Before making a decision there are certainly things to evaluate, and I definitely want to get my hands on an NSA box for a while to test first. I like the ISA 2004 firewall interface that we’re currently running and I want to make sure I’m comfortable managing SonicWALL if we go that route.

So far it’s holding up to the abuse and none of the systems have been hacked that I know of! At our recent Volunteer Dinner, the workstations served double-duty as aquariums. Well, I put an ocean-with-fish screensaver on each system to help complement the overall ocean party theme. It worked pretty well! I didn’t take any photos, but the screensavers are still installed. So you can expect pictures of a re-creation in the next ten years, unless the computers are replaced before that. Ha ha.

One tool mentioned in the podcast this time is called Remote Task Manager, which is a remote control (at a granular level, not just a remote desktop viewer tool) for networked PCs. It sounds very useful and worth checking out the demo when I have the time!

I ran into a small issue with the SteadyState/Firefox setup that was a relatively easy fix: Firefox tried to update itself and the theme when new versions came out. Why it does this as a limited user when it can’t run the upgrade (for the program itself; the theme should work if it weren’t locked down) is beyond me, maybe I’ll file a bug report or something. Anyway, to get rid of the upgrade reminder, I logged in as Administrator and installed the Firefox program upgrade. Then I unlocked the profile and disabled Disk Protection, logged in as the locked down user, not not locked down, and upgraded the theme. Then I changed the Options (Tools->Options->Advanced->Update) and unchecked all of the automatic update options. Now updates won’t automatically (try to) apply, and I don’t even have to worry about security holes much because of the Disk Protection feature. I also took the opportunity to install the Auto Reset Browser extension and disable the old auto-restart mechanism (see below for the reasons).

Accessing Firefox Settings

To get to the Firefox settings, because of the R-Kiosk extension disabling menu access, I had to use the Firefox (safe mode) option from the Start menu, tell the statup box to disable add-ons and restart, and then it came up with no theme and no extensions active. I made my settings changes, installed the Auto Reset Browser extension, re-enabled the theme and the R-Kiosk extension, and restarted. Back to normal, with all changes made!

Firefox Auto-Restart Method

Paul Marc left a comment on my original post asking about how I made Firefox auto-restart if closed and on idle. I was using a batch file called start.bat that I found online, but I can’t seem to locate it again with Google (I recall it took some searching to find originally as well). I’ll have to grab the bookmark off of one of the computers I set it up on when I am able.

It seemed like it was a great solution when I set it up. However, I had several issues crop up in actual use. Sometimes it would get “stuck” in a loop of starting unending new Firefox windows as fast as the computer would open them. The only solution was to log off or restart (or kill the script, but the Task Manager won’t open under lockdown!). This only happens sometimes, and I’m not exactly sure why, but it makes the system unusable when it does happen.

I have made the above changes on three of the four computers (the last one isn’t switched yet because I ran out of time), setting them to not use the start.bat file, and instead installing the Auto Reset Browser extension in Firefox. It restarts the browser after every five minutes idle. The downside is, if a user closes the browser manually, it doesn’t reopen automatically. There is one icon on the desktop though, to open Firefox, so I don’t think this will be an issue, although it’s not as nice as the original solution when it worked correctly. And either way, closing manually or on idle, Firefox still runs the Clear Private Data option I had set up (per my original post) to get rid of the prior user’s cookies or other saved information.

Network Connection Details

In my original post, I neglected to include details of the network connections for the locked down systems. It’s pretty simple: stick the computers on the same VLAN (wired) as the free Wi-Fi internet access. I added each system’s MAC address into the Nomadix gateway so it doesn’t ask for a username or password, and I can control bandwidth on a per-computer basis (they don’t have much). The free Wi-Fi is firewalled so only OpenDNS can be contacted over the DNS ports, so they are subject to the OpenDNS adult site blocking we have in place, just like everyone else.

