Questions about access control for community computer center

Hi guys,

Hope everyone's first week is going well! I was hoping to get some ideas and suggestions from those of you who have any knowledge about what I guess I am calling access control. This is an area that I am unfamiliar with and trying to utilize all of my resources to learn more about:)

We would like to find some software for our computer center that will allow us to:

- require users to log in and log out
- track who logs in and when
- prevent users from accessing certain controls and settings
- return the computer to its original settings (so that nothing is permanently saved) upon logout

Comment from cheryl jerozal on September 18, 2006 - 10:11am

...i will take a shot at this since no one else has yet even though i am far from an expert on this. i assume your computers are running windows.

as for requiring users to login and logout, you could just make the only account on each computer have a password and then share that account info with your users. unfortunately that will not allow you to track who is logging in.

the only decent way i can think of to track who logs in involves giving everyone their own usernames so that you can tell who has logged on by the username. if you want each user to be able to use any computer, you will need to set up a server computer which will store the account info (and it could keep records of users logging in and out - see http://msmvps.com/blogs/kwsupport/archive/2005/02/24/36942.aspx ) and then when a user tries to login to a computer their request will go through the server. (unless you only have a few users and can manually make each of them an account on each computer they might use. or unless you decide to assign users to particular computers. and in those cases i am not sure how user logon/offs could be tracked but i bet there is a way.)

to prevent users from accessing certain controls and settings you could make the accounts they use non-administrator accounts. that may or may not be enough control for you. if not, there are software programs that can be used to block access to certain things but i only know about them from having used computers with these programs on them.

if you have separate user accounts on a server, one way to return the computers to their original settings is to have logoff scripts that erase files, undo changes etc. or you could use the server to reset their profile to a clean one at each login.

good luck and let us know how this goes.

Comment from danielle martin on September 22, 2006 - 4:35pm

Hi Andrea,

I too am useless in this area, but deep in my consciousness comes out the term "workstation protection management" and the software Deep Freeze, which might do what you need.

Also, this sounds like a very tech assistance to np question, so maybe hit up Aliya, VISTA leader for that priority area.

Also, check out Tech Soup, especially the Network section or this article "Securing Public Access PCs Without Shutting Out Users"

-Danielle

Comment from John Miller on October 31, 2006 - 6:53pm

I think Cheryl summed it up pretty well: usernames and passwords.

Are your workstations Windows-based? Mac-based? Linux-based? A mixture? Setting up usernames and passwords is slightly different with each. I'm guessing that you'd like a particular user to be able to log into any workstation she chooses with the same username and password. This requires a centralized username/password database.

In the Windows world, this means having one machine act as a primary domain controller. You can do this with Windows 2000 Server, Windows 2003 Server, or a Linux-based Samba server. You configure all workstations to grab their username/password info from the server. All logins and logouts are monitored by the server, and should give you all the information you could ever want (username, IP address, WINS/DNS address, times, etc.).

Unix machines (Macs included) use a different sort of password database, but they can still be configured to get information from a Windows server.

As far as access control to various programs, Cheryl's again right about "administrator" access. Actually, Windows 2000 and newer have several groups to which you can add users. They're called:

System Operators, Replicators, Guests, Power Users, Print Operators, Administrators, Account Operators, Backup Operators, Users.

You can add usernames to each of these groups (to more than one group, even), and that will give them basic permissions. You'll probably want to keep things simple and mainly use the Administrators and Users groups. Everyone in the Administrators group will have full power over all systems.

As far as access control to different programs, I'm no expert, but I assume that this can be done.

As far as saving files, you'll need to decide how much control you're willing to give people. Will they get a "My Documents" folder? Will saved files stick around after logout? Should people be confined only to a USB thumb drive or CD drive? You most likely do not want to allow people to execute files from these sources, though. If you can quickly restore a computer, this may not be such an issue for you. Logout scripts can be of service in restoring settings.

Accessing the Internet: What services do you want to allow? What is your privacy policy going to be? Do you monitor network traffic? Do your workstations have public IP addresses, or do you use Network Address Translation (NAT) and private IP numbers? A proxy server would be a good way to monitor network traffic, but it brings along the headaches of having to configure web browsers, e-mail clients, IM clients, etc. If you're using NAT, and your server logs diligently, you'll know at what time a given computer is accessing a given service (website, IM, e-mail, etc.).

Good luck and let us know how it's going!

--John
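Both Cheryl and John point out that once accounts are centralized, the Windows Security log records who logged on and off and when. The script below is an added example (not from any poster in this thread) of pulling that record into a readable per-user timeline; it assumes a modern Windows version (Vista/2008 or later, where logon and logoff are event IDs 4624 and 4634) and administrator rights, which reading the Security log requires.

```powershell
# Added example: summarize interactive logon/logoff activity on a Windows
# machine from its Security event log (IDs 4624 = logon, 4634 = logoff).
# Assumptions: Windows Vista/Server 2008 or newer, PowerShell 3+, run as an
# administrator. Run it on each workstation, or on a server that collects
# the workstations' Security logs; on a domain controller alone it only
# shows logons to the DC itself.

$start = (Get-Date).AddDays(-7)   # look back one week
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634
    StartTime = $start
}

$rows = foreach ($e in $events) {
    # Read named fields from the event XML instead of positional Properties,
    # because the field order differs between 4624 and 4634.
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $field[$d.Name] = $d.'#text'
    }

    # Logon type 2 = at the keyboard, 10 = Remote Desktop. Service, network
    # share and scheduled-task logons are noise for a public-access center.
    if ($field['LogonType'] -notin '2', '10') { continue }
    # Skip machine accounts (NAME$) and built-in system identities.
    if ($field['TargetUserName'] -match '\$$|^(SYSTEM|ANONYMOUS LOGON)$') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Event     = if ($e.Id -eq 4624) { 'Logon' } else { 'Logoff' }
        User      = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
        LogonType = $field['LogonType']
        Computer  = $e.MachineName
    }
}

# Chronological who-was-on-this-machine list
$rows | Sort-Object Time | Format-Table -AutoSize

# Logon count per user for the period, busiest first
$rows | Where-Object Event -eq 'Logon' | Group-Object User |
    Sort-Object Count -Descending | Select-Object Count, Name
```

A logoff event is only written when the session ends cleanly, so a power-off or crash leaves a logon with no matching logoff; treat missing logoffs as "unknown end", not as a still-active user.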