The Travelin' Librarian

A recent comment on my post about how to configure some public laptops reminded me and I’d not blogged the results.

First, in response to Scuba Steve who said "Giving public users administrator access is just stupid," I’ll respond by saying that there needs to be a balance between security and usability. I’ve been in plenty of labs and on plenty of public computers where they’re so locked down that I can’t do the simplest of actions on that computer. When you sacrifice usability for security, you end up loosing in the end.

Granted, on its face, giving the public admin rights does seem risky. However, especially in Vista, when you don’t have admin rights, there are a whole list of things that can seriously degrade your patron’s experience. Remember, this isn’t an office situation here, these are public-access computers. I think Steve would respond that this fact actually increases the risk more than in an office environment and I might tend to agree but it also changes the nature of the user. In an office, users are expected to do a certain list of things and therefore IT can anticipate how the computer will be used. Give access to the public and who know what they’ll want to do.

Lastly, these computers are mostly going to small rural libraries who have minimal to no technical expertise on staff. Therefore, what security is installed needs to be manageable by non-IT professionals.

So, I’ll stress again, there needs to be a balance. Here’s the balance I believe I’ve found:

There are two accounts, one for staff which is password protected, and one for the public which is not. (Don’t librarians just love handing out passwords to people?) Both accounts have full rights to the computer as far as Windows is concerned. I’ve also installed Steady State with the following two restrictions:

1. The public account is "locked". This means that no matter what the user does to the computer, upon logout (or reboot) the changes are immediately removed.
2. Access to Steady State has been blocked for the public account. This addresses Steve’s question "What would stop them from uninstalling/deleting SteadyState, Deep Freeze or any other restoring software you install?" In other words, in order to change or uninstall Steady State you must be logged in as the administrator.

As a result, staff can log in as staff and make any needed changes, install/remove software or run updates to the system as a whole without needing to touch Steady State at all. To make a permanent change specific to the public profile (i.e. add or remove desktop icons) they’ll just need to log in as staff, unlock the public account, log in as the public, make the changes, then log back in as staff and relock the public account. (That may sound complex but it doesn’t involve multiple reboots like Deep Freeze or Centurion Guard do.)

In the end I believe that I’ve found the balance that fits our needs. I’ve been running this setup in our lab for the past month and will be doing so for the next month before I actually set up the laptops in question. So far, this setup is working as needed.

Let me stress again: this solution fits our needs. Blanket statements such as it’s "stupid" to do something in every situation just shows that your thinking is locked and unfortunately rules out the flexibility that’s required to solve certain problems.