Windows Steady State, Deep Freeze, OR Centurion?

ETdude
I have about 45 workstations and antivirus slows them down and we had many bots, spyware, etc. despite a firewall-based antivirus solution. Looking for something totally effective in keeping computers fast and MALWARE FREE!

Any suggestions, experience, etc. on hard drive protection solutions such as Windows Steady State, Deep Freeze or Centurion Technologies?

We use WINDOWS XP PROFESSIONAL!
Microsoft Security Essentials has been downright amazing for most people. Comodo Antivirus is also quite amazing. Their Internet Security suite is really good too, but I find that it annoys most users simply because it catches way too many false positives.
Several of the libraries that I have been to use Deep Freeze. It appears to be pretty reliable and solid. Once the machine is set up, you set Deep Freeze to a "frozen" state and reboot. It limits a lot of the functions of a working computer, i.e. no right click, no software installation, no HDD access, etc. etc. The limited things that a user can do, such as save documents to the desktop, are reversed at the next reboot. When you want to install software or printers, you go into Deep Freeze and "un-thaw" it. Once the PC is rebooted you can then make changes and then freeze it again for the changes to take effect.
Commented:
I have not used Steady State yet, but my impression is that it is not centrally managed. Deep Freeze on the other hand works very well with XP and has centralized management (I believe you still have to purchase that component).
As far as internet security though, you are still going to want that. I do not know what package you are using or even if it's been updated (latest version). Symantec Endpoint Protection 11.05 and above is very nice, or Symantec Internet Security 2010 if you want non-enterprise. They are not as RAM intensive as versions in the past. It costs, but what is it worth to you? You still have people infecting the machine and in the interim of getting around to rebooting the machine, it is infecting the other machines and sucking up the bandwidth (even for machines not in your lab). I worked in a large school environment and it is still essential.
Farstone's snapshot is fairly inexpensive as a quick restore solution. I've seen too many machines hit with spyware with Norton happily greenlighting, as well as Trend Micro. My current favorite is Kaspersky Internet Security. I have not had any problems with the machines running it.
Top Expert 2013

Commented:
A hardware solution is a reborn card for each PC: http://www.lenten.com/news.asp
I suggest using a Watchguard firewall with the UTM bundle

www.watchguard.com

It includes many security features and protection. The AV scan is performed at the gateway, so before they touch the machine the viruses get filtered... and much more
I see one problem, user education.  You've got to convince your users that "it's too slow with an AV" is completely unacceptable.  No glove, no love, it's an AIDS epidemic out there people.  Such as that.

The programs you're asking about in your initial question are for "locking down" a machine so the user cannot make changes to it, cannot install anything, etc. You'll want to ensure critical hotfixes, anti-virus updates and such are taken care of though.

If your machines are in a domain environment you may be able to accomplish much of the "freezing" by simply making machines domain members, making all users regular users in the domain, not domain admins, not even local machine admins of their own machines, maybe power user for some. Most of all, there is domain policy editor (much like there is local policy editor) and with it you could "lock down" what users are allowed to do and not do (not delete browser history for instance). Migrating the user profiles from local accounts to domain accounts may be needed. On the other hand Steady State is more of a "home" version with user-friendly UI and management for those who cannot be bothered with all that "policy editor" keys stuff.

Unfortunately it is still NO substitute for an AV.

Well, in today's day and age you cannot just have antivirus at the firewall, since wireless access points, USB sticks, burnable discs, and people taking laptops elsewhere and then plugging into the company side of the LAN can infect them all no matter how well fortified the internet access. All the machines have to have continuous protection, even if that does mean it checks every single file before accessing / opening / running it and they're slower by 10 to 20%.

Your corporate email should probably scan attachments inside the mail server. That's also the best place to intercept spam and administer whitelists, blacklists, and have users occasionally check their junk folder for false positives.

If your 45 computers do not have enough RAM and so the extra overhead of each one's AV causes them to do excessive virtual memory swapping, sufficient RAM is needed. Heavily fragmented disks can slow things down and to defrag the memory pagefiles and other usually undefraggable files you can use PageDefrag http://technet.microsoft.com/en-us/sysinternals/bb897426.aspx once.

