Securing Public Access Computers: Some Alternatives to Windows SteadyState

After I wrote about Windows 7 and SteadyState last week, Sarah Washburn asked me a question that led me to look up some of the alternatives to Windows SteadyState that might help libraries secure and manage their public access computers if they’re really anxious to leave behind XP and/or Vista for Windows 7.

I can’t promise that all of the products I mention below have released versions compatible with Windows 7, but this list should serve as a starting point for anyone who wants to do their own research. If you’re comfortable with Windows SteadyState, note that it combines aspects of a computer reset system and desktop lockdown software. If you need a complete replacement for SteadyState, you may need to acquire a program from both of those categories.

There are several ways to design and implement public computer security software. Some systems install locally on each computer, and administrators have to manage each computer individually. Other products and approaches give administrators control over the security configuration of all their workstations from a centralized network management console.

Computer Reset Systems: Other terms for this type of software include “hard drive restore software” and “system rollback applications”. These utilities generally prevent permanent changes to one or more hard drive partitions. They usually function in one of two ways: intercepting changes at the hardware level or overwriting the hard drive with a clean image on a regular basis. In other words, some of them intercept any attempts by the current end user to alter the hard drive or any of the files it holds. The software then discards those attempted changes or quarantines them to a temporary location (e.g. a file or disk partition). When the user ends the current logon session by logging off or shutting down the PC, the software erases the contents of the temporary-save location, and the hard drive returns to its original configuration.

Alternatively, some systems store a pristine copy of the system administrator’s preferred hard drive configuration in a safe, protected location. In other words, in this pristine image, all files and applications are in a clean, unmodified, post-installation condition, or close to it. The security application and/or the system administrator then overwrites the entire hard drive on a regular basis (e.g. daily or weekly). This approach is more resource-intensive, and could slow your network significantly if the timing and implementation weren’t handled carefully.
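A toy model of the two reset approaches described above, added here as an illustration (it is not code from any of the products named in this article). The class and function names are hypothetical; the point it shows is that discarding an overlay costs only as much as the session changed, while reimaging copies the whole disk every time.

```python
# Added illustration: toy block-level model of the two reset approaches.
# Class and method names are hypothetical; no vendor's design is implied.

class OverlayDisk:
    """Approach 1: redirect writes to a temporary overlay, discard at logoff."""

    def __init__(self, baseline):
        self._baseline = tuple(baseline)   # protected blocks, never modified
        self._overlay = {}                 # block index -> data written this session

    def read(self, index):
        # Reads see the session's own writes first, then the protected baseline.
        return self._overlay.get(index, self._baseline[index])

    def write(self, index, data):
        if not 0 <= index < len(self._baseline):
            raise IndexError("write outside the protected partition")
        self._overlay[index] = data        # baseline block is left untouched

    def end_session(self):
        """Logoff or shutdown: drop the overlay. Returns blocks discarded."""
        discarded = len(self._overlay)
        self._overlay.clear()
        return discarded


class ReimagedDisk:
    """Approach 2: writes land on the working disk; a scheduled job overwrites
    the whole disk from a pristine image kept in a protected location."""

    def __init__(self, pristine_image):
        self._pristine = tuple(pristine_image)
        self._working = list(pristine_image)

    def read(self, index):
        return self._working[index]

    def write(self, index, data):
        self._working[index] = data        # change persists until the next reimage

    def reimage(self):
        """Copy every block from the pristine image. Returns blocks copied."""
        self._working = list(self._pristine)
        return len(self._pristine)


def patron_session(disk):
    # Constructed sample activity: a patron changes two blocks.
    disk.write(1, "changed-wallpaper")
    disk.write(3, "unwanted-program")
    return [disk.read(i) for i in range(4)]
```

In the overlay model the unwanted change disappears at logoff; in the reimage model it stays on the working disk until the next scheduled overwrite, which is why the reimage interval matters.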

Examples of computer reset systems include:

•    Fortres CleanSlate

•    Returnil RVS

•    Faronics DeepFreeze

•    Norton Ghost

•    Centurion SmartShield

•    Windows System Restore: While not as full-featured as Windows SteadyState or the commercial products listed above, System Restore is built into Windows XP, Windows Vista and Windows 7. Therefore it’s free of charge and you don’t have to install it. You will have to create one or more “restore points”; a restore point is the clean, uncorrupted state that you’ll be restoring to should something go wrong on one of your public computers.

•    Gates Foundation PAC Security Tool: If your library received one or more free computers from the Gates Foundation between 1998 and 2004, chances are they arrived with a security tool already built in. If you’ve lost the documentation that came with these computers and forgotten your training, WebJunction has preserved many of the tech support documents written to help grantees diagnose and fix problems with their Gates computers.

Desktop Lockdown Software: Also known as “Access Control Systems”, software in this category prevents access to powerful, sensitive administrative utilities such as the Control Panel and the Computer Management Console, along with any other programs, files and directories that the systems administrators consider inappropriate, unnecessary or a potential source of trouble.

Examples include:

•    WinSelect

•    Fortres 101

•    CybraryN

•    Librarica’s Cassie: Alison Pruntel wrote “My Path to PC Management Heaven: CASSIE” for us in late 2008 about her positive experience using this product.

Web Browser Lockdown Tools: Librarians and systems administrators know fairly well that the Internet is the main source of trouble on most public access computers. Therefore, a large percentage of all their management troubles would go away if they could limit what patrons do on the web. Public Web Browser and PublicFox are two tools that give administrators some control over web browser settings on public access computers.

Thin Client Solutions: Other systems rely on thin-client or multiseat technology. In a thin client approach, one or more powerful servers provide the central intelligence and control center for the security system. The end-user terminals do little more than display the graphical interface and process input from the mouse and keyboard. Most of the intensive processing happens on the server(s). Typically, organizations that implement a thin client solution expect to save money on desktop computers because almost any computer with a processor and a small amount of storage will adequately run the minimal commands and output streams that the terminal server sends its way. Also, as long as the server has enough storage, it’s relatively easy to save a pristine version of the client desktop and use it to overwrite the working client image that patrons and other end users see when they log on.  

Thin client technology comes in many different varieties, and some flavors have limitations due to the minimal power on the client side, and the need to transmit all input and output over the network. Also, more and more often, thin-client vendors are relying on virtualization and other cloud computing technologies. In other words, instead of helping you set up your own thin client network, the vendor will host your standard desktop image(s) (image refers to the operating system and all of your organization’s standard software). You still have control over these images, usually via FTP, or a password-protected, web-based management console. However, you’re outsourcing the cost of acquiring and maintaining the terminal server hardware and software. The Moderro Xpack is an example of a product that uses this approach.

Multiseat Configuration Systems: Multiseat systems resemble thin-client systems. However, instead of sending input and output over a network, the client interfaces (mouse, keyboard and monitor) are attached directly to the computer that does the processing. That computer runs a program or operating system capable of managing multiple user sessions at the same time. In other words, you and nine others can share the same workstation hardware (excepting monitor, mouse and keyboard) without tripping over each other’s files and programs. Userful Multiplier and Windows Multipoint are two programs that fall into this category.

After I had written 90% of the article you’re reading, I remembered that Dale Musselman at WebJunction created a Public Access Security Product List three years ago that listed the major public computer security products on the market at that time. As far as I can tell, the market hasn’t changed much in the meantime, though I did find a company I hadn’t heard of before called Returnil that relies on virtualization and virtual machines to roll computers back to a controlled, baseline configuration. Also, Symantec no longer develops GoBack and recommends Norton Ghost 15 as an alternative.

The bottom line is that managing public access computers has never been easy or cheap, but Windows SteadyState made it a little easier and cheaper. However, if Microsoft abandons development of SteadyState, libraries will have to go back to parsing the small, hard-to-understand differences between the wide variety of fee-based products on the market. I can’t recommend one tool over another, but I’ll make a few suggestions for those doing their own research: install trial versions of the software you’re considering; try them out yourself, and ask a librarian who serves patrons directly for their opinion. Also, consider buying multiple PAC Security products from the same vendor. This strategy frequently minimizes the number of vendor relationships you have to manage and decreases the likelihood that you’ll have to troubleshoot system integration problems. However, that vendor then becomes a single point of failure for your PAC Security, so choose carefully.

SiteKiosk

Hi,

When SteadyState stopped, I was looking for other free tools but couldn't find any that would fulfill my needs. I run a small motel here in the Netherlands and wanted to allow my guests to use nearly all features like online-access and printing for pay. I would also suggest to use as many trial versions as possible to find out which may fit your needs. I finally decided in favour of SiteKiosk, especially because I'm not really familiar with programming and SiteKiosk's configuration assistant makes it really easy to set up anything you want. So if you haven't already tested it or found another lockdown software I would recommend you to do so.

Cheers,

Sjef

Tool recommendation: SiteKiosk

Thanks, Sjef, for sharing your tips on using trial versions before selecting (and paying for) a tool to lock down public computers. I hadn't heard of SiteKiosk; thanks for the tip! I wonder if anyone used this tool in public libraries?

There are some references on their site which name quite a lot of libraries:

Clare County Library Headquarters
Openbare Bibliotheek Enschede
Openbare Bibliotheek Venray
Rigas Centrala biblioteka
Russian State Library
Santa Monica Public Library
Tallinn Central Library
...

Testimonials for SiteKiosk

Thanks, Sjef, for continuing to share useful information on SiteKiosk. I see that there are testimonials on the site as well. Interesting to see a wide range of library types from different regions of the world using it, too. Thanks, Sjef!

Inteset Secure Lockdown

We use Secure Lockdown by Inteset to replace the functionality of Windows SteadyState. It works with Windows 7.

Librarica's CASSIE Does Support Windows 7 and Vista

Both 32-bit and 64-bit, see OS requirements link here.

Compatibility w/ Win7 - resources for computer reset software

Clean Slate 6.5 supports Windows 7 according to system requirements page

RVS 2010 Enterprise Classic supports Windows 7 according to system requirements page

Deep Freeze Standard and Enterprise support Windows 7 according to this product data sheet (860K PDF)

SmartShield Library Client supports Windows 7 according to this system requirements page

Here at the John C. Fremont Library in Florence, Colorado, we've had a lot of luck using a mixture of SteadyState and Crystal Office's WinLock. SteadyState only has the disk protection activated; we use WinLock for almost all of the lockdown because it can be deactivated in one step, simply by entering a password.

This might not be the right solution for every library, but we're loose. We unlock the computers a fair amount to allow patrons to install various tools.

Really, with SteadyState, you could not lock them down at all if you wanted. The only reason we do is to prevent some smart aleck from putting last month's Playmate on the desktop or installing a keylogger between restarts.
