[personal profile] kuangning
Question for those of you with any experience with networks and lab environments.

Is there a (simple?) way to fix it so that a machine or network of machines gets reset to a predetermined state upon boot? I.e., wiping out all user changes during the session? If so, how, and would someone be willing to walk me through doing so?

Here's the problem: I've been hired part-time to care for Melrose Apartments' computer lab. The apartments' tenants are college students. The machines run Win98. There is no on-site tech for the lab -- which translates to the students doing whatever they want, and infecting the computers, among other things like removing vital bits of software (Novell Netware leaps immediately to mind.)

They have to have Internet access. They need to be able to download whatever they like.

I need to have the computers stay pretty much the way I left them, in running order, without being able to be there to babysit them.

I have no idea if it's even possible. Help?

Date: 2002-09-18 02:21 am (UTC)
From: [identity profile] ttocs.livejournal.com
Umm, a solution that looms from my past....

Ghost the drives, so that they can re-format/re-install via script. Create a separate drive partition (or network drive) with the images.

All users run through a log-on/log-off.

The log off re-formats and re-installs.

This won't necessarily protect against a boot-sector virus, but it should cover just about anything else.

Date: 2002-09-18 03:41 am (UTC)
From: [identity profile] kaolinfire.livejournal.com
I'm curious, myself. :) I started saying what I would do, then deleted it, realizing there would probably be conflicts when trying to do it during the boot process... don't want to wipe temporary files like the pagefile and whatnot during boot, I'd guess...

Date: 2002-09-18 04:21 am (UTC)
From: [identity profile] zorbathut.livejournal.com
Do it during autoexec, and just be very careful to make sure you're not replacing important files with different versions . . .

Date: 2002-09-18 05:00 am (UTC)
From: [identity profile] cjdoyle.livejournal.com
A question from me: how "part time" is part time? If you're there daily (for an hour or two or whatever) you could just do the re-ghost routine that others have been talking about when you get there, and not have to worry about a botched rebuild catching a user in the middle of the day. (Another concern I had about that: speed. If you're not just replacing registry/ini's/whathaveyou and are actually ghosting the entire drive, how many users are going to get frustrated and turn the machine off halfway through the rebuild, totally schwucking things?)

My personal recommendation:

- Have a ghost of a "clean" drive available
- Make sure all workstations have the latest AV with a scheduled update every boot/login (assumes always-on internet, tho)
- In win98 you can't really lock down user privileges (as if you were running NT or 2000) but could you put a *policy* in place that the IT help (you) has to install new software? It won't stop the people who are just determined to destroy things (or who *shudder* "know enough to do it themselves") but it would stop the casual (un)install of conflicting/critical components...

There are also some commercial products to handle this sort of thing. (Rollback to prior configuration) Can't say any brand names are leaping to mind, but I know they're out there. Does the job come with any budget to improve things? Or you just stuck with whatever routines you can build yourself?

Re:

Date: 2002-09-18 05:40 am (UTC)
From: [identity profile] cjdoyle.livejournal.com
Ugh. Not fun. Not fun at all...I've had to do that sort of "only when it's really busted" repair work before.

I think I'd just keep that ghosted "master" handy and replace as needed - from the situation you describe, re-formatting at every boot is just going to cause more headaches for you than it would solve. (Or it might chase the folks who think the machines are "theirs" away.)

Date: 2002-09-18 07:33 am (UTC)
From: [identity profile] cathexis.livejournal.com
How big are the drives? If they aren't too huge, you could just do a ghost multi-cast at a scheduled time every week and fix all the drives in the same amount of time that it would take to do one drive.

Date: 2002-09-18 05:39 am (UTC)
From: [identity profile] nickm.livejournal.com
I really wouldn't make it do an every-boot thing. Maybe weekly, or even daily, but not on boot. It will likely, as other people have pointed out, annoy users to the point where they'll turn machines off and/or press reset in disgust, thinking the machine has locked. There are probably some programs (that might even be open source / free) out there that will mount something off a share and pave over whatever's on the machine with that shared stuff. Intervention would only be required if baka decided that he wanted to erase random files out of C:\.

My suggestion is to repartition so that C: is on the small side of 650 megs (and D: being the rest), and then use a shared, CD-based image off the server (you mentioned netware, so there must be one of them ;) and the type of program I talked about above to have the machines run a wipecycle every day/week at a predetermined time. Setting up something in Task Scheduler to periodically delete every file on D: wouldn't be too hard to do ... I don't think, anyway.

Someone better at these kinds of things than me could probably recommend a good net-wipe program to use for this task. If ya don't have access to a burner, hard drive space on the server could substitute for the CD image ^^;

Date: 2002-09-18 05:52 am (UTC)
From: [identity profile] nickm.livejournal.com
Oh yes -- and USE POLICY EDITOR (poledit.exe). But do not keep it on the hard drive of the workstations. Keep it locked away somewhere, like in a secure spot on the server. Good, current antivirus is also useful in locking out the myriad worms and trojans that lusers are wont to accidentally install.

Date: 2002-09-18 04:57 pm (UTC)
From: [identity profile] zorbathut.livejournal.com
Probably none - D: isn't alive. It's dead data. It's only alive if there are living things in C: that link to it, and since you'll be thrashing C: on a regular basis, D: will never be alive.

