Security for Teenage Children's x64bit Win 7 PCs - Suggestions?

[Feandur]

Currently thinking either ..........

* Anti-executables : VoodooShield; or EXE RadarPro [not sure of the difference];

* Policy Hips : App Guard.



Currently just running a standard AV with Malwarebytes realtime....but could change that easily enough.

Anyone found aneffective simple solution to PC security for teenage users?


- have a good day
feandur

[KelvinW4]

Sandboxie and Lockdown with EXE Radar Pro would do it

[Hungry Man]

I would imagine that a teenager would hate an antiexecutable. Regardless, I'd say EMET + Chrome and keep them as up to date as possible.

If they're not gamers why not throw Ubuntu on there? You won't ever have to worry about security, updates are managed centrally through the operating system, and it'll do everything the typical user needs.

[KelvinW4]

Why hate the anti-executable? If it is locked down and perfectly whitelisted it would be quite and safe.

[Hungry Man]

Well any time they'd want to run something new or any time an application updated they'd have to allow it.

Considering how much people hate UAC I'd imagine the same thing but for every application would be a pain for the average user.

[KelvinW4]

Okay I see your viewpoint it is freedom vs security/annoyance in terms of Anti-Execution software

[pegr]

Quote:

Originally Posted by Feandur

Anyone found an effective simple solution to PC security for teenage users?

I did something like this a while ago for a friend whose teenage children were regularly infecting their PC. The parents didn't want to restrict the children's activities while using the PC. After demonstrating some possible approaches, the parents agreed that light virtualization, combined with a limited user account, would provide an easy and effective solution to the problem. A real-time AV was already installed.

I created a limited user account for the children, installed Shadow Defender and set Shadow Defender to automatically enter Shadow Mode on boot. The data folders within the children's user profile were excluded from protection so that they could save data. I locked Shadow Defender with a password that was different to the one used for the system administrator account. Any attempt to open Shadow Defender to exit Shadow Mode required the entry of two passwords because of User Account Control.

That ended the problem. Only an adult with access to the system administrator account was able to exit Shadow Mode in order to install software and apply system updates.

Combining light virtualization with AppGuard, which you are already considering, would make for rock solid protection. AppGuard is effective without being annoying because it applies policy restriction to untrusted applications and silently blocks any behaviour that contravenes the policy without bothering the user.

I'm not saying that any of this is what you should do and I'm not making specific recommendations for either Shadow Defender or AppGuard - just sharing information with you to help you decide on an approach. You will need to experiment to find what works best for you.

Kind regards

[wat0114]

Give them a Standard account to run in only, with no access to admin account (password it). Sandboxie (force browsers) + EMET + UAC @ max + keep it updated, to augment it. They may not be happy about being denied installation rights, but too bad. You must NOT allow them ability to install programs; it's a guaranteed recipe for disaster.

Hungry suggested Ubuntu if they don't game and that's an excellent option as well. Linux pretty much takes care of security for you, as long as you allow the Update Manager to install updates.

[Hungry Man]

A friend of mine got his first personal computer (he'd used a super ancient PC for his business software) a little while ago. I basically did the following:

1) Set him up with Chrome as the default browser. This takes care of browser exploits/ Flash exploits.

2) Installed Adobe Reader. I don't think any exploit has bypassed its sandbox yet.

3) Installed EMET.

DEP Always On. SEHOP Always On. ASLR Opt In.

I forced every program I'd installed and used all.XML.

4) I installed Microsoft Security Essentials just in case he downloads something malicious.

That's all I could really do. I didn't want him to have to ever deal with the security, I chose MSE because it's got such a low false positive rate.

I like security to stay out of peoples way. I think most people do. As far as I know he hasn't had an infection yet.

[Dark Shadow]

Setup Standard user Account with chrome or Dragon Browser chrome based.Add EMET and add all browsers in the configuration.AppGuard is great idea but remember a standard account must be set up to use parental control of AG to protect its defenses from being disabled.I also would suggest norton DNS and choose the best policy the fits.

[ComputerSaysNo]

Quote:

Originally Posted by KelvinW4

Sandboxie and Lockdown with EXE Radar Pro would do it

Yeah sorry but no for teens or any casual user.

Quote:

A friend of mine got his first personal computer (he'd used a super ancient PC for his business software) a little while ago. I basically did the following:

1) Set him up with Chrome as the default browser. This takes care of browser exploits/ Flash exploits.

2) Installed Adobe Reader. I don't think any exploit has bypassed its sandbox yet.

3) Installed EMET.

DEP Always On. SEHOP Always On. ASLR Opt In.

I forced every program I'd installed and used all.XML.

4) I installed Microsoft Security Essentials just in case he downloads something malicious.

That's all I could really do. I didn't want him to have to ever deal with the security, I chose MSE because it's got such a low false positive rate.

I like security to stay out of peoples way. I think most people do. As far as I know he hasn't had an infection yet.

Listen to this man.

[Cloud]

Quote:

Originally Posted by wat0114

Give them a Standard account to run in only, with no access to admin account (password it). Sandboxie (force browsers) + EMET + UAC @ max + keep it updated, to augment it. They may not be happy about being denied installation rights, but too bad. You must NOT allow them ability to install programs; it's a guaranteed recipe for disaster.

Oh come on, wat, we [teens] aren't that ignorant. You can give them a standard account + AV + UAC and he/she will be fine. I believe the setup will vary on age and knowledge. I mean, why not share the basics if they don't know it already?

