Security for Teenage Children's x64bit Win 7 PCs - Suggestions?

Discussion in 'other anti-malware software' started by Feandur, Sep 24, 2012.

Thread Status:
Not open for further replies.
  1. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    Currently thinking either ..........

    * Anti-executables : VoodooShield; or EXE RadarPro [not sure of the difference];

    * Policy Hips : App Guard.



    Currently just running a standard AV with Malwarebytes realtime....but could change that easily enough.

    Anyone found aneffective simple solution to PC security for teenage users?


    - have a good day
    feandur
     
  2. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Sandboxie and Lockdown with EXE Radar Pro would do it
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would imagine that a teenager would hate an antiexecutable. Regardless, I'd say EMET + Chrome and keep them as up to date as possible.

    If they're not gamers why not throw Ubuntu on there? You won't ever have to worry about security, updates are managed centrally through the operating system, and it'll do everything the typical user needs.
     
  4. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Why hate the anti-executable? If it is locked down and perfectly whitelisted it would be quite and safe.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well any time they'd want to run something new or any time an application updated they'd have to allow it.

    Considering how much people hate UAC I'd imagine the same thing but for every application would be a pain for the average user.
     
  6. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Okay I see your viewpoint it is freedom vs security/annoyance in terms of Anti-Execution software :)
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I did something like this a while ago for a friend whose teenage children were regularly infecting their PC. The parents didn't want to restrict the children's activities while using the PC. After demonstrating some possible approaches, the parents agreed that light virtualization, combined with a limited user account, would provide an easy and effective solution to the problem. A real-time AV was already installed.

    I created a limited user account for the children, installed Shadow Defender and set Shadow Defender to automatically enter Shadow Mode on boot. The data folders within the children's user profile were excluded from protection so that they could save data. I locked Shadow Defender with a password that was different to the one used for the system administrator account. Any attempt to open Shadow Defender to exit Shadow Mode required the entry of two passwords because of User Account Control.

    That ended the problem. Only an adult with access to the system administrator account was able to exit Shadow Mode in order to install software and apply system updates.

    Combining light virtualization with AppGuard, which you are already considering, would make for rock solid protection. AppGuard is effective without being annoying because it applies policy restriction to untrusted applications and silently blocks any behaviour that contravenes the policy without bothering the user.

    I'm not saying that any of this is what you should do and I'm not making specific recommendations for either Shadow Defender or AppGuard - just sharing information with you to help you decide on an approach. You will need to experiment to find what works best for you.

    Kind regards
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Give them a Standard account to run in only, with no access to admin account (password it). Sandboxie (force browsers) + EMET + UAC @ max + keep it updated, to augment it. They may not be happy about being denied installation rights, but too bad. You must NOT allow them ability to install programs; it's a guaranteed recipe for disaster.

    Hungry suggested Ubuntu if they don't game and that's an excellent option as well. Linux pretty much takes care of security for you, as long as you allow the Update Manager to install updates.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    A friend of mine got his first personal computer (he'd used a super ancient PC for his business software) a little while ago. I basically did the following:

    1) Set him up with Chrome as the default browser. This takes care of browser exploits/ Flash exploits.

    2) Installed Adobe Reader. I don't think any exploit has bypassed its sandbox yet.

    3) Installed EMET.

    DEP Always On. SEHOP Always On. ASLR Opt In.

    I forced every program I'd installed and used all.XML.

    4) I installed Microsoft Security Essentials just in case he downloads something malicious.

    That's all I could really do. I didn't want him to have to ever deal with the security, I chose MSE because it's got such a low false positive rate.

    I like security to stay out of peoples way. I think most people do. As far as I know he hasn't had an infection yet.
     
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Setup Standard user Account with chrome or Dragon Browser chrome based.Add EMET and add all browsers in the configuration.AppGuard is great idea but remember a standard account must be set up to use parental control of AG to protect its defenses from being disabled.I also would suggest norton DNS and choose the best policy the fits.
     
  11. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    Yeah sorry but no for teens or any casual user.


    Listen to this man.
     
  12. Cloud

    Cloud Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    1,030
    Location:
    United States
    Oh come on, wat, we [teens] aren't that ignorant. You can give them a standard account + AV + UAC and he/she will be fine. I believe the setup will vary on age and knowledge. I mean, why not share the basics if they don't know it already? ;)
     
  13. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    Thanks All...

