<div dir="ltr">As a matter of course, on public computers, I do the following to prevent anything other than the installed OS from running:<div>1) Put an admin password on the CMOS/BIOS config so a pesky patron doesn't get in there and change things.</div>
<div>2) Change the boot sequence to boot from the hard drive first and all other devices second.</div><div>3) If required, specifically disable the ability to boot from removable USB devices.</div><div><br></div><div>By doing the previous, you lock the computer into the OS/config of your choice and prevent the patron from booting to their own portable device. Typically, you can still boot to your own removable USB device or PXE network boot by entering the admin BIOS password.</div>
<div><br></div><div>That lays the foundation for keeping your OS secure.</div><div><br></div><div>Beyond that, you can change group policies to prevent autorun from running when a USB stick is plugged in. You can also change the policies in all sorts of ways to prevent patrons from getting into places they shouldn't ought to be. If you're desperate, you can also use GP to limit the programs that will run in Windows to the specific executables of your choosing. (Supposedly, anyway. I've never bothered to take things quite that far.)</div>
<div><br></div><div>You might also explore any lock-down options SAM gives you. There may very well be an option somewhere in there to prevent executables from running from USB drives, etc.</div><div><br></div><div>HTH,</div>
<div>Chad</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div>______________________________<br><b>Chad Neeper</b><br><font size="1">Senior Systems Engineer</font><br><br><b>Level 9 Networks</b><br><font size="1">740-548-8070 (voice)<br>
866-214-6607 (fax)</font><br><br><font size="1"><i>Full LAN/WAN consulting services -- Specialized in libraries and schools</i></font><br></div>
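<div>An added example, not part of the original message: a PowerShell check of the autorun group-policy setting mentioned above, decoding which drive types it covers. <code>NoDriveTypeAutoRun</code> is the registry value written by the "Turn off Autoplay" policy; the function name <code>Get-AutoRunPolicy</code> is illustrative.</div>

```powershell
# Added example (not from the thread): audit the AutoRun policy on a public PC.
# NoDriveTypeAutoRun is the registry value behind the "Turn off Autoplay" policy.
$PolicyPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Each set bit disables AutoRun for one drive type.
$DriveBits = @(
    @{ Bit = 0x01; Type = 'Unknown' }
    @{ Bit = 0x04; Type = 'Removable (USB stick)' }
    @{ Bit = 0x08; Type = 'Fixed' }
    @{ Bit = 0x10; Type = 'Network' }
    @{ Bit = 0x20; Type = 'CD-ROM' }
    @{ Bit = 0x40; Type = 'RAM disk' }
    @{ Bit = 0x80; Type = 'Unknown (reserved)' }
)

function Get-AutoRunPolicy {
    # Hypothetical helper name; reads the policy value from one registry hive.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')

    $key  = "${Hive}:\$PolicyPath"
    $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Key or value absent: the policy is not configured in this hive.
        return [pscustomobject]@{
            Hive = $Hive; Configured = $false; Mask = $null
            Disabled = @(); RemovableBlocked = $false
        }
    }
    $mask     = [int]$prop.NoDriveTypeAutoRun
    $disabled = @($DriveBits | Where-Object { $mask -band $_.Bit } | ForEach-Object { $_.Type })
    [pscustomobject]@{
        Hive             = $Hive
        Configured       = $true
        Mask             = '0x{0:X2}' -f $mask
        Disabled         = $disabled
        RemovableBlocked = [bool]($mask -band 0x04)   # 0x04 = removable drives
    }
}

# Report both hives.
'HKLM', 'HKCU' | ForEach-Object { Get-AutoRunPolicy -Hive $_ } | Format-List

# To disable AutoRun for every drive type machine-wide (0xFF), run elevated:
# if (-not (Test-Path "HKLM:\$PolicyPath")) { New-Item -Path "HKLM:\$PolicyPath" | Out-Null }
# New-ItemProperty -Path "HKLM:\$PolicyPath" -Name NoDriveTypeAutoRun `
#     -PropertyType DWord -Value 0xFF -Force | Out-Null
```

<div>This covers only automatic launching when a drive is inserted; it does not stop a patron from starting an executable from the drive by hand, which is what the program-restriction policies mentioned above are for.</div>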
<br><br><div class="gmail_quote">On Thu, May 29, 2014 at 2:31 PM, Kyle D. Ledford <span dir="ltr"><<a href="mailto:kledford@columbus.rr.com" target="_blank">kledford@columbus.rr.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto"><div>Do you know if the patrons are restarting the PCs and booting from a USB? I know you can do this and pretty much run an entire OS off a USB drive, as I have done this and have thumb drives with different options of OS. Then the act of just removing the drive would freeze up the PC... <br>
<br>Kyle Ledford<div>Sent from my iPhone</div><div><br></div></div><div class=""><div><br>On May 29, 2014, at 11:59 AM, Bob Neeper <<a href="mailto:neeperro@oplin.org" target="_blank">neeperro@oplin.org</a>> wrote:<br>
<br></div></div><blockquote type="cite"><div>
<div><div class="">I don't know anything about SAM, but is
it possible that just plugging in a USB stick opens Windows Explorer?<br>
It will depend on how SAM is written.<br>
<br>
Explorer allows browsing in your PC, where Internet Explorer (or
almost anything) could be started.<br>
<br>
You can test this easily enough with a USB stick.<br>
If you see this, click on the icon.<br>
<br></div>
<dajiidbc.png><br>
<br>
<br>
<div>
<pre cols="80"><div class="">R. W. (Bob) Neeper
<a href="http://sunbury.cool-cat.org" target="_blank">Community Library</a>
44 Burrer Dr. <a href="http://maps.google.com/maps?q=40.243961,+-82.863007" target="_blank">Map</a>
Sunbury, Oh 43074
Tel: <a href="tel:%28740%29-965-3901" value="+17409653901" target="_blank">(740)-965-3901</a>
</div><a href="http://info.cool-cat.org" target="_blank"><COOL.jpg></a></pre>
</div><div class="">
On 5/29/2014 10:40 AM, Amy Deuble wrote:<br>
</div></div><div class="">
<blockquote type="cite">
<div>
<p class="MsoNormal">We are using Comprise’s SAM for public
computer sign-up. For the most part it works fine, but we are
beginning to notice an increase in patrons bypassing the
system most likely by running an app from a USB drive or
Smartphone. Occasionally, when a patron has bypassed SAM we
find the computer hung up with a message saying the version of
Windows is invalid. The only way to reset the computer is by
unplugging it. Shutdown or pressing the power button doesn’t
work. The computers all have Deep Freeze installed and work
            fine once they have been reset.</p>
<p class="MsoNormal">Any
ideas on how to prevent this from happening? We don’t want to
turn off the USB ports since a patron may legitimately need to
save something to a USB drive. The odds seem to be stacked
against us when companies like LastPass (<a href="https://lastpass.com/go-premium/" target="_blank">https://lastpass.com/go-premium/</a>)
offer tools like the one described below. This makes it sound
like they can bypass not only SAM but our filters as well.
            Certainly makes things more interesting for us! :-)</p>
          <p class="MsoNormal"><b><span>Tools for Locked-Down
                Computers</span></b></p>
<p class="MsoNormal"><span>Does your workplace prohibit
downloads? Or block access to most external sites? Utilize
LastPass for Applications or IE Anywhere to hook into your
browser by running LastPass from a USB thumb drive, so you
              can still access your important data where you need it.</span></p>
          <p class="MsoNormal">Amy Deuble</p>
          <p class="MsoNormal">Marion Public Library</p>
          <p class="MsoNormal">Marion, Ohio</p>
          <p class="MsoNormal"><a href="mailto:adeuble@marion.lib.oh.us" target="_blank">adeuble@marion.lib.oh.us</a></p>
          <p class="MsoNormal"><a href="tel:740-383-9722" value="+17403839722" target="_blank">740-383-9722</a></p>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
OPLINTECH mailing list
<a href="mailto:OPLINTECH@lists.oplin.org" target="_blank">OPLINTECH@lists.oplin.org</a>
<a href="http://lists.oplin.org/mailman/listinfo/oplintech" target="_blank">http://lists.oplin.org/mailman/listinfo/oplintech</a>
Search: <a href="http://oplin.org/techsearch" target="_blank">http://oplin.org/techsearch</a>
</pre>
</blockquote>
<br>
</div></div></blockquote></div><br>
<br></blockquote></div><br></div>