Security suite for the dangerous surfer?

Discussion in 'other anti-malware software' started by ejr, Dec 9, 2006.

Thread Status:
Not open for further replies.
  1. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    Let's assume that your PC is about to be exposed to some very bad habits. This time of year, with family and friends coming over and in for the holidays, this isn't a bad assumption. Maybe your teenage nephews might try to download music while they are in town. They might also send instant messages to their friends. Your brother-in-law might hit some porno sites while nobody is looking. And your mother might even be surfing on your computer during the holidays. So your PC could be much more at risk during the holiday season than it would be at any other time.

    Keeping in mind that none of the people that will be on your PC are computer experts, what software would you put on your PC to protect it from these bad habits? You can't use any of the advanced HIPS programs like SSM or Pro Security because the end users won't know how to use it.

    Basically, set up a suite for really dangerous surfing habits. For bonus points keep it light on resources and inexpensive. Though this is optional.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    1) Anti-Executable or similar, to prevent any unauthorized installation - deliberate or remote - of executables

    2) Deep Freeze or similar: system reverts to previous good state on reboot.

    Both of these programs require no action/knowledge on the part of your guests: any unauthorized activity is "default deny."

    regards,

    -rich
     
  3. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    It's not just dangerous surfing you have to worry about. What about deleting files/folders, etc. I would recommend something like FirstDefense ISR and use a 'frozen', password protected snapshot. Or protect all partitions with ShadowUser.
     
  4. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    1. Take an image b4 they come & restore it after they leave.

    2. mobile/exchangeable drive racks
    Excellent if you share the computer with others. Especially when they're click happy, turn off AV & PF cause an app told them. Etc.
    So the OS is crippled. Who cares? Wait till they all leave.
    Just pop their tray out. And put in your saved&clean HDD. And when you're done. Reclone. You have 2 clean HDDs.


    Because any unsafe surfer/knucklehead can defeat any security suite.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Since his users are not computer literate, SU may not be a good choice since decisions to commit/discard must be made before reboot (if I understand it correctly).

    DF is more bullet proof for this situation, in that all changes are discarded by default upon reboot.

    AE will prevent any deleting of executables (incl. drivers) which might crash the system.

    regards,

    -rich
     
  6. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Use any good imaging program - make a full image and then let them do what they want. When they have gone home, restore the image and it's as though nothing has happened. I use Acronis and reset the laptops and desk machines used by my family all year round. It's easier than trying to get them to be secure.
     
  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Depends how unsafe they are, IMO.
    In some cases it might be OK to use a limited account, put password protection on the antivirus and firewall, and run IE in a sandbox.
    lodore
     
  8. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Can't get any safer than a Linux virtual run from a CD using Firefox on your Windows box. No Windows files to infect and any junk collected goes bye-bye when you switch to your main OS.

    You just download a Linux (like Ubuntu) ISO, burn it to a CD and boot your computer with the CD inserted. Usually, the BIOS has the boot menu with the CD before the hard drive. Don't install Linux, just boot the CD and voilà, bullet proof surfing.
     
  9. controler

    controler Guest

    Make um use the guest account ;)
     
  10. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    VMWare is good. If anyone ever uses my PC it's always my virtual machine :)
     
  11. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Or just hide it away somewhere and tell them it's still in the shop since their last visit!:D
     
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    For very unsafe surfing, one should have BZ or DW, or GeSWall or Sandboxie. These tools have been designed for this purpose. And after surfing, you can erase changes made to the system easily. Because downloaded stuff is isolated, no worries.

    It should definitely be the first line of defense. As Ilya says, you can always have an AV (or even another kind of HIPS like a behaviour blocker) to make you feel more comfortable.
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Other than your normal anti-malware and firewall setup, you might consider something like LinkScanner Pro and a Limited User, or better yet Guest, account. I would also restrict internet usage to a browser like Firefox or Opera. If you happen to use Prevx1 you could also set it to automatically block unknown programs (and password protect the console).
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I agree with controler...
    Password protect your account and switch on the guest account.
    Another good suggestion by [suave]...
    For simplicity, download and install the vmplayer, go to easyvmx and download the .vmx relating to your OS disk, then make and give them their own VM. Just delete it when they're gone.
    All are good suggestions and I think I can also add one: http://www.microsoft.com/windowsxp/sharedaccess/default.mspx
    MS Shared Computer Toolkit.
     
  15. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Kaspersky and Prevx1 have protected me during dangerous surfing, but for newbies I guess different measures (sandbox or rollback software) would be more appropriate.
     
  16. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    Download SiteAdvisor
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    2 options -- each 99% bullet proof.

    1- DeepFreeze the drive so nothing permanent gets added/deleted/modified. NOTHING! (60-day free trial)
    OR
    2- Image-for-DOS the drive before they start, then restore the image after they leave. (30-day free trial).
     
  18. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: People tend to use public computers to do crazy tasks, just because these machines are not their own. And admins of these boxes put in DeepFreeze to counteract these attempts. And it works most of the time. And saves them a lot of downtime. If every PC would come w/ DF installed, all the anti-malware vendors would cry blue all the way to their banks. :)
     
  19. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,910
    Location:
    USA
    I am trialing DefenseWall (30 day trial). I was lurking on their forum to see what I could pick up. I saw you were there asking questions.
     
  20. herbalist

    herbalist Guest

    I'd use a 2 pronged approach:
    1. Make your present security setup as tight as possible.
    2. Make a full system backup in case step 1 fails.

    For step 1, making a separate profile or account for guest users, is an excellent start.
    If you use a HIPS or similar software, make use of any password option it has that prevents access to its user interface.
    Set the HIPS to not prompt for unknowns and just block them outright.
    If your firewall has a password option, that prevents shutdown or access to the ruleset, use it.
    If your browser has a master password option, use it to keep them from using your accounts.
    Hopefully, none of these guest users are of the "geek wannabe" types that know just enough to be dangerous, ones that will try to shut down or uninstall a firewall, delete their browser history or try to add a porn program. If you have any suspicions that a potential user might qualify as one of these, try to take some additional precautions.
    1. Use an install monitoring program like Inctrl5 to take a system snapshot before the guests use the PC. Then take another after they're gone. All file system and registry changes will be documented, giving you an easier time undoing any changes they might have made. Yes, system backup would make this unnecessary, but it can be useful with young users to determine just what they've been doing, in case there's something their parents need to know about. Index.dat suite can be useful for those "guests" who think they can hide their online activities by clearing the history and cookies.
    2. Deny them access to the control panel, the add-remove programs applet, the browser security settings, etc.
    3. If you have any software that can control what areas of the file system they can access, block them from your personal files, the core system folders, etc.

    For step 2, creating a full system backup, if you have a backup program like Acronis, Image for DOS, etc., you already have the solution to whatever they can do. If you don't have good backup software, make a restore point. At a bare minimum, make a full registry backup.
    Hopefully, they'll all behave and you won't have to use any of the backups.
    Rick
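
The before/after snapshot comparison described in the post above, reduced to the file system only, as an added example that is not part of the original thread and does not reproduce how Inctrl5 works internally. It hashes every file under a directory before the guests use the PC and again afterwards, then lists what was added, removed or modified; the function names and the sample tree are constructed for illustration, and registry changes are not covered.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Return {relative_path: sha256 hex, or None if unreadable} for files under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip links and special files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                state[rel] = digest.hexdigest()
            except OSError:
                state[rel] = None  # locked or access denied: record presence only
    return state

def diff(before, after):
    """Compare two snapshots taken with snapshot()."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Constructed sample tree standing in for the area guests can reach."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        sample = {"docs/taxes.txt": b"2006", "hosts": b"127.0.0.1 localhost\n",
                  "notes.txt": b"keep"}
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = snapshot(root)                       # taken before the visit
        os.remove(os.path.join(root, "docs/taxes.txt"))   # a file gets deleted
        with open(os.path.join(root, "hosts"), "ab") as fh:
            fh.write(b"0.0.0.0 example.invalid\n")    # a file gets altered
        with open(os.path.join(root, "toolbar.exe"), "wb") as fh:
            fh.write(b"constructed placeholder")      # something gets installed
        return diff(before, snapshot(root))           # taken after the visit

if __name__ == "__main__":
    print(demo())
```

On a real machine the "before" snapshot has to be saved somewhere the guest account cannot write, otherwise the comparison proves nothing.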
     
  21. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Whilst I accept all your points, isn't certainty better than hope? I.e. just make an image, let them do what they like and then restore the image - no need to hope nor be concerned about what they have done.
     
  22. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    As others have said, set up a limited user account for their use. If you have XP Pro, activate the software restriction policy and just use the default rules. I think that would be enough.

    Plus for my bonus points, it's extremely light and is free (assuming you have XP Pro, not Home).
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Cheap, very secure and light for surfing wherever - Sandboxie.

    Place a shortcut to "run the default web browser under Sandboxie" on desktop, right click - rename to your browser and also change the icon to suit.

    Hide or delete any other browser shortcuts and your guest users probably won't even know they are surfing inside the sandbox.
     
  24. security_concerned

    security_concerned Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    24
    Set BIOS to boot from CD-ROM first and disable hard drive boot altogether. Password protect BIOS.
    Boot live Linux CD and enjoy.
     