We've used both SmartShield and DeepFreeze (I forget which we are using currently), but both met our needs, with few problems coming up. The biggest issue at first is ensuring users remember to save to OneDrive, pre-mapped SMB shares, and the like, instead of C:, but of course we've been trying to get them to move in that direction anyway.
Another pathway that's becoming available from our campus IT people is VDI, virtual desktops. The user logs into the PC only to connect to the server-served VDI image, which has all their necessary apps.
It's mostly been aimed at students so far, but we're just starting to explore it for shared-PC staff roles, such as our access services (manned check-in/check-out desk, etc.).
Bruce Orcutt
UTSA Libraries: Systems
(210) 458-6192
________________________________
From: Code for Libraries <[log in to unmask]> on behalf of Lolis, John <[log in to unmask]>
Sent: Thursday, December 14, 2023 11:20 AM
To: [log in to unmask] <[log in to unmask]>
Subject: [EXTERNAL] Re: [CODE4LIB] Securing shared workstations
I find your report of Deep Freeze being "fiddly" surprising. We've been
using it for years for our in-house public access computers, and it's been
rare that we've come across an issue. That notwithstanding, there's also
Reboot Restore Rx which only reverts to a saved configuration on demand,
not automatically upon reboot. We use it for our circulating laptops which
of course you don't want to restore with every reboot. There's also a free
version for home use: https://horizondatasys.com/reboot-restore-rx/.
Other than that, it's possible to script something that overwrites the
browser profile with the original, first-use one so that things are back to
square one as far as the browser is concerned. I did just that years ago
with a home-grown Linux OPAC kiosk using Chromium that would check for the
browser process and if it wasn't running, would kick off another script
that overwrote the profile to clear the history and relaunch Chromium.
As for dealing with authentication for MS365 and other cloud-based services
on shared computers, I feel your pain, Erich. I've reached the conclusion
that we as IT professionals spend far too much time working with or around
authentication processes and procedures all because it's become an abysmal
mess--and one that's continually foisted upon us whether we like it or not
by one nanny or the other: Microsoft, Google, Apple, et al.
John Lolis
Coordinator of Computer Systems
100 Martine Avenue
White Plains, NY 10601
tel: 1.914.422.1497
fax: 1.914.422.1452
https://whiteplainslibrary.org/
*"I would rather have questions that can't be answered than answers that
can't be questioned."*
— Richard Feynman, theoretical physicist and recipient of the Nobel Prize in Physics in 1965
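A minimal version of the kiosk watchdog John describes above (check whether the browser process is running; if not, overwrite the profile from a pristine first-use copy and relaunch). This is an added example, not John's script; the profile paths, the `chromium` process name and the OPAC URL are assumptions.

```shell
#!/bin/sh
# Kiosk browser watchdog for a shared public/OPAC machine.
# Keeps a read-only "golden" copy of the browser profile and, whenever the
# browser is not running, replaces the live profile with it before relaunch,
# so history, cookies and any saved logins from the previous user are gone.
# All paths and the browser command below are assumed values.
PRISTINE="${PRISTINE:-/opt/kiosk/profile.pristine}"      # assumed golden copy
LIVE="${LIVE:-/home/kiosk/.config/chromium}"               # assumed live profile
BROWSER="${BROWSER:-chromium --kiosk https://opac.example.org/}"  # assumed

# restore_profile SRC DST: discard DST entirely and recreate it from SRC.
# Returns 1 (and touches nothing) if SRC does not exist, so a missing golden
# copy never leaves the kiosk with no profile at all.
restore_profile() {
    src="$1"; dst="$2"
    [ -d "$src" ] || return 1
    rm -rf "$dst"                         # drops History, Cookies, Login Data
    mkdir -p "$(dirname "$dst")"
    cp -a "$src" "$dst"                   # -a keeps permissions and timestamps
}

# True when a chromium process exists (exact name match).
browser_running() {
    pgrep -x chromium >/dev/null 2>&1
}

# Poll every few seconds; reset and relaunch whenever the browser has exited.
watchdog_loop() {
    while :; do
        if ! browser_running; then
            restore_profile "$PRISTINE" "$LIVE" || exit 1
            $BROWSER &
        fi
        sleep 5
    done
}

# Only run the loop when started with KIOSK_WATCHDOG_RUN=1 (e.g. from a
# systemd unit or the kiosk user's session), not when sourced for testing.
if [ "${KIOSK_WATCHDOG_RUN:-0}" = "1" ]; then
    watchdog_loop
fi
```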
On Thu, 14 Dec 2023 at 10:33, Hammer, Erich F <[log in to unmask]> wrote:
> Ray,
>
> Because none of the users is an administrator on these workstations, I
> have no concerns about resetting the machines back to a previous state. If
> users log in as themselves, they can't affect other users. If they log in
> with a generic account, they won't/don't log out (so no reboots until the
> update system forces it). One of my questions about the circulation desks
> is whether they are logging out of their cloud services (i.e. Alma) or
> closing the browser any time they step away during "the swirl". If not,
> then they are violating the University usage policy (using other people's
> accounts). If they are, then how much different would it be to just log
> out of Windows completely.
>
> In my previous job, we wrestled with DeepFreeze for years for our labs and
> found it very "fiddly". It definitely was *not* trouble free, and we
> ultimately dropped it as Windows (and apps) got much better about
> restricting unprivileged users to their own profile.
>
> Appreciate the feedback anyway.
>
> Erich
>
>
> On Thursday, December 14, 2023 at 10:01, Ray Voelker eloquently inscribed:
>
> > This doesn't really solve your "shared login" problem, but I was always a
> > big fan of using the DeepFreeze software on shared computers. It does a
> > fantastic job of preventing those changes you were talking about from
> > "sticking" -- especially if you force a reboot after logout, which isn't
> > too hard to create a logout script to do that.
> >
> > https://www.faronics.com/deep-freeze-on-cloud
> >
> > --Ray
> >
> > On Thu, Dec 14, 2023 at 9:36 AM Hammer, Erich F <[log in to unmask]> wrote:
> >
> >> All,
> >>
> >> First, I apologize because this is much more of an IT question than a
> >> coding question, but I come from an IT/desktop support background with a
> >> particular interest in security.
> >>
> >> How are larger, academic libraries securing your employee-used, shared
> >> workstations -- specifically, the circulation desk machines and the
> >> back-end, ILL scanning stations? I have been trying mightily for a few
> >> years to eliminate the shared-password generic accounts because they
> >> present a real security/privacy concern. I am running into some real
> >> road-blocks though, and I'm wondering if anyone here has found solutions
> >> that work.
> >>
> >> Having viewed the chaotic state of the circulation desk with the constant
> >> churn of employees using the stations, I have conceded that it is better to
> >> use a generic login than to have folks log in/out constantly.
> >>
> >> The ILL employees who do a lot of scanning don't have the rapid-fire
> >> turnover at their workstations, but they (or their manager) is
> >> insisting on a generic login because the scans need to be saved in a
> >> specific, network location and Acrobat has no mechanism to set the
> >> default save location for all users. (I hate Adobe!) When we have
> >> tried using personal logins, folks forget, don't notice, or don't know
> >> about watching that the PDFs are saved in the proper location, and
> >> those scans have to be redone by someone else or are inaccessible
> >> within the particular employee's private user profile until they return
> >> to work (which could be days-weeks with student employees).
> >>
> >> In both cases, users still need to sign into services as themselves
> >> (the LSP -- Alma --, scheduling, wiki documentation, ILLiad, etc.), so
> >> I'm not really sure what the security advantages are with the generic
> >> account (especially for ILL scanning). I've had to push settings to
> >> prevent the browsers (Edge, Chrome and FireFox) from saving passwords.
> >> I also have automated scripts running to regularly blow away the MS
> >> Teams configuration to prevent users from using it as someone else.
> >> (Teams "helpfully" remembers credentials for one-click login even after
> >> logging out of it and rebooting.) I have not been able to find a way
> >> to do the same with MS Office, so I have been forced to uninstall it
> >> completely. Otherwise, everyone who uses it while logged onto the
> >> computer with the generic account is signed into/owns all the M365
> >> documents as the user who first used it (and had to sign into M365).
> >>
> >> The lack of Microsoft Office is the particular issue that I'm being
> >> pressed on to prompt me to post this. I should add that I can't use device
> >> licenses for M365 (where login/registration isn't required) because they
> >> only work with Azure Active Directory which we do not have. What are you
> >> all doing? I've been considering trying to set circ desk systems up as
> >> multi-app, auto-login kiosks so at least we don't need to share the generic
> >> password, but the other problems still remain.
> >>
> >> Any feedback is appreciated.
> >>
> >> Thanks,
> >> Erich
> >>
> >>
> >>
> >> --
> >> Erich Hammer Head of Library Systems
> >> [log in to unmask] University Libraries
> >> 518-442-3891 University @ Albany
> >>
> >> "Faith is the unflagging determination to remain ignorant
> >> in the face of any and all evidence that you're ignorant."
> >> -- Shaun Mason