Is Acronis any good for my project?

Dear experts,

I am planning a project and I am asking myself (well, I am asking you, actually) how to best achieve my goals. I'd like to use Acronis True Image software if possible since I think it is a good product. But let me introduce that project to you and see if you could bring me onto the right path...

I have four potential software configurations (Windows, installed software, configurations), all of them running on the same hardware. This should be a small partition which boots at startup (let's say 4 GB of data on a 10 GB partition; Image A, B, C and D - created by Acronis True Image and protected by a password). I want to save those four images to a hidden partition on the same hard drive as the above partition. An you guess it...

... while the normal user should have a "normal" system, a "factory worker" should have a menu driven system to recover each of those password protected files to the systems boot drive. Acronis MUST NOT be installed on that system, so I am thinking of some kind of "programmable" Acronis True Image Recover Boot CD. Plus, the same "factory worker" should be able to use an automatism to update the four image files via network (remember: the files are in a hidden area of the hard drive). Actually, the "factory worker" is some kind of administrator, but I'd like to be those tasks as "trivial" as possible to enable a wider range of people to do those tasks without the need of teaching them how to hide or unhide partitions, etc...

Is Acronis True Image software doing this (or capble of being scripted in a way to do this)? And what must be further considered?

It is clear to me that there this is no easy way or straight forward product, but to me it seems like something that somehow could be done...

Are you willing to help me? I would be very glad and appreciate your help and your thoughts on that.

Oliver Rosenkranz
o.rosenkranz@estensis.de

 

I think you can forget about the "programmable" (or "scripted") True Image (Unless you can provide Acronis with a signed check for 10,000 TI licenses ).

True Image, the Secure Zone ( = a hidden partition), and Secure Zone Manager, comes to mind, but that violates your principle of "Acronis MUST NOT be installed".

How about creating a bootable True Image Rescue DVD instead of a Rescue CD? The DVD should be large enough to hold both TI and a 4 GB image file. For ease of you, you could prepare 4 different DVD's, with identical copies of the True Image program, but with different OS images. It will not be menu-driven, but it will be close....

Or forget about the hidden partition, and store the images on a network server. It would work very similar to the 4 x DVD solution, except the "factory worker" would retrieve the OS image from the server instead of from the DVD.

 

Rosinni, kinda off-topic, but....

Sounds to me you're looking at the wrong solution. I don't see your users wait for 10/15 minutes while the restore runs at each boot?

You *could* pull it off using a program to change your active partition, and with DOS based imaging (Ghost 2003 does command line from DOS)

What you need is one of the following:

A) Windows Domain environment, 2003 if possible. Define security groups for different users. Use Global policies to define what a user can or cannot access on the workstations (these should be loaded with all possibilities) - learn about system policies and be amazed what lockdown is possible with this, you can run one user with "Word" and "Shutdown" only in their start menu, and the other user with all bells & whistles!

B) Use terminal server(s) and configure them to the different needs of users. Supply users with Thin Clients.

C) Take a look a VMware Workstation to run virtual machines, or better yet, build secure machines with VMware ACE.

D) Install different windows setups to different drives/partitions and use a bootloader to hide all partitions not currently active.

 

Well, I am not familiar with Acronis TI Corporate Workstation "client" components, but as far as I understand, this client can be "automated" with command line arguments... wouldn't it be somehow possible to use this client in a "bootable CD" environment?

The Problem with DVDs is... I plan to do frequent updates of all four images. This means that I have to look for an easy deployment of those images - best would be image files...

Well, I need a flexible solution where the "switching images" part is a stand-alone job, while the maintainance (update of images, creation of new master images) is done in a network environment... please read my reply to the next mail which explains a bit more...

Thank you,
Oliver

 

Well, you misunderstood what I said... I am not having users like normal staff or so, I have clients who speak different languages and have different requirements for software. The PCs will be used as stand-alone PCs by each client for a few days. The "factory worker" is a person collecting the PC and re-imaging it onsite for the next client...

Switching between active partitions would mean that future clients would work on "polluted" partitions (as each client has full access to "his" installations).

