[OPLINTECH] Moving to less-locked-down public computers with DeepFreeze

Bill Hardison bhardison at norweld.org
Tue Jan 27 14:30:36 EST 2009


I would say the best reason to reboot between patrons (if not about the only
one) is patron-to-patron protection.  If I stroll in and have a nasty bit of
malware on a thumb drive and infect (even with GREAT protection software
running) the public PC, the next patron, with a storage device, is likely to
take it home with them.

Just my 2¢ worth

Bill

Bill Hardison
Computer Services Coordinator
Northwest Regional Library System (NORWELD)

On Tue, Jan 27, 2009 at 12:46 PM, JKENZIG <JKENZIG at cuyahogalibrary.org> wrote:

> Not sure why you want to totally reboot between patrons.  Cassie clears
> out internet cache at logout.  You will have a lot of issues with Cassie
> scheduling if you reboot after each patron.
>
> We set up Deepfreeze to go into maintenance mode overnight once per week
> and set it to download and install updates and then refreeze the workstation
> on a reboot prior to opening.
>
> We only reboot the systems if a patron starts having problems on them and
> then Deepfreeze resets them to normal.
>
> *Jim Kenzig*
> Network Manager
> Cuyahoga County Public Library
>
> *Administrative Offices*
>
> 2111 Snow Road / Parma, OH 44134-2728
>
> *p *216.749.9389 / *f *216.749.9445
>
> www.cuyahogalibrary.org
>
>
>
> *From:* oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] *On
> Behalf Of *John Librarian
> *Sent:* Tuesday, January 27, 2009 9:42 AM
> *To:* oplintech at oplin.org; SYSLIB-L at listserv.buffalo.edu
> *Subject:* [OPLINTECH] Moving to less-locked-down public computers with
> DeepFreeze
>
>
>
> Right now our public computers are locked down so that you can't install
> anything, can't run anything that's not on our run-only list, etc.  This of
> course is in order to keep each computer from getting messed up for
> subsequent patrons, and to protect other machines on the network.  Of
> course, there are times when the computers won't do something a patron wants
> to do, like using a web site that requires its own special software to be
> installed or running a program from a CD-ROM for school.
>
> So, we're going to try switching to a less-locked-down setup.  We're going
> to use Deep Freeze to restore computers when they reboot, and we're going to
> use CASSIE to reboot between patrons.  (Both of these programs are new to
> us.)  I would appreciate any suggestions for further measures to take to
> keep things secure and running nicely.  Our environment: We have 34 public
> PCs which we're replacing with new ones (with Windows XP); we have an
> Active-Directory-enabled Windows domain with one DC, running Server 2003.
>
> My ideas are to have one user account per computer (with permissions only
> to that computer) as a local power user, to put these computers on a
> separate subnet and if possible a VLAN, and to make sure our Windows server
> is locked down as much as possible.  I could put them on a separate segment
> of the firewall, but I understand that you can't manage a Windows domain
> through a firewall (or any other kind of router) and it seems like it would
> be useful to manage these computers on our existing domain.  I don't yet
> know how we can keep users from turning off CASSIE after they log in; I'm
> not sure if keeping them from running taskmgr.exe will do it; if nothing
> else I suppose we can have a script run every minute or 5 minutes, check for
> the CASSIE process, and reboot if it's not running (I think I can make this
> invisible to the user using a VBS instead of just a BAT file).
>
> Thanks for any help you can give me, even if it's just thoughts, or reasons
> you think this is a bad idea.  If you reply privately I won't forward your
> info to anyone - I know you might not want to talk publicly about your
> security.
>
>  johnqlibrarian at gmail.com