Have I made this Windows laptop sufficiently middle-schooler-proof?

I’m technical director for a play my wife is directing for her middle school. We’ll be using digital scenery provided by Broadway Media, and played back using their app, Stage Player. It is essentially a slide-show program using animated (and copyright-protected) content.

I’ll be running lights during the show, so one of the students will be operating the Windows 10 laptop that will control the scenery. And during the rehearsal process over the next few weeks, he’ll probably be alone with the computer. (He won’t be taking it home.)

The kid is not a troublemaker, and I have no reason to think he would get up to no good with the computer. But he is as trustworthy as any average middle-schooler, so I think it prudent to take some precautions. (I had been hoping he used Apple devices at home, in which case I probably wouldn’t have gone as far, but no, his family uses Windows.)

Perhaps some Dopers who are more computer-savvy than I am can either assure me that what I’ve done is sufficient, or suggest some additional steps I can take to protect the computer, the show, the school, and my wife’s reputation.

I’ve been using PCs professionally for decades, but I know I don’t know everything. In fact, I had never used Group Policy settings before this week, so I’m pleased I’ve been able to figure it out and do what I’ve done so far.

(FYI, if you were going to suggest using Kiosk mode, I looked into it, but it doesn’t support the Stage Player program. There are other reasons it probably wouldn’t be a convenient solution.)

What I’ve done so far:

Created a standard User, with no Administrator rights, and loaded the Stage Player software on it.

I’ve changed the settings for Chrome and Edge so that only an administrator can launch them. I have a disguised shortcut to Firefox (my preferred browser) so that I can go online myself if I need to.

Using MMC, I created a Local Group Policy for Non-Administrators that provides the following restrictions under Administrative Templates:

Control Panel:
Settings Page Visibility is set to show only Display options, because the PC output will be driving a projector, and we’ll need to be able tweak those settings.

Likewise, Show Only Specified Control Panel Items is set to Display only.

System:
Prevent access to the command prompt
Prevent access to registry editing tools

Start Menu and Taskbar:
I’ve modified quite a few of these settings. See the screenshot.

This may all be overkill, but better safe than sorry. As far as what I am worried about/trying to prevent, just imagine yourself as a clever middle schooler and what you might try to do if you had a laptop and nothing better to do.

Anything else I should do?

Thanks.

Have you done anything to prevent putting a USB stick in the computer and running files off of that? And have you password protected the BIOS, while making sure it won’t boot from external media?

I believe you can set things up where only certain programs can be run at all. Look up a program whitelist.

(Just thinking about what I would do if I wanted to use the laptop. The number one thing would be to try and bring in my own stuff.)

Will he need access to the internet? If not, blocking its ability to access the internet will probably stop the majority of things a kid with a laptop may try to do.

No, and that’s why I locked out the three browsers.

I hadn’t thought of this, thanks. I’ll start Googling, but do you have any suggestions for how to do it?

What are you worried about?

If someone keeps installing trash on the computer what you can do is roll it back, automatically if necessary, to a known, presumably OK snapshot. Or run your Stage Player in a VM in the first place.

I’d basically be googling the same things. I just know it’s possible to set up Windows that way, where it disables USB drives and where you set up a whitelist for programs.

As for the BIOS–they all work a bit differently, but usually there’s a way to get to the Advanced version, and then you can choose the boot order and make sure it lists the main drive first. There is also usually something about a password in the options.

Getting to the BIOS can be tricky on new, fast machines, though. The foolproof way is to type “uefi” into the Google start menu, and it will give you “Advanced Startup Options”. Click that, and select Restart now under Advanced startup. From the next screen, select Troubleshoot > Advanced options > UEFI Firmware Settings > Restart.
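An added example, not from anyone in this thread: a PowerShell audit that reads the registry values the Group Policy items from the opening post (command prompt, registry tools, restricted Control Panel) and the USB-blocking suggestion above write, so you can confirm they actually took effect for the student account. It assumes the per-user items were set in the Non-Administrators local GPO, so it must be run while signed in as the student's standard account (those values land in that account's HKCU hive at logon); the registry paths are Windows' documented policy locations.

```powershell
# Audit of the lockdown policies discussed in the thread (added example).
# Run from the restricted student account, not the admin account, because
# User Configuration policies are written into that user's HKCU at logon.

$checks = @(
  @{ Item = 'System: Prevent access to the command prompt'
     Keys = @('HKCU:\Software\Policies\Microsoft\Windows\System')
     Name = 'DisableCMD'; Ok = @(1, 2) },        # 1 = cmd and scripts, 2 = cmd only
  @{ Item = 'System: Prevent access to registry editing tools'
     Keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System')
     Name = 'DisableRegistryTools'; Ok = @(1, 2) },
  @{ Item = 'Control Panel: Show only specified Control Panel items'
     Keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer')
     Name = 'RestrictCpl'; Ok = @(1) },
  @{ Item = 'Search: do not allow web search'
     Keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search')
     Name = 'DisableWebSearch'; Ok = @(1) },
  @{ Item = 'Search: do not display web results in Start'
     Keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search')
     Name = 'ConnectedSearchUseWeb'; Ok = @(0) },
  @{ Item = 'Removable Storage Access: all classes, deny all access'
     Keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
              'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices')
     Name = 'Deny_All'; Ok = @(1) }
)

# Return the first matching value found under any of the candidate keys.
function Get-PolicyValue {
  param([string[]]$Keys, [string]$Name)
  foreach ($k in $Keys) {
    $p = Get-ItemProperty -Path $k -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { return $p.$Name }
  }
  return $null
}

# The student account itself must not be an administrator.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
             [Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($id.Name); member of Administrators: $isAdmin"

$failed = 0
foreach ($c in $checks) {
  $v = Get-PolicyValue -Keys $c.Keys -Name $c.Name
  if ($null -ne $v -and $c.Ok -contains [int]$v) { $state = 'OK' }
  else { $state = 'MISSING'; $failed++ }
  '{0,-8} {1}  ({2} = {3})' -f $state, $c.Item, $c.Name,
    $(if ($null -eq $v) { 'not set' } else { $v })
}
"$failed policy item(s) not in effect for this account."
```

A MISSING line for a policy you believe you set usually means it was applied to the wrong scope (the admin's account, or Computer Configuration instead of the Non-Administrators GPO); `gpupdate /force` followed by a sign-out and sign-in refreshes the user hive.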

That’s a big loophole for preventing online access. If you only hid the Firefox shortcut, it’s trivially easy to find the executable (firefox.exe, it’s either in the Programs folder or in the user files, but easily findable in a search).

I’d prefer to stop that from happening in the first place.

I’m not up on VMs. I’ll Google, but if you have any further advice, please feel free.

I found one way that I couldn’t make work but then I found I could do it within the Group Policy, and it works perfectly. Thanks for that suggestion.

I’m still looking into the BIOS thing. That may be more than needed.

Yeah, and I tried to set it so that Administrator rights were required to launch it, but that didn’t work the way other programs had.

And I’ve found another problem: if you click on the start menu and type anything, Edge will pop up with an answer. I need to disable that, too.

Back to the Group Policy editor.

Thanks for all the replies so far. Keep them coming.

Does this kid have access to a computer other than yours? If so, it doesn’t seem worthwhile to lock yours down any tighter than the one they have access to.
And, if you are worried about them installing malware on it, just plan on wiping it when you are done.

There is a feature called Windows Sandbox that allows you to run things in an isolated container:

I guess I am vaguely suggesting you could configure a sandbox so that only the requisite software is installed and only certain folders are shared/accessible, the internet let us say not accessible, and you could configure a user account to start up the sandbox automatically.

Similarly for any other VM/container; the trick is to make sure “unauthorized” users cannot trivially shut down/escape from the VM.

I’d image the laptop (basically a snapshot of the laptop at a given point).

Make the laptop exactly as you would have it. Then, make an image of the laptop.

You can then restore the laptop to that state anytime you want without too much fuss (takes a little time so figure that in…run a test or three to see how long that takes so you can plan for it).

If the laptop is only to have one function then get the laptop daily from the miscreant and re-image it. It is then back to exactly the way you want it.

Sure, they could go home and get up to trouble with it but it would be difficult to stop that. That would be up to his/her parents to lock down their internet (which most do not do).

But, when they come back to school…poof…original laptop and all the bad junk is gone.

ETA: Resist the urge to look at the browser history. It will probably be upsetting.

Sorry, I’m not following you. Are you thinking he could access my computer from his?

No, this isn’t a major concern. I don’t think he’s malicious, and I’m not concerned that he’d do damage. I just don’t want him to be able to look at porn, play games, or get up to any kind of hijinks that might be embarrassing to my wife or the school, or potentially harmful to him. What he does on his own computer at home is of no concern to me.

Update: through the Group Policy editor, I’ve been able to block the Start menu from doing web searches and allowing access to File Explorer, so he can’t launch Firefox or any other programs, or access any files on the computer. Progress!

No, what I’m saying is:
If he has regular access to a computer that isn’t restricted in any way, then it doesn’t make much sense (to me) to lock yours down like it was Fort Knox.

Well, if the laptop is being used to run media for a school play it may be wise to prevent the student from doing something “funny” (in their view) and then the school and parents come down on you for not being able to stop that.

Chances are they have a cell phone and access to a friend’s computer so I doubt access to a laptop is going to be a new gateway to bad internet things.

I suppose making sure the laptop is okay with their parents might be worthwhile.

Thanks. I’ll take a look at this, but I’m so close to what I think I need right now, that unless it can be a lot better than what I’ve got, I don’t know if it will be worth trying a whole new tactic.

Two things: I don’t think this kid has mad hacker skillz, and as I mentioned before, I’m not particularly concerned about damage he may do to the machine. Two, he won’t have the computer overnight, just during rehearsals. So I don’t expect anything as drastic as reimaging will be necessary.

@Whack-a-Mole has got it. This kid has his own computer, phone, and the school has given him a Chromebook. We’re not worried that the kid is going out on the InterWebz for the first time, only that he’ll do something inappropriate while using our machine.

If the laptop does not need internet access, then go into the BIOS and disable the wireless adapter, and then set a BIOS password, so it can’t be re-enabled. Write down the BIOS password, because it can be bad to forget it.

This won’t block someone who is a sophisticated enough hacker to carry a USB network adapter, but realistically will prevent 99% of the stuff you care about.

Since you have disabled the browsers, this is probably unnecessary, but I would password protect the passwords file. In Firefox this is done in the settings menu, I believe. I did this before taking my computer for service. Make sure you can recall the password.

Maybe someone’s addressed this, but could you take the laptop to the school’s IT administrator, and make sure you have all the roadblocks you want installed?

If he does, reinstalling won’t help anyway. You will be rooted forever :slight_smile: