allyn@milton.u.washington.edu (Allyn Weaks) (09/25/90)
A couple of weeks ago I asked for advice on Mac lab security, and particularly
about various commercial packages listed in the Mac Buyer's Guide.
Many thanks to those who responded, with special thanks to Tom Johnson of
UCLA, who was willing to spend an hour on the phone with me to explain their
set-up.
Based on what I've heard (both from the net and other sources), we will keep
things as simple as possible, with locked partitions to keep the applications
and assignment files from being changed by accident or intent, and hope that
Hypercard 2.0 comes out soon enough that we can lock the System partition as
well. (The TAs are planning a Hypercard tutorial/easy interface for the
novices.) If there are problems, we may try to dig up enough money for an
SE/30 to act as an Appleshare server. As for keeping people from printing 300
page term papers, we'll try out a product called NetCounter which was pointed
out to me by it's author, Herb Weiner. (see below) I'll report back after
we've had a chance to test it.
Several responders had good solutions that were based on a bigger budget than
we have - routing through ether and Gatorboxes and unix machines is currently
beyond our means, unfortunately.
The responses:
========================
From: tj@CS.UCLA.EDU (Tom Johnson)
[Here's a summary of our phone conversation. Any inaccuracies are entirely my
fault.
LaserWriter banners: it's easy to modify the saved LaserPrep file (command-K
to write it to a file), but harder to get it to auto-load when the printer is
reset. They renamed the laser driver, and have their AUX box ask the printer
what's loaded in, and if it sees the normal LaserPrep, resets and sends the
modified one. As for the banner itself, light grey is too hard to read
through, so they use a thin outline font.
If at all possible, run from an Appleshare server so you can use the
protections. You can keep people from copying the commercial software this
way too.
Physical security: Anchor Pads work well, but make sure you either add, or
buy the version with, a metal bar that locks over the mac case, so people
can't get in and steal the hard drive, mother board, etc. Also, bolt the pad
down as well as using the adhesive. The adhesive attachment alone is good
enough for the cable that runs to the monitor. Treat keyboards and mice as
disposable - they haven't had any disappear yet. 'Ugly write' over everything
- don't just engrave the department name, but scrawl it everywhere in bad
handwriting then run bright ink into it.
Expect one or two people per quarter to try to upset things as a challenge.
Partition the drives and write lock as much as possible.
If really worried about people stealing commercial software and/or running
their own programs (such as Resedit), remove the floppies completely. If you
have a mail system installed, that can be a loophole for file transfers.
As for commercial programs such as Fileguard: most or all of them work by
altering the disk drivers, so if you use them, you can expect to have to
rebuild the disks occaisionally. Also, a knowledgable Resedit user can get
through them anyway.]
========================
From: hedstrom@sirius.UVic.CA (Brad Hedstrom)
We have a similar system here. We have a number of Macs connected to a
laserwriter via a GatorBox running CAP. The laserwriter hangs off a
serial port of a Sun 3/50 which takes care of spooling and accounting.
In order to print, a user must mount an appleshare volume using aufs
(CAPs equivalent to appleshare) which requires them to "log on" to the
spooler. This way we can guarantee that only specified people can
print to the printer and we also have an account of who printed how
many pages.
With regard to the file and application sharing, we use a MacJANET
server. This allows students access to files without being able to
write to them. They can copy them to a local disk if necessary and
change them all day long, but the original file is safe. MacJANET also
allows only a particular number of applications to be launched at any
time, thus living up to licensing agreements and piracy prevention.
If you want more info, talk to our sys admin: mmcintos@sirius.uvic.ca.
_____________________________________________________________________________
Brad Hedstrom, University of Victoria, ECE Dept.
Internet: hedstrom@sirius.uvic.ca
UUCP: ...!{uw-beaver,ubc-vision}!uvicctr!hedstrom
========================
From: Matthew Holiday <holiday@boulder.Colorado.EDU>
I've just set up a similar lab for foreign languages here at
the University of Colorado. Our network includes 3 Appletalk
zones, separated by Shiva NetBridges, and connection to the
campus Ethernet with a GatorBox. We have two AppleShare
servers.
1. You can ensure that students all have a clean copy of the
software by partitioning the local hard disk (try SilverLining),
then placing the master copies in a locked partition. Students
can then copy the master to an unlocked work partition on the
same local disk to use your software. We do this, plus we have
a separate boot partition for the system software, and a locked,
unmounted restore partition to backup the system software.
This approach seems to be the cheapest and most fool-proof to
date. Our IIci's are 5/40 -- put 1 meg in bank A and 4 in bank
B for improved performance with internal video -- and we have
a 4 meg startup partition, 4 meg backup partition, 10 meg work
partition, and 22 megs of software in a locked partition. Note
that we don't leave the SilverLining DA on the machine -- we
have a separate startup disk for lab attendants which allows
them to mount the backup partition and thus restore a clean
copy of the system software.
2. If your network (assuming you are networked) connects to
Appletalk/Ethernet outside your lab, you can use the bridges to
prevent machines outside your lab from looking in and using the
LaserWriter.
