Showing posts with label Security Tip. Show all posts

Monday, May 2, 2011

The 9 Suggestions

At MLA 2011, I presented on what a small library should be doing to keep its PCs running. I gave 9 suggestions for what a library should do. Here they are.

  1. Microsoft Updates: Do Microsoft updates, not just Windows updates. The second Tuesday of the month is when Microsoft releases many updates, but they also occasionally come at other times of the month too.
  2. Also keep your other applications current. Pay particular attention to Firefox, Adobe Reader, and Flash. But try to keep all your applications up to date. I agree with you though that it is a royal pain in the neck. Larry, our new IT guy at the Missoula Public Library, has some good ideas on that front. I hope to be posting about how to make this easier in a couple of months.
  3. Use Firewalls. XP, ME, Vista, Windows 7 all have firewalls built in. Use them. Also use a firewall at your perimeter device. That's the device in the phone closet that connects to your ISP.
  4. Block SPAM. If a malicious email never shows up in your mailbox, it can't infect you. Most email clients have some kind of SPAM blocking feature. Also, many ISPs provide a SPAM blocking service that will usually cost a little bit but will keep your mailbox cleaner.
  5. Protect your Browser: All the major browsers have a variety of tools built into the application to protect you from a variety of malicious activities. For example, IE has the pop-up and ActiveX blockers, protected mode, and a variety of other things. Another useful tool is something called the WOT. It's a third-party app. Find it by googling "web-of-trust".
  6. PC Restrictions: This is something you would consider mostly for your public PCs. The primary product for this is Group Policy. If you had a week-long class on this product you would just be scratching the surface. But there are much more user-friendly products such as SteadyState from Microsoft (it's free but it doesn't work on Windows 7) or WinSelect from Faronics.
  7. Antivirus and antispyware: As time goes by, this genre of tools becomes less and less useful because the malware is getting too clever. But they are still useful. Use them. Keep them updated.
  8. Separate Public, Staff, and Hotspot PCs: Your staff will at least try not to get infected. The public doesn't care, and so you can assume the public PCs are infected not long after a patron touches them. On the hotspot, patrons can use their own tools to hack into your environment. Stop all this by disallowing any communication between your staff, public, and hotspot users. See a previous post on ARP poisoning to learn how to do this easily.
  9. Passwords: Never leave a device with its default password, or no password, or "password", or any of dozens of silly selections. You have good locks on your doors? You should also have good locks on your software. This applies to both your vocation and your personal life. Don't always use the same password. Can someone watch you log on to your PC every morning and then know how to get into your online banking?
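Suggestion 8 says the three groups of machines should not be able to talk to each other at all. The quickest way to find out whether that rule actually holds is to read the perimeter firewall's log and look for connections it allowed between two of the segments. The script below is an added example, not code from the original post; it assumes a constructed addressing plan (one /24 per segment) and a constructed one-line-per-connection log format, so substitute your own subnets and adjust the regular expression to whatever your device writes.

```python
"""Check that staff, public and hotspot segments really are separated.

Added example, not from the original post. Assumes the three groups sit on
three separate subnets (constructed plan below) and that the perimeter
firewall logs one key=value line per connection (also constructed). Any
connection the firewall ALLOWED between two different internal segments
violates suggestion 8; a DENIED one is an attempt worth knowing about.
"""
import ipaddress
import re

# Constructed addressing plan for the example; substitute your own subnets.
SEGMENTS = {
    "staff": ipaddress.ip_network("10.0.1.0/24"),
    "public": ipaddress.ip_network("10.0.2.0/24"),
    "hotspot": ipaddress.ip_network("10.0.3.0/24"),
}

# Constructed log format: src= dst= proto= dport= action=ALLOW|DENY
LOG_RE = re.compile(
    r"src=(\S+)\s+dst=(\S+)\s+proto=(\S+)\s+dport=(\d+)\s+action=(\S+)"
)


def segment_of(addr):
    """Name of the internal segment an address belongs to, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"  # Internet, ISP gateway, anything outside the plan


def parse_line(line):
    """Turn one firewall log line into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport, action = m.groups()
    return {"src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "action": action.upper()}


def classify(rec):
    """'violation' for an allowed cross-segment flow, 'attempt' for a denied
    one, None for traffic inside one segment or to/from the Internet."""
    s, d = segment_of(rec["src"]), segment_of(rec["dst"])
    if "external" in (s, d) or s == d:
        return None
    return "violation" if rec["action"] == "ALLOW" else "attempt"


def audit_log(lines):
    """Return {'violation': [...], 'attempt': [...]} of (src, dst, proto, dport)."""
    result = {"violation": [], "attempt": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        kind = classify(rec)
        if kind:
            result[kind].append((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return result


# Constructed sample log lines (TEST-NET address stands in for the Internet).
SAMPLE_LOG = [
    "2011-05-02 09:01:10 src=10.0.2.15 dst=10.0.1.5 proto=tcp dport=445 action=ALLOW",
    "2011-05-02 09:01:12 src=10.0.3.40 dst=10.0.1.5 proto=tcp dport=3389 action=DENY",
    "2011-05-02 09:01:15 src=10.0.2.15 dst=203.0.113.10 proto=tcp dport=80 action=ALLOW",
    "2011-05-02 09:01:20 src=10.0.1.7 dst=10.0.1.5 proto=tcp dport=445 action=ALLOW",
    "garbage line the parser should skip",
]

if __name__ == "__main__":
    for kind, flows in audit_log(SAMPLE_LOG).items():
        for flow in flows:
            print(kind, *flow)
```

On the sample above the public-to-staff file-share connection is reported as a violation (the firewall let it through), the hotspot-to-staff remote desktop connection as a blocked attempt, and the public-to-Internet and staff-to-staff lines are ignored. Run it over a day's log after you put the separation in place; an empty "violation" list is the result you want.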

So there is a lot of stuff here. You are not going to go home and do all this right away, if at all. So people ask me for the short list. What three things from this list should they do?

If I had to say only three, I would say 1&2 first. Do the Microsoft and application updates regularly. Then 8, because you can always safely assume that your public PCs are infected, and you don't want that to spread to your staff PCs. Finally 9, passwords are locks, use good ones and use them correctly. There is a lot of good info about how to use passwords well.

But I would also put antivirus and antispyware in the top 3 as well. I know there are 4 items in the top 3 but they all need to be there. AV and AS are less important on public PCs if they are using Deep Freeze, but definitely important on PCs not running Deep Freeze.

Be careful out there.


Wednesday, April 13, 2011

Deep Freeze on Public PCs

You spend a lot of time and money setting up a PC for the public to use. But soon everything is running slow on it, or you keep getting infected warnings from your anti-virus, or you keep getting unwanted pop-ups. What do you do?

Unfortunately, the first thing you have to do is completely wipe the hard drive on the PC and start over again. But this time, before you give the PC to the public, you install Deep Freeze on it.

Deep Freeze is a product that completely rolls back any changes made to a PC every time it reboots. This is good for when a patron makes unwanted changes to the PC, like changing the background, or for when a PC gets infected. It is not so good for when you need to update the PC, because that will be removed too.

Deep Freeze runs in two modes: frozen and thawed. When it's frozen, any changes made are removed at the next reboot. When it's thawed, you can do your updates and they will stick.

I have been using Deep Freeze for more than a decade and am very impressed with it. I think you should use it too, or a product like it, to keep your public PCs running well.

Windows Steady State has a similar component but Microsoft does not make a version of Steady State for Windows 7. There are other paid products as well such as DriveShield and Centurion Guard, but I haven't used those so cannot comment on them.

  • I purchase the Enterprise version, which means I have a central console from which I can switch all my PCs from frozen to thawed with just a few clicks. This console also allows you to update the Deep Freeze configuration, to start up and shut down the PCs, send screen messages to the PC, and more.
  • Deep Freeze is also sold in a Standard edition, which installs on a lone PC and is managed only at that PC.
  • When I get a PC configured for the public, the last thing I will do is install Deep Freeze on it. Then I let the public use it only in the frozen mode. When I have to do updates, I wait until the library is closed, boot the PCs in thawed mode, and do all the updates on each PC. Then I freeze the PC again before I let the public use it.
  • Deep Freeze is not a restriction tool. It is a recovery tool. It doesn't stop patrons from doing bad things to your computer, it just allows you to recover easily when they do. You have to use something like Group Policy, or a Local Policy, or Winselect to impose restrictions.
  • Deep Freeze has what is called a "Maintenance Mode" which is simply a configuration feature that will make the PC boot thawed if it is ever on at a certain time. For example, if you always do your updates after you close Tuesdays at 6 PM, you can set the PCs to automatically turn on and thaw themselves every Tuesday at 6 PM and then freeze again at 9 PM.
  • Deep Freeze is not perfect. It does not protect against Master Boot Record infections, but these are rare anymore. I have had a few problems with it, mostly due to a PC getting turned off when it shouldn't during a Windows update, but the company has a good fix for this and their tech support has been very helpful when I have called.

If you are having trouble keeping your PCs working, have a look at Deep Freeze to start making that effort less work.
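The thawed state is the exposure window: anything a patron installs on a thawed public PC survives the reboot, so a PC that is thawed while the library is open defeats the whole point. The script below is an added example, not code from the original post or from Faronics. It assumes a weekly maintenance window like the one described above (Tuesday 6 PM to 9 PM) and a constructed text export of each PC's reported state, and lists the PCs that are thawed when the schedule says they should be frozen. It also handles a window that crosses midnight, which the post's example does not need.

```python
"""Flag public PCs that are thawed outside the maintenance window.

Added example, not from the original post or from Faronics. Assumes a weekly
window (constructed: Tuesday 18:00-21:00, as in the post) and a constructed
"name, state, last_report" export of per-PC state. A public PC reported
Thawed at any other time is a gap: a patron's changes will survive a reboot.
"""
from datetime import datetime

# Constructed weekly windows: (weekday with Monday=0, start "HH:MM", end "HH:MM").
MAINTENANCE_WINDOWS = [(1, "18:00", "21:00")]


def _hm(text):
    """'HH:MM' -> (hour, minute) tuple, which compares correctly."""
    h, m = text.split(":")
    return int(h), int(m)


def in_maintenance_window(when, windows=MAINTENANCE_WINDOWS):
    """True when 'when' (a datetime) falls inside one of the weekly windows.
    A window whose end is earlier than its start crosses midnight and is
    treated as two pieces: tonight after start, and tomorrow before end."""
    now = (when.hour, when.minute)
    for weekday, start, end in windows:
        s, e = _hm(start), _hm(end)
        if s <= e:
            if when.weekday() == weekday and s <= now < e:
                return True
        else:
            if when.weekday() == weekday and now >= s:
                return True
            if when.weekday() == (weekday + 1) % 7 and now < e:
                return True
    return False


def state_at(stamp, windows=MAINTENANCE_WINDOWS):
    """Expected state ('Thawed' or 'Frozen') at 'YYYY-MM-DD HH:MM'."""
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    return "Thawed" if in_maintenance_window(when, windows) else "Frozen"


def parse_export(text):
    """Parse constructed 'name, state, last_report' lines into (name, state, stamp)."""
    rows = []
    for line in text.strip().splitlines():
        name, state, stamp = [field.strip() for field in line.split(",")]
        rows.append((name, state, stamp))
    return rows


def find_exposed(rows, windows=MAINTENANCE_WINDOWS):
    """Names of PCs reported Thawed when the schedule says they should be Frozen."""
    return [name for name, state, stamp in rows
            if state == "Thawed" and state_at(stamp, windows) == "Frozen"]


# Constructed export. 2011-04-12 is a Tuesday, 2011-04-13 a Wednesday.
SAMPLE_EXPORT = """
PUB-01, Frozen, 2011-04-13 10:15
PUB-02, Thawed, 2011-04-13 10:15
PUB-03, Thawed, 2011-04-12 18:30
PUB-04, Thawed, 2011-04-12 21:05
"""

if __name__ == "__main__":
    for name in find_exposed(parse_export(SAMPLE_EXPORT)):
        print("thawed outside maintenance window:", name)
```

PUB-03 is thawed inside the Tuesday window and passes; PUB-02 (Wednesday morning) and PUB-04 (Tuesday after 9 PM) are reported. Run it against whatever the console can export and treat any hit as a PC to re-freeze before the doors open.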

Friday, October 31, 2008

Security Tip - Windows PE

Good job on the new look for your blog, Suzanne.

A couple of weeks ago my sister-in-law brought me her PC that would no longer boot. These things get dumped on me from time to time with a request to recover all their documents, make it work, and tune it up so that it runs faster than it ever ran before. My sister-in-law is a sweetheart, so I figured I would have a go at it.

I started by trying a variety of the boot options provided through the F8 boot menu. Mostly the boots just ended at the same blank screen, but one presented the BSOD, otherwise known as the Blue Screen of Death. The BSOD is an error screen that happens so frequently on MS operating systems that it has its own acronym. The error message on my sister-in-law’s machine suggested some sort of video problem.

So I’m figuring the PC is dead, I’m going to have to do a fresh install of Windows XP and maybe replace the video card, but I want to save whatever I can from the disk so she can get her documents back. So I pull out the Windows PE disk.

The Windows PE disk is something I have just started using, but I can already see that it will be a common tool for a variety of tasks managing a Microsoft environment. Have a look at www.windowspe.com or just search “Windows PE” to find out more. It’s an operating system on a CD. You put it in your CD drive, you boot it, and you have an MS environment to work in. It’s just a command line, but there is a lot you can do with this. Here is what I did with this troublesome PC.

I intended just to copy the entire contents of the hard drive to an external drive. I booted Windows PE to the command prompt, plugged in the external drive, and copied the entire hard drive successfully to a folder on the external drive. I was then free to do a fresh install on the PC’s hard drive because I had captured all my sister-in-law’s documents.

But my sister-in-law has kids, and there is a general principle known to people who manage PCs that PCs don’t work for very long in households with kids in them. So I plugged the external drive into my own PC and ran a virus and spyware scan on the folder of files copied from the offending PC. I found a couple dozen hits. I then went back to my sister-in-law’s PC and, using Windows PE, manually deleted all the couple dozen files that my scanner had identified as malware on the external drive. When I booted her PC off the hard drive again, after deleting those couple dozen files, the PC booted just fine. I then updated her virus scanner, installed and ran the Spybot spyware scanner, and presto, she has her PC back.
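The last step of that workflow, taking the scanner's list of hits on the external copy and deleting the matching files from the original drive, is where a typo or a file that changed in between can cost you a document. The script below is an added example, not code from the original post. It builds a constructed "original drive" and "external copy" in a temporary directory, maps each flagged path on the copy back to the original, and deletes the original only when its SHA-256 matches the flagged copy; a missing or changed file is skipped and reported instead. Paths and file contents are constructed for the example.

```python
"""Offline clean-up: map scanner hits on a drive copy back to the original.

Added example, not from the original post. The post's workflow is: copy the
whole drive to an external disk, scan the copy on a clean machine, then
delete the flagged files from the original drive. This script does the last
step given the scanner's list of flagged paths (constructed here). Before
deleting, it checks that the original has the same SHA-256 as the flagged
copy, so a changed file or a mis-mapped path is skipped, not removed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def map_to_original(flagged_path, copy_root, original_root):
    """Rewrite a path under the external copy to the same path on the original."""
    rel = Path(flagged_path).resolve().relative_to(Path(copy_root).resolve())
    return Path(original_root) / rel


def remove_flagged(flagged, copy_root, original_root):
    """Delete each flagged file from the original drive when its hash matches
    the scanned copy. Returns (deleted, skipped), both lists of
    (original_path, sha256_or_None, reason)."""
    deleted, skipped = [], []
    for p in flagged:
        target = map_to_original(p, copy_root, original_root)
        if not os.path.isfile(p):
            skipped.append((str(target), None, "flagged copy missing"))
            continue
        expected = sha256_of(p)
        if not target.is_file():
            skipped.append((str(target), expected, "not present on original"))
            continue
        actual = sha256_of(target)
        if actual != expected:
            skipped.append((str(target), actual, "hash differs from scanned copy"))
            continue
        target.unlink()
        deleted.append((str(target), expected, "deleted"))
    return deleted, skipped


def build_demo(base):
    """Construct a fake original drive, its external copy, and a flagged list."""
    original = Path(base) / "original"
    copy = Path(base) / "external_copy"
    (original / "Documents").mkdir(parents=True)
    (original / "Windows" / "Temp").mkdir(parents=True)
    (original / "Documents" / "letter.doc").write_bytes(b"constructed document")
    (original / "Windows" / "Temp" / "bad.exe").write_bytes(b"constructed sample, not malware")
    (original / "Windows" / "Temp" / "changed.exe").write_bytes(b"version 1")
    shutil.copytree(original, copy)
    # File changed on the original after the copy was taken: must not be deleted.
    (original / "Windows" / "Temp" / "changed.exe").write_bytes(b"version 2")
    flagged = [str(copy / "Windows" / "Temp" / "bad.exe"),
               str(copy / "Windows" / "Temp" / "changed.exe"),
               str(copy / "Windows" / "Temp" / "gone.exe")]  # scanner typo: no such file
    return original, copy, flagged


def run_demo():
    """Build the demo tree in a temp dir, run the clean-up, return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        original, copy, flagged = build_demo(tmp)
        deleted, skipped = remove_flagged(flagged, copy, original)
        return {
            "deleted": [os.path.basename(d[0]) for d in deleted],
            "skipped": {os.path.basename(s[0]): s[2] for s in skipped},
            "letter_kept": (original / "Documents" / "letter.doc").is_file(),
        }


if __name__ == "__main__":
    print(run_demo())
```

Only `bad.exe` is removed; `changed.exe` is skipped because the original no longer matches what was scanned, `gone.exe` because the flagged path does not exist, and the document is untouched. Keeping the `deleted` list (path plus hash) gives you a record of exactly what was taken off the drive, which is worth having if the PC misbehaves afterwards.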

I have been doing some other things with the Windows PE disk as well. Most interesting is that the Windows PE disk has enabled me to stop using Ghost to image and deploy PCs. More on that later.

Thursday, September 18, 2008

Security Tip - Renaming Tools

Some malware is smart enough to recognize its enemies. I ran across one of these this week cleaning up an infected PC. The PC had a recent version of the Spybot anti-spyware tool (www.safer-networking.org/en/index.html) on it so I started that up to run a scan. Nothing happened. I tried again but still nothing.

So then I downloaded Autoruns from Sysinternals (technet.microsoft.com/en-us/sysinternals/default.aspx). I started that up and again nothing happened. So what can you do when you can't even open your tools to try to get rid of some malware?

In this case, I renamed my tool and ran it under the new name and it worked. The executable at the core of the Spybot version I was using is a file called "spybotSD.exe". I renamed it to some arbitrarily chosen name. I called it "bobo.exe". Then when I double-clicked on that file I just renamed, it opened the Spybot program. I ran my scan. It found the malware and removed it.

So if it seems like one of your scanning tools isn't working, this is one thing to try. Be careful out there.