Setting Up a Windows System to Protect Untechnical Users from Themselves

2020-12-27

Our goal is to set up a system such that, if you're not a logged-in administrator, you cannot:

  1. Install new applications
  2. Install browser extensions
  3. Change security-related settings
  4. Use Microsoft Edge or IE to access the internet (since these aren't/can't be locked down)

Optionally, we'll install a firewall for an added level of healthy paranoia to make sure that network calls aren’t being made by scripts or programmes that don't require administrator privileges. This can occasionally break things if not calibrated properly.

Also optionally, we'll set up ClamAV as a secondary antivirus to catch whatever isn’t picked up by the built-in Windows Antivirus.

Step 1) Windows Get

Acquire an image of the Microsoft Windows installation disk in the way you normally might. Here's a handy link.

I just use an existing Windows install to create a USB install media using the Media Installation Tool at the above link, and follow the normal installation process.

Step 2) Install Windows / Create the Admin Account

Install Windows using the image you acquired in the previous step. We'll be setting up this computer with two users:

  1. An admin which we (or other technical folks) will use to set up and perform maintenance on the device. I usually give this account the name "Admin".
  2. A user which will be used by the untechnical person. This account is not an administrator, and I usually give this account the name of the end-user.

When prompted for user information at installation, we'll set up the admin account. The user account will be created once Windows is installed (in fact, in the next step).

Step 3) Create the User Account

Once installed, booted, and logged in:

  1. Enter the Windows 10 Settings panel (type "Settings" in the Start Menu).
  2. Click on "Accounts", and then "Family & other users" tab on the left.
  3. Click "Add someone else to this PC" (it has a plus on the left with it).

By default, the account is a "Standard User" (non-administrator), but you can verify that by clicking on the new user's name in the "Family & other users" page and then clicking "Change account type".

You may wish to check for and download Windows Updates at this time, as we'll be prompted to restart in Step 7.
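An added check (not part of the original post) for the two-account layout from Steps 2 and 3: it confirms, from an elevated prompt in the admin session, that the admin account is a local administrator, that the end-user account exists, is enabled and is not in the Administrators group, and that no other enabled account has admin rights. The account names "Admin" and "EndUser" are assumptions; substitute your own.

```powershell
# Added check (not from the original post): confirms the two-account layout from Steps 2 and 3.
# Run from an elevated PowerShell prompt while logged in as the admin account.
# Both names below are assumptions; substitute the names you chose.
param(
    [string]$AdminName = 'Admin',
    [string]$UserName  = 'EndUser'   # placeholder for the end-user's account name
)

function Test-TwoAccountLayout {
    param([string]$Admin, [string]$User)
    $problems = @()

    # Members of the local Administrators group, reduced to bare account names
    $adminMembers = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    if ($adminMembers -notcontains $Admin) {
        $problems += "'$Admin' is not a member of Administrators"
    }
    if ($adminMembers -contains $User) {
        $problems += "'$User' is a member of Administrators; it must be a Standard User"
    }

    # Any other enabled local account with admin rights widens the attack surface;
    # the built-in 'Administrator' account normally stays disabled.
    foreach ($u in Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -ne $Admin }) {
        if ($adminMembers -contains $u.Name) {
            $problems += "Unexpected enabled administrator: '$($u.Name)'"
        }
    }

    $userAccount = Get-LocalUser -Name $User -ErrorAction SilentlyContinue
    if (-not $userAccount) {
        $problems += "Local user '$User' does not exist"
    } elseif (-not $userAccount.Enabled) {
        $problems += "Local user '$User' is disabled"
    }
    return $problems
}

$findings = @(Test-TwoAccountLayout -Admin $AdminName -User $UserName)
if ($findings.Count -eq 0) {
    Write-Host "OK: '$AdminName' is the only enabled administrator and '$UserName' is a Standard User."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```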

Step 4) Install Firefox

Use Microsoft Edge for the only thing it's good for: installing Firefox.

Step 5) Set-Up Non-Administrator Group Policy

We'll use Microsoft Windows Group Policy to apply rules and restrictions for non-administrator users.

Follow the steps in this TenForums tutorial and save the shortcut in the last step to the Desktop (we'll use it again later).

Step 6) Add Group Policy Rules for Microsoft Edge

Use the shortcut from the previous step to create non-administrator rules for Microsoft Edge. Use the Tree on the left to navigate to Console Root\Local Computer\Non-Administrators Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Edge.

Change the following settings to lock down Microsoft Edge:

  1. Allow Developer Tools to Disabled
  2. Allow Extensions to Disabled
  3. Allow Adobe Flash to Disabled
  4. Allow search engine customization to Disabled
  5. Allow Sideloading of extension to Disabled
  6. Configure Windows Defender SmartScreen to Enabled
  7. Allow web content on New Tab page to Disabled (this is the most important)
  8. Prevent bypassing Windows Defender SmartScreen prompts for sites to Enabled
  9. Prevent bypassing Windows Defender SmartScreen prompts for files to Enabled

Then, navigate to Console Root\Local Computer\Non-Administrators Policy\User Configuration\Administrative Templates\System.

Then set Don't run specified Windows applications to Enabled, click the "Show…" button next to the "List of disallowed applications" label, and in that window add msedge.exe as one of the entries.

Step 7) Add Group Policy Rules for Internet Explorer

In the same window as before, use the Tree on the left to navigate to Console Root\Local Computer\Non-Administrators Policy\User Configuration\Administrative Templates\Windows Components\Internet Explorer.

In the Security Page\Internet Zone page change the following settings:

  1. Turn on Protected Mode to Enabled
  2. Show security warning for potentially unsafe files to Enabled
  3. Allow file downloads to Disabled
  4. Allow font downloads to Disabled
  5. Java permissions to Enabled and set the Java permissions dropdown to Disable Java
  6. Launching applications and files in an IFRAME to Disabled

Then search "Turn Windows features on and off", click it, and uncheck "Internet Explorer 11". You'll then be prompted to restart your computer, which you may do.

Step 8) Add Mozilla Firefox Policy Definitions

Download the Mozilla Firefox Policy Definitions from GitHub. Copy the *.admx files in the root of the repo to C:\Windows\PolicyDefinitions and the *.adml files in the en-us folder (or your locale) to the folder C:\Windows\PolicyDefinitions\en-us.

Step 9) Install Desired Firefox Add-ons on the User Account

Log in to the Standard User account the untechnical user is meant to use. Then install the add-ons you want, since we’ll be disabling add-on installation later. You can enable it again later if you change your mind, so don't worry.

I recommend the following extensions to prevent users from putting themselves at risk:

  • uBlock Origin
  • Privacy Badger
  • HTTPS Everywhere

Step 10) Add Group Policy Rules for Firefox

Open up the Group Policy shortcut we saved to the desktop and go to Console Root\Local Computer\Non-Administrators Policy\User Configuration\Administrative Templates\Mozilla\Firefox.

Set the following keys:

  1. Application Autoupdate to Enabled
  2. Block Add-ons Manager to Enabled
  3. Block about:config to Enabled
  4. Block about:profiles to Enabled
  5. Disable Developer Tools to Enabled

Go to the child folder Addons in the Firefox folder we navigated to with the path above.

Set the following keys:

  1. Allow add-on installs from websites to Disabled

Go to the child folder Flash in the Firefox folder we navigated to earlier.

Set the following keys:

  1. Activate Flash on websites to Disabled

If your user doesn’t plan on using in-browser video conferencing, you can block Camera and Microphone access.

Go to the child folder Permissions/Camera:

  1. Block new requests asking to access the camera to Enabled

Go to the child folder Permissions/Microphone:

  1. Block new requests asking to access the microphone to Enabled

Go to the child folder Search and set the following keys:

  1. Prevent Search Engine Installs to Enabled

Go to the child folder Tracking Protection and set the following keys:

  1. Enabled to Enabled
  2. Cryptomining to Enabled
  3. Do not allow tracking protection preferences to be changed to Enabled

Go to the child folder User Messaging and set the following keys:

  1. Extensions Recommendations to Disabled
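An added verification script (not part of the original post) covering Step 6's Don't run specified Windows applications entry and the Firefox keys from Step 10: run it non-elevated inside the Standard User's own session to confirm the Non-Administrators policy reached that user's HKCU hive. The registry value names follow Mozilla's policy-templates layout and the classic Explorer DisallowRun policy; the legacy Edge settings from Step 6 are not checked.

```powershell
# Added check (not from the original post): run inside the Standard User's session,
# non-elevated, after Steps 6 and 10. Firefox value names follow Mozilla's
# policy-templates registry layout; DisallowRun is the Explorer policy from Step 6.
$fx = 'HKCU:\Software\Policies\Mozilla\Firefox'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# "key path|value name" => expected DWORD
$expected = @{
    "$fx|AppAutoUpdate"                                = 1
    "$fx|BlockAboutAddons"                             = 1   # Block Add-ons Manager
    "$fx|BlockAboutConfig"                             = 1
    "$fx|BlockAboutProfiles"                           = 1
    "$fx|DisableDeveloperTools"                        = 1
    "$fx\InstallAddonsPermission|Default"              = 0   # add-on installs from websites
    "$fx\FlashPlugin|Default"                          = 0
    "$fx\Permissions\Camera|BlockNewRequests"          = 1
    "$fx\Permissions\Microphone|BlockNewRequests"      = 1
    "$fx\SearchEngines|PreventInstalls"                = 1
    "$fx\EnableTrackingProtection|Value"               = 1
    "$fx\EnableTrackingProtection|Cryptomining"        = 1
    "$fx\EnableTrackingProtection|Locked"              = 1
    "$fx\UserMessaging|ExtensionRecommendations"       = 0
    "$explorer|DisallowRun"                            = 1
}

function Test-PolicyValues {
    param([hashtable]$Expected, [string]$BlockedExe)
    $gaps = @()
    foreach ($entry in $Expected.GetEnumerator()) {
        $keyPath, $valueName = $entry.Key -split '\|', 2
        $actual = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($actual -ne $entry.Value) {
            $shown = if ($null -eq $actual) { '<absent>' } else { $actual }
            $gaps += "$keyPath\$valueName expected $($entry.Value), found $shown"
        }
    }
    # The disallowed-application list is a subkey whose values are numbered entries "1", "2", ...
    $list = Get-ItemProperty -Path "$explorer\DisallowRun" -ErrorAction SilentlyContinue
    $names = @()
    if ($list) { $names = @($list.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }) }
    if ($names -notcontains $BlockedExe) { $gaps += "$BlockedExe is not in the DisallowRun list" }
    return $gaps
}

$gaps = @(Test-PolicyValues -Expected $expected -BlockedExe 'msedge.exe')
if ($gaps.Count -eq 0) { Write-Host 'All checked policies are in effect for this user.' }
else { $gaps | ForEach-Object { Write-Warning $_ } }
```

If a value shows as absent, run gpupdate /force in the same session and run the check again.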