Approach for preventing or limiting access to personal computer

So the context of my question is this:

1. I own a personal computer, and I keep it super-secure/bullet-proof etc with Sandboxie and a good security approach.
2. I live in a house.
3. There are other people in this house.
4. These other people may want to borrow my computer for basic purposes like surfing the internet or using basic programs that are already installed on my computer.

What do people think is the best way to approach this, so that no harm can be inflicted on my system?

I can think of a few ideas:
1. Lockdown the computer with password protection, so that people in the house can't even access my computer (this seems a bit selfish haha).
2. Use a classical HIPS and lockdown my computer with password protection so that nothing untrusted/unknown can run (this may require a bit of configuration, and means I have to use a HIPS, which I don't want to).
3. Use Anti-executable 2.3 and enable its maximal protection whenever I'm away from the computer (this is the option I am seriously thinking about).
4. Educate everyone in the house about having a good security approach, and make them familiar with Sandboxie (too much work and probably not reliable at all!)
5. LUA?

 

Can you say LUA? lol, you can also, if so inclined, create an account or group that has much locked down, much like a kiosk would, so that much is not accessible except maybe a browser and text editor, wordpad or something. Or whatever program you would like.

Go to a hospital, find their complimentary internet computer, and you will see what I mean. At least where I live the hospitals have computers for guests that have pretty much everything locked down except the browser and a few basic things like notepad or solitaire etc.

Then you dont worry because this 'guest' account is held at bay with permissions.

Sul.

 

LUA + SRP + SuRun might be a good idea. Use a default-deny policy with SRP.

Personally I would password protect my computer and not let anyone use it.

 

Returnil or Shadow Defender are made for this situation!

 

Password protect your account and create LUA account/s for other users. Force sandboxed programs such as the browser, pdf reader, media players, etc. Delete sandbox on close and of course other handy restrictions that your aware of. Add in a reboot to restore program and your about 99%.

Buy a used 2nd computer, install wireless card and connect to a wireless router. Or you can go the wired route. This is the best option as it doesn't expose your personal data on your main rig to the world if it would happen to get hosed. Plus it makes everyone happy to have a machine of their own. Image before you let them touch it .

Buy dot com has used leased computers from around $119 without a monitor. Most I've seen come with XP Pro so LUA and SRP can be used. Heck, I found my sis's new dual core lappy for $400 which is now $350 after rebates. I know money can be hard to come by but a 2nd machine is the perfect solution. You can also experiment on it instead of your own rig .

AE is another good solution. Also, Sully mentioned public kiosks which may be using Windows Steady State. It's not only a reboot to restore but can enforce many restrictions from what I understand.

P.S. My mother has been using my old computer with Windows firewall, Avast and Sandboxie. The other night I taught her how to Terminate All Programs because a tab/window wouldn't let her close it (she was playing games at pogo). It worked perfectly and the sandbox deleted upon closing. I believe she's finally appreciating the sandbox concept .

 

Tell them to buy their own computer, and to keep their dirty paws off your pristine machine haha.

All jokes aside another cheap, average spec machine is probably the best. You don't have to play musical chairs with the one machine, plus with theirs they can trip over the power cord, spill a drink in the tower and delete /system32/ and it won't effect you.

Otherwise... Create a dual boot and lock your partition, then they can have their own OS and turn their filesystem in to confetti.

 

LUA obviously. This is exactly what LUA is for. Never, ever, ever give an admin account for use to someone you do not fully trust as much or more than you trust yourself - even if you've loaded the system full of all kinds of security software from anti-executables to fancy rollback type software. All it takes is for the user to turn the security software off (perhaps because they think it's slowing down a "game" they want to play), or for there to be a flaw of some sort in the security software, and then bad things may happen.

 

1. Lockdown the computer with password protection, so that people in the house can't even access my computer (this seems a bit selfish haha).

thats what i do, screw if anyone else wants to use my comp, if they cant learn, then they dont deserve to use it (ive had bad past experiences with family members and computers )

 

lol, there is something about family members using a computer that just is wrong. I have a computer for each of my kids and my wife. My dad or brothers or brothers-in-law occassionally need internet access when they are in town as well. I used to let them use mine. But now, they don't even bother. They use my wifes. Suits me fine. It seems that my system is a little too tweaked for thier tastes. Must not be as easy to use, but to me it seems much easier

Maybe it would be best just to setup a LUA for whomever, then tweak that sucker so much is locked down. Easy to do, costs nothing, and unless they get root they cannot change it.

Sul.

 

Password protection on security software is nice in some cases. But when it comes to sharing a computer, there's more than just malware to consider. What about user access to our sensitive or important files, for example? A perfect anti-malware might prevent 100 % of malware infections, but will it prevent the local user who has admin privileges from viewing, modifying or deleting your files using built-in Windows functions? If you give someone an admin account, that means they have full access or can forcefully take access to anything that isn't encrypted. This may be something to consider. I for one know that I have some files on most of my systems that I wouldn't want everyone to see. For example, I would rather not let the lil' kids watch violent war movies like Saving Private Ryan that I have around on the hard drive when I've left them alone to use the computer for a moment. I'd rather have them watch moomin cartoons on their own limited account that doesn't allow even read access to my files.

 

What about locking the door ?

If you want to allow others to use your computer LUA+SRP would seem to be a good choice. But can you be certain that they won't be able to access your administrative account ? Passwords can be bypassed.

Maybe Deep Freeze would be a good choice ?

 

Make them use a Linux liveCD when they want to browse the web. This will have absolutely no effect on your Windows install (better than Sandboxie). A typical Linux liveCD is ~600 MB, but you can find them smaller. They come with everything out of the box -- Firefox, a e-mail client, etc..

 

ive actually had to do that once, it was very awkward, very awkward carrying around a Hard Drive......

 

I see no option better than buying a second computer.
You have worked hard to get your computer exactly the way you want it and allowing anyone else to use it will invariably lead to undesired changes.

Could you really feel as comfortable using it after someone else has used it- unsupervised ?

I see no way to unequivocally secure a PC or Mac, no matter how hard you try.

-Therefore-
A second computer for the family.

There are a number of outlets for such;
one I have personally used is HCDI Trading.

http://www.hcditrading.com/Shop/Control/fp/SFV/29664

You can buy a used computer with XP Pro there for less than you would pay for that OS separately.
They also sell monitors and package deals are available.

Just my personal opinion.

 

I think it blocks command prompt executed malware.
script executed malware is pretty much extinct.

 

Get an old XP installed 20-40 gig drive, partitioned and imaged, and unplug your drive and hook that one up for anyone else to use.

Be a bit of fun seeing how infected they can get then if need be just wipe and reimage.

 

Oh! Franklin that reminds me of a great solution. I plum forgot about it. You can buy or build a hdd switch that mounts in the front in one of your drive bays. I think I saw it on Newegg or Frys or something like that one time. It was like $20, and it was a simple key/lock on the front, and inside it would route one of two hdds to the mobo. This way you could shut down, turn the key, and have complete segregation. Then lock down the guest drive as you see fit never having to worry about anything touching your drive, unless any new bugs figure out how to communicate to hdds wireless

Sul.

 

I also had forgotten about the HDD switch. Here is an old post about one of them. I checked and it's out of stock at sidewinders.

Review from above link. http://www.madshrimps.be/?action=getarticle&number=1&artpage=3393&articID=814

Out of stock item. http://www.sidewindercomputers.com/duduhadrposw.html

These folks have them in stock. http://www.performance-pcs.com/catalog/index.php?main_page=product_info&products_id=25675

I saw some with keys but they were expensive. http://www.industechnologies.com/default.asp