The SiteKiosk System Security Manager helps you to manage the restricted SiteKiosk user. The user is created by the SiteKiosk installer. It is a local standard Windows user account. The System Security Manager further restricts this account to increase the security of the kiosk terminal. The manager enables you to customize the restrictions for the SiteKiosk user to your needs. We strongly recommend to run SiteKiosk with this user, which is the default behaviour when using the Auto Start mode of SiteKiosk.
In case your kiosk environment requires the usage of another user you can do so by using the Customized start options of SiteKiosk. For those scenarios we recommend to use the default Windows options, e.g. local or domain policies, to secure this user to meet your project requirements.
If you want to apply the same restrictions to your user which the System Security Manager applies to the local SiteKiosk Windows user, you can use command line parameters for this. Please note that these parameters are unsupported and provided as is. Use the following information at your own risk. Also note that if you apply the restrictions to a domain user they might only last until the next periodic domain policy update on the computer, because domain policies always overrule local settings if they overlap.
The SystemSecurity.exe is located in the main installation folder of SiteKiosk Windows, e.g. C:\Program Files (x86)\SiteKiosk.
To open the graphical user interface of the SiteKiosk System Security Manager with a user of your choice, use the follwing command line parameters:
SystemSecurity.exe /user:<UserNameOrSID> /pass:<Password> /domain:<DomainName>
To apply the default settings used for the restricted SiteKiosk user to a user of your choice without using the graphical user interface, you can use the following command line parameters:
SystemSecurity.exe /applydefault /user:<UserNameOrSID> /pass:<Password> /domain:<DomainName>
SiteKiosk uses the browser engine of the installed Internet Explorer to render web pages. To minimize security risks you should therefore keep the Internet Explorer updated by using the automatic Windows Update feature that comes with the operating system.
Unfortunately there is the risk of so called zero day attacks. There was one just recently that affected the Internet Explorer and was covered extensively in the media. Because SiteKiosk uses the Internet Explorer engine it is also affected. While the security features of SiteKiosk do limit the attack options to a certain degree a possible risk remains.
It is also notable that one aspect of zero day attacks is, that even antivirus software does not help as a required signature update takes its time to become available.
This is where Microsoft EMET or Enhanced Mitigation Experience Toolkit comes in. The toolkit can be used to harden an application so that flaws cannot be used as easily and zero day attacks have no or a more limited effect. It is free to use and easy to configure.
When you install EMET make sure to select to install it for all users. After the installation is finished you can just add the SiteKiosk.exe and other applications you want to protect using EMET in the EMET configuration. That's it. You can keep on using SiteKiosk as you did berfore, but now with the extra protection that EMET provides.