Look at it this way, X years ago you could run XP Service Pack 2 "ok" with 256 of RAM, and "decent" with 512. However, as more hotfixes, hundreds have come out, every one of those tends to make some DLLs and parts of programs that much more "thorough" and that means bigger and more memory needs, and the browsers getting bigger and more capable, and Adobe Flash v5 versus v10 now, and sure enough by Service Pack 3, that same 256 will be brutally slow and you need twice as much RAM to run at the same speed as before, 512 or preferably 1G. Obviously it depends how many programs you try to juggle at the same time, and what those programs' needs are too.

Also keep in mind even the best AVs will still only catch about 96%, independent and review lab tests show.

In a corporate environment there is some advantage to a Symantec Norton corporate with its ability to centrally administer and monitor the updates, shielding and scanning status policies and permissions. Do you want to pay internet bandwidth to download 4x a day x1 or x45?

You could go the consumer "free" route, and Microsoft Security Essentials is proving to be top tier.

For those who like free, AVG Free will also protect for 96% of viruses AND gives web site advisory for known bad sites. But that only protects from viruses; what about malware and spyware? Microsoft's free includes some, AVG Internet Security costs (they hope you'll see the value) or again the free route you could supplement AVG Free with Spybot Search & Destroy and Malwarebytes. Spybot has a "shield" component in TeaTimer though it's not obvious to novices it does some protection of registry and log things. Alternatively Adaware, but it butts heads with Spybot's so do one or the other. I prefer Spybot for its ability to schedule the updates and schedule the scans, something usually only the "pay" programs have.

In my experience an AV shielding continuously is a must, and as for malware/spyware, for novice users anti-spyware scans once a month give or take usually suffice.  For "smart" users who don't get suckered by social engineering or web ads or such, once a year or only when they notice suspicious behaviour.

Even then, you might get hit by the 3% that slip through.

So then, as much as possible if many machines are the same and you have "backed-up" images that you can recover a machine with Windows and all the needed programs, that helps. Such as these 12 machines are the same and need developer tools, these twenty support staff are the same and have these office tools, these 12 salesmen laptops, etc. etc. So the whole machine can be "reloaded" with everything except their "files", and then of course, important corporate documents on servers that are backed up constantly, and either occasional or frequent backups of workstation user-files, documents, local email storage/archive, favourites etc.

Did I mention backups?  Backups.

Author

Commented:
Dear Ocanda Techguy... Thanks for your comprehensive answer. I have researched the hard drive locking software and Steady State may not work for a corporate environment due to lack of sophisticated features to allow for writing to specific folders and such.

Since we do have some Antivirus & Antispyware on the firewall and I don't want to load a server or workstation with AV software that is often to blame for some application not working or being slow, I think a HDrive protection product is the best route.

If Malware can't write to a machine then isn't that better than some AV that cannot keep up to date with the creative malware that plagues the internet?
Top Expert 2013

Commented:
Any comments on my post?

Commented:
Well, a solution could be an Intrusion Prevention System (IPS) or an Intrusion Detection and Prevention System (IDPS). This would slow down your internet connection as it would check every incoming package but it's worth the money.
Not sure I agree (as evidenced by my answer)
If malware can't write it also means your users can't write.
Some software will dump a log on an error, and then you discover your log was not saved? Not too good.
If this is a library, a classroom, sure, and yes possibly if this is a business with a bullpen, steno pool, telephone support cubicles or something where each desk is generic with the same client software and no individual files can be saved, all files must be saved to the user home folder on a server, then cookie-cutter the machines over and over is fine. You'll still need AV on the servers though, and if you avoid AV "because" it makes it too slow, well I explained how to check, because, I'd say the system(s) are underpowered. On a terminal server do you want 27 copies of the AV running for 27 TS sessions, yeah probably not, so get the right product config for that, but somewhere on the servers there had better be AV (imheo). Yes anti-malware can be almost as important, it's just that anti-virus tends to stop the truly truly malicious, which is why I find I can run anti-malware occasionally versus AV always.
