Last update: July 2009

Introduction

This article presents ideas for readers to consider when developing a strategy for securing public access computers. Regardless of the solution you decide upon, it is important to remember that your strategy should not be seen as static; it should include regularly scheduled updates and revisions as necessary.

A first step in developing your security policy is to identify exactly what it is that you are trying to protect, and what your existing vulnerabilities are that someone might be able to exploit. For example, are you trying to physically protect your computers from malicious attacks? If so, then how accessible are the cases, monitors and peripherals right now? Are you attempting to prevent users from viewing certain data that is stored on a computer's hard drive? If so, then what steps must a user currently take to access that data? How likely is it that your users will be able to figure out those steps and see the data that you hope stays hidden?

This article focuses on protecting the software (the operating system and installed programs) and/or data (user-created files and folders) on your public access computers, and the way in which your software is currently configured.

You should develop both proactive and reactive components of your overall strategy. Proactive measures are those that you put in place in order to prevent a problem from occurring. For example, if you want to prevent a user from uninstalling programs on a Windows 2000 computer, you might install software that hides the Add/Remove Programs icon in Control Panel. In this article, the methods that are focused on a proactive approach to security are presented in the section Protecting Software and Data on Public Access Computers.
Reactive measures are those that you put in place in order to recover from a security breach, such as a user who has been able to delete critical operating system files, change network configuration settings, uninstall software or otherwise do harm to the computer. The techniques and tools that are focused on a reactive approach to security are presented in the sections of this article entitled Restoring Software and Data on Public Access Computers and Restoring Data Only on Public Access Computers.

Within each of these types of security components, not all of the products and techniques you can employ are equally effective. Nor are they all equally relevant to each site's specific needs. By identifying what it is that you are trying to protect and what your existing vulnerabilities are, you'll be able to better decide how to strengthen your defenses.

Protecting Software and Data on Public Access Computers

Overview

There are two ways in which you can protect the contents of a computer's hard drive. The first and most thorough method is to install additional hardware or software that enables you to return the computer's software configuration to a preset state when the computer is restarted. The second method, which is sometimes used in conjunction with the first, is to prevent users from accessing and modifying critical files and features on the computer by installing hardware or software that hides these sensitive areas.

Recovering a Preset Configuration

Hardware and software are available that can essentially force your computer configuration to remain in a pre-determined state. This means that you can set up a computer to look and feel a specific way, and then “lock” it. When the computer is locked, users cannot make any permanent changes to the contents of the hard drive. It may sometimes appear to users that they are modifying the computer, but any changes disappear when the computer is restarted.
These products are especially beneficial to sites where computer administrators want the public access computers to look and feel like most other personal computers, since the products do not alter menus, application appearances, features, etc. For example, a high school computer lab might need its Windows 2000 Professional computers to provide students with access to Control Panel and Administrative Tools for their computer classes. The products below would allow students to access all resources on the computer, and would still get rid of any changes made by a student when the computer is restarted.

Popular Configuration Recovery Products

Centurion Guard http://www.centuriontech.com/products/centurionguard/
Clean Slate http://www.fortres.com/products/cleanslate.htm
Deep Freeze http://www.faronics.com/html/deepfreeze.asp
Drive Shield http://www.centuriontech.com/products/driveshield/

Denying Users Access to Critical Parts of the Computer

Sometimes you might want to prevent users from seeing or using certain files, folders and features on a public access computer. The goal in blocking users' access to these resources is typically to ensure that they cannot modify the contents of the hard drive in a way that might harm the computer. For example, if you want to prevent a user from modifying or uninstalling printers on a Windows-based computer, you might install software that hides the Printers folder on the Start Menu and in Control Panel.

When used alone, these products do not always provide as thorough protection as the “configuration recovery” products listed above. However, when used alongside configuration recovery products, the software listed below can serve as an effective management tool, and can greatly reduce the number of reboots support staff must perform in order to repair their public access computers.

Popular Software Protection Products

FoolProof http://www.horizondatasys.com/product_page.html?page_id=12
Fortres 101 http://www.fortres.com/products/fortres_101.htm
Microsoft Windows SteadyState (formerly the MS Shared Computer Toolkit) http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
Overview of Windows SteadyState: http://www.webjunction.org/tech-security/-/articles/content/448713

Restoring Software and Data on Public Access Computers

Overview

In some cases, a computer will lose its software and data regardless of the protective (preventative) measures put in place. Perhaps the best example of this would be a hardware failure in which the computer's hard drive breaks and must be replaced. When software and data are lost in this way, the most efficient way to return the computer to its normal working order is to copy a backed-up version of the lost hard drive contents to a new hard drive. This process is often referred to as a “hard drive restoration.” Some of the ways you can restore a hard drive are: software cloning, hard drive duplicating, and the use of a Redundant Array of Independent Disks (RAID).

Software Cloning

The security in place on many public access computers does not allow public users to save data such as user-created documents to the computer's hard disk, nor does it allow the public user to make permanent configuration changes to the computer. Therefore the system configuration, along with the directory structure and the files it contains, tends to remain static, or unchanged. When a computer's hard disk contents are static, there isn't much need to back up individual files and folders on that computer. Additionally, organizations often prefer that most or all of their public access computers have a configuration that is not only static for each computer, but also standardized across as many computers as possible.
Software cloning, also known as drive imaging, is an ideal disaster recovery solution in this type of an environment. Software cloning is the process of making a complete copy—or image—of a “source” computer's hard drive contents (its operating system, all installed programs, user-created files, etc.) and then saving this image to another medium, such as a CD-ROM or a server's hard drive. This image can then be copied back onto that same computer if the computer's software is somehow made unusable. The image can also be copied to other “target” computers in order to standardize a single configuration on multiple computers.

The biggest advantage in using cloning software is the time that it can save. For example, if a hard disk on a computer fails, it is likely that it will take a few hours or even longer to manually reinstall the operating system and all the necessary software programs. Restoring that same computer to working condition from a master image created using cloning software usually requires less than an hour of administrative effort.

This Web page provides information about how to clone a hard drive when using a Microsoft Windows operating system.
http://www.datarecoverylabs.com/how-to-back-up-computer-hard-drive.html

Preserve Your Image
This article identifies the key features to consider when selecting cloning software.
http://www.pcmag.com/article/0,2997,ss%253D1479%2526s%253D1880%2526a%253D10311,00.asp

Popular Software Cloning Products

Acronis True Image http://www.symantec.com/home_homeoffice/products/backup_recovery/ghost10/index.html

Hard Drive Duplicating

Organizations that standardize a number of their computers on a single software configuration (i.e., many of their computers have the exact same software, security, etc. installed) can purchase a spare hard drive, and then use this hard drive to store a backup of the image.
They can then use a hard drive duplicator to copy the master image to a new hard drive, or to an existing hard drive that has experienced an irreparable software failure.

Hard drive duplicators range widely in price (from around $500 up to several thousand dollars) and features (some require hard drives to be identical in size, some work only with IDE drives, etc.). Be sure you understand the limitations of a particular model before making your purchase.

Popular Hard Drive Duplicating Products

Greystone http://www.ce-s.com/grystone.htm
Intelligent Computer Solutions
Logicube
Promise
Wytron http://www.ce-s.com/wytron01.htm

Redundant Array of Independent Disks (RAID)

NOTE: This option is only available for computers running a server operating system.

One option for backing up/protecting data on servers is to implement RAID ("Redundant Array of Independent Disks"). RAID configurations protect data from being lost due to the failure of a single hard drive. In the event that more than one hard drive fails simultaneously, however, RAID does not provide a way to recover the lost data. So, RAID should be used in addition to, not instead of, whichever other data backup methods you are using (such as copying files that have changed since your last backup to tape or to CD).

"Software" and "hardware" RAID both require two or more hard drives to be installed in the computer. However, software RAID is less expensive to implement since the creation and management of the redundant data is handled by the operating system and does not require the purchase of specialized controller hardware.

RAID Level 1 or disk mirroring

This method is useful because if one hard drive fails, then the other hard drive is immediately available for use, with limited downtime. RAID 1 does have a couple of drawbacks.
You are required to buy at least two hard drives for the server, and RAID 1 is slower than using a single hard drive, because the operating system needs to write the information to multiple hard drives.

RAID Level 5 or “stripe set with parity”

RAID 5 is similar to RAID 0, but parity is added to the striped set. With parity, the data is redundant, meaning that it can be repaired if one hard drive fails. Your server must have at least three hard drives for it to store the parity information. If one of the hard drives in the stripe set fails, replace it with a new one, and you will not have lost any data.

Getting to Know RAID

RAID Levels Explained
A Swiss consulting firm has put together a very clear overview of what different RAID levels are available and what they do.
http://www.sohoconsult.ch/raid/raid.html

The Skinny on RAID
This is a comprehensive article explaining RAID and RAID levels with graphics.
http://www.arstechnica.com/paedia/r/raid-1.html

Get to Know RAID
This website covers information on RAID, including advantages and disadvantages of each type.

RAID Explained & Iwill Side Raid66
This link points to an explanation of basic RAID technology, followed by a review of the Iwill Side Raid66:
http://www.slcentral.com/reviews/hardware/controllers/iwill/sideraid66/

Restoring Data Only on Public Access Computers

Overview

Typically, the term “backup” does not mean creating a complete image of all of a computer's software, data and configuration information. Rather, it refers to the process of copying data (i.e., user-created folders and files) from one medium, such as a computer's hard drive, to another medium, such as a tape, a CD, or a server's hard drive. This is done so that a duplicate copy of this data is available in case damage occurs to the data on the original medium.
Since users are not often permitted to save their files to a public access computer's hard drive, this limited restoration method might not be especially useful in a public access environment.

Backup Software
Key features to consider when selecting a third-party backup software package:
http://www.pcguide.com/care/bu/howSoftware-c.html

Backups and Disaster Recovery
Things to consider when deciding whether to back up your data:
http://www.pcguide.com/care/bu/index.htm

Popular Backup Products

Veritas Backup Exec http://www.veritas.com/products/category/ProductCategory.jhtml?categoryId=2011&baseId=2001
Dantz Retrospect Professional
NovaStor NovaBACKUP
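How the parity described under RAID Level 5 lets a single failed drive be rebuilt, and why losing two drives at once cannot be recovered, shown as an added Python example that is not part of the original article. The disks are simulated as in-memory lists; the block size, sample data and function names are assumptions chosen for illustration.

```python
# Added illustration: RAID 5-style XOR parity over simulated disks.
# Function names here are hypothetical, not from any RAID product.
from functools import reduce

BLOCK = 4  # bytes per block; tiny so the layout is easy to inspect


def xor_blocks(blocks):
    """XOR equal-length byte blocks together, column by column."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def write_stripes(data, n_disks=3):
    """Stripe data across n_disks, rotating the parity block per stripe."""
    if n_disks < 3:
        raise ValueError("parity striping needs at least three disks")
    per_stripe = BLOCK * (n_disks - 1)
    data = data.ljust(-(-len(data) // per_stripe) * per_stripe, b"\0")
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + BLOCK] for i in range(0, per_stripe, BLOCK)]
        blocks.insert(s % n_disks, xor_blocks(blocks))  # parity slot rotates
        for disk, block in zip(disks, blocks):
            disk.append(block)
    return disks


def rebuild_disk(disks, failed):
    """Recompute one failed disk (marked None) from the survivors."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("more than one disk lost: parity cannot recover it")
    return [xor_blocks(stripe) for stripe in zip(*survivors)]


def read_data(disks):
    """Reassemble the data blocks, skipping each stripe's parity block."""
    out = b""
    for s, stripe in enumerate(zip(*disks)):
        out += b"".join(b for i, b in enumerate(stripe) if i != s % len(disks))
    return out


if __name__ == "__main__":
    disks = write_stripes(b"PUBLIC-PC-IMAGE!")  # constructed sample data
    disks[1] = None                             # simulate one failed drive
    disks[1] = rebuild_disk(disks, 1)
    print(read_data(disks))
```

The second-failure case raises an error rather than returning data, which is the reason the article pairs RAID with a separate backup method.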