[OPLINTECH] Moving to less-locked-down public computers with DeepFreeze

Mohamed Ragheb mohamed.ragheb at wadsworthlibrary.com
Tue Jan 27 10:53:20 EST 2009


Hello,

As for Deep Freeze, I have used it for a long time now in different
libraries; it's a very great product and easy to use. There are 2 different
versions available, Standard and Enterprise. I have used both of them and
definitely recommend the Enterprise edition: you will be able to install it
on your server and create an installation package which you can configure to
fit your purpose, such as turning on computers at a certain time through WOL
("Wake On LAN"), which you can enable in the BIOS if your computers support
it; turning off the computers at a certain time; scheduling your updates
either through WSUS or locally on each machine; and choosing what drives to
freeze and what to leave thawed, such as an external hard drive (USB or
FireWire). Then you will install this package on each computer. Also, you can
create a seed instead of the installation package. On the other hand, from
the admin console you will be able to restart any workstation at any time or
reboot it thawed for any reason, send a text message, and a whole bunch of
other things. If you are going to install the workstations on a different
subnet than where your server is located, then you need to go under
Miscellaneous, then change the default option from LAN to WAN/LAN, then
specify the IP for your server.

The other part, about Cassie: I never used it; I used EnvisionWare and SAM.
But regardless of the situation I would NOT recommend creating a different
user per computer; this will be very hard to manage. The best way is to
create one user and configure GPO to control all the settings for that user
from your domain; that way you can lock or open any features at any point
easily.

Thanks and hope that helps

Mohamed A. Ragheb 
Technology Manager 
Wadsworth Public Library 
132 Broad Street 
Wadsworth, OH 44281-1897 
Phone: 330-335-2600 
Fax: 330-334-6605 
http://www.wadsworthlibrary.com 

-----Original Message-----
From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] On
Behalf Of John Librarian
Sent: Tuesday, January 27, 2009 9:42 AM
To: oplintech at oplin.org; SYSLIB-L at listserv.buffalo.edu
Subject: [OPLINTECH] Moving to less-locked-down public computers with
DeepFreeze

Right now our public computers are locked down so that you can't install
anything, can't run anything that's not on our run-only list, etc.  This of
course is in order to keep each computer from getting messed up for
subsequent patrons, and to protect other machines on the network.  Of
course, there are times when the computers won't do something a patron wants
to do, like using a web site that requires its own special software to be
installed or running a program from a CD-ROM for school. 

So, we're going to try switching to a less-locked-down setup.  We're going
to use Deep Freeze to restore computers when they reboot, and we're going to
use CASSIE to reboot between patrons.  (Both of these programs are new to
us.)  I would appreciate any suggestions for further measures to take to
keep things secure and running nicely.  Our environment: We have 34 public
PC's which we're replacing with new ones (with Windows XP); we have an
Active-Directory-enabled Windows domain with one DC, running Server 2003. 

My ideas are to have one user account per computer (with permissions only to
that computer) as a local power user, to put these computers on a separate
subnet and if possible a VLAN, and to make sure our Windows server is locked
down as much as possible.  I could put them on a separate segment of the
firewall, but I understand that you can't manage a Windows domain through a
firewall (or any other kind of router) and it seems like it would be useful
to manage these computers on our existing domain.  I don't yet know how we
can keep users from turning off CASSIE after they log in; I'm not sure if
keeping them from running taskmgr.exe will do it; if nothing else I suppose
we can have a script run every minute or 5 minutes, check for the CASSIE
process, and reboot if it's not running (I think I can make this invisible
to the user using a VBS instead of just a BAT file). 

Thanks for any help you can give me, even if it's just thoughts, or reasons
you think this is a bad idea.  If you reply privately I won't forward your
info to anyone - I know you might not want to talk publicly about your
security.

johnqlibrarian at gmail.com
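
The watchdog idea from the original question (check for the CASSIE process, reboot if it is missing), sketched as an added example that is not part of the thread or of either product. The process name is a placeholder because the thread does not give it; the grace period and the miss count are assumptions added so the machine does not reboot in a loop while the client is still starting.

```vbscript
' Added example: reboot the workstation if the session-management client stops.
Option Explicit

' Placeholder: the real CASSIE client process name is not given in the thread.
Const CLIENT_EXE = "CLIENT_PROCESS_PLACEHOLDER.exe"
Const POLL_SECONDS = 60          ' "every minute" from the original post
Const GRACE_SECONDS = 180        ' assumed: time after boot for the client to start
Const MISSES_BEFORE_REBOOT = 2   ' assumed: tolerate one missed poll
Const EVENT_WARNING = 2          ' WScript.Shell.LogEvent type for a warning
Const FORCED_REBOOT = 6          ' Win32Shutdown flags: 2 (reboot) + 4 (force)

Dim wmi, shell, misses
Set shell = CreateObject("WScript.Shell")
' The (Shutdown) privilege must be requested in the moniker for the reboot call.
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\.\root\cimv2")

' True if at least one process with the client's image name exists.
Function ClientRunning()
    Dim procs
    Set procs = wmi.ExecQuery( _
        "SELECT ProcessId FROM Win32_Process WHERE Name = '" & CLIENT_EXE & "'")
    ClientRunning = (procs.Count > 0)
End Function

' Record why the machine is restarting, then force the reboot.
Sub RebootNow()
    Dim os
    shell.LogEvent EVENT_WARNING, "Watchdog: " & CLIENT_EXE & " not running, rebooting."
    For Each os In wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem")
        os.Win32Shutdown FORCED_REBOOT
    Next
End Sub

WScript.Sleep GRACE_SECONDS * 1000   ' do not judge the client before it can start
misses = 0
Do
    If ClientRunning() Then
        misses = 0
    Else
        misses = misses + 1
        If misses >= MISSES_BEFORE_REBOOT Then
            RebootNow
            Exit Do
        End If
    End If
    WScript.Sleep POLL_SECONDS * 1000
Loop
```

Run it with `wscript.exe //B` so nothing is shown on screen, and start it from a context the patron account cannot control (for example a startup script or a scheduled task running as SYSTEM); a watchdog running inside the patron's own session can be ended the same way as the client it is watching.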
