We are placing four computers in our new youth facility for web browsing, homework help, etc., and I’m looking at options for securing the computers. The software I know of (but have never used) is called Faronics DeepFreeze. I thought I heard about a better alternative to this software on the Casting From the Server Room podcast last Fall, but I can’t seem to locate that information. I’m not sure if this is even the best way to lock down the systems. I’ve considered lock-down via Group Policy, which I’ve done before and may still do to limit actual actions on the computer, but it’s not foolproof and it takes a lot of detail to lock down “just enough” but not “too much.” And I don’t necessarily want these systems joined to the domain, either.
Any options anyone has successfully used to implement this functionality? Anything I should be aware of or stay away from? I’ve considered using thin clients and a terminal server, but I don’t have the time to research cost comparisons (computer and support cost vs. server cost…I may be getting some thin clients for free soon and if so, I have plenty of other uses for them anyway) and such (will audio work, will all possible future applications run in Terminal Services, and so on). I’m probably going to grab some off-lease IBM NetVista machines for about $275 and add some RAM.
Hey I am the director of IT at Calvary Chapel of Melbourne, and I completely cheated on this one. We have 8 “computers” running in our youth center. To ease the burden and save some cash I used HP thin clients and terminated them to a Win2k3 terminal server. I have successfully locked them down so they can’t break anything, believe me – they have tried, and I have found the thin client solution to be really great. We aren’t using a real server, but a glorified desktop computer to be their terminal server. The nice thing about it is, our youth department can review and see everything they are doing and have done from one location. The other great thing is that I can very rapidly wipe out anything they “find” a way to do on the computers. I have even scripted some failsafes to periodically wipe out the thin client profiles. The other great thing is that the thin clients have no moving parts and can’t be damaged / destroyed by someone turning on / off in rapid succession. Hope it helps…
2 HUGE thumbs up for Deep Freeze from me. I implemented DF in the high school computer labs in my prior job and it was amazing the difference it made. Try as they might, kids couldn’t hose up the PC’s :-)
Microsoft’s Shared Computer Kit is another option though I’ve not tried it yet.
Jason: Did you use the Standard or Enterprise edition, do you know the difference between the two, and can you recommend one over the other on any basis other than price? Right now this is for four stations but I can see making use of it in other areas in the future; ten licenses is the minimum to get volume pricing so we’d have extra left over anyway. I think the MS Shared Computer Kit is basically a set of pre-made group policy templates if I remember correctly, but it’s been a while. I used to run a lab of 24 computers when we ran a daycare and they were locked down with Group Policies…but the kids managed to do plenty to them anyway! I spent hours on those darn things :-)
Chris: Are you locking down with group policies or any additional software? What specs are you using on the server computer to get good performance for that many clients, and what are the students doing on the computers? Do you have sound capabilities? Printing? I do like the thin client concept but we only have one terminal server in the office now and it gets limited use over VPN and such for users that don’t need a computer. It’s definitely not locked down too tightly. Are you using separate user names for each computer or do they share a login/profile?
We used the enterprise version because we needed the flexibility that it brought to deployment and management of several hundred PC’s. Difference between the versions here http://www.faronics.com/htmldocs/compare.asp
A big reason we did enterprise was the ability to schedule in maintenance windows when the PC’s would un-freeze and updates/installs could be pushed to them, then they would refreeze. In a large environment that’s pretty key. In a small lab prob not so much.
Another option you might consider is a winterm http://www.wyse.com/products/winterm/V90/index.asp … they run embedded XP so a simple power cycle and the unit is back to base image.
I teach at a community college with multiple buildings located on 4 campuses. Our IT department uses Deep Freeze and I have the admin console loaded on my office PC to control all the computers in our building.
My experience with it has been a good one. The console allows you to view all computers (with deepfreeze installed) on the network and tells you what state they are in: on, off, frozen or thawed. It also shows you the IP address which I find helpful because I also use RealVNC to remotely control the PC’s at times.
