Locking down PCs

From Library Success: A Best Practices Wiki
(Difference between revisions)
m (Reverted edits by SunshineMcFadden (talk) to last revision by Librarycomputerguy)
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
==Introduction==
+
=Introduction=
Privacy protection, legal protection, and computer security are key concerns for libraries. It is important that Public PCs contain security features designed to detect when users have left the station but forgotten to log out and ensure that all their personal files and information are automatically cleared from the station to protect the user's privacy.
+
Legal protection, patron privacy protection, and computer security are key concerns for libraries that provide public access computers (PACs). Providing access to computers and the Internet are now seen as an integral role for libraries, and along with that expanded role come a host of new threats and concerns.  Providing this technology and protecting from the increasing level of threats is a constant battle.
 
+
=Filtering=
==Patron Use Management and Policies==
+
[http://www.webjunction.org/do/DisplayContent?id=12027 Filtering] is a contentious issue and is required for E-rate by [http://www.fcc.gov/cgb/consumerfacts/cipa.html CIPA]. This requires filters to be installed on all PACs with Internet access with the ability to remove the filter for any patron over the age of 18. Filters can limit end user's exposure to undesirable content, but may also restrict their access to legitimate content. There are numerous commercial and opensource web-filtering programs available.
Libraries need to control the time that patrons have access to computers to insure that all users get a fair chance to utilize these services. Some libraries may still used manual methods to do this, but many automated systems exist.  For exampe, pc management system like Envisionware's PCres (for windows systems) make this possible.  Free and OSS options are available for both [http://userful.com/products/pre-book GNU/Linux] and [http://userful.com/products/pre-book-win-client Windows]. Most of these packages will include a click-through [http://www.webjunction.org/do/Navigation?category=394 Acceptable Use Policy] to ensures that all Patrons agree to the library's terms of use. 
+
=Computer Use Policy=
==Filtering==
+
The use of policies has been an important tool for libraries and apply to PACs as well.  Library computer use policies should outline acceptable and unacceptable uses of both the equipment and the Internet access.  The policy should also outline how the policy is enforced and include a disclaimer that the patron is using the computer and the Internet at their own risk.  It is impossible to guarantee that patrons will be absolutely safe in using these PACs.  Most PC Management solutions include a click-through [http://www.webjunction.org/do/Navigation?category=394 Acceptable Use Policy] to ensures that all Patrons agree to the library's terms of use.
[http://www.webjunction.org/do/DisplayContent?id=12027 Filtering] is a contentious issue and is required for E-rate by [http://www.fcc.gov/cgb/consumerfacts/cipa.html CIPA]. Internet filters can limit end user's exposure to undesirable content, but widely seen as  inefective. There are numerous opensource web-filtering programs out there.
+
=Patron Privacy Protection=
 
+
It is important that PACs contain security features designed to detect when users have left the station but forgotten to log out and ensure that all their personal files and information are automatically cleared from the station to protect the user's privacy. Libraries also need to control the time that patrons have access to computers to insure that all users get a fair chance to access these services. Some libraries may still use manual methods to do this, but many automated systems exist.  For example, [http://www.envisionware.com/en/pc_reservation Envisionware's PCres] (for windows systems) make this possible.  Free and OSS options are available for both OSs:
==Securing Public Access Computers(PACs)==
+
*[http://userful.com/products/pre-book GNU/Linux]
===GNU/Linux===
+
*[http://userful.com/products/pre-book-win-client Windows].
====DIY====
+
=Securing PACs=
GNU/Linux machine are more secure in their design, and some GNU/Linux distributions will work as they are.
+
==Key Loggers==
*[http://www.ubuntu.com/ Ubuntu]
+
Computers should be physically secured for use. It is important to visually inspect the computers at regular intervals to make sure no devices have been attached to record keystrokes.  These devices may look like part of the keyboard plug and can record keystrokes for up to 12 months and they are undetectable to scanning software.
*[http://www.pclinuxos.com/ PCLinuxOS]
+
==BIOS==
====Turnkey Solutions====
+
Another consideration is the [http://en.wikipedia.org/wiki/BIOS Basic Input/ Output Settings (BIOS)] which boots the computer. The BIOS settings should be password protected and the boot order should start with the internal hard drive and if possible any other boot option should be removed.  This is to prevent someone from booting from a CD, Floppy, or USB drive which could allow them to steal passwords, alter the computer settings or gain access to the network resources.
 +
==Turnkey Solutions==
 +
Several turnkey solutions are available based on GNU/Linux and OSS.  These solutions free up staff from dealing with most of the maintenance tasks involved in securing PACs.
 
*[http://userful.com/products/library Userful DiscoveryStation.]
 
*[http://userful.com/products/library Userful DiscoveryStation.]
*[http://groovix.com/solutions_public_access.html Groovix].
+
*[http://groovix.com/solutions_public_access.html Groovix].
 
+
==OS Patches==
===Windows===
+
All [http://en.wikipedia.org/wiki/Operating_system operating systems (OS)] require frequent system updates to patch security holes discovered in the OS. For example, in Windows, running Windows update will insure that the system has the latest updates. Virtually all OSs have some type of automatic update for critical patches, but it wise to periodically run these services manually to insure that all software is patched.  Libraries should be aware that Microsoft no longer supports versions of Windows before Windows 2000.  This means that any systems running Windows 98, Windows ME or Windows NT are at risk to be compromised because Microsoft no longer provides patches for them.
Because of fundamental Windows design aspects,and because it is more ubiquitous and therefore a larger target for crackers, more diligence is required in securing a Windows machine for public use.
+
==Malware==
====Windows 2000 or older====
+
One of the greatest threats that exist for operating systems (especially Windows) are those from malware, which includes viruses, worms and spyware. There are a number of commercial solutions, but there are also some free solutions available:
[http://www.webjunction.org/do/DisplayContent?id=979 Public Access Computing Security Tool]
+
*[http://free.grisoft.com/ Grisoft AVG](A free version of commercial software)
====Windows XP and Vista=====
+
*[http://www.clamwin.com/ ClamWin] (Free/OSS)
*Step by step howto for [http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx SteadyState.]
+
*[http://www.safer-networking.org/ SpyBot Search & Destroy] (freeware)
 
+
*[http://www.javacoolsoftware.com/sbdownload.html Spyware Blaster] (freeware)
 +
==Third Party Solutions==
 +
Many Commercial products exist to protect PACs by locking down the harddrive.  These software solutions bring the system to a restored state after reboot.  This is also helpful to protect the privacy of users because it clears out any personal information stored during their session.
 +
*[http://www.faronics.com/html/deepfreeze.asp Faronics DeepFreeze]
 +
*[http://www.fortresgrand.com/ Fortres 101 & Cleanslate]
 +
==Free Tools for Windows==
 +
The [http://en.wikipedia.org/wiki/Bill_and_Melinda_Gates_Foundation Bill & Melinda Gates Foundation (B&MGF)] provided a free tools to help secure Windows computers for public use.  [http://www.webjunction.org/do/DisplayContent?id=979 Public Access Computing Security Tool]. This was related to the computers granted to libraries. Though this tool is no longer supported, it still works well on older Windows operating systems like Windows 2000.
 +
Microsoft has recently released [http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx SteadyState](replacing Microsoft Shared  which is a tool to secure Windows XP and Windows Vista systems for shared use.
 +
*Step by step howto for SteadyState
 
  1.Un-install old security software (if applicable)
 
  1.Un-install old security software (if applicable)
 
  2.Install SteadyState as per instructions.
 
  2.Install SteadyState as per instructions.
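Review bot: The added "Free Tools for Windows" paragraph contains "SteadyState](replacing Microsoft Shared  which is a tool", where the parenthesis is never closed and the name of the replaced product is cut short; finish the name and close the parenthesis before "which". In the added BIOS section, the link text expands the acronym as "Basic Input/ Output Settings", but BIOS stands for Basic Input/Output System. The new text also carries "to ensures" and several uses of "insure" where "ensure" is meant.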
Line 42: Line 52:
 
  13.Set restriction in SteadyState:
 
  13.Set restriction in SteadyState:
 
  a)Windows Restriction : Select high and UNCHECK:
 
  a)Windows Restriction : Select high and UNCHECK:
  Start Menu > Remove the control panel icon
+
  Start Menu > Remove the control panel icon ''use this to allow safe removal of USB devices''
 
  General Restrictions > Prevent Autoplay on CD / DVD
 
  General Restrictions > Prevent Autoplay on CD / DVD
 
  General Restrictions > Prevent access to Windows Explorer features...
 
  General Restrictions > Prevent access to Windows Explorer features...
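Review bot: The italic note appended to "Start Menu > Remove the control panel icon" runs straight on from the setting name, so it reads as part of the option label; set it off in parentheses or on its own line. Because this item sits under "Select high and UNCHECK", the note should also say that the Control Panel icon stays visible to patrons as the price of allowing safe removal of USB devices, so a library can decide whether that trade-off is acceptable.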
Line 63: Line 73:
 
  16.Reboot
 
  16.Reboot
 
  17.Set disk protection to Remove all changes at restart.
 
  17.Set disk protection to Remove all changes at restart.
====Commercial Solutions for All Operating Systems ====
 
*[http://www.faronics.com/html/deepfreeze.asp Faronics DeepFreeze]
 
*[http://www.fortresgrand.com/ Fortres 101 & Cleanslate]
 
  
----
 
  
===Resources===
+
=Resources=
*Carter, Howard. 2002. "Misuse of Library Public Access Computers: Balancing Privacy, Accountability, and Security." Journal of Library Administration 36, no. 4: 29. Academic Search Elite, EBSCOhost (accessed October 21, 2007).
+
*Balas, Janet L. 2004. "Managing Public Access Computers and the People Who Use Them." Computers in Libraries 24, no. 6: 35-37.
*Huang, Phil. HOW YOU CAN PROTECT PUBLIC ACCESS COMPUTERS and Thier Users. Computers in Libraries. 27(5).  
+
*Carter, Howard. 2002. "Misuse of Library Public Access Computers: Balancing Privacy, Accountability, and Security." Journal of Library Administration 36, no. 4: 29.
 +
*Huang, Phil. "HOW YOU CAN PROTECT PUBLIC ACCESS COMPUTERS and Their Users." Computers in Libraries. 27, no. 5. 16:5.
 +
*Sendze, Monique. 2006. "THE BATTLE TO SECURE OUR PUBLIC ACCESS COMPUTERS. (Cover story)." Computers in Libraries 26, no. 1: 10-16.
 
[[Category: PC Management]]
 
[[Category: PC Management]]
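Review bot: The revised Huang entry in Resources still has no publication year, while the other three entries give one right after the author, and its trailing "16:5" does not follow the "volume, no. issue: pages" pattern the others use; bring it into the same citation style. The same hunk drops the "Commercial Solutions for All Operating Systems" heading, so check that the DeepFreeze and Fortres links it covered are kept under the new "Third Party Solutions" section and not listed twice.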

Latest revision as of 19:50, 18 July 2011

Introduction

Legal protection, patron privacy protection, and computer security are key concerns for libraries that provide public access computers (PACs). Providing access to computers and the Internet is now seen as an integral role for libraries, and along with that expanded role comes a host of new threats and concerns. Providing this technology and protecting it from the increasing level of threats is a constant battle.

Filtering

Filtering is a contentious issue and is required for E-rate by CIPA. This requires filters to be installed on all PACs with Internet access, with the ability to remove the filter for any patron over the age of 18. Filters can limit end users' exposure to undesirable content, but may also restrict their access to legitimate content. There are numerous commercial and open-source web-filtering programs available.

Computer Use Policy

Policies have been an important tool for libraries, and they apply to PACs as well. Library computer use policies should outline acceptable and unacceptable uses of both the equipment and the Internet access. The policy should also outline how it is enforced and include a disclaimer that the patron is using the computer and the Internet at their own risk. It is impossible to guarantee that patrons will be absolutely safe in using these PACs. Most PC management solutions include a click-through Acceptable Use Policy to ensure that all patrons agree to the library's terms of use.

Patron Privacy Protection

It is important that PACs contain security features designed to detect when users have left the station but forgotten to log out, and to ensure that all their personal files and information are automatically cleared from the station to protect the user's privacy. Libraries also need to control the time that patrons have access to computers to ensure that all users get a fair chance to access these services. Some libraries may still use manual methods to do this, but many automated systems exist. For example, Envisionware's PCres (for Windows systems) makes this possible. Free and OSS options are available for both OSs:

  • GNU/Linux: http://userful.com/products/pre-book
  • Windows: http://userful.com/products/pre-book-win-client

Securing PACs

Key Loggers

Computers should be physically secured for use. It is important to visually inspect the computers at regular intervals to make sure no devices have been attached to record keystrokes. These devices may look like part of the keyboard plug, can record keystrokes for up to 12 months, and are undetectable to scanning software.

BIOS

Another consideration is the Basic Input/Output Settings (BIOS), which boots the computer. The BIOS settings should be password protected, the boot order should start with the internal hard drive, and, if possible, any other boot option should be removed. This prevents someone from booting from a CD, floppy, or USB drive, which could allow them to steal passwords, alter the computer settings, or gain access to network resources.
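One way to check the boot-order guidance above from software, as an added example that is not part of the original wiki page: it assumes a PAC with UEFI firmware running GNU/Linux, where `efibootmgr -v` prints the firmware boot entries. The sample output, entry labels and function names are constructed for illustration; the setup password cannot be checked this way and still has to be verified in the firmware setup screen.

```python
import re

# Constructed `efibootmgr -v` style output (label and device path are tab-separated).
SAMPLE = (
    "BootCurrent: 0001\n"
    "Timeout: 1 seconds\n"
    "BootOrder: 0002,0001,0003\n"
    "Boot0001* Internal Disk\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x32000)/File(\\EFI\\BOOT\\BOOTX64.EFI)\n"
    "Boot0002* USB Stick\tPciRoot(0x0)/Pci(0x14,0x0)/USB(2,0)/HD(1,MBR,0x1234,0x800,0x1000)\n"
    "Boot0003* Network\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)/IPv4(0.0.0.0)\n"
    "Boot0004  DVD Drive\tPciRoot(0x0)/Pci(0x1f,0x2)/Sata(1,0,0)/CDROM(1,0x0,0x0)\n"
)
# Constructed output for a machine that follows the guidance: one internal entry only.
HARDENED = (
    "BootOrder: 0001\n"
    "Boot0001* Internal Disk\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x32000)\n"
)

# "BootNNNN*" is an active entry, "BootNNNN " (no star) an inactive one.
ENTRY = re.compile(r"^Boot([0-9A-F]{4})(\*| )\s*([^\t]*)(?:\t(.*))?$")
# UEFI device-path nodes for media a patron could supply (USB, optical) or network boot.
EXTERNAL = ("USB(", "CDROM(", "MAC(", "IPv4(", "IPv6(")

def classify(path):
    """Return 'external', 'internal' or 'unknown' for one device path."""
    if any(node in path for node in EXTERNAL):  # checked first: a USB stick path also has HD(
        return "external"
    return "internal" if "HD(" in path else "unknown"

def audit_boot(text):
    """Return a list of findings; an empty list means the boot setup matches the guidance."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [n.strip() for n in line.split(":", 1)[1].split(",") if n.strip()]
        m = ENTRY.match(line)
        if m:
            num, flag, label, path = m.groups()
            entries[num] = (label.strip(), flag == "*", classify(path or ""))
    findings = []
    first = entries.get(order[0]) if order else None
    if first is None or first[2] != "internal":
        findings.append("first boot entry is not the internal hard drive")
    # Active external entries are reported even when they are not in BootOrder,
    # because the firmware boot menu can still offer them.
    for num, (label, active, kind) in sorted(entries.items()):
        if active and kind == "external":
            findings.append(f"Boot{num} ({label}) still permits external boot")
    return findings

if __name__ == "__main__":
    for finding in audit_boot(SAMPLE):
        print("FINDING:", finding)
```
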

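Turnkey Solutions

Several turnkey solutions are available based on GNU/Linux and OSS. These solutions free up staff from dealing with most of the maintenance tasks involved in securing PACs.

  • Userful DiscoveryStation: http://userful.com/products/library
  • Groovix: http://groovix.com/solutions_public_access.html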

OS Patches

All operating systems (OS) require frequent system updates to patch security holes discovered in the OS. For example, in Windows, running Windows Update will ensure that the system has the latest updates. Virtually all OSs have some type of automatic update for critical patches, but it is wise to periodically run these services manually to ensure that all software is patched. Libraries should be aware that Microsoft no longer supports versions of Windows before Windows 2000. This means that any systems running Windows 98, Windows ME or Windows NT are at risk of being compromised because Microsoft no longer provides patches for them.

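Malware

One of the greatest threats to operating systems (especially Windows) is malware, which includes viruses, worms and spyware. There are a number of commercial solutions, but there are also some free solutions available:

  • Grisoft AVG (a free version of commercial software): http://free.grisoft.com/
  • ClamWin (Free/OSS): http://www.clamwin.com/
  • SpyBot Search & Destroy (freeware): http://www.safer-networking.org/
  • Spyware Blaster (freeware): http://www.javacoolsoftware.com/sbdownload.html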

Third Party Solutions

Many commercial products exist to protect PACs by locking down the hard drive. These software solutions bring the system to a restored state after reboot. This also helps protect the privacy of users because it clears out any personal information stored during their session.

  • Faronics DeepFreeze: http://www.faronics.com/html/deepfreeze.asp
  • Fortres 101 & Cleanslate: http://www.fortresgrand.com/

Free Tools for Windows

The Bill & Melinda Gates Foundation (B&MGF) provided a free tool, the Public Access Computing Security Tool, to help secure Windows computers for public use. This was related to the computers granted to libraries. Though this tool is no longer supported, it still works well on older Windows operating systems like Windows 2000. Microsoft has recently released SteadyState (replacing Microsoft Shared which is a tool to secure Windows XP and Windows Vista systems for shared use.

Step-by-step how-to for SteadyState:

1. Uninstall old security software (if applicable).
2. Install SteadyState as per instructions.
3. Start SteadyState.
4. Set Computer Restrictions:
   a) Privacy Settings: use all defaults.
   b) Security Settings: use defaults, plus deselect “Turn on the Welcome screen”.
5. Create user 'all' and remove all restrictions.
6. Give “all” administrative rights.
   a) Click Start > Control Panel > Users > All > Change account type.
7. Click on Home in the user control panel and “Change the way users log on and off”.
   a) Remove Welcome Screen.
8. Log in to 'all'.
9. Set desktop background, silver theme, power settings and icons on desktop.
10. Run programs, MS Office apps and OpenOffice to ensure installation, and Adobe Reader for the license prompt. Set search options for I.E.
11. Log out of “all” and log back into the administrative account.
12. Run SteadyState.
13. Set restrictions in SteadyState:
   a) Windows Restrictions: select High and UNCHECK:
      • Start Menu > Remove the control panel icon (use this to allow safe removal of USB devices)
      • General Restrictions > Prevent Autoplay on CD / DVD
      • General Restrictions > Prevent access to Windows Explorer features... (this will allow the tabs to function in IE7)
      • General Restrictions > Remove CD and DVD burning
      • General Restrictions > Disable Notepad and Wordpad
      • General Restrictions > Prevent users from saving files to Desktop
      • Hide Drives > Local Disk (C:)
   b) Feature Restrictions: High, but unchecked:
      • Internet Explorer Restrictions > Prevent Printing
      • Menu Options > Remove Help
      • Toolbar Options > Size, Full Screen, Print and Third Party Extensions Buttons
      • Microsoft Office Restrictions > Prevent use of visual basic... (this option will allow wizard templates to run, but could pose some risks)
   c) Set home page to your library home page URL.
14. Set session timers (this is to prevent the screen saver from showing).
   a) Log off after 700 minutes of use.
   b) Log off after 700 minutes idle.
15. Lock profile.
16. Reboot.
17. Set disk protection to Remove all changes at restart.


Resources

  • Balas, Janet L. 2004. "Managing Public Access Computers and the People Who Use Them." Computers in Libraries 24, no. 6: 35-37.
  • Carter, Howard. 2002. "Misuse of Library Public Access Computers: Balancing Privacy, Accountability, and Security." Journal of Library Administration 36, no. 4: 29.
  • Huang, Phil. "HOW YOU CAN PROTECT PUBLIC ACCESS COMPUTERS and Their Users." Computers in Libraries. 27, no. 5. 16:5.
  • Sendze, Monique. 2006. "THE BATTLE TO SECURE OUR PUBLIC ACCESS COMPUTERS. (Cover story)." Computers in Libraries 26, no. 1: 10-16.