Locking down PCs

From Library Success: A Best Practices Wiki
(Difference between revisions)
Line 1: Line 1:
 +
==Introduction==
 
Privacy protection, legal protection, and computer security are key concerns for libraries. It is important that Public PCs contain security features designed to detect when users have left the station but forgotten to log out and ensure that all their personal files and information are automatically cleared from the station to protect the user's privacy. Users should be able to adjust the inactivity timeout period to suit their needs or disable this feature altogether or lock the PC if they need to go for a washroom break.
 
Privacy protection, legal protection, and computer security are key concerns for libraries. It is important that Public PCs contain security features designed to detect when users have left the station but forgotten to log out and ensure that all their personal files and information are automatically cleared from the station to protect the user's privacy. Users should be able to adjust the inactivity timeout period to suit their needs or disable this feature altogether or lock the PC if they need to go for a washroom break.
  
A click-through Acceptable Use Policy is also a good idea to ensures that all Patrons agree to the library's terms of use;
+
==Patron Use Management and Policies==
 +
We must control the time that patrons have access to computers to insure that all users get a fair chance to utilize these services. Many pc management system like Envisionware's PCres (for windows systems) make this possible.  Free and OSS options are available for both [http://userful.com/products/pre-book GNU/Linux] and [http://userful.com/products/pre-book-win-client Windows].  Most of these packages will include a click-through [http://www.webjunction.org/do/Navigation?category=394 Acceptable Use Policy] to ensures that all Patrons agree to the library's terms of use
 +
==Filtering==
 +
[http://www.webjunction.org/do/DisplayContent?id=12027 Filtering] is a contentious issue and is required for E-rate by [http://www.fcc.gov/cgb/consumerfacts/cipa.html CIPA]. Internet filters can limit end user's exposure to undesirable content, but widely seen as  inefective. There are numerous opensource web-filtering programs out there.
  
Filtering is a contentious issue. Internet filters can limit end user's exposure to undesirable content. There are numerous opensource web-filtering programs out there.
+
==Securing Public Access Computers(PACs)==
 +
===GNU/Linux===
 +
====DIY====
 +
GNU/Linux machine are more secure in their design, and some GNU/Linux distributions will work as they are.
 +
*[http://www.ubuntu.com/ Ubuntu]
 +
*[http://www.pclinuxos.com/ PCLinuxOS]
 +
====Turnkey Solutions====
 +
*[http://userful.com/products/library Userful DiscoveryStation.]
 +
*[http://groovix.com/solutions_public_access.html Groovix]. 
 +
 
 +
===Windows===
 +
Because of fundamental Windows design aspects,and because it is more ubiquitous and therefore  a larger target for crackers, more diligence is required in securing a Windows machine for public use. For those in systems where OSS options can not be realized, there are some helpful applications to secure a Windows machine.
 +
====Windows 2000 or older====
 +
[http://www.webjunction.org/do/DisplayContent?id=979 Public Access Computing Security Tool]
 +
====Windows XP and Vista=====
 +
*[http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx SteadyState.]
 +
 
 +
1.Un-install old security software (if applicable)
 +
2.Install SteadyState as per instructions.
 +
3.Start SteadyState
 +
4.Set Computer Restrictions:
 +
a)Privacy Settings: use all defaults
 +
b)Security Settings: use defaults plus:deselect “Turn on the Welcome screen”
 +
5.Create  user 'all' and remove all restrictions.
 +
6.Give “all” administrative rights.
 +
a)Click Start > Control Panel > Users > All > Change account type
 +
7.Click on Home in user control panel and “Change the way users log on and off”
 +
a)remove Welcome Screen
 +
8.Log in to 'all'
 +
9.Set desktop background, silver theme, power settings and icons on desktop.
 +
10.Run programs, MS Office apps and OpenOffice to insure installation and Adobe reader for license prompt.  Set search options for I.E.
 +
11.Log out of “all” and log back into administrative account.
 +
12.Run SteadyState.
 +
13.Set restriction in SteadyState:
 +
a)Windows Restriction : Select high and UNCHECK:
 +
Start Menu > Remove the control panel icon
 +
General Restrictions > Prevent Autoplay on CD / DVD
 +
General Restrictions > Prevent access to Windows Explorer features...
 +
''this will allow the tabs to function in IE7.''
 +
General Restrictions > Remove CD and DVD burning
 +
General Restrictions > Disable Notepad and Wordpad
 +
General Restrictions > Prevent users from saving files to Desktop
 +
Hide Drives > Local Disk (C:)
 +
b)Feature Restrictions : high but unchecked:
 +
Internet Explorer Restrictions > Prevent Printing
 +
Menu Options > Remove Help
 +
Toolbar Options > Size, Full Screen, Print and Third Party Extensions Buttons.
 +
Microsoft Office Restrictions > Prevent use of visual basic...
 +
''this option will allow wizard templates to run, but could pose some risks.''
 +
c)Set home page to your library home page url.
 +
14.Set session timers ''(this is to prevent the screen saver from showing.)''
 +
a)Log off after 700 minutes of use.
 +
b)Log off after 700 minutes idle. 
 +
15.Lock profile
 +
16. Reboot
 +
17. Set disk protection to Remove all changes at restart.
 +
====Commercial Solutions for All Operating Systems ====
 +
*[http://www.faronics.com/html/deepfreeze.asp Faronics DeepFreeze]
 +
*[http://www.fortresgrand.com/ Fortres 101 & Cleanslate]
  
 
[[Category: PC Management]]
 
[[Category: PC Management]]
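Review bot: steps 5 and 6 of the added SteadyState procedure create the shared account 'all' with all restrictions removed and give it administrative rights, and none of the later steps (11 through 17) changes the account type back before the profile is locked in step 15. If 'all' is the account patrons log in with, add an explicit step after step 11 that returns it to a limited account, or state in the text why it has to remain an administrator. Separately, the 700-minute session timers in step 14 work against the Introduction's requirement that a station detect an abandoned session and clear the user's data; the step should say how inactivity is handled once the timers are set that high.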

Revision as of 04:21, 21 October 2007


Introduction

Privacy protection, legal protection, and computer security are key concerns for libraries. It is important that public PCs contain security features designed to detect when users have left the station but forgotten to log out, and to ensure that all their personal files and information are automatically cleared from the station to protect the user's privacy. Users should be able to adjust the inactivity timeout period to suit their needs, disable this feature altogether, or lock the PC if they need to go for a washroom break.

Patron Use Management and Policies

We must control the time that patrons have access to computers to ensure that all users get a fair chance to utilize these services. Many PC management systems, such as Envisionware's PCres (for Windows systems), make this possible. Free and OSS options are available for both GNU/Linux and Windows. Most of these packages will include a click-through Acceptable Use Policy to ensure that all patrons agree to the library's terms of use.

Filtering

Filtering is a contentious issue and is required for E-rate by CIPA. Internet filters can limit end users' exposure to undesirable content, but are widely seen as ineffective. There are numerous open-source web-filtering programs out there.

Securing Public Access Computers (PACs)

GNU/Linux

DIY

GNU/Linux machines are more secure in their design, and some GNU/Linux distributions will work as they are.

Turnkey Solutions

Windows

Because of fundamental Windows design aspects, and because it is more ubiquitous and therefore a larger target for crackers, more diligence is required in securing a Windows machine for public use. For those in systems where OSS options cannot be realized, there are some helpful applications to secure a Windows machine.

Windows 2000 or older

Public Access Computing Security Tool

Windows XP and Vista

1. Un-install old security software (if applicable).
2. Install SteadyState as per instructions.
3. Start SteadyState.
4. Set Computer Restrictions:
   a) Privacy Settings: use all defaults
   b) Security Settings: use defaults, plus deselect “Turn on the Welcome screen”
5. Create user 'all' and remove all restrictions.
6. Give “all” administrative rights.
   a) Click Start > Control Panel > Users > All > Change account type
7. Click on Home in the user control panel and “Change the way users log on and off”.
   a) Remove the Welcome Screen
8. Log in to 'all'.
9. Set desktop background, silver theme, power settings and icons on desktop.
10. Run programs, MS Office apps and OpenOffice to ensure installation, and Adobe Reader for the license prompt. Set search options for I.E.
11. Log out of “all” and log back into the administrative account.
12. Run SteadyState.
13. Set restrictions in SteadyState:
   a) Windows Restrictions: select high and UNCHECK:
      Start Menu > Remove the control panel icon
      General Restrictions > Prevent Autoplay on CD / DVD
      General Restrictions > Prevent access to Windows Explorer features...
         (this will allow the tabs to function in IE7.)
      General Restrictions > Remove CD and DVD burning
      General Restrictions > Disable Notepad and Wordpad
      General Restrictions > Prevent users from saving files to Desktop
      Hide Drives > Local Disk (C:)
   b) Feature Restrictions: high but unchecked:
      Internet Explorer Restrictions > Prevent Printing
      Menu Options > Remove Help
      Toolbar Options > Size, Full Screen, Print and Third Party Extensions Buttons.
      Microsoft Office Restrictions > Prevent use of visual basic...
         (this option will allow wizard templates to run, but could pose some risks.)
   c) Set home page to your library home page URL.
14. Set session timers (this is to prevent the screen saver from showing.)
   a) Log off after 700 minutes of use.
   b) Log off after 700 minutes idle.
15. Lock profile.
16. Reboot.
17. Set disk protection to Remove all changes at restart.

Commercial Solutions for All Operating Systems
