Northeast Iowa Library Service Area [month, day, year]
Waterloo, IA
Presented by:
Michael J. Dargan
Technical Systems Administrator, Waterloo and Cedar Falls Public Libraries
415 Commercial Street
Waterloo, IA50701
319 291 4496/fax 319 291 6736
&
Welcome to the workshopDeepFreeze,
Fortres, PublicBrowser, and the Public Library. The goal of this workshop
is to help libraries with simple networks to easily and inexpensively limit
computer access so that tampering by patrons (and sometimes staff members)
is held to a minimum. The procedures and programs demonstrated during this
workshop are either free, or easily available at nominal cost. Samples
of freeware, shareware, and demo-ware are included on the accompanying
compact disk. Only four of the software titles on the CD will be installed
and examined in the workshop. The others are items that either I or my
colleagues have found to be useful.
The workshop format
is discuss, demonstrate, and apply. For each BIOS or software related topic
we will
·Understand
why the topic is worth our attention.
·Demonstrate
the activity using a projector
·Perform
the activity on participant workstations
·Debrief:Discuss
how the process worked.
As these lines are
written it's not clear to me how many will be attending the workshop. We'll
have a total of nine workstations: One for the demonstrations and eight
for participants. Enrollment has been limited to 24 so it is possible that
each machine will have as many as three users. My advice is to choose the
least adept computer user of each group and have him handle the keyboard
while the others coach. When you've successfully completed the unit, look
around you and see how others are doing. If you want to jump up and help,
go ahead.
An old professor once
told me that no course is ready to be taught until it has been taught three
times. Today is my first attempt at this workshop. I'm hoping to complete
the first four units before lunch and the other two afterwards. In any
case, I'd rather do four topics well than five or six poorly. Therefore,
I've purposely left the anti-virus software for last as most of you can
figure out how to install it on your own. If, by chance, we complete all
five software demonstrations and we still have a reasonable amount of time,
we can discuss inventory procedures.
·BIOS
When shipped from the
factory most computers will boot from the A: drive and the BIOS is accessible
when the system is booting. Both conditions are problematic in the public
library. Booting from the A: drive allows for bypassing of the intended
operating system and any security measures you have installed. Or, a user
might inadvertantly boot with a floppy which contains a virus which could
infect the computer.
Equally bad is unfettered
access to the BIOS, which allows the user to disable or inappropriately
enable devices on the computer. With access to the BIOS an inept or malevolent
user can actually lock down the PC to the point where a technician must
flush the CMOS so that the computer returns to the default settings. A
wise librarian will limit access to the setup.
Fortunately, forcing
a machine to boot from the hard drive and setting a system password are
fairly simple and straightforward tasks. The computers being used today
have the ASUS version of BIOS. We’re going to set them to boot from the
C: drive and to require a password for access to the BIOS setup.
BIOS Setup
|
Step
|
Action
|
|
|
1
|
Reboot
|
Reboot the computer
by choosing Start | Shutdown | Restart.
|
|
2
|
Enter BIOS Setup
|
When the message
"hold down the delete key to enter BIOS setup" appears, hold down the delete
key.
|
|
3
|
Enter BIOS Features
Setup
|
Use the down arrow
to select "BIOS Features Setup" and press the <enter> key.
|
|
4
|
Set BIOS to boot
from hard drive
|
·Use
the down arrow to select "Boot sequence."
·Use
the pageup/pagedown keys to select C:A:
·Press the escape key and return to Setup Menu. |
|
5
|
Set System Password
|
·Use
down arrow key to select "Supervisor Password" and press the enter key.
·When
the "Enter Password" box appears, type the password: ILA99 and press the
enter key.
·When the "Confirm Password" box appears, retype the password: ILA99 and press the enter key. |
|
6
|
Exit BIOS setup
|
·Use
the down arrow key to select "Save & Exit Setup," and press the enter
key.
·When
the "Save to CMOS and EXIT box (Y/N)" appears press "Y."
|
|
7
|
Test your work
|
·Place
a diskette in the A: drive and reboot. If a "non-system disk. . . ." error
appears the boot sequence was not reset.
·Press
the delete key as the system reboots. If the setup does not ask for a password
the system password was not reset.If
the system does ask for a password it was reset.
|
Once the BIOS is secured
from tampering the next level of vulnerability is the operating system.
For the purposes of this workshop we will look only at the Microsoft Windows
95 and 98 products which are running in either a "standalone" or "peer-to-peer"
network environment.
The BIOS needs an operating
system which creates and manages the environment in which the applications
run. The operating system formats diskettes, manages files, launches programs,
determines the appearance of the display and performs other tasks beyond
the scope of this workshop. Users of Internet computers in the public library
have little need for access to the operating system as this would allow
them to change the configuration, delete files, install pirated software,
and otherwise wreak havoc upon the computer. The cheapest and easiest way
to secure the Windows 9x operating system is through the use of a third
party security package. The package used by this workshop is Fortres 101
V4 created by the Fortres Grande corporation (www.fortres.com).
Fortres 101 costs $49 for one license, $239 for 10, and $395 for an entire
building.
Once installed and
activitated Fortres 101 will limit access to the operating system. When
the product is properly configured the user will be able to operate only
those features of the operating allowed by the system administrator.
|
Step
|
Action
|
|
|
1
|
Locate the Fortes
Installer
|
·Double
click "My Computer."
·Double
click the drive containing the CD (assume the d: drive).
·Double click the "d:\Fortres" folder. |
|
2
|
Launch the Fortres
Installer
|
·Double
click the "F101v4b306.exe" file.
·Click
"next."
·At the password prompt type burger. |
|
3
|
Install Fortres
|
·Click
"Next."
·Name:
Workshop.
·Company: ILA99. ·SN: Leave blank and accept as a 30 day demo ·Installation type: Typical. ·Type of data storage: Local Click "Next." ·When prompted for password use ILA99. ·Destination folder c:\fgc: Click "Next." ·Select "Launch Fortres 101 Security Interface" Click "Next." ·Restart: Click "Finish." |
|
4
|
Configure Fortres
|
·Upon
restarting, at the "Do you want to continue loading Fortres 101 choose
"Yes."
·Bring
up the Fortres interface by holding down the ctrl and shift keys then tapping
the esc key.
·Type the password: ILA99. ·Click the + sign to the left of the Fortres 101 label. ·Uncheck the "Disable all security" box in the lower right hand corner of the security screen. ·Choose "File" and "Exit." ·When prompted to "Save current Fortres 101 Configuration" click "Yes" |
|
5
|
Test your work
|
·Right
click the desktop and see if you have access to properties.
·Double
click the My Computer and Network Neighborhood icons to see if you have
access.
·Click the Start button and see if you have access to the start menu options. ·If any of the above features remains available, check your work. |
|
6
|
Practice
|
·While
holding down the shift and control keys, press the escape key.
·Type
the password: ILA99.
·Look at the "Windows Disable" setting and see if the "disable all security" box is checked. |
Starting Point
for the Secure Browser:
Netscape Navigator
Standalone 4.08
Netscape Communicator
and Internet Explorer, the two most popular Internet browsers, have many
features. Either application can be used to check email, Usenet News, edit
webpages, or for net conferencing. Useful as these features are, there
is no good reason for public users to have access to anything beyond the
browser itself. A good way to create that secure "single-purpose" browser
is to start with a product which is already shorn of unnecessary features:
Netscape Navigator Standalone 4.08.
|
Step
|
Action
|
|
|
1
|
Disable the Fortres
101
|
·While
holding down the shift and control keys press the escape.
·Click
the "Disable all Security" box.
|
|
2
|
Locate Netscape Navigator
Standalone 4.08 on the CD
|
·Double
click "My Computer."
·Double
click the cdrom drive.
·Double click the folder "Netscape." ·Double click the folder "Standalone." |
|
3
|
Install NNS 4.08
|
·Double
click the icon "n32d408.exe."
·Accept
the installation defaults by clicking "next" and "yes."
·When prompted to view the README file click "no." ·Close the Netscape folder by clicking the "x" in the upper right hand corner of the window. |
|
4
|
Configure Netscape
Navigator Standalone 4.08
|
·Double
click the "Netscape Navigator" icon on the desktop
·Click
next and continue to click "next" without entering data until asked to
decide if you want Netscape as your default browser.
·Click yes and wait for the program to time out (we’re not on the Internet) then click "ok." ·In the Netscape browser click Edit | Preferences | Navigator. ·In the location box type d:\index.htm (where "d" is the drive letter where the workshop CD resides) and click "ok." ·In the Netscape browser click "home" and go to the CD home page. |
The BIOS is protected
in the setup, the operating system is protected with Fortres 101 and we've
installed a web browser with a limited number of features. We now have
to protect the browser from tampering. An unprotected browser allows users
to change the settings (e.g, home page, mail server, fonts, colors, bookmarks,
and appearance) and also allows browsing of all local and network drives.
No authenticated user should have such access and Ikiosk is a good way
to stop it.
There are other products
that do a good job of locking down Netscape. Two of the better ones are
Full Control by Bardon (www.bardon.com)
and Cooler by Fortres Grande. However, it's been my experience that Ikiosk
is far easier to install and configure. And, at $20 a seat from CARL (www.carl.com)
it's a real bargain.
|
Step
|
Action
|
|
|
1
|
Disable Fortres 101
security
|
·While
holding down the control and shift keys, press the escape key.
·Select
"Windows Disable" and click the "Disable all Security" box.
|
|
2
|
Install Ikiosk
|
·Double
click My-Computer.
·Double
click the CDROM containing the workshop materials.
·Double click the Ikiosk folder. ·Double click the Win9x folder. ·Double click ws332epk.exe. ·Click next, yes, next, next, finish (accept all defaults). ·The computer will restart. |
|
3
|
Configure Ikiosk
|
·When
the computer restarts, close the installation folder.
·While
holding down the shift key, double click the green check mark on the right
hand side of the taskbar.
·When prompted for a password, select "Login to Administrator" and click OK. ·Observe the security warning and click OK. ·Click the Tools menu and click "Password Settings." ·Type ILA99 in the top box then tab and retype ·Click OK. Don't select "Case Sensitive." ·Click File and Exit. |
|
4
|
Install the Ikiosk
autoconfig file for Netscape
|
·Double
click My-Computer.
·Double
click the CDROM containing the workshop materials.
·Double click the Ikiosk folder. ·Double click the Win9x folder. ·Double click wsauto.exe. ·In the "extract to" box double click the C:\. ·Scroll down and double click C:\Program Files. ·Double click C:\Hyper Technologies. ·Double click WinSelect. ·Click "extract." |
|
5
|
Configure Ikiosk
to secure Netscape
|
·Hold
down the shift key and doubleclick the green arrow.
·Select
"Login to Administrator" and type ILA99 in the password box.
·Click "Programs" and "Add." ·In the "Look in" box browse to c:\program files\netscape\communicator\program\netscape.exe. ·Click "Open." ·Click "Netscape Navigator 4.08 (disabled). ·Click "Save Changes." ·Click "Turn on" (if not already on). ·Click File and Exit. ·Ignore any illegal operation messages. |
|
6
|
Test Netscape
|
·Start
Netscape from the desktop icon.
·Try
to change the Netscape settings (e.g. home page).
·Try to print. ·Turn Ikiosk on and off using the shift and double click the check mark method. |
|
7
|
Enable Netscape Printer
|
·Hold
down the shift key, double click the check mark.
·Choose
"Login to Administrator" type ILA99 as the password and click OK.
·Click "Programs," "Netscape," and "Kiosk." ·Click the "Toolbar" tab. ·Scroll down and deselect "Toolbar Button: Print this page." ·Click "Save." ·Note that Ikiosk is "On." ·Choose "File" and "Exit." ·Start Netscape and see if the print option is available. |
Allowing public access
to computers which are not protected with up-to-date anti-virus software
is problematic. Sooner or later someone will introduce a virus into the
system via one of several vectors. Infected diskettes are probably the
commonest culprit, but nowadays we’re also seeing executable email attachments
which transfer viruses into the system. The Mellisa virus of last spring
is a good example an MS Word macro virus which was spread quickly and widely
by email attachments.
No anti-virus program
provides 100 percent protection, but the better ones can make downtime
due to an infection a rarity. There are literally dozens of anti-virus
products on the market and a good place to find a selection is www.tucows.com.
Despite the large number of anti-virus programs, the workshop CD includes
demo versions of only three popular programs: McAfee, Symantec, and F-Prot.
This workshop will examine the McAfee product because I’m familiar with
it. I particularly like the ease with which it can automatically acquire
and install updated virus definitions. The Symantec version is comparable
to McAfee in cost and effectiveness while the F-Prot is shareware and is
a bit harder, in my opinion, to install, configure, and update. However,
if you are willing to figure it out, F-Prot can be a very economical solution
at one dollar per year per machine.
|
Step
|
Action
|
|
|
1
|
Install Viruscan
|
·Go
to "My Computer" and click the workshop CD.