3. Seems like the easiest way to keep the lab available to
Physics students is to issue ID card stickers to students who
should have access, or at least first-priority access, to
your lab.
4. As far as not copying commercial software (e.g. a word pro-
cessor), you should put it on an AppleShare server. The Apple-
Share software can prevent files from being copied.
5. Applications are good candidates for running from a locked
partition on a server. HyperCard/SuperCard projects should run
from an unlocked partition, using the copy-to-workspace idea.
Note that HyperCard and the Home stack should be on an unlocked
partition also -- we keep them on the partition with the system
software. Data files for animation, like MacroMind Director,
will fit into one of the two categories above.
6. I don't recommend having students copy the software from the
server, because of the poor performance. That's why we partitioned
the local hard disks.
7. Don't forget virus protection -- Virex or Disinfectant's INIT!
8. Depending on how you feel, you may want to remove the Control
Panel and Chooser DAs after configuring the system. The Control
Panel information resides in PRAM or in the individual INITs; the
Chooser info is stored somewhere in the System file. I have a
master disk with a complete System Folder, configured exactly as
the System on a local hard disk -- Chooser devices, AppleShare
login, etc. -- which can be used to build or restore each individual
machine. Just boot from the floppy, erase the system partition,
and copy the one folder to the hard disk. (If you have HyperCard
there, then copy it off another disk.) Then reboot. I have found
that the more things there are to play with (Chooser, Control Panel,
Pyro!, etc.), the more things people will play with, until you
have ten machines with completely different configurations; and
then someone will report a problem that requires some troubleshooting.
Not a nice scenario. Plan to restore the system partition at least
once a week.
9. Good luck! Nothing beats a Mac lab.
Matt
============================
From: UF749@cc.usu.edu
you need a pd package called
launchbreak that is available form the u of michigan (?)
i don't have the address handy, but it does cover most
of what you want
if no one else gives you the scoop please e-mail me
and i'll put in some effort to locate their address ewtc
==================================
From: Herb Weiner <herbw%midas.wr.tek.com@RELAY.CS.NET>
For controlling access to the LaserWriter(s) you probably want
NetCounter (TM). This software will allow you to restrict access
to the printers, and it will automatically reload itself (if you
install a patched LaserPrep on all machines). In addition, it
will keep track of the number of pages printed by each user (but
this count will NOT be saved if the power fails, unless you have
a hard disk on the printer). Also, it will protect your printer
from the Trojan Horse that changes the password.
NetCounter is distributed by Prism Enterprises (301) 604-6611.
If you have any further questions that Prism can not answer for
you, feel free to contact me.
Disclaimer: I am the author of NetCounter.
Herb Weiner (herbw@midas.WR.TEK.COM)
======================================
From: Jim Bruyn <jb@csg.uwaterloo.ca>
You might want to look at MacJANET. Talk to Bonnie Mitchell at U. of Oregon,
for a demo 503-346-4404, or contact Mike Paola at Watcom Products
(519)-886-3700
Jim Bruyn
=======================================
From: jjwcmp@ultb.isc.rit.edu (Jeff Wasilko)
You can change the the type of the printer from Laserwriter to something
else, then create a custom chooser icon. There's a contact person on the
net for this procedure (to insure only authorized people get it), but I
don't have his name with me.
Jeff
====================================
-----
Allyn Weaks
allyn@milton.u.washington.edu sweaks@phast.phys.washington.edu
{backbone}!uw-beaver!milton!allyn sweaks@uwaphast (bitnet)
If you want sense, you'll have to make it yourself. -- Norton Justeralexis@panix.UUCP (Alexis Rosen) (09/26/90)
As far as I know, the assertion that AppleShare can prevent an application from being copied is bogus. (The implication was that the app could still be launched. Of course, AppleShare can hide an app completely so it can be neither copied nor used.) --- Alexis Rosen cmcl2!panix!alexis
clarson@ux.acs.umn.edu (Chaz Larson) (09/27/90)
In article <10508@panix.UUCP> alexis@panix.UUCP (Alexis Rosen) writes: >As far as I know, the assertion that AppleShare can prevent an >application from being copied is bogus. (The implication was that >the app could still be launched. Of course, AppleShare can hide an >app completely so it can be neither copied nor used.) From the AppleShare 2.0 Administrator's Guide: Using AppleShare Admin, you can copy-protect a file so it can't be copied or duplicated in the Finder at a Macintosh workstation. (AppleShare's copy-protection feature may have no effect on files being used at Apple II or PC workstations.) You copy-protect a file in the file information window. Copy-protecting a file does not prevent a Macintosh user from opening it and saving it with a different name. Any user can rename, discard, or save changes to a copy-protected file or move it somewhere else on the same volume. Copy-protection makes the most sense when used with applications whose copyrights or licensing agreements prohibit your making copies. Then a Macintosh user can't copy the application to another volume or workstation disk. I don't know for sure if DiskTop or similar utilities are foiled by this copy-protection scheme or not. I don't use this system at the lab; instead we use LaunchBreak, so if a felonious user copies MS Word and takes it home, the copy they get is useless outside of the lab. chaz -- -- "I Am The Reincarnation of Abraham Lincoln", Insists Prince. -spew clarson@ux.acs.umn.edu AOL:Crowbone
