Carson Block compares four of the most popular software and hardware applications.
By Carson Block April 15, 2001In part one of this article (netConnect, Winter 2001), we examined practices and methods that can give a fighting chance at system stability before putting workstations out for the public. In this part, we'll look at one of the best ways you can keep normal use from taking its toll on each machine--operating system (OS) helper applications.
There are many good reasons to use an OS helper, including consistency of appearance and applications, protections against tampering and/or system-damaging modifications, increased uptime and availability of workstations, and a better chance at overall lower maintenance.
But which one?
| Products discussed in this article: |
There are a number of vendors offering products with different strengths and weaknesses, and trying them can be a hit-or-miss affair. Further complicating a simple, direct comparison, many libraries are not relying on a single vendor or solution but applying good practices with software helpers from different vendors to keep workstations stable and fresh.
My interest in workstation security started when we installed our first public Internet workstations at the Loveland PL, CO, in 1996. Previously, we had no Internet access, and the fresh install of a T-1 circuit for a dozen or so workstations left me thrilled by the possibilities but horrified by the potential for mischief.
The first time I realized I would need help protecting the stability of the operating system from users came as we were setting up the Tech Center (our Internet access lab) prior to opening it to the public. Out of curiosity, I did a search for 'warez' (the term used for illegally copied and shared software) and found a number of sites that could serve up a great number of illicit software packages, including remote access clients and even copies of entire operating systems. On our uncluttered T-1, any of the packages could be downloaded and installed in no time. Yow!
On total reflection, though, we realized that other needs were important, including patron privacy, local network security, regulation of printing to the network LaserJet, and more. Like many of the libraries highlighted below, Loveland uses a variety of physical and software methods to protect workstations. With the size of our staff and number of other areas of responsibility, we elected to use the OS Helper combination of Ikiosk and WinSelect from Hyper Technologies.
Evaluating the need
Are third-party OS helpers really necessary? The answer depends on your local technical expertise, time, and inclination. Free tools are available to control powerfully the look, feel, and security of your workstations. But the time, expertise, and inclination factors are not trivial considerations.
In one public school district I visited I was very impressed by the amount of technology available to high school students. The school has high-speed Internet access and several fully equipped computer labs with powerful content creation tools. Then the instructor of the lab told me that to solve a problem with saving student files to removable media, he let everyone log on as 'Administrator.' On an NT system, Administrator is the most powerful user account. An entire computer lab full of bright and imaginative high school students with internal access to a high-bandwidth intranet and a T-1 Internet connection? The very thought leaves me in a cold sweat.
In this case, the instructor and the sole tech support person were overburdened. They had too many network points to manage and not enough time to use built-in methods to configure machines that would allow users all the flexibility they need without compromising network security or stability. Even though this district had the software tools to manage workstation security, it would probably be a good choice to invest in a third-party OS helper.
Each library is different, but the case studies below are meant to help you find out what is best for you after learning the experiences of a number of libraries in Colorado. There are several products on the market that perform in a similar fashion; the four outlined here have been tested on a daily basis in real-world situations.
WinSelect back to top
The popular WinSelect application from Hyper Technologies Inc. (www.winselect.com) comes in two separate flavors, or as a combined program that offers the features of both programs through a single shared interface.
WinSelect Ki-osk helps manage workstations by disabling menu items and buttons (such as the preferences and history files in Netscape Navigator), disabling program hot keys or added key combinations, recording and disabling any program feature (including minimize, maximize, resize, close, move, restore, and the all-powerful right mouse button).
WinSelect Policy can control where data are saved (e.g., by limiting downloads to a floppy or other removable media drive), what programs can be opened, and a great many printer options such as number of pages, print to file, and other functions.
Deb Lueth, who continues to manage the public workstations at Loveland, gives high marks to the WinSelect Kiosk and Policy combo. 'In a setting where 25,000 user sessions per year challenge the stability of even the best PC configuration design, I am thrilled with the consistency, ease of use, and ease of implementation we have found with WinSelect/Kiosk.' The library media staff had a lot to consider with testing software. Lueth especially likes the ease of implementing workstation builds that allow users access to the resources they need while preserving privacy between user sessions.
She also likes being able to control printer functions. 'We had users print dozens of pages only to 'pick up and run' with one or two pages, resulting in a huge waste of paper and ink. Policy allows us to limit every PC to only one set of ten pages. Kiosk allows us to disable access to any or all the Windows operating system controls and deny access to the hard drive. The Internet access computers remain stable, reliable, consistent, and as shortcut-free as we had hoped.'
