Mohammed S Ali wrote an interesting article about the dangers of using public PCs, so to continue the topic I’ll be explaining what you need to do to secure a machine for public use.
1. Physical Security
The first step in securing a public machine is a tricky one: ensuring its physical security. The customer should not have direct access to the machine itself. If you wish to provide USB support then use a USB hub or a male-to-female USB extension cable, but do not allow customers to insert their USB devices directly into the computer. The reason for this is that a malicious customer would otherwise have the opportunity to install a USB or PS/2 keylogger and steal potentially valuable data typed by other users, such as login details and passwords. It is also worth securing that USB cable so that a user with malicious intent cannot simply pull it off and deny all other users its use.
2. USB Security
The first threat that comes to mind on a public PC is the USB port, and with good reason. The USB port should be controlled. If you do not intend to allow your customers to insert any USB devices then ensure that there is no physical access to the port. In the event that you need to allow customers to use USB ports, install software that can control USB usage. Customers should not be allowed to copy executables and other potentially malicious software such as DLLs and OCXs. To implement such a strategy you need software that doesn’t simply filter on certain extensions but is also able to detect the real type of a file irrespective of its extension. It goes without saying that such a solution should be able to look inside archives and should not let password-protected archives through either.
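As an added illustration of the filtering rule described above (not code from the article or from any particular product), the following Python script decides on file content rather than extension: it checks for executable signatures, opens ZIP archives recursively, refuses password-protected entries, and rejects archives nested too deeply or malformed. The sample files are constructed in memory and are hypothetical.

```python
import io
import zipfile

# Executable signatures refused whatever the extension says (PE covers exe/dll/ocx/scr).
EXECUTABLE_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header
MAX_DEPTH = 2              # archives nested deeper than this are rejected unopened

def inspect_file(name: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons to block the file (empty list = allow).
    The name is used for reporting only; decisions are made on content, not extension."""
    reasons = [f"{name}: {kind}" for magic, kind in EXECUTABLE_MAGIC.items() if data.startswith(magic)]
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_DEPTH:
            return reasons + [f"{name}: archive nested too deeply"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted entry
                        reasons.append(f"{member}: password-protected entry")
                    else:
                        reasons.extend(inspect_file(member, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: malformed archive")
    return reasons

# --- constructed sample inputs (hypothetical files, built in memory) ---
def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Flag every central-directory entry as encrypted (the stdlib cannot write encrypted ZIPs)."""
    buf = bytearray(zip_bytes)
    for pos in (i for i in range(len(buf) - 3) if buf[i:i + 4] == b"PK\x01\x02"):
        buf[pos + 8] |= 0x01
    return bytes(buf)

FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "notes.txt": b"meeting at 10",                                      # allowed
    "report.pdf": FAKE_PE,                                              # PE renamed to .pdf
    "photos.zip": build_zip({"cat.jpg": FAKE_PE}),                      # PE hidden in an archive
    "backup.zip": mark_encrypted(build_zip({"secret.bin": b"x" * 16})), # password-protected
    "deep.zip": build_zip({"a.zip": build_zip({"b.zip": build_zip({"c.txt": b"hi"})})}),
}
```

Running `inspect_file(name, data)` over `SAMPLES` allows only `notes.txt`; a real deployment would also need other archive formats and other executable types, which the same content-first approach extends to.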
3. Patch Management
It is essential that your public machines carry the latest security patches. Public machines are a lot more vulnerable to exploits: while most remote exploits require tricking a user into visiting a malicious site, a malicious user intent on infecting a public machine will simply visit that site himself, using the exploit as the vector to get his malware installed on the public machine.
4. Hardware Inventory
It is also important to ensure that no new hardware is installed or left connected to the machine after hours. Ideally you’d have inventory software which scans the machine after closing time and promptly notifies the person in charge if new hardware is detected. Malicious hardware to protect against includes rogue access points, keyloggers and possibly pen drives loaded with malware, planted to be found by people who will plug them into their home machines to see what they contain, infecting their machines in the process.
5. Web Access Monitoring/Control
If you’re allowing your customers to connect to the internet it might be a good idea to restrict access or at least monitor their activity. Such a machine might offer the anonymity that a malicious attacker needs to attack other sites, so any legal fallout from such attacks will land on you. Adequate internet monitoring can help you in case of legal action.
6. Controlled Access to the Machine
Do not allow users full administrative access. Even if you think you are blocking every possible route for users to introduce software, one of them might find a clever way around these limitations, so you want to limit the damage he can cause.
7. Virus Scanning
Ensure that the machine is equipped with adequate virus scanning capabilities. It is advisable that other machines monitor that the antivirus software is running as expected and is up to date. This precaution is essential so that, if malicious users do find a way to bring in software from outside, they are still not able to introduce malware.
8. PC Connection to the Internet
If your public machine has internet access, ensure that either it is not directly connected to the internet or, if it is and has a public IP which is directly addressable from the internet, that it is protected by adequate firewalls. A malicious user can sit at the machine simply to investigate what software it is running, effectively scouting it for subsequent remote attacks launched via the internet.