Using NT for Security
Robert Sullivan
SCP_SULLI at sals.edu
Tue Nov 23 12:49:01 EST 1999
Karen Schneider wrote:
>I am pretty confident that we would be able to secure
>our Internet-only workstations to our satisfaction. I am unclear about just
>how complicated it would be to configure NT Workstation to provide access to
>a variety of applications (though a set variety--primarily Microsoft Office
>and a couple of genealogy packages).

Look away from your e-mail for a minute and they're talking about you...

Having been in a meaningful relationship with the NT registry for two years
now, I can say it depends.

We wanted to secure our machines without using anything which required access
to a server, or even to a peer-to-peer network. We also didn't want to have to
buy extra security software.

While this led me on an odyssey which frequently made me feel I was mucking
around in Things Man Was Not Meant to Know (or shouldn't have to, at any rate),
it does work. If you have someone on staff who understands the registry, you
can script it so that Internet Explorer or MS Office is set up almost entirely
automatically. You don't need to have this knowledge to run the scripts, but
you will probably need to change them as new versions arrive.

If you don't have in-house expertise or access to it through your library
system or whatever, you will probably be better off using WinU/Fortres/Cooler
et al. You could use the Policy Editor, but I'm not sure that customizing
those templates is much easier than writing KiXtart scripts (which I find quite
easy now that I understand what's going on - think batch files with easy
registry manipulation).

My first try at automating Internet Explorer setup took weeks (in between other
things). When I moved from 4 to 5, it took about 3 days, and that included the
usual destructive testing to make sure no new holes were added. There was a
significant R&D investment in this, but it's paying off big time now. I will
shortly be modifying my Office 97 scripts to work with Office 2000 and I don't
anticipate any major difficulties.

We are not at the stage where we can use Ghost or one of the other cloning
programs, but that's another option.

Regarding Karen's "variety of software" - we have found that most software will
work under NT easily or with some persuasion. Tweaking of permissions may be
required. You'll probably have to figure it out yourself, as many vendors are
clueless about running their software on a secured computer, but I'd say more
than 90% has eventually yielded. (Running kids' CDs from a hard disk - now
there's a nightmare!)

I have some of my procedures on our site at <http://www.scpl.org/publicnt>. I
hope to get more stuff up there shortly, but it will give you some ideas.

Bob Sullivan scp_sulli at sals.edu
Schenectady County Public Library (NY) http://www.scpl.org