Re: Securing common access computers

["Brewer, Alex D" <Brewerad () MONTEVALLO EDU>]

We use a 2 different tools, one is Deep Freeze, but we also use Clean Slate by Fortress, they both work exceptionally 
well.

Alexander Brewer * Network Specialist* SunGard Higher Education * University of Montevallo * Technology Services* 
Station 6520 Montevallo, AL 35115 * Tel (205) 665-8474 * Fax (205) 665-6519 * Brewerad () montevallo edu * Alex.Brewer 
() Sungardhe com 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael 
Sana
Sent: Wednesday, March 24, 2010 4:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Securing common access computers

Deep Freeze too for about 10 years now!  But let's not forget to implement "defense in depth" strategies...

Enable 802.1x if your switch supports it - this helps to prevent users from unplugging and plugging in their own 
machines...
Physically lock the computer down so it's more difficult to be stolen
Put a lock on the computer so it's more difficult to steal the hard drive
Set the system to boot from hard disk only (or network if you jumped onto the whole VDI bandwagon) so users cant reboot 
into their favorite linux hacking distro!
Set a BIOS password so that they cant go in and change the boot sequence to CD, etc.  
When creating the deepfreeze seed file, make sure you have the system set to reboot after hours (based on the location) 
so that no lingering scripts or software continues to "phone home" after hours.  This creates a desktop refresh period.
If your seed file contains "thaw space", create a windows scheduled task to purge this space hourly, daily/nightly so 
that no malicious scripts continue to live in there while we are out saving the rest of the world :)
Don't think of deep freeze as an anti-virus program

Just my quick two cents off the top of my head...

mike.sana.

Michael C. Sana MSIA, CISSP, CISM, CISA
Information Security Officer
Information Technology Services Division
 
Hawai`i Pacific University
1132 Bishop St. Suite 307
Honolulu, Hawai`i 96813
Telephone: (808) 687-7034
Fax: (808) 544-1404
Email: msana () hpu edu

"Quis custodiet ipsos custodes?"

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, 
MICHAEL
Sent: Wednesday, March 24, 2010 11:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Securing common access computers

We use DeepFreeze, too.....Are there any other options to this software?.....or is this "the state of the art"?

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach 
Jansen
Sent: Wednesday, March 24, 2010 2:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Securing common access computers

We use a program called Deepfreeze from Faronics to secure the public lab machines from configuration changes. 
Basically it removes any changes from a machine upon reboot, returning it to the state it was deployed in. The nice 
thing here is that students can do whatever they want on the machines, such as install software, change settings, and 
it's removed on reboot. Faronics has a similar program for kiosk type machines, though it has some additional browser 
lockdown features. 

We do have individual logins for accountability, except on kiosk machines, and have few problems with misuse. Kiosk 
machines are more likely to be abused since anyone can use them without a login. Deepfreeze does tend to make 
investigation harder, though not impossible.

Hardware keyloggers are certainly a threat, though I've yet to run into one in my environment.

Zach Jansen





-- 
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

> > > On 3/24/2010 at 12:08 PM, in message
<EB4A14AA71CE71448233A27D6E0953B101DF98C3392E () SNHU-CCR-A snhu edu>, "Witmer,
Robert" <r.witmer () SNHU EDU> wrote:
> Even though we require every student to have a laptop computer, historically 
> our organization has provided personal computers in common areas around main 
> campus/remote campuses for students to access specialized software, print 
> papers, access email or their student accounts, etc.   I'm wondering how 
> other organizations are securing their common access computers located in pc 
> labs, library, etc.  Specifically, from a hardware point of view, does 
> someone inventory every device for hardware key loggers/recording devices?  
> Do you require users to log into the machine for accountability?  Do you 
> restrict users from executing programs other than those you've loaded on the 
> pc?
>
> Thanks,
> Bob
>
>
> Please consider the environment before printing this e-mail.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.