Physical security is also taken into consideration with access cards and locked doors to keep unwanted visitors off of the local network. This is all fine and good for corporate environments, but what about open environments like libraries and university campuses? When an organization’s purpose is the dissemination of knowledge, the paradigm (don’t you just love that word) of information security shifts tremendously and one cannot be sure that all users on the LAN are completely benevolent.
This article will be geared towards techies at libraries and schools and will attempt to address common security problems that may pop up at these institutions. I’ll gear the solutions towards Open Source, freeware, and base operating system security in a Windows XP/2k environment to keep the information useful to the largest number of people. Not all of us have the budget to buy software like Deep Freeze or other products to protect our patron workstations. Too many articles recommend expensive solutions when there are plenty of free or cheap solutions available. Links to most of the software mentioned as well as sites for further research can be found here.
A word about terminology
I’ll generally use the term patron to refer to students, faculty, staff and general visitors except where a more specific term is needed.
Also, I will use the term attacker or deviant user instead of “hacker” or “cracker” because the latter terms have so many different meanings depending on who you talk to (a hacker is a wood cutter and a cracker is some white dude from Georgia).
Some folks like the terms White Hat Hacker and Grey Hat Hacker, but those are still too flexible (I prefer to consider myself a Plaid Hat Hacker).
A different kind of environment
Institutions like universities and libraries are different from the corporate world. You can’t physically lock the patrons out of every computer at your facility. The entire mission of a library or university is to give patrons the tools and information they need to learn and the faculty what they need to teach. At the same time, a system administrator has to protect staff and patron workstations from deviant users on the network. Every information security professional worries about internal attacks, but this worry is greatly amplified in a campus or open environment where so many users have physical access to the computers and the network.
So how do we hold back the hordes when the barbarians are already past the gates? In this article I hope to point out some of the common security problems with campus environments and some of the solutions. Many problems may not be solvable because the solution would be counter to the mission of your organization, but with a watchful eye many troubles can be averted.
Local Security on Windows Boxes