Login Assistant: Setting up on a domain (no workstation software)
You can set up a domain-level secure kiosk account (SKA) if you do not want to install software on users’ workstations.
A domain-level SKA is a network login account defined in an Active Directory domain, typically with the login ID help. A restrictive group policy is applied to the help account so that any session using the SKA has no access to the operating system or to network resources beyond the password-reset web page.
Setting up a domain-level SKA involves the following steps:
Create a help user and stage the runurl program on the SYSVOL share of each domain controller.
Create a group policy that locks down Windows workstations for the help user.
Remove the help account from the Bravura Security Fabric account list, to prevent users from changing the help account password or attaching the ID.
Advertise the help account to Bravura Security Fabric users.
These steps are explained in detail in the following sections.
Unless otherwise stated, all steps are performed on an Active Directory DC (domain controller), and must be performed using administrator credentials. Details vary depending on your version of Windows.
Create a help user
To create a help user to serve as an SKA:
Open .
Create a new user with the User logon name help and a hard-to-guess password that complies with your password complexity rules. Ensure that you:
Select the following checkboxes:
User cannot change password
Password never expires
Deselect the following boxes:
User must change password at next logon
Account is disabled
Create a new global security group named Help SKA.
Add the help user to the Help SKA group. Set this group as the user’s primary group.
Close .
See Microsoft’s documentation for detailed steps on how to create an account.
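The procedure above, scripted with the ActiveDirectory PowerShell module. This is an added example and not part of the Bravura Security Fabric documentation; the OU path and the UPN suffix are assumptions, and the password is read from the console rather than stored in the script.

```powershell
# Added example (not from the Bravura Security Fabric documentation): creates the help
# user and the Help SKA global security group exactly as the procedure describes and
# makes Help SKA the user's primary group. Run on a domain controller as an administrator.
Import-Module ActiveDirectory

$HelpUser  = 'help'
$HelpGroup = 'Help SKA'
$UserOU    = 'OU=Service Accounts,DC=corp,DC=example'   # assumption: adjust to your domain
$UpnSuffix = 'corp.example'                             # assumption

# Read the password interactively so it never lands in the script or the shell history.
$Password = Read-Host -Prompt "Password for $HelpUser (must meet your complexity rules)" -AsSecureString

# 1. Create the user with the flags from the procedure:
#    User cannot change password, Password never expires,
#    no "change at next logon", account enabled.
New-ADUser -Name $HelpUser -SamAccountName $HelpUser -UserPrincipalName "$HelpUser@$UpnSuffix" `
    -Path $UserOU -AccountPassword $Password -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false

# 2. Create the global security group and add the user to it.
New-ADGroup -Name $HelpGroup -GroupScope Global -GroupCategory Security -Path $UserOU
Add-ADGroupMember -Identity $HelpGroup -Members $HelpUser

# 3. Make Help SKA the user's primary group. primaryGroupID holds the group's RID,
#    which is the last component of the group's SID.
$group = Get-ADGroup -Identity $HelpGroup
$rid   = [int]($group.SID.Value.Split('-')[-1])
Set-ADUser -Identity $HelpUser -Replace @{ primaryGroupID = $rid }

# 4. Verify every flag the procedure asked for before moving on to the group policy.
$u = Get-ADUser -Identity $HelpUser -Properties Enabled, CannotChangePassword, PasswordNeverExpires, primaryGroupID
if (-not $u.Enabled -or -not $u.CannotChangePassword -or -not $u.PasswordNeverExpires -or $u.primaryGroupID -ne $rid) {
    throw "help account is not configured as required: $($u | Select-Object Enabled, CannotChangePassword, PasswordNeverExpires, primaryGroupID)"
}
$u | Select-Object SamAccountName, Enabled, CannotChangePassword, PasswordNeverExpires, primaryGroupID
```

The primary-group step is the one the GUI hides: Active Directory Users and Computers sets the same primaryGroupID attribute when you click Set Primary Group, and the group must already contain the user before it can be made primary.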
Configure the runurl program
If you do not install Credential Provider software on users’ workstations to allow them to access the domain help account, the runurl program, which is used to launch a web browser in kiosk mode, must be installed on a public share accessible to computers in the domain. You can then add runurl to the group policy for the help user, and it will be executed when the help user logs into the domain.
To configure the runurl program:
Copy the files from the addon\Domain Login Assistant\ directory in your Bravura Security Fabric installation to the SYSVOL share on each domain controller.
You can determine the location of your SYSVOL share by typing net share from the command prompt on your DC.
Locate the gina.z file in the skin\default\en-us\ directory and copy it to the SYSVOL share as well.
Create a text file called runurl.cfg that contains the arguments (separated by whitespace) for the runurl program. Place this file with the other runurl files on the SYSVOL share.
Test runurl from a command prompt on the Active Directory DC by typing:
%LOGONSERVER%\sysvol\runurl.exe -cfg %LOGONSERVER%\sysvol\runurl.cfg
Ensure that a web browser opens to the specified URL, and that the workstation is locked down according to the options you specified.
Test runurl from the command prompt of a workstation logged into the domain by typing:
%LOGONSERVER%\sysvol\runurl.exe -cfg %LOGONSERVER%\sysvol\runurl.cfg
Ensure that a browser window opens to the specified URL, and that the workstation is locked down according to the options you specified.
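The staging steps above as one PowerShell script, with two checks the procedure leaves to the reader: that every file the launch directory needs (the list under Requirements below) is present, and that no broad principal can write the files the help account will execute. This is an added example, not part of the Bravura Security Fabric documentation; the installation directory and the target URL are assumptions.

```powershell
# Added example (not from the Bravura Security Fabric documentation): stages runurl into
# SYSVOL on this domain controller, writes runurl.cfg, verifies the required files, and
# refuses to continue if non-administrators can modify the binary or its configuration.
$InstallDir = 'C:\Program Files\Bravura Security\Bravura Security Fabric'   # assumption
$Url        = 'https://idm.corp.example/default/change-passwords'           # assumption

# SYSVOL share path on this DC (the same information 'net share' prints).
$Sysvol = (Get-SmbShare -Name 'SYSVOL').Path

# Copy the Domain Login Assistant add-on files and gina.z into the share. The share root is
# not replicated between DCs, so the procedure's "on each domain controller" applies.
Copy-Item -Path (Join-Path $InstallDir 'addon\Domain Login Assistant\*') -Destination $Sysvol -Force
Copy-Item -Path (Join-Path $InstallDir 'skin\default\en-us\gina.z')       -Destination $Sysvol -Force

# runurl.cfg holds one whitespace-separated argument list, same syntax as the command line.
Set-Content -Path (Join-Path $Sysvol 'runurl.cfg') -Encoding ASCII `
    -Value "-kiosk -logoff -no_icw -trapsesslock -url $Url"

# Every file runurl needs must sit in the directory it is launched from.
$required = 'runurl.exe', 'runurl.cfg', 'msgmap.txt', 'webbrowser.dll', 'pscredprov.dll', 'launch_ska.exe', 'gina.z'
$missing  = $required | Where-Object { -not (Test-Path (Join-Path $Sysvol $_)) }
if ($missing) { throw "Missing from SYSVOL: $($missing -join ', ')" }

# The help user runs runurl.exe straight out of SYSVOL as its shell, so anyone who can write
# the binary or the cfg can run code in every help-account session. Fail on broad write rights.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', "$env:USERDOMAIN\Domain Users"
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, seen on unmapped ACEs
foreach ($f in $required) {
    $acl = Get-Acl -Path (Join-Path $Sysvol $f)
    $bad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ((($_.FileSystemRights -band $writeMask) -ne 0) -or (([int]$_.FileSystemRights -band $genericWrite) -ne 0))
    }
    if ($bad) { throw "$f is writable by $(($bad.IdentityReference | ForEach-Object Value) -join ', ')" }
}

# Smoke test on the DC: a browser should open to $Url with the lockdown options in effect.
& "$env:LOGONSERVER\sysvol\runurl.exe" -cfg "$env:LOGONSERVER\sysvol\runurl.cfg"
```

Run the same script, minus the copy steps, on a domain-joined workstation to repeat the procedure's second test; the ACL check is worth keeping in a scheduled job, because the default SYSVOL permissions are correct but anything that later grants write access to Authenticated Users turns the kiosk shell into a code-execution path for every help login.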
runurl usage and examples
The runurl program launches a web browser on a Windows workstation and opens it to a specified URL. When configured to launch in kiosk mode the browser window fills the screen, removes all window borders and decorations, disables navigation, and disables all function keys, the Alt and Ctrl keys, the Windows logo key, and any combination of keys that you specify.
A major use for the runurl program is to enable users to reset their own passwords using a secure kiosk account (SKA).
Requirements
When invoked by a local SKA or Credential Provider, runurl is launched from the Login Assistant\ directory on the user’s workstation.
The following files must be located in the share or directory from which runurl is launched:
msgmap.txt – used to disable Windows message events on Windows workstations.
webbrowser.dll – used to block the [Ctrl], [Alt], and the right mouse button, and to run the web browser. It is also used by the Credential Provider.
pscredprov.dll – used to block the [Ctrl], [Alt], and the right mouse button, and to run the web browser. It is used by the Credential Provider.
launch_ska.exe – used to launch the SKA and invoke the runurl command.
Ensure that Internet Explorer 9 or higher is installed on the domain controller and all workstations that will access the help account. The runurl program relies on some components that are part of Internet Explorer 9 or higher.
Usage
runurl.exe -url <URL> [<options>]
runurl.exe -cfg <filename>
The runurl program works with the following command-line arguments:
| Argument | Description |
|---|---|
| -url <URL> | Specify the URL that will be displayed in the web browser. |
| -userid <userID> | Bravura Security Fabric user ID to pass through the URL. |
| -ntkeymap <args> | Enable or disable a key or combinations of keys on a Windows workstation. |
| -msgmap <filename> | Specify a file containing Windows message events to block. Do not modify this file unless you know what you are doing. |
| -reg <filename>.reg | Load the named registry file into the registry before terminating runurl. This is used to restore standard registry entries in case runurl was launched during the first login of the help account, using a restrictive security policy, and the user elected to not save settings – which means that registry changes were applied to the default user rather than help. |
| -kiosk | Start the web browser in kiosk mode. |
| -keylock | Disable [Ctrl], [Alt], and the right mouse button. This is implied by -kiosk. |
| -no_icw | Do not pop up the Internet Connection Wizard when the user starts the browser for the first time. |
| -logoff | Log off from the workstation after the web browser closes. |
| -run "<programname>, <args>" | Run this program with these parameters before exiting, and before logging off. The run option requires quotes around the external program name and its arguments. If you need quotes inside of this, use a \ to escape them. If both run and logoff are specified, run will execute first. |
| -cfg <filename> | If the command line is too long, use this option to read all arguments from this file. Write the file with the arguments separated by white space. |
| -trapsesslock | Trap the Windows workstation lock notification to ensure that runurl handles locked workstations correctly; for example, a browser displaying a User notifications (PSN) module notification is returned to the state it was in before the lock. |
Enabling or disabling key combinations
You can run runurl with the -ntkeymap option to enable or disable keys and combinations of keys on a Windows workstation (XP or higher). Write the arguments for -ntkeymap using the following syntax:
[-] [(] [<MOD>+] <KEY> [)] [, ...]
Where:
- (leading dash) enables the keys that follow; without it, the keys that follow are disabled.
( ) are optional brackets (these are for formatting only; they do not modify the meaning of the text).
<MOD> specifies one of Alt, Shift, Ctrl, or Win (the Windows key).
<KEY> specifies the name of the key to enable or disable, and can be any of the following:
' , - . / ; = [ \ ] `
0 1 2 3 4 5 6 7 8 9
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
F1 F2 F3 F4 F5 F6 F7 F8 F9 F10 F11 F12 F13 F15 F20 F21 F22 F23 F24
Num0 Num1 Num2 Num3 Num4 Num5 Num6 Num7 Num8 Num9 Num* Num+ Num- NumDel
Alt Backspace CapsLock Ctrl Enter Esc Pause RightShift ScrollLock Shift Space SysReq Tab Win
Examples
To launch a web browser in kiosk mode and open it to the Change passwords (PSS) module, open a command prompt, and type on one line:
runurl.exe -kiosk -logoff -no_icw -trapsesslock -url https://<server>/<instance>/change-passwords
If runurl is run from a public share rather than your current workstation, specify the UNC path to runurl in your command. If the share is located on an Active Directory domain controller, open a command prompt, and type on one line:
\\MyADDC\SYSVOL\runurl.exe -kiosk -logoff -no_icw -trapsesslock -url https://<server>/<instance>/change-passwords
To disable keys on a Windows workstation using the -ntkeymap option, open a command prompt, and type on one line:
runurl.exe -kiosk -logoff -no_icw -trapsesslock -url https://<server>/<instance>/change-passwords -ntkeymap Win+F1,-Shift+F1,Alt+Shift+F1,F1
This is the same as:
runurl.exe -kiosk -logoff -no_icw -trapsesslock -url https://<server>/<instance>/change-passwords -ntkeymap (Win+F1),(-Shift+F1),(Alt+Shift+F1),(F1)
To print a list of available key names for the -ntkeymap option on the command line, type the following in the Login Assistant\ directory:
runurl -ntkeymap ?
An example of a runurl.cfg file (use an https URL, as in the examples above, so that the help session’s traffic to the server is encrypted):
-kiosk -logoff -no_icw -trapsesslock -url https://<server>/<instance>/?
To run commands from a configuration file, type:
runurl -cfg runurl.cfg
Create the group policy
If you do not install Credential Provider software on users’ workstations to allow them to access the domain help account, you must set up a group policy to determine the configuration of a user’s desktop environment.
To create a group policy for use with an SKA:
Create the help account policy. Name the group policy Help SKA.
For example, on Windows Server 2022:
Open .
Under the forest domain sub-section, right-click the domain object, then select Create a GPO in this domain, and Link it here ….
The dialog appears.
Name the group policy Help SKA.
Right-click on the Help SKA policy you just created, then select Edit.
The snap-in appears.
Ensure the help account policy is applied only to the Help SKA group.
Warning
Failure to perform this step will result in the Help Account Policy being applied to every user – making it almost impossible to log back into the domain.
In the snap-in, while the Policy is selected, navigate to Actions > Properties.
Select the Security tab.
Click Add, type Help SKA, then click OK to add the Help SKA group.
Select the Help SKA group. Under the permissions for this group, ensure that the Allow checkbox is selected in the Apply Group Policy row.
Select the Authenticated Users group. Under the permissions for this group, clear the Allow checkbox in the Apply Group Policy row. Leave the Read permission for Authenticated Users allowed; computer accounts read user policies, and without Read the policy is silently not applied.
Click OK to apply the policy.
Restrict the help user’s rights by configuring the User Configuration > Administrative Templates settings listed in the group policy settings tables below for the Windows Server version of your domain controllers.
All other settings should be left in the "Not configured" state.
See Microsoft’s documentation for detailed steps on how to create a group policy.
This group policy is now in effect every time the help user logs into the domain. Should it appear that the group policy is not applying properly, run gpresult /r /scope:user in a help session and confirm that Help SKA is listed under applied group policy objects, and check that your workstations are using a primary DNS server that supports dynamic updates.
Windows Server 2012, 2016, 2019, and 2022 group policy settings
| Policy | Setting |
|---|---|
| Windows Components > Internet Explorer | |
| Disable AutoComplete for forms | Enabled |
| Windows Components > AutoPlay Policies | |
| Turn off Autoplay | Enabled (Turn off Autoplay on: All drives) |
| Start Menu and Taskbar | |
| Remove user’s folders from the Start Menu | Enabled |
| Remove links and access to Windows Update | Enabled |
| Remove common program groups from Start Menu | Enabled |
| Remove Documents icon from Start Menu | Enabled |
| Remove programs on Settings menu | Enabled |
| Remove Network Connections from Start Menu | Enabled |
| Remove Favorites menu from Start Menu | Enabled |
| Remove Search link from Start Menu | Enabled |
| Remove Help menu from Start Menu | Enabled |
| Remove Run menu from Start Menu | Enabled |
| Remove Pictures icon from Start Menu | Enabled |
| Remove Music icon from Start Menu | Enabled |
| Remove Network icon from the Start Menu | Enabled |
| Add Logoff to the Start Menu | Enabled |
| Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | Enabled |
| Prevent changes to Taskbar and Start Menu Settings | Enabled |
| Remove access to the context menus for the taskbar | Enabled |
| Do not keep history of recently opened documents | Enabled |
| Turn off personalized menus | Enabled |
| Force classic Start Menu | Enabled |
| Remove Balloon Tips on Start Menu items | Enabled |
| Remove pinned programs list from the Start Menu | Enabled |
| Remove frequent programs list from the Start Menu | Enabled |
| Remove All Programs list from the Start Menu | Enabled |
| Remove the "Undock PC" button from the Start Menu | Enabled |
| Hide the notification area | Enabled |
| Do not display any custom toolbars in the taskbar | Enabled |
| Desktop | |
| Hide and disable all items on desktop | Enabled |
| Remove My Documents icon on the desktop | Enabled |
| Remove Computer icon on the desktop | Enabled |
| Remove Recycle Bin icon from desktop | Enabled |
| Don’t save settings at exit | Enabled |
| Desktop > Desktop | |
| Disable Active Desktop | Enabled |
| Control Panel | |
| Prohibit access to the Control Panel and PC settings | Enabled |
| Control Panel > Personalization | |
| Enable screen saver | Disabled |
| System | |
| Don’t display Getting Started welcome screen at logon | Enabled |
| Custom user interface | Enabled (Interface filename: %logonserver%\sysvol\runurl.exe -cfg %logonserver%\sysvol\runurl.cfg) |
| Run only specified Windows applications | Enabled (List of allowed applications: runurl.exe) |
| System > Ctrl+Alt+Del Options | |
| Remove Task Manager | Enabled |
| Remove Lock Computer | Enabled |
| Remove Change Password | Enabled |
Windows Server 2008 R2 group policy settings
| Policy | Setting |
|---|---|
| Windows Components > Internet Explorer | |
| Disable AutoComplete for forms | Enabled |
| Turn off Managing Phishing filter | Enabled (Select phishing filter mode: Off) |
| Windows Components > AutoPlay Policies | |
| Turn off Autoplay | Enabled (Turn off Autoplay on: All drives) |
| Start Menu and Taskbar | |
| Remove user’s folders from the Start Menu | Enabled |
| Remove links and access to Windows Update | Enabled |
| Remove common program groups from Start Menu | Enabled |
| Remove Documents icon from Start Menu | Enabled |
| Remove programs on Settings menu | Enabled |
| Remove Network Connections from Start Menu | Enabled |
| Remove Favorites menu from Start Menu | Enabled |
| Remove Search link from Start Menu | Enabled |
| Remove Help menu from Start Menu | Enabled |
| Remove Run menu from Start Menu | Enabled |
| Remove Pictures icon from Start Menu | Enabled |
| Remove My Music icon from Start Menu | Enabled |
| Remove Network icon from the Start Menu | Enabled |
| Add Logoff to the Start Menu | Enabled |
| Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | Enabled |
| Prevent changes to Taskbar and Start Menu Settings | Enabled |
| Remove access to the context menus for the taskbar | Enabled |
| Do not keep history of recently opened documents | Enabled |
| Turn off personalized menus | Enabled |
| Force classic Start Menu | Enabled |
| Remove Balloon Tips on Start Menu items | Enabled |
| Remove pinned programs list from the Start Menu | Enabled |
| Remove frequent programs list from the Start Menu | Enabled |
| Remove All Programs list from the Start Menu | Enabled |
| Remove the "Undock PC" button from the Start Menu | Enabled |
| Hide the notification area | Enabled |
| Do not display any custom toolbars in the taskbar | Enabled |
| Desktop | |
| Hide and disable all items on desktop | Enabled |
| Remove My Documents icon on the desktop | Enabled |
| Remove Computer icon on the desktop | Enabled |
| Remove Recycle Bin icon from desktop | Enabled |
| Don’t save settings at exit | Enabled |
| Desktop > Desktop | |
| Disable Active Desktop | Enabled |
| Control Panel | |
| Prohibit access to the Control Panel | Enabled |
| Control Panel > Personalization | |
| Enable screen saver | Disabled |
| System | |
| Don’t display Getting Started welcome screen at logon | Enabled |
| Custom user interface | Enabled (Interface filename: %logonserver%\sysvol\runurl.exe -cfg %logonserver%\sysvol\runurl.cfg) |
| Run only specified Windows applications | Enabled (List of allowed applications: runurl.exe) |
| System > Ctrl+Alt+Del Options | |
| Remove Task Manager | Enabled |
| Remove Lock Computer | Enabled |
| Remove Change Password | Enabled |
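The "Create the group policy" procedure and the settings tables above, scripted with the GroupPolicy PowerShell module: create and link the GPO, scope it to the Help SKA group only, and set the registry values behind the settings that do the real locking down (custom shell, allowed-application list, Ctrl+Alt+Del options, Control Panel, desktop, autoplay, screen saver). This is an added example, not part of the Bravura Security Fabric documentation; the domain name is an assumption, and the registry paths are the standard Windows policy locations that the corresponding Administrative Template entries write to.

```powershell
# Added example (not from the Bravura Security Fabric documentation): builds the Help SKA
# GPO. The Start Menu cosmetic settings from the table are omitted here and can be added
# in the editor; the entries below are the ones that restrict what the help user can run.
Import-Module GroupPolicy

$GpoName = 'Help SKA'
$Domain  = 'corp.example'                                                        # assumption
$Shell   = '%logonserver%\sysvol\runurl.exe -cfg %logonserver%\sysvol\runurl.cfg'

# 1. Create the GPO and link it at the domain root ("Create a GPO in this domain, and Link it here").
New-GPO -Name $GpoName -Domain $Domain | Out-Null
New-GPLink -Name $GpoName -Target ('DC=' + ($Domain -replace '\.', ',DC=')) -LinkEnabled Yes | Out-Null

# 2. Security filtering: Help SKA gets Apply Group Policy; Authenticated Users keeps Read only.
#    -Replace drops the default GpoApply level instead of merging with it. Read must stay,
#    because computer accounts (members of Authenticated Users) read user policies since MS16-072.
Set-GPPermission -Name $GpoName -TargetName $GpoName -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. User Configuration > Administrative Templates settings, expressed as the HKCU policy
#    values they set. Each comment names the table row it corresponds to.
$sys = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$settings = @(
    @{ Key = $sys; ValueName = 'Shell';                  Type = 'String'; Value = $Shell },       # Custom user interface
    @{ Key = $exp; ValueName = 'RestrictRun';            Type = 'DWord';  Value = 1 },            # Run only specified Windows applications
    @{ Key = "$exp\RestrictRun"; ValueName = '1';        Type = 'String'; Value = 'runurl.exe' }, #   list of allowed applications
    @{ Key = $sys; ValueName = 'DisableTaskMgr';         Type = 'DWord';  Value = 1 },            # Remove Task Manager
    @{ Key = $sys; ValueName = 'DisableLockWorkstation'; Type = 'DWord';  Value = 1 },            # Remove Lock Computer
    @{ Key = $sys; ValueName = 'DisableChangePassword';  Type = 'DWord';  Value = 1 },            # Remove Change Password
    @{ Key = $exp; ValueName = 'NoControlPanel';         Type = 'DWord';  Value = 1 },            # Prohibit access to the Control Panel and PC settings
    @{ Key = $exp; ValueName = 'NoDesktop';              Type = 'DWord';  Value = 1 },            # Hide and disable all items on desktop
    @{ Key = $exp; ValueName = 'NoRun';                  Type = 'DWord';  Value = 1 },            # Remove Run menu from Start Menu
    @{ Key = $exp; ValueName = 'NoClose';                Type = 'DWord';  Value = 1 },            # Remove and prevent access to the Shut Down ... commands
    @{ Key = $exp; ValueName = 'NoSaveSettings';         Type = 'DWord';  Value = 1 },            # Don't save settings at exit
    @{ Key = $exp; ValueName = 'NoDriveTypeAutoRun';     Type = 'DWord';  Value = 255 },          # Turn off Autoplay on: All drives
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       ValueName = 'ScreenSaveActive';                   Type = 'String'; Value = '0' }           # Enable screen saver: Disabled
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName -Type $s.Type -Value $s.Value | Out-Null
}

# 4. Guard against the Warning in the procedure: exactly one trustee may hold Apply Group Policy.
$apply = Get-GPPermission -Name $GpoName -All | Where-Object Permission -eq 'GpoApply' | ForEach-Object { $_.Trustee.Name }
if (($apply -join ',') -ne $GpoName) { throw "Unexpected Apply Group Policy trustees: $($apply -join ', ')" }
```

Two points a practitioner should keep in mind. The custom shell and "Run only specified Windows applications" are enforced by Explorer and userinit in the user's own session, not by the kernel, so they stop the help user from getting a desktop but are not a security boundary on their own; the lockdown depends on the kiosk browser, the -ntkeymap settings, and on the SYSVOL copy of runurl.exe being writable only by administrators. Secondly, step 4 is cheap insurance against the case the Warning describes: if Authenticated Users still holds Apply, every domain user, administrators included, receives runurl.exe as their shell at the next logon.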
Advertise Login Assistant
If you do not install Credential Provider software on users’ workstations to allow them to access the domain help account, users must be educated to use it when they cannot remember their passwords, or when their passwords have been locked out.
There are several ways to do this:
Add instructions to the help desk voice response system, so that users who call for help are instructed to try to log in with the help account.
Configure a domain policy to display a message to users attempting to log on.
Deploy a login screen background image to users’ workstations, so that the instructions to try the help account are always on the users’ screens.
Add instructions about the help account to whatever media are distributed to users to tell them about the corporate help desk. For example, some companies print information about how to call the help desk on mouse pads.
Display message text to users at logon
You can configure Windows to display a message to users when they log on. You can customize the message to educate or remind users about the help account. The message appears after the user presses Ctrl+Alt+Del. After the user reads the message and clicks OK, they can proceed with the logon process.
The message text to display to users is configured by modifying the domain security policy.
To display a message to users at logon:
On the domain controller, start the Domain Security Policy snap-in.
On Windows Server 2012, click the Windows Button > Apps > Local Security Policy.
Expand Security Settings > Local Policies > Security Options.
In the right pane, follow these steps to create the message text:
On a Windows Server-based domain controller:
Click Interactive logon: Message title for users attempting to log on, and then type the text that you want to appear in the dialog title bar.
Click Interactive logon: Message text for users attempting to log on, and then type the text that you want to appear in the body of the message.
The policy will take effect after the client has been rebooted, or after the next Group Policy refresh (for example, gpupdate /force on the client).
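The same two security options set from PowerShell, through the registry values that the "Interactive logon: Message title" and "Interactive logon: Message text" settings write, followed by a read-back check. This is an added example, not part of the Bravura Security Fabric documentation; the GPO name and the message wording are assumptions.

```powershell
# Added example (not from the Bravura Security Fabric documentation): sets the logon
# message title and text in a domain GPO and reads them back. Written this way the values
# land in the GPO's registry.pol, so the GPO report lists them under "Extra Registry
# Settings" rather than under Security Options, but Winlogon reads the same registry values.
Import-Module GroupPolicy

$GpoName = 'Default Domain Policy'   # assumption: the domain security policy the procedure edits
$Key     = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Title   = 'Forgot your password or locked out?'                                                  # assumption
$Text    = 'Click OK, then log on with the user name "help" and follow the instructions on screen.' # assumption

Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'legalnoticecaption' -Type String -Value $Title | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'legalnoticetext'    -Type String -Value $Text  | Out-Null

# Verify both values are stored in the GPO before waiting for clients to refresh.
$stored = Get-GPRegistryValue -Name $GpoName -Key $Key |
    Where-Object { $_.ValueName -in 'legalnoticecaption', 'legalnoticetext' }
if (@($stored).Count -ne 2) { throw "Logon message values not found in $GpoName" }
$stored | Select-Object ValueName, Value
```

Keep the text short and free of anything a caller could use against the help desk: it should tell users which account to try, not restate the account's password or internal hostnames, since it is visible to anyone who reaches a domain-joined logon screen.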