Public access machines and network security - response summary

Robin Boulton rboulton at linc.lib.il.us
Fri May 24 15:42:20 EDT 2002


Recently I asked what people were doing about this topic and got a lot of 
replies. Somebody asked me to summarize for the list, so here's my best 
effort. Hearty thanks to all who spent their time and effort in responding.

>Summarizing for the list, as requested.

__Original question(s)__:

>We are getting closer to beginning work on a public access technology 
>center, and we're wrestling with the concept of allowing the patron to 
>perform all sorts of functions - such as running courseware which would 
>require the ability to create, delete and modify files on the local hard 
>disk - versus maintaining the security of our network. (For the moment the 
>cost of setting up an entirely separate network is prohibitive). I would 
>appreciate any feedback you can provide on the following points.
>
>On machines that provide anything more than catalog and simple internet 
>access:
>
>What applications do you make available?
>
>How much access do patrons have to the local hard disk?
>
>How much access do they have to the network?
>
>How do you prevent malicious mischief from being done?

_____________________________________________________________________________________

__Answers (Not necessarily in order of receipt):__


1. This might be of some help.

Our new Gates Foundation Library computer recently arrived and came with 
the software and hardware for Centurion Guard (see: 
http://www.centuriontech.com/English.html).

2. As for functions that the patrons are allowed to perform (in addition to 
using IE and, in the appropriate stations, scanning and using MS Office), 
we've taken it on a case by case basis but generally said no to any 
installations. Some exceptions were a plug-in that allowed patrons to take 
an online driving class and a program allowing patrons to register for 
classes at UIUC. In both cases we thought it could be beneficial to other 
patrons in the future. Currently our patrons have no access to the local 
hard drive.

3. --- Robin Boulton <rboulton at linc.lib.il.us> wrote:
 > On machines that provide anything more than catalog
 > and simple internet access:
 >
 > What applications do you make available?
Word, Excel, Works, Calculator
 > How much access do patrons have to the local hard
 > disk?
In theory, none.
 > How much access do they have to the network?
ditto
 > How do you prevent malicious mischief from being
 > done?
Fortres, a 3rd party product. We may be switching
soon to CybraryN, because Fortres is a great huge
pain.

4. > Fortres, a 3rd party product. We may be switching
 > soon to CybraryN, because Fortres is a great huge
 > pain.
We were just about to purchase Fortres & Clean Slate. Why is Fortres a
pain? And what would other people recommend instead?
We will be using them on Windows XP.

5. On our WinNT workstations that were given to us by the Gates Foundation, we
have all the software they provided: Office 2000, 3 Barney programs, 3
Magic School Bus programs, several Encarta applications, 3 Corbis titles,
Streets and Trips 2000, Acrobat Reader, and a Mouse Tutorial.

Patrons can save to the hard disk, but as we have "don't save settings on
exit" checked in our System Policies, material saved disappears upon reboot.
We turn the machines off at the end of the day and on at the beginning,
which is usually the only reboot. Patrons cannot use NT Explorer, and they
cannot delete any files (even their own) from the hard disk.

Network Neighborhood is invisible on public access computers.

I do not know all the ins and outs of how our security works on the Gates
Foundation computers, because they set it up. On machines we've purchased
recently, we use Centurion Guard for "reboot amnesia."

6. On our public machines in this public library we run a wide range of
software including, Office XP Suite, a variety of CD and Internet based data
base products, Windows Media Player, a good dozen educational games for
children, adaptive software for visually impaired patrons, and of course
Internet access. We are just now putting out CD burning hardware/software
as well.
We have a partition on each public computer's hard drive that patrons can
save files to. They can also save to the floppy drive and a zip drive. But
we are finding the zip drives get very little use.
Patrons cannot access network drives or resources.
We secure the computers through a mix of Windows Policies and Permissions,
the security product Winshielf PCSecure, and by making configuration changes
for public use. For example disconnecting CD/DVD drives, renaming Windows
Help file, using strong passwords, and the like. We use Public Web Browser
for its security features as well.

7. We use Deep Freeze so they can do whatever to the hard drive. We can also
re-image pretty quickly with Ghost. We offer the MS Office products. No
CD-ROM access. We prevent booting from the floppy in the BIOS. The network
is just protected with standard network file security. I would like to have
public on a separate network, but haven't had time to pursue that yet.

8. Would the courseware need to be revisited or would it be used by the
patron just on that day? If it's a one day use, you may want to consider a
product like Centurion Guard or vault-x which maintains the hard drive
integrity on reboot. (If someone makes changes during a session, when the
computer is rebooted, it goes back to your original settings, wiping out
anything they loaded or changed.)

9. What applications do you make available? Easier to say what is not
available. There are no office (Word, Access, WP, etc.). Only Wordpad as
a word processor is available. We do provide a Word Reader and a Power
Point reader. Many of our faculty use one or both for their classes.

How much access do patrons have to the local hard disk? They can access
it and save mail, etc. to it. They can not load applications.

How much access do they have to the network? -- All their access is to
the Web. They can see the network, but not access any of it.

How do you prevent malicious mischief from being done?--- We use
DeepFreeze. Anything they save to the hard disk, etc. is gone on a
reboot. We encourage saving only to the A drive. With W98, we used the
policies to control what they could do. We've just gone to WkPro, and I
am just learning how to control access to the control panel, etc.

10. What applications do you make available? MS Office, several CD-Rom 
databases, Print Shop, Adobe Suite.

How much access do patrons have to the local hard disk? We let them copy 
things to the local hard disk. However, we run Deep Freeze which 
automatically erases everything and restores the disk when the computer is 
rebooted. This has been the best security measure we have.

How much access do they have to the network? None.

How do you prevent malicious mischief from being done? We use Deep Freeze 
to protect local computers. We use WinU for security. Together they are 
excellent. We do not experience any mischief problems.

11. > What applications do you make available?
We have some homework computers that high-school students can write up
their homework assignments on.
 > How much access do patrons have to the local hard disk?
None. They can save to the floppy disk only.
 > How much access do they have to the network?
None. We do not want to open any avenues for hackers.
 > How do you prevent malicious mischief from being done?
Windows 2000 Server: Policies, Profiles, and local permissions.
If this is too much for you to deal with, then get copies of Fortres or
Deep Freeze.


More information about the Web4lib mailing list