After I wrote about Windows 7 and SteadyState last week, Sarah Washburn asked me a question that led me to look up some of the alternatives to Windows SteadyState that might help libraries secure and manage their public access computers if they’re really anxious to leave behind XP and/or Vista for Windows 7.
I can’t promise that all of the products I mention below have released versions compatible with Windows 7, but this list should serve as a starting point for anyone who wants to do their own research. If you’re comfortable with Windows SteadyState, keep in mind that it combines aspects of a computer reset system and desktop lockdown software. If you need a complete replacement for SteadyState, you may need to acquire a program from both of those categories.
There are several ways to design and implement public computer security software. Some systems install locally to each computer, and administrators have to manage each computer individually. Other products and approaches give administrators control over the security configuration of all their workstations from a centralized network management console.
Computer Reset Systems: Other terms for this type of software include “hard drive restore software” and “system rollback applications”. These utilities generally prevent permanent changes to one or more hard drive partitions. They usually function in one of two ways: intercepting changes at the hardware level or overwriting the hard drive with a clean image on a regular basis. In other words, some of them intercept any attempts by the current end user to alter the hard drive or any of the files it holds. The software then discards those attempted changes or quarantines them to a temporary location (e.g. a file or disk partition). When the user ends the current logon session by logging off or shutting down the PC, the software erases the contents of the temporary-save location, and the hard drive returns to its original configuration.
Alternatively, some systems store a pristine copy of the system administrator’s preferred hard drive configuration in a safe, protected location. In other words, in this pristine image, all files and applications are in a clean, unmodified, post-installation condition, or close to it. The security application and/or the system administrator then overwrites the entire hard drive on a regular basis (e.g. daily or weekly). This approach is more resource-intensive, and could slow your network significantly if the timing and implementation aren’t handled carefully.
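The first approach described above (redirect writes to a temporary location, then discard them when the session ends) can be sketched as follows. This is an added Python illustration, not code from any of the products listed; the ResetOverlay class, the 512-byte sector size and the four-sector sample image are assumptions constructed for the example.

```python
SECTOR = 512  # assumed sector size for this illustration


class ResetOverlay:
    """Toy write-redirect layer: the protected base image is never modified."""

    def __init__(self, base_image: bytes):
        if len(base_image) % SECTOR:
            raise ValueError("image must be a whole number of sectors")
        self._base = bytes(base_image)  # protected baseline, kept immutable
        self._overlay = {}              # sector number -> redirected contents

    def _check(self, sector: int) -> None:
        if not 0 <= sector < len(self._base) // SECTOR:
            raise IndexError(f"sector {sector} is outside the protected volume")

    def read(self, sector: int) -> bytes:
        """Serve the session's own changes first, otherwise the baseline."""
        self._check(sector)
        if sector in self._overlay:
            return self._overlay[sector]
        off = sector * SECTOR
        return self._base[off:off + SECTOR]

    def write(self, sector: int, data: bytes) -> None:
        """Intercept the write and park it in the temporary overlay."""
        self._check(sector)
        if len(data) != SECTOR:
            raise ValueError("writes must be exactly one sector")
        self._overlay[sector] = bytes(data)

    def dirty_sectors(self) -> list:
        """Sectors the current session tried to change (useful for auditing)."""
        return sorted(self._overlay)

    def end_session(self) -> int:
        """Logoff or shutdown: discard redirected writes, return the count."""
        discarded = len(self._overlay)
        self._overlay.clear()
        return discarded


def demo():
    # Constructed sample image: four sectors filled with 0x00, 0x01, 0x02, 0x03.
    base = b"".join(bytes([i]) * SECTOR for i in range(4))
    disk = ResetOverlay(base)
    disk.write(2, b"\xff" * SECTOR)    # a patron session alters sector 2
    during = disk.read(2)              # the session sees its own change
    changed = disk.dirty_sectors()
    discarded = disk.end_session()     # session ends, overlay is erased
    after = disk.read(2)               # baseline contents are back
    return during, changed, discarded, after
```
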
Examples of computer reset systems include:
• Fortres CleanSlate
• Returnil RVS
• Faronics DeepFreeze
• Norton Ghost
• Centurion SmartShield
• Windows System Restore: While not as full-featured as Windows SteadyState or the commercial products listed above, System Restore is built into Windows XP, Windows Vista and Windows 7. Therefore it’s free of charge and you don’t have to install it. You will have to create one or more “restore points”, each of which refers to the clean, uncorrupted state that you’ll be restoring to should something go wrong on one of your public computers.
• Gates Foundation PAC Security Tool: If your library received one or more free computers from the Gates Foundation between 1998 and 2004, chances are they arrived with a security
Desktop Lockdown Software: Also known as “Access Control Systems”, software in this category prevents access to powerful, sensitive administrative utilities such as the Control Panel and the Computer Management Console, along with any other programs, files and directories that the systems administrators consider inappropriate, unnecessary or a potential source of trouble.
• Fortres 101
• Librarica’s Cassie: Alison Pruntel wrote “My Path to PC Management Heaven: CASSIE” for us in late 2008 about her positive experience using this product.
Web Browser Lockdown Tools: Librarians and systems administrators know fairly well that the Internet is the main source of trouble on most public access computers. Therefore, a large percentage of all their management troubles would go away if they could limit what patrons do on the web. Public Web Browser and PublicFox are two tools that give administrators some control over web browser settings on public access computers.
Thin Client Solutions: Other systems rely on thin-client or multiseat
Multiseat Configuration Systems: Multiseat systems resemble thin-client systems. However, instead of sending input and output over a network, the client interfaces (mouse, keyboard and monitor) are attached directly to the computer that does the processing. That computer runs a program or operating system capable of managing multiple user sessions at the same time. In other words, you and nine others can share the same workstation hardware (excepting monitor, mouse and keyboard) without tripping over each other’s files and programs. Userful Multiplier and Windows Multipoint are two programs that fall into this category.
After I had written 90% of the article you’re reading, I remembered that Dale Musselman at WebJunction created a Public Access Security Product List three years ago that listed the major public computer security products on the market at that time. As far as I can tell, the market hasn’t changed much in the meantime, though I did find a company I hadn’t heard of before called Returnil that relies on virtualization and virtual machines to roll computers back to a controlled, baseline configuration. Also,
The bottom line is that managing public access computers has never been easy or cheap, but Windows SteadyState made it a little easier and cheaper. However, if