IKIOSK? Fortres? Both?

Jean-Marc Edwards jedwards at uottawa.ca
Sat Nov 22 08:31:49 EST 1997


Stacy,

Here at the University of Ottawa, Canada, we just launched our 
Internet Public Access and security was a major concern.

This is how we decided to set up Internet Public Access:

The 10 dedicated Public Internet Access workstations are running
under Windows 95 from a Netware server. Our machines are Pentium 133
with 32 meg of RAM and 15 inch monitors. Users do not need to log
in with ID and passwords. The machines autolog themselves when they 
boot.

The only applications that are running on those machines are Netscape
3.01, TCP3270 for telnet access and the following plugins and helper
apps: Acrobat Reader plug-in, ClearVideo plug-in, Quicktime movie
player plug-in, QVTR plug-in, Word viewer plug-in. We have no sound.
We do not allow email from the client stations (people still use
hotmail). We do not censor and block any access to http. Usenet is
accessible only for reading, not responding or sending messages. Netscape is
configured to go through the common campus proxy server.

We use both Fortres 101 and IKIOSK on all machines and both software
packages are installed locally. Netscape is installed on the server. (By
the way, Netscape Communications told us on the phone that we should not
install Netscape as a network install as the software is not meant to
be installed on a server but on each individual machine. I do not 
know what other Web4lib members' experience is regarding Netscape as 
a network install.)

IKIOSK is wonderful at disabling individual options at the
application level. It enables you to lock the configuration of a
given software or disable the option altogether. For example, with
IKIOSK we disabled the "mail document" option, all the items in
the "Preferences" menus, "Open file", "Bookmarks", sending and
responding to Usenet newsgroups messages and many other options we
did not wish the user to use or alter. IKIOSK was also used to
disable unwanted options in Adobe Acrobat Reader, TCP3270 (our
telnet program), and Media Player of Windows 95. It also was used to
disable all "right-mouse clicks", a function we found was 
very dangerous as it allowed the user to use the "open" command in
all software and enabled the user to launch unwanted applications.

Fortres is used to lock down Windows 95 functionality. It can
disable the "My Computer" Icon, the "Start button", and allows you
to create a customized shortcut for the shutdown of the stations.
Our shortcut contains only one option, namely shutdown (It removes
restart in DOS mode, and the others). Fortres also allows you to
prevent running programs from a: (All these things are not done by
IKIOSK)

Fortres protects access to the C: drive only, not the network drives. 
These have to be protected from the server software (we use Netware).

All in all we are quite happy with our solution. The only problem we 
have so far is a conflict we have not been able to resolve with our 
anti-virus software. When we try to save a file with any extension 
other than .txt Netscape sends a message that the file we are trying 
to save seems to be larger than the amount of disk space available on 
the diskette. (This problem is about to drive me insane! If someone has 
encountered that problem and knows a solution please let me know!)

In Ontario we can not provide open telnet access to the world from 
stations which do not require authentication. We asked our computer 
programming services on campus to write a program which filters 
telnet access. When a user clicks on a telnet address, the program 
goes through a list of allowed telnet sites which we had to create,
and if the site is there, our telnet program is launched and the user 
then can login to that computer. If the address is not allowed 
(meaning not part of our list of selected sites) the user 
gets a message that the site is not authorized by the library and 
that they can suggest the inclusion of the site to the Library. The 
list of allowed telnet sites is maintained on the server. Even when 
our telnet program is launched for a specific telnet address our 
users can not go anywhere else because IKIOSK has been used to 
disable the "Open a new telnet session" option.

I can just tell you that so far everything has been running smoothly 
and that I do think both software packages (IKIOSK and Fortres) need to 
be used to have a nice setup. We are happy with our decision.

You should also look into the NT workstation solution if you are 
running NT. They offer a solution called "Taskstation mode" which 
seems to remove access to the taskbar and the start button and to 
give access to only one application, namely Internet Explorer. Users 
cannot launch any program or access drives. I know nothing about 
this. Maybe other list members could talk about their experience 
with Internet public access using NT workstations and servers. That 
would be interesting.

Good Luck Stacy!

Jean-Marc Edwards
Bibliothécaire des systèmes (Internet et formation)/ 
Systems Librarian (Internet and training)
Library Network, University of Ottawa
http://www.uottawa.ca/library/accueil.html


> Date:          Fri, 21 Nov 1997 18:04:48 -0800
> Reply-to:      Spober at manhattan.edu
> From:          "Stacy Pober" <Spober at manhattan.edu>
> To:            Multiple recipients of list <web4lib at library.berkeley.edu>
> Subject:       IKIOSK?  Fortres?  Both?

> When we started with public access computers in the library, the job 
> of clearing added software and recovering from students "fooling 
> around" in the system was still a burden, but was manageable because 
> we just didn't have that many pc's.  Now that we are expanding 
> rapidly, it's clear we should add some security software to protect 
> our machines from students changing program settings, etc.
> 
> I notice that some posters to this list are running both IKiosk AND 
> Fortres.  They seem to be the most popular security programs.  Are 
> both really necessary, or are you folks just being extra-careful?  If 
> you had to choose just one, which would you get?  
> 
> Our set up will be mostly  Pentium computers (we still have a 
> few 486's), some running Windows 3.1, some running Windows for 
> Workgroups 3.11 (the current platform used on our campus network) and 
> some will be running Windows95.  They are used primarily for web 
> browsing (mostly using Netscape 3.01) but the students also have 
> access through the campus network to a lot of other applications such 
> as MS Word, WordPerfect, Maple, Quatro, and the like.   We are 
> currently purchasing some new Pentiums to replace our dumb terminals, 
> as we move to a web-based library catalog, and I surely want some 
> security software on those as well.  
> 
> Suggestions?  Things you would do differently if you knew then what 
> you know now?
> 
> TIA.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Stacy Pober                   Internet: spober at manvax.cc.manhattan.edu
> Information Alchemist         http://www.manhattan.edu/library/mclmenu.html
> Manhattan College Libraries   Phone:  718-862-7980
> Riverdale, NY 10471           Fax:  718-862-7995
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
Jean-Marc Edwards
Bibliothecaire de systemes (Internet et Formation)/Systems Librarian (Internet and Training)
Reseau de bibliotheques / Library Network
Universite d'Ottawa / University of Ottawa
email: mailto:jedwards at uottawa.ca
tel: 562-5800 ext.3225
Page web du réseau de bibliothèques: http://www.uottawa.ca/library
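
Editor's added example (not part of the original message, and not the
University of Ottawa program): a sketch of the telnet filter described
above, which checks a clicked telnet address against a list of allowed
sites before the telnet client is started. The host names, the list
format and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_TELNET_PORT = 23

# Constructed sample list (hypothetical hosts), one host[:port] per line.
ALLOWED_SITES_TEXT = """
# library catalogues approved for public stations
catalogue.example.edu
opac.example.org:2023
"""

def load_allowlist(text):
    """Parse the list into a set of (host, port) pairs."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, port = line.partition(":")
        allowed.add((host.lower().rstrip("."),
                     int(port) if port else DEFAULT_TELNET_PORT))
    return allowed

def check_telnet_url(url, allowed):
    """Return (host, port) to hand to the telnet client, or None to refuse."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port if parts.port is not None else DEFAULT_TELNET_PORT
    except ValueError:          # malformed netloc or out-of-range port
        return None
    if parts.scheme != "telnet" or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None             # public links have no need for user info
    host = parts.hostname.lower().rstrip(".")
    # Exact match on the whole name and port: no substring or suffix tests.
    return (host, port) if (host, port) in allowed else None

def handle_click(url, allowed):
    target = check_telnet_url(url, allowed)
    if target is None:
        return "This site is not authorized by the library. You may suggest its inclusion."
    return "launch telnet client for %s port %d" % target

if __name__ == "__main__":
    sites = load_allowlist(ALLOWED_SITES_TEXT)
    for u in ("telnet://catalogue.example.edu/", "telnet://other.example.net/"):
        print(u, "->", handle_click(u, sites))
```

The filter only decides whether the client starts; as the message notes,
the client's own "open a new session" option still has to be disabled
separately.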



