Securing Your Computers for a Public Computing Environment
Keep your computer lab safe and running strong
July 10, 2007
This article was updated by TechSoup Technology Analyst Kevin Lo.
Organizations, libraries, and schools running public computer labs face a variety of complex computer security challenges. Not only must these institutions take steps to ensure the physical safety of their hardware, they must also take into account desktop integrity and security.
Keeping a lab of just 5 to 10 computers up and running can pose a challenge to anyone, but it can be especially daunting to those without extensive technical backgrounds. Yet once you have a firm grasp on the fundamentals of public-access security, successfully running a public lab is far from impossible. Below, we'll outline steps you can take to keep your hardware safe — and your computer lab running smoothly.
In order to prevent theft or loss, you must safeguard the equipment in your computer lab. Large items — such as TVs, monitors, and CPUs — can be fastened to desks or workstations with cable locks available at office-supply retailers.
Smaller items, however, such as keyboards and mice, often cost less to replace than to secure. If this is the case, your best bet may be simply to dissuade users from walking off with them in the first place. Putting identification codes on all equipment, either by branding or with ID tags and labels, is not only a good way to discourage theft but can also help you keep track of your inventory.
Organizations wishing to reduce the risk of label tampering may also wish to invest in asset tags, which can be ordered online or through your hardware manufacturer or refurbisher. These tamper-resistant tags offer the added benefit of serving as a permanent identification number for your machines. After all, it is a lot easier to track maintenance and repairs of "machine WFZ0A11" over time than it is "that machine with the small dent on its side."
To minimize maintenance time in public computer labs, it is important to prevent users from inadvertently causing problems, a constant risk in labs where patrons may make system changes without even realizing it. Altered settings or accidentally deleted applications and files can result in hours of potentially costly recovery work.
One way to control what users can and can't do on your public computers is to create group policies for different types of users. These policies, enforced through the logins, set up different levels of access to your system settings for different types of users. Whereas a certain group of users may have permission to make installations or access the control panel, for example, regular users might be restricted to surfing the Internet and creating and saving documents only.
This solution has its share of problems, however. Too many different access levels or interfaces may confuse users, and the various permissions can be difficult for computer lab administrators to monitor, especially in labs where there is no central server.
For this reason, administrators often use third-party desktop security programs that help them control permissions while at the same time simplifying user access. Lockdown software programs allow administrators to disable features (such as control panel settings, desktop patterns, and so on), determine what applications users can run, and specify the location where users must save files.
Because they do not necessarily require extensive IT knowledge, lockdown programs can be a good option in labs where administrators have limited technology experience or resources. Another benefit of lockdown programs is that they do not always require a server.
Depending on your lab setup, you may be able to monitor these settings from a central computer. If you are on a server-client network, you can create and manage permissions from a single computer. If you do not have a server and are using a peer-to-peer network, however, you will need to either install the program and set up permissions individually for each machine, or set up permissions on one computer and then clone your settings.
The following are some lockdown solutions available to computer labs using PCs. While one of these solutions, SteadyState, is free, Fortres 101 and WINSelect prices will vary according to the number of licenses purchased and any available nonprofit or academic discounts.
In addition to simplifying your computer interface by limiting the number of features available to users, Fortres 101 monitors and controls any changes to your system, such as file and drive access, user preferences, and software installations. And while not a substitute for content-filtering tools, Fortres 101 manages browser functionality as well.
When used with network add-on Central Station, Fortres 101 also allows you to quickly and easily manage permissions from a single computer on a client-server network.
Like Fortres 101, WINSelect provides an easy interface that allows you to control user permissions and restrictions on Windows computers. WINSelect does this by transforming your computer into what it calls a “kiosk-style” workstation with very limited permissions.
Because WINSelect does not allow you to manage settings centrally from a server, you instead set up permissions on one computer and then export and replicate these settings across the lab. WINSelect works with all versions of Windows, including older versions such as Windows 98 and 2000 and newer systems like XP and Vista.
SteadyState is a free download for computers running Windows XP. SteadyState's user interface allows you to monitor user settings and preferences as well as the settings for any Microsoft Office programs installed on your computers. While SteadyState will not run off of a central network, you can create settings using the program and then clone them on other computers in your lab.
One beneficial setting SteadyState offers is setting time limits on user sessions, eliminating the need for a lab employee to keep track of how long each visitor is spending on the computers. Together with its disk-protection features, SteadyState provides a complete package to safeguard and monitor your shared computers.
What if, instead of restricting users, you want to allow them to make as many changes as they want to the machines in your lab? For example, say you are running a basic computer course on how to install software and change settings; in this case, you would want to let users make changes freely. Fortunately, there are a number of disk-protection programs that can give you the ability to automatically undo changes and revert your machines to their previous, unaltered state once a user session has ended.
