allyn@milton.u.washington.edu (Allyn Weaks) (09/25/90)
A couple of weeks ago I asked for advice on Mac lab security, and particularly about various commercial packages listed in the Mac Buyer's Guide. Many thanks to those who responded, with special thanks to Tom Johnson of UCLA, who was willing to spend an hour on the phone with me to explain their set-up.

Based on what I've heard (both from the net and other sources), we will keep things as simple as possible, with locked partitions to keep the applications and assignment files from being changed by accident or intent, and hope that Hypercard 2.0 comes out soon enough that we can lock the System partition as well. (The TAs are planning a Hypercard tutorial/easy interface for the novices.) If there are problems, we may try to dig up enough money for an SE/30 to act as an Appleshare server.

As for keeping people from printing 300 page term papers, we'll try out a product called NetCounter which was pointed out to me by its author, Herb Weiner. (see below) I'll report back after we've had a chance to test it.

Several responders had good solutions that were based on a bigger budget than we have - routing through ether and Gatorboxes and unix machines is currently beyond our means, unfortunately.

The responses:

========================
From: tj@CS.UCLA.EDU (Tom Johnson)

[Here's a summary of our phone conversation. Any inaccuracies are entirely my fault.

LaserWriter banners: it's easy to modify the saved LaserPrep file (command-K to write it to a file), but harder to get it to auto-load when the printer is reset. They renamed the laser driver, and have their AUX box ask the printer what's loaded in, and if it sees the normal LaserPrep, resets and sends the modified one. As for the banner itself, light grey is too hard to read through, so they use a thin outline font.

If at all possible, run from an Appleshare server so you can use the protections. You can keep people from copying the commercial software this way too.
Physical security: Anchor Pads work well, but make sure you either add, or buy the version with, a metal bar that locks over the mac case, so people can't get in and steal the hard drive, mother board, etc. Also, bolt the pad down as well as using the adhesive. The adhesive attachment alone is good enough for the cable that runs to the monitor. Treat keyboards and mice as disposable - they haven't had any disappear yet. 'Ugly write' over everything - don't just engrave the department name, but scrawl it everywhere in bad handwriting then run bright ink into it.

Expect one or two people per quarter to try to upset things as a challenge. Partition the drives and write lock as much as possible. If really worried about people stealing commercial software and/or running their own programs (such as Resedit), remove the floppies completely. If you have a mail system installed, that can be a loophole for file transfers.

As for commercial programs such as Fileguard: most or all of them work by altering the disk drivers, so if you use them, you can expect to have to rebuild the disks occasionally. Also, a knowledgeable Resedit user can get through them anyway.]

========================
From: hedstrom@sirius.UVic.CA (Brad Hedstrom)

We have a similar system here. We have a number of Macs connected to a laserwriter via a GatorBox running CAP. The laserwriter hangs off a serial port of a Sun 3/50 which takes care of spooling and accounting. In order to print, a user must mount an appleshare volume using aufs (CAP's equivalent to appleshare) which requires them to "log on" to the spooler. This way we can guarantee that only specified people can print to the printer and we also have an account of who printed how many pages.

With regard to the file and application sharing, we use a MacJANET server. This allows students access to files without being able to write to them. They can copy them to a local disk if necessary and change them all day long, but the original file is safe.
MacJANET also allows only a particular number of applications to be launched at any time, thus living up to licensing agreements and piracy prevention.

If you want more info, talk to our sys admin: mmcintos@sirius.uvic.ca.

_____________________________________________________________________________
Brad Hedstrom, University of Victoria, ECE Dept.
Internet: hedstrom@sirius.uvic.ca
UUCP: ...!{uw-beaver,ubc-vision}!uvicctr!hedstrom

========================
From: Matthew Holiday <holiday@boulder.Colorado.EDU>

I've just set up a similar lab for foreign languages here at the University of Colorado. Our network includes 3 Appletalk zones, separated by Shiva NetBridges, and connection to the campus Ethernet with a GatorBox. We have two AppleShare servers.

1. You can ensure that students all have a clean copy of the software by partitioning the local hard disk (try SilverLining), then placing the master copies in a locked partition. Students can then copy the master to an unlocked work partition on the same local disk to use your software. We do this, plus we have a separate boot partition for the system software, and a locked, unmounted restore partition to backup the system software. This approach seems to be the cheapest and most fool-proof to date. Our IIci's are 5/40 -- put 1 meg in bank A and 4 in bank B for improved performance with internal video -- and we have a 4 meg startup partition, 4 meg backup partition, 10 meg work partition, and 22 megs of software in a locked partition. Note that we don't leave the SilverLining DA on the machine -- we have a separate startup disk for lab attendants which allows them to mount the backup partition and thus restore a clean copy of the system software.

2. If your network (assuming you are networked) connects to Appletalk/Ethernet outside your lab, you can use the bridges to prevent machines outside your lab from looking in and using the LaserWriter.

3. Seems like the easiest way to keep the lab available to Physics students is to issue ID card stickers to students who should have access, or at least first-priority access, to your lab.