If that makes any sense at all. Computers as philosophy :P

Date: 2002-09-18 06:53 pm (UTC)
From: [identity profile] zorbathut.livejournal.com
*nods* true. the underlying idea I don't think is a lot better than what you've got, you want something automated. however, splitting C and D would be a reasonable idea. If you put a good virus scanner on, you could have D open for people to install (or delete :P) what they want. Which IMHO is a very good thing for a lab to have.

Date: 2002-09-19 09:07 am (UTC)
From: [identity profile] gurath.livejournal.com
DeepFreeze is not compatible with most installs they could do. Most installs require a reboot, and when it reboots, BLAMMO... it's gone again, as if it had never been tried.

Re:

Date: 2002-09-18 06:23 pm (UTC)
From: [identity profile] nickm.livejournal.com
Not much if the C: drive gets daily/weekly paved over with a fresh image (which you'll want to be doing anyway if you have chronic problems with lusers deleting drivers, etc.). ^_^

Date: 2002-09-18 05:47 am (UTC)
From: [identity profile] targaff.livejournal.com
I always thought this was what ramdrives were primarily used for, though if that is the case I wouldn't know how, and even if it were, it's possible that what you're wanting to do would be too bulky to achieve that way..

Date: 2002-09-18 06:03 am (UTC)
From: [identity profile] gurath.livejournal.com
There is one perfect solution to your problem: Hypertechnologies "Deep Freeze" program. We use it in school computer labs where we face the identical situation, here in North America's most internet-intensive school district (Edmonton Public (http://www.epsb.ca)). It must be taken down with a password BEFORE changes are made, else when Windows is rebooted the HD is set to exactly what it was last time. It is so effective, we do not even use virus checkers in any school Windows labs anymore. It has the additional advantage that if the machine hangs you just power it down and on again. Since the HD is reset it doesn't even know it was shut down the wrong way and doesn't demand a Scan Disk! Here is the link:

http://www.winselect.com/

It's simple to use:
- install it.
- give it a password.
- you are locked!

Make sure you password protect the BIOS as well, although admittedly, BIOS cracking programs are simple enough for even me to use.

; )

Ghost is a great program, and we use it to set up labs all the time. If you are going to use it in combination with Deep Freeze, you MUST create the original ghost image in the thawed state. The current version of Deep Freeze allows you to specify that, say, "the next 3 reboots are thawed". Do so. Even then, there is a weird problem with DHCP and W9x that arises, forcing you to put a line in run= of win.ini that tells it to renew a DHCP lease if you are contacting a DHCP server at boot time. Assigning IP addresses (when the machines are thawed, of course) eliminates this requirement, but is not always practical.

There is one other issue with Ghost: The machines must be absolutely identical in hardware if you are going to use the images to master a group of computers. Sometimes even a bunch of the same model of computers are not; it's finicky.

Let me know if you need help or have questions...

Date: 2002-09-18 06:26 am (UTC)
From: [identity profile] gurath.livejournal.com
You're welcome. : )

Been there... done that... gone crazy.

One other alternative exists, by the way: FoolProof, but it is not virus-proof. It allows changes to specified folders, preferences, cookies, favorites, etc... very configurable; however you want it. We use it on all Mac labs, to avoid tearing our hair out. It is also available for Windows. I believe it is possible to get around it, though.

Date: 2002-09-18 06:51 pm (UTC)
From: [identity profile] virtual256.livejournal.com
foolproof (win) is so riddled with holes that we, at nathan hale, are looking for alternates. that might be just what we need ^_^

Date: 2002-09-18 06:18 am (UTC)
From: [identity profile] gurath.livejournal.com
Of course, you need to remember some implications of having the entire HD reset IDENTICALLY to how it was before:

- anything saved on C: is gone (solution: save ONLY on the server, and leave empty folders in MyDocuments named: "DO NOT SAVE HERE", "OR YOUR STUFF WILL DISAPPEAR" "USE THE F: DRIVE" or whatever you call their space on the server. Point out the backup advantages of saving on the server... they will appreciate that, and that no one else can erase their work without their password.)
- any changes to, say, MS Word preferences are gone (this CAN be a good thing, though....)
- cookies and history are gone
- any new bookmarks or favourite sites are gone (there is a way to store favorites, cookies, history, etc. on the server, at least under NT... probably under Novell too.)

Date: 2002-09-18 07:43 am (UTC)
From: [identity profile] cathexis.livejournal.com
If the machines can handle it (and if you've got the freedom/licenses) you could install 2k pro on all of them, and then set the permissions so that they can only save in certain places (or at all) and so they can only run certain programs. Ahh, the joys of NTFS, and it's all much less finicky than the windows implementation of fool-proof (or at least it is better than the fool-proof of four years ago).

I set all the computers at the Hampshire Library computer lab up with win2k and very well thought-out security settings a year ago, and I don't think that they have needed any serious work done on them (well, unless one of the lab monitors does something stupid like leaving them logged in as admin or something). And even though we have a lab monitor, it didn't help to keep all the crap off of them.

Date: 2002-09-18 09:25 am (UTC)
From: [identity profile] gurath.livejournal.com
While I really like W2K, it is not virus proof. Deep Freeze is quite a problem to get around, apparently. Fdisk will do it, but of course you have to boot with a floppy first, and if that is disabled in the BIOS, you're doing not too bad.