But for many libraries, a single-vendor solution isn't enough. Westminster PL, CO, a two-branch system located in a Denver suburb, uses WinSelect and a variety of other methods and techniques to keep 129 (69 public and 60 staff) workstations in both locations secure. Library computer technician Eric Sisler is part of a two-person team that oversees the computer technology for libraries that serve the needs of the general community as well as a community college. Application support includes web browsers, telnet clients (for PAC access), CD-ROM databases, and a number of other applications.
With such a diverse mix of users and applications, Sisler says he can't imagine having public PCs without security measures in place. 'There would be no continuity of installed software applications/versions since many users would download and install software. Beyond that there are other security implications to think of--an unsecured PC can leave your network and servers open to mischief or attack.'
But even further, Sisler says security measures help ensure the appearance, application, and version consistency across all PCs; reduce the chance that a patron could render a workstation inoperable by accident or through mischief; provide enhanced security by reducing the likelihood of having the library's network and servers attacked from inside; and limit where downloaded files may be stored.
Sisler says Westminster settled on WinSelect several years ago for an important role in its overall security plan after trying another product. 'Initially we were using an older version of Fortres but found it didn't work and play well with PAC for Windows (a component of its Innovative Interfaces automation system) and Norton Anti-Virus,' he explains. 'We were looking for something that was more 'network aware' and could control not only which applications could be run but what menu items were available from within the application.'
Maintaining standard configuration can be simplified in a couple of ways. 'The client portion must be installed on each PC,' Sisler says. 'The administration portion can be installed locally on the PC or on a network drive. The configuration file is stored locally on the PC but can be updated via the network.' WinSelect has the ability to poll a network server periodically to check for configuration file updates, but Westminster elected to copy the configuration file to the PC as part of the network logon process. 'This reduces some network traffic, and we haven't had to update the configuration file all that often anyway so having the client periodically check for updates seemed unnecessary.' Sisler also favors being able to have multiple configuration files for WinSelect for different PC locations and uses (such as training classroom vs. generic Internet access points) and being able to update the configuration file from the network as part of the boot process, which saves time and shoe leather.
Sisler likes WinSelect's ability to restrict what menu items are available for a particular application. Since Westminster uses the I-Gear Internet cache/filter, it's necessary to restrict patrons from launching Netscape's preferences file and bypassing the proxy. But the setup is not without its difficulties. Sisler characterizes being able to restrict what menu items are available for a particular application as a double-edged sword. 'While it's nice to have this ability, some applications have many menus and shortcut keys and trying to configure them all can be time-consuming. Predefined controls are provided by the vendor for some applications, primarily web browsers, but it would be nice to see some for other applications.'
Sisler has been happy with the ease of maintenance and the effectiveness of WinSelect when combined with Westminster's other management practices and methods. To serve the needs of training lab users better, Sisler is planning to use another Hyper Technologies product in conjunction with WinSelect called Deep Freeze (see below), a program that has similar features to a hardware solution called Centurion Guard (see below).
'We're looking at using WinSelect and Deep Freeze in our library instruction classroom. We will be installing the MS Office Suite, and there are far too many menu options even to try and restrict access. We'll use WinSelect to keep students out of areas they shouldn't be in--the control panel, network neighborhood, the web browser's proxy setting, and other 'sensitive' areas. We'll leave MS Office and other applications wide open and use Deep Freeze to restore the PC to its original (unmolested) state by rebooting it. If this works out well we may do something similar to the regular public PCs.'
Fortres 101 back to top
Another popular security agent for computer workstations, Fortres 101 seems to have a very strong showing in the schools market in classroom situations. Fortres Grand Corporation (www.fortres.com) describes Fortres 101 as follows: 'A computer sentinel, Fortres 101 monitors each action the user makes and determines if that action is legal or not. Fortres 101 offers you the ability to restrict/block local hard drives and removable floppy disk drives as well as any local file, folder, or application.'
The product has won a top 100 products award from Curriculum Administrators magazine and another award from Media & Methods Magazine. But Fortres is not just for classrooms or school libraries--many public libraries have used it to help manage public computers.
The Fort Collins PL, CO, has had a good degree of success mixing Fortres with other methods and programs such as WinSelect and Centurion Guard on its workstations. Jacque King, library technical support specialist, says the library has been using security measures since they got their first two Internet PCs in 1995. 'When we made the transition from dumb terminals to PCs and started to offer Internet access, we had to consider the security of our network,' she says. 'We also hoped to limit support calls and prevent against viruses.'