    Some thoughts.......

    - Good point Hungry Man !

    - Dark Shadow, as I am not yet a user of Appguard I'm not up to speed on what this means....can you elaborate?....does it mean to install appguard in the Admin account, and some how configure it for each child's account?....or does appguard only run in an admin account ?....[in which case it's a No-Go for me.]

    - pegr, could appguard be used by itself [with my current NIS, and MBAM pro] and leave out Shadow Defender ? Would it be silent enough to be basically "set and forget" ?

    - cheers,
    have a good day
    feandur.
     
  14. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    Without turning this into an "A" vrs "B" situation I wonder is Voodoo Shield more silent then EXE Radar Pro?.....in the sense of just setting up a one time white list and blocking everything else, so there is no need for user decisions.

    ......So I could use Voodoo Shield as an alternative to Appguard?

    I suppose it would mean agreeing with the children what their programs were to white list them up front..........

    .....:blink: .....

    -------Well, that may or may not work :ouch:

    - have a good day,
    feandur
     
  15. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    AppGuard can be turned off simply from a right click on tray or through the GUI as a Admin but When you set up a standard account then the admin will be the power user that can control the parental set up through the GUI and password protect it and will lock the standard users from access to any changes with its protection levels.If and when the teenagers log on stander user account there is nothing they can do to disable it. Also the options to lower or turn off Appguard protection from system tray is no longer there.
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Yes, AppGuard could be used by itself without Shadow Defender, alongside your existing anti-malware programs. A small amount of initial configuration is usually required, but after that AppGuard operates quietly in the background, silently applying policy restriction to untrusted applications without involving the user. There is an active AppGuard thread where you can ask questions and get help: -

    AppGuard 3.x 32/64 Bit
     
  17. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Good pointed out by Pegr:thumb: Also Barb has some nice screen shots about power user set up with AppGuard but Just got to go digging around a bit as it is a long on going thread.
     
  18. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    33
    Sorry my first post, but if you simply want to restrict the teenagers access and more then!

    If you have windows 7 x64 then why not use you own free software Windows Live Essentials 2012 Family Saftey.

    All you need is a Hotmail account.

    Heres a guide take a look at what it can do for you!

    http://www.vikitech.com/9935/guide-windows-live-family-safety-parental-controls

    Just download the installer and choose what to install

    Themorpethian
     
  19. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Because when a teenager wants to download and try a new game he will not be able to. Eventually he will find ways to crack anti-executable protection and install whatever he pleases.

    I wouldnt do anything like an appgourd or antiexecutable for that reason. Instead try going with Chrome, EMET, MBAM, HMP and Rollback Rx. I would also try to educate the teenager instead of locking down the computer. Most parents miss the fact that teenagers/children cannot be controlled, they can be educated and you then can hope for the best.
     
  20. Cloud

    Cloud Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    1,030
    Location:
    United States
    Thank you! lol I had just said that but in a less educated fashion. :argh: It can also be the teen that educates himself and applies that information. It happens.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    The company I work for employs an IT department that manages several thousand desktop computers, with all but only a small percentage of authorized staff denied administrative access to them - and we're all adults. Essentially they're "locked down" by restricting us to a Standard user account and through the use of scripts that apply Group Policy restrictions. Is this the right approach, or should IT instead allow everyone full administrative access, and simply try to educate every desktop user on safe computing practices? How do you think this would pan out in the long haul?
     
  22. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    It would pan out to be a huge gigantic failure. 100% guaranteed.
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    failure. 100% guaranteed.:D
     
  24. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    Please don't do this. Admin accounts + regular users = pwnage
     
  25. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    149
    Location:
    Australian Capital Territory
    I've managed to keep our family computers safe from the ravages of teenagers for over 8 years. See my signature for what I currently use, but it has been a similar setup for most of that time. In my opinion the two most important safeguards are the Standard User Account and the Software Restriction Policy.

    I'd also make the point that there is more to maintaining a family PC than just security. If users (especially children/teenagers) are allowed to simply install anything they come across, then your brand new, multi-core, high GHz beast will quickly turn into a computing slug. It will get so loaded up with auto-starts, toolbars and all manner of dodgy background processes you will swear someone has poured concrete into it. Those same teenagers will then be insisting you buy them a new computer because the current one is so slow :argh:
     
Loading...
Thread Status:
Not open for further replies.