Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!yale!mintaka!ogicse!milton!allyn From: allyn@milton.u.washington.edu (Allyn Weaks) Newsgroups: comp.sys.mac.system Subject: Mac lab security SUMMARY Message-ID: <8052@milton.u.washington.edu> Date: 24 Sep 90 20:58:31 GMT Organization: University of Washington, Seattle Lines: 224 A couple of weeks ago I asked for advice on Mac lab security, and particularly about various commercial packages listed in the Mac Buyer's Guide. Many thanks to those who responded, with special thanks to Tom Johnson of UCLA, who was willing to spend an hour on the phone with me to explain their set-up. Based on what I've heard (both from the net and other sources), we will keep things as simple as possible, with locked partitions to keep the applications and assignment files from being changed by accident or intent, and hope that Hypercard 2.0 comes out soon enough that we can lock the System partition as well. (The TAs are planning a Hypercard tutorial/easy interface for the novices.) If there are problems, we may try to dig up enough money for an SE/30 to act as an Appleshare server. As for keeping people from printing 300 page term papers, we'll try out a product called NetCounter which was pointed out to me by it's author, Herb Weiner. (see below) I'll report back after we've had a chance to test it. Several responders had good solutions that were based on a bigger budget than we have - routing through ether and Gatorboxes and unix machines is currently beyond our means, unfortunately. The responses: ======================== From: tj@CS.UCLA.EDU (Tom Johnson) [Here's a summary of our phone conversation. Any inaccuracies are entirely my fault. LaserWriter banners: it's easy to modify the saved LaserPrep file (command-K to write it to a file), but harder to get it to auto-load when the printer is reset. They renamed the laser driver, and have their AUX box ask the printer what's loaded in, and if it sees the normal LaserPrep, resets and sends the modified one. As for the banner itself, light grey is too hard to read through, so they use a thin outline font. If at all possible, run from an Appleshare server so you can use the protections. You can keep people from copying the commercial software this way too. Physical security: Anchor Pads work well, but make sure you either add, or buy the version with, a metal bar that locks over the mac case, so people can't get in and steal the hard drive, mother board, etc. Also, bolt the pad down as well as using the adhesive. The adhesive attachment alone is good enough for the cable that runs to the monitor. Treat keyboards and mice as disposable - they haven't had any disappear yet. 'Ugly write' over everything - don't just engrave the department name, but scrawl it everywhere in bad handwriting then run bright ink into it. Expect one or two people per quarter to try to upset things as a challenge. Partition the drives and write lock as much as possible. If really worried about people stealing commercial software and/or running their own programs (such as Resedit), remove the floppies completely. If you have a mail system installed, that can be a loophole for file transfers. As for commercial programs such as Fileguard: most or all of them work by altering the disk drivers, so if you use them, you can expect to have to rebuild the disks occaisionally. Also, a knowledgable Resedit user can get through them anyway.] ======================== From: hedstrom@sirius.UVic.CA (Brad Hedstrom) We have a similar system here. We have a number of Macs connected to a laserwriter via a GatorBox running CAP. The laserwriter hangs off a serial port of a Sun 3/50 which takes care of spooling and accounting. In order to print, a user must mount an appleshare volume using aufs (CAPs equivalent to appleshare) which requires them to "log on" to the spooler. This way we can guarantee that only specified people can print to the printer and we also have an account of who printed how many pages. With regard to the file and application sharing, we use a MacJANET server. This allows students access to files without being able to write to them. They can copy them to a local disk if necessary and change them all day long, but the original file is safe. MacJANET also allows only a particular number of applications to be launched at any time, thus living up to licensing agreements and piracy prevention. If you want more info, talk to our sys admin: mmcintos@sirius.uvic.ca. _____________________________________________________________________________ Brad Hedstrom, University of Victoria, ECE Dept. Internet: hedstrom@sirius.uvic.ca UUCP: ...!{uw-beaver,ubc-vision}!uvicctr!hedstrom ======================== From: Matthew Holiday I've just set up a similar lab for foreign languages here at the University of Colorado. Our network includes 3 Appletalk zones, separated by Shiva NetBridges, and connection to the campus Ethernet with a GatorBox. We have two AppleShare servers. 