[Web4lib] Authenticating public workstations

David Jones DJones at scu.edu
Thu May 31 14:20:09 EDT 2007


>>> "Don Hamilton" <dhamilton at wlu.ca> 5/31/2007 10:20 AM >>>
We set most of our workstations to require a Novell login in order to
get access to the desktop. That limits access to patrons that have been
authenticated via Novell login. We do keep a few 'public' machines where
no login is required, but they don't have Word/Excel/etc, just IE.
<<<

Our setup is similar.

We prompt for a Novell login via the Novell NetWare client. That establishes the local profile for that user on the machine and places an authenticated user in a specific set of privileged local groups.

We also have a local workstation-only login defined (on all of our machines) that the public (and lazy locals) can use to get access to the machine, but the local user is only a member of a very specific local community group. The applications we want to restrict are denied to that local community group by the simple expedient of setting the security on the primary application executables to deny for that group. 

So, Novell authenticated users have access to everything and community users don't. The local community user's profile is set up with a different desktop and icons explaining to them why they don't have access to Microsoft Office, Macromedia Studio, SPSS, etc...

The machines lock after 5 minutes and reboot after 20 minutes of inactivity, so community users can get access to machines as privileged users if the privileged user was lazy and didn't log off/restart, and we do have some community users that surf around looking for just those opportunities. If the moocher misbehaves and any investigation is necessary, it's our local campus policy that it's the original user's responsibility and they may have their network privileges suspended/revoked after review.

We also have a few stand-up 'kiosk' machines that auto-login, but really only have internet browsers on them.

We use some mild gpedit policies to restrict some functions and we use DeepFreeze Enterprise to further secure the machines from change. We image the machines with partimage when they need updating (we used to use Ghost).

HTH,
David

_____________________________________________________________________
David Jones                                     mailto:djones at scu.edu 
Library Systems Manager                  http://www.scu.edu/library/ 
University Library                               fax:   408-551-1805
Santa Clara University                            phone: 408-551-7167
500 El Camino Real
Santa Clara CA 95053-0500
_____________________________________________________________________
Reality is that which, when you stop believing in it, doesn't go away.
-- Philip K. Dick
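
The message above describes denying a local community group access to the primary application executables. As an added example (not part of the original post, and not the poster's own script), this PowerShell sketch audits a list of executables for that Deny entry and adds it with -Apply; the group name `CommunityUsers` and the file paths are hypothetical placeholders.

```powershell
# Added example: audit (and optionally apply) a Deny ACE for a local group
# on restricted application executables. Group name and paths are hypothetical.
param(
    [string]$Group = 'CommunityUsers',               # hypothetical local group
    [string[]]$Executables = @(                       # hypothetical paths
        'C:\Program Files\ExampleSuite\app1.exe',
        'C:\Program Files\ExampleSuite\app2.exe'
    ),
    [switch]$Apply                                    # without this, report only
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$execBit = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

# Resolve the group once; Translate() throws if the group does not exist.
$account = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$Group")
$sid     = $account.Translate($sidType)
$deny    = New-Object System.Security.AccessControl.FileSystemAccessRule(
               $account, 'ReadAndExecute', 'Deny')

foreach ($exe in $Executables) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Not found: $exe"
        continue
    }
    $acl = Get-Acl -LiteralPath $exe
    # Look for an explicit or inherited Deny ACE for the group that covers execute.
    $present = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Deny' -and
        ($_.FileSystemRights -band $execBit)
    }
    if ($present) {
        Write-Output "OK      $exe"
    } elseif ($Apply) {
        $acl.AddAccessRule($deny)
        Set-Acl -LiteralPath $exe -AclObject $acl
        Write-Output "FIXED   $exe"
    } else {
        Write-Output "MISSING $exe"
    }
}
```

Re-run the audit after application updates, since an installer that replaces an executable can leave the new file without the Deny entry.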