[Feandur]

Thanks All...

Some thoughts.......

Quote:

Well any time they'd want to run something new or any time an application updated they'd have to allow it.

- Good point Hungry Man !

Quote:

AppGuard is great idea but remember a standard account must be set up to use parental control of AG to protect its defenses from being disabled

- Dark Shadow, as I am not yet a user of Appguard I'm not up to speed on what this means....can you elaborate?....does it mean to install appguard in the Admin account, and some how configure it for each child's account?....or does appguard only run in an admin account ?....[in which case it's a No-Go for me.]

Quote:

Combining light virtualization with AppGuard, which you are already considering, would make for rock solid protection

- pegr, could appguard be used by itself [with my current NIS, and MBAM pro] and leave out Shadow Defender ? Would it be silent enough to be basically "set and forget" ?

- cheers,
have a good day
feandur.

[Feandur]

Without turning this into an "A" vrs "B" situation I wonder is Voodoo Shield more silent then EXE Radar Pro?.....in the sense of just setting up a one time white list and blocking everything else, so there is no need for user decisions.

......So I could use Voodoo Shield as an alternative to Appguard?

I suppose it would mean agreeing with the children what their programs were to white list them up front..........

..... .....

-------Well, that may or may not work

- have a good day,
feandur

[Dark Shadow]

AppGuard can be turned off simply from a right click on tray or through the GUI as a Admin but When you set up a standard account then the admin will be the power user that can control the parental set up through the GUI and password protect it and will lock the standard users from access to any changes with its protection levels.If and when the teenagers log on stander user account there is nothing they can do to disable it. Also the options to lower or turn off Appguard protection from system tray is no longer there.

[pegr]

Quote:

Originally Posted by Feandur

pegr, could appguard be used by itself [with my current NIS, and MBAM pro] and leave out Shadow Defender ? Would it be silent enough to be basically "set and forget" ?

Yes, AppGuard could be used by itself without Shadow Defender, alongside your existing anti-malware programs. A small amount of initial configuration is usually required, but after that AppGuard operates quietly in the background, silently applying policy restriction to untrusted applications without involving the user. There is an active AppGuard thread where you can ask questions and get help: -

AppGuard 3.x 32/64 Bit

[Dark Shadow]

Good pointed out by Pegr Also Barb has some nice screen shots about power user set up with AppGuard but Just got to go digging around a bit as it is a long on going thread.

[themorpethian]

Sorry my first post, but if you simply want to restrict the teenagers access and more then!

If you have windows 7 x64 then why not use you own free software Windows Live Essentials 2012 Family Saftey.

All you need is a Hotmail account.

Heres a guide take a look at what it can do for you!

http://www.vikitech.com/9935/guide-w...ental-controls

Just download the installer and choose what to install

Themorpethian

[jo3blac1]

Quote:

Originally Posted by KelvinW4

Why hate the anti-executable? If it is locked down and perfectly whitelisted it would be quite and safe.

Because when a teenager wants to download and try a new game he will not be able to. Eventually he will find ways to crack anti-executable protection and install whatever he pleases.

I wouldnt do anything like an appgourd or antiexecutable for that reason. Instead try going with Chrome, EMET, MBAM, HMP and Rollback Rx. I would also try to educate the teenager instead of locking down the computer. Most parents miss the fact that teenagers/children cannot be controlled, they can be educated and you then can hope for the best.

[Cloud]

Quote:

Originally Posted by jo3blac1

I would also try to educate the teenager instead of locking down the computer. Most parents miss the fact that teenagers/children cannot be controlled, they can be educated and you then can hope for the best.

Thank you! lol I had just said that but in a less educated fashion. It can also be the teen that educates himself and applies that information. It happens.

[wat0114]

The company I work for employs an IT department that manages several thousand desktop computers, with all but only a small percentage of authorized staff denied administrative access to them - and we're all adults. Essentially they're "locked down" by restricting us to a Standard user account and through the use of scripts that apply Group Policy restrictions. Is this the right approach, or should IT instead allow everyone full administrative access, and simply try to educate every desktop user on safe computing practices? How do you think this would pan out in the long haul?

[adrenaline7]

Quote:

Originally Posted by wat0114

Essentially they're "locked down" by restricting us to a Standard user account and through the use of scripts that apply Group Policy restrictions. Is this the right approach, or should IT instead allow everyone full administrative access, and simply try to educate every desktop user on safe computing practices? How do you think this would pan out in the long haul?

It would pan out to be a huge gigantic failure. 100% guaranteed.

[jmonge]

failure. 100% guaranteed.

[ComputerSaysNo]

Quote:

Originally Posted by wat0114

How do you think this would pan out in the long haul?

Please don't do this. Admin accounts + regular users = pwnage

[Zorak]

I've managed to keep our family computers safe from the ravages of teenagers for over 8 years. See my signature for what I currently use, but it has been a similar setup for most of that time. In my opinion the two most important safeguards are the Standard User Account and the Software Restriction Policy.

I'd also make the point that there is more to maintaining a family PC than just security. If users (especially children/teenagers) are allowed to simply install anything they come across, then your brand new, multi-core, high GHz beast will quickly turn into a computing slug. It will get so loaded up with auto-starts, toolbars and all manner of dodgy background processes you will swear someone has poured concrete into it. Those same teenagers will then be insisting you buy them a new computer because the current one is so slow