1. You can ensure that students all have a clean copy of the software by partitioning the local hard disk (try SilverLining), then placing the master copies in a locked partition. Students can then copy the master to an unlocked work partition on the same local disk to use your software. We do this, plus we have a separate boot partition for the system software, and a locked, unmounted restore partition to backup the system software. This approach seems to be the cheapest and most fool-proof to date. Our IIci's are 5/40 -- put 1 meg in bank A and 4 in bank B for improved performance with internal video -- and we have a 4 meg startup partition, 4 meg backup partition, 10 meg work partition, and 22 megs of software in a locked partition. Note that we don't leave the SilverLining DA on the machine -- we have a separate startup disk for lab attendants which allows them to mount the backup partition and thus restore a clean copy of the system software. 2. If your network (assuming you are networked) connects to Appletalk/Ethernet outside your lab, you can use the bridges to prevent machines outside your lab from looking in and using the LaserWriter. 3. Seems like the easiest way to keep the lab available to Physics students is to issue ID card stickers to students who should have access, or at least first-priority access, to your lab. 4. As far as not copying commercial software (e.g. a word pro- cessor), you should put it on an AppleShare server. The Apple- Share software can prevent files from being copied. 5. Applications are good candidates for running from a locked partition on a server. HyperCard/SuperCard projects should run from an unlocked partition, using the copy-to-workspace idea. Note that HyperCard and the Home stack should be on an unlocked partition also -- we keep them on the partition with the system software. Data files for animation, like MacroMind Director, will fit into one of the two categories above. 6. I don't recommend having students copy the software from the server, because of the poor performance. That's why we partitioned the local hard disks. 7. Don't forget virus protection -- Virex or Disinfectant's INIT! 8. Depending on how you feel, you may want to remove the Control Panel and Chooser DAs after configuring the system. The Control Panel information resides in PRAM or in the individual INITs; the Chooser info is stored somewhere in the System file. I have a master disk with a complete System Folder, configured exactly as the System on a local hard disk -- Chooser devices, AppleShare login, etc. -- which can be used to build or restore each individual machine. Just boot from the floppy, erase the system partition, and copy the one folder to the hard disk. (If you have HyperCard there, then copy it off another disk.) Then reboot. I have found that the more things there are to play with (Chooser, Control Panel, Pyro!, etc.), the more things people will play with, until you have ten machines with completely different configurations; and then someone will report a problem that requires some troubleshooting. Not a nice scenario. Plan to restore the system partition at least once a week. 9. Good luck! Nothing beats a Mac lab. Matt ============================ From: UF749@cc.usu.edu you need a pd package called launchbreak that is available form the u of michigan (?) i don't have the address handy, but it does cover most of what you want if no one else gives you the scoop please e-mail me and i'll put in some effort to locate their address ewtc ================================== From: Herb Weiner For controlling access to the LaserWriter(s) you probably want NetCounter (TM). This software will allow you to restrict access to the printers, and it will automatically reload itself (if you install a patched LaserPrep on all machines). In addition, it will keep track of the number of pages printed by each user (but this count will NOT be saved if the power fails, unless you have a hard disk on the printer). Also, it will protect your printer from the Trojan Horse that changes the password. NetCounter is distributed by Prism Enterprises (301) 604-6611. If you have any further questions that Prism can not answer for you, feel free to contact me. Disclaimer: I am the author of NetCounter. Herb Weiner (herbw@midas.WR.TEK.COM) ====================================== From: Jim Bruyn You might want to look at MacJANET. Talk to Bonnie Mitchell at U. of Oregon, for a demo 503-346-4404, or contact Mike Paola at Watcom Products (519)-886-3700 Jim Bruyn ======================================= From: jjwcmp@ultb.isc.rit.edu (Jeff Wasilko) You can change the the type of the printer from Laserwriter to something else, then create a custom chooser icon. There's a contact person on the net for this procedure (to insure only authorized people get it), but I don't have his name with me. Jeff ==================================== ----- Allyn Weaks allyn@milton.u.washington.edu sweaks@phast.phys.washington.edu {backbone}!uw-beaver!milton!allyn sweaks@uwaphast (bitnet) If you want sense, you'll have to make it yourself. -- Norton Juster