4. As far as not copying commercial software (e.g. a word processor), you should put it on an AppleShare server. The AppleShare software can prevent files from being copied.

5. Applications are good candidates for running from a locked partition on a server. HyperCard/SuperCard projects should run from an unlocked partition, using the copy-to-workspace idea. Note that HyperCard and the Home stack should be on an unlocked partition also -- we keep them on the partition with the system software. Data files for animation, like MacroMind Director, will fit into one of the two categories above.

6. I don't recommend having students copy the software from the server, because of the poor performance. That's why we partitioned the local hard disks.

7. Don't forget virus protection -- Virex or Disinfectant's INIT!

8. Depending on how you feel, you may want to remove the Control Panel and Chooser DAs after configuring the system. The Control Panel information resides in PRAM or in the individual INITs; the Chooser info is stored somewhere in the System file. I have a master disk with a complete System Folder, configured exactly as the System on a local hard disk -- Chooser devices, AppleShare login, etc. -- which can be used to build or restore each individual machine. Just boot from the floppy, erase the system partition, and copy the one folder to the hard disk. (If you have HyperCard there, then copy it off another disk.) Then reboot. I have found that the more things there are to play with (Chooser, Control Panel, Pyro!, etc.), the more things people will play with, until you have ten machines with completely different configurations; and then someone will report a problem that requires some troubleshooting. Not a nice scenario. Plan to restore the system partition at least once a week.

9. Good luck! Nothing beats a Mac lab.

Matt

============================
From: UF749@cc.usu.edu

you need a pd package called launchbreak that is available from the u of michigan (?) i don't have the address handy, but it does cover most of what you want if no one else gives you the scoop please e-mail me and i'll put in some effort to locate their address

ewtc

==================================
From: Herb Weiner <herbw%midas.wr.tek.com@RELAY.CS.NET>

For controlling access to the LaserWriter(s) you probably want NetCounter (TM). This software will allow you to restrict access to the printers, and it will automatically reload itself (if you install a patched LaserPrep on all machines). In addition, it will keep track of the number of pages printed by each user (but this count will NOT be saved if the power fails, unless you have a hard disk on the printer). Also, it will protect your printer from the Trojan Horse that changes the password.

NetCounter is distributed by Prism Enterprises (301) 604-6611. If you have any further questions that Prism can not answer for you, feel free to contact me.

Disclaimer: I am the author of NetCounter.

Herb Weiner (herbw@midas.WR.TEK.COM)

======================================
From: Jim Bruyn <jb@csg.uwaterloo.ca>

You might want to look at MacJANET. Talk to Bonnie Mitchell at U. of Oregon, for a demo 503-346-4404, or contact Mike Paola at Watcom Products (519)-886-3700

Jim Bruyn

=======================================
From: jjwcmp@ultb.isc.rit.edu (Jeff Wasilko)

You can change the type of the printer from Laserwriter to something else, then create a custom chooser icon. There's a contact person on the net for this procedure (to insure only authorized people get it), but I don't have his name with me.
Jeff

====================================

-----
Allyn Weaks
allyn@milton.u.washington.edu
sweaks@phast.phys.washington.edu
{backbone}!uw-beaver!milton!allyn
sweaks@uwaphast (bitnet)
If you want sense, you'll have to make it yourself. -- Norton Juster
alexis@panix.UUCP (Alexis Rosen) (09/26/90)
As far as I know, the assertion that AppleShare can prevent an application from being copied is bogus. (The implication was that the app could still be launched. Of course, AppleShare can hide an app completely so it can be neither copied nor used.)

---
Alexis Rosen
cmcl2!panix!alexis
clarson@ux.acs.umn.edu (Chaz Larson) (09/27/90)
In article <10508@panix.UUCP> alexis@panix.UUCP (Alexis Rosen) writes:
>As far as I know, the assertion that AppleShare can prevent an
>application from being copied is bogus. (The implication was that
>the app could still be launched. Of course, AppleShare can hide an
>app completely so it can be neither copied nor used.)

From the AppleShare 2.0 Administrator's Guide:

Using AppleShare Admin, you can copy-protect a file so it can't be copied or duplicated in the Finder at a Macintosh workstation. (AppleShare's copy-protection feature may have no effect on files being used at Apple II or PC workstations.) You copy-protect a file in the file information window.

Copy-protecting a file does not prevent a Macintosh user from opening it and saving it with a different name. Any user can rename, discard, or save changes to a copy-protected file or move it somewhere else on the same volume.

Copy-protection makes the most sense when used with applications whose copyrights or licensing agreements prohibit your making copies. Then a Macintosh user can't copy the application to another volume or workstation disk.

I don't know for sure if DiskTop or similar utilities are foiled by this copy-protection scheme or not.

