turns on 15 min prior to business opening and a scheduled task powers it off at the end of the day.

Network security consists of segmentation via VLAN, strict ACL between the VLAN subnets, border firewall, proxy. The switchport it's connected to has "sticky mac" enabled and only that machine's MAC can be used on that port. If a hub or switch were to be plugged in, the switch will go into blocking and disable that port. On the host there is symantec endpoint security in which both the local firewall is configured as well as various other settings. The Fw will only allow the box to a few specific locations. The OSSEC server, symantec server, windows update server and the two websites the KIOSK is designed for. All web traffic is done over SSL. OSSEC is being used as a HIDS.

OS security was setup via modified NSA XP Security config guides, local security policy and Microsoft Steady State. The machine is set to autologon as a guest user who only has access to execute iexplore.exe in kiosk mode. IE 7 has been locked down considerably using the local security policy and steady state. The user only has access to two internet sites. This is controlled in Steady State and also the firewall/proxy as backup. The machine can only go out to those sites over SSL and all other protocols have been restricted.

Access to all computer management software has been removed or restricted via local security policy and steady state. Same for any network and scripting utility that I could think of. The binaries have either been renamed, removed or restricted. Access to all local resources have been restricted. The OS filessytem and registry have also been locked down.
In order to access any account other than the auto login guest account, physical access to the computer enclosure is needed. The power has to be removed in the cabinet. Just before it auto logs on, if you hold left shift, you'll get a normal logon screen where you can enter a different user id. The admin local admin account has been renamed and caching of the local passwords has been disabled. All unneeded services have been disabled and the machine is running barebones. I've removed just about everything.

Now, onto my problem.

I can't think of a way to get IE to timeout to a specific homepage after x seconds/minutes of inactivity.

If a user starts their session and walks away without gong back to the homepage, the session stays active. The website will timeout after a couple of minutes but if another customer is behind them, the customer can pick up the last customer's session. That customer would have access to the previous customer's Name, Address, Account Number and amount due. All of this info is public knowledge except for the amount due. I have no control over the website itself.

How can I work around this problem?

Steady State has a way to introduce session timers. It will count down the sessions and logoff the machine. The machine will auto logon again and launch IE in kiosk mode. Once in kiosk mode, access to the start menu and desktop are removed. There is nothing on the start menu or on the desktop anyway. Right click has been removed and all keyboard shortcuts have been disabled. Problem with this is, I can see the session timing out in the middle of a transaction and cause problems.

There is also another setting for it to reboot/logout after x min of idle time. However, for some reason, it doesn't detect the machine as idle as long as IE is open... It won't logout. If I close IE and leave it, it will logout.

[Negative]

Sounds like a cool project
Can't you use dedicated kiosk software? Something like http://www.sitekiosk.com/en-US/SiteKiosk/Default.aspx ?

[IKnowNot]

phish: I have never done anything like this, but after thinking about it, wouldn’t some type of proximity sensor and/or pressure mat be more appropriate then just a software timeout ?

[phishphreek]

Hmm. Good idea about the proximity sensor/pressure mat. I've never seen anything like it but I'll do some searching. I had looked into kiosk type software but most of what I found was just a fancy gui for the local security policy. It always annoys me when people build software to control the features windows already has. I'll check out the link you posted though. I don't recall seeing that one. I'll load it up in a vm here shortly. There is very little in ways of documentation about setting up kiosks. There are more guides for linux than windows.