security for a reckless internet kid

[amiti]

Hello ,

I am building a pc that will be used also by my young nephew. He likes to download all the bad stuff from the internet no matter how many advices he receives . I don't want to limit his actions nor do I want to delete all of his downloads and installations each time he exits / logs off.

I was wondering if there is a way to constantly keep a user in a sandboxed / virtualized account isolated from other users; A sandbox/Virtual environment that won't be re-initialized each time the user logs on or reboots but will let the user building up his own messy account without affecting other user accounts.

Thank you for any advice or suggestion.

[kupo]

This one's very easy if it's just a kid. You don't even need third party software for this. Set UAC to max. Make a separate standard user account for him. Password protect the administrator account, enable parental controls (the block program that is not whitelisted) (just check every executable when setting it up). That's it, he won't be able to run any programs without the admins password. You could even use OpenDNS, or any web filtering software, there's a bunch of them that's free. Disable access to file hosting site, pr0n, etc. And make sure that no torrent client is installed, or he can't access the torrent client in his account.
EDIT: I see that you don't want to limit his actions. Guess I should have read before posting
EDIT2: Just a bit of advice, if he download lots of bad stuff, you need to limit his actions, with a user like that, it's only a matter of time before you get infected. So I suggest to you to use either the method I suggested (parental controls) or see Faronics Anti-Executable.
EDIT3: I remember a program that does exactly what you wanted -http://icoresoftware.com/ (Note: Supported Operating Systems: Microsoft Windows XP (Service Pack 3) (32-bit only))

[amiti]

Thanks skudo12, Icore seems adequate but I use windows 7 x64... Isn't there a similar product or a different way that supports x64 systems?

[kupo]

Well, their is a bunch of virualization product. I just don't know if they will work the way you wanted. I am using Returnil but I don't know if you can "force" to start virtual mode per account. You could wait for someone more knowledgeable about this.

[dw426]

Please don't just let the kid do whatever he wants, we've got enough PEBKACs to keep malware authors and hackers in business as it is without adding more. The "he won't listen" excuse is just that, an excuse. No halfway responsible usage, no PC. Alright, enough parenting 101. If you're bound and determined to let the kid run free, even if you've got to pay for it, get him some sort of virtual system like Sandboxie or Returnil. In fact, if you get Sandboxie, it's going to have to be paid for, because this kid needs a forced browser, and that's only available in the paid version.

Returnil is a great option as far as set it and forget it, however, I've found at times for folders, registry items and such to "leak through", meaning they are there when the system is shut down and you log into the "real" system. However, yet another problem exists, Returnil only works if you push the button and put it into virtual mode. Actually, although Skudo gives great advice for just such a kid, if you aren't going to limit anything he does, then nothing I suggest or Skudo suggests is going to work.

Unfortunately few things in life keep you safe without limiting an action.

[Tsast42]

What a nightmare! I think we all know this kind of user and in my experience it pretty much doesn't matter what you have installed, they will always determine some way to get around it and infect the computer. Add to this the 64 bit Windows 7 and that greatly restricts the few examples of software that might make a difference for such a user.

Hmm the only thing I can think of is full fledged virtualisation in a Virtual Machine: he could do what he wants within it and it will run as usual and be saved only to the virtual hard disk. You would need to combine that with some sort of program or combination of native settings to prevent him from making any changes to the host Operating System however, otherwise in no time at all you'll see him saving and running stuff directly from the host.

I'm not quite sure what would be best for that purpose. Something like SUA + SRP would protect the host Operating System but I would imagine would also limit the VM too so would defeat the purpose. Then there are programs that would work well for this purpose, such as Windows Steadystate or Defensewall but these won't work on Windows 7 64. Perhaps there is some sort of VMware software that could lock the user within Wonderland? I'm sorry for being unhelpful but I can't think of anything that would work on Windows 7 64 that will prevent the user from changing the host OS without also curtailing the adventures in Wonderland. Perhaps someone else would know of something suitable?

[acr1965]

what about something like returnil?

[zapjb]

I'd install a drawer system in the tower. 2 HDDs & 1 open space for 1 drawer. Password protect yours. Then let the kid do whatever. Then when you want to use the computer take his drawer out & put your drawer in. Use a high quality drawer though as a poor quality drawer won't withstand repeated uses.

