If a laptop user establishes a VPN connection to your corporate VPN server, and doesn’t use split tunneling (in other words, from the time they’re connected, all traffic goes through the VPN as its default gateway no matter what), assuming that you’re using a VPN client that verifies the identity of the server (rather than blindly trusting DNS, which is easily spoofable on a wireless network), the user moves from the realm of insecurity into a much more secure environment, similar to being plugged into your wired network at the office. Of course, then your office WAN connection has to support everything they do, including web browsing!

However, using a free or paid “VPN” service from a company that just turns your wireless connection into a VPN-enabled “wired” connection is only going to help thwart unencrypted wifi sniffing and other such attacks. Unless you also use SSL and other encryption technologies, those services are just giving you a wired internet connection just like your home connection rather than the easier-to-sniff unencrypted wireless. It’s better than nothing, but it’s not like an encrypted pipe into your own network.

Don’t discount unencrypted wireless attacks. It’s never happened to me, but if you hop over and read some of Security Monkey’s case files at you’ll discover that there’s a lot of bad stuff going on in the world on computers :-) Those case files are slightly modified true stories from this guy’s career! His old 2005-2007 podcast episodes are worth listening to for some cool security tips and tools as well, to digress for a moment!

I don’t have a good answer; VPN connections to the office make internet run very slowly unless you have the WAN bandwidth to support fast throughput to and from all your remote users including web browsing! But that’s a much more secure way to operate. The number of ways wireless can be hijacked, sniffed, spoofed, and hacked, especially if it’s unencrypted to begin with, is downright scary! At the very least use SSL with verified certificates for anything you do of any importance (or if passwords are transmitted) on an encrypted wireless connection. As an IT guy, I can tell you (or myself) whether a particular session (POP3, IMAP, RPC over HTTP, HTTPS, etc.) is happening over an encrypted connection or not and can be careful. However, the average user is, obviously, not going to know or even care necessarily if Outlook is using POP3 unencrypted or via SSL, or using RPC over HTTPS securely. And if they log into Gmail, they’re not likely to know that although their password is always encrypted on login, their email is transmitted in the clear unless they initiate the session using SSL from the start (using https://mail.google.com/ rather than http://mail.google.com)./ Even if their email contains passwords and confirmations for other accounts!

Stuart mentioned WiTopia on his comment to Tony’s original post. I’d never heard of them before, but I’ve seen similar services to their personalVPN product. That service appears to be, like I mentioned above, just a way to get a “wired quality” connection to the internet over unsecured wireless. An admirable service and a worthy goal even with its limitations, but what caught my eye even more was their SecureMyWifi service. It’s still a wireless service but it has to do with your own on-campus wireless access. It lets you move away from using WPA with a Pre-Shared Key (PSK), also known as WPA-Personal, and use their RADIUS services to authenticate users individually to your encrypted wireless access points. It seems a bit pricey (to me–it’s currently a $99 setup fee, $99/year for one access point, and $14.95/year for each additional access point), but we have the same thing set up using Microsoft’s free (built-in on Windows Server 2003) IAS RADIUS server in-house. If you aren’t familiar with how to set it all up, the WiTopia service could be quite beneficial! They charge per access point, but at Lakeview we have a centrally-managed access points system with one controller that takes care of authentication. I assume that the WiTopia service is based on unique RADIUS keys for each access point client; since the central controller (currently running 12 access points) acts as a single client, it should look like “one” access point to the service. Whether or not this is allowed with their terms of service I have no idea; we are not likely going to use the service since I already do this in-house for free, but I would recommend reading the terms and/or contacting them if you plan on doing something similar to remain in the spirit of their offering.

This is just one more step in the growth of identify theft, which is becoming more and more of a problem (I won’t bore you with the details of other theft cases, if you’re in the IT field I you probably know about them already!). I hope they figure out a better way to protect this stuff before it gets as common as spam as gotten. But I know the technical sophistication required by every single business to make that a reality, and I don’t think the problem is going away any time soon.

On the personal front, I’m in Ohio this weekend for my brother-in-law’s wedding, and I only have one week of schoolwork left for this semester before being freed to spend some more time blogging; I’m looking forward to getting back into the swing of things! I have managed to stick around the #citrt Freenode IRC channel on a consistent basis, and I’ve stayed reasonably active on Twitter since MinistryTECH and the Roundtable, which I’m still catching up from at work (but getting close to the normal level of “behind” :-)

Before making a decision there are certainly things to evaluate, and I definitely want to get my hands on an NSA box for a while to test first. I like the ISA 2004 firewall interface that we’re currently running and I want to make sure I’m comfortable managing SonicWALL if we go that route.

So far this morning, I’ve tried hibernating three or four times, and as promised, TrueCrypt does not block me from hibernating any more. However, my experience resuming from hibernation has been, well…non-existent! After appearing to hibernate normally, when I try to resume I am prompted for my decryption boot password and then Windows boots normally. From scratch. No traces of hibernation present.

