Thread: Re: Authenticating public workstations




Re: Authenticating public workstations
2007-05-31 12:20:30
Hi Dan.

We have a fairly similar setup. Novell and XPPro workstations. (and Voyager as the ILS, as it happens)

We set most of our workstations to require a Novell login in order to get access to the desktop. That limits access to patrons that have been authenticated via Novell login. We do keep a few 'public' machines where no login is required, but they don't have word/excel/etc, just IE.

I'm not sure of the XP/Novell settings required... If this sounds like a solution, let me know and I'll get someone who does know the setup to tell you about it.

don

>>> "Dan Lester" <danriverofdata.com> 5/31/2007 1:04 PM >>>

I hope this is sufficiently on topic.  Feel free to reply privately.

We have the usual urban academic library problem of unaffiliated users using too many computer resources, and, of course, some of them are surfing inappropriate material.  Nothing new there.

The campus has provision to authenticate users with LDAP, and we do so for off campus users, through EZProxy.

We'd now like to authenticate almost all of our public computers, but not just for web access, but for logon to any resources (Word, Excel, SciFinderScholar, etc.).  The possibilities we've found so far don't handle single search of multiple containers, and we're not anxious to try to develop a list of over a hundred Novell servers on campus for the software we've found to hit.

I know the above is pretty vague.  To further complicate it, we're dealing with a WinXP and Novell environment, and all of the computers in question are WinXPPro.

Any suggestions, ideas, etc, greatly appreciated.  And the web access is the biggest issue, but we've been told we need to cover all access, not just web.

thanks

dan



Show Up, Suit Up, Shut Up, and Follow Directions

danriverofdata.com 

Dan Lester, Boise, Idaho, USA
_______________________________________________
Web4lib mailing list
Web4libwebjunction.org 
http://lists.webjunction.org/web4lib/


Re: Authenticating public workstations
2007-05-31 13:20:09
>>> "Don Hamilton" <dhamiltonwlu.ca> 5/31/2007 10:20 AM >>>
We set most of our workstations to require a Novell login in order to get access to the desktop. That limits access to patrons that have been authenticated via Novell login. We do keep a few 'public' machines where no login is required, but they don't have word/excel/etc, just IE.
<<<

Our setup is similar.

We prompt for a Novell login via the Novell Netware client.
That establishes the local profile for that user on the
machine and places an authenticated user in a specific set
of privileged local groups. 

We also have a local workstation-only login defined (on all
of our machines) that the public (and lazy locals) can use
to get access to the machine, but the local user is only a
member of a very specific local community group. The
applications we want to restrict are denied to that local
community group by the simple expedient of setting the
security on the primary application executables to deny for
that group. 

So, Novell authenticated users have access to everything and
community users don't. The local community user's profile is
set up with a different desktop and icons explaining to them
why they don't have access to Microsoft Office, Macromedia
Studio, SPSS, etc...

The machines lock after 5 minutes and reboot after 20
minutes of inactivity, so community users can get access to
machines as privileged users if the privileged user was lazy
and didn't log off/restart, and we do have some community
users that surf around looking for just those opportunities.
If the moocher misbehaves and any investigation is
necessary, it's our local campus policy that it's the
original user's responsibility and they may have their
network privileges suspended/revoked after review.

We also have a few stand-up 'kiosk' machines that
auto-login, but really only have internet browsers on them.

We use some mild gpedit policies to restrict some functions
and we use DeepFreeze Enterprise to further secure the
machines from change. We image the machines with partimage
when they need updating (we used to use Ghost).

HTH,
David

_____________________________________________________________________
David Jones                          mailto:djonesscu.edu
Library Systems Manager              http://www.scu.edu/library/
University Library                   fax: 408-551-1805
Santa Clara University               phone: 408-551-7167
500 El Camino Real
Santa Clara CA 95053-0500
_____________________________________________________________________
Reality is that which, when you stop believing in it, doesn't go away.
-- Philip K. Dick
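
The executable-deny approach described in the message above, as an added example that is not part of the original thread or any poster's own configuration: a PowerShell script that audits a list of application executables for a Deny ACE on a local group and adds the ACE where it is missing. The group name `LibraryCommunity` and the file paths are assumptions made for illustration, and the script assumes a Windows host with PowerShell 3.0 or later run from an elevated session.

```powershell
# Added example. Group name and paths are hypothetical, not from the thread.
$Group = 'LibraryCommunity'   # local group holding the walk-up (community) account
$Executables = @(
    'C:\Program Files\Microsoft Office\Office12\WINWORD.EXE',
    'C:\Program Files\Microsoft Office\Office12\EXCEL.EXE'
)

# Returns $true when the file carries a Deny ACE for $Group that covers execute.
function Test-DenyExecute {
    param([string]$Path, [string]$Group)
    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # IdentityReference looks like MACHINE\Group; compare the last component.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($ace.AccessControlType -eq 'Deny' -and
            $name -eq $Group -and
            ($ace.FileSystemRights -band $execute)) {
            return $true
        }
    }
    return $false
}

# Adds an explicit Deny ReadAndExecute ACE for $Group to one file.
function Add-DenyExecute {
    param([string]$Path, [string]$Group)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ReadAndExecute', 'Deny')
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit each executable, fix it if needed, and report the final state.
foreach ($exe in $Executables) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Missing: $exe"
        continue
    }
    if (-not (Test-DenyExecute -Path $exe -Group $Group)) {
        Add-DenyExecute -Path $exe -Group $Group
    }
    [pscustomobject]@{
        Path        = $exe
        DenyInPlace = Test-DenyExecute -Path $exe -Group $Group
    }
}
```

An application update or reinstall can replace an executable and drop the explicit ACE, so the audit is worth rerunning after patching or re-imaging. A Deny ACE takes precedence over Allow entries, so an account that belongs to both the community group and a privileged group is still blocked.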
