Hi,
Thanks for getting this discussion started. This is a problem we have been working on as well. It is difficult. But we've been able to remove all shared domain logins. With persistence I convinced most of the public service points that it had to be done. In some cases, this involved adjusting the workflow (staggering shift changes a bit so that only one person at a time is logging into their account). We also tried to ease the pain by working on shortening the login process (more memory and SSD drives) and setting up templates that imported the shared bookmarks from the previously shared user. Also we have really been taking the long view of really working the cybersecurity awareness program with constant and consistent messaging (which I *think* is helping).
But you are right: for a truly shared workstation where users are popping back and forth often, there really isn't a good solution that I've found. It seems like it should be out there. It exists for healthcare workers but I haven't found something that can be implemented on a smaller scale than a hospital system. I keep thinking that there might be a solution using persistent virtualized sessions but I couldn't find any way around the need for access to the local RFID pad.
But I think the next best option is a shared local login (as opposed to a shared domain user). If the workstation is compromised, then at least they don't have access to domain resources. This presents its own difficulties: Printing, for example (cloud printing can be a possible workaround), access to files (or shared scan locations) and the ones you have been discussing below. Could RDP access to a dedicated workstation help?
I also like your Kiosk idea. If you set that up, I'm sure we would appreciate getting a report on how it works out.
Brent
From: Code for Libraries <[log in to unmask]> On Behalf Of Hammer, Erich F
Sent: Thursday, December 14, 2023 2:21 PM
To: [log in to unmask]
Subject: Re: [CODE4LIB] Securing shared workstations
Another thing that came up (and I forgot about previously) is that in order to print shipping labels, ILLiad requires MS Word be installed. That is a *terrible* design choice considering how many "Google-shops" there are and how expensive MS Office is for single purchases. Consider that LibreOffice is free and open source and also has mail merge capability. Heck, Atlas/OCLC could "steal" the code from LibreOffice to make their product stand-alone.
Anyway, I have not had a chance to test it, but this Group Policy setting looks promising:
User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Miscellaneous
Block signing into Office
Thought someone might find that intriguing too.
Erich
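One way to make both points above checkable on a Windows workstation (Brent's preference for a shared local account over a shared domain account, and Erich's "Block signing into Office" policy), as an added PowerShell example that is not part of either message. It assumes, as the ADMX documentation describes it, that the policy is backed by the DWORD `SignInOptions` under `HKCU\Software\Policies\Microsoft\Office\16.0\Common\SignIn` (0 = both account types allowed, 1 = Microsoft account only, 2 = organization ID only, 3 = sign-in blocked); confirm that against your own ADMX before relying on it, and prefer the GPO itself for fleet-wide enforcement, using this only to verify or to cover machines outside the domain.

```powershell
# Added example, not from the CODE4LIB thread.
# Assumption: the "Block signing into Office" policy maps to the SignInOptions
# DWORD below. Writes HKCU, so run it as (or as a logon script for) the shared user.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\SignIn'
$BlockAll  = 3   # assumed value meaning: no sign-in permitted

function Set-OfficeSignInBlocked {
    # Create the policy key if absent and set the blocking value.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'SignInOptions' `
        -PropertyType DWord -Value $BlockAll -Force | Out-Null
}

function Test-OfficeSignInBlocked {
    # True only when the value is present and equals the blocking setting.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'SignInOptions' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.SignInOptions -eq $BlockAll)
}

function Test-LocalAccountSession {
    # A local account's domain part is the computer name; a domain account's is not.
    # This is the distinction Brent draws: a compromised shared local account
    # exposes the workstation, not domain resources.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $domainPart = $identity.Split('\')[0]
    return ($domainPart -ieq $env:COMPUTERNAME)
}

Set-OfficeSignInBlocked

if (Test-OfficeSignInBlocked) {
    Write-Output 'Office sign-in is blocked for this user profile.'
} else {
    Write-Output 'Office sign-in policy NOT applied; check ADMX/registry path.'
}

if (Test-LocalAccountSession) {
    Write-Output 'Current session is a local account (no domain token exposed).'
} else {
    Write-Output 'Current session is a DOMAIN account on a shared workstation; review.'
}
```

The local-account check is a cheap thing to drop into a logon script and log centrally, so the shared-domain-login count Brent describes driving to zero can be confirmed rather than assumed.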