Here's the setting:
- 10 Public Computers in a library running Windows XP Pro.
- There are no central servers or central file storage.
- 1 Local Printer.
What we want to do:
- Secure Public Accounts on each machine, have a default username/password guests can use.
- Share the one printer so that all computers may print.
Security for Public Accounts:
- Cannot run .exe
- Cannot run any harmful scripts
- Cannot disable anti-virus/anti-spyware
- Cannot modify any configuration settings
- Have the right to use all applications (i.e., Office) but without their settings saved.
- Dedicate a folder that clears itself at logoff.
- Anything I might have missed.
Optional:
- Be able to perform administrative duties on all 10 computers from one of them (if possible)
Right now I was able to network them fairly easily, but one computer wouldn't access the printer for some reason. The biggest issue is the public account one.
Any part of the solution is appreciated!
Thanks!

I'm pretty familiar with basic security control, would there be a good tool to redefine the permissions on guest or some user account to make sure it's "locked" down? Some tool that would allow me to easily fine tune the permissions.
I am already familiar with basic security as I am studying MIS right now. But the courses never really get into the practical side for a small network. They would explain how to set up Active Directory and a central server but forget the basic stuff.
Thanks!

Oh buddy,
I'm going to break this down into two parts. Things you can probably handle yourself and will result in medium security. Then things I would suggest you get a security expert for.
First by medium security I'm specifying that an intelligent person bent on doing harm could probably find a way to violate the security of the host. Generally this will keep out most of your general users and may be ok for you.
First create a new Administrative account on each machine. Name it something you will remember and create a strong password and put it on each machine.
Secondly disable all other accounts on the machine including the Administrator account.
Next download and update all the security software (anti-virus and so forth), set it all up as you want it to be, and make sure you set it all to auto-update. Confirm Windows is set to auto-update and then create your guest user. When creating him you can specify he is a limited access user.
Now it will get tricky... by default the guest account is pretty restrictive and that means you may not be able to do some things you will WANT them to do. This may require someone to come in and redefine what the guest account can do and set up proper privileges.
Now I would also suggest you pick up a few copies of Symantec's Ghost software. After the machine is set up just the way you want it you can create a disk image. Then you can recover any machine to the default image with nothing more than a CD.
Oh, I'd disable any BIOS options that allow people to boot from anything but the hard drive and add a BIOS password. This prevents people from booting into an OS disk they brought and using the machine as they see fit.
You should have some sort of access control outbound and inbound in the form of a network firewall. I'd be sure to place some rules in there about what services you want to offer.
It gets more complicated now and a security professional may be required, but you still need:
An Acceptable Use Policy can be found on the internet and customized. Make sure people sign it before they get to the machine. This clears up any legal issues that could result.
Net Nanny or other filtering software should be deployed.
You may want to buy monitoring software that allows you to monitor all the activity on any of the machines; they are about 50 to 200 bucks depending. As a library you can likely get good discounts.
I could keep going :) If you want I could likely donate some of my time to help you. Just drop me a line through the site
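
The account steps described in the answer above (new administrative account, disable the other accounts, limited public account), as an added example that is not part of the original post. It is a batch file for one Windows XP Pro machine using the built-in `net user` and `net localgroup` commands; the names `LibAdmin` and `Patron` and the list of accounts to disable are assumptions to be edited per machine.

```batch
@echo off
setlocal
rem Added example: local account setup for one public PC. Run from an administrator session.
rem LibAdmin, Patron and OLD_ACCOUNTS are assumed names; change them to match the machine.
set NEWADMIN=LibAdmin
set PUBLICUSER=Patron
set OLD_ACCOUNTS=Administrator Guest

rem 1. New administrative account. The "*" makes net user prompt for the password,
rem    so the password is never stored in this file.
net user %NEWADMIN% * /add
if errorlevel 1 goto fail
net localgroup Administrators %NEWADMIN% /add
if errorlevel 1 goto fail

rem Confirm the new account really is an administrator before disabling anything,
rem otherwise the machine could be left with no usable admin logon.
net localgroup Administrators | find /i "%NEWADMIN%" >nul
if errorlevel 1 goto fail

rem 2. Disable the other accounts, including the built-in Administrator.
for %%A in (%OLD_ACCOUNTS%) do net user %%A /active:no

rem 3. Limited public account. An account created with "net user /add" is placed
rem    in the Users group only. /passwordchg:no stops patrons from changing the
rem    shared password.
net user %PUBLICUSER% * /add /passwordchg:no
if errorlevel 1 goto fail

echo Done. Log on once as %NEWADMIN% to verify it before taking the disk image.
goto :eof

:fail
echo Account setup failed; stopping before any further changes.
exit /b 1
```

Run it before taking the disk image so that every restored machine comes back with the same accounts.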