The following disk-protection solutions are just a few examples of systems often used in computer labs and other public-access environments. Prices will vary depending on the number of licenses you need to purchase, so check out the vendors’ Web sites for more information.
Clean Slate works by allowing administrators to set up certain permissions — such as antivirus updates or Windows updates — while disallowing other, unauthorized requests. As with Fortres 101, Clean Slate can be used with Central Station to centrally manage desktops on a network. (Without Central Station, however, Clean Slate settings on each client workstation must be changed individually.) Clean Slate works on Windows 2000 SP4 and Windows XP.
Deep Freeze allows a lab manager to maintain a large number of workstations; while users can make changes to a workstation during their session, Deep Freeze will reset the entire desktop upon rebooting. The program also offers a feature that allows users to save files in a space where they will not be lost upon restarting. Deep Freeze works with many different lab configurations and setups, and is compatible with all versions of Windows (including Vista) and Mac OS X 10.3 and 10.4.
Centurion's advanced management capabilities allow you to tailor it to your own facility's size and needs. You can use DriveShield to selectively revert changes to your workstations upon rebooting. As with Clean Slate, a central administration program can be used in conjunction with DriveShield for easy management. DriveShield software runs on Windows 95 through Windows XP, while Centurion's MacShield runs on Mac OS 8 through 10.
The aforementioned SteadyState not only lets you control permissions on your computers, it also allows you to restore computers to their original settings following a session. Once the software is installed, administrators can determine how changes should be retained or reverted upon reboot, depending on the user that was logged on.
SteadyState runs on Windows XP SP2 and is free for use on computers running a licensed version of the operating system.
If configured properly, your workstation-lockdown software should prohibit malicious programs from installing themselves; nevertheless, it's still essential that every computer in your lab have up-to-date antivirus and anti-spyware software installed. Each computer should also be set to automatically check for virus definition updates; otherwise, you should do this manually about every two weeks. All of the lockdown and disk-protection programs listed above work seamlessly with anti-spyware and antivirus programs.
You can also help avoid viruses and spyware by enforcing your lab's acceptable use policy, which we discuss in the following section. This policy should address the lab’s rules about downloading email to lab computers; saving and opening attachments; and downloading and installing software. This extra precaution — in combination with lockdown software — can help prevent users from inadvertently exposing the systems to malware.
Along with solid software protection, a sound acceptable use policy is also a must for most computer labs. Users of public computers should be asked to agree to the rules of such a policy before they are permitted to log on to the computers or enter the lab.
You should take into account a number of considerations when drawing up your acceptable use policy. Your policy should cover everything from protecting your equipment and your resources — for example, forbidding food or drink in the computer lab — to establishing appropriate use guidelines, such as whether users can play sound files on the computers.
Most acceptable-use policies touch upon the following guidelines, though your lab may have unique circumstances that require you to include additional items:
- Whether visitors under a certain age must have parental or guardian approval before using the machines.
- How chat rooms and social networking sites may be used.
- Whether fees apply for services such as printing and removable media (such as CDs or flash drives).
- Which topics users under 18 years old may access while surfing the Web.
- Whether food and drink are permitted in the computer lab.
- Whether teachers are responsible for monitoring the sites their students visit.
- Whether outside or downloaded software is permitted.
- Which sites users are prevented from visiting.
- Whether some equipment, like scanners, is restricted to staff use only.
- How visitors should sign in.
To help you create your document, you may find it useful to consult peers in your area with similar facilities, such as other schools, libraries, or organizations with comparable public-access areas. TechSoup also has a downloadable Sample Youth Center Acceptable Use Policy (DOC) for youth centers that you can use when drafting your own.
Copyright and Software Piracy
While the Internet has opened up exciting possibilities for teachers, students, researchers, and potential self-publishers, it has also increased the temptation to "borrow" others' copyrighted intellectual property, such as creative writing, art, photography, graphics, and software programs. For this reason, it is important that public computer labs protect themselves from possible lawsuits by educating their staff, clients, and students about copyright law. The U.S. Copyright Office and Creative Commons sites are good resources for fair usage and licensing.
Some of your lab's users may be tempted to bring in computer programs from home and install them in your lab without entering a valid license, or to install a single copy on multiple machines. Workstation lockdown and disk protection can address this on the system level, but users need to be educated that installing unlicensed software is a prohibited activity. In addition, the public lab should not be used as a conduit for violating software copyright laws, such as through file sharing and illegal distribution of copyrighted material.
Though keeping your public computer lab safe and vibrant should always be a top priority, it doesn't have to take over every minute of your workweek. If you implement the right security and maintenance software, and educate your lab's patrons about proper computer usage practices, you can offer a valuable service to your students — one that you and your employees can enjoy running.
About the Author:
Hilary Naylor is a technology consultant who specializes in projects for nonprofit organizations. She worked at CompuMentor from 1995 to 2004.
Copyright © 2007 CompuMentor. This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 License.