[OPLINTECH] Moving to less-locked-down public computers with DeepFreeze

Vanessa Bradt vanessab at norwalk.lib.oh.us
Thu Jan 29 14:07:38 EST 2009


I agree with Bill. Rebooting between patrons is the ideal solution.

Vanessa Bradt


46 West Main St.
Norwalk, OH  44857
419-668-6063

visit us at www.norwalk.lib.oh.us

Keys to the Past...Gateway to the Future



From: Bill Hardison [mailto:bhardison at norweld.org]
Sent: Tuesday, January 27, 2009 2:31 PM
To: JKENZIG
Cc: oplintech at oplin.org
Subject: Re: [OPLINTECH] Moving to less-locked-down public computers with DeepFreeze

I would say the best reason to reboot between patrons (if not about the only one) is patron to patron protection.  If I stroll in and have a nasty bit of malware on a thumb drive and infect (even with GREAT protection software running) the public PC, the next patron, with a storage device, is likely to take it home with them.

Just my 2¢ worth

Bill

Bill Hardison
Computer Services Coordinator
Northwest Regional Library System (NORWELD)
On Tue, Jan 27, 2009 at 12:46 PM, JKENZIG <JKENZIG at cuyahogalibrary.org> wrote:

Not sure why you want to totally reboot between patrons.  Cassie clears out internet cache at logout.  You will have a lot of issues with cassie scheduling if you reboot after each patron.

We set up deepfreeze to go into maintenance mode overnight once per week and set it to download and install updates and then refreeze the workstation on a reboot prior to opening.



We only reboot the systems if a patron starts having problems on them and then Deepfreeze resets them to normal.



Jim Kenzig
Network Manager
Cuyahoga County Public Library

Administrative Offices

2111 Snow Road / Parma, OH 44134-2728

p 216.749.9389 / f 216.749.9445

www.cuyahogalibrary.org



From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] On Behalf Of John Librarian
Sent: Tuesday, January 27, 2009 9:42 AM
To: oplintech at oplin.org; SYSLIB-L at listserv.buffalo.edu
Subject: [OPLINTECH] Moving to less-locked-down public computers with DeepFreeze



Right now our public computers are locked down so that you can't install anything, can't run anything that's not on our run-only list, etc.  This of course is in order to keep each computer from getting messed up for subsequent patrons, and to protect other machines on the network.  Of course, there are times when the computers won't do something a patron wants to do, like using a web site that requires its own special software to be installed or running a program from a CD-ROM for school.

So, we're going to try switching to a less-locked-down setup.  We're going to use Deep Freeze to restore computers when they reboot, and we're going to use CASSIE to reboot between patrons.  (Both of these programs are new to us.)  I would appreciate any suggestions for further measures to take to keep things secure and running nicely.  Our environment: We have 34 public PCs which we're replacing with new ones (with Windows XP); we have an Active-Directory-enabled Windows domain with one DC, running Server 2003.

My ideas are to have one user account per computer (with permissions only to that computer) as a local power user, to put these computers on a separate subnet and if possible a VLAN, and to make sure our Windows server is locked down as much as possible.  I could put them on a separate segment of the firewall, but I understand that you can't manage a Windows domain through a firewall (or any other kind of router) and it seems like it would be useful to manage these computers on our existing domain.  I don't yet know how we can keep users from turning off CASSIE after they log in; I'm not sure if keeping them from running taskmgr.exe will do it; if nothing else I suppose we can have a script run every minute or 5 minutes, check for the CASSIE process, and reboot if it's not running (I think I can make this invisible to the user using a VBS instead of just a BAT file).

Thanks for any help you can give me, even if it's just thoughts, or reasons you think this is a bad idea.  If you reply privately I won't forward your info to anyone - I know you might not want to talk publicly about your security.

 johnqlibrarian at gmail.com

_______________________________________________
OPLINTECH mailing list
OPLINTECH at oplin.org
http://mail.oplin.org/mailman/listinfo/oplintech
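
The watchdog idea raised in the original question (check periodically for the session-management process and reboot if it is gone) could look like the following; this is an added example, not part of any poster's message and not CASSIE or Deep Freeze code. The process name `SessionClient`, the log path and the thresholds are placeholders, since the thread does not give CASSIE's process name, and the script is assumed to be started at boot under an account the patron login cannot control.

```powershell
# Added example: reboot a public PC when its session-management client stops running.
# 'SessionClient' is a placeholder; the thread does not give the real process name.
param(
    [string]$ProcessName        = 'SessionClient',
    [int]   $IntervalSeconds    = 60,   # the thread suggests every 1 to 5 minutes
    [int]   $MissesBeforeReboot = 2,    # tolerate one miss, e.g. a client restart
    [string]$LogPath            = "$env:SystemRoot\Temp\session-watchdog.log"
)

function Test-ProcessRunning {
    param([string]$Name)
    # With the error silenced, Get-Process returns nothing when no such process exists.
    return [bool](Get-Process -Name $Name -ErrorAction SilentlyContinue)
}

function Get-WatchdogAction {
    # Pure decision step: 'ok', 'wait' (missed, still under threshold) or 'reboot'.
    param([bool]$Running, [int]$Misses, [int]$Threshold)
    if ($Running) { return 'ok' }
    if (($Misses + 1) -ge $Threshold) { return 'reboot' }
    return 'wait'
}

function Write-WatchdogLog {
    param([string]$Message)
    # The log lives on the frozen volume, so it only survives until the next reboot.
    Add-Content -Path $LogPath -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

$misses = 0
while ($true) {
    $running = Test-ProcessRunning -Name $ProcessName
    switch (Get-WatchdogAction -Running $running -Misses $misses -Threshold $MissesBeforeReboot) {
        'ok'     { $misses = 0 }
        'wait'   { $misses++; Write-WatchdogLog "$ProcessName missing ($misses)" }
        'reboot' {
            Write-WatchdogLog "$ProcessName still missing, rebooting"
            Restart-Computer -Force   # the restore-on-reboot tool resets the machine
            return
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

A watchdog started from the patron's own logon session can be ended the same way as the process it watches, which is why the account it runs under matters more than whether its window is hidden.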

