Director of technology for the Shenendehowa Public Library in Clifton Park, New York.
kgs@bluehighways.com
Column for April 2001
The business of protecting your computers and network against public intrusions—accidental or intended—absorbs countless hours of IT time, and explains why your computer-support people disappear for long periods while you crawl around on the floor trying to figure out how to reconnect your mouse. We aren’t goofing off in front of cozy servers; we’re schvitzing over hot computers, struggling mightily to prevent the public-access version of Hannibal Lecter from devouring your network.
There are numerous methods for securing computers—far more than I could review in this column (and subject to daily change). However, I’ve singled out two resources for accolades and attention because they work well, they are free, they answer obvious security needs, and they’re designed and maintained by librarians.
Public Web Browser, or PWB, is a software program written and maintained by Scott Vermeersch of Mayo Clinic Libraries in Rochester, Minnesota. You install PWB in addition to Internet Explorer 5.5, and it allows you to modify Explorer’s appearance and capabilities. Our library uses PWB to provide a highly stripped-down browser that nonetheless is fully functional, highly customizable, and easy for patrons to use. It has worked so well at the Mayo libraries, reports Scott’s supervisor, David Brown, that departments outside of the library have begun using PWB as well.
Some of the features available in PWB are duplicated elsewhere; for example, Microsoft NT System Policy (a Microsoft-specific security tool) provides capabilities for removing or disabling features in the Internet Explorer browser. Additionally, we continue to use Microsoft System Policy and third-party software (Fortres 101) as part of our security program for our public computers, since nothing does it all.
Nevertheless, PWB is so easy to implement and modify, and addresses so many of the “gotchas” in public browsers, that many settings we already do in system policy we duplicate in PWB in anticipation of eliminating the system policy settings down the road. There are also some functions that PWB performs more easily than any other program, such as removing individual menu items, customizing the title bar, and adding custom buttons. Finally, for ease of maintenance, I keep the configuration files for PWB on a central file server.
I try to be initially skeptical with home-brewed tools maintained by the equivalent of a couple of folks in a garage; the support may not be there when you need it. However—and this isn’t always well understood by people who do not work directly in technology—for the most part, Microsoft support is strictly YOYO (You’re On Your Own), unless you think a $125 support call qualifies as assistance.
There are many helpful discussion lists and similar self-help resources, and the Gates computers do qualify for technical support from the foundation; but for most of us, when we’re securing Windows, it’s still us and that damn computer—and in the case of PWB, Scott Vermeersch.
After a month-long test deployment on four computers, I’ve concluded that for our 26 public machines, as long as Scott keeps maintaining PWB, we might as well use it. Peter Osterhoudt of the Neil Hellman Library at the College of Saint Rose in Albany, New York, enthused, “When I run into trouble [with PWB], the author responds to my e-mails within hours and solves my problems in only a short time. Try that with the Microsoft help services!”
Andrew Mutch, library systems technician at the Waterford Township (Mich.) Public Library, has made Netscape security his personal calling. His Web site includes clear instructions for securing Netscape in Kiosk mode, getting rid of that pesky Comet cursor, and more. Like Scott, Andrew is known for his altruistic sharing and warm bedside manner; as John Richmond, director of the Palestine (Tex.) Public Library, put it, Andrew “should be canonized.”
The best trick up Andrew’s sleeve is an incredibly simple (and free) method to lock down Navigator to a restricted set of sites for computers you want to reserve as Web catalogs and online databases. (A similar procedure works for Internet Explorer, too.) Some time ago I dubbed this procedure the Mutch-o-matic in his honor.
Andrew’s Web site has the full instructions, but essentially you fool the browser into thinking it’s going through a proxy server, restricting the browser to the handful of sites you want to make available at these special-use machines. (Andrew credits Glen Davies of New Zealand for first proposing this method, but Andrew has been responsible for documenting it online and ensuring librarians know about it.) You still need to restrict the browser so patrons can’t change the settings—something that can be accomplished through third-party software, Windows NT system policy, or registry edits—but the proxy fake-out works extremely well.
We used the Mutch-o-matic until last summer in combination with NT System Policy to secure the browser and centrally manage the list of allowed sites, and only moved on to a “real” proxy server when our list of allowed databases became very large.
Librarians from fairly sizeable institutions have mentioned to me that they use the Mutch-o-matic and PWB. These two resources remind us that some of the best tools work so well and so easily that they belie the intelligence and imagination that went into their invention.