Re: Securing common access computers

[David Gillett <gillettdavid () FHDA EDU>]

 We use DeepFreeze in some areas, but not in all.  Besides users (usually
students but we don't know that's always the case...) downloading and
installing unauthorized software, we have some number who believe they're
entitled to unplug the college machine (cutting though any inconvenient
cable ties in the way) to plug a personal machine into the network.  (Our
most serious virus infestations have arrived this way!)  And I've had one
report of someone bringing in an external FireWire hard drive and rebooting
a college machine from it, so although it was mostly legitimate hardware the
O/S environment was entirely rogue.

David Gillett, CISSP


-----Original Message-----
From: Zach Jansen [mailto:zjanse20 () CALVIN EDU]
Sent: Wednesday, March 24, 2010 13:39
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Securing common access computers

We use a program called Deepfreeze from Faronics to secure the public lab
machines from configuration changes. Basically it removes any changes from a
machine upon reboot, returning it to the state it was deployed in. The nice
thing here is that students can do whatever they want on the machines, such
as install software, change settings, and it's removed on reboot. Faronics
has a similar program for kiosk type machines, though it has some additional
browser lockdown features.

We do have individual logins for accountability, except on kiosk machines,
and have few problems with misuse. Kiosk machines are more likely to be
abused since anyone can use them without a login. Deepfreeze does tend to
make investigation harder, though not impossible.

Hardware keyloggers are certainly a threat, though I've yet to run into one
in my environment.

Zach Jansen





--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

> > > On 3/24/2010 at 12:08 PM, in message
<EB4A14AA71CE71448233A27D6E0953B101DF98C3392E () SNHU-CCR-A snhu edu>, "Witmer,
Robert" <r.witmer () SNHU EDU> wrote:
> Even though we require every student to have a laptop computer,
> historically our organization has provided personal computers in
> common areas around main campus/remote campuses for students to access
specialized software, print
> papers, access email or their student accounts, etc.   I'm wondering how
> other organizations are securing their common access computers located
> in pc labs, library, etc.  Specifically, from a hardware point of
> view, does someone inventory every device for hardware key
loggers/recording devices?
> Do you require users to log into the machine for accountability?  Do
> you restrict users from executing programs other than those you've
> loaded on the pc?
>
> Thanks,
> Bob
>
>
> Please consider the environment before printing this e-mail.