[Ranget]

antiexcutable with a password

or just comodo set to Block and Password protected

[Peter2150]

I am afraid I take a bit of a different approach. If it was my computer, and I paid for it and built it, knowing what you've said about your nephew it was me, he simply wouldn't be using it.

[noone_particular]

I'm not sure how well it would work on Win7 or 64 bit. With classic HIPS on 32 bit, you can specify which apps or processes can parent another. With a package based around Sandboxie for instance, you could block explorer from launching the browser or most any other process and make Sandboxie the only allowed parent for all the user apps. That would force all of his activities into the sandbox. I'd suggest such a setup whether you use the free or paid version of Sandboxie. It would lock down the host should something he gets into manage to escape containment. Look to the idea of making the system itself default-deny for all things not in the sandbox of the sandbox. It may also be possible to do the equivalent with VirtualBox or VMWare, giving him free reign on the virtual system but absolutely no access to the host system.

Normally I have no issues with allowing someone to use my PC as it's configuration won't allow that kind of behavior. With that type of activity allowed, I'd let him trash his own PC and wouldn't let him touch my own.

[amiti]

Thank you for all the suggestions and help!

The pc isn't mine. It is my brother's but his son is the "threat" I would like him to feel free more or less without me coming to the rescue once a week.

I found a software called Bufferzone that lets browsing and installing from the internet - all in a isolated sandbox that is kept between sessions. I have just had preliminary look at it but so far it seems friendly enough and unobstructive.

Do you know if the new 64-bit version is stable? Is it as safe as sandboxie?

[kupo]

You are using a 64-bit version. If you want it to be as safe as possible, use Sandboxie as it has the "experimental protection" that will make Sandboxie's protection in 64-bit be the same as 32-bit. But again, virtualization/isolation is not perfect, I suggest you and your brother discipline that child and ban him in using the computer. (not a joke)

[Montmorency]

Quote:

Originally Posted by skudo12

I suggest you and your brother discipline that child and ban him in using the computer. (not a joke)

Quite right!

[Hungry Man]

MSE. Low false positives so the kid isn't constantly harrassed/ loses trust in his AV.

Chrome with Adblock. No Flash/Chrome exploits to worry about and some Java exploits will break.

EMET. Prevents many Java exploits.

Not much else to do. I use this setup for old people/ young people and it's always worked well.

[The Shadow]

Imho the best solution is Shadow Defender (don't need anything else). Just enable it to start with Windows and set it to automatically enter Shadow Mode on bootup. Then password protect it so the kid can't commit or exclude anything, or screw with it in any way. That will do it and no worries!

[TheQuest]

Hi amiti

I agree 100% with The Shadow.

Quote:

Originally Posted by The Shadow

Imho the best solution is Shadow Defender (don't need anything else). Just enable it to start with Windows and set it to automatically enter Shadow Mode on bootup. Then password protect it so the kid can't commit or exclude anything, or screw with it in any way. That will do it and no worries!

Take Care
TheQuest

[amiti]

Shadow defender doesn't let the child to play and keep his changes to the system between sessions. Each reboot reverts to the safe original state. I think Returnil can do this too. Right?

Disciplining the child is not an option for me. He is 9yo and in time I believe he will learn to be more careful. For the time being I try to give him the safest playground to explore.

For now bufferzone looks promising but I am worried it is too bloated and thus wouldn't be stable in all situations.

[Montmorency]

Quote:

Originally Posted by amiti

Disciplining the child is not an option for me. He is 9yo and in time I believe he will learn to be more careful.

With the free reign you give him he will never learn.
Your attitude to children illustrates the expression spoiled brat.

[Sully]

People (kids or adults) seem to learn best by getting hosed aka "school of hard knocks". If you could give him his own machine, which he could put pics on and download songs (or most likely saved game files), and then he were to lose them, he might learn the valuable lesson. Some never do though.

As to the problem:

Shadow Defender allows him to turn the machine on, log in, and not mess up "your" machine. It doesn't do anything to teach him right/wrong skills, but does achieve your goal.

