Security Basics mailing list archives

RE: Internet Cafe


From: Paul Baugher <paul.baugher () baker edu>
Date: Fri, 17 Jan 2003 11:35:55 -0500

This reply addresses workstation security and management 
only. It does not acknowledge the management of network 
traffic or security.

Whenever I’m in Toronto, Canada, I go to the Cyberland Cafe. 
Each station provides services from basic web browsing to 
high-end gaming.

For user access control, they are running a proprietary GUI 
over the OS. The GUI provides a full screen customizable 
menu with the Cyber Café logo and various buttons for 
programs installed on the station. In addition, customers 
can view and order from the café menu from any station. All 
components of the OS are completely masked from the users. 
It’s also very appealing to customers. This is similar to 
what you might see in Borders bookstores, some automated 
directories in malls, and ATM machines.

You could also go with additional software to lock down each 
station (i.e. Centurion, Deepfreeze). If a user installs 
Kazaa, you can simply restart the station and the original 
software image is restored. If you are utilizing Norton 
Ghost, you can also disable/enable Deepfreeze via command 
line parameters over the network. This would allow you to 
remotely unlock a station to upload software packages.

Personally, I would go with WinXP for the OS. WinXP is 
faster, has the same administrative capabilities, and it may 
be more attractive to customers. If they don’t like it, you 
can always emulate the look and feel of previous operating 
systems. In addition, WinXP has remote administrative 
features built in. Users’ activities could be easily 
monitored to enforce computer use policies. Some companies 
can be held liable if a minor is exposed to adult content. 
But that's a totally different debate.

Good luck. It sounds like an entertaining challenge.


Paul




---- Original message ----
Date: Wed, 15 Jan 2003 12:44:02 -0800
From: "Nicko Demeter" <nicko () siterra com>  
Subject: RE: Internet Cafe  
To: "'Ferry van Steen'" <ferry.van.steen () InfoPart nl>, 
<security-basics () securityfocus com>

Why Win2k on every station? You could run terminals that communicate
with a Terminal Server or even a cluster of terminal servers and then
simply restrict what the users can access over the terminals.

Nicko

-----Original Message-----
From: Ferry van Steen [mailto:ferry.van.steen () InfoPart nl] 
Sent: Tuesday, January 14, 2003 11:38 PM
To: security-basics () securityfocus com
Subject: Internet Cafe


Hey there,

for the first time I have to set up an internet cafe. I want to use Win2k
on the workstations and "cripple" it using the policies it has, then use
linux as a firewall/proxy with squid. Having only a proxy and not a
gateway should already narrow down a lot of security issues, but I
believe kazaa and some others still work through proxies and I have
hardly any idea on how secure the win2k policies are... Basically all I
want to allow them is using IE on websites/ftp sites, they should be
able to download, but only to a single folder and msn messenger should
work.

Anyways, anyone got any suggestions/comments on what I really have to
look out for? I'm thinking it should be reasonably secure, but in places
like this you always have the added risk of people wanting to damage the
OS/system or use it as a place from which to attack others.

Kind regards and TIA,

Ferry van Steen