With 121 workstations to manage (57 for public use, 15 for circulation, 49 for staff) and a tech support staff of three, Fort Collins uses the different products to provide a strong public security plan for its workstations. King says they use Fortres and WinSelect for public machines running Windows 95, NT, and 2000, and Centurion Guard on a few public stations that have word processing.
King uses 'WinSelect for locking down applications so patrons cannot change application settings such as Netscape preferences, bookmarks, proxy settings, etc.; Fortres for file and desktop security such as preventing the deletion of desktop icons or saving to the hard drive; and Centurion Guard for file and desktop security and to prevent unwanted changes to the hard drive.'
King finds Fortres's centralized management utility, General Control, a powerful security administrator. It can be used to assign security settings based on user names and groups. If you are running Windows NT, General Control can retrieve your existing user list from the server, which King says has been very convenient for Fort Collins.
'We use the same user name on all of our PAC stations. Using Central Control, when a change is made for the 'PAC' user, the change applies to any and all workstations logged on as 'PAC.' This saves trips to each workstation to lock/unlock individual settings. It also frees up the workstation for other uses because in order to change security settings, all you need to do is logon as a different user.'
The Fortres Diagnostics feature is particularly useful for troubleshooting. 'Most applications need to have access to system files or the hard drive at some level, but it is impossible to know exactly which files are needed by which application,' King says. 'The diagnostics feature displays which files are needed by your applications in a text box where you can highlight them and click the 'stop blocking' button. This way, you can allow access to only the needed files, without disabling security on the entire directory or system.'
Fort Collins has experienced some difficulty with Fortres under Windows NT with Service Pack 4. 'We kept getting blue screens (complete system crashes) every time a user logged on,' she explains, but has been pleased with the company's tech support in dealing with the issues. 'Unfortunately, the only workaround was to disable the file security portion of Fortres and just use it for desktop security. I have not had this problem with Windows 95 or 2000. I have yet to try it using NT 4 with SP 6--although tech support (at Fortres) says that should resolve the problem.'
But as with a number of other libraries, King says third-party products alone are augmented with other measures for a total security plan. 'We sometimes use the freely available Netscape Configuration Editor to change some features of the Netscape browser on our PAC stations.' In one case, she says, 'instead of disabling the 'search' button, we were able simply to change the search URL to point to our catalog keyword search page instead of the default Netscape Internet search site.
'We also sometimes use local registry edits to disable or enable certain items,' King says. 'We disable items in the BIOS. For example, we don't allow booting from the floppy drive, and we assign setup and system passwords to prevent unwanted access to the PC. Not only do we want to secure our computers, we also want to protect our users from other users. Privacy issues are addressed by using logon scripts and/or batch files to perform common tasks like clearing temp, history, cookies, and Cache files.' [For more on the use of such native OS features, see Part 1, netConnect, Winter 2001.--Ed.]
Centurion Guard back to top
From Centurion Technologies (www.centuriontech.com), Centurion Guard is a hardware solution, complete with a key to 'lock' the protections in place. The philosophy of the protection is different from many other OS helpers in that it does allow changes to be made at the user level, from simple application settings to a complete reformat of the C drive. But the user changes are not permanent.
The device write-protects the hard drive at the physical level. 'When an application needs to write to the hard drive, the Centurion Guard automatically redirects file writes to a separate non-write-protected area on your hard drive,' explains the company web site. 'When the system is rebooted, any changes that were made to DOS or Windows are forgotten, and the system is put back to its default configuration.'
Centurion Guard accomplishes this by requiring 32-bit formatting of the hard drive and 'hiding' the stable system build on a separate partition. To make system or application setting alterations that administrators want to retain, Centurion Guard can be disabled (with the key) and changes can be made.
Such a configuration can be handy when you do want your users to have the power to change settings (such as in a training lab environment), but you want fresh, consistent builds between user sessions.
Al Lustie, director of computing and bibliographic services for the Arapahoe Library District, CO, uses Centurion Guard to secure the workstations for public libraries serving the south region of the Denver Metro area with patrons he describes as a combination of poor working class, immigrant, and upper middle class with lots of high-tech expectations. He has three (soon to be four) computer/network technicians to oversee about 215 workstations (141 public PCs, about 65 for staff, four servers, and miscellaneous other PCs in various stages of use for research).
Lustie says Arapahoe switched to Centurion Guard after using Fortres and Ikiosk for a time. 'Centurion Guardian is the most useful tool so far,' he says happily. 'It is a 'set and forget' system--we have to disable it to do LiveUpdates on Norton Anti-Virus or to upgrade a computer, but it has enabled the library staff, most of whom are not very computer literate, to switch a machine off and turn it back on and provide a patron with an excellent computer experience. Without it we would have had to double our staff (or more) or provide shoddy experiences to patrons.'