Overview

Our new youth facility now has a four-computer internet café. I’ve already written twice about my plans and research leading up to implementation, specifically about computer lockdown software. A couple of weeks ago, I mentioned briefly that we had changed course and decided to use Microsoft Windows SteadyState as our lockdown software of choice, mainly due to the price (free!).

We (Dutch volunteer Jeroen and I) were physically installing the computers/monitors/etc. in the youth lobby area when I thought, “hey, Microsoft just released some updated lockdown software, let’s try it out.” We hadn’t yet purchased the Fortres Grand software, although I had it approved. So I downloaded SteadyState, installed it, and messed around for a few minutes. It was so easy, even my mom could do it! Well, okay, I’ve been teaching her computers for a while and I might still have to walk her through this one over the phone, but I have no doubt she’d make it work :-) The installation went smoothly, the lockdown options (we wanted pretty much the tightest lockdown possible) were easy to select, and the hard disk protection (which discards changes on reboot) was easy to enable and control from within the main SteadyState console. I haven’t had experience with Microsoft’s old Shared Computer Toolkit, but from what I understand it was more difficult to combine all the options together into one functional system, and they appear to have fixed all of this in SteadyState.

Lockdown Features

In the SteadyState console, there are three items under Global Computer Settings: Set Computer Restrictions, Schedule Software Updates, and Protect the Hard Disk. The Set Computer Restrictions option lets you change things such as whether to display the last username in the logon screen, prevent users from writing to USB drives, turn the Welcome Screen on and off, and other miscellaneous things that affect the whole computer, not just particular user(s). I turned most of these on. I’m not writing this with access to the computers I set up, so I’m going from memory on this (and everything else) but if you have any questions about specifics please leave a comment!

You can create or import users/profiles that SteadyState can then manage with a selection of lockdown options going from low to high security, but at each level it just selects a more restricted subset of the detailed options and lets you customize away. This is similar to the functionality of the Fortres 101 software. All we tested was the highest security possible, locking down almost everything and only allowing the Mozilla Firefox executable to run. However, we did have to allow command prompt access to get the Firefox auto-restart trick below to work, although with the GUI and keyboard shortcuts this locked down, no one should be able to access the command line except through the batch file the Firefox shortcut links to for this trick to work.

Testing the lockdown settings to find the right mix can be a bit tricky because you must save the settings, log out, log in as the limited user, test, log out, and log back on to the administrative account again. It’s tedious, but once you have what you want, you can duplicate the settings more easily on other systems. The Export/Import Profile function works, but it imports a default user profile with the lockdown settings. Be careful with this, because it means you must wait until after you import a user into SteadyState from an exported profile before logging in and doing any customization to their desktop (display options, Start Menu positioning, etc.) as any customization you’ve done will be deleted if you import a user over top of your existing user! Found this out the hard way — once :-)

Firefox Does Its Own Privacy Work

Firefox has some great options for “Clearing Private Data” such as cache, cookies, history, saved passwords, authenticated sessions, etc., which for most Firefox users is either a manual option or something it prompts you to do when you close Firefox. Because of the multi-user environment, we instead set the options, available through the Firefox Tools->Options panel, to automatically clear private data when the browser was closed, with no prompting. That way someone logged into Gmail, Hotmail, Facebook, or lets face it, MySpace (one site I still refuse to sign up for :-) will be logged out when Firefox closes, safe for the next person to use. Let’s face it, these are teenagers we’re talking about here — do you think they’re going to remember to log off? Not likely in the vast majority of cases.

I found a batch file with some Google searching (I’ll have to re-locate it and post an update if anyone is interested) that, when run via a command line or a shortcut and passed the path to a .exe file, runs the file but monitors it and if the process ends, it restarts it automatically. So Firefox is in the Startup folder in the Start Menu, but run with this batch script. When someone closes Firefox, it clears their data, is automatically restarted, and goes back to the youth homepage automatically, ready for the next user!

But what if people don’t close the browser? We set up a Scheduled Task to kill the firefox.exe process after 5 minutes of the computer being idle. Same effect as the user closing the browser, and it automatically reopens still. This is a touch buggy, as occasionally Firefox will instead of reopening once, reopen window after window after window after window…and of course the computer is so locked down you can’t kill the process manually. It requires a logout or restart to fix. This is still on my “to track down” list, but it’s the last little piece of the puzzle, and generally it works fine. I’m sure it’s an issue with either the batch file, the scheduled task, or both interacting somehow.

Thematic Full Screen

The theme we chose for Firefox is called NASA Night Launch. It’s a beautiful theme, which shows an awesome shuttle launch shot as the blank background before a tab finishes rendering, and has equally nice toolbar backgrounds and a custom throbber (the top-right icon that moves while a page is loading, if you didn’t know). The grays and blacks in this theme look wonderful with our current homepage, www.infusionstudents.com, as well as the black LCD monitors mounted to the wall (pictures to follow later). A new version of this theme was released on July 22nd, after we set up the computers, so I will consider upgrading the theme at some point soon.

To make the slickest looking interface possible, we applied the R-Kiosk extension to Firefox to force it into fullscreen mode when it starts, getting rid of the title bar and any non-themed borders. We did apply the change to user.js that provides the navigation menu so the address bar and back/forward function. It looks really good with this extension combined with the theme!

While looking to see what the theme and extension we used are called, I just ran into an extension called Auto Reset Browser that for some reason I’ve never seen before. It looks like it might be a more elegant solution to my earlier problem, but I don’t know if it will help keep Firefox open if someone manually closes it. I will have to investigate further as time allows.

Disk Protection

SteadyState’s disk protection option, which you must enable separately from the policy lockdown settings, basically makes the hard drive immutable for most purposes. Do anything, reboot, and you’re back where you started last time. Fortres Grand’s Clean Slate product has similar functionality. Microsoft has made what I hear are improvements (compared to the Shared Computer Toolkit) in this functionality in that you enable and disable this option from the SteadyState control console just like all the policy options. Give it some time to make a cache file for the temporary disk changes, reboot, and the disk is protected.

The nicest thing is, if you’re an Adminstrator running SteadyState, and you log in, install a new program, and reboot — oops, if the disk protection was on you’d lose all your changes! You can unlock the disk for a time in the console, however. But the best option Microsoft added was a modification to the Log Off screen, prompting you that disk protection is on and giving you the option to discard all changes — or, keep the changes, restarting to merge the cache onto the hard drive automatically. That’s a no-brainer option that will continue to save my behind as I update these systems in the future I’m sure, long past initial setup! I’ve already used it for a few tweaks here and there.

No Manual Needed

SteadyState scores high marks for ease of use; I’ve still not read the manual and only referenced the help file (which opens automatically with the console) a few times. (Well, I did use the manual to refresh my memory while writing this post, but only because I don’t have access to the real systems at the moment. And this is the first time I’ve even opened it.)

Physical Installation

I don’t currently have any pictures of the computers handy, so I will leave photos and a description of the mounting process (which comprised more than 50% of the entire operation) to a future post.

Yet Another Alternate Option

In very related news, I did received a reply, although a bit late for me and not really a fit anyway at this point (due to the cost), from when I emailed and asked the guys at the Casting From The Server Room podcast for a reminder of what software they had run across as a Deep Freeze competitor. They mentioned it (CompuGuard CornerStone) in an old episode which I couldn’t remember, and their “show notes wiki” had been lost without a backup. Thanks for the response, guys! Always good to check out alternative options and at least keep abreast of what’s available in the future. They replied to my question back in March on the air, but I missed three episodes in an otherwise unbroken string of probably 30-40 of their episodes I’ve listened to without skipping (wouldn’t you know it was in one of those!), and when I grabbed the back-episode to check out I heard my name again (they’ve mentioned my comments twice in more recent shows since — and inspired the new last name pronunciation guide in my About David page)!

They are using St. Bernard for the block list, the company that makes the iPrism for corporate content filtering. I’ve had some contact with them recently (watched an online live demo and gotten some quotes — the demo was impressive but not worth the time given the price of the quote vs. our budget) and they seem to be a classy company, near the top of the choices for premiere content filtering.

OpenDNS also allows you to put your custom image on the block page (for their typo correction, not just the content filtering). Their service is already being put to use in several churches, but I can’t help thinking this will bump that trend right on up! Andrew Mitry at Anchorite switched from OpenDNS to ScrubIT in March (it sounds like he either used OpenDNS before or liked it, hard to tell from that post), while at the same time commenting that OpenDNS appeared to be more mature (an assessment I’d fully agree with). This is the first time OpenDNS has responded with a content filter on this level however. In my experience (and I’ve corresponded with several of the OpenDNS staff including owner David Ulevich), OpenDNS doesn’t do something unless it can be done right, and going with a large provider like St. Bernard for their list sounds just like something they’d do.

Now, to test extensively! Detailed reporting (especially at the user or internal IP level) is really the key component missing from this service, since you can add your own blocked domains as well. I also don’t see a way to override specific blocked pages if you run into a site categorized incorrectly (although OpenDNS is known for adding additional control features later on). And, while it will catch direct-access porn and other adult content, it can’t do much for direct-IP access sites, or a bigger threat, open proxies (possibly the most well-known being Google’s own English-to-English translator, among hundreds of others) since it’s not doing URL filtering or any content inspection, just DNS blocking. But it’s a good first line of defense, at an even better price. Our free wireless internet is getting switched over post haste!

Right now, content filtering on the public wireless is being provided by ScrubIT, a free DNS-based filtering service. Not bad but not as much control or information as I want; it’s a temporary solution (and I haven’t been given an account at ScrubIT yet, so I have no control at all). Matthew Irvine has a couple of excellent posts on his new blog, techlesia, talking about the open source SmoothWall Express firewall and DansGuardian content filter. I have a bit of Linux experience, dabbling at best, but not anything extensive enough for me to set up DansGuardian on a production machine, although I might play with it virtually (SmoothWall Express, if we needed a firewall, might be an option since it is plug-and-play, but we already have ISA 2004). The company SmoothWall has a commercial version of both products, with the content filter called Corporate Guardian, and from the preliminary pricing I’ve found it appears to be much, much less expensive than most of the commercial filtering boxes I’ve researched so far, which translates into “actually affordable.”

I think the Corporate Guardian looks the most promising, since they turn DansGuardian into a commercially-supported product, with the main benefit being that it’s plug-and-play, in addition to blacklist and updates subscriptions. Everyone wins. However, their evaluation terms concern me a bit. The terms state, in part, “You may not communicate the results of your evaluation with other companies, organizations or persons not employed by your company or organization, unless this has been agreed in writing beforehand with SmoothWall.” They also state that after the evaluation, you will “Not make public any notes, analyses, computations, studies or other documents prepared as part of this evaluation unless this has been agreed in writing beforehand with SmoothWall.”

Why does this concern me? Well, I want to share my findings with you on this blog, and these terms say I have to get their permission first. This seems to run counter to the company’s open source products philosophy, and makes me think they are scared of how their product compares to other similar products if someone were to write a review on their blog, for instance. Sure, I could ask for permission to write a review, but if it’s not positive, why would they let me post it? They can do what they want, but I’m not very happy with these particular terms and I’m seriously debating whether or not it’s worth giving up my ability to comment on my findings in order to evaluate the software beyond the claims they make on their website. Is anyone else using SmoothWall’s commercial products, and if so, are you limited in your ability to comment on your company’s use of the products similar to the terms of the evaluation terms, or does that clause go away after you’ve made the purchase?

Thanks Matthew for getting me started on this particular content filter! If I can get past the terms above I’m willing to give it a shot and maybe save some serious money in the process. Or I may find that the open source versions are functional enough and easy enough to set up for my needs; now I just have to find the time to test it.