[OPLINTECH] Moving to less-locked-down public computers with Deep Freeze

John Librarian johnqlibrarian at gmail.com
Tue Jan 27 09:42:12 EST 2009 

Right now our public computers are locked down so that you can't install
anything, can't run anything that's not on our run-only list, etc.  This of
course is in order to keep each computer from getting messed up for
subsequent patrons, and to protect other machines on the network.  Of
course, there are times when the computers won't do something a patron wants
to do, like using a web site that requires its own special software to be
installed or running a program from a CD-ROM for school.

So, we're going to try switching to a less-locked-down setup.  We're going
to use Deep Freeze to restore computers when they reboot, and we're going to
use CASSIE to reboot between patrons.  (Both of these programs are new to
us.)  I would appreciate any suggestions for further measures to take to
keep things secure and running nicely.  Our environment: We have 34 public
PC's which we're replacing with new ones (with Windows XP); we have an
Active-Directory-enabled Windows domain with one DC, runningServer 2003.

My ideas are to have one user account per computer (with permissions only to
that computer) as a local power user, to put these computers on a separate
subnet and if possible a VLAN, and to make sure our Windows server is locked
down as much as possible.  I could put them on a separate segment of the
firewall, but I understand that you can't manage a Windows domain through a
firewall (or any other kind of router) and it seems like it would be useful
to manage these computers on our existing domain.  I don't yet know how we
can keep users from turning off CASSIE after they log in; I'm not sure if
keeping them from running taskmgr.exe will do it; if nothing else I suppose
we can have a script run every minute or 5 minutes, check for the CASSIE
process, and reboot if it's not running (I think I can make this invisible
to the user using a VBS instead of just a BAT file).

Thanks for any help you can give me, even if it's just thoughts, or reasons
you think this is a bad idea.  If you reply privately I won't forward your
info to anyone - I know you might not want to talk publicly about your
security.

 johnqlibrarian at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.oplin.org/pipermail/oplintech/attachments/20090127/3aa600c4/attachment.html

More information about the OPLINTECH mailing list