Safe From Prying Eyes:
Protecting Library Systems
By Karen G. Schneider
American Libraries Columnist
Director of the Garfield Library in Brunswick, New York, and author of A Practical Guide to Internet Filters (Neal-Schuman, 1997)
kgs@bluehighways.com
Column for January 1999
Last month's column discussed some methods for allocating time at Internet workstations, from sign-up sheets to special software that manages time control to cataloging computers as if they were books. This month we'll focus on tools and techniques for preventing patrons from rearranging your desktop, tampering with files, downloading to your hard drive, launching program files (with or without viruses), booting from the a: drive, or otherwise disturbing your computer system.
Don't assume security measures are only directed at “bad” patrons. Our library has a new public Internet computer, Pat'N'Joe (named for the legislators whose pork funded its purchase). No sooner had we hooked up Pat'N'Joe to our ultra-fast cable Internet connection—and before I had a chance to set up any security software—an elderly man, his arms full of books, begged to “see the Internet.” His delight was so obvious I tenderly logged in and let him have at it, while I did the reference/administrator/whatever gig for a few minutes. When I happened to glance over I noticed he was installing a piece of software on the computer. The staff are still laughing at my brisk response: “All righty then! It's time to log off, and I'll check out those books for you!”
I was at fault for forgetting how bewildering a computer is to new users, and for assuming a patron would know what he shouldn't be doing. The Golden Rule of public computer security, according to Robert Sullivan of Schenectady County (N.Y.) Public Library, is “hide what drives you need to and can, and don't allow them to run anything else that you can't hide.” Since then, I have taken a belt-and-suspenders approach and installed Cybrarian and WinSelect Kiosk (just two of many good security programs; WinU and Fortres are also frequently mentioned on library discussion lists). These programs fulfill many key security objectives. When they launch, the Start menu and most files vanish; users can only save to the a: drive; and instead of the complicated Windows 98 desktop, the user sees a simple menu with one or two options on it. The curious user digging through files sees only one empty a: directory. “My Computer” and “Network Neighborhood” are invisible. Both programs disable the right-click button on the mouse, which prevents all kinds of misbehavior, from saving “interesting” Web sites onto your desktop to drilling through your files.
In our library, users log in with their library card numbers and read the library policy before they launch the Web browser (the only software Cybrarian and WinSelect Kiosk will let them use, except for a telnet program that launches our online catalog). They can save to the a: drive, but they can't run any programs. After half an hour, their session times out and they can't log in for two more hours. Logging in has become more complicated and takes more time. I next want to pull everything together into an automated log-on sequence that means we only have to turn on a computer and type in one or two passwords to be “up and going.”
Just another pretty interface
Another goal is a simple and consistent interface--that is, for the desktop to remain the same for every user, every time he or she uses it--the same colors, configuration, and files—and to be as obvious as possible to the user. Menuing tools such as WinU or Cybrarian present a very simple menu in place of the Windows desktop.
The security features in lockdown tools are also helpful for maintaining a consistent interface. Most security software allows you to prevent users from closing, resizing, or minimizing programs. Some allow you to disable menu items in many software programs—for example, if you don't want users tinkering with the size of the screen fonts or changing your default home page or your print settings.
Home groan
There are librarians, such as Robert Sullivan, who swear that the only way to secure public-access computers is through the “home-grown” approach. A number of these librarians maintain computer networks based on Microsoft NT, which has powerful security features, or have become adept at manipulating the internal features of Windows 95/98. I bow before these gurus, but most of us do not have the staff, time, or patience to endlessly tweak operating systems. I'd rather let a vendor deal with the challenge of new features and the heartache of software conflicts. Life is short, and the to-do list is never-ending.
Even so, you can't slap a software program on a computer and expect that workstation to be secure. To quote the excellent public-computer security documents at the California State Library's InFoPeople Project, “No matter what security package you use, you should still enable your computer's built-in security features.” Most computers will let you reverse the boot sequence (so users can't boot from the a: drive—a favorite method for tampering with computers) and password-protect your computer's deepest, darkest innards (so users can't attempt to override your computer settings).
Spend some time on the InFoPeople Web site to learn how. If you delegate this work to others, be sure they document their work and show you what they've done so you can tweak the computers later. Once you tinker with the settings of a computer, unpredictable things can happen, and you want to be able to tweak settings as quickly as possible.
These solutions are just the tip of the iceberg. There are many programs and a few good Web sites that discuss computer security. The Web4Lib discussion group archive is particularly useful for staying up to date.
|
