Carson Block shows harried librarians how to save hours spent on public access terminal reboots
By Carson Block, January 1, 2001
System lockups getting you down? Tired of rebooting? Who isn't!? Operating system instability seems to be one of those unavoidable quirks of library life, but it's one that no one has time to live with. And it's one of those technical things that creeps up on you over time: initially, many systems need the occasional reboot to bring stability back to the operating system, but more than one reboot a day? Who has time for that? It's difficult to pinpoint the exact cause of system instability, but it can come from a number of sources, which can contribute to poor performance over time. Sometimes, it's something as simple as poor system design, installation of troublesome software, patron and staff 'hacking,' or just plain old file corruption. When that corruption affects important system files, stability can start to erode.
For larger libraries and library districts, a well-equipped information technology department can keep workstations secure using a variety of techniques that are easy for technicians to implement and maintain. These techniques can range from simple to sophisticated (by using the system policy editor and permissions in the various flavors of Windows). But what's a small library to do?
A few fairly straightforward strategies can help you increase your workstation uptime so you can spend less time fumbling for the control-alt-delete keys. The central philosophy is to 'start clean and stay clean,' i.e., start with a system that you know to be stable and then use a variety of techniques to keep it that way. Although these tips can apply to a variety of environments, this article is aimed at keeping a public Internet workstation as trouble-free as possible.
Starting from scratch
If you're in the enviable position of purchasing new hardware, there are a few things you can do from the start that can make your life easier down the road. Although some of these tips may initially cost a few more dollars than purchasing from your friendly neighborhood discount computer retailer, over time the extra cost can be more than made up for in saved staff time.
Stick to name-brand 'professional' or 'business-class' machines. These include, but are certainly not limited to, brands such as Hewlett-Packard (HP), Dell, IBM, etc. Machines in this class are marketed to companies with fair-size IT/MIS (information technology/management of information services) departments that have a lot of PCs to manage and need equipment that has a minimum of problems throughout its operational life. These machines generally have rock-solid components and a thoughtful design that incorporates ease of use, ease of maintenance, physical security, and other features that are attractive to anyone using a computer. As well, a great deal of thought is put into the design of everything from the method used to connect the case to the chassis to how well the hardware components behave together. Anyone who has tried to install RAM or troubleshoot IRQ conflicts on a cobbled-together machine can tell you good design work is not a trivial aspect.
There are some tremendous bargains in so-called 'off-brands' and the more consumer-oriented versions offered by the major manufacturers--and some folks have had much success with these. But in my experience, the cash savings is offset by the amount of management and tweaking the user may be required to do. If you like getting under the hood of your hardware and software to configure systems, then the savings may be very attractive to you. Some even enjoy the learning experience, and there is a lot to be said for intimately understanding the details of your computer. But most of the librarians I work with are not that adventurous and simply want systems that work with as little attention as possible.
Pick a machine with hardware that is easy to configure, upgrade, and repair. Is it easy to open and close the computer case? Can you see key components on the motherboard (e.g., RAM slots and PCI slots) without having to move masses of wires or internal components? If so, you have a machine that will be easier to attend to when it comes time to upgrade, repair, or troubleshoot. In the past several years, case design has improved dramatically, but there remain machines that are a bear to work on. If you're likely to get your hands dirty under the hood of your machines, ease of hardware access is an important consideration.
With a business-class system, the typical upgrade functions are identified during the manufacturer's design process and incorporated into the physical layout so that common tasks are downright simple to perform. Detailed support for these tasks should be available in the manual or on the company's web site.
A good machine will come with disks that will restore your entire system. Not just a copy of the operating system and a driver disc, but the whole works. The time may come in the life of your computer that a rebuild of the operating system is necessary. This could be due to a catastrophic failure of the hard drive, a nasty (and unrecoverable) virus attack, or simple instability of the system over time. There's nothing like a fresh start.
There's also nothing quite like the time-consuming process of installing Windows from scratch, especially if you need to add custom drivers for hardware components that are not quite plug-and-play. Although modern (and speedy) CD-ROM drives and improvements to the Windows system installer have made the process faster than in the past, there are better ways to start fresh.
Most computers ship with a Windows installation disk, and perhaps a second disk with special drivers for various hardware components. In my experience with such systems, the 'drivers' disk can contain either outdated or incorrect drivers--in either case, no help at all in the recovery process. Such discs may contain a wide range of similar drivers but only vague 'readme' files that do little to help you choose the correct driver. Additionally, if a system rebuild is required, it will be a long and arduous process, starting with reinstalling Windows from the installation disk, then tracking down and installing any necessary additional drivers.
Good companies ship their computers with a disk or disk set that has an image, or digital snapshot, of the operating system as it was delivered from the factory, including specific drivers and configuration settings for the hardware. By using the restore disk, you can essentially re-create your system build the way it was the day it was unpacked from the box. And recovery time? Usually just a matter of ten or so unattended minutes, and you're factory fresh! (Another method some companies use is shipping a computer with no support disks of any kind. For a strategy to support such machines--and make your own disk images--see the 'Advanced Measures' section below.)
Online, e-mail, and telephone support should be included. With the current rate of change in the computer industry, good product support on the web is essential to maintaining the health of a computer. As operating systems and other components change over time, good companies continue to support even older models with BIOS (basic input-output system) updates, model-specific device driver updates, downloadable manuals, frequently asked questions files (FAQs), and more. Some even have links to customized support pages or special software that checks the health of your machine, and automated software that performs periodic backups of the all-important Windows registry file. Other features include programs configured to check the company's web site automatically for driver updates and then alert you that a new driver or other software component is available. Many times good online support can turn what could have been a long, painful day of troubleshooting and repair into a quick solution.
Online support should also work both ways and allow you to e-mail nonemergency questions (you can save the emergency questions for the phone) and receive a response in a timely manner. I've had particularly good experiences with HP e-mail support asking fairly complex questions about processor upgrade paths not covered in the FAQ and got quick responses.
An additional area of importance is telephone support. Is it offered at all? For free during the warranty period? And how long is the typical hold time? If you anticipate using the telephone for support from the manufacturer, those are important questions to consider. If possible, try calling the support number before you buy to experience the hold time and the expertise of the tech support staff on the other end of the line.
Workstation nuts and bolts
Whether you're buying new or just trying to wrangle existing machines into shape, there are a few steps you can take that can lower your maintenance time and make you and your patrons happier. The philosophy behind this section is to identify the existing security holes in a typical PC and then plug them in some fashion.
Know your BIOS. Your first line of defense is the computer's basic input-output system. Essentially, it takes attendance of different hardware components of your system--such as RAM, the processor, the hard drive--and also makes sure different parts of the system are able to communicate with each other prior to looking for an operating system to load. The BIOS also controls some very important basic system security, such as in which devices, and in what order, it will look for the operating system. Since infecting a machine with a virus or trojan can be as simple as booting the computer from a floppy, it's important to configure the computer to boot only from the drive you want and to prevent users from changing that configuration. Usually, that drive will be the c:\ drive.
Setup is where you can configure the way you want the basic hardware components of your system to behave, lock them in place, and then protect the settings from being changed by requiring a password. It's not hard to get into setup--when you first boot your computer, the screen generally shows the BIOS checking hardware components and also displays a message indicating which key to hit (sometimes the Delete or F10 key) to enter the BIOS setup program.
One word of caution: while it is safe to make the simple changes specified below, you should treat most aspects of the BIOS as untouchable. Incorrect settings can hobble your system, making it inoperable until a knowledgeable technician can take a look. If in doubt, call in a professional to help you set up the BIOS.
Among the few settings you'll likely want to change is what device the computer boots from. In most cases, your best bet is to allow the machine to boot only from the c:\ drive, and disable boot from the floppy (usually the a:\ drive) and the CD/DVD-ROM drive.
After you've set the BIOS up to make the boot sequence behave as you like, it will be important to prevent users from changing the settings. To do this, you'll want to use a password to protect the 'administration' function of the BIOS, which is not to be confused with the 'startup' password. Enabling the startup password would require a password every time the computer boots up--something you're not likely to want. The administration password specifically protects against changes to the BIOS and will only be required when entering the BIOS setup. Since incorrect BIOS settings can possibly bench your computer, it's a good idea to password protect the admin function even if you are not going to make any other changes. If you forget the password and need to make changes to the BIOS (which is likely in the event of needing to boot from a floppy or CD during a system recovery), your options are severely limited. Generally, the only solution will be to find the reset jumpers on the system board (as specified according to the manufacturer's instructions) to restore the BIOS to its default settings.
When you've made changes to your BIOS, be sure to follow the instructions to save the changes before moving on to the next step. Congratulations! You've just deployed your first line of defense!
Keep the operating system simple. Simply put, PC operating systems are generally designed with a single user in mind. Although many systems can support multiple users with customized profiles and settings, the most common operating system for public computers, Windows 95/98, is really not designed for the large range of users it sees in a given day. Here are a couple of simple steps that can help seal the most obvious holes.
If you allow patron access to the CD-ROM drive, you'll want to disable the 'CD Auto Play' function. Disabling CD Auto Play will prevent users from easily installing software they might slip in on a CD-ROM drive.
A troublesome aspect of Windows 98/ME is the task scheduler. This application (which runs in the system tray next to the clock) can be easily configured to run a variety of programs automatically. Disabling the program is simple, and instructions to do so can be found in Windows online help. Just do a search for 'Task Scheduler,' and you'll find the instructions to turn it off if you wish.
Another hedge that's easy to employ is backing up your system registry every time you make a change to your system, or install new software. That way if your system starts behaving in odd ways, especially after a new piece of software is installed, you can restore an earlier version of your registry to help troubleshoot the problem. Tips for registry backup and other excellent suggestions for general computer health can be found in a document created by the Regional Library Service System in Colorado called Computer First Aid. Although the document was written several years ago, some of the general advice is timeless.
Pick your web browser carefully. Web browsing is probably the most popular application on a public workstation. Although you certainly can't live without a web browser, there are some that are easier to live with than others.
While a boon to the personal user, extra applications can be a headache in a public environment and are not the best choices for a public workstation. Microsoft's Internet Explorer, for instance, is bundled with personal e-mail clients and software fingers that reach into the operating system. Others, such as Netscape Communicator, integrate a full suite of features like personal e-mail, a newsgroup reader, a basic HTML composer, an instant messaging client, and support for multiple user profiles into the browser.
A browser that remains a favorite among libraries is the venerable Netscape Navigator 4.08 standalone. It has everything you need and nothing you don't. There are no troublesome fingers into your operating system, it isn't bundled with applications you don't want to offer to patrons, it does a great job, and it's still free. As long as the Navigator standalone is compatible with all of your needs (some libraries have had trouble accessing certain online databases with the standalone version), it's a great choice. [For a fuller discussion of web browsers, see netConnect, in LJ, 01/01/01]
There are also folks who have taken advantage of the open Netscape source code available through mozilla.org to create a version of the browser that is optimized for a public library environment. One such coder is Colorado Southwest Regional Library Service System technical consultant Jeff Bobicki, who has created Librowse, downloadable from his web site.
Even when using a standalone browser, you'll want to search for and destroy any personal e-mail clients on the hard drives of your public machines, including Microsoft's Outlook Express, which is part of the original Windows system build. You'll also want to check for certain Internet applications that you may not want to support, including Internet Relay Chat clients, ICQ clients, front ends for Internet gaming, and any other specialized communications software that doesn't fit into your library's service plan.
Antivirus software and firewalls belong in all environments. Installing antivirus programs on a public workstation should be a foregone conclusion. With the large number of viruses in the wild, and the new and improved ways of spreading other destructive code including backdoor programs, trojans, and software agents that can unwittingly turn your public machines into 'zombies,' you need a margin of protection. There are a number of good products on the market including Norton Antivirus and McAfee. Many products can be configured to update the virus definition files automatically. Be sure to configure the software to respond as you would like and password protect against users making changes.
Equally important these days is firewalling the PC from intruders. New viruses, worms, and exploits are increasingly taking advantage of the two-way nature of Internet connectivity, so it's just as important to block certain TCP/IP traffic leaving your computer as it is to control incoming connections. Depending on your network configuration, especially if you have an IT/MIS department, you may have firewalls in place somewhere. If you don't, there are other means to protect the workstations. This is especially important for libraries taking advantage of low-cost/high-speed connections such as xDSL and cable. The IP address space allotted to the vendors seems to be under constant scan from others looking for vulnerabilities. Although there is little on a public machine in the way of information, sophisticated techniques used by hackers can be employed to use the machines unwittingly to attack others.
If your network is not firewalled by other means, there is good news. There are several high-quality personal firewalls that are available at no or low cost. Zone Alarm is a good program available as a free download; Black Ice Defender is a low-cost and highly rated personal firewall. Both programs are very effective, have easy-to-use interfaces, can be configured to alert the user when a scan or breach is detected, and can even help you trace an attacker.
Software backup should be routine. Backing up staff workstations is another item that should fall into the 'foregone conclusion' category. A good rule of thumb is that if you can't afford to lose it, back it up to tape, floppy, recordable CD, zip, jaz, or any other high-capacity media. Back up early, and back up often.
Public workstations are another matter. There is likely little (if any) data you need to save on public machines. But if you've put a lot of time into your system setup, it's worth protecting with a good backup. Complete system backups to tape (or if they're small enough, to other media) can help you recover from catastrophic failure. But generally, restoring in such a manner requires that your storage medium is attached in some way to the workstation. That means each public machine would need a tape drive, or CD-R, or you would have to use a portable drive and attach it to the ailing machine. And anyone who has backed up or restored a machine from tape can attest to the time involved. Read on for another method that effectively backs up a Windows system build but takes much less time from which to restore.
Advanced measures
The preceding collection of tips will help keep systems stable, but there is an even more powerful way to ensure that your public PCs remain trouble-free over time: create your own virtual 'snapshot' of a stable system build and then refresh from that snapshot whenever your system starts behaving in strange ways.
The 'snapshot' is an important concept. Into each computer build are myriad options that are set for that computer, including driver configuration, network settings, printer selection, program preferences, and other variables.
The beauty of this method is that restoring the system that you painstakingly built once will only take a matter of minutes instead of hours or days.
Another advantage of this method is that it can help you set up a number of new machines in a very short time. At the Loveland Public Library, CO, we used the method below to create one good, stable system build for the public Internet computers and then spread the image to machines with identical hardware builds. A job that could have taken a week was completed in less than two days! Eric Sisler, computer technician for the Westminster Public Library, CO, uses disk-imaging software not only to roll out new (and identically configured) PCs but also to refresh the system builds at least once or twice a year.
The first step is to decide what product or method you want to use to create your 'snapshot.' This first step is vital since it will dictate whether you need to partition your disk into multiple segments and whether you can burn the disk image directly to CD-R. The method you use will also determine exactly how the image is restored or distributed when the time comes. Some excellent third-party software that is up to the task includes PowerQuest Drive Image, Norton Ghost, or ImageCast, but there are others as well.
The second step is to create your stable system build. With a brand new machine, it's already done. But with an existing machine, you'll probably want to fdisk (repartition your hard drive), reformat your drive, and reinstall/reconfigure your operating system to ensure a clean build.
The third step is to install and configure other software components, including antivirus, web browser, word processor, firewall, and so on.
Once you're happy with the system build, it's time to create your disk image. Since the method varies, simply follow the directions that come with your third-party software.
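To tell when a public machine has drifted from the snapshot described above and is due for a refresh, one option is a file manifest recorded right after the image is made. This is an added example, not part of the original article or of any imaging product; it goes beyond the text by hashing files rather than imaging the disk, and the ignored folder and the extension list are assumptions.

```python
import hashlib
import json
import os

# Assumed default for this example; tune it to your own build.
PROGRAM_EXTENSIONS = (".exe", ".com", ".dll", ".bat", ".scr")


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, lower-cased path) to its digest."""
    manifest = {}
    for folder, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            # Windows paths are case-insensitive, so normalise before comparing.
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            try:
                manifest[rel] = hash_file(full)
            except OSError:
                manifest[rel] = "UNREADABLE"  # locked or damaged file
    return manifest


def save_manifest(manifest, path):
    """Store the manifest as JSON; keep it with the disk image, off the PC."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=1, sort_keys=True)


def load_manifest(path):
    """Read back a manifest written by save_manifest."""
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline, current, ignore_prefixes=()):
    """Return added, removed and modified paths, skipping ignored folders."""
    def watched(path):
        return not path.startswith(tuple(ignore_prefixes))

    return {
        "added": sorted(p for p in current if p not in baseline and watched(p)),
        "removed": sorted(p for p in baseline if p not in current and watched(p)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p] and watched(p)),
    }


def new_programs(drift, extensions=PROGRAM_EXTENSIONS):
    """Added or changed program files: the clearest sign a refresh is due."""
    return [p for p in drift["added"] + drift["modified"] if p.endswith(extensions)]


if __name__ == "__main__":
    import sys
    # Usage: manifest.py baseline <root> <file>  |  manifest.py check <root> <file>
    mode, root, manifest_path = sys.argv[1:4]
    if mode == "baseline":
        save_manifest(build_manifest(root), manifest_path)
    else:
        # "windows/temp/" is an assumed scratch folder that is expected to change.
        drift = compare(load_manifest(manifest_path), build_manifest(root),
                        ignore_prefixes=("windows/temp/",))
        print(json.dumps(drift, indent=1))
        print("programs added or changed:", new_programs(drift))
```

Record the baseline immediately after creating the disk image, and store the manifest file with the image rather than on the public machine, where it could be altered along with everything else.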
Aren't we finished yet?
Alone, the tips above won't do a complete job. To keep busy fingers from making systems unstable, you also need measures that limit whether (and where) patrons can save files or download programs or data, and that prevent changes to the operating system or applications. If your workstations are running Windows 95/98/ME, you can use the policy editor to control some system variables. If Windows NT or 2000 is your platform of choice, you can use a combination of the policy editor and permissions to place powerful limits on the types of things your users can do.
If you lack the expertise or time to hack your workstations you'll need an 'OS Helper' to really lock the system down tight. Those include third-party software products such as Ikiosk/WinSelect and Fortres 101 and hardware solutions such as Centurion Guard. In the next issue of netConnect, we'll compare the features of those products by talking to librarians who use them.
Read part 2 of "In Search of System Stability" in the Spring issue of netConnect
Author Information
Carson Block (cblock@frii.com) is the Technology Consultant for the High Plains Regional Library Service System in Greeley, CO, a state-funded agency that serves libraries in nine northeast Colorado counties.