All,
First, I apologize because this is much more of an IT question than a coding
question, but I come from an IT/desktop support background with a particular
interest in security.
How are larger, academic libraries securing your employee-used, shared
workstations -- specifically, the circulation desk machines and the back-end,
ILL scanning stations? I have been trying mightily for a few years to
eliminate the shared-password generic accounts because they present a real
security/privacy concern. I am running into some real road-blocks though, and
I'm wondering if anyone here has found solutions that work.
Having viewed the chaotic state of the circulation desk with the constant churn
of employees using the stations, I have conceded that it is better to use a
generic login than to have folks log in/out constantly.
The ILL employees who do a lot of scanning don't have the rapid-fire turnover
at their workstations, but they (or their manager) is insisting on a generic
login because the scans need to be saved in a specific, network location and
Acrobat has no mechanism to set the default save location for all users. (I
hate Adobe!) When we have tried using personal logins, folks forget, don't
notice, or don't know about watching that the PDFs are saved in the proper
location, and those scans have to be redone by someone else or are inaccessible
within the particular employee's private user profile until they return to work
(which could be days-weeks with student employees).
In both cases, users still need to sign into services as themselves (the LSP --
Alma --, scheduling, wiki documentation, ILLiad, etc.), so I'm not really sure
what the security advantages are with the generic account (especially for ILL
scanning). I've had to push settings to prevent the browsers (Edge, Chrome and
FireFox) from saving passwords. I also have automated scripts running to
regularly blow away the MS Teams configuration to prevent users from using it
as someone else. (Teams "helpfully" remembers credentials for one-click login
even after logging out of it and rebooting.) I have not been able to find a
way to do the same with MS Office, so I have been forced to uninstall it
completely. Otherwise, everyone who uses it while logged onto the computer
with the generic account is signed into/owns all the M365 documents as the user
who first used it (and had to sign into M365).
The lack of Microsoft Office is the particular issue that I'm being pressed on
to prompt me to post this. I should add that I can't use device licenses for
M365 (where login/registration isn't required) because they only work with
Azure Active Directory which we do not have. What are you all doing? I've
been considering trying to set circ desk systems up as mulit-app, auto-login
kiosks so at least we don't need to share the generic password, but the other
problems still remain.
Any feedback is appreciated.
Thanks,
Erich
--
Erich Hammer Head of Library Systems
er...@albany.edu University Libraries
518-442-3891 University @ Albany
"Faith is the unflagging determination to remain ignorant
in the face of any and all evidence that you're ignorant."
-- Shaun Mason
