[OPLINTECH] Patrons bypassing computer sign-in system

Chad Neeper cneeper at level9networks.com
Thu May 29 23:49:00 EDT 2014


As a matter of course, on public computers, I do the following to prevent
anything other than the installed OS from running:
1)  Put an admin password on the CMOS/BIOS config so a pesky patron doesn't
get in there and change things.
2)  Change the boot sequence to boot from the hard drive first and all
other devices second.
3)  If required, specifically disable the ability to boot from removable
USB devices.

By doing the previous, you lock the computer into the OS/config of your
choice and prevent the patron from booting to their own portable device.
Typically, you can still boot to your own removable USB device or PXE
network boot by entering the admin BIOS password.

That lays the foundation for keeping your OS secure.

Beyond that, you can change group policies to prevent autorun from running
when a USB stick is plugged in. You can also change the policies in all
sorts of ways to prevent patrons from getting into places they shouldn't
ought to be. If you're desperate, you can also use GP to limit the programs
that will run in Windows to the specific executables of your choosing.
(Supposedly, anyway. I've never bothered to take things quite that far.)

You might also explore any lock-down options SAM gives you. There may very
well be an option somewhere in there to prevent executables from running
from USB drives, etc.

HTH,
Chad


______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*


On Thu, May 29, 2014 at 2:31 PM, Kyle D. Ledford <kledford at columbus.rr.com>
wrote:

> Do you know if the patrons are restarting the PCs and booting from a USB? I
> know you can do this and pretty much run an entire OS off a USB drive as I
> have done this and have thumb drives with different options of OS. Then
> the act of just removing the drive would freeze up the PC ....
>
> Kyle Ledford
> Sent from my iPhone
>
>
> On May 29, 2014, at 11:59 AM, Bob Neeper <neeperro at oplin.org> wrote:
>
> I don't know anything about SAM but is it possible just plugging in a USB
> stick opens Windows explorer?
> It will depend on how SAM is written.
>
> Explorer allows browsing in your PC, where Internet Explorer (or almost
> anything) could be started.
>
> You can test this easily enough with a USB stick.
> If you see this, click on the icon.
>
> <dajiidbc.png>
>
>
>  R. W. (Bob) Neeper
>  Community Library <http://sunbury.cool-cat.org>
> 44 Burrer Dr.  Map <http://maps.google.com/maps?q=40.243961,+-82.863007>
> Sunbury, Oh 43074
> Tel:  (740)-965-3901
> <COOL.jpg> <http://info.cool-cat.org>
>
>  On 5/29/2014 10:40 AM, Amy Deuble wrote:
>
>  We are using Comprise’s SAM for public computer sign-up. For the most
> part it works fine, but we are beginning to notice an increase in patrons
> bypassing the system most likely by running an app from a USB drive or
> Smartphone. Occasionally, when a patron has bypassed SAM we find the
> computer hung up with a message saying the version of Windows is invalid.
> The only way to reset the computer is by unplugging it. Shutdown or
> pressing the power button doesn’t work. The computers all have Deep Freeze
> installed and work fine once they have been reset.
>
> Any ideas on how to prevent this from happening? We don’t want to turn off
> the USB ports since a patron may legitimately need to save something to a
> USB drive. The odds seem to be stacked against us when companies like
> LastPass (https://lastpass.com/go-premium/) offer tools like the one
> described below. This makes it sound like they can bypass not only SAM but
> our filters as well.  Certainly makes things more interesting for us! :)
>
> *Tools for Locked-Down Computers*
>
> Does your workplace prohibit downloads? Or block access to most external
> sites? Utilize LastPass for Applications or IE Anywhere to hook into your
> browser by running LastPass from a USB thumb drive, so you can still access
> your important data where you need it.
>
> Amy Deuble
>
> Marion Public Library
>
> Marion, Ohio
>
> adeuble at marion.lib.oh.us
>
> 740-383-9722
>
>
>
>
>
>
> _______________________________________________
> OPLINTECH mailing list
> OPLINTECH at lists.oplin.org
> http://lists.oplin.org/mailman/listinfo/oplintech
> Search: http://oplin.org/techsearch
>
>
>
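The autorun and removable-drive restrictions discussed in this thread correspond to a few local policy registry values. The PowerShell audit below is an added example, not part of the original messages and not anything supplied by SAM. The `-Remediate` switch and the `Test-KioskPolicy` function name are illustrative; the registry values are the ones written by the "Turn off AutoPlay", "Set the default behavior for AutoRun" and "Removable Disks: Deny execute access" policies.

```powershell
# Added example: audit (and optionally set) the local policy values behind
# AutoPlay/AutoRun and "Removable Disks: Deny execute access".
param([switch]$Remediate)   # illustrative switch; writing requires an elevated session

# Device class GUID for removable disks used by the Removable Storage Access policies.
$removable = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$explorer  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$expected = @(
    [pscustomobject]@{ Setting = 'AutoPlay off for all drive types'
        Path = $explorer; Name = 'NoDriveTypeAutoRun'; Value = 255 }
    [pscustomobject]@{ Setting = 'autorun.inf commands ignored'
        Path = $explorer; Name = 'NoAutorun'; Value = 1 }
    [pscustomobject]@{ Setting = 'Removable disks: deny execute'
        Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$removable"
        Name = 'Deny_Execute'; Value = 1 }
)

function Test-KioskPolicy {
    param($Item)
    # A missing key or value means the policy is not configured on this machine.
    $current = (Get-ItemProperty -Path $Item.Path -Name $Item.Name `
                    -ErrorAction SilentlyContinue).($Item.Name)
    [pscustomobject]@{
        Setting  = $Item.Setting
        Current  = if ($null -eq $current) { '<not set>' } else { $current }
        Expected = $Item.Value
        Ok       = ($current -eq $Item.Value)
    }
}

$results = foreach ($item in $expected) {
    $r = Test-KioskPolicy $item
    if (-not $r.Ok -and $Remediate) {
        # Create the policy key if absent, write the DWORD, then re-check.
        if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        Set-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -Type DWord
        $r = Test-KioskPolicy $item
    }
    $r
}

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }   # non-zero exit when any setting is off
```

`Deny_Execute` leaves read and write access to USB drives in place, so patrons can still save files to them. On machines running Deep Freeze, apply the change while the machine is thawed so it survives the next reboot.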