Server Setup Suggestions


keeperofthecode
03-16-2011, 01:21 AM
A library has contacted me wanting me to take over a job that another tech started. He has dropped the ball and they have been waiting on him since last August. They have 8 public access computers and are tired of settings being changed all the time. At the same time, they do not want to deal with the computers being so locked down that the users can hardly do anything but open an Office document. I know these two requests kind of go against each other.

The other tech had them order a new PowerEdge running Server 2008 along with licenses for 8 systems as well as Office '10 to run as well. He told her he was planning to set up Terminal Services. I told her that for her requests I would recommend ditching the server and just Deep Freezing the public computers and saving thousands of dollars. She said she tried Deep Freeze before and had problems. I've been running it for years without problems, but I guess that doesn't matter at this point because the money is spent either way.

As I've said on here before, servers are not my specialty, but she feels I'm her only hope at getting this worked out, so I told her I would figure it out one way or another. Basically I'm just looking for any advice on a direction to head with the equipment at hand. I have a server running Server 2008 and authorization to order her 8 new PCs or 8 new thin clients. Where would you server experts head with this? The only thing the client computers will need to do is access the web and Office 2010 from the server. I only have one unknown at this point, and that is she has already purchased a time management software to run as well but she couldn't recall the name. She's supposed to let me know tomorrow. Thanks for any advice.

dbdawn
03-16-2011, 01:31 AM
I would stick with Deep Freeze. It is pretty inexpensive for libraries and educational institutions etc.
I think it would be cheaper and less complicated than using a server setup.

NETWizz
03-16-2011, 02:55 AM
If they already have the server, use it.

Just make it a domain controller and lock people down to where they can use the computer but not install software they shouldn't or anything like that.

The problem I have with Deep Freeze (and the like) is they undo Windows updates and AntiVirus definitions.

keeperofthecode
03-16-2011, 03:04 AM
The problem I have with Deep Freeze (and the like) is they undo Windows updates and AntiVirus definitions.

That's the best part of deep freeze, no virus protection needed. We thaw our systems once every couple months and hit updates then freeze them again.

Thanks for the recommendations.

NETWizz
03-16-2011, 07:17 AM
That's the best part of deep freeze, no virus protection needed. We thaw our systems once every couple months and hit updates then freeze them again.

Thanks for the recommendations.

You are absolutely wrong! What about things like Code Red that only remain in RAM and only live on active, powered-on machines?

I have 2000+ machines at work. If I Freeze them all with no antivirus, things could get out of hand.

Frankie0566
03-16-2011, 07:53 AM
I'm not an expert, but I was working at a public library until recently, which closed last February due to budget constraints, but that's another story.
Almost 10 years ago, I "accidentally" became the Network Manager when the previous guy left. I was the only guy on staff who knew enough about computers. I'm not an expert, but I know enough to be dangerous.

Anyways, we had a server running Windows 2003 Server that I had to learn the basics of as I went along. We had user names for each staff member, but for the public we had a profile that all library patrons used. It was a network user name and not a local machine user, so they couldn't do too much. All patrons used the same user name, which had a specific printer assigned to them. We used "con2print" and a login script to set the right printer for the user.

All the public computers ran Windows XP SP3, had Office 2003 on them, and were primarily used for typing or Internet browsing. Since patrons weren't logging on with a local machine account, they couldn't really do much.

At another branch, we used Deep Freeze on the public computers. The only problem we had with that was that at least once a month we had to thaw all of them out to apply all the Norton Antivirus (LiveUpdate), Windows, Adobe Reader and Flash updates, and then refreeze them. Other than that, it worked fine.

I learned a lot from WebJunction.org. Check out WebJunction - "Manage Public Access Computing" and search around on this topic, as they have input from lots of libraries on what they are dealing with and how, regarding PAC (Public Access Computers).

On WebJunction I learned about Poweroff 3.0 (that combined with scripts) helped big time with controlling time on the PAC. I love Poweroff.

Another thing that will be mentioned a lot when it comes to computers in libraries is TechAtlas.
You should use the server because you could control all the PCs from it without having to go PC by PC to perform tasks.
Dealing with public library computers I've seen enough problems, viruses, spyware, malware, hardware and software situations to write a book. Maybe one day, but not today.

Check out Podnutz Daily #280 Why a Server - podnutz.com/pnd280

uberjew
03-16-2011, 07:57 AM
If your client wants to make use of the server, you may want to create an Active Directory domain and use Group Policies to lock down the accounts to the degree that they need.

NETWizz
03-16-2011, 08:24 AM
Anyways, we had a server running Windows 2003 Server that I had to learn the basics of as I went along. We had user names for each staff member, but for the public we had a profile that all library patrons used. It was a network user name and not a local machine user, so they couldn't do too much. All patrons used the same user name, which had a specific printer assigned to them. We used "con2print" and a login script to set the right printer for the user.


It is called Active Directory Domain Services and is usually hosted by more than one server... known as Domain Controllers.


All the public computers ran Windows XP SP3, had Office 2003 on them, and were primarily used for typing or Internet browsing. Since patrons weren't logging on with a local machine account, they couldn't really do much.


It has nothing to do with whether the patrons log on with a domain account or a local account. Instead, it has to do with group memberships. Various Active Directory group memberships can provide access to network resources such as file and printer shares. These domain groups, i.e. [LibraryDomain]\Computer Administrators, can be members of local security groups such as [SystemName]\Administrators, in which case anyone who is a member of the domain group Computer Administrators would be an Administrator of ALL the library computers... at least all on which this domain group is a member of the local Administrators group.


At another branch, we used Deep Freeze on the public computers. The only problem we had with that was that at least once a month we had to thaw all of them out to apply all the Norton Antivirus (LiveUpdate), Windows, Adobe Reader and Flash updates, and then refreeze them. Other than that, it worked fine.


This worked fine for your library because it is a small environment... fine. Now, in my environment we have 2000 computers and there are a total of 2 IT people. Think we can each visit 1000 computers once a month??? :D



You should use the server because you could control all the PCs from it without having to go PC by PC to perform tasks.


It is NOT the server that directly controls all the PCs. It is a distributed service, usually hosted by multiple servers, known as Active Directory, to which all these computers become "member computers", i.e. they opt in when you join the domain. Within Active Directory, you get to leverage a vast array of tools. One of my favorites is the Group Policy snap-in.


Dealing with public library computers I've seen enough problems, viruses, spyware, malware, hardware and software situations to write a book. Maybe one day, but not today.

You should write a book, but really you should not have seen the viruses, spyware, and malware in a library that you have seen. In 2011, we have seen 2 (two) computers infected with a virus thus far... this is out of 2,000 computers.

What we do:

1. Have a web filter that disallows most dangerous websites in the first place, including those with spyware and viruses.
2. Use McAfee Corporate with ePolicy and the AntiVirus/AntiSpyware. I don't like it much, but it reports centrally, updates centrally, and stays out of the way. We have it set up to be automatically installed when a system joins the domain, thus ALL computers have this and it is up to date on each one.
3. None of our users have local admin rights to their system.
4. They are locked down with Group Policies.
5. Java and Flash are updated with KACE from Dell, since viruses are more prominently coming via these vectors.
6. We are using WSUS to push out ALL Windows updates, service packs, Office updates, etc.
7. We have full auditing enabled to be able to answer questions such as where our thresholds are met for what constitutes a violation, i.e. too many bad password attempts or attempting to access shares they don't have rights to.
8. Shares are set up so users cannot even see things they do not have access to. I.e. if Sally is in a shared folder that other groups use and she is from Financing, she cannot even see the presence of a folder such as "HR"... better than double-clicking on it and seeing "Access Denied".
9. All ports are secured via 802.1x on the switches with dynamic VLAN assignment.
10. Wireless uses WPA2-AES with Enterprise RADIUS using a PEAP handshake and MSCHAPv2 handshake. In other words... no keys, yet full 256-bit AES wireless protection.
11. We run Certificate Services with our own self-signed certificate for all internal stuff.
12. The Local Security Policy rejects anything on our network that does not have our certificate. This includes an IPsec policy back to the Domain Controllers and Kerberos.

For laptops that go offsite:

The internal and external DNS point to WSUS.ourdns.edu. Only on the inside does it resolve to the actual WSUS server. On the outside of the firewall, it gets sent to a WSUS replica, which is in our DMZ. In other words, the server name of the replica is NOT WSUS.ourdns.edu on the inside. It is something like WUREPLICA.ourdns.edu and translated. We use a valid Level 2 certificate we bought from Digikey, good for *.ourdns.edu, to provide encryption during the WSUS update process.

This means that if a user brings his or her laptop home... it WILL get any and ALL updates directly via US, whether they want them or not.



You probably did whatever you did on a shoestring budget, which is the big difference. In a single library, I think Deep Freeze would make more sense.
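Added example (not posted by anyone in this thread): the point above about a domain group like [LibraryDomain]\Computer Administrators being nested inside each PC's local Administrators group, and item 3 ("none of our users have local admin rights"), are only true for as long as nobody slips an extra account into that local group. This PowerShell script walks the 8 public PCs and reports any member of local Administrators that is not on an allow-list. The domain name LIBRARYDOMAIN, the computer names PAC-01 through PAC-08, and the group name "Computer Administrators" are assumptions for illustration; it uses the WinNT ADSI provider, so it runs from PowerShell 2.0 on Server 2008 against XP or 7 clients with an account that is an admin on the targets.

```powershell
# Added example, not from the thread.  Audit the local Administrators group on
# each public PC and flag members that are not expected there.
# Assumed names: domain LIBRARYDOMAIN, PCs PAC-01..PAC-08, and a domain group
# "Computer Administrators" that is intentionally nested in local Administrators.

$Domain    = 'LIBRARYDOMAIN'
$Computers = 1..8 | ForEach-Object { 'PAC-{0:D2}' -f $_ }

# Everything not on this list is a finding: a patron account, a stale tech
# account, or the shared public logon itself having been made an admin.
$Allowed = @(
    'Administrator',                     # built-in local admin (rename/disable via GPO separately)
    "$Domain\Domain Admins",
    "$Domain\Computer Administrators"
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Members come back as COM objects; read each one's ADsPath and normalise:
    #   WinNT://LIBRARYDOMAIN/Computer Administrators -> LIBRARYDOMAIN\Computer Administrators
    #   WinNT://LIBRARYDOMAIN/PAC-01/Administrator    -> Administrator   (local account)
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 3 -or $parts[0] -ieq $Computer) {
            $parts[-1]                                  # local account or group
        } else {
            '{0}\{1}' -f $parts[0], $parts[-1]          # domain account or group
        }
    }
}

$findings = foreach ($pc in $Computers) {
    try {
        $members = Get-LocalAdminMembers -Computer $pc
    } catch {
        Write-Warning ("{0}: could not read Administrators group ({1})" -f $pc, $_.Exception.Message)
        continue
    }
    foreach ($m in $members) {
        # -notcontains is case-insensitive, matching how Windows treats names
        if ($Allowed -notcontains $m) {
            New-Object PSObject -Property @{ Computer = $pc; UnexpectedAdmin = $m }
        }
    }
}

if ($findings) { $findings | Format-Table Computer, UnexpectedAdmin -AutoSize }
else           { 'No unexpected local administrators found.' }
```

Two caveats. A domain group on the allow-list can itself contain anything, so the membership of "Computer Administrators" in Active Directory needs the same review (Get-ADGroupMember on Server 2008 R2, or the AD Users and Computers console). And a one-off audit only tells you the state tonight; on a domain the durable fix is a Group Policy "Restricted Groups" setting that rewrites local Administrators to exactly the allowed members at every policy refresh.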

keeperofthecode
03-16-2011, 02:58 PM
You are absolutely wrong! What about things like Code Red that only remain in RAM and only live on active, powered-on machines?

I have 2000+ machines at work. If I Freeze them all with no antivirus, things could get out of hand.

Absolutely wrong. I don't agree with that statement. Not looking to get into an argument about a ten-year-old virus, but I hope any of us can realize the major difference between 8 and 2000 computers. I would never dream of running DF in that large of an environment, just because it would eliminate your ability to roll changes out to all those systems via scripts etc. Although it could be funny going to your boss: "Uhm, sir, can we power cycle the entire building to flush out the virus in the DF computers?" :D

Good info and greatly appreciated.

NETWizz
03-16-2011, 06:53 PM
Not wrong. A frozen computer can act like a carrier for a virus, passing it on to other computers. In fact, the virus can run just fine on a frozen computer.

Sure, when you reboot it is cured, but it can still infect other machines. In my example with 2000 computers, it is not feasible to reboot 2000 computers. Many (hundreds) would run for months before their user restarted them.

This would create a problem with viruses circulating. I totally agree rebooting would resolve it on a case-by-case basis, but nonetheless it is not feasible outside a lab environment, i.e. a computer lab or library.

dbdawn
03-16-2011, 07:12 PM
You can use Deep Freeze with an antivirus and Windows updates. All you do is script it to thaw and update at night along with any Windows updates and then freeze it again. Deep Freeze also has an admin console that makes all this real easy to remotely control the systems.
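Added example (not posted by anyone in this thread, and not Faronics' own code): the "thaw, update at night, freeze again" cycle above as a PowerShell script driven by two scheduled tasks. The thaw and the update have to happen on different boots, because anything installed while the PC is still frozen is discarded at the next restart, so the script takes a -Phase parameter and refuses to patch if it finds the machine frozen in the update phase. Assumptions, all labelled in the code: Deep Freeze's command-line tool is C:\Windows\DFC.exe; the Deep Freeze password is "LibraryDF"; "DFC get /ISFROZEN" signals the frozen state through its exit code (1 frozen, 0 thawed is what I recall from the DFC documentation; confirm it for your version and adjust $FrozenExitCode); and the /BOOTTHAWED and /BOOTFROZEN switches set the state for the next boot without restarting by themselves. Windows updates are installed through the Windows Update Agent COM API, which exists on XP SP3, 7 and 2008 without any add-ons.

```powershell
# Added example, not from the thread or from Faronics.  Nightly Deep Freeze
# maintenance: task 1 (e.g. 02:00) runs with -Phase Thaw, task 2 (e.g. 02:30)
# runs with -Phase Update.  Run both as SYSTEM.
# ASSUMED: DFC.exe path, password, /ISFROZEN exit code meaning, and that
# /BOOTTHAWED and /BOOTFROZEN only change the next-boot state.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Thaw', 'Update')]
    [string]$Phase
)

$Dfc            = 'C:\Windows\DFC.exe'      # assumed default install location
$DfPassword     = 'LibraryDF'               # assumed; anyone who can read this file can thaw the PC
$FrozenExitCode = 1                         # assumed meaning of "DFC get /ISFROZEN"; verify for your version
$Log            = 'C:\Windows\Temp\df-maint.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $Log -Append
}

function Test-Frozen {
    & $Dfc get /ISFROZEN | Out-Null
    return ($LASTEXITCODE -eq $FrozenExitCode)
}

function Install-PendingWindowsUpdates {
    # Windows Update Agent COM API; returns $true if a reboot is required.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    if ($found.Updates.Count -eq 0) { Write-Log 'No pending updates'; return $false }

    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$batch.Add($u)
    }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $batch
    $result = $installer.Install()
    Write-Log ('Installed {0} update(s), result code {1}' -f $batch.Count, $result.ResultCode)
    return [bool]$result.RebootRequired
}

switch ($Phase) {
    'Thaw' {
        if (Test-Frozen) {
            # Anything installed while frozen vanishes on reboot, so thaw first.
            & $Dfc $DfPassword /BOOTTHAWED | Out-Null
            Write-Log 'Set BOOTTHAWED, restarting'
            Restart-Computer -Force
        } else {
            Write-Log 'Already thawed; nothing to do'
        }
    }
    'Update' {
        if (Test-Frozen) {
            # Refuse to patch a frozen machine: the work would be thrown away.
            Write-Log 'Still frozen in Update phase; aborting'
            exit 1
        }
        $null = Install-PendingWindowsUpdates
        # Run AV definition, Reader and Flash updaters here, while still thawed.
        & $Dfc $DfPassword /BOOTFROZEN | Out-Null
        Write-Log 'Set BOOTFROZEN, restarting'
        Restart-Computer -Force
    }
}
```

Leave enough gap between the two tasks for the first reboot to finish; if an update needs a restart before further updates will install, the next night's run picks those up. Since the Deep Freeze password sits in this file in clear, restrict the script's NTFS permissions to SYSTEM and Administrators, or prefer the Enterprise console's scheduled maintenance, which does the same thaw/update/freeze cycle without a password on disk.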

keeperofthecode
03-16-2011, 07:51 PM
You can use deep freeze with an antivirus and windows updates. All you do is script it to thaw and update at night along with any windows updates and then freeze it again. Deep freeze also has a admin console that makes all this real easy to remotely control the systems.

Very true. I use the Standard version and always forget about the more advanced Corp version. I've used it before, but it has been a long time. Just went to their site and was checking the Data Igloo version; very nice. I like it.