I don't use this system at the lab; instead we use LaunchBreak, so if a felonious user copies MS Word and takes it home, the copy they get is useless outside of the lab.

chaz

--
--
"I Am The Reincarnation of Abraham Lincoln", Insists Prince. -spew
clarson@ux.acs.umn.edu AOL:Crowbone
jw3z+@andrew.cmu.edu (Judith H. White) (09/27/90)
On 26-Sep-90 in Re: Mac lab security SUMMARY user Alexis Rosen@panix.UUCP writes:
>As far as I know, the assertion that AppleShare can prevent an
>application from being copied is bogus. (The implication was that
>the app could still be launched. Of course, AppleShare can hide an
>app completely so it can be neither copied nor used.)
>

You can set the protection to keep applications from being copied from the server as server administrator. You have to do it on the server itself, you can't set copy protection from a workstation.

Just do a get info on the file, and click on the copy protected check box. It really does work. And the application can still be run.

Judy White
jw3z@andrew.cmu.edu
nf0i+@andrew.cmu.edu (Norman William Franke, III) (09/27/90)
On 26-Sep-90 in Re: Mac lab security SUMMARY user "Judith H. White"@andrew writes:
>You can set the protection to keep applications from being copied from
>the server as server administrator. You have to do it on the server
>itself, you can't set copy protection from a workstation.
>
>Just do a get info on the file, and click on the copy protected check
>box. It really does work. And the application can still be run.
>
>Judy White
>jw3z@andrew.cmu.edu

No it doesn't work. Anyone with a program which doesn't recognize the don't copy bit will copy it. Some examples: DiskTop, DiskTools. Works like a charm. It's just the Finder that will not let you copy the file. Granted, for the average user this is enough.

............................................................
:                                                          :
: Norman Franke, III          nf0i+@andrew.cmu.edu         :
: Special Projects            Carnegie Mellon University   :
: Macintosh Users Group, VP   Pittsburgh, PA               :
:..........................................................:
"Why can't I get more quota?"
kanefsky@cs.umn.edu (Steve Kanefsky) (09/28/90)
In article <gb0DdPy00WBMI30V1v@andrew.cmu.edu> jw3z+@andrew.cmu.edu (Judith H. White) writes:
>On 26-Sep-90 in Re: Mac lab security SUMMARY
>user Alexis Rosen@panix.UUCP writes:
>>As far as I know, the assertion that AppleShare can prevent an
>>application from being copied is bogus. (The implication was that
>>the app could still be launched. Of course, AppleShare can hide an
>>app completely so it can be neither copied nor used.)
>>
>
>You can set the protection to keep applications from being copied from
>the server as server administrator. You have to do it on the server
>itself, you can't set copy protection from a workstation.
>
>Just do a get info on the file, and click on the copy protected check
>box. It really does work. And the application can still be run.

Take an application that has been copy protected with AppleShare File Server and make a Stuffit archive out of it. Then unstuff the archive somewhere else. Presto! The application has been copied. I'm not trying to tell people how to get around copy protection, I'm just sure that a lot of people know this trick and I don't think AppleShare File Server administrators should have a false sense of security.

Like a previous poster mentioned, LaunchBreak is a good way to copy protect applications (and it's free for educational institutions). Users can freely copy applications, but can only use them in the lab where they belong. Until version 2.0 comes out, there are ways around this too, but it requires the thief to have an AppleTalk network and dedicate a machine as a LaunchBreak caterer anywhere he or she wants to use the stolen software.

--
Steve Kanefsky
kanefsky@cs.umn.edu
alexis@panix.uucp (Alexis Rosen) (10/02/90)
In the referenced article, jw3z+@andrew.cmu.edu (Judith H. White) writes:
>On 26-Sep-90 in Re: Mac lab security SUMMARY
>user Alexis Rosen@panix.UUCP writes:
>>As far as I know, the assertion that AppleShare can prevent an
>>application from being copied is bogus. (The implication was that
>>the app could still be launched. Of course, AppleShare can hide an
>>app completely so it can be neither copied nor used.)
>
>You can set the protection to keep applications from being copied from
>the server as server administrator. You have to do it on the server
>itself, you can't set copy protection from a workstation.
>
>Just do a get info on the file, and click on the copy protected check
>box. It really does work. And the application can still be run.

Problem is, this is useless for all but the most inexperienced users, unless you have extremely strict control over what floppies go in and out of the macs (in which case, you wouldn't need this 'feature' anyway).

To Clarify:

1) Hide the app in a folder without "see files" privs. It works, but the app is unavailable. Not useful.

2) Instead, check off the 'copy-protected' box in appleshare. Great. The app works, and the Finder won't copy the file. Trouble is, everything else will. Not useful.

This is why lots of other programs, like doppleganger and launchbreaker, were written. (I think I've got the names right. I haven't looked into this in a while.)

---
Alexis Rosen
{cmcl2,apple}!panix!alexis
alexis@panix.uucp
ml27192@uxa.cso.uiuc.edu (10/06/90)
The copy protection you describe sounds a lot like the "Protect" bit being set. Of course only the Finder checks this, so only the finder prevents copies. MacTools/DiskTop/DeskZap eat Protect bits for lunch.