Solutions A and B (see your post) are no possible solutions (See above). Solution C would be possible but _very_ expensive. And it would slow down the user's speed. And the client wouldn't get full access to "his" installation.
Too many other problems, too.

Solution D would - again - mean that every client using the same language installation would use the same "installation" which means no defined environment for later clients. I would need to re-image the whole disk after each job. No, I need to "re-fresh" the same active partition either by cloning one of several hidden partitions (not too good as no password protection seems to be possible) or by restoring one of several image files that are placed in a hidden area of the same hard drive and which are password protected (since I don't want a client to fool around with them).

Any solutions that come to your mind
I would be glad for any help.

Oliver

 

Hi,

is it perhaps possible to have a Secure Zone on a hard drive holding all of the image files, then creating a Bootable Rescue CD which executes a certain script. Even if I had to create four different CDs to restore four different image files from that secure zone to the active partition... this would be near enough to perfect.

If this is possible, then could somebody please explain to me how to exactly do it?

Oliver

 

Oliver, my knowledge of new True Image features like Secure Zone, workstation clients, are purely theoretical - I am still using TO 6.0 - so I will let someone else answer those questions.

I have an alternative for you. Not software, but hardware:

http://www.eksitdata.com/guard/

 

Rosinni,

Now I understand your problem.

Maybe you can look into techniques that Cyber Cafe's use, as they have the same kind of problem ("polluted" systems)

Furthermore, you can try to minimize the pollution by running the users as non-administrator in windows. This way they can't alter any important parts of windows, spyware is less effective, and you're practically virus free.

Mandatory profiles come to mind (log off/log on, your standard user profile is back) but that is not possible without server environment. I wonder if there are third party tools to do this.

Seems like a difficult thing you are trying to do!

You could supply the factory workers with Iomega USB Rev drives/disks and let them prepare the machines with the latest images? Your images could be up to 35gb this way. Supply the machines with DVD readers and you can image up to 9gb. Of course you would need some kind of "standard" machine for this.

You think it's really needed to put the images *on* the machine?

Password protection, I don't really see that happen. You could protect the images from reading by storing them into a password protected ZIP on a hidden NTFS partition, but you can't protect them from being deleted. Once a user boots to DOS, FDISK will kill all your protection.

Very though project!

 

OK, here's something:

* In Workstation, there is "Trueimagecmddos", Ti can be run from dos

* GDISK.EXE (part of the old Ghost command set) is a batch programmable version of FDISK. Part of its working is hiding/unhiding partitions, and changing active partitions. This will require a reboot to be detected of course...

* DOS reboot tools are plenty on the net.

* Create your different "boot" partitions, AND another hidden partition with TIB images (passwords are possible on TIBs).

* Make a boot floppy (or make a bootable CD from the floppy) with a good batch file that can "detect" the state it is in, and do all the hard work for you. The reboots will be tricky, but writing "flags" to the second partition is possible, to let the batch know where you are. The TIB password protects your images from tampering.

* Your batch should do the following, roughly sketched:

- Check for drive D to be visible (or whatever drive letter the hidden partition would get)
- Not visible? Activate hidden Partition, reboot
- Visible? Ask user which Partition to restore, or which partition to activate
Ask user password for TIB
if restore chosen, Start TrueImagecmdDOS, do errorlevel checking
If bad password, error and exit with hide TIB partition, reboot
if good, set chosen restored partition to active, message user to remove disk/floppy, hide TIB partition, reboot


Now you can boot a floppy, and choose to start environment X, or restore and boot environment X.

 

Update: Seems like you can use the Secure Zone without installing Acronis & SZM. When you boot from the Rescue CD, the SZ is also available.

 

If I give it a try... more questions arrise:

a: How would I update the image files within several "Secure Zones" of several PCs via network?

B: And which product from Acronis would be my best choice then?

C: And again, can I add any script commands to a Rescue CD to "automatically pick an image (with a certain name) from some "Secure Zone" and restore it to a hard drive's first partition, then set it as active partition (to boot from), then restart?

Thank you in advance,

Oliver Rosenkranz

 

Rossini, all things in C can be done by batch scripting/dos, see above. Secure zone is nothing else than a hidden FAT32 partition