Kiosks, WiFi, Domains and Security

For users or potential users.
Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Kiosks, WiFi, Domains and Security

Post by Jay » Thu Sep 15, 2011 6:11 am

The issues:

1. As I mentioned in a previous post a long time ago I was a bit concerned with Kiosk security because of the Shared Folders, that OD (and often third party Xray acquisition software) need to run. Basically the fear is that anyone using Kiosk Mode could potentially browse to these folders by tricking OD on a kiosk to shut down using Windows commands. This is true of all Kiosks, wired and wireless.

2. These fears are multiplied when the added risk of WiFi is factored in. For starters if someone steals a tablet they could potentially stand outside your office and connect to your entire system. In large offices with 2 or more tablets, a day or two could go by before such a thing is noticed.

3. Unfortunately Wireless Kiosks are the way to go if one has limited space. They are convenient and compact and trendy and often have touch screens for signing. And they have all the usual benefits of a wired kiosk.

4. Independent of Kiosk Mode issues, the OpenDentImages folder should be better protected. Jordan, you suggested an Image Server but maybe there is a clever way to do this without a major rewrite of the OD architecture.

I really do think this issue is the proverbial elephant in this forum and I believe forum members could help by coming up with a set of guidelines to configure Kiosks or Wireless Kiosks and WiFi in a secure fashion. Even trained IT people may not be fully aware of the idiosyncrasies of OD so we are uniquely qualified to brainstorm this issue. Some questions to consider:

1. Can we run Kiosk Mode in a way that it does not need the usual privileges?

2. Can a Domain provide more security than a Workgroup? Maybe future OD versions can take into account the added security afforded by a Domain.

3. Should an Intrusion Protection/Prevention System be installed in addition to the usual WPA2 encryption? If so, has anyone tried any solution?

4. Can OD's Kiosk mode be made to run over the World Wide Web so that we can island the Kiosk completely from our LAN?

5. Is it possible to provide Guest WiFi Access to your patients and still maintain network security?

Please feel free to add to this list and comment on it. Maybe I am being overcautious but I think it will be useful to deal with these issues once and for all.

teethdood
Posts: 267
Joined: Sun Jul 29, 2007 12:39 am
Location: Visalia, CA

Re: Kiosks, WiFi, Domains and Security

Post by teethdood » Thu Sep 15, 2011 3:07 pm

Your post brings up multiple points, and I only want to answer a couple of them, so...

* Guest WiFi: This is possible using a router that is compatible with DD-WRT or Tomato router firmwares. The Guest network is set to be entirely separate from the main network. If you are extra an*l, buy another router and set up the Guest SSID there. Google is your friend.

* Security for Shared folders: In your Kiosk tablet/PC/whatever, do not have windows remember the Shared folder credentials (user/pass combo to access the Shared folders on the server, which include the OpenDentImages folder). When you use the kiosk to run OD in the morning, it will complain that the path to the OpenDentImages is invalid blah blah, so then click on the OpenDentImages folder on the server to bring up the user/pass, so there you go.
Philip H. Doan, DDS
http://www.kaweahdental.com/

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: Kiosks, WiFi, Domains and Security

Post by Jay » Fri Sep 16, 2011 2:55 am

Thanks for responding.
teethdood wrote:Your post brings up multiple points, and I only want to answer a couple of them, so...

* Guest WiFi: This is possible using a router that is compatible with DD-WRT or Tomato router firmwares. The Guest network is set to be entirely separate from the main network. If you are extra an*l, buy another router and set up the Guest SSID there. Google is your friend.
I am aware that the guest network can be created by placing guests on their own subnet. For the truly an*l there is also the option of getting a second DSL connection and sharing that. But do most people run their guest networks as an open network or do they require some basic authentication to limit access to one's own patients? Apart from bandwidth issues, in urban areas it seems unsafe to run open networks that can be (mis)used by anyone with a wifi card. I mean someone may not be able to hack your LAN but anything they do on the WWW will be traced back to your network. So should one hand out password(s) or have a Starbucks type implementation?
teethdood wrote: * Security for Shared folders: In your Kiosk tablet/PC/whatever, do not have windows remember the Shared folder credentials (user/pass combo to access the Shared folders on the server, which include the OpenDentImages folder). When you use the kiosk to run OD in the morning, it will complain that the path to the OpenDentImages is invalid blah blah, so then click on the OpenDentImages folder on the server to bring up the user/pass, so there you go.
This sounds good, but I always believed that OD needs the shared folders to be accessible by 'EVERYONE'.

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: Kiosks, WiFi, Domains and Security

Post by Jay » Fri Sep 16, 2011 6:19 am

Just learned from OD Support that Webforms feature is not compatible with collecting legal signatures so using a tablet with Webforms to get signatures on consent forms is not an option unless we print the downloaded Sheet, get people to sign the printout and then scan. Please correct me if this is not the case.

teethdood
Posts: 267
Joined: Sun Jul 29, 2007 12:39 am
Location: Visalia, CA

Re: Kiosks, WiFi, Domains and Security

Post by teethdood » Fri Sep 16, 2011 8:37 am

Don't share with EVERYONE. You can specify which existing user on the server gets Full access. Then, enter that user's user/pass into the kiosk/other client computers to access the server's resource.
Philip H. Doan, DDS
http://www.kaweahdental.com/

jordansparks
Site Admin
Posts: 5742
Joined: Sun Jun 17, 2007 3:59 pm
Location: Salem, Oregon

Re: Kiosks, WiFi, Domains and Security

Post by jordansparks » Sun Sep 18, 2011 5:22 am

Jay wrote:Just learned from OD Support that Webforms feature is not compatible with collecting legal signatures so using a tablet with Webforms to get signatures on consent forms is not an option unless we print the downloaded Sheet, get people to sign the printout and then scan. Please correct me if this is not the case.
Instead of printing, you could pull up the sheet on the computer and have them sign it there. This could be done on a screen at the front desk, on a tablet, or in the operatory. Some offices also just use a checkbox online or a typed name instead of a signature. With the correct wording, this might be considered a legal signature. A number of other websites on the internet do the same thing.
Jordan Sparks, DMD
http://www.opendental.com

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: Kiosks, WiFi, Domains and Security

Post by Jay » Mon Sep 19, 2011 6:32 am

Thanks Jordan for your response. I have a couple of follow-up questions.

You wrote:
jordansparks wrote:
Jay wrote:Just learned from OD Support that Webforms feature is not compatible with collecting legal signatures so using a tablet with Webforms to get signatures on consent forms is not an option unless we print the downloaded Sheet, get people to sign the printout and then scan. Please correct me if this is not the case.
Instead of printing, you could pull up the sheet on the computer and have them sign it there. This could be done on a screen at the front desk, on a tablet, or in the operatory. Some offices also just use a checkbox online or a typed name instead of a signature. With the correct wording, this might be considered a legal signature. A number of other websites on the internet do the same thing.
1. OD support told me that I cannot create a Signature Box in a Sheet created for Webforms use. So my question is, when we download the completed Webform to our system, where would the patient sign?

teethdood wrote:Don't share with EVERYONE. You can specify which existing user on the server gets Full access. Then, enter that user's user/pass into the kiosk/other client computers to access the server's resource.
2. Jordan, could you comment on this recommendation? It is exactly what I would like to do but haven't in the past because I thought it is not recommended and I do not want connectivity issues at unexpected times.

jordansparks
Site Admin
Posts: 5742
Joined: Sun Jun 17, 2007 3:59 pm
Location: Salem, Oregon

Re: Kiosks, WiFi, Domains and Security

Post by jordansparks » Mon Sep 19, 2011 6:42 am

You can put a signature box on a webform. When viewing on the web it will just be a rectangle with a note about collecting the signature later.

Yes, you can change the permissions on the AtoZ folder. No, you probably won't get it right the first time and it will require constant fiddling unless you are an expert. Security takes effort.
Jordan Sparks, DMD
http://www.opendental.com

packets
Posts: 47
Joined: Sat Jun 18, 2011 12:27 am
Location: Holly Springs, NC

Re: Kiosks, WiFi, Domains and Security

Post by packets » Tue Sep 20, 2011 3:08 am

Jay wrote: 2. These fears are multiplied when the added risk of WiFi is factored in. For starters if someone steals a tablet they could potentially stand outside your office and connect to your entire system. In large offices with 2 or more tablets, a day or two could go by before such a thing is noticed.
2. Can a Domain provide more security than a Workgroup? Maybe future OD versions can take into account the added security afforded by a Domain.
3. Should an Intrusion Protection/Prevention System be installed in addition to the usual WPA2 encryption? If so, has anyone tried any solution?
4. Can OD's Kiosk mode be made to run over the World Wide Web so that we can island the Kiosk completely from our LAN?
5. Is it possible to provide Guest WiFi Access to your patients and still maintain network security?
2) Configure the portable device to manually enter the WPA2 WiFi Passphrase (not saved) in order to access the WLAN. If a perpetrator has physical possession of a resource they own it and potentially all it touches (i.e., your digital assets). Get a computer lock.
2) A domain can add exponentially more control of digital resources within a LAN than does a simple workgroup. OD can be installed within a domain today, with a couple notes: OD folders on the server should be configured only for access by domain users and not the blanket “Everyone” as suggested. Users must still be configured with administrative privileges on the local machine which clearly neuters any attempt at endpoint security. A Windows Pre-Login Banner stating proper use is suggested, and authorized internet access adds an additional layer of threat management.
3) IDS/IPS is a perimeter defense (layer between the public WAN and your private LAN) and would not afford any added WiFi security. WLAN is an extension of the wired LAN using another media (i.e., the air). WPA2 allows for secure network authentication of users, while TKIP or AES provides the level of encryption for the data traversing this media. My favorite “free” open source security gateway appliance is Untangle (http://www.untangle.com).
4) Any device (i.e., laptop, tablet, phone, etc.) having the possibility of touching your digital assets is a potential threat and a risk which must be managed. It’s a question of trust…Can you truly trust any machine remotely accessing your domain and/or its resources?
5) YES! But it requires multiple NAT routers. Just make sure the guest WAP is between your modem and your LAN’s NAT router. Here is a simple but valuable resource better explaining this issue http://www.grc.com/nat/nat.htm. Remember, you are accountable for any/all traffic which traverses your wireless network open or secured.
Last edited by packets on Wed Sep 21, 2011 12:02 am, edited 1 time in total.
Untangle....Because nothing is worse than doing nothing!
http://www.untangle.com/
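
The advice in this thread to stop sharing the OD folders with "Everyone" and grant a named user or domain users instead can be checked and applied from the server. The script below is an added example, not code from any poster or from Open Dental; it assumes Windows 8 / Server 2012 or later (for the SmbShare cmdlets), an elevated session, a share named `OpenDentImages`, and a hypothetical account `ODSERVER\odkiosk`. It only reports unless run with `-Apply`.

```powershell
param([switch]$Apply)   # without -Apply the script only reports

$ShareName = 'OpenDentImages'     # share name as used in this thread
$Account   = 'ODSERVER\odkiosk'   # hypothetical account; substitute your own user or DOMAIN\Domain Users
$Broad     = @('Everyone')        # add other blanket principals here if your site uses them

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# 1. Find share-level and NTFS "Allow" entries held by blanket principals.
$shareHits = @(Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -in $Broad -and $_.AccessControlType -eq 'Allow' })
$ntfsHits = @((Get-Acl -Path $share.Path).Access |
    Where-Object { $_.IdentityReference.Value -in $Broad -and
                   $_.AccessControlType -eq 'Allow' })

$shareHits | Format-Table AccountName, AccessRight
$ntfsHits  | Format-Table IdentityReference, FileSystemRights, IsInherited

if (-not $Apply) {
    Write-Host "Report only. Re-run with -Apply to restrict '$ShareName' to $Account."
    return
}

# 2. Grant the named account first so the share is never left without access.
#    Change/Modify is an assumption of this example; the thread suggests Full.
Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Change -Force | Out-Null
icacls $share.Path /grant "${Account}:(OI)(CI)M" | Out-Null

# 3. Remove the blanket share-level grants found in step 1.
foreach ($hit in $shareHits) {
    Revoke-SmbShareAccess -Name $ShareName -AccountName $hit.AccountName -Force | Out-Null
}

# 4. Remove explicit blanket NTFS grants. Inherited entries are reported above
#    but left alone: they have to be changed on the parent folder.
foreach ($hit in ($ntfsHits | Where-Object { -not $_.IsInherited })) {
    icacls $share.Path /remove:g $hit.IdentityReference.Value | Out-Null
}

# 5. Show the resulting share permissions for review.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight
```

Run it once without `-Apply` and confirm every workstation's account is covered by the replacement grant before applying.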

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: Kiosks, WiFi, Domains and Security

Post by Jay » Tue Sep 20, 2011 8:13 am

@packets: Great stuff. I will check the links you mention asap.

jordansparks
Site Admin
Posts: 5742
Joined: Sun Jun 17, 2007 3:59 pm
Location: Salem, Oregon

Re: Kiosks, WiFi, Domains and Security

Post by jordansparks » Tue Sep 20, 2011 6:40 pm

> Users must still be configured with administrative privileges on the local machine
No. Only for the first time OD is run. Also might be required if OD is to launch another program through a bridge and that program requires admin. But we have many users who do not have OD launched with full admin priv. Updates don't even require admin if you push the msi. We are also working on an install and update configuration that is outside the Program Files so that install and update will not require admin.
Jordan Sparks, DMD
http://www.opendental.com