You can schedule them to automatically reboot after a set time of inactivity which brings them back to an original state. I have not had much luck with the scheduling of windows updates though, perhaps I’m missing something on that side of things.
I haven’t looked at deepfreeze, so I have no method of comparison… I am using group policy to lock down the desktops in the thin client environment. It has worked really well for us. At the moment our terminal server for the “kids” is standalone. We are using a glorified desktop. Dell optiplex gx280 with a dual core proc / 2 gb of ram. It handles 8 thin clients without sweating at all. The kids play internet games / use office products / surf the web, etc without problem. The only area of the thin client that is a drag is video. Video is slow and choppy, but sound works fine, everything is great. You can definitely print.
It took about a day to setup and configure correctly the terminal server computer, (getting it locked down completely)…
CK
[…] the end of last month, I posted about locking down the public computers in our new youth lobby. I’ve found a new possible software solution, that seems to be […]
I have difficulties reading the “7 comments” because the RECENT POSTS and the CATEGORIES on right-hand side overlap the left panel. We have several Senior Centers using/have used Deep Freeze. One Center has used Clean Slate for two years – currently have 11 PCs with Clean Slate 4.0. Another Center recently installed 12 PCs with Clean Slate 4.0. Clean Slate is difficult to administer but it works perfectly.
I recently setup CleanSlateUser@YahooGroups. I can add more details – but as I said I have difficulties with your screen format.
G.C.Hollowwa
I apologize for the formatting issues; this is the first I’ve heard of anyone having problems. May I ask what browser and browser version you are using? From a small to large browser window, I have never had any issues with viewing my site design on Windows XP using Internet Explorer 7 and Firefox 2. I have not had the opportunity to view the site with Safari on the Macintosh but I haven’t had any complaints. Those three browsers tend to be the majority of the ones used by my visitors according to Google Analytics anyway. I haven’t specifically tested using IE 6, but I should.
You might find it easier to read using the FeedBurner list of my posts, at http://feeds.feedburner.com/LakeviewInfoTech (as a webpage or in a feed reader should both work). You can also read comments posted to the site in the Comments feed on FeedBurner: http://feeds.feedburner.com/CommentsForLakeviewInfoTech
If you would prefer, I can email you this article and any others if you are interested in reading/commenting further. Thanks for taking the time to reply! What is hard about Clean Slate administration?
[…] written twice about my plans and research leading up to implementation, specifically about computer lockdown software. A couple of weeks ago, I mentioned briefly that we had changed course and decided to use […]
I wouldn’t suggest Deep Freeze in a large environment, only where you can keep track of the computers. I worked at one school district and what worked better than that was using Group Policy, Limited Accounts, Updated AV Software. This method is better in the long run anyways, plus no need for Deep Freeze Software.
Todd
Thanks for your comment, Todd. I didn’t want to use Deep Freeze due to the cost, but I did want something more automatic to configure than Group Policy, and I only have four computers in this case. I do agree that there are a lot of cases where Group Policy, Limited Accounts and AntiVirus are best, and I have a decent amount of experience setting all of these up (we’re using all of those to some extent on our general employee desktops, although Limited Accounts are something we’re only slowly transitioning to, and Group Policy is not very strict but used for some common settings).
However, the disk protection feature of the products that prevent any hard drive changes is attractive for a situation where the public will be banging away on the systems without supervision and I don’t want to have to do much maintenance. Thus my research into products from Fortres Grand. The Casting From the Server Room guys also replied to my question with another package (I mention it in the first SteadyState post linked below).
I ended up going with a combination of your suggestion and my research: Windows SteadyState, similar but free software from Microsoft, which provides a simple interface to what are really Group Policy (really Local Policy in this case) settings along with disk protection (anti-hard-drive-modification) and some other handy features. Best part is ease-of-use. I have a whole post about it, as well as a follow-up posted today.
Cool, thanks for the info, will have to check it.