Depending on what kind of business you operate, you may have a need for public-facing kiosk systems. A kiosk system provides an interactive self-service interface, usually via a software application, that allows customers to perform tasks such as placing orders and registering for service. When you pull up to an ATM to withdraw cash or enter a DMV and register for a ticket number, you are interacting with kiosk systems. If you run a bar or restaurant, you may want to mount multiple TVs across the premises to stream sports. Those fall under the same security considerations as kiosk systems. Since these systems are all public-facing, there are a number of specific security controls that should be implemented.
First of all, kiosk systems should be placed on a dedicated network segment. Since they are accessible to the public, they should never sit on the same network as critical business systems. Implementing a dedicated VLAN for kiosks is the best practice, very similar in concept to isolating IoT devices on their own VLAN. You may be tempted to connect wireless kiosk systems to your Guest Wi-Fi network as an easy way out. However, this can be just as dangerous as connecting them to your enterprise network, since threat actors snooping on the Guest network could collect customer details and even financial data handled by the kiosks. You should always opt for a dedicated segment for kiosks and kiosks only.
Kiosk systems may use either wireless or wired connections. TVs may be more likely to be connected wirelessly due to their locations and the ease of setup. However, kiosks that require high availability and good speeds will usually have wired connections. This is usually done by connecting the network interface card of the system to a wall jack, which feeds back into a network closet. Issues can arise because these wall jacks are exposed to the public. An attacker could find a way to sneak in and unplug the cable from the wall jack, then connect their own device to the network. Doing this allows the attacker to perform many different attacks, from rogue access points to ARP poisoning. To mitigate this, implement MAC address filtering on the kiosk network segment. This allows you to whitelist the MAC addresses of your kiosk systems. Whitelisted systems can use the network as normal, while all other systems are denied access.
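An audit of the kiosk segment against the MAC whitelist described above, as an added example that is not part of the original article. The VLAN ID, port names, MAC addresses and the three-column "vlan mac port" export format are constructed assumptions; a real switch's MAC-table output needs its own parsing.

```python
import re

KIOSK_VLAN = 30  # assumed VLAN ID of the dedicated kiosk segment
# Constructed allowlist: wall-jack switch port -> the one kiosk MAC expected there.
ALLOWLIST = {
    "Gi1/0/11": "00:11:22:aa:bb:01",
    "Gi1/0/12": "00-11-22-AA-BB-02",
    "Gi1/0/13": "0011.22aa.bb03",
}
# Constructed MAC-table export, one "vlan mac port" entry per line.
SAMPLE_TABLE = """\
30 0011.22aa.bb01 Gi1/0/11
30 de:ad:be:ef:00:01 Gi1/0/12
30 0011.22aa.bb03 Gi1/0/13
30 02:00:00:00:00:99 Gi1/0/13
30 00-11-22-AA-BB-02 Gi1/0/14
10 aabb.ccdd.eeff Gi1/0/1
"""

def normalize_mac(raw):
    """Reduce colon, hyphen and dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def audit(table_text, allowlist, vlan):
    """Return (port, finding, mac) tuples for every deviation on the kiosk VLAN."""
    expected = {port: normalize_mac(mac) for port, mac in allowlist.items()}
    owner = {mac: port for port, mac in expected.items()}
    seen = {}  # port -> MACs learned on the kiosk VLAN
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] != str(vlan):
            continue  # skip other VLANs and malformed lines
        seen.setdefault(fields[2], set()).add(normalize_mac(fields[1]))
    findings = []
    for port in sorted(set(seen) | set(expected)):
        macs = seen.get(port, set())
        for mac in sorted(macs):
            if mac != expected.get(port):
                # An allowlisted address on the wrong jack is reported separately.
                kind = "wrong-port" if mac in owner else "unknown-device"
                findings.append((port, kind, mac))
        if port in expected and expected[port] not in macs:
            findings.append((port, "kiosk-missing", expected[port]))
    return findings

if __name__ == "__main__":
    for port, kind, mac in audit(SAMPLE_TABLE, ALLOWLIST, KIOSK_VLAN):
        print(f"{port:10} {kind:15} {mac}")
```

An "unknown-device" finding paired with "kiosk-missing" on the same port matches the unplugged-cable scenario above, while an extra address beside the expected kiosk suggests a second device sharing the jack.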
In addition to network security considerations for kiosks, there are controls that need to be implemented at the operating system and application levels as well. It can be difficult to figure out the appropriate OS to use for kiosks. Usually, kiosks will be running one application continuously throughout the day. If you are using Windows, you may be concerned about the intrusive nature of the OS and the automatic updates. Windows provides settings for kiosk deployments on the system. You can choose between single app deployment and restricted user experience.
The single app kiosk experience has two features: Assigned Access and Shell Launcher. Assigned Access launches a single Windows Platform App or a Microsoft Edge window as soon as the kiosk account signs in. As soon as the app is closed, the system restarts. On the other hand, Shell Launcher allows you to specify a Windows desktop app to replace the traditional Windows user interface. If you are using Windows, it is your choice as to which deployment is best for your environment.
The Restricted User Experience is tailored towards a more interactive user experience. There may be cases where you want customers to be able to sit down and use a computer for a variety of tasks. However, it would be dangerous to give the public full access to a Windows device. Restricted User Experience allows you to define in advance a specific set of apps the user should be able to run. Everything else is hidden, and the start menu only shows the whitelisted apps.
If your kiosk deployment only requires a webpage to be run in a browser window, you can use Microsoft Edge Kiosk Mode. There are two deployment styles for this mode as well. Digital/Interactive Signage Experience allows you to run a specific site in full-screen mode. For example, you could load a slideshow to be played continuously throughout the day in a lobby or waiting room. You could also use this deployment method if you wanted a dedicated monitor to display the web interface of your network security cameras in an administrative office. The other method is the Public Browsing Experience, which is similar in style to Assigned Access. The Public Browsing Experience allows you to present a limited, multi-tab version of the Edge browser for customers to interact with. This would be a useful deployment in cases where you need customers to sit and register for an account or service on a website.
The issue with the Windows approach is that it is geared towards Microsoft's own platform apps and web browser. If you need to run a few Windows apps or a web application in an Edge window, this approach is fine. But if you want to run a third-party browser or app, you may want to look elsewhere. Raspberry Pi Kiosk Mode is a good, less expensive approach. Since a Raspberry Pi is an extremely small device, deployment can be easier as well. You can conceal the physical hardware of the kiosk better, for example by mounting it to the back of a large monitor. Raspberry Pi Kiosk Mode also allows you to implement secure remote access and additional hardening techniques to protect the systems. The downside of this approach is that the configuration is more complicated than the Windows approach. It requires some work on the Linux command line to configure functionality. It is not difficult, and if you follow the instructions well, you can do it with little issue. However, if you don't want to work from the command line, you may want to have a more experienced person configure it.
Once you have decided on an OS to host your kiosk applications, you should create a dedicated local account for each kiosk system. You should not use a personal network account on a kiosk, as this widens the attack surface of that account. Creating simple user accounts called Kiosk1, Kiosk2, etc., with strong passwords will isolate the systems from any user identities and keep the attack surface more confined.