My only thought as to why this is happening is perhaps it’s because I decided to use Whole Drive encryption this time, as opposed to System Partition encryption. I didn’t realize when I started the encryption process that the version history was so specific, but it does say that one of the new features is, “Support for hibernation on computers where the system partition is encrypted (previous versions of TrueCrypt prevented the system from hibernating when the system partition was encrypted).” It specifically mentions encryption of the system partition!

I started the decryption process (estimated to complete in 6 hours, much slower than encryption) this morning and when complete, I will attempt re-encrypting just the system partition and see if that fixes the issue. I’ll update this post with information as I discover it!

UPDATE Saturday, March 15th, early morning: Yesterday, I re-encrypted just the system partition with TrueCrypt, but the same problem still occurs. I did discover (thanks to referrer logs) that someone had a similar problem and posted a thread to the official TrueCrypt Forums, linking to this post. Apparently, while the problem does not appear to be widespread, it does seem to still happen for others. I did not get a chance to try any of the suggested workarounds, but I did post an update to that thread with a few more details of my experience in case it helps resolve the issue. About a day after I posted my details, the developers posted a fix in the form of 5.1a Beta, which they requested be tested to see if the problem is fixed. I have installed the beta, but it requires a reboot before taking effect. Update coming later.

UPDATE later Saturday: The beta of 5.1a fixed the problem, and hibernation works now. Happy ending! Apparently there is still a problem with a couple of versions of Vista that are fixed but won’t be released in a beta, per Vertex on the forums:

This is a known issue in Beta 1 that affects users running Windows
Vista Ultimate and Enterprise. According to the developers, it was
discovered and fixed shortly after Beta 1 was released. Beta 2 is
currently unlikely to be released so if you use one of those systems,
you will need to wait for TrueCrypt 5.1a final/stable.

The main reason was the lack of hibernation support. I tried using standby, which seemed to work sometimes. I would verify that standby mode had been entered, and put the latpop in my bag. Less than 12 hours later, more often than not, the battery was dead and the laptop was off. Even within shorter time periods, I would sometimes take the laptop out of my bag and it would be running! This is dangerous, as carrying around a laptop when it’s off can be done much less gently than should be done when it’s on. And running in my bag prevents good heat dissipation, so it would be practically burning hot in this case (pun intended :-)

So, now hibernation works again. Which has worked well for me 99% of the time since I purchased the laptop. And it’s not encrypted, but it wasn’t in the past either. If they can make whole-disk encryption work with hibernation, and I’m not enthusiastic about the chances of this given the security implications that I think I understand but probably need to read more carefully, I’ll give it another try.

Note: I’m running Windows XP Pro on my laptop. At some point I may try Vista Ultimate, and may perhaps test Vista’s Bitlocker. I’ve heard it’s more complicated. I don’t know if it allows for hibernation or not. There’s an excellent overview of the two together at 4sysops, a blog I highly recommend overall.

UPDATE on March 15th: The problem with hibernation support has been fixed in TrueCrypt’s beta and soon the final release of version 5.1a. I am back to running an encrypted system for now!

In the Windows and Linux versions a special bootloader is available that lets you encrypt your entire system drive. It doesn’t look like that option is available in the OS X version.

What? Whole-drive encryption of the system drive is now available in Windows and/or Linux? (Clarification: Only Windows is supported right now.) This I’ve gotta see. I’ve looked at some laptop disk encryption tools in the past, and they’re nice but generally not cheap (whether software or specialized hardware). But open source is better than cheap, and TrueCrypt is already considered to be high quality. It’s written well (important where security software is concerned) and is in active development. The new version also promises significant speed increases.

I’ve installed the new version on my laptop. Do I dare try out the encryption feature? I do have most (not all) of my data backed up, the important stuff at least. Maybe I’ll investigate this through the weekend, make a decision, and possibly try it out. Possibly. Fire is fun to play with and very powerful, but you have to know what you’re doing!

UPDATED after a night’s sleep: Yes, I dared. Before going to bed I started the process to encrypt the entire system partition on my laptop. I don’t know precisely how long it took; it was projecting 2-3 hours left when I went to bed (shortly after starting it) and was done when I got up. The process is slick, I’ll give them credit for that. They require that you burn a recovery disc (and verify it) before you can continue, just in case, and they also verify that the bootloader works before allowing the encryption process to begin. I haven’t used the system enough to know whether there is a significant speed penalty when the partition is encrypted. It seems a touch sluggish but still responsive, but within the normal operating parameters depending on the day! The biggest downside: hibernation is no longer supported. Standby is an option, but the system will not hibernate (if you try, TrueCrypt stops you and provides a helpful message about why it won’t work). I generally hibernate all the time when not using my laptop. I’ll try using Standby for a while and see how happy I am with it. Not sure if it’s a deal-breaker yet.

As a precaution, the boot loader offers the option to, with the correct password, decrypt the entire disk without needing to boot into Windows, if Windows gets corrupted. There are several other handy “rescue” methods in the boot loader (on the hard drive and on the bootable rescue disc). I am extremely impressed with the quality of the thought and effort put into this whole-disk encryption feature, and although I haven’t tried the Vista Bitlocker method, TrueCrypt certainly sounds a bit easier (but it doesn’t integrate with the TPM chip, if one exists). There are options in the setup to set up encryption to work with multi-boot systems, but it warns that this requires advanced knowledge to set up. And, of course, you need a dual-boot system, which I don’t have at the moment.

UPDATE: The new version 5.1 has hibernation support, and version 5.1a Beta actually makes it work on my laptop. I’m back encrypted!

Something interesting to note is that while inbound traffic from the internet appeared to be blocked before the restart, I was able to use Remote Desktop from another server on the internal network to remotely instruct ISA to reboot. So it had not locked down all network access, just external. Good to know if you administer the box primarily via remote control! In fact, due to a lack of KVM switch ports, I have to manually plug the keyboard/monitor/mouse back in to ISA physically if I want to work on the console.

Although everything appeared to be functioning normally, today I got a report from a user who was getting a network error when attempting to connect to the iTunes Store from within iTunes. I tried it on my desktop, and got the same error. Fortunately, I remembered that back when I installed a prior ISA service pack (I don’t recall if it was 1 or 2), I had a similar problem and was able to track down the issue to the Compression Filter in ISA. If you go in the ISA Management Console to Configuration->Add-ins and check the Web Filters tab, by default there is a “Compression Filter” enabled (the description: “Enables HTTP/HTTPS compression”). Disabling this filter allowed iTunes Store to work just fine!

However, the reverse is true in ISA 2004 Service Pack 3. If you have disabled the Compression Filter, you must re-enable it for the iTunes Store to work in Service Pack 3! This is very useful information, so I thought I’d share! If you don’t know why iTunes Store doesn’t work, it can take a bit of Googling to determine the problem, at least it did for me originally. Perhaps the issue is more widely known by now.

So far it’s holding up to the abuse and none of the systems have been hacked that I know of! At our recent Volunteer Dinner, the workstations served double-duty as aquariums. Well, I put an ocean-with-fish screensaver on each system to help complement the overall ocean party theme. It worked pretty well! I didn’t take any photos, but the screensavers are still installed. So you can expect pictures of a re-creation in the next ten years, unless the computers are replaced before that. Ha ha.

I ran into a small issue with the SteadyState/Firefox setup that was a relatively easy fix: Firefox tried to update itself and the theme when new versions came out. Why it does this as a limited user when it can’t run the upgrade (for the program itself; the theme should work if it weren’t locked down) is beyond me, maybe I’ll file a bug report or something. Anyway, to get rid of the upgrade reminder, I logged in as Administrator and installed the Firefox program upgrade. Then I unlocked the profile and disabled Disk Protection, logged in as the locked down user, not not locked down, and upgraded the theme. Then I changed the Options (Tools->Options->Advanced->Update) and unchecked all of the automatic update options. Now updates won’t automatically (try to) apply, and I don’t even have to worry about security holes much because of the Disk Protection feature. I also took the opportunity to install the Auto Reset Browser extension and disable the old auto-restart mechanism (see below for the reasons).

Accessing Firefox Settings

To get to the Firefox settings, because of the R-Kiosk extension disabling menu access, I had to use the Firefox (safe mode) option from the Start menu, tell the statup box to disable add-ons and restart, and then it came up with no theme and no extensions active. I made my settings changes, installed the Auto Reset Browser extension, re-enabled the theme and the R-Kiosk extension, and restarted. Back to normal, with all changes made!

Firefox Auto-Restart Method

Paul Marc left a comment on my original post asking about how I made Firefox auto-restart if closed and on idle. I was using a batch file called start.bat that I found online, but I can’t seem to locate it again with Google (I recall it took some searching to find originally as well). I’ll have to grab the bookmark off of one of the computers I set it up on when I am able.

It seemed like it was a great solution when I set it up. However, I had several issues crop up in actual use. Sometimes it would get “stuck” in a loop of starting unending new Firefox windows as fast as the computer would open them. The only solution was to log off or restart (or kill the script, but the Task Manager won’t open under lockdown!). This only happens sometimes, and I’m not exactly sure why, but it makes the system unusable when it does happen.

I have made the above changes on three of the four computers (the last one isn’t switched yet because I ran out of time), setting them to not use the start.bat file, and instead installing the Auto Reset Browser extension in Firefox. It restarts the browser after every five minutes idle. The downside is, if a user closes the browser manually, it doesn’t reopen automatically. There is one icon on the desktop though, to open Firefox, so I don’t think this will be an issue, although it’s not as nice as the original solution when it worked correctly. And either way, closing manually or on idle, Firefox still runs the Clear Private Data option I had set up (per my original post) to get rid of the prior user’s cookies or other saved information.

Network Connection Details

In my original post, I neglected to include details of the network connections for the locked down systems. It’s pretty simple: stick the computers on the same VLAN (wired) as the free Wi-Fi internet access. I added each system’s MAC address into the Nomadix gateway so it doesn’t ask for a username or password, and I can control bandwidth on a per-computer basis (they don’t have much). The free Wi-Fi is firewalled so only OpenDNS can be contacted over the DNS ports, so they are subject to the OpenDNS adult site blocking we have in place, just like everyone else.

PassPack gives you a free account (did I mention it was free?). You create a user ID, a passphrase, and a Packing Key, all distinct. PassPack creates an encrypted container using your Packing Key, which is encrypted on your web browser using JavaScript and standards-based encryption. Only this encrypted “bundle,” without your Packing Key, is then stored on the PassPack servers. Want a password? Log in, enter your Packing Key if it’s timed out (5 minutes by default, up to 15 minutes), find the relevant account alphabetically, by tag, or search (all very Web 2.0 and AJAXy-smooth), and click it to…reveal your login name and a scrambled-looking (unreadable) password field. Click in this field and use the Ctrl+C keyboard shortcut to copy the password, and paste in to the site in question (URL also saved as an option to make it easy). This means the password never appears on the screen, it’s just stored directly in your clipboard, and you don’t have to retype it.

So you can copy and paste the password, so what? Well, they also have an auto-login bookmarklet you can save in your browser. Save the URL of the login page along with the password at PassPack, and then just click the Open and Login link within PassPack to open the website in a new window. Then, click the “PasssPack It!” bookmarklet you previously set up. If the site has been “trained” before (even by another user), it fills in the username and password fields and clicks Login to get you into the site! If it’s not been trained for this site, you are walked through a very simple process of clicking the bookmarklet, clicking the username field, then the password field, then the Login button to train the system. So far out of about twenty sites, only two have had issues and not been trained successfully (a Plesk 7.5 dedicated server control panel and the ZoHo group of sites, including the Church IT Podcast Wiki, were the malfunctioning sites, which have been reported to PassPack); these can still have their login information memorized like any other account, on- or off-line, they just won’t auto-login with the bookmarklet.

The folks at PassPack have implemented a few other nice features besides the slick and speedy interface and somewhat novel readable-only-by-you encryption scheme:

• They have a nice anti-phishing setup in place to prevent your PassPack credentials from being phished easily.
• If you keep the site open, it functions offline and can be saved to their server the next time you connect (it also auto-saves if you don’t disable this option).
• One-time keys are available for you to print out and carry with you. If using a public internet terminal, log in to PassPack with one of these one-time-use keys, and copy-and-paste the scrambled password you need. Then you never have to type a usable password into the insecure computer (for PassPack or the target site).
• Export and Import of your data, in unencrypted format, if you wish to switch between other password-saving applications that also give you access to your data in text format.
• Backup and Restore of your encrypted data, so you have a copy on your computer in addition to on their server (you choose whether the backup will use your regular Packing Key or a unique one).
• They will generate a unique password for you to use when registering a new account somewhere, which they will of course remember for you.

You may be wondering where this Packing Key thingy comes from. (I can hear you now, “David, this thing is awesome, sign me up, but what the heck is a Packing Key anyway?!”) PassPack has some of the best help I’ve ever read, which is even available contextually when you click Help within the site. They handily have an answer about Packing Keys and why they’re so handy. They do a much better job of explaining that and just about everything else about the service than I could, given that they wrote it and I’ve just used it for a day. But I’ve found it to be exciting, apparently secure, well-designed, and actually fun.

It should go without saying that besides the great interface, being able to access your passwords from any web browser very easily, along with the off-site storage, is probably the single biggest benefit to using PassPack over a Windows utility. Even the auto-login bookmarklet it cross-platform, cross-browser code and is a simple JavaScript bookmark — no need to install a Firefox Extension, IE Add-In, or any other code running on your machine outside of JavaScript.

I do see one potential downside: their Terms of Service contain several limitations (yes I read it! Well, the parts they highlighted at least…):

1. You are not allowed to store information about financial accounts (banks, etc.), although this may be legal CYA considering I don’t know how they could possibly enforce this given they don’t have access to your data.
2. If you don’t login at least once every six months, your account is “inactive” and they delete everything.
3. You only get 32k of storage per account (they estimate 75-100 entries worth of entries), with no upgrades available yet. Accounts active before August 1st (missed it by less than two weeks, darn!) got 128k of storage (150-200 estimated entries).

I’m sure PassPack intends on offering upgraded service with more storage at some point, but those three conditions may limit my use of their service, and possibly yours. I know I have 23 entries already saved, and I’ve barely scratched the surface with the quantity of online accounts I maintain. It’s at least worth a shot in my opinion. If you like the concept and want an alternative, Clipperz is worth a look, it’s also free and PassPack even has a comparison of their two services. It doesn’t do the anti-phishing stuff like PassPack but it does have many other similar features, which I have not tested extensively. They also do not prohibit the storage of financial details and actually provide a template to hold credit card and bank account information. They also keep the data from leaving your browser unless it’s encrypted so they have no access when it’s on their servers.

To the (sparse) details already: PaulDotCom has an article discussing a program that runs on a VMware virtual machine, and in about a minute crashes the machine and then runs a program on the host machine. Whether this was an ESX Server or a VMware Server install is not clear, and neither are most of the other details. It does seem that running VMware Tools on the virtual server might be the attack vector and you would be safe if not running them, but again, the details are sketchy. Cutaway also has some commentary on the new security hole. Originally via Martin McKeay’s blog.

Overview

Our new youth facility now has a four-computer internet café. I’ve already written twice about my plans and research leading up to implementation, specifically about computer lockdown software. A couple of weeks ago, I mentioned briefly that we had changed course and decided to use Microsoft Windows SteadyState as our lockdown software of choice, mainly due to the price (free!).

We (Dutch volunteer Jeroen and I) were physically installing the computers/monitors/etc. in the youth lobby area when I thought, “hey, Microsoft just released some updated lockdown software, let’s try it out.” We hadn’t yet purchased the Fortres Grand software, although I had it approved. So I downloaded SteadyState, installed it, and messed around for a few minutes. It was so easy, even my mom could do it! Well, okay, I’ve been teaching her computers for a while and I might still have to walk her through this one over the phone, but I have no doubt she’d make it work :-) The installation went smoothly, the lockdown options (we wanted pretty much the tightest lockdown possible) were easy to select, and the hard disk protection (which discards changes on reboot) was easy to enable and control from within the main SteadyState console. I haven’t had experience with Microsoft’s old Shared Computer Toolkit, but from what I understand it was more difficult to combine all the options together into one functional system, and they appear to have fixed all of this in SteadyState.

Lockdown Features

In the SteadyState console, there are three items under Global Computer Settings: Set Computer Restrictions, Schedule Software Updates, and Protect the Hard Disk. The Set Computer Restrictions option lets you change things such as whether to display the last username in the logon screen, prevent users from writing to USB drives, turn the Welcome Screen on and off, and other miscellaneous things that affect the whole computer, not just particular user(s). I turned most of these on. I’m not writing this with access to the computers I set up, so I’m going from memory on this (and everything else) but if you have any questions about specifics please leave a comment!

You can create or import users/profiles that SteadyState can then manage with a selection of lockdown options going from low to high security, but at each level it just selects a more restricted subset of the detailed options and lets you customize away. This is similar to the functionality of the Fortres 101 software. All we tested was the highest security possible, locking down almost everything and only allowing the Mozilla Firefox executable to run. However, we did have to allow command prompt access to get the Firefox auto-restart trick below to work, although with the GUI and keyboard shortcuts this locked down, no one should be able to access the command line except through the batch file the Firefox shortcut links to for this trick to work.

Testing the lockdown settings to find the right mix can be a bit tricky because you must save the settings, log out, log in as the limited user, test, log out, and log back on to the administrative account again. It’s tedious, but once you have what you want, you can duplicate the settings more easily on other systems. The Export/Import Profile function works, but it imports a default user profile with the lockdown settings. Be careful with this, because it means you must wait until after you import a user into SteadyState from an exported profile before logging in and doing any customization to their desktop (display options, Start Menu positioning, etc.) as any customization you’ve done will be deleted if you import a user over top of your existing user! Found this out the hard way — once :-)

Firefox Does Its Own Privacy Work

Firefox has some great options for “Clearing Private Data” such as cache, cookies, history, saved passwords, authenticated sessions, etc., which for most Firefox users is either a manual option or something it prompts you to do when you close Firefox. Because of the multi-user environment, we instead set the options, available through the Firefox Tools->Options panel, to automatically clear private data when the browser was closed, with no prompting. That way someone logged into Gmail, Hotmail, Facebook, or lets face it, MySpace (one site I still refuse to sign up for :-) will be logged out when Firefox closes, safe for the next person to use. Let’s face it, these are teenagers we’re talking about here — do you think they’re going to remember to log off? Not likely in the vast majority of cases.

I found a batch file with some Google searching (I’ll have to re-locate it and post an update if anyone is interested) that, when run via a command line or a shortcut and passed the path to a .exe file, runs the file but monitors it and if the process ends, it restarts it automatically. So Firefox is in the Startup folder in the Start Menu, but run with this batch script. When someone closes Firefox, it clears their data, is automatically restarted, and goes back to the youth homepage automatically, ready for the next user!

But what if people don’t close the browser? We set up a Scheduled Task to kill the firefox.exe process after 5 minutes of the computer being idle. Same effect as the user closing the browser, and it automatically reopens still. This is a touch buggy, as occasionally Firefox will instead of reopening once, reopen window after window after window after window…and of course the computer is so locked down you can’t kill the process manually. It requires a logout or restart to fix. This is still on my “to track down” list, but it’s the last little piece of the puzzle, and generally it works fine. I’m sure it’s an issue with either the batch file, the scheduled task, or both interacting somehow.

Thematic Full Screen

The theme we chose for Firefox is called NASA Night Launch. It’s a beautiful theme, which shows an awesome shuttle launch shot as the blank background before a tab finishes rendering, and has equally nice toolbar backgrounds and a custom throbber (the top-right icon that moves while a page is loading, if you didn’t know). The grays and blacks in this theme look wonderful with our current homepage, www.infusionstudents.com, as well as the black LCD monitors mounted to the wall (pictures to follow later). A new version of this theme was released on July 22nd, after we set up the computers, so I will consider upgrading the theme at some point soon.

To make the slickest looking interface possible, we applied the R-Kiosk extension to Firefox to force it into fullscreen mode when it starts, getting rid of the title bar and any non-themed borders. We did apply the change to user.js that provides the navigation menu so the address bar and back/forward function. It looks really good with this extension combined with the theme!

While looking to see what the theme and extension we used are called, I just ran into an extension called Auto Reset Browser that for some reason I’ve never seen before. It looks like it might be a more elegant solution to my earlier problem, but I don’t know if it will help keep Firefox open if someone manually closes it. I will have to investigate further as time allows.

Disk Protection

SteadyState’s disk protection option, which you must enable separately from the policy lockdown settings, basically makes the hard drive immutable for most purposes. Do anything, reboot, and you’re back where you started last time. Fortres Grand’s Clean Slate product has similar functionality. Microsoft has made what I hear are improvements (compared to the Shared Computer Toolkit) in this functionality in that you enable and disable this option from the SteadyState control console just like all the policy options. Give it some time to make a cache file for the temporary disk changes, reboot, and the disk is protected.

The nicest thing is, if you’re an Adminstrator running SteadyState, and you log in, install a new program, and reboot — oops, if the disk protection was on you’d lose all your changes! You can unlock the disk for a time in the console, however. But the best option Microsoft added was a modification to the Log Off screen, prompting you that disk protection is on and giving you the option to discard all changes — or, keep the changes, restarting to merge the cache onto the hard drive automatically. That’s a no-brainer option that will continue to save my behind as I update these systems in the future I’m sure, long past initial setup! I’ve already used it for a few tweaks here and there.

No Manual Needed

SteadyState scores high marks for ease of use; I’ve still not read the manual and only referenced the help file (which opens automatically with the console) a few times. (Well, I did use the manual to refresh my memory while writing this post, but only because I don’t have access to the real systems at the moment. And this is the first time I’ve even opened it.)

Physical Installation

I don’t currently have any pictures of the computers handy, so I will leave photos and a description of the mounting process (which comprised more than 50% of the entire operation) to a future post.

Yet Another Alternate Option

In very related news, I did received a reply, although a bit late for me and not really a fit anyway at this point (due to the cost), from when I emailed and asked the guys at the Casting From The Server Room podcast for a reminder of what software they had run across as a Deep Freeze competitor. They mentioned it (CompuGuard CornerStone) in an old episode which I couldn’t remember, and their “show notes wiki” had been lost without a backup. Thanks for the response, guys! Always good to check out alternative options and at least keep abreast of what’s available in the future. They replied to my question back in March on the air, but I missed three episodes in an otherwise unbroken string of probably 30-40 of their episodes I’ve listened to without skipping (wouldn’t you know it was in one of those!), and when I grabbed the back-episode to check out I heard my name again (they’ve mentioned my comments twice in more recent shows since — and inspired the new last name pronunciation guide in my About David page)!

Basically, because we have ISA, I can limit what particular user groups are able to do over their VPN connection, just like any other firewall rules. Very few people get file server access at all (actually, me and one guy who connects from his church laptop) over VPN. The rest are limited to Exchange server connectivity or Remote Desktop primarily, although now that we have RPC over HTTPS in place, it’s much simpler than VPN for the user and so that’s used almost exclusively for remote Outlook access now, and is as much as most people need (if they have a laptop they have an offline copy of most of their files anyway).

For those that still require remote access to their desktop at work (especially if they don’t have a church-owned laptop), I’ve been moving from VPN with Remote Desktop access (complicated to train someone to use since the connection is separate from the RDP client) to LogMeIn.com for remote access. There’s a free version and a Pro version, with remote printing and file transfer being the main additional features of Pro. The main benefit? It’s easy and just requires a web browser, it’s fast, and not very expensive (with the special we got anyway, or the free version is of course free!). I have run into an issue with a new remote user that hasn’t gotten LogMeIn to work on their own but I haven’t had a chance to troubleshoot this yet (I’m sure it relates to the steps to get the ActiveX or Firefox plugin installed for LogMeIn initially).

We have a Terminal Services server with a handful of user licenses that we use for some volunteers that need remote access from their home computer but don’t have a dedicated desktop at work. I haven’t attempted LogMeIn through Terminal Services, but I assume it wouldn’t work properly with the multiple sessions that make Terminal Services useful, and would only allow access to the console session. For this, we still use VPN, with a CD created from the CMAK along with an auto-running tutorial created with Wink that walks users through installing the VPN connectoid (which has all of the settings preset) and starting a VPN connection. Using custom commands in the CMAK connectoid, I’ve included a Remote Desktop settings file that automatically runs upon connection, automatically opening and connecting to the Terminal Server inside the VPN once it’s connected. When Remote Desktop is closed, the connectoid logs off the VPN. The integration of VPN and Remote Desktop isn’t perfect, but it’s a lot easier this way (most of the time) than trying to get people to understand connecting to the VPN first, then connecting with Remote Desktop manually, and disconnecting in reverse. The more automated the better! These VPN connections are of course limited through ISA to be allowed to connect only to the Terminal Server, and only through the RDP protocol.

One thing’s for sure: when allowing an unmanaged computer on the network, especially as unsupervised as a remote connection is, it pays from a security standpoint to keep the leash as tight as possible! And it’s the unintentional risks (spyware, viruses, etc.) more often than malicious users that cause a problem. The best part is, protecting from one helps to protect from the other (in general).

I’m using the built-into-Windows-Server IAS, which is the Microsoft implementation of a RADIUS server. Basically, I set up a profile in the IAS configuration to allow specific Windows Active Directory groups to be allowed “dial-up” access through a Wireless port type. Then I created a new client in IAS with its IP address and a secret key that I also enter in the wireless access point (AP) where it asks for a RADIUS server (while setting up WPA/WPA2 authentication, not the Pre-Shared Key (PSK) kind). If I did everything right (insert hours of testing and learning here), I can connect to the wireless SSID I configured by specifying a username and password (or to use the Windows logon credentials) in the settings, rather than needing a pre-shared key that’s the same for everyone.

If I go a step further and put a certificate on the server that the clients trust, I can also authenticate with the certificates rather than the username/password credentials, which is actually more secure due to the certificate being longer, more random, and harder to obtain than a username and password (this is why I limit access for now to users in the Active Directory group I specify, creating fewer users with wireless login privileges). I haven’t completed the certificate step of the process, and I’m still running a WPA-PSK SSID as an alternate connection method until I’m sure I have everyone switched over to the RADIUS-based SSID. But once I deactivate the WPA-PSK network, security should go up because now you can’t just share the PSK key, which has a way of getting out no matter how hard you try and protect it (having free wi-fi now helps this as well, since if someone just wants internet access, they don’t need the internal network key!). And your keys get changed every time your passwords change, rather than coordinating updating the PSK and then making sure everyone needing wireless access has the new key (if they don’t, expect cell phone calls asking for it pretty quickly).

That’s the high level why and how. I sleep now :-)

Right now, content filtering on the public wireless is being provided by ScrubIT, a free DNS-based filtering service. Not bad but not as much control or information as I want; it’s a temporary solution (and I haven’t been given an account at ScrubIT yet, so I have no control at all). Matthew Irvine has a couple of excellent posts on his new blog, techlesia, talking about the open source SmoothWall Express firewall and DansGuardian content filter. I have a bit of Linux experience, dabbling at best, but not anything extensive enough for me to set up DansGuardian on a production machine, although I might play with it virtually (SmoothWall Express, if we needed a firewall, might be an option since it is plug-and-play, but we already have ISA 2004). The company SmoothWall has a commercial version of both products, with the content filter called Corporate Guardian, and from the preliminary pricing I’ve found it appears to be much, much less expensive than most of the commercial filtering boxes I’ve researched so far, which translates into “actually affordable.”

I think the Corporate Guardian looks the most promising, since they turn DansGuardian into a commercially-supported product, with the main benefit being that it’s plug-and-play, in addition to blacklist and updates subscriptions. Everyone wins. However, their evaluation terms concern me a bit. The terms state, in part, “You may not communicate the results of your evaluation with other companies, organizations or persons not employed by your company or organization, unless this has been agreed in writing beforehand with SmoothWall.” They also state that after the evaluation, you will “Not make public any notes, analyses, computations, studies or other documents prepared as part of this evaluation unless this has been agreed in writing beforehand with SmoothWall.”

Why does this concern me? Well, I want to share my findings with you on this blog, and these terms say I have to get their permission first. This seems to run counter to the company’s open source products philosophy, and makes me think they are scared of how their product compares to other similar products if someone were to write a review on their blog, for instance. Sure, I could ask for permission to write a review, but if it’s not positive, why would they let me post it? They can do what they want, but I’m not very happy with these particular terms and I’m seriously debating whether or not it’s worth giving up my ability to comment on my findings in order to evaluate the software beyond the claims they make on their website. Is anyone else using SmoothWall’s commercial products, and if so, are you limited in your ability to comment on your company’s use of the products similar to the terms of the evaluation terms, or does that clause go away after you’ve made the purchase?

Thanks Matthew for getting me started on this particular content filter! If I can get past the terms above I’m willing to give it a shot and maybe save some serious money in the process. Or I may find that the open source versions are functional enough and easy enough to set up for my needs; now I just have to find the time to test it.

But, with 802.1x, there’s the possibility of making the ports automatically members of the public VLAN for free access. But when a computer connects that can authenticate via 802.1x, it can bump them onto the employee VLAN. Sweet. But I need to do some manual-reading and testing on our ProCurve switches. Is it worth the effort? Is the Windows XP SP2 802.1x supplicant good enough, or would we need to pay for a third party supplicant? I’ve noticed that for wireless, the Windows 802.1x supplicant seems to be much better that it was originally, and most laptops are coming with even better software built-in from the manufacturer. A year or two ago, I wouldn’t implement an 802.1x-based network with the Windows XP client if you paid me. Well, depends on how much, but it would hurt anyway…

We’re even protected from external SMTP exploits against our Exchange server, because we use DefenderSoft Email Threat Center (an MXLogic reseller) to accept our incoming (and outgoing, for that matter) email. Our Exchange server’s SMTP service can only accept connections from their email servers, and nowhere else, so it’s not truly open to exploit, since external servers can only get to us through them. This cuts down on spam as well (which could otherwise come through to our server, bypassing the spam filtering), which is a good side benefit.

If you don’t already keep your firewall locked down as tight as possible, keep your eye on the SANS ISC for a while. It’ll scare some sense into you :-)

• Clean Slate
  This appears to be comparable to Deep Freeze in its function, but from what I’ve read it gives you more flexibility about not having to lose all changes on reboot if you’re an administrator, rather than having to reboot to “unlock” the computer and then make changes that you want to keep. Fortres Grand also claims that Clean Slate will allow Windows Updates and anti-virus signatures to be updated while in a “locked-down” state, persisting across reboots.
• Fortres 101
  Rather than allowing all changes and discarding most of them during a reboot, Fortres 101 instead locks down the computer from having certain items changed in the first place. This would appear to be a complement to Clean Slate above if run together, but I don’t see an indication of whether this is a supported configuration on their site. I can see the benefits to this where a user might change the wallpaper to something inappropriate; with Deep Freeze or Clean Slate it would be there until a restart, but with Fortres 101 it could be prevented in the first place.
• Time Limit Manager (TLM)
  Fortres is promoting this heavily to libraries on their product pages, but I can see how it might be useful to us as well. It would keep students from using the computers for an extended period of time, displaying a countdown and enforcing log off at a certain time. That may not be enough reason to purchase it in and of itself, but I do like the ability to remotely view screen captures of what users are currently doing, see which computers are actively in use, and even send messages to users if needed to warn them about certain content or behavior. I also like the usage history logs and the auto-shutoff at the end of the day. It also integrates with Clean Slate to clear all traces of the prior user when a user logs off! My concerns are that we’d need to buy a printer for the “reservation tickets” and also that the solution might be overkill for our current setup, although the clear-prior-user functionality integrated with Clean Slate may make it a worthwhile solution.

This is just my first impression of this company’s programs. They offer demo versions of all three, and when time allows I will likely grab them and try them out now that the computers for this purpose have arrived. I still need to unbox and set them up, which will likely happen next week at some point. Fortres also offers a Central Control product to control their Fortres 101 and Clean Slate software remotely, which looks promising but is also probably overkill for our environment. Unlike Deep Freeze, which must be the Enterprise version to support central management, this solution appears to be an add-on purchase that we could buy down the road when we expand.

Do any readers have any past experience with Fortres Grand software to share?

Any options anyone has successfully used to implement this functionality?  Anything I should be aware of or stay away from?  I’ve considered using thin clients and a terminal server, but I don’t have the time to research cost comparisons (computer and support cost vs. server cost…I may be getting some thin clients for free soon and if so, I have plenty of other uses for them anyway) and such (will audio work, will all possible future applications run in Terminal Services, and so on).  I’m probably going to grab some off-lease IBM NetVista machines for about $275 and add some RAM.

I’ve considered a Wiki, which is still an option, but other than the lack of being web-based and multi-user accessible, I like OneNote’s UI better and it seems similar. Did I mention easy-to-use and flexible is my number one requirement?

I’m still without a good, long-term solution.