Lustie also has found some perhaps surprising flexibility of the hardware solution: 'We have recently purchased electronic switches connected to locks so we can disable the Guardian from an easier location (by key) on several machines at a time when we are doing updates.' He also says company tech support has been good.
Jeff Kuntzman, Internet and instruction librarian at the Denison Memorial Library, University of Colorado Health Sciences Center, Denver, also recently switched to Centurion Guard for workstation security after experiencing some problems with software OS Helpers.
'We started approximately eight years ago with a combination of Ikiosk/Fortres, then about a year ago switched to Centurion Guard.' He says they have found 'anecdotal evidence that Ikiosk was causing more crashes than it was preventing. When we switched to CG, we were looking for a solution that would be as nonintrusive as possible but would restore computers in a pristine fashion every time they are rebooted.'
With a staff of two to oversee 60 public workstations and 45 staff workstations, Kuntzman likes the hardware solution because 'it has reduced the number of crashes we were having on public workstations; it's also very secure and reduces any worries about viruses, since it basically circumvents viruses completely.'
The only drawback is when the time comes to update the system build. 'It is a pain to install new software--basically you have to turn off security with a key, reboot the system, install the software, then reboot again with the key in 'on' position. Also, crashes have been reduced--not eliminated.'
Despite the success with Centurion Guard, Kuntzman plans yet another change to the library's public workstations. 'When we migrate to Windows 2000, hopefully soon, we are hoping to use Win2000 policies for all the security and leave Centurion Guard behind.' He notes, however, that 'if that turns out not to work, there is a Win2000 driver available for our CG units.'
It's not only large institutions that use Centurion Guard. Arguably, it may be even more important for small libraries, with little or no technical staff, to have an automatic and easy-to-manage means of ensuring system stability.
Nancy Orth, technology consultant for the Plains and Peaks Regional Library Service System, has successfully deployed Centurion Guard in small public libraries in her region, like the largely rural Elbert County Library District. With total registered patron counts of 4500 to 6000 and no dedicated tech support, the libraries need a solution that is as simple to operate as it is easy to manage. She's been using Centurion Guard in those locations for more than two years.
Orth explains that Centurion 'looked like an easy way to maintain security and still give the patrons flexibility. No worry about setting up software and determining what parameters to use. The patrons can actually download items they might need without us having to worry about it. I've even seen someone reformat the C drive and the computer rebooted with no problems.'
Orth says one fault is that Centurion Guard doesn't work as well on computers with smaller hard drives because the computer has to be rebooted when the temp partition gets full. Still Orth is very enthusiastic about the company's responsiveness, again a plus for small systems without much on-staff expertise. 'The tech support is fantastic.' She says a technician 'even called me to ask how it was working even though it was only on one computer at the time.'
Deep Freeze back to top
Another rural library having a good deal of success with a software solution similar to Centurion Guard is Ruby Sisson Memorial Library in Pagosa Springs, CO. Cathy Dodt-Ellis, technology coordinator, has been using Deep Freeze from Hyper Technologies Inc. (www.winselect.com) for about seven months to help manage the library's 12 workstations.
Using passwords and software (instead of hardware and a physical key) to protect the integrity of the hidden partition and system builds, Deep Freeze accomplishes tasks similar to Centurion Guard.
Dodt-Ellis says her deployment of Deep Freeze was a response to 'day-to-day annoyances--people deleting programs or downloading programs that I would have to delete later. Much of this was apparently accidental--they were usually stuck and would start 'trying' things to help.
'It was easy to install, there haven't been any conflicts with the existing software, and, most importantly, it works,' she says. 'All staff have to do is reboot the computer and the original configuration will be back. This is very important for when I am not available to fix the computers.'
Like Centurion Guard, Deep Freeze needs to be disabled for system changes made by administrators to stick. 'I disable [Deep Freeze] during startup when I want to install upgrades or make modifications to the hard drive, and Deep Freeze automatically enables when the computer is rebooted.'
Finding your solution
Like just about everything else in libraries, there is no one, cookie-cutter solution that will address the issues. The real solution will depend on a number of factors, including the size of your tech staff, your comfort level managing your technology, the number of users you see in a day, the applications you want to employ, and your size--both in number of workstations and the number of staff to support them.
| Author Information |
| Carson Block (cblock@frii.com) is the Technology Consultant for the High Plains Regional Library System, Greeley, CO, a state-funded agency that serves libraries in nine northeast Colorado counties. |