·Double
click the "Anti-Virus" folder.
·Double click the "McAfee" folder. ·Double click the "setup.exe" file. ·Accept all defaults when prompted (e.g., "yes," "next," or "finished." ·The computer will restart and a McAfee Viruscan icon should appear on the desktop. |
|
2
|
Run McAfee Viruscan
|
·Double
click the McAfee Viruscan icon.
·Click
"Scan."
·Browse to choose target (e.g., A:) or accept defaults. |
|
3
|
Set VShield Password
|
·Start
McAfee Viruscan if not already running.
·Click
"Vshield."
·Click "Security." ·Click "Enable Password Protection." ·Enter the password ila99. |
The need to inventory
computer equipment is obvious: the city will want reports on fixed assets,
if the library were to be destroyed in a tornado the insurer would want
to know what was lost and in the event of a burglary the police would like
to know the serial numbers of missing items. And, when it comes time to
dispose of the device being able to show exactly what was sold or junked
will do much to allay the suspicions of auditors.
I
try to be very methodical with new equipment. As the device is unpacked
I fill out a datasheet containing all of the pertinent information. After
the machine passes its functional tests it receives a barcode. The corresponding
number of the barcode is placed on the datasheet. After a number of datasheets
accumulate the information is entered into a spreadsheet table and datasheet
is then placed in a file folder. When the machine or device is disposed
of, the sheet is pulled from the folder, its disposition noted, and the
table updated.
If the device is a
PC, the keyboard box is saved and all of the software and licenses are
placed inside for safekeeping. A marker is then used to record, directly
on the box, a description of the device and its date of purchase. This
box is then placed on a shelf and is very handy when software needs to
be reinstalled or when its necessary to prove that the software is legitimate.
Finally, a copy of the invoice is stapled to a copy of the purchase order.
This is then filed according to fiscal year. Being able to identify when
a product was purchased and from whom makes resolution of warranty issues
much easier.
Inventory
Data Sheet:
|
Library
ID (barcode sticker)
|
Equipment Type: CPU
Monitor Printer Hub Switch
Other:
|
|
|
Make:
|
Model:
|
|
|
SN:
|
CPU Speed:
|
|
|
NIC Model:
|
NIC MAC:
|
|
|
Monitor size: 14
15 17 19 21 other
|
RAM:
|
|
|
Monitor Library ID
(barcode sticker)
|
Monitor SN:
|
|
|
Vendor:
|
Vendor phone number:
|
|
|
Customer ID:
|
Invoice #:
|
|
|
PO #:
|
Purchase Date:
|
Cost:
|
|
Operating System:
Win95 Win98 WinNT Novell
Other:
|
Licensed Apps: MS/Office
95 MS/Office 95 Pro
MS/Office 97 SBE
MS/Office 97 Pro
Other: |
|
|
IP Address:
|
Machine Name:
|
|
|
Department:
|
Disposal: Junk Friends
Sale Other:
Cost recovery:
Date: |
|
Unless otherwise noted
all products are for Win9x
·Adobe
Reader 3.01
is a *.pdf viewer for Netscape and Internet Explorer
·Adobe
Reader 4 *.pdf viewer for Netscape and Internet
Explorer
·Anzio
Lite is a telnet application
·Cyberpatrol
is an Internet content filter
·Cybersitter
is an Internet content filter
·Fortres
101 is an operating system security program
·F-Prot
is a shareware anti-virus program
·Full
Control is and operating system and browser security program
·Hyperterm
is a freeware telnet program
·Ikiosk
is a browser security program
·McAfee
is a demo anti-virus program
·MSIE5
is the setup program for Microsoft Internet Explorer 5.0
·Netnanny
is an Internet content filter
·Netscape
is a standalone web browser
·Netterm
is a shareware telnet application
·Norton
is a demo anti-virus program
·NTSP5
is the Windows NT 4.0 Service Pack 5
·Office97
contains the MS/Office 97 service releases 1 and 2
·PKWare
contains a popular shareware compression utility
·QVT
contains a shareware telnet program
·RSAC
contains an Internet filter program
·Win95
contains the Windows 95 service release 1
·WPDOCS
contains the instructions for this workshop
·WS-FTP
is an FTP program
·Y2K
contains a BIOS tester and the Windows 95 Y2K patch
Prepared January 11,
2002