[WEB4LIB] RE: Locking down public access terminals

Kyle Harriss kharriss at d.umn.edu
Fri Sep 24 12:11:45 EDT 1999


We have only addressed two aspects of "locking down" our
public access computers.  The solution we chose also allows
us to add new software to a single PC and automatically
propagate it to the rest of our PCs the next time they boot up.

This message is long.  Anyone wanting info on commercial
PC security software (Sentry, Fortres, FoolProof..) won't
find it here.  Hit the delete key now.  <grin>


1.	We make it a hassle for users to run
	any software other than what we have loaded
	and listed in the Win95 "Start Menu".

	We use the Win95 policy editor to lock users
	out of control panels, to hide items on the
	desktop, to remove "Find" and "Settings" from
	the Start Menu.  We set the shell to allow 
	users only to run specified Windows programs.
	We eliminate access to the DOS prompt...

	This doesn't secure the PC tightly, and
	certainly doesn't prevent someone from changing
	the wallpaper, etc.  But it also doesn't conflict
	with the installation of any other software.
	(We use a pay-per-page printing solution that
	puts hooks in the Windows print spooling system..
	and this can't coexist with the commercial
	security software we USED TO use on our PCs.)

2.	Each of our public computers rebuilds itself
	to a standard configuration at bootup.
	Has a PC been messed up?  Reboot and everything
	reverts to the standard setup.  All modifications
	that may have been made by a user are wiped out.
	
	Added files get deleted.  Missing files get
	replaced.  Modified files get replaced with
	the originals. Registry keys get reset.

	Every morning when we start up the computers,
	every PC starts out in "pristine condition".
	..And at any time of day, we can walk up to any
	PC that shows any signs of tampering, and rebuild
	it to its proper state with a click of the mouse.

When we want to upgrade the software on all of our 
public PCs, we:

	Rebuild a sample PC - getting rid of any
	variation from the current standard configuration.

	Upgrade or add software on that PC..

	Upload a copy of its hard drive contents to our
	Novell server.  (We call this the "master hard
	drive image".)
	
	Export a copy of its registry to our Novell server.

	Reboot the other PCs so they can pick up the 
	new configuration.

And YES we have a variety of PCs, from different manufacturers,
with different video cards, motherboards, etc..  that all rebuild 
from the same master image.  (Although they all have to have the 
same version of Windows installed.)

	When we add a new PC that has different hardware
	and drivers, we run a test rebuild to find out 
	what drivers would be deleted from it - and add
	those drivers to our master set of files on the
	server.  THEN we can perform a real rebuild on that
	PC and it's ready for use.

	The Win95 registry branches that contain hardware
	specific data are left untouched during the
	rebuild process.	

Yes, the individual steps are more complicated than what I've 
listed above..  But it isn't too bad.  


We use PCRdist - website: www.pyzzo.com

Another, similar product is advertised at www.altiris.com/4

I don't know if the current version of Ghost would work
well for this.  (I believe it is now owned by Symantec.)

An intriguing alternative is "Centurion Guard", a hardware
device.  I've only looked at it very briefly, but it is
intriguing.

I also understand that Microsoft has some sort of 
enterprise configuration management software that can
do this - and more (possibly with some caveats).

=======================================================
Kyle Harriss		      voice: (218) 726-6546
UMD Library		      email: kharriss at d.umn.edu
10 University Drive
Duluth,  MN  55812
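The file-level half of the rebuild step described in the message above (delete added files, put back missing or altered ones, leave hardware-specific paths alone) can be expressed as a manifest reconcile. The Python below is an added illustration, not PCRdist's own code or the library's configuration: the PROTECTED_PREFIXES list, the file names and the "tampered PC" scenario are all constructed for the example, and the registry reset is not modeled. Calling plan_rebuild() without apply_rebuild() corresponds to the "test rebuild" the post uses to discover which driver files a new PC would lose.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed "hardware-specific" locations that a rebuild must leave alone; these
# stand in for the driver files and registry branches the post says are kept.
# The prefix list is an assumption of this example, not PCRdist's own.
PROTECTED_PREFIXES = ("DRIVERS/",)


def digest_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_digest(path: Path) -> str:
    return digest_bytes(path.read_bytes())


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}


def is_protected(rel: str) -> bool:
    return rel.startswith(PROTECTED_PREFIXES)


def plan_rebuild(master: dict, target: dict) -> dict:
    """Compare a PC's manifest against the master image; return {relpath: action}.

    'restore': missing or modified on the PC, copy the master copy back
    'delete':  present on the PC but not in the master image (user-added)
    'keep':    unchanged, or under a protected hardware-specific path
    Running this without apply_rebuild() is the "test rebuild" of the post:
    the 'delete' entries are exactly what a real rebuild would wipe.
    """
    plan = {}
    for rel, digest in master.items():
        changed = target.get(rel) != digest
        plan[rel] = "restore" if changed and not is_protected(rel) else "keep"
    for rel in target:
        if rel not in master:
            plan[rel] = "keep" if is_protected(rel) else "delete"
    return plan


def apply_rebuild(plan: dict, master_root: Path, target_root: Path) -> None:
    for rel, action in plan.items():
        dst = target_root / rel
        if action == "delete":
            dst.unlink()
        elif action == "restore":
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(master_root / rel, dst)


def write(root: Path, rel: str, text: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(text.encode())


def demo() -> tuple:
    """Constructed scenario: one master image and one tampered public PC."""
    tmp = Path(tempfile.mkdtemp())
    master_root, pc_root = tmp / "master", tmp / "pc"
    for root in (master_root, pc_root):
        write(root, "WINDOWS/WIN.INI", "[windows]\nload=\n")
        write(root, "PROGRAMS/CATALOG.EXE", "catalog-v1")
    # Tampering by a patron on the public PC (constructed):
    write(pc_root, "WINDOWS/WIN.INI", "[windows]\nload=keylog.exe\n")  # modified
    write(pc_root, "GAMES/DOOM.EXE", "not ours")                         # added
    (pc_root / "PROGRAMS/CATALOG.EXE").unlink()                           # removed
    # Vendor driver that exists only on this PC's hardware; must survive.
    write(pc_root, "DRIVERS/S3VIDEO.VXD", "vendor driver")

    plan = plan_rebuild(build_manifest(master_root), build_manifest(pc_root))
    apply_rebuild(plan, master_root, pc_root)
    after = build_manifest(pc_root)
    shutil.rmtree(tmp)
    return plan, after


if __name__ == "__main__":
    plan, after = demo()
    for rel, action in sorted(plan.items()):
        print(f"{action:8} {rel}")
    print("files after rebuild:", sorted(after))
```

Comparing content hashes rather than sizes or timestamps is what makes the "modified files get replaced" step reliable against a user who edits a file and resets its date. The scheme still only holds if the rebuild agent itself runs before anything a user controls; a PC that can be booted from a floppy or from a second partition bypasses the boot-time rebuild entirely, which is why the hardware boot path needs locking down alongside the shell restrictions.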


