[OPLINTECH] patron USB drive

Joe Knueven joe at gtownlibrary.net
Tue Aug 18 13:14:51 EDT 2015


I want to give a +1 to Chad’s comment about running with a more open approach.

Here, we only lock down our computers enough to prevent the public from disabling/circumventing our time limit software and our deepfreeze-like software.  I too have come to the conclusion that it’s not worth the time and cost to try to lock out the one in 200 who is going to try to do something and annoy several of those other patrons in the meantime.

Besides that, even if they do get past our defenses and blow up the installation, I can reimage the computer and have it back in service in about 30 minutes, and only about 5 of those minutes require my presence.

Have a good day.

Joe


Joseph Knueven
Director
Germantown Public Library
51 N. Plum St.
Germantown, OH 45327
937-855-4001
joe at gtownlibrary.net

From: oplintech-bounces at lists.oplin.org [mailto:oplintech-bounces at lists.oplin.org] On Behalf Of Chad Neeper
Sent: Monday, August 17, 2015 11:18 AM
To: OPLINTECH
Subject: Re: [OPLINTECH] patron USB drive

It sounds like you're already doing pretty much all you can do. You've disabled boot from USB in the firmware config and disabled autorun in Windows. I'm not sure there's much more you can do without disallowing USB devices entirely. I assume you Deep Freeze...

I suppose one more thing you could do would be to make use of a white-list type manager that would disallow any executables from USB devices except what's white-listed. I think Faronics (makers of Deep Freeze) also has a white-list type of tool. If you could prevent all executables from the USB devices, you might limit it to data storage only.

Personally, these days I tend to prefer a more open approach and let the patrons pretty much do what they will and rely on DF to restore the computer between patrons. For all the effort and money I might put into locking the computers down and restricting usage to a completely controlled set of use cases, I could be driving dozens of patrons with legitimate needs away from the library for every one potentially malicious user I might prevent (or delay) from their nefarious doings...and then some brilliant nine year old is going to negate the efforts in 30 seconds anyway. LOL!




______________________________
Chad Neeper
Senior Systems Engineer

Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)

Full IT/Computer consulting services -- Specialized in libraries and schools

On Mon, Aug 17, 2015 at 8:47 AM, Kevin Jones <kjones at coshoctonlibrary.org> wrote:
Hello everyone,

A patron recently forgot a USB drive in one of our computers.  After looking at it to discover the owner, I found that it was made into a portable gaming USB drive that had Technic Launcher on it for Minecraft.  After reading about this, it allows them to install and manage modpacks for Minecraft.

I don't allow the USB drives to be bootable at startup or to autorun in order to keep patrons from getting past PC Reservation without logging in.  I am not very familiar with the online gaming stuff, so I was wondering if there were any security issues with allowing patrons to continue using USB devices in this manner?

Is there a way to keep portable OS devices and game launching devices from working without stopping the use of USB drives for saving files or opening Word docs and the like?


