Tag Archives: PACs

Privacy Primer for Public Access Computers

“We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” (Code of Ethics of the American Library Association)

Image from https://secure.flickr.com/photos/g4ll4is/8521624548/ used under CC BY-SA 2.0.

In this post I’m going to detail some of the most common threats facing your patrons’ privacy when they use your public access computers, and provide guidance on how to better safeguard it, in keeping with the most vaunted code of ethics in librarydom.

Increasing Security on Public Access Computers with EMET

I’ve previously posted various steps you can take to keep your Public Access Computers safe and secure. Today I’m writing about another free and simple way you can greatly increase the security of any Windows machine: installing Microsoft’s Enhanced Mitigation Experience Toolkit.

Enhanced Mitigation Experience Toolkit is kind of a mouthful, so most people just call it EMET (like the otter). What “enhanced mitigation experience” means isn’t obvious–in essence, EMET acts to prevent rogue code from behaving badly on your computer. This is different from anti-malware software,

Promising Practices for Public Access Computers, Part 3

This is the third in a series of posts on how libraries with limited resources can provide a reliable and safe public computing environment consistent with the tenets of Intellectual Freedom. If you missed the previous post on browser privacy or the post on setting up a guest account, you may want to check those out first.

In this installment, we’ll learn how to install and configure Reboot Restore Rx, a freeware program that allows you to create an ideal state your computer will return to every time it’s rebooted. This helps ensure stability against anything your library patrons might do to it, and also helps protect their privacy by deleting any documents they may have inadvertently saved on one of your public access computers. This is a much more aggressive and thorough approach than the one we took using CCleaner, but it’s also a more involved setup process and makes future software updates slightly more cumbersome. As with previous posts, this is not an enterprise solution, and is best suited for smaller libraries with few public access terminals.

Once you’ve downloaded the program’s installer, the obvious next step is to run it. The installation process is pretty familiar until you get to this screen:

[Screenshot: installer partition selection screen]

Note that your screen will look different, depending on how many hard drives you have and how they are partitioned.

You can select any or all of your partitions at this point, but in most cases you’ll simply want to select C: (checked by default) and any other lettered drives before clicking Next.

At the end of the install process, you’ll need to reboot.

Pretty painless, right? Well, there is a bit more to it than that. First, you’ll want to take steps to prevent your more savvy and mischievous patrons from disabling it. To ensure that the following changes will stick, we want to disable Reboot Restore Rx from the Shield Tray. Right click the following icon from your icon tray:

[Image: Shield Tray icon]

Then uncheck Restore on Reboot. Excellent! Now we need to prevent Shield Tray from loading at startup. An easy way to do this is using autoruns (previously discussed here). You’ll want to run Autoruns as administrator (right click it then select Run as administrator). Next, click on the binoculars and search for shield tray (or scroll through the list until you find it). Uncheck the box next to Shield Tray and then close out of Autoruns.

Now there won’t be a tantalizing switch for miscreant or curious patrons to toggle.

The path to the switch will still be open to them, though, so you’ll have to take extra precautions against the particularly tenacious (or those who’ve read this article). What we want to do next is lock off the Guest account’s access to the RebootRestoreRx folder. Here’s how to proceed (note: you should be signed in as an administrator):

  1. Open up your file tree (click the folder icon; if you don’t have one, click the Start orb, then documents)
  2. Navigate to Computer -> Local Disk (C:)
  3. Right click the RebootRestoreRx folder (you may have to scroll down to find it) then click Properties
  4. Click on the Security tab
  5. Click Edit
  6. Click Add
  7. In the Enter the object names to select text box, type in guest and then click Check Names
  8. You should now see the proper path for the guest user account in the text box (something like COMPUTER-NAME\Guest); click OK
  9. Now, select the Guest account on the Permissions for RebootRestoreRx screen
  10. Check Read & execute in the Deny column (this will automatically deny List folder contents and Read, as well)
  11. Double check that it says Permissions for Guest above the selection box before proceeding, then click Apply
  12. Click Yes
  13. Click OK
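
The same permission change can be scripted when you have several machines to set up. This is an added example, not part of the original post; it assumes the folder is C:\RebootRestoreRx and that patrons use the built-in local Guest account, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example: scripted form of steps 1-13 above.
# Assumptions: install folder C:\RebootRestoreRx, built-in local Guest account.
$folder  = 'C:\RebootRestoreRx'
$account = "$env:COMPUTERNAME\Guest"

# Changing the ACL needs an elevated (administrator) session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

if (-not (Test-Path -Path $folder -PathType Container)) {
    throw "Folder not found: $folder"
}

# Deny Read & execute on the folder, its subfolders (CI) and its files (OI).
& icacls.exe $folder /deny "${account}:(OI)(CI)RX"
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Read the ACL back and confirm an explicit Deny entry for Guest now exists.
$deny = (Get-Acl -Path $folder).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq $account -and
    -not $_.IsInherited
}
if (-not $deny) {
    throw "No explicit Deny entry for $account found on $folder"
}
$deny | Format-List IdentityReference, FileSystemRights, InheritanceFlags
```

The Deny entry covers only the account named in `$account`; if patrons sign in with a different account, repeat it for that account.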

Voila! The guest account can no longer deactivate Reboot Restore Rx without an administrative password. Good stuff. Finally, we want to reactivate Reboot Restore Rx. This is a bit trickier, since we likely no longer have Shield Tray in our icon tray (it will still be there if you haven’t rebooted since changing the autoruns). To get it back (for the current session), click on the Start orb, then type shieldtray into the search box. Execute the shieldtray program this discovers and it will be back in the tray. Now simply right click its icon from the tray, and click Restore on Reboot. This will give you the following notification:

[Screenshot: updated baseline notification]

Click OK (as though you had a choice). That’s it! I do wish you had the option to reject changes at this point, but presently you’ll have to rely on a system restore point for that.

Now you also know how to make any future changes (re: software updates) stick, so that you won’t waste time restoring to an outdated state: load the Shield Tray, deactivate the service, make the changes, reactivate the service, reboot.

Reboot Restore Rx is not a bulletproof means of preventing computer tampering, but it will alleviate a huge percentage of your routine computer lab problems. Reboot Restore Rx is easy to install and manage, allows easy updates to other software and the restore baseline, and it’s freeware. Of the free solutions I’ve tested, this is by far the most user-friendly and the least prone to crashing (I never managed to break it). Hat tip to the How To Geek for his excellent article on this program.

Spring Cleaning Computers (of Malware)

If you’re like me, when you visit (or are visited by) relatives, you’re asked about computer problems. If you’re like me, this can be ridiculously fun and entertaining for you. As luck would have it, family visited this past weekend and brought with them two machines profoundly besieged by malware, hoping I might restore them to proper working order. One of the machines would crash dump into the fabled blue screen of death within five minutes of boot up, the other had well over 4,000 infections and was unable to function at a super-glacial pace. Good times.

Why bring this up here? If your public access computers aren’t well secured, you will inevitably need to go through a similar process, so I thought I’d share it with you (also: once they are clean, take steps to secure them and your patrons, by gum!) While the following routine will only be necessary in its entirety for deeply compromised machines, you may find parts of it useful for handling more mundane encounters with software malfeasance.

As a matter of self-preservation, it is common for malware to disable anti-virus software and your ability to download or update it. Consequently, I use a portable toolkit (executable from a USB stick) to mitigate infections of this nature. Obviously, you’ll have to build and update this kit using a clean machine. Here’s the part of my kit I made use of for this round of cleaning and the order I employed it in:

1. SUPER AntiSpyware (can be run in Safe Mode) – A few notes about this gem of a program before I begin. One: it finds spyware like nobody’s business. Two: it has an embarrassingly stupid name. Three: it is portable, but it tries hard not to be–here’s what you have to do in order to have a USB-executable version of it: download the installer from the link above (do this on a clean machine shortly before you need it, as you won’t be able to use the native updater without rendering it non-portable) and save it to your USB-drive. Run the installer and select a folder on the USB-drive as the install destination (this is not the default behavior). Do not agree to update it at any time or it will senselessly install itself in non-portable fashion. Admittedly obnoxious, but this program rooted out some hardcore infections, improving machine performance all on its lonesome, so it is definitely worth the extra effort (it removed over 3,000 infections from one of the computers).

[Screenshot: SUPER AntiSpyware scan options]

If you’re at the point where you’re running anti-malware programs from a USB-drive, you’ll probably want to select Complete Scan and Enable Rescue Scan, as shown above. Then click Scan Your Computer and start catching up with your relatives (it will take some time to complete). Note that you may want to change Windows’ power settings so that the computer won’t go to sleep on you while the scan is running…

2. Emsisoft Emergency Kit (can be run in Safe Mode) – The Emergency Kit Scanner bundled here is a robust seeker of all manner of nastiness.

Before running a Deep Scan (this is another time consuming operation) I changed the On scan end setting to Quarantine detected objects (note that if you plan on kipping out after you start the scan, you may as well check Shut down PC, too).

Once SAS and EEK had done their thing, a handful of critical infections had been removed from each machine, as had hundreds to thousands of less serious ones. Great headway had been made, but I believe in being thorough, so…

3. Bitdefender Rootkit Remover – This scan only takes a few seconds and will snag known Rootkit/Boot-kit infections that persistently reinstall themselves from the Master Boot Record during start up. Note that I was unable to run this program from Safe Mode.

I didn’t find anything with it, but I can’t say those scant seconds were ill-spent.

4. Autoruns – Autoruns is a great little program from Microsoft technicians that lets you see EVERYTHING that gets run during your computer’s start up and log in cycle and allows you to toggle off any you wish to remove from these proceedings.

If you know what you’re doing, you can both speed up your boot process and identify nefarious programs, preventing them from running automatically.

5. Geek Uninstaller – Geek is a brilliant little program that truly works wonders. It’s the best uninstaller I’ve ever encountered and I’ve yet to meet a program it can’t remove.

Geek also does some nice tidying up after each uninstall completes. You may be asking yourself, “why did he need an uninstaller?” Well, sometimes someone you love will download a free games platform that happens to be a notorious browser-hijacking malware delivery service (here are 39 million articles about one of the programs I removed in seconds with Geek). Sometimes people won’t pay attention while installing things and will inadvertently install additional bloatware that they never intended to and really don’t want or need. Sometimes you just want to ensure that Java isn’t installed. Another thing to be aware of: you really do not want to have more than one active Anti-virus program on any given machine, as they’ll often get into conflicts, degrading performance and security. If you have more than one, uninstall all but your favorite and most trusted (definitely uninstall any trial versions). I’m partial to Microsoft Security Essentials, but there are other fine free options out there. Note that you may need to restart your computer after some uninstalls.

6. Avast! Browser Cleanup – Many of your browser-based woes should already be hashed out, but those that remain can likely be remedied with this tool.

Avast!’s Browser Cleanup will allow you to reset browser homepages and search providers (these are frequently hijacked) and will also help identify malicious toolbars and extensions, enabling you to remove them. Keep in mind that not everything it identifies is dangerous or undesirable, some may simply be unknown or uncommon.

7. CCleaner Portable – CCleaner is a powerful and much beloved temporary file and registry cleaning utility (and so much more!) Some people use Task Scheduler to automate sweeps with its non-portable form, and I like those people just fine. For our purposes, we’ll want to do two things with it now:

Thing One: Cleaner.

This sweeps away all your temporary files. You may wish to look over everything that’s set to be wiped under both Windows and Applications to ensure you don’t accidentally toast something you fancy. If you’re cleaning Public Access Computers, I would encourage you to err on the side of thoroughness. Once you’re prepared, click Run Cleaner.

Thing Two: Registry.

Normally you don’t need to do much in the way of preventive registry maintenance, but if you’ve just mopped the floor with a bunch of malware, bloatware, and nogoodniks, you may have some malingering remnants that you’d be better off without (especially if you’ve been seeing crash dumps). Click on Registry and then click Scan for Issues. Next click Fix selected issues… When prompted, make sure you backup changes to the registry, just in case things go pants up (for the record, I’ve never had that happen, but I’m not one to take chances). Finally, click Fix All Selected Issues.

At this point, I was done with my portable apps and decided to move on to final precautionary measures: running the Microsoft Malware Fixit and then executing a full scan with Microsoft Security Essentials (or your AV of choice).

MSE managed to find a few more infections in one case and set my mind at ease that I’d steered the other clear from harm.

[In the unlikely event that malware has made changes to your system that the Malware Fixit cannot revert, Windows Medkit may provide the last bit of support you need. It’s capable of fixing an inability to view hidden or system files, folder options, and all drives in My Computer; it can enable Regedit, Taskmanager, Msconfig, CMD, Run, Control Panel, and Start Menu if you’ve been blocked from using them; it can fix Taskbar issues. It also has some management and system tools bundled with it.]

Once I purged my relatives’ computers of infection and tidied up, I took steps to help curtail risks of future infection. This involved making their default browser one that self-updated (Firefox or Chrome are nice) and extending it with both Ghostery and Adblock Plus. I also removed shortcuts to other browsers and unpinned them from the Taskbar and Start Menu, to help remove the temptation to live dangerously.

Next, I ran the Windows Update routine (tip: if you create a new shortcut and point it to cmd /c wuapp.exe you will have created a convenient shortcut to Windows Update!) An update was necessary as both machines had been unusable for a few weeks and infections may have been preventing security patches for much longer than that.

Finally, I generated a Ninite installer and set up Task Scheduler to automate 3rd party application updates with it, as I detailed here.

I’d love to hear your suggestions, questions, horror stories, and concerns in the comments!

Automating Updates

From a security standpoint, it is vital to keep the software on any internet-connected computer updated. Updates are routinely rolled out to patch vulnerabilities. If you’re in a Windows environment, updates for Microsoft will automatically come to you on the second Tuesday of every month and you’ll be able to go through the install with only a modicum of intervention. Modern browsers like Firefox and Chrome have become self-patching. A lot of software is not as predictable or forward-thinking, however, and requires due diligence from the user to monitor and patch it (and then there’s software like Java, which can’t be patched frequently enough to make it safe, and should not be installed on an internet-connected computer unless it absolutely has to be).

Fortunately, there’s an easy way to check and update more than 90 of the most popular programs all at once using an installer from Ninite.

Ninite prides themselves on being “The Easiest, Fastest Way to Update or Install Software” and I see no reason to quibble with them on this. It should be noted that they do offer both a Pro and a more feature-rich Updater option for modest fees if your needs exceed what I’m covering today.

The process is simple: go to their website, select all of the apps you’re interested in, and then click the big green Get Installer button.

Ninite will then create a file for you to download. When executed, this file will install every application you selected, completely free from additional clicks, unwanted toolbars or bloatware, or any sort of signup process. If you already have any of the programs installed, it will check to make sure they’re up-to-date, and will automatically update them if they aren’t.

Now that you’ve downloaded your installer, it’s time to use Windows Task Scheduler to automate your updates by following these simple steps:

  1. Open your Start menu by clicking on the Windows orb.
  2. Type task scheduler into the “Search programs and files” search box.
  3. Select Task Scheduler from the results list or simply hit Enter to open Task Scheduler.
  4. Under Actions click Create Basic Task… (rightmost column)
  5. You will now be prompted to name and describe your task; call it something informative like Ninite Updater. Click Next.
  6. Next you get to set a trigger. Weekly would be a good time-based trigger; if this is for a machine that’s administratively locked down for guest usage, you can set the trigger for whenever you log in with your administrative account. Click Next.
  7. If necessary, finish configuring the triggering event.
  8. Next you’ll get to select the action to be triggered. Choose Start a program from the list and click Next.
  9. The program you want to run is the Ninite installer you downloaded earlier (if you don’t recall where you saved the file, Browse for Ninite). Ignore the optional items and click Next.
  10. Click Finish. You’re done!
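
The same task can be created from an elevated PowerShell prompt. This is an added example, not part of the original article; the installer path and the Monday 09:00 schedule are assumptions, and the signature check before scheduling is an extra step the wizard does not perform.

```powershell
# Added example: scripted form of the Task Scheduler steps above.
# Assumptions: installer path and schedule are placeholders to adjust.
$installer = 'C:\Admin\NiniteInstaller.exe'
$taskName  = 'Ninite Updater'

if (-not (Test-Path -Path $installer -PathType Leaf)) {
    throw "Installer not found: $installer"
}
if ($installer -match '\s') {
    throw 'Use a path without spaces so the /TR argument needs no nested quoting.'
}

# The task will run this file unattended, so refuse to schedule it
# unless its Authenticode signature verifies.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${installer}: $($sig.Status)"
}
Write-Output "Signer: $($sig.SignerCertificate.Subject)"

# Weekly trigger, as suggested in step 6; /F replaces an existing task of the same name.
& schtasks.exe /Create /TN $taskName /TR $installer /SC WEEKLY /D MON /ST 09:00 /F
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Create failed with exit code $LASTEXITCODE"
}

# Show what was registered so the trigger and action can be reviewed.
& schtasks.exe /Query /TN $taskName /V /FO LIST
```

Keep the installer in a folder the Guest account cannot write to, because the task runs whatever file sits at that path.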

(This article was adapted from an article I’d originally written for this issue of The Good Stuff – PDF).

Promising Practices for Public Access Computers

I’ve been wrestling for a while now with how best to tackle the manifold privacy and security concerns inherent in shared computer environments. It’s a complex issue pertinent not only to the sacred tenets of Intellectual Freedom and the legislated requirements for patron confidentiality (NDCC 40-38-12), but also for network security and the provision of a reliable and safe computing environment. To make it more challenging, so many libraries are constrained in terms of the resources, time, and technological proficiency they have at their disposal to address these challenges. There are many facets to this, and I intend to tackle them one by one–so begins an epic series of posts…

Before delving into today’s topic, it’s probably prudent to remind you that if you have publicly accessible computers, you should have an Internet Access Policy (word document template). In fact, if you’re filtering to comply with CIPA, you’re obligated to have one.

Okay, if you’re still with me that means your library has an Internet Access Policy and you’re interested in securing your lab and protecting your patrons’ privacy without spending another dime. Bully for you! Today’s lesson: configuring the privacy settings on your public computers’ internet browsers. Below you’ll find instructions for Firefox, Chrome, and Internet Explorer; you may not have all of these installed on your lab computers, but I recommend making the following adjustments to whichever ones you do.

1. Mozilla Firefox

It’s easy to configure Firefox to respect user privacy. First, you’ll need to open up the menu (orange logo-sporting area in the upper left corner of any open browser window). Select Options to pop open a new window with the settings options. Now click on Privacy so that you can make the necessary adjustments. Make sure the “Tell websites I do not want to be tracked” checkbox is ticked. Now select “Never remember history” from the “Firefox will:” dropdown menu under History, like so:

[Screenshot: Firefox Privacy options]

Finally, click the OK button to instantiate your changes!

2. Google Chrome

To change Chrome’s default behavior, you will have to make one minor edit to its shortcut. To do this, right click Chrome’s shortcut on your desktop, Start menu, or taskbar. Then click Properties to summon forth the Google Chrome Properties window. In the Shortcut tab, simply append “ -incognito” to the very end of the text in the “Target:” field (note: don’t key in the quotation marks!) Click OK and you will have successfully modified your shortcut! It is important to note that if you have more than one shortcut, you will need to modify all of them.

3. Internet Explorer

The process for tweaking Internet Explorer is very much like that for Chrome. Right click the IE shortcut on your desktop, Start Menu, or taskbar. Then click on Properties. Append “ -private” to the very end of the text in the “Target:” field (note: don’t key in the quotation marks!) Finally, click OK to finish it up. If you have more than one shortcut to IE, you will have to alter each of them in this fashion.
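
Because every Chrome and IE shortcut has to carry the flag, it helps to find them all in one pass. The following is an added example, not part of the original post: it covers both the Chrome and the Internet Explorer steps above, the function name and search folders are assumptions, and the flags are the ones given in the post.

```powershell
# Added example: report (and optionally fix) browser shortcuts that lack the
# private-browsing flag. Function name and search roots are assumptions.
function Set-PrivateBrowsingShortcut {
    param(
        [string[]]$Root = @('C:\Users', "$env:ProgramData\Microsoft\Windows\Start Menu"),
        [switch]$Apply   # without -Apply the function only reports
    )
    # Flags as given in the post, keyed by the shortcut's target executable.
    $flags = @{ 'chrome.exe' = '-incognito'; 'iexplore.exe' = '-private' }
    $shell = New-Object -ComObject WScript.Shell

    Get-ChildItem -Path $Root -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = ($lnk.TargetPath -split '\\')[-1]
        if (-not $exe -or -not $flags.ContainsKey($exe)) { return }

        # Accept the flag with one or two leading dashes, anywhere in the arguments.
        $flag    = $flags[$exe]
        $pattern = '(^|\s)-?' + [regex]::Escape($flag) + '(\s|$)'
        $status  = 'ok'

        if ($lnk.Arguments -notmatch $pattern) {
            $status = 'missing flag'
            if ($Apply) {
                try {
                    $lnk.Arguments = ("$($lnk.Arguments) $flag").Trim()
                    $lnk.Save()
                    $status = 'fixed'
                } catch {
                    $status = 'save failed'
                }
            }
        }

        New-Object PSObject -Property @{
            Shortcut  = $_.FullName
            Target    = $exe
            Arguments = $lnk.Arguments
            Status    = $status
        }
    }
}

# Report only; add -Apply from an elevated prompt to write the changes.
Set-PrivateBrowsingShortcut | Format-Table Status, Target, Arguments, Shortcut -AutoSize
```

Called without -Apply it only lists each shortcut and its status, so it can also serve as a periodic audit of the lab machines.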

A final note: if you’re not currently using a program like Fortres Grand’s Clean Slate, Faronics’ Deep Freeze, or Complete Lock’s Install Guard, patrons will still be able to adjust these settings and undermine the protections you’ve put in place for them. More on locking changes like this down in a later post!