Desktop Security Software
Third party software is available to add control that does not come standard with Microsoft Windows or Office. There are literally hundreds of different products for different purposes. What follows is a summary of the most popular and useful products for libraries. For more information on library workstation security, see this Webjunction site.
Lockdown software can control the computer at the application level and the OS level. Various methods are used to implement restrictions. Registry manipulation is a very popular method; however, the restriction features offered are usually the same features found in Microsoft policies. The only difference is that you use a third party interface to change the underlying policies. A more powerful method is to directly disable features. Using their own proprietary technology, programs like WinSelect and Fortres are able to disable any menu command or hotkey using predefined templates or user-recorded functions. This is especially useful in locking down features on applications that have no security restriction features. For example, WinSelect would allow you to disable the "download updates" button or menu on a program that you would otherwise have no way of disabling.
Examples of workstation lockdown software:
- WINSelect: http://www.faronics.com/en/Products/WINSelect/WINSelectReplaceGPO.aspx - Using a proprietary non-registry lockdown method, this program allows for customizable restrictions on most features on most programs.
- Fortres: http://www.fortresgrand.com/products/f101/f101.htm - Similar to WINSelect, Fortres monitors each action the user performs and determines if it is authorized or not. This product also allows for central administration of a security policy for multiple computers.
- Secure PC: http://www.citadel.com - Secure PC uses registry manipulation as well as direct monitoring of application functions. This product also uses profiles to allow for administration of multiple computers.
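As an added illustration of the registry-manipulation approach described above (this is example code written for this page, not code from WINSelect, Fortres, Secure PC, or any other product): the script below writes the same Explorer and System policy values that a registry-based lockdown tool or a Group Policy would set for a patron account, and includes an audit function that reports any value that is missing or has been changed back. The value names and paths are the documented Windows policy locations; the bitmask for `NoDrives` (4 hides drive C:) is standard. The script assumes it runs in the patron account, since it writes to HKCU.

```powershell
# Added example: apply and audit a registry-based lockdown for the current
# (patron) user. These are the same policy values Group Policy writes; a
# third-party tool that uses "registry manipulation" is setting exactly these.
# Assumed: run inside the patron account; Explorer re-reads most of these at
# next logon, so log off after changing them.

$Policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Value = 1 }  # remove Start > Run
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Value = 1 }  # block Control Panel
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDrives';             Value = 4 }  # hide drive C: (bit 2)
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Value = 1 }  # block Task Manager
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Value = 1 }  # block regedit
)

function Set-PatronLockdown {
    # Create each policy key if needed and write the DWORD value (overwrites).
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $p.Value -Force | Out-Null
    }
}

function Test-PatronLockdown {
    # Audit: one row per policy showing the expected and actual value, so a
    # patron (or a rollback) that undid a setting is visible before the next session.
    foreach ($p in $Policies) {
        $actual = $null
        if (Test-Path $p.Path) {
            $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        [pscustomobject]@{
            Policy    = $p.Name
            Expected  = $p.Value
            Actual    = $actual
            Compliant = ($actual -eq $p.Value)
        }
    }
}

function Remove-PatronLockdown {
    # Revert for staff maintenance; values are deleted rather than set to 0 so
    # the key returns to the "not configured" state.
    foreach ($p in $Policies) {
        Remove-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    }
}

Set-PatronLockdown
Test-PatronLockdown | Format-Table -AutoSize
```

Because these values live under HKCU, they only bind the account they are written to; a patron who can still reach the registry by some other path could undo them, which is why the same values are normally enforced machine-wide through Group Policy or set under HKLM, and why the page recommends a product that disables features directly for anything these policies do not cover.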
Menu replacement software replaces the standard Windows desktop with a third party program. Under standard operation, explorer.exe is run to present the user with the Start Menu, Task Bar, System Tray, and Desktop. Menu replacement programs override explorer.exe with their own executable and present the user with a different desktop, usually without the Start Menu, Task Bar, etc. The look and feel of the desktop can be designed to meet the needs of the library by placing buttons and links to launch specified programs. This approach is secure because it removes the "Windows Explorer" interface, which gives a patron too many opportunities to reach functions you would prefer be left alone.
Examples of menu replacement software:
- WinU: http://bardon.com/winu.php - Provided by Bardon Data Systems, this product also features timeouts, logging, web-browser monitoring, and remote administration.
- CybraryN: http://www.cybraryn.com - This product also incorporates time control and logging features. It can be configured with desktop replacement or with the standard Windows desktop.
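The mechanism a menu replacement product relies on is the Winlogon `Shell` value: Windows starts whatever program that value names in place of explorer.exe. The script below is an added example (not code from WinU, CybraryN, or the page) that sets a replacement shell for the patron account only, leaving the machine-wide value, and therefore staff logons, on explorer.exe. `C:\LibraryKiosk\Kiosk.exe` is a placeholder path for the replacement menu program; which Windows versions honour the per-user value should be confirmed on your own image.

```powershell
# Added example: per-user shell replacement for a patron account.
# Winlogon checks the per-user Shell value (HKCU) before the machine-wide one
# (HKLM), so staff accounts are untouched. Assumed: Kiosk.exe is a placeholder.

$UserWinlogon    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$MachineWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$KioskShell      = 'C:\LibraryKiosk\Kiosk.exe'   # placeholder for the menu program

function Set-PatronShell {
    param([string]$ShellPath = $KioskShell)
    # A Shell value pointing at a missing file leaves the patron with a blank
    # screen and no way out, so refuse to write it unless the program exists.
    if (-not (Test-Path -LiteralPath $ShellPath)) {
        throw "Shell program not found: $ShellPath"
    }
    if (-not (Test-Path $UserWinlogon)) { New-Item -Path $UserWinlogon -Force | Out-Null }
    New-ItemProperty -Path $UserWinlogon -Name 'Shell' -PropertyType String -Value $ShellPath -Force | Out-Null
}

function Get-EffectiveShell {
    # Report what this account will actually get at next logon.
    $user = (Get-ItemProperty -Path $UserWinlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
    if ($user) { return $user }
    return (Get-ItemProperty -Path $MachineWinlogon -Name 'Shell').Shell
}

function Restore-ExplorerShell {
    # Staff revert: deleting the per-user value falls back to explorer.exe.
    Remove-ItemProperty -Path $UserWinlogon -Name 'Shell' -ErrorAction SilentlyContinue
}

Set-PatronShell
"Effective shell for this account: $(Get-EffectiveShell)"
```

Because the value is read at logon, the change shows up the next time the patron account signs in. Keep a staff account with the default shell on every machine, or a shell replacement that crashes on start turns into a locked-out workstation rather than a locked-down one.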
Rollback software ensures that the computer is restored to its original state at a certain execution point, usually reboot. This software is especially helpful for libraries that want to give more desktop control to their patrons. A patron can make changes to settings and configurations; however, the changed settings will all be reset to their original configuration when the rollback software executes. This software can also be used in conjunction with other security software to restrict certain features while allowing customization and control over others. For example, a workstation may deploy Fortres to lock down certain program menu items, while leaving other items unrestricted so that a user can make changes to application settings. Rollback software would then restore those application settings at the next reboot. However, this software does not lock down a computer. If a computer is protected with rollback software, only the computer itself is protected. The software won't prevent a user from gaining access to the computer and using it as a staging point to attack other computers. Rollback software technology is mostly proprietary. There are also hardware solutions that perform the same function.
Examples of rollback software:
- DeepFreeze: http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeCorporate.aspx - On reboot, the computer is restored to its original state. Other features include idle time reboot and automatic disabling for software updates, such as scheduled antivirus updates.
- CleanSlate: http://www.fortresgrand.com/products/cls/cls.htm - CleanSlate will restore a computer to its original state on reboot as well as logoff. CleanSlate also allows for central management, temporary disabling for software updates, and security integration based on groups and users.
- RestoreIT: http://www.farstone.com - RestoreIT creates a separate partition on the hard drive that keeps track of any changes made to the computer. Changes are recorded incrementally to allow the system to be restored to its starting point from any chosen point in time.
What timer software does is fairly simple. It controls the amount of time a patron can use a workstation. There are many products that perform this function but that are designed for different needs. Some timer software uses card readers to track time, some use logon accounts, and some simply apply a time limit to a given session before the workstation automatically logs out.
Examples of timer software:
- PC-Cop: http://www.cmsdiginet.com/pccop.htm - Allows users to make their own reservations. Access is authorized with a password or a library card. Users can schedule a time or place themselves on a waiting list. This software is for multiple networked workstations, not stand-alones.
- PC Reservation: http://www.envisionware.com/pc_reservation - PC Reservation is a robust application with many features. Reservations can be made through a self-reservation station, directly at a client PC, through the web, or with a touch-tone telephone. The program can utilize a library card as well.
- Other products with timers included - Some security products integrate a timer. WinU and CybraryN are examples of this.
A well-designed public access workstation is configured so that there are very few, if any, files or settings left behind by a patron. These files and settings include temporary files created by Internet applications, Microsoft Office products, cookies, and history of accessed files retained by programs and the operating system. Cleanup software helps to erase all of these. A library with a good programmer on staff may be able to create a quick cleanup program; however, there are many products already available that can perform these tasks. Some are more for home use, but there are also products that can be integrated into a public access computer.
Examples of cleanup software:
- CyberScrub Privacy Suite: http://www.cyberscrub.com/en/privacy-suite/ - Privacy Suite removes the sensitive information (Temporary Internet Files, Cookies, etc.) from the user account in which it was run. To clean sensitive information from other users, you need to switch to another user and run Privacy Suite from that user.
- Window Washer: http://www.webroot.com/En_US/consumer-products-windowwasher.html - Window Washer cleans many features like scandisk temp files, Media Player, Run History, Find Search History, Auto complete, Custom directories and registry entries, as well as more options on how the program runs.
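For a library with someone on staff who can script, the "quick cleanup program" the text mentions can be as simple as the following. It is an added example written for this page, not code from CyberScrub, Webroot, or the page's author. It clears the trace locations the text lists (temporary Internet files, cookies, history, recent-file lists and Run history) for the account it runs in, then audits what is left. The file paths are the standard per-user locations on current Windows; older versions keep Temporary Internet Files under a different folder, so adjust `$TracePaths` to your image.

```powershell
# Added example: per-account cleanup of patron traces, plus an audit pass.
# Like the products above, it only cleans the account it runs in (HKCU and
# the current profile); run it at patron logoff or from the patron account.
# Assumed: standard per-user folder layout; close browsers first so locked
# cache files can be deleted.

$TracePaths = @(
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCache",    # Temporary Internet Files
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCookies",  # cookies
    "$env:LOCALAPPDATA\Microsoft\Windows\History",      # browsing history
    "$env:APPDATA\Microsoft\Windows\Recent",            # recent-document shortcuts
    "$env:TEMP"                                          # per-user temp files
)
$TraceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',      # Start > Run history
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs',  # recent documents list
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths',  # Explorer address bar
    'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'                  # IE address bar history
)

function Clear-PatronTraces {
    # Empty each folder (keep the folder itself; Windows expects it to exist).
    foreach ($path in $TracePaths) {
        if (Test-Path -LiteralPath $path) {
            Get-ChildItem -LiteralPath $path -Force -Recurse -ErrorAction SilentlyContinue |
                Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
        }
    }
    # Delete the values under each history key but keep the key.
    foreach ($key in $TraceKeys) {
        if (Test-Path $key) {
            foreach ($name in (Get-Item $key).Property) {
                Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
}

function Get-RemainingTraces {
    # Audit: anything still counted here is either held open by a running
    # program or lives somewhere outside the two lists above.
    $report = foreach ($path in $TracePaths) {
        if (Test-Path -LiteralPath $path) {
            $n = (Get-ChildItem -LiteralPath $path -Force -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
            [pscustomobject]@{ Location = $path; Items = $n }
        }
    }
    $report += foreach ($key in $TraceKeys) {
        if (Test-Path $key) {
            [pscustomobject]@{ Location = $key; Items = (Get-Item $key).Property.Count }
        }
    }
    $report
}

Clear-PatronTraces
Get-RemainingTraces | Format-Table -AutoSize
```

The audit pass is the part a home-oriented cleaner usually lacks: a non-zero count after cleanup tells staff that a browser was still running or that a program stores its history somewhere the lists do not cover, which is exactly the gap a patron's data would fall through.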
Although a distribution agent (or application deployment software) isn't necessarily a consideration when planning network security, it is an excellent tool for cutting down administrative overhead when deploying software applications and updates. It is especially useful for large networks that require frequent updates and application rollout.
What is a Distribution Agent?
A distribution agent is a client-server program that automates the process of installing an application or update on workstations across a network. Two of the most popular programs are Microsoft's SMS and OnDemand's WinInstall.
An administrator creates an update or application installation by running the actual process on a model workstation that records the procedure. The update or installation is then packaged and stored on a server or multiple servers depending on the size of the organization. The distribution program keeps track of the application or update in a database.
There are various ways to deploy an application or update package. Clients need to run client-side software that communicates with a server and determines whether or not a package should be installed. This check can be performed when the client logs on, at a specified time (often during off hours so the user is not bothered), or at random times to prevent an overload of network traffic. When the check is performed, the client's list of installed packages is compared to a list stored in a database on the server. If the server lists a package that is not installed on the client, that package is then rolled out.
Most distribution agent software provides configuration options that allow administrators to determine deployment options in various ways. Deployment can be based on a user, a computer, or groups defined in the network operating system or application rollout program.
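The client-side check described above, reduced to its core steps, as an added example (this is illustrative code for this page, not SMS or WinInstall code): the client compares the server's package list with its own installed list, applies an optional random delay so a room full of workstations does not hit the server at once, and refuses to run any installer whose hash does not match the server's record. The server manifest and installed list are constructed sample data, the installer paths and hashes are placeholders, and `Install-Package` only reports what it would do rather than invoking msiexec.

```powershell
# Added example: the reconciliation step of a distribution agent client.
# Constructed data below; nothing here is a real package or hash.

# What the server says this workstation should have.
$ServerManifest = @(
    @{ Id = 'office-sp2'; Version = '2';   Installer = 'C:\Packages\office-sp2.msi'; Sha256 = 'PLACEHOLDER_HASH_1' }
    @{ Id = 'antivirus';  Version = '8.1'; Installer = 'C:\Packages\av-8.1.msi';     Sha256 = 'PLACEHOLDER_HASH_2' }
    @{ Id = 'kiosk-menu'; Version = '3.0'; Installer = 'C:\Packages\kiosk-3.0.msi';  Sha256 = 'PLACEHOLDER_HASH_3' }
)
# What the client has recorded as installed.
$ClientInstalled = @(
    @{ Id = 'office-sp2'; Version = '2' }
    @{ Id = 'antivirus';  Version = '8.0' }   # older than the server wants
)

function Get-MissingPackages {
    param([array]$Manifest, [array]$Installed)
    # A package is due when it is absent locally or the version differs.
    $have = @{}
    foreach ($i in $Installed) { $have[$i.Id] = $i.Version }
    foreach ($p in $Manifest) {
        if (-not $have.ContainsKey($p.Id) -or $have[$p.Id] -ne $p.Version) { $p }
    }
}

function Install-Package {
    param([hashtable]$Package)
    # Verify the installer against the server's recorded hash before running it:
    # a swapped or tampered file on a share would otherwise be pushed to every
    # workstation on the next check.
    if (-not (Test-Path -LiteralPath $Package.Installer)) {
        return "SKIP    $($Package.Id): installer not found"
    }
    $actual = (Get-FileHash -LiteralPath $Package.Installer -Algorithm SHA256).Hash
    if ($actual -ne $Package.Sha256) {
        return "REFUSE  $($Package.Id): hash mismatch"
    }
    # A real agent would run: msiexec.exe /i "<installer>" /qn  and record the result.
    return "INSTALL $($Package.Id) $($Package.Version)"
}

function Invoke-AgentCheck {
    param([int]$MaxJitterSeconds = 0)
    # Random start delay: the "random times" scheduling option the text describes.
    if ($MaxJitterSeconds -gt 0) { Start-Sleep -Seconds (Get-Random -Maximum $MaxJitterSeconds) }
    foreach ($p in (Get-MissingPackages -Manifest $ServerManifest -Installed $ClientInstalled)) {
        Install-Package -Package $p
    }
}

Invoke-AgentCheck -MaxJitterSeconds 0
```

With the sample data, `Get-MissingPackages` returns antivirus (installed 8.0, server wants 8.1) and kiosk-menu (not installed) and leaves office-sp2 alone; since the placeholder installers do not exist, both are reported as skipped. The hash check is the piece to keep even in a home-grown agent, because the distribution server is the one place from which a single bad file reaches every workstation in the building.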
Most application rollout programs are highly customizable and flexible. Microsoft's SMS server ships with reasonably useful default options, but it can be transformed into a virtually proprietary application when fully customized for a specific network.
Drawbacks of Distribution Agents
Application rollout software works best when all the workstations in a network are configured identically. It is important to understand that even though you may install the same program or update on two different computers, each computer may install the program or update very differently. If an application package is configured on one computer and is then distributed to 200 computers that are not identical, the package may fail on many of the computers. If a network administrator gives users the freedom to configure and install software on their own computers, distribution software may not be the best solution. Furthermore, rollout packages need to be extensively tested before deployment to make sure they are reliable.
As software evolves, updates and installations become more and more customizable. Many software programs now have releases with fully customizable installation procedures for rolling out to network installations. Many Microsoft products, such as Microsoft Office and Internet Explorer, provide special accompanying programs called "Administrator's Kits" that provide tools to create a specialized installation package. As these installation tools evolve, application deployment software becomes necessary primarily for enterprise organizations.
There are products that combine many features into one product. They may be comprehensive; however, because some of these products try to cover all areas of security, each feature may not be as robust as in products that concentrate on only one feature.
Examples of multipurpose software: