
Wednesday, April 27, 2011

The Standard Model for Small Library IT Management

I help maintain the IT infrastructure at the Missoula Public Library, but I have also been able to work with a number of small libraries across western Montana for more than 15 years now. These small libraries often have 10 to 25 PCs they have to keep running.

The Standard Model is simply my best guess at any given time for how these small library IT environments should be deployed and managed. With this post I am going to describe the Standard Model, hoping this will give small library directors, and their IT help, direction for how to deploy an environment that works.

This is not to say it's the only way to do it. There are many ways. I will simply be describing the model that is working for me. Note that this model is always in flux, particularly so now because of the BTOP deployments and because several of my clients have purchased new servers this past year. But equipment, software, and user needs are always changing, so the infrastructure needs to continually adapt.

These comments are written for someone pretty skilled with PCs and small networks. I encourage any librarian who reads this to pass it on to their tech support and to share this with any interested person. Folks with questions should please post them here as comments so that we can all share in the responses. I would also appreciate anyone with alternative techniques to post those as well.

I'll break the environment up into areas of management, because each of these areas is managed differently. The three areas are the staff PCs, the public PCs, and the hotspot. All these comments assume a Microsoft Domain environment. I am currently using Server 2008 or Server 2008R2.

The staff PCs are managed just like any other business user PC. It has to print, run apps, stay uninfected, store documents, etc. There is nothing particularly unusual in supporting staff PCs so I won't take space for that.

The hotspot is not particularly unusual either except that access is available to all. The important features about the hotspot are that, first, no traffic from it should be allowed to any wired PC, and second, bandwidth must be limited so that there is always sufficient bandwidth available for the staff PCs.

Hotspot Tips:
  • Librarians want stats. It is how they justify expenditures. A good stat to get from the hotspot is the number of logons to that hotspot. Do this by logging logons at the Access Point and archiving that data on a syslog server. Make this data available to the librarian so she/he can tally up stats daily, weekly, or monthly. I use Mikrotik hardware for APs, firewalls, and routers and will describe how I collect stats from it in a separate post describing the features of the Mikrotik platform.
  • Some of my sites do not leave the hotspot on around the clock. The Mikrotik platform has a scheduler that can turn the hotspot on and off as desired.
  • Security dictates that hotspot users cannot have access to any of the staff or public PCs, so filter packets from hotspot users so that they have access only to the gateway and not to any resources in the building. One possible exception to this is to allow access to a printer on the wired network. I'm not doing this anywhere because the problems with excessive after-hours printing and with troubleshooting users' printing problems make it appear not worth the effort.
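The logon stat from the first tip, worked as an added example (this is not code from the original post): it tallies successful hotspot logons per day from an archived syslog file. The line layout in the sample is an assumption about what a Mikrotik AP sends to syslog for hotspot events, and the sample lines themselves are constructed; adjust `$pattern` to whatever your own AP writes.

```powershell
# Added example (not from the original post): count hotspot logons per day
# from an archived syslog file. The line layout below is an assumption about
# what a Mikrotik AP sends to syslog for hotspot events; adjust $pattern to
# match the lines your own AP produces.

# Constructed sample lines standing in for one archived syslog file.
$sampleLog = @'
Apr 25 09:02:11 hotspot-ap hotspot,info,debug patron1 (10.5.50.12): logged in
Apr 25 09:40:57 hotspot-ap hotspot,info,debug patron2 (10.5.50.17): logged in
Apr 25 11:15:03 hotspot-ap hotspot,info,debug patron1 (10.5.50.12): logged out
Apr 25 16:05:30 hotspot-ap hotspot,info,debug patron1 (10.5.50.12): logged in
Apr 26 13:20:44 hotspot-ap hotspot,info,debug patron3 (10.5.50.21): logged in
Apr 26 13:22:01 hotspot-ap hotspot,info,debug patron3 (10.5.50.21): login failed
'@ -split "`r?`n"

# One object per successful logon; logouts and failed logins are skipped.
function Get-HotspotLogons {
    param([string[]]$Lines)
    $pattern = '^(?<mon>[A-Z][a-z]{2})\s+(?<day>\d{1,2})\s+\d\d:\d\d:\d\d\s+\S+\s+hotspot,\S+\s+(?<user>\S+)\s+\((?<ip>[\d.]+)\):\s+logged in$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Date = '{0} {1,2}' -f $Matches['mon'], $Matches['day']
                User = $Matches['user']
                IP   = $Matches['ip']
            }
        }
    }
}

# Daily totals plus distinct users, the figures a director wants to tally.
function Get-HotspotStats {
    param([string[]]$Lines)
    Get-HotspotLogons -Lines $Lines |
        Group-Object -Property Date |
        ForEach-Object {
            # @() guards against a single user collapsing to a scalar in PowerShell 2.0
            $users = @($_.Group | Select-Object -ExpandProperty User -Unique)
            New-Object PSObject -Property @{
                Date        = $_.Name
                Logons      = $_.Count
                UniqueUsers = $users.Count
            }
        } |
        Select-Object Date, Logons, UniqueUsers
}

# For real data replace $sampleLog with the archived file, for example
# Get-Content '\\server\syslog\hotspot.log'   (the path is an assumption)
Get-HotspotStats -Lines $sampleLog | Format-Table -AutoSize
```

Counting only the "logged in" lines keeps failed attempts and logouts out of the tally, and the distinct-user column stops one patron who reconnects all afternoon from inflating the figure the director reports.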
The public PC is a beast that even skilled system and network technicians often have trouble with. The trouble is that they do not understand what the library really wants regarding the configuration of the PC or the management of the public side. Furthermore, librarians often have difficulty articulating what they want in sufficient detail. Thus, there is a gap filled in with tech speculation and librarian dissatisfaction.

Public side management guidelines:
  • The fundamental problem libraries have is that they invite people with absolutely no inhibitions to come in and use their computers. A patron told one of my directors that they always come to the library to visit a certain web site, because they always get infected when they go there.
  • Assume all public PCs are infected as soon as a patron touches it.
  • Focus primary efforts on area segregation and PC recovery, rather than restrictive or blocking techniques. Make sure that public PCs cannot communicate with staff PCs, blocking at as low a level as possible. I do the blocking at layer 2.
  • Library staff typically are not sufficiently skilled to be able to troubleshoot public PC problems, so the tech's job is to configure the PC so as to create as few questions as possible during its use. Even when they are sufficiently skilled, librarians often have many other things they should be working on.
  • Automate the environment as much as possible. For example, automate the turning on and then off of the public PCs. This is easily accomplished with most PCs. There are many other tasks that can be automated. Actively look for ways to minimize staff interaction with public PCs. Also minimize staff/patron interaction over computer management issues.
Deep Freeze is a product from faronics.com that I have long held is the best PC management money a library can spend. There are a number of products similar to Deep Freeze but I have only used this product so will only comment on its use. The use of Deep Freeze dictates much about how the public side is managed, so its use will be described in some detail.

Deep Freeze is an application that will allow you to roll back any and all changes to the file system on a PC when it is rebooted. It is switched between frozen and thawed with a reboot. If it comes up thawed, you can make changes and have them stick. If it comes up frozen, all changes are removed at the next boot. So as long as a PC stays frozen, it remains unchanged.

Public PC and environment configuration:
  • The tech's primary goal regarding the public side is to limit damage, and facilitate recovery. In a previous post about ARP poisoning, I describe a relatively easy technique for disabling communication between groups of PCs sharing a subnet. That is one way to do it, but however it is done, it must be done.
  • Easy recovery is accomplished with Deep Freeze.
  • Damage is limited through the use of antivirus and antispyware, local and perimeter firewalls, and restrictions on the PCs functionality while in the patron's hands.
  • I use F-prot antivirus because it is lean, good enough, and $3.75/PC/year. I also use Spybot anti-spyware, predominantly for the hosts file it provides. There are other ways to get useful hosts files to block access to unwanted sites (for example mvps.org), but I find Spybot useful.
  • Run the Microsoft firewall at each PC and have a firewall at the perimeter device.
  • Restrictions are provided via Group Policy at most of my sites, but at some sites without servers I use a product called WinSelect, also from Faronics.
  • I allow three kinds of access to a PC to support centralized and remote management: File and print sharing to allow access to the file system, Remote Registry service to allow manipulation of the registry, and Remote Desktop sharing to support Terminal Services.
  • Limit patron logons to only those PCs that patrons use. This can be done easily in Active Directory Users and Computers in User Properties.
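The last item, scripted, as an added example that is not part of the original post: it sets the same LogonWorkstations attribute that the "Log On To..." button in User Properties edits, for every account in a patron OU, and then lists any patron account that is still allowed to log on anywhere. The ActiveDirectory module (Server 2008 R2 RSAT), the OU name, the domain name library.local and the PC names PUB-01 through PUB-06 are all assumptions.

```powershell
# Added example (not from the original post): restrict patron accounts to the
# public PCs by setting LogonWorkstations, the attribute behind the
# "Log On To..." button in Active Directory Users and Computers.
# Assumptions: the ActiveDirectory module is installed, patron accounts live
# in OU=Patrons, the domain is library.local, and the public PCs are named
# PUB-01 .. PUB-06.
Import-Module ActiveDirectory

$patronOU  = 'OU=Patrons,DC=library,DC=local'
$publicPCs = 1..6 | ForEach-Object { 'PUB-{0:D2}' -f $_ }   # PUB-01 ... PUB-06

# LogonWorkstations is a single comma-separated string of NetBIOS names.
$allowed = $publicPCs -join ','

function Set-PatronLogonWorkstations {
    param([string]$SearchBase, [string]$Workstations)
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        Set-ADUser -Identity $_ -LogonWorkstations $Workstations
    }
}

# Verification: any patron account with an empty LogonWorkstations can still
# log on to a staff PC, so this list should come back empty.
function Get-UnrestrictedPatrons {
    param([string]$SearchBase)
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties LogonWorkstations |
        Where-Object { -not $_.LogonWorkstations } |
        Select-Object SamAccountName, LogonWorkstations
}

Set-PatronLogonWorkstations -SearchBase $patronOU -Workstations $allowed
Get-UnrestrictedPatrons -SearchBase $patronOU
```

The attribute is a fixed list of names, so every time a public PC is added or renamed the list has to be rewritten; running the second function after each change is the quick way to confirm no patron account slipped back to "all computers".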
As I have mentioned, Deep Freeze determines much about the way the public side is managed, so I will describe in some detail how I use it.
  • Deep Freeze has an Enterprise version that allows central management of Deep Freeze clients. All PCs can be changed to frozen or thawed with a few clicks.
  • Deep Freeze has what it calls a thawspace. This is a separate drive where patrons can store documents that will survive a reboot. I use this only for short term storage. I run an automated process that will delete thawspace on all patron PCs on a daily basis.
  • I use Imagex, the Microsoft product, to create a disk image that will be copied to many PCs. Do not install Deep Freeze as part of this image.
  • Once a month, I go in during library closed hours to thaw all the PCs and run Microsoft updates, as well as updates for a number of applications. Much of this process has been automated, but I still spend too much time on updates.
  • Never let any patron touch a PC that is not frozen.
  • If you need to thaw a public PC during open hours, make sure that its firewall is set to block all incoming connections.
  • Do not do any general surfing on any thawed public PC. Access your update sites only.
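Two pieces of the routine above, as an added example rather than the author's own scripts: the firewall lockdown for a PC that has to be thawed during open hours, and the daily ThawSpace purge installed as a scheduled task on each public PC. Assumptions: Vista/Windows 7-era clients where `netsh advfirewall` exists, ThawSpace presented as drive T: (Deep Freeze's default letter; check your own configuration), the admin share `\\PC\C$` reachable from the server as the file-sharing access described earlier allows, and the PC names.

```powershell
# Added example (not from the original post): two helpers for the Deep Freeze
# routine. Assumptions: Vista/Windows 7-era public PCs with "netsh advfirewall";
# ThawSpace presented as drive T: (Deep Freeze's default letter); public PCs
# reachable through \\PC\C$ and schtasks.exe from the server.

# 1. For a PC thawed during open hours: ignore every inbound allow rule
#    (including the File and Print Sharing and Remote Desktop rules) while
#    still letting the PC fetch updates. Run this on the thawed PC itself.
function Set-ThawedMaintenanceFirewall {
    netsh advfirewall set allprofiles firewallpolicy blockinboundalways,allowoutbound | Out-Null
    netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
}

# Once the PC is frozen again, go back to the normal policy: inbound blocked
# unless a rule allows it, which is what lets remote management back in.
function Restore-PublicPCFirewall {
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
}

# 2. Daily ThawSpace purge: drop a small cleanup script on each public PC and
#    register it as a task that runs as SYSTEM before opening time. The script
#    and the task definition both live on the frozen C: drive, so install this
#    during a thawed maintenance window or it disappears at the next reboot.
$cleanupScript = @'
$thaw = 'T:\'
if (Test-Path $thaw) {
    Get-ChildItem -Path $thaw -Force |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}
'@

function Install-ThawSpacePurge {
    param([string[]]$ComputerName, [string]$RunAt = '07:30')
    foreach ($pc in $ComputerName) {
        $remoteDir = "\\$pc\C$\LibraryAdmin"
        if (-not (Test-Path $remoteDir)) { New-Item -ItemType Directory -Path $remoteDir | Out-Null }
        Set-Content -Path "$remoteDir\Clear-ThawSpace.ps1" -Value $cleanupScript
        schtasks.exe /Create /S $pc /F /RU SYSTEM /SC DAILY /ST $RunAt `
            /TN 'Library\Clear-ThawSpace' `
            /TR 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\LibraryAdmin\Clear-ThawSpace.ps1'
    }
}

# Run from the server during the monthly thaw (PC names are assumptions):
# Install-ThawSpacePurge -ComputerName 'PUB-01','PUB-02','PUB-03'
```

`blockinboundalways` is the setting that matters for the thawed case: plain `blockinbound` still honours the allow rules for file sharing and Remote Desktop, which is exactly the access you do not want open on an unfrozen PC while patrons are in the building. The purge task survives freezing because the ThawSpace drive itself is never frozen, but the task and script only persist if they were written while the PC was thawed.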
Finally, the server is a component available to both the public and staff side. A server does three things. It is my platform for remote support. It is where documents are stored. And it is the platform providing a variety of services to the LAN.
  • I configure the perimeter device to forward port 3389 packets to the server, and I access it via Terminal Services.
  • All critical documents are kept at the server in shared folders which are regularly backed up to external drives and removed offsite. Appropriate permissions are also applied to shared folders. I actively deny access by patron side logons to staff shared folders.
  • The server is then used to access all the PCs on site via Terminal Services. It runs the Deep Freeze console. It collects updated antivirus signature files to be disseminated on the LAN. It runs the Active Directory tools such as Users & Computers, and Group Policies. It runs various automated processes with the Task Scheduler. And more.
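The "deny access by patron side logons" step from the second item, as an added example (not the author's own script): it puts an explicit deny entry for a patron group on every staff shared folder and then reads the ACLs back to confirm the entry is present, which is the check worth running after any permission change. A domain group named LIBRARY\Patrons that every patron logon belongs to, and staff shares under D:\Shares\Staff, are assumptions.

```powershell
# Added example (not from the original post): deny a patron group access to
# every staff shared folder, then verify the deny entry really landed.
# Assumptions: a domain group LIBRARY\Patrons that all patron logons belong
# to, and the staff shares living under D:\Shares\Staff on the server.
$patronGroup = 'LIBRARY\Patrons'
$staffRoot   = 'D:\Shares\Staff'

function Deny-PatronAccess {
    param([string]$Root, [string]$Group)
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        # (OI)(CI) propagate the entry to files and subfolders; F = full control.
        # A deny entry outranks any allow the group also inherits.
        icacls.exe $_.FullName /deny "$($Group):(OI)(CI)F" | Out-Null
    }
}

function Test-PatronDenied {
    param([string]$Root, [string]$Group)
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_.FullName
        $deny = (Get-Acl -Path $folder).Access | Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq 'Deny' -and
            $_.FileSystemRights -eq 'FullControl'
        }
        New-Object PSObject -Property @{
            Folder       = $folder
            PatronDenied = [bool]$deny
        }
    }
}

Deny-PatronAccess -Root $staffRoot -Group $patronGroup
Test-PatronDenied -Root $staffRoot -Group $patronGroup | Format-Table -AutoSize
```

Because a deny entry beats every allow entry, a staff account that was ever dropped into the patron group loses the staff shares too; when someone reports "access denied" after this runs, group membership is the first thing to check, not the folder permissions.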
Excuse the length of this document, but there is a lot of material, even when covered superficially. I have posted documents recently on ARP poisoning and on configuring a public PC. I will soon post a document on the Mikrotik platform and another on the 10 suggestions I have for small library security. These should cover all the issues I discussed at the presentation at MLA.

Good luck configuring and maintaining your IT environment. Share these comments as you wish. Post your questions as comments here at the Montana Bibliotechies, or send me an email at [email protected].

Wednesday, April 13, 2011

Deep Freeze on Public PCs

You spend a lot of time and money setting up a PC for the public to use. But soon everything is running slow on it, or you keep getting infected warnings from your anti-virus, or you keep getting unwanted pop-ups. What do you do?

Unfortunately, the first thing you have to do is completely wipe the hard drive on the PC and start over again. But this time, before you give the PC to the public, you install Deep Freeze on it.

Deep Freeze is a product that completely rolls back any changes made to a PC every time it reboots. This is good for when a patron makes unwanted changes to the PC, like changing the background, or for when a PC gets infected. It is not so good for when you need to update the PC, because that will be removed too.

Deep Freeze runs in two modes: frozen and thawed. When it's frozen, any changes made are removed at the next reboot. When it's thawed, you can do your updates and they will stick.

I have been using Deep Freeze for more than a decade and am very impressed with it. I think you should use it too, or a product like it, to keep your public PCs running well.

Windows SteadyState has a similar component, but Microsoft does not make a version of SteadyState for Windows 7. There are other paid products as well such as DriveShield and Centurion Guard, but I haven't used those so cannot comment on them.

  • I purchase the Enterprise version, which means I have a central console from which I can switch all my PCs from frozen to thawed with just a few clicks. This console also allows you to update the Deep Freeze configuration, to startup and shutdown the PCs, send screen messages to the PC, and more.
  • Deep Freeze is also sold in a Standard edition, which installs on a lone PC and is managed only at that PC.
  • When I get a PC configured for the public, the last thing I will do is install Deep Freeze on it. Then I let the public use it only in the frozen mode. When I have to do updates, I wait until the library is closed, boot the PCs in thawed mode, and do all the updates on each PC. Then I freeze the PC again before I let the public use it.
  • Deep Freeze is not a restriction tool. It is a recovery tool. It doesn't stop patrons from doing bad things to your computer, it just allows you to recover easily when they do. You have to use something like Group Policy, or a Local Policy, or Winselect to impose restrictions.
  • Deep Freeze has what is called a "Maintenance Mode" which is simply a configuration feature that will make the PC boot thawed if it is ever on at a certain time. For example, if you always do your updates after you close Tuesdays at 6 PM, you can set the PCs to automatically turn on and thaw themselves every Tuesday at 6 PM and then freeze again at 9 PM.
  • Deep Freeze is not perfect. It does not protect against Master Boot Record infections, but these are rare anymore. I have had a few problems with it, mostly due to a PC getting turned off when it shouldn't during a Windows update, but the company has a good fix for this and their tech support has been very helpful when I have called.
If you are having trouble keeping your PCs working, have a look at Deep Freeze to start making that effort less work.

Sunday, February 7, 2010

Windows 7

Have you used Windows 7 yet? Are you planning to soon?

I was hesitant to jump into Windows 7 early on. I didn’t want to get too involved with it if we were going to have another distribution like Vista. Early last fall I had seen some statistics that 80% of IT managers at large firms were planning on waiting for quite a while to see how the release of this OS was going to play out. I fell into that camp.

But I had some clients that wanted Windows 7 on some PCs right away, so I thought it would be a good start and get some experience on someone else’s dime. Thanks Renee. It went pretty well. It was a public surfing PC, actually four of them, and I was able to install it on two of the four. Here is how it went.

All four PCs were Dell Optiplexes. I forget the model numbers, but two a little newer and two a little older. I did a fresh install on one of the newer ones, then installed all the standard Public PC software, which for me is MS Office, Itunes/Quicktime, Google Earth, Adobe Reader/Flash/Shockwave, Java, Picasa, and probably some other things. I should also point out that Windows 7 recognized all the hardware in the PC. All of it. I didn’t have to go to Dell Support to get any drivers.

The first glitch was with Deep Freeze, which I use on all public PCs I manage. Windows 7 needed the most recent version which is 6.61. Our maintenance contract was still live so I just downloaded and upgraded Deep Freeze to 6.61.

Then I imaged the install on the first PC and copied that image to one of the two older Dells. This brought the second glitch. It did not recognize the audio hardware and Dell said they did not have a Windows 7 driver for that hardware yet, but she thought they would at some point. You need audio on public stations so I had to pass those two up. The other two have been working fine for a few months now.

I have done several other installs and, with one glaring exception, it has gone very well. I even have some staff members running Workflows on Windows 7 and have not heard any complaints yet. Keep in mind that Sirsi still does not support Windows 7.

The glaring exception is OCLC’s Connexion. Now this is not really a Windows 7 problem. It is a 64-bit OS problem. The latest version of Connexion will not run natively on a 64-bit operating system. So when I bought a bunch of new “latest and greatest” hardware for our Tech Services department and started installing all the apps they need, I hit a roadblock with Connexion. They MUST have Connexion and I had already put a lot of effort into using the 64-bit version of Windows 7, so I had to accommodate somehow. Now Connexion would have worked fine (I’m told) if I had used the 32-bit version of Windows 7, but that is the old and I’m bringing in the new.

I complained vociferously to a number of folks at OCLC but they have limited resources, and we all know about that, and they’ll get to it when they get to it. They have a solution which I won’t go into here, except to say that you have to install a guest operating system. So I will have Connexion and my 64-bit OS on these boxes.

The anticipated release date for Windows 7 Service Pack 1 is this September. It looks like it’s not going to bring any big changes because Windows 7, so far, seems to be a pretty solid release. That is not to say that everyone is satisfied with all of it. Search on “Windows 7 annoyances” to see a sampling of current grumbling.

I think Windows XP released in October of 2001. I’m hoping I’ll be able to stick with Windows 7 as long as we have been using Windows XP. If I do, I’ll only have to go through one more OS upgrade before I retire. That sounds pretty good to me.

Tuesday, June 23, 2009

Public PC Restrictions - Part Two

So this is really part 2 of what I had described in an earlier blog. You should read the first part or this won’t really make much sense. It's called "Public PC Restrictions without Steady State".

OK, well there is one thing you do NOT do, and that is to enable the restriction called "Prevent access to Microsoft Management Console utilities". Remember that the Administrator account is what you use to make changes to your policies with the Group Policy Editor. The Exec account can’t make those changes because it does not have read access to the “User” folder that has the policy. The Group Policy Editor is one of the Microsoft Management Console utilities, so if you enable that restriction, you can no longer change your restrictions. This would be an unfortunate series of events indeed.

I list the policies I have used on a set of PCs running XP in a Workgroup and that have Deep Freeze installed on them. This list is just what I am using and in no way means it is just right for you. But you might usefully use this as a good starting point. I consider these restrictions to be mild to medium. Good luck and please let me know if you found this useful or not. Thanks.
This is the list of enabled policies.

General Settings
Set Internet Homepage (to whatever)
Prevent Access to Drives from My Computer - Restrict C drive only

Start Menu Restrictions
Allow only the Classic Start menu
Remove the Control Panel, Printer and Network Settings from the Classic Start menu
Remove the My Documents icon
Remove the My Recent Documents icon
Remove the My Pictures icon
Remove the My Music icon
Remove the My Network Places icon
Remove the Control Panel icon
Remove the Set Program Access and Defaults icon
Remove the Network Connections (Connect To) icon
Remove the Printers and Faxes icon
Remove the Run icon
Remove the Frequently Used Programs list

General Windows Restrictions (In this section DO !NOT! prevent access to the MMC)
Prevent right-click in Windows Explorer
Prevent Autoplay on CD, DVD, and USB drives
Prevent users from saving files to the desktop
Prevent access to Windows Explorer features: Folder Options, Customize Toolbar, and the notification Area
Prevent access to the command prompt
Prevent access to the registry editor
Prevent access to Task Manager
Prevent users from adding or removing printers
Prevent users from locking the computer
Prevent password changes (also requires the Control Panel icon to be removed)

Internet Explorer restrictions
Disable Autocomplete
Empty the Temporary Internet Files folder when Internet Explorer is closed
Prevent access to some Internet Explorer menu choices
Security Tab
Programs Tab
Privacy Tab
Advanced Tab
Connections Tab

Microsoft Office restrictions
Disable Add-Ins (both check boxes)

Additional Start Menu Restrictions
Prevent programs in the All Users folder from appearing

Additional General Windows Restrictions
Remove the Shared documents folder from My Computer

Additional Internet Explorer Restrictions
None
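A scripted way to lay down a subset of the list above, as an added example and not the method from the original post: it writes the restrictions as per-user policy registry values, which is where the Group Policy Editor stores them, and then reads each value back so you can see which ones did not land before freezing the PC. It is meant to run while logged on as the restricted account (the Exec account of the earlier post), never as Administrator, and it deliberately touches nothing under the MMC policy key. The value names are the documented Windows policy values; which of them corresponds to each setting in the list is my mapping, not the author's.

```powershell
# Added example (not from the original post): write a subset of the listed
# restrictions as per-user policy registry values, the same values the Group
# Policy Editor sets. Run as the restricted account, not Administrator.
# Nothing here touches the MMC policy key, for the reason given at the top
# of this post. The mapping from list item to value name is an assumption.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$winsys   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# Each entry: registry key, value name, DWORD value, restriction it implements.
$restrictions = @(
    @{ Key = $explorer; Name = 'NoViewOnDrive';          Value = 4;   Note = 'Prevent access to C: from My Computer (4 = drive C)' },
    @{ Key = $explorer; Name = 'NoRun';                  Value = 1;   Note = 'Remove the Run icon' },
    @{ Key = $explorer; Name = 'NoControlPanel';         Value = 1;   Note = 'Remove the Control Panel icon' },
    @{ Key = $explorer; Name = 'NoSMMyDocs';             Value = 1;   Note = 'Remove the My Documents icon' },
    @{ Key = $explorer; Name = 'NoRecentDocsMenu';       Value = 1;   Note = 'Remove the My Recent Documents icon' },
    @{ Key = $explorer; Name = 'NoNetworkConnections';   Value = 1;   Note = 'Remove the Network Connections icon' },
    @{ Key = $explorer; Name = 'NoDriveTypeAutoRun';     Value = 255; Note = 'Prevent Autoplay on all drive types' },
    @{ Key = $explorer; Name = 'NoViewContextMenu';      Value = 1;   Note = 'Prevent right-click in Windows Explorer' },
    @{ Key = $explorer; Name = 'NoFolderOptions';        Value = 1;   Note = 'Remove Folder Options' },
    @{ Key = $explorer; Name = 'NoAddPrinter';           Value = 1;   Note = 'Prevent users from adding printers' },
    @{ Key = $explorer; Name = 'NoDeletePrinter';        Value = 1;   Note = 'Prevent users from removing printers' },
    @{ Key = $system;   Name = 'DisableTaskMgr';         Value = 1;   Note = 'Prevent access to Task Manager' },
    @{ Key = $system;   Name = 'DisableRegistryTools';   Value = 1;   Note = 'Prevent access to the registry editor' },
    @{ Key = $system;   Name = 'DisableLockWorkstation'; Value = 1;   Note = 'Prevent users from locking the computer' },
    @{ Key = $system;   Name = 'DisableChangePassword';  Value = 1;   Note = 'Prevent password changes' },
    @{ Key = $winsys;   Name = 'DisableCMD';             Value = 2;   Note = 'Prevent the command prompt (2 still allows scripts to run)' }
)

function Set-PublicRestrictions {
    param([hashtable[]]$Items)
    foreach ($r in $Items) {
        if (-not (Test-Path $r.Key)) { New-Item -Path $r.Key -Force | Out-Null }
        Set-ItemProperty -Path $r.Key -Name $r.Name -Value $r.Value -Type DWord
    }
}

# Read every value back; anything reported here did not apply.
function Test-PublicRestrictions {
    param([hashtable[]]$Items)
    foreach ($r in $Items) {
        $actual = $null
        if (Test-Path $r.Key) {
            $actual = (Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        }
        New-Object PSObject -Property @{
            Restriction = $r.Note
            Applied     = ($actual -eq $r.Value)
        }
    }
}

Set-PublicRestrictions -Items $restrictions
Test-PublicRestrictions -Items $restrictions | Where-Object { -not $_.Applied }
```

Explorer reads these values at logon, so log the restricted account off and back on before judging the result. Leaving the MMC key alone matters for the same reason the post opens with: the Administrator account still needs the Group Policy Editor, and a policy applied to the wrong hive takes it away.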