[WEB4LIB] [Web4Lib] RE: Floppy Disks

Andrew I. Mutch amutch at waterford.lib.mi.us
Wed Jul 3 18:06:53 EDT 2002


I've always followed the "castle" mentality to lock down everything and
only open the drawbridge when necessary on our public Internet and word
processing computers.

:)

In our case, we have just started to allow floppy drive use. On our
computers, I use StormWindows and registry hacks as the first layer of
defense. At some point, I'll use Windows2000's Group Policy as a
replacement for this setup. Next, I use Windows2000's internal permissions
by setting the account permissions to "User". This places additional
restrictions on what files can be changed/deleted/etc. The goal is to
protect the machine from tampering and to prevent patrons from installing
applications that we don't want on there.

We run F-Secure for anti-virus protection both for the users and the
computers. It provides both on-access and on-demand scanning. The F-Secure
server automatically downloads updates from the web and the clients
pick-up and install these updates automatically. This should ensure that
our anti-virus protection is as current as possible.

Finally, we have segmented our networks so that our public PCs are
segregated from our staff PCs and network servers. This includes a
physical separation of the network to further protect the Township Wide
Area Network.

Compared to some others, this might seem like overkill. But these are the
points that we have taken into consideration:

1) There are all kinds of malicious programs that patrons can run from
floppies or download off the net. We want to make it as hard as possible
to keep them from using those applications on our network. Unsecured PCs
don't provide that protection.

2) Restoration programs, like DeepFreeze, don't protect against viruses.
Once the PC is infected, it can infect other PCs and patron floppies. If
another patron uses the computer before the system is restored, they could
be infected. Sure, it's a user-beware world out there but we want to
provide at least some level of protection against those kinds of
situations.

3) Allowing patrons to install whatever they want leads to inconsistent
PC configurations and patron confusion. Whenever patrons are confused,
there is likely to be frustration and wasted time for both patrons and
staff. Of course, with DeepFreeze, you can reboot and restore, but our
goal is to avoid the problem in the first place. It's also why we use PWB
on the Internet computers and K-Meleon on the OPACs. Both programs are
locked down against patron modification.

Our approach is not without its drawbacks. It makes us more restrictive
than some other institutions. For example, today I had a patron who wanted
to use a ZIP program to unzip some files he downloaded off the Internet. I
don't provide access to WinZip from our public PCs so he was out of luck.
Also, the security layers make modifications tedious and it has gotten
beyond the point where staff can troubleshoot those kinds of problems. If
something is too locked down, I'm the one who has to correct that whereas
before, staff could do some of that on their own.

On the other hand, I would not feel comfortable allowing patrons to
install whatever they wanted on the PCs, even if I knew I could restore
the PC with a reboot. Call me paranoid.
:)
Plus, I don't think our staff or administration would be too happy with
that situation. Also, my network administrator wouldn't allow that to
happen as he's even more paranoid than I am. But, every institution has
their own setup that works best for them. I'm not knocking others'
arrangements, just explaining why we do things the way we do here.

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI





On Wed, 3 Jul 2002, SAMANTHA YEUNG wrote:

> Kyle,
> 
> I am wondering if your public computers are on a completely different network or subnet from your staff computers.  Could you elaborate on your network infrastructure? Do you also use Win2K System Policy to lock down the computer?
> 
> We are due for some network upgrade and would like to get more information.
> 
> Thanks,
> Samantha
> 
> 
> ******************************************************************
> Samantha Yeung                 v: (805) 449-2660 x. 232
> Systems Librarian                 f: (805) 373-6858
> Thousand Oaks Library        syeung at mx.tol.lib.ca.us
> 1401 E. Janss Rd.
> Thousand Oaks, CA 91362
> ******************************************************************
> 
> >>> Kyle Harriss <kharriss at d.umn.edu> 07/03/02 01:59PM >>>
> Re: Floppy and Zip disks..
> 
> We are reworking our public PC setup, but
> it looks like this.
> 
> 1. We use DeepFreeze Pro to prevent any
>    changes to the hard drive from persisting.
> 
>    (This will be paired with a software
>     distribution package, like Prism Deploy,
>     by Fall.  We haven't made a final decision
>     on this piece of the puzzle.  Up until now
>     we have used PCRdist, but I'm looking for
>     something simpler.)
> 
> 2. Other than the above, our PCs are completely
>    open.  Patrons can use floppies and zip100 disks.
>    They can download or upload.  The hard drive
>    is not protected (except by DeepFreeze).
> 
>    If a PC gets messed up, we turn it off
>    (using the power switch - no need to use
>    the Windows ShutDown command), and turn it
>    back on.
> 
> 3. Software usage is not restricted beyond
>    our decision to load certain programs and
>    not others.  If a patron can load their own
>    software without rebooting, it works.
>    If a reboot is required, the changes they've
>    made disappear.
> 
> We have 31 PCs managed this way at the moment,
> and will add 10 more by Fall.  
> 
> (In our building we also have other computing 
>  facilities, managed by the campus IT department.
>  The 31 PCs described above are just the ones 
>  we manage, located in the vicinity of our 
>  Reference Desk.)
> 
> ==
> Kyle Harriss
> UMD Library
> 10 University Drive
> Duluth   MN  55812
> 
> voice: 218-726-6546
> email: kharriss at d.umn.edu (work)
> 
> 
> 
> 