A standard user account without admin access is more restrictive, forcing him to obey your rules. Again, it doesn't teach him right or wrong computing skills because you are enforcing it, but it does, again, keep him from wrecking "your" machine.

The other tools at your disposal do not ensure complete protection. Well, the alternatives to shadow defender do, like returnil etc. But in general, if you use a sandbox or a hips type tool, and you give him admin rights, there is no guarantee.

I rather like the prospect of a boot right into it solution. It gives him no recourse to mess up "your" machine.

Do note the use of "your" in my response. To me, that is the real issue here.Whether or not you want to teach him now, or ever, about the right and wrong things to do (in terms of keeping a computer in good shape), it all comes back to one thing - it is "your" machine. If you value having a clean machine that performs well etc, then you are going to have to take some measure to keep it that way. It "appears" that you don't want to restrict the lad too much but you also want to keep "your" machine in good order. I believe the two are mutually exclusive.

For what its worth anyway

Sul.

[Critter2]

I agree with Montmorency

[zapjb]

Look at my post #8. That'll teach the reckless internet kid. And the responsible user won't be phased.

[amiti]

Thank you all for the suggestions , even the educational ones

I want to clarify the computer is my brother's and so is the kid. If someone should discipline the boy it is not me. I am only helping out , trying to set up the system in the safest way possible , knowing perfect solutions do not exist.

Maybe explaining in detail the measures put in to make his system safer would make the boy appreciate the threats no less than disciplining him?

[Sully]

Quote:

Originally Posted by amiti

I want to clarify the computer is my brother's and so is the kid. If someone should discipline the boy it is not me. I am only helping out , trying to set up the system in the safest way possible , knowing perfect solutions do not exist.

Same problem arises then for your brother. If he wants a clean machine, he will have to take control. I understand that is what you are trying to achieve, searching for a mechanism that you can implement for them, in thier situation. I have dealt with the same situation (although not always kids who are the problem, but adults as well) many times. Generally the issue is resolved once you have them login as users and keep the admin credentials to someone who is more knowledgable about computers. I find this approach has been better for the less educated, and the other tools (hips/sandbox/virtualizing/etc) are usually more valuable for more advanced users.

Good luck.

Sul.

EDIT: Also, even at 9, kids have amazing learning and retention capabilities. You are likely correct, at least IMO, that explaining it to him might be the best route. Not that limiting while learning is a bad thing.

[Tsast42]

Quote:

Originally Posted by acr1965

what about something like returnil?

Good idea, the only thing is I don't think it has password protection. On the other hand it's only being used as a failsafe and as it'd be more work to turn it off than to just use the VM it could work, just save the virtual hard drive (of the VM) on a non-system partition so that it would remain constant between uses.

I wouldn't recommend application sandboxing for such a user, as such programs are limited by design: sooner or later the child is going to want to install something that won't run inside the sandbox because it requires some further measure of system access than is allowed by such software, and this is exacerbated on a 64 bit Operating System. The consequence is that he'll just install his junk outside it. A Virtual Machine allows him a lot more free reign.

On the subject of free reign another idea to consider is an internet filter such as Norton DNS or K9 Web Protection. These will block a lot of malware before it even reaches the computer and will allow for some measure of control over where he goes online: no child should be allowed uncensored viewing of the World Wide Web.

Norton DNS is good for minimal filtering of malware and pornography, it's completely automated and you hardly ever notice it as nothing is installed on your computer; a further bonus is that it speeds up the connection. Where it falls down is in additional content filtering: beyond malware and smut there's a third option to block what it calls 'non-family-friendly' sites, but as there is no installation on your system this cannot be configured and is very rough - it will stop the entire household from buying a lottery ticket or tobacco but will allow the viewing of nudity for artistic purposes

K9 Web Protection is designed as a parental supervision tool: the upside to this is excellent customisability and that it cannot be evaded and switched off without the password where Norton DNS can be easily removed with a few clicks. The downside is that it tracks and lists every connection that is ever made through your computer to another website: whilst it's true that you need to login to your account to view it, just the idea of having a huge undeletable list of every site your computer has ever accessed by time and date creeped me out. Of course this may be just what some parents will want.