Setting up Windows PCs in Hostels
When having Windows PCs in hostels for use by guests you should:
General Best Practices:
- Prevent the users from installing software and messing up the system.
- Prevent viruses from user's devices to spread onto the system
- Keep the operating system and software up to date to prevent malicious software from taken over the system.
What does the user want to do?
- Give the user as little permissions as possible. They are guests here, they are not suppose to be able to do much to the computer.
- Install as few third party software packages as possible. With every piece of software comes the possibility that it contains bugs and flaws (they all have them) which can be exploited by an attacker or a normal user. It also means you have to update more software.
- Keep all Software up to date, especially Windows and your Anti Virus definitions.
- Clean up the files and changes a user left on the computer.
- Surf the Internet
- Use Skype
- Use Office
- Copy photos from a camera to another USB device or upload them to the Internet.
- Burn files onto CD or DVD
- Download free music or podcasts and put it on a iPod or another player.
- View PDF documents
- Use Chat/Instant Messaging applications
You can decide whether you allow all this, or just browsing.
Many hostels use a software packages like DeepFreeze. On every reboot this software discards all changes and therefor always keeps the computer in a clean state. The big problem here is that unless you go back and update the frozen system state regularly, the software gets out of date. During the operation between reboots, viruses and attacks can take over the computer.
My current recommendation:
is to used Microsoft's Windows SteadyState, a software package written especially for sharing PCs in a public place.
From the help file of SteadyState:
A unique challenge exists for shared computer environments. Microsoft software is designed to offer users a great degree of flexibility in their ability to customize their experience and to make changes to their computer settings. However, in a shared computer environment, administrators will typically not want to provide the full set of customization and change capabilities because doing so could allow changes to be made that affect the health of the computer and the experience for other users. On a shared computer, privacy and uniformity are very important elements of the maintenance and use of the system. Windows SteadyState helps an administrator protect a shared computer against unwanted changes.
The software offers different options, but the simplest and reasonably effective option is to enable locked user accounts. Every time the user logs off, all changes are discarded. However updates to the operation system and Virus definitions are happening in the background. Also it is very easy for an administrator to make changes to the system or the user's settings.
Windows Updates are set to be downloaded and installed automatically, usually this will happen when the computer is rebooted or shut down.
The AntiVirus software which should be installed on all computers should also update itself automatically.
For updates to other software, you need to log into as administrator and perform the updates. E.g. Open Firefox and 'check for updates' under the Help menu.
If you want to install new software you also need to do this as an administrator.
If you want to change any settings for the public user, open SteadyState and click on the 'public' user.
On the 'General' tab, you need to untick 'Lock profile to prevent the user from making permanent changes', click OK, then log on as the public user and make any changes. Log off and return to SteadyState and tick the 'Lock profile' checkbox.
Problem: When logging in the user, an error occurs stating that the user profile can not be loaded because a file is too long or corrupt.
Solution: Cancel the logon process by pressing ESC or reboot and hold the shift key down while Windows is starting, then log on as an administrator and delete the file that causes the problem. You may have to stop Windows from hiding hidden files.