This doesn't really solve your "shared login" problem, but I was always a big fan of using the DeepFreeze software on shared computers. It does a fantastic job of preventing those changes you were talking about from "sticking" -- especially if you force a reboot after logout, which isn't too hard to create a logout script to do that.

https://www.faronics.com/deep-freeze-on-cloud

--Ray

On Thu, Dec 14, 2023 at 9:36 AM Hammer, Erich F wrote:

> All,
>
> First, I apologize because this is much more of an IT question than a
> coding question, but I come from an IT/desktop support background with a
> particular interest in security.
>
> How are larger, academic libraries securing your employee-used, shared
> workstations -- specifically, the circulation desk machines and the
> back-end, ILL scanning stations? I have been trying mightily for a few
> years to eliminate the shared-password generic accounts because they
> present a real security/privacy concern. I am running into some real
> road-blocks though, and I'm wondering if anyone here has found solutions
> that work.
>
> Having viewed the chaotic state of the circulation desk with the constant
> churn of employees using the stations, I have conceded that it is better to
> use a generic login than to have folks log in/out constantly.
>
> The ILL employees who do a lot of scanning don't have the rapid-fire
> turnover at their workstations, but they (or their manager) are insisting on
> a generic login because the scans need to be saved in a specific, network
> location and Acrobat has no mechanism to set the default save location for
> all users. (I hate Adobe!) When we have tried using personal logins,
> folks forget, don't notice, or don't know about watching that the PDFs are
> saved in the proper location, and those scans have to be redone by someone
> else or are inaccessible within the particular employee's private user
> profile until they return to work (which could be days-weeks with student
> employees).
>
> In both cases, users still need to sign into services as themselves (the
> LSP -- Alma --, scheduling, wiki documentation, ILLiad, etc.), so I'm not
> really sure what the security advantages are with the generic account
> (especially for ILL scanning). I've had to push settings to prevent the
> browsers (Edge, Chrome and Firefox) from saving passwords. I also have
> automated scripts running to regularly blow away the MS Teams configuration
> to prevent users from using it as someone else. (Teams "helpfully"
> remembers credentials for one-click login even after logging out of it and
> rebooting.) I have not been able to find a way to do the same with MS
> Office, so I have been forced to uninstall it completely. Otherwise,
> everyone who uses it while logged onto the computer with the generic
> account is signed into/owns all the M365 documents as the user who first
> used it (and had to sign into M365).
>
> The lack of Microsoft Office is the particular issue that I'm being
> pressed on to prompt me to post this. I should add that I can't use device
> licenses for M365 (where login/registration isn't required) because they
> only work with Azure Active Directory which we do not have. What are you
> all doing? I've been considering trying to set circ desk systems up as
> multi-app, auto-login kiosks so at least we don't need to share the generic
> password, but the other problems still remain.
>
> Any feedback is appreciated.
>
> Thanks,
> Erich
>
> --
> Erich Hammer        Head of Library Systems
>                     University Libraries
> 518-442-3891        University @ Albany
>
> "Faith is the unflagging determination to remain ignorant
> in the face of any and all evidence that you're ignorant."
> -- Shaun Mason
>

--
*Ray Voelker*
Integrated Library Systems Administrator
Mobile phone: (937)620-1830
Office phone: (513)369-4583
Cincinnati & Hamilton County Public Library
800 Vine Street
Cincinnati, Ohio 45202
*For Minds of All Kinds*
CHPL.org <https://chpl.org/>
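
The logout-time cleanup described in this thread (browser password saving turned off by policy, Teams configuration removed, reboot after logout), written in PowerShell as an added example that is not code from either poster. The registry keys, Teams data paths and function names are assumptions; the thread does not say which settings or files the posters' own scripts touch.

```powershell
# Added example: logoff script for a shared, generic-account workstation.
# Assumed: runs as a Group Policy logoff script in the generic user's context,
# and that account holds the "Shut down the system" user right.

# Machine policy keys under which each browser reads PasswordManagerEnabled.
$PolicyKeys = [ordered]@{
    Edge    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    Chrome  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Firefox = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
}

function Test-PasswordSavingDisabled {
    # One result per browser; Disabled is true only when the value exists and is 0.
    foreach ($browser in $PolicyKeys.Keys) {
        $item = Get-ItemProperty -Path $PolicyKeys[$browser] -Name 'PasswordManagerEnabled' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Browser  = $browser
            Disabled = ($null -ne $item -and $item.PasswordManagerEnabled -eq 0)
        }
    }
}

function Clear-TeamsProfile {
    # Assumed per-user data locations: classic Teams, then new Teams.
    $targets = @(
        (Join-Path $env:APPDATA 'Microsoft\Teams'),
        (Join-Path $env:LOCALAPPDATA 'Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams')
    )
    # Stop running clients first so their files are not locked.
    Get-Process -Name 'Teams', 'ms-teams' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($path in $targets) {
        if (Test-Path -LiteralPath $path) {
            Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# Report drift in the password-saving policies before the session state is discarded.
Test-PasswordSavingDisabled | Where-Object { -not $_.Disabled } | ForEach-Object {
    Write-Warning "Password saving is not disabled by policy for $($_.Browser)."
}
Clear-TeamsProfile
# Reboot so that a reboot-to-restore product such as Deep Freeze discards the rest.
Restart-Computer -Force
```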