[MACEP] Deep Freeze or other security solutions

[Larry Francis]

We use DeepFreeze in our labs and are quite pleased. A number of programs to work properly need users to have administrative rights. Using DeepFreeze solves this problem elegantly. Moreover, Faronics (DeepFreeze's parent company) provides ample tech support to help us configure it (with the proper "thaw" spaces for routine file saving, Norton Anti-Virus, and so forth) so things work the way we want 'em to.
--Larry 

Larry Francis
Southern Oregon ESD
541.858.6748 or 800.636.7453
larry_francis at soesd.k12.or.us
http://www2.soesd.k12.or.us/it/staff/lf 

>>> qhartman at lane.k12.or.us 12/01/04 02:01PM >>>
On Wed, 2004-12-01 at 13:38 -0800, Roseanna_Juhola at Santiam.k12.or.us 
wrote:
> Hi There,
> 
> I'm looking at purchasing a desktop security program to lock down student
> workstations. "Deep Freeze", by Faronics, has been recommended as a good
> choice.
> 
> Anyone have any experience with this, or with other products they like?

For what it does, Deep Freeze works well in my experience. However, I
disagree with it's "lock-down" theory. It doesn't really lock-down the
machine at all. IMHO, there are two things you are trying to do when
locking down a machine, prevent abuse and protect the configuration.
This software only solves half the problem, it protects the
configuration. Because of it's "allow changes but undo them at reboot"
philosophy, your machines are still open to abuse until someone detects
the problem and reboots the machine, or your idle timeout in deep freeze
kicks in and forces a reboot. For example, someone can still download
and install a P2P app and hammer your bandwidth all day. Because of this
"race condition" (for lack of a better phrase) I don't like using this
kind of tool for securing general access machines. It's good for techy
labs where open experimentation is needed and encouraged, but the
machines need to be protected from being destroyed by inexperienced
students. In cases when you are trying to actually protect machines from
abuse, something like system policies and/or Fortress 101 would be a
better choice. They solve both problems by not allowing the changes to
be made in the first place. An ideal solution would be a combination of
the two, it attempts to not allow changes to be made, but if they are
somehow made, they are reverted at a reboot. Perhaps Deep Freeze +
system policies would meet your needs and not cost more money than what
you are already considering and provide a more complete solution.
Security works best in layers.

-- 
-Best Regards-

-Quentin Hartman-
Technology Coordinator
South Lane School District 45j3
Cottage Grove, Oregon
(541)767-3778
http://www.slane.k12.or.us 

_______________________________________________
MACEP mailing list
MACEP at macep.net 
http://macep.net/mailman/listinfo/macep