- Date: Wed, 19 Mar 2003 08:56:58 -0600
- From: "Peter Caton" <peterc@xxxxxxxxxx>
- Subject: RE: Public-Access Computer Security
For us, the best solution is using Group Policies in tandem with a
product called Deep Freeze. Deep Freeze works similarly to some of the
products mentioned here before. A reboot "undoes" any changes patrons
have made. Deep Freeze does work with our sign-up system, Pharos, as
well.
In terms of our Group Policies, we block access to Search, Run, Control
Panel, Network Browsing, all drives but the CD-ROM and floppy, Right
Clicking on the Taskbar or Desktop, among others.
We also block the installation of programs to the computer as well. We
find that even though these policies are pretty restrictive, most, if
not all, patrons have access to everything they need.
The one thing you have to be careful of if you do give patrons full access
to machines is their ability to get on to your network. Of course, if
you have a separate subnet with a firewall dividing the two subnets,
this might not be an issue. For those of us who only have one subnet,
we have to be extremely careful how much access we give patrons.
Allowing too much access could give them the ability to "hack" into our
servers. We do have our servers locked down pretty tight, but there are
always holes in Microsoft's products. Therefore, instead of taking a
chance, we lock the patron machines down using Group Policy.
Group Policy is the most efficient way to lock down the machines, as we
can edit policies from the server, and then watch the changes go out
system wide. This is much easier than going from machine to machine.
Of course, Group Policies are not 100% efficient for the public arena,
and this is why we have chosen to use Deep Freeze as a "secondary system,"
if you will.
It is very difficult to know how to balance security vs. usage, but we
feel that if we give our patrons too much access, this could jeopardize
our ability to serve them. If patrons can "hack" into our system,
causing damage, we would not be able to serve them until we had a chance
to fix the problems that resulted from this attack.
Such an explanation usually placates most patrons. There are those that
do get infuriated by the minor inflexibility of our setup. However,
this type of patron is few and far between.
Peter W. Caton
Network Administrator
North Suburban Library
6340 N. Second Street
Loves Park, Illinois 61111-4184
(815) 633-4247 ext. 22
(815) 636-5042 (Fax)
e-mail: peterc@xxxxxxxxxx
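
An added example, not part of the original message: a PowerShell audit, run inside the patron logon session, that checks whether Explorer policy values matching the restrictions listed above have actually reached the machine. The mapping from those restrictions to these registry value names, and the CD-ROM drive letter D:, are assumptions.

```powershell
# Added example: compare the logged-on user's Explorer policy values to a
# public-access baseline. Value names are standard Explorer policy settings;
# which ones the poster's GPO sets is an assumption.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Drives patrons may still use. Floppy = A:, CD-ROM = D: (assumed letter).
$allowedDrives = 'A', 'D'

function Get-DriveMask([string[]]$Allowed) {
    # NoDrives / NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    $mask = 0
    foreach ($i in 0..25) {
        $letter = [string][char](65 + $i)
        if ($Allowed -notcontains $letter) { $mask = $mask -bor (1 -shl $i) }
    }
    return $mask
}

$driveMask = Get-DriveMask $allowedDrives

$baseline = [ordered]@{
    NoFind            = 1           # Search removed from the Start menu
    NoRun             = 1           # Run removed from the Start menu
    NoControlPanel    = 1           # Control Panel blocked
    NoNetHood         = 1           # network browsing icon hidden
    NoViewContextMenu = 1           # no right-click menu on the desktop
    NoTrayContextMenu = 1           # no right-click menu on the taskbar
    NoDrives          = $driveMask  # hide every drive except the allowed ones
    NoViewOnDrive     = $driveMask  # block opening every drive except the allowed ones
}

$actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

$report = foreach ($name in $baseline.Keys) {
    $value = $null
    if ($actual -and $actual.PSObject.Properties[$name]) { $value = $actual.$name }

    # A missing value means the policy never applied to this session.
    if ($null -eq $value)                { $status = 'MISSING' }
    elseif ($value -eq $baseline[$name]) { $status = 'OK' }
    else                                 { $status = 'MISMATCH' }

    [pscustomobject]@{ Policy = $name; Expected = $baseline[$name]; Actual = $value; Status = $status }
}

$report | Format-Table -AutoSize
```

Any row marked MISSING or MISMATCH indicates a machine where the policy did not apply as intended, which matters most on a single-subnet network where the patron machines share a segment with the servers.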