
Giving your service users access to your computers

By Lasa Information Systems Team

If you have service users (which can include clients and trainees) who are entitled to use computing and other facilities in your offices, it is essential that you consider how secure your systems are. This article describes the precautions that can be taken to make sure your IT systems are used and not abused.

Draw up an Acceptable Use Policy

Service users, like all other users of your systems, should be subject to the clauses laid down in your Acceptable Use Policy (AUP). You may need to amend your AUP for public consumption and ensure that all service users are either given a copy of it or made aware that it exists and where it can be read. You might also want to have users sign an agreement to say that they’ve read the AUP and understand it. A disciplinary policy should be adopted which makes it clear what the course of action is should the AUP be abused. For more information, see the knowledgebase article ICT Acceptable Use Policies.

Be very clear about what the PCs are available for – things that you may want to define are:

  • Appropriate PC use
  • Use of peripherals including printers and any costs involved
  • Internet use, acceptable websites
  • Downloading files (especially music and video which can use up your Internet bandwidth and hard disk space)
  • Email accounts (use of Hotmail, Yahoo etc.)
  • Health and safety including eating and drinking around PCs
  • Messaging/chat
  • Disciplinary policy

You might want to have the pertinent points displayed on posters next to the public PCs. They could also be set up as the home web page when the user opens an Internet browser, with an “I Accept” button to acknowledge that they’ve read them.

Provide Induction

New users should undergo a brief induction if possible. This will not only allow you to run through the AUP along with telling them how to log on to the machine or network but give you an opportunity to see how IT-literate they are, whether they will need any training and what their support needs are likely to be. Depending on what use your facilities are to be put to, you may wish to set a minimum level of IT literacy before allowing access. If you can, be prepared to provide information about where basic training can be obtained locally. Provide users with a short induction manual which explains the AUP, and gives information such as their user name, where to store files etc. if appropriate.

Positioning of PCs

You will need to carefully consider where the client PCs will be situated. This will obviously depend on the office environment - consider things like:

  • confidentiality - not having users in positions where general office conversations, telephone calls, advice service etc. can be overheard or PCs overlooked
  • avoiding having clients walk through staff-only areas in order to reach facilities such as refreshment areas, toilets etc.
  • adequate space, light, heat and ventilation.

Secure your network and workstations

If you are having a new network put in, make sure that your requirements specification includes information on service use by the public so the contractor is able to design security in. Your network contractor will be able to advise on this.

There are a number of things which can be done – for example, the network cabling can be split into two networks so that service users cannot access the network which the staff are using and therefore have no way of seeing or accessing other PCs or servers on the network.

If you are running a training suite that uses centralised training resources and can afford the expense, it is more secure to run a dedicated server for the suite. If you can’t afford this, then consult the engineer who sets up your server for the easiest and most secure way of setting up logins for users.

Check that permissions on folders which the organisation’s staff are using don’t include service users or the very insecure “Everyone” account. Also ensure that you have a password policy in place and that it is functioning effectively in your office.
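
One way to carry out the folder permission check described above, as an added example that is not part of the original article. The share path `D:\Shares\Staff` and the group name `OFFICE\ServiceUsers` are hypothetical; substitute your own staff folder and the group your service-user logins belong to.

```powershell
# Added example: audit staff folders for access granted to "Everyone"
# or to the service-user group. Path and group name are hypothetical.
function Find-OpenStaffFolders {
    param(
        [Parameter(Mandatory)] [string] $Root,               # staff share root (hypothetical path below)
        [string[]] $RiskyGroups = @('OFFICE\ServiceUsers')   # hypothetical service-user group
    )

    # Well-known SID for "Everyone"; comparing SIDs avoids localised account names.
    $everyoneSid = 'S-1-1-0'

    # The root folder itself plus every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            # Only "Allow" entries grant access; "Deny" entries are not a finding.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Resolve the account to a SID; entries that cannot be resolved are skipped.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }

            $name = $ace.IdentityReference.Value
            if ($sid -eq $everyoneSid -or $RiskyGroups -contains $name) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Account   = $name
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # True: fix the parent folder instead
                }
            }
        }
    }
}

# Hypothetical staff share; any row in the output is a folder to review.
Find-OpenStaffFolders -Root 'D:\Shares\Staff' | Format-Table -AutoSize
```

This reads the NTFS permissions on each folder only; permissions set on the network share itself are configured separately and need their own check.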

Workstations on a server-based network can be locked down using system policies and software such as TweakUI so that users cannot change key settings or see certain menus. For example, you can stop people saving work onto the local drive, seeing the control panel or printers and so on.

PCs on a peer-to-peer network are inherently less secure than those on a network controlled by a server, but there are things which can be done: only share the minimum number of PCs and folders (never share the whole of the C: drive, as system files will be visible to all), consider password protecting those which are shared and, if the operating system allows for it (e.g. Windows 2000/XP), only give certain users access. If the PCs for client use are dedicated only to their use then consider putting them in a different workgroup. Again, your support company should be able to advise and act on this.

Lock 'em up

Public areas are notorious for the ease with which equipment can “go missing”. In addition to having up-to-date inventories, adequate insurance and indelible security marking, PCs and monitors should be secured either to the desk on which they sit or to an adjacent wall using an appropriate device which doesn’t damage the casing, such as a cable lock. Your local supplier may have such devices; otherwise check out specialist suppliers such as PC Guardian. You could also consider housing the PC workstation in a lockable cupboard.

If you are running an outreach service or mobile training suite using laptops then the same principles apply, only more so. This is dealt with in more detail in the Safe and Sound knowledgebase article.

Keep viruses at bay

It cannot be stressed strongly enough how important it is to install and keep antivirus software up to date on all PCs. This is especially important when users or trainees are bringing in floppy disks or other removable media. In any case make sure that the antivirus software is set for “on-access demand”, i.e. that any file is scanned as it is opened.

Some organisations use a “foot bath” where a PC is set up to scan disks for viruses before they are allowed into a computer suite.

Anti-spyware and adware programs such as Ad Aware and SpyBot should also be run and updated on a regular basis – see the Knowledgebase article Removing Spyware, Viruses and Other Malware from Windows.

Standardisation

It is helpful to users – and support and administrative staff - if the PCs are set up in the same way, are of similar specification and operating system, have the same (licensed!) software loaded etc. Otherwise you may have users favouring a PC to the detriment of the service offered.

About storing documents

There are various approaches that can be taken to storing documents. You could dictate to users that they can only store documents on floppy disks. There should then also be rules about using these on home systems, which might not be as well protected against viruses as your own; or you might insist that floppies are not taken out of the building, which is common in some training centres.

If users need to have space on the server to store documents then they will need to be issued with their own log-on and given a “home” drive on the server. This can be advised as part of the induction session. Another approach might be to use online and offsite storage – for example users could set up Hotmail or Yahoo accounts and mail their work to their accounts.

Consider Website blocking

Whilst having an AUP will make people aware of their obligations regarding the use of the PCs and inappropriate behaviour whilst web browsing, you may wish to back this up with software. A product like Net Nanny may be sufficient if you only have a couple of PCs. If you are running a larger network or training suite and you have a firewall then you could consider a service (such as Watchguard's WebBlocker) which is configured through the firewall (for more on firewalls see the knowledgebase article Firewalls).

Checking in… and out

To avoid users queuing up to get on a PC, you may need to initiate some form of booking system. This could be done using a diary in which slots are allocated or something more advanced such as a public calendar in Outlook set up for bookings or perhaps a spreadsheet.

Think about how long users can use a PC for – perhaps an hour is sufficient. You’ll also need to think about when PCs are available for public access e.g. at all times when the premises are open? Only between certain hours? Every day?  Software used by internet cafes, such as TimeWatcher, can help enforce time limits by locking the computer after a given time.

It is good practice to record who is in the building at any time for health and safety and security purposes – a loose leaf book in reception recording names and in and out times will be sufficient.

You’ll want to know who is using the PC and at which time – if you have more than one PC then make sure you know which PC has been used and by whom in case of problems or abuses arising. For a small office a simple spreadsheet or database should suffice; if you have a large number of PCs then it may be worth investing in specialist software to manage the time used.

Supervision and administration

Depending on the situation, you will need to make sure that users are supervised. Whilst you don’t want to make users feel like they are being watched at all times, it is necessary to be able to check that PCs are not being abused.

Having external users on your site may also increase the amount of administration required on the machines. It is also important to make sure that they are supported by your support company so you can minimise downtime (and hold off potentially disgruntled users). Ensure that users know what procedure to follow and who to call should problems arise.


About the author

Lasa Information Systems Team
Lasa's Information Systems Team provides a range of services to third sector organisations including ICT Health Checks and consulting on the best application of technology in your organisation. Lasa IST maintains the knowledgebase.

Published: 5th May 2004 Reviewed: 17th May 2006

Copyright © 2004 Lasa Information Systems Team

User comments and discussion

abamaison
8th February 2008
There's useful additional information in the Techsoup article Securing Your Computers for a Public Computing Environment here: http://www.techsoup.org/learningcenter/ctc/page5203.cfm