So many people sent great advice about securing our public-use PCs... thanks!  Several people asked me to post this to the list.  I've included the messages below along with the recommendations I sent to my administration. 

Some of the points that seemed to recur are:
- desktop protection software like Fortress, FoolProof, Window Washer, Centurion 
- keep virus software up to date
- forced logon
- WindowsNT or Linux are more secure operating systems
- post policies
- routinely clean temp or cache files

Thanks again for all the help!  

Priscilla Shontz
Driscoll Children's Hospital Medical Library
Corpus Christi, TX 
http://www.driscollchildrens.org/library/
________________________

My recommendations.

(1) IS install protection software on library public-use PCs, such as Fortress, FoolProof, Window Washer or Centurion.  (Note: turns out one of our IS people is quite familiar with Fortress, so that's probably what we'll use)

(2) IS upgrade library's public-use PCs to Windows NT.  I'm told that Windows NT and Linux are more secure for multi-user PCs.  (Note: we currently have 2 NT machines & 4 Windows95 machines)

(3) Investigate the idea of forced logons - where each user would have to log on and off to use the PC.  The campus is going toward this; library users now have to logon to use the PCs.  One hospital says they do this at night only.  I'm a little concerned about teaching everyone to do this (to remember to log off) and about what to do about students & patients who won't have a logon, though.  We could assign a logon to all med students (similar to the medres one) and have a guest logon for patients/public users.  (Note: med staff, residents, nurse managers, & med students can use the library after hours)

(4) Library staff delete the temporary Internet download files once a week.  We'd like to talk with someone  from IS about what other caches or drives we should routinely clean. 

(5) Library staff check Command Antivirus software once a week to be sure it's set on "disinfect."  IS staff teach library staff how to update virus software or check to see if virus software is updated.  (Note: this is only because the settings appear to have been changed recently) 

(6) Library staff will post Internet policy signs stating that computers are for work-related use and that Internet use is monitored.  
______________________

Here are the steps we took to prevent "inappropriate" use of the library
public computers:


1.      Posted signs stating Hospital Internet policy, computers to be used
for work related use only
2.      Met with ITS to discuss security steps
3.      Met with Security to discuss monitoring options (camera monitoring) 
4.      Purchased and installed the desktop security software FoolProof
5.      SJCRH assigned login/password required for access
6.      ITS set up printers on network  so printing can be monitored if
necessary
7.      Posted notices that internet use was being monitored
8.      Library staff makes its presence visible to computer users during
business hours 
9.      Library staff monitors Internet temporary files list (review and
delete once a week)
10.     Reports all inappropriate activity to HR, Security
11.     Printed out Internet file log from all 10 computers everyday for the
week of May 10-17, 1999, requested by HR. 

We are currently investigating software to clean out the cache and temp
files automatically. FoolProof has worked well locking them out of the
desktop. They can't save shortcuts or change wallpaper. They must log in and
save to network or floppy disk.
_________________________

Depending on what kind of computers you're running, there may or may not be
much you can do.  Computers running single user operating systems like
Windows 95/98 or Macintoshes (I'm going to take a giant leap and assume
you're using Windows 95/98 here) have no real security features; they were
designed with the notion that the computer would be used by one person (and
furthermore networking capabilities are a recent add-on feature for these
systems rather than being a fundamental part of the design philosophy) and
that security and access permissions are non-issues.  Because of this, it's
difficult to control what happens to these machines in a public-access
setting.  You can physically lock the box away so that people don't have
access to the disk drives, but if the machines are connected to the
Internet, it's still possible to download files via the Web, FTP or email
attachments.  There's also nothing preventing users from deleting or
modifying existing files.

There undoubtedly exist software packages that are designed to help mitigate
these problems by doing things like periodically trying to clean out suspect
files, but there's no way that this can be done with 100% reliability, since
during normal, legitimate operation, many files will be created and
modified, and there's no good way for a program to definitively figure out
which files should stay and which should go.  Also, there isn't much
stopping a creative user from disabling any such software, and you may have
to manually run it periodically, which can add a lot of administrative
overhead.  Realistically, the only way to maintain a high degree of control
over such a system is to physically control access to the machine; if anyone
can come in to the library and use the machines, you really can't expect to
have too much control over how they're (ab)used.

There are a few important distinctions that you have to draw regarding your
users.  If the problems with your computers are arising as a result of user
ignorance about things like viruses, executables and what is and isn't
appropriate use for your machines, then a little education might be all you
need.  A lot of users don't really know what they're doing and may not
realize that they're downloading and running dangerous files.  If you think
that users will respect your computer use policies, simply posting a copy
near the machines may take care of all the naughty pictures and executables.

If your users are deliberately abusing the machines, you may need some sort
of access controls.  If your users aren't particularly computer savvy or
literate, you may find some software tools that allow you to make your
Windows or Macintosh machines reasonably secure.  If your users are more
technically sophisticated, there isn't much that you can really do to
protect such a machine from someone who really wants to abuse it.  Also, the
general rule is that the more capabilities you grant, the less secure the
computer will be.  If you want to set the computer up, for example, for Web
browsing only, it's probably easier to make secure than if you want to allow
access to all of the machine's applications.

If you need to implement access controls, my suggestion would be to use a
more appropriate computer system.  Operating systems like Windows NT/2000
and Unixes (such as Linux) are much more appropriate for a public access
computer, at least as far as security is concerned.  Both of these systems
are designed as multi-user, networking systems and so have a number of
built-in access control features.  Both systems allow for multiple user
accounts.  Each user account can be created with a separate username and
password, and users can be granted file permissions that control which files
and directories they are allowed to read from and write to.  Both systems,
especially Linux, are also less prone to viruses because of a combination of
the file permissions and the fact that fewer viruses are written for these
systems.

With user accounts and file permissions, you have a lot of flexibility.  You
can create a guest account for general use which has tightly controlled file
permissions.  In Linux, and perhaps Windows NT, you could also have a
maintenance script set up which runs hourly or nightly or at some other
specified period which deletes files from the guest home directory that
aren't supposed to be there.  For trusted users who use the machines, you
can create individual user accounts that they can use which allow them
greater freedom and flexibility than the guest account.  You would also be
able to hold them accountable for their actions, since you can trace files
and user activities to a particular account.  Both systems are also a lot
more stable than Windows 95 or a Macintosh.  If properly set up, Windows NT
can probably run for weeks at a time without needing to be rebooted, while
Linux can go for months if not years without crashing or needing to be
rebooted.

There are a few drawbacks to using either of these systems.  The first is
price.  Linux is basically free (realistically, you'll probably spend
between $3 and $100 for the software, but you can install it on as many
machines as you like) and should run on your existing hardware, but Windows
NT/2000 is pricey and may require a hardware upgrade, especially if your
machines aren't fairly new.  On the other hand, users familiar with using
Windows 95/98 should be able to use Windows NT/2000 without much difficulty,
but they may not be used to Linux (though the interface can be configured to
be quite similar to Windows).  Both systems will require a knowledgeable
administrator to set up and maintain, but I suspect that after the initial
setup, it will be less work to maintain either system than a public-access
Windows 95/98 machine.  The other possible disadvantage is the availability
of software.  Windows NT runs most of the software that Windows 95 does,
including all of the major Web browsers, office suites and so forth, but
doesn't run DOS or Windows 3.x programs and may not work with certain other
programs.  Linux has a more limited selection of "mainstream" software.  It
will run Netscape and WordPerfect, but there is no version of Internet
Explorer, Word or Excel, for example.  It has Windows and DOS emulation
software that allows you to run many DOS and Windows programs, but the
emulators are still in a developmental stage and support for programs,
especially Windows programs, is still spotty.  If you have need for a
specific program that only runs under Windows 95/98, you may be stuck.

Above all, I'd mention that computer security experts commonly point out
that computer security is really about policies and common sense, and not
exotic technologies.  You can't expect to just install some "security
software" and walk away from the problem, confident that the program will
take care of things for you.  It's just like home security: simply locking
the front door and having a neighbor pick up your mail while you're gone is
probably going to have a greater effect on the security of your home than
installing an elaborate burglar alarm system will.

Hope some of this helps, or at least provides a starting point.
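
The periodic guest-account cleanup this reply describes could look like the following on Linux. This is an added example, not part of the original message; the function name, the paths and the cron schedule are assumptions, and it goes slightly further than the reply by wiping the guest home and restoring it from a skeleton directory instead of picking out individual files.

```bash
#!/bin/bash
# Added example (not from the original post). Resets a shared guest account's
# home directory to a pristine skeleton. All paths and names are assumptions.
#
# Usage: reset_guest_home GUEST_HOME SKEL_DIR [OWNER]
# Returns: 0 reset done, 2 unsafe path refused, 3 not a real directory,
#          1 delete or copy failed.
# Run it only while no guest session is active. Example cron entry (hourly,
# hypothetical install path):
#   0 * * * * root /usr/local/sbin/reset-guest-home /home/guest /etc/guest-skel guest

reset_guest_home() {
    local home=${1%/} skel=${2%/} owner=${3:-}

    # Only accept an absolute path at least two components deep, with no
    # "//" or ".." tricks, so a typo or an empty variable can never target
    # "/" or a top-level directory such as /home.
    case "$home" in
        *//*|*/..|*/../*) echo "refusing unsafe path: '$home'" >&2; return 2 ;;
        /*/*[!/]) ;;
        *) echo "refusing unsafe path: '$home'" >&2; return 2 ;;
    esac

    # The home itself must be a real directory. If the guest replaced it with
    # a symlink, the sweep below would land somewhere else.
    if [ -L "$home" ] || [ ! -d "$home" ] || [ ! -d "$skel" ]; then
        echo "not a real directory: '$home' or '$skel'" >&2; return 3
    fi

    # Remove everything inside the home, dotfiles included. find does not
    # follow symlinks here, so a link the guest planted is unlinked rather
    # than traversed; -xdev keeps the sweep on one filesystem.
    find "$home" -xdev -mindepth 1 -delete || return 1

    # Put back the known-good files. This also reverts any file the guest
    # modified, such as a tampered .profile.
    cp -a "$skel"/. "$home"/ || return 1

    # When run as root, hand the restored files back to the guest account.
    # -h changes a symlink itself instead of the file it points to.
    if [ -n "$owner" ]; then
        chown -Rh "$owner" "$home" || return 1
    fi
    return 0
}

# Run directly when given arguments; do nothing when sourced.
if [ "$#" -gt 0 ]; then
    reset_guest_home "$@"
fi
```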
____________________________

We use FoolProof  and Window Washer on our public computers and
reboot at least once each day.  We do not use a filter or any limit to
searching for information.
____________________________

I'm associated with a medical school, so my answer may be
different.  But let me take the easy way out and answer dogmatically and
let you filter what is appropriate to you.

1) Let me shout at the top of my lungs: "If you're going to be on the
internet, you had better have a good virus scanning program and keep it
current or you WILL pay the consequences."  If you look in the PC
Magazines, you'll find that there are 3 major contenders for top honors.
Some features may vary between them and some are more amenable to offering
you a reasonable cost for a site license, some offer better upgrades to
their data files as new viruses come out.  But above and beyond all, if
you're getting EMail, surfing the web, or sharing files with other
machines, get a good virus program.

2) Getting to the less dogmatic areas - if you have a PC open for public
use, you're going to have people who want to "tweak" the system and
download software to make the PC conform to their image.  However, too many
cooks break the PC (to mix a metaphor).  I can't see how we would survive
if we didn't do anything to lock down the PC.

Basically, we have the PCs set so the patrons can only touch a few of the
folders  (such as mydata) and not other folders.  This isn't 100 per cent,
but it helps enormously; even then, I often see the lab manager with a
scowl on his face as he spends yet another hour reloading windows.  Another
thing you may want to do is once the PC is set up how you want it, make a
copy of the hard drive onto a CD.  When the computer crashes (not if, but
when), you can reload the computer from the CD - there are programs made to
do just that (Norton Ghost comes to mind).

I will also add that I am a fan of Linux.  Having full Unix security
features, Linux lets you clearly assign who can alter the PC and who can't.

3) Filtering software is a fun area for debate.  I assume you're familiar
with court decisions about internet access in PUBLIC libraries.  I also
assume that you're familiar with the fact that some filtering companies
have also had political agendas.  In a medical library, it gets more
difficult as it is normal for patrons to look for information on things
that would not be appropriate in elementary schools (such as body parts).

As you may guess, I'm not a big fan of filtering software but I can see
where it may have a limited place.  Our position here has been that there
is recourse under "sexual harassment" but it hasn't been an easy decision.
At the same time, there have been instances where it was a very difficult
call to make in trying to balance individual rights, right to privacy,
right to academic freedom, etc. etc. etc. that make me want to take the
easy way out and open up a pizzeria.

Anyway, I hope that is helpful to you.
________________________

At present, I manually delete and 'clean-up' all 5 public computers once a
week (Monday mornings). We've set the history files to be kept for the
shortest possible time (one day) and request patrons not to accept cookies
unless absolutely necessary to enter a site; still, we often have to dump
the cache more than once a week. 

I recently purchased _Securing PCs and data in libraries and schools_ (Allen
C. Benson, Neal-Schuman Pubs., 1997) and I'm thinking of creating menus for
our pcs ... but that is venturing into the turf of IS staff (since our pcs
are on the hospital network), and we'd have to tread carefully.
__________________

We have our four "public" PCs in a central area where we can keep an eye on
them during the hours the library is staffed.  At night we shut them down to
the screen (Windows 98) where library users have to use their personal
network user id and password, so that there is some kind of record of who
uses them at night and weekends.  During the day we have a generic login for
the medical library which we use for these 4 PCs.  We too have had problems
with mis-use -- pornography, adult chat, gambling web sites, etc.  on these
PCs when we open the library in the morning, but I think it's helped since
we now require a personal login after hours.
_______________________

The two public user stations in our library operate using Windows NT.  We
had our IS people disable tons of options so that people cannot do much of
anything we don't want them to.  They are permanently logged onto the
hospital network under a special login, and individuals cannot log on as
themselves.  There is no filtering software, so they can, and have,
accessed inappropriate sites, but I believe this is a very rare occurrence.
All of this work has resulted in stations which require almost no
maintenance on our part, which we love.
_________________________

We have a few things going on - we use a Novell network so our students,
faculty and staff have to sign on - this also keeps the time so if the
downloaded objects are objectionable enough, you can look at the date and
time on the file and match it to the person who was signed on then!  There
are also some software packages that can pretty well lock down the PCs -
if you go to tucows and search security you'll find some - we are testing
a couple (sorry don't know the names right off) but they will let you put
different security levels on - up to they can't do ANYTHING!  Yippee!  You
have to be careful not to block them from the a: drive and things like
that though...
_______________________________

We purchased "Fortres", a software program that can be configured to the
level of security you desire. We disabled access to the c: drive to
prevent people from saving files, deleting files, etc. We limit access to
certain programs.  From the "start" box, the only option is "shut down".
No access to "my computer", explore, find, settings, etc.

We have some CAI programs that require writing to the hard drive to track
student progress. We can make these "privileged applications" to allow
this.

We have had a problem with intermittent disabling of Fortres, which I
think is caused by our Internet connection. I've asked IT to check it out,
and am still waiting.

Otherwise I am very satisfied with the program, which costs about $50 for
a single user workstation.
__________________________________





___________________
Priscilla K. Shontz 
Librarian, Driscoll Children's Hospital 
Medical Library 
3533 S. Alameda, Corpus Christi, TX 78411
http://www.driscollchildrens.org/library/
Phone: 361-694-5467   |   Fax:       361-694-4249
President, ALA New Members Round Table, http://www.ala.org/nmrt/
Co-chair, NASIG Continuing Education Committee, http://www.nasig.org/