jw3z+@andrew.cmu.edu (Judith H. White) (09/27/90)
On 26-Sep-90 in Re: Mac lab security SUMMARY user Alexis Rosen@panix.UUCP writes: >As far as I know, the assertion that AppleShare can prevent an >application from being copied is bogus. (The implication was that >the app could still be launched. Of course, AppleShare can hide an >app completely so it can be neither copied nor used.) > You can set the protection to keep applications from being copied from the server as server administrator. You have to do it on the server itself, you can't set copy protection from a workstation. Just do a get info on the file, and click on the copy protected check box. It really does work. And the application can still be run. Judy White jw3z@andrew.cmu.edu
nf0i+@andrew.cmu.edu (Norman William Franke, III) (09/27/90)
On 26-Sep-90 in Re: Mac lab security SUMMARY user "Judith H. White"@andrew writes: >You can set the protection to keep applications from being copied from >the server as server administrator. You have to do it on the server >itself, you can't set copy protection from a workstation. > >Just do a get info on the file, and click on the copy protected check >box. It really does work. And the application can still be run. > >Judy White >jw3z@andrew.cmu.edu No it doesn't work. Anyone with a program which doesn't recgonize the don't copy bit will copy it. Some examples: DiskTop, DiskTools. Works like a charm. It's just the Finder that will not let you copy the file. Granted, for the average user this is enough. ............................................................ : : : Norman Franke, III nf0i+@andrew.cmu.edu : : Special Projects Carnegie Mellon University : : Macintosh Users Group, VP Pittsburgh, PA : :..........................................................: "Why can't I get more quota?"
kanefsky@cs.umn.edu (Steve Kanefsky) (09/28/90)
In article <gb0DdPy00WBMI30V1v@andrew.cmu.edu> jw3z+@andrew.cmu.edu (Judith H. White) writes: >On 26-Sep-90 in Re: Mac lab security SUMMARY >user Alexis Rosen@panix.UUCP writes: >>As far as I know, the assertion that AppleShare can prevent an >>application from being copied is bogus. (The implication was that >>the app could still be launched. Of course, AppleShare can hide an >>app completely so it can be neither copied nor used.) >> > >You can set the protection to keep applications from being copied from >the server as server administrator. You have to do it on the server >itself, you can't set copy protection from a workstation. > >Just do a get info on the file, and click on the copy protected check >box. It really does work. And the application can still be run. Take an application that has been copy protected with AppleShare File Server and make a Stuffit archive out of it. Then unstuff the archive somewhere else. Presto! The application has been copied. I'm not trying to tell people how to get around copy protection, I'm just sure that a lot of people know this trick and I don't think AppleShare File Server administrators should have a false sense of security. Like a previous poster mentioned, LaunchBreak is a good way to copy protect applications (and it's free for educational institutions). Users can freely copy applications, but can only use them in the lab where they belong. Until version 2.0 comes out, there are ways around this too, but it requires the thief to have an AppleTalk network and dedicate a machine as a LaunchBreak caterer anywhere he or she wants to use the stolen software. -- Steve Kanefsky kanefsky@cs.umn.edu
alexis@panix.uucp (Alexis Rosen) (10/02/90)
In the referenced article, jw3z+@andrew.cmu.edu (Judith H. White) writes: >On 26-Sep-90 in Re: Mac lab security SUMMARY >user Alexis Rosen@panix.UUCP writes: >>As far as I know, the assertion that AppleShare can prevent an >>application from being copied is bogus. (The implication was that >>the app could still be launched. Of course, AppleShare can hide an >>app completely so it can be neither copied nor used.) > >You can set the protection to keep applications from being copied from >the server as server administrator. You have to do it on the server >itself, you can't set copy protection from a workstation. > >Just do a get info on the file, and click on the copy protected check >box. It really does work. And the application can still be run. Problem is, this is useless for all but the most inexperienced users, unless you have extremely strict controll over what floppies go in and out of the macs (in which case, you wouldn't need this 'feature' anyway). To Clarify: 1) Hide the app in a folder without "see files" privs. It works, but the app is unavailable. Not useful. 2) Instead, check off the 'copy-protected' box in appleshare. Great. The app works, and the Finder won't copy the file. Trouble is, everything else will. Not useful. This is why lots of other programs, like doppleganger and launchbreaker, were written. (I think I've got the names right. I haven't looked into this in a while.) --- Alexis Rosen {cmcl2,apple}!panix!alexis alexis@panix.uucp
ml27192@uxa.cso.uiuc.edu (10/06/90)
The copy protection you describe sounds alot like the "Protect" bit being set. Of course only the Finder checks this, so only the finder prevents copies. MacTools/DiskTop/DeskZap eat Protect bits for lunch.