Pau Lo
asked on
disk protection and best practice for public PC
We have a requirement to spec some “public PC’s” in a learning centre that can be accessed (upon booking) by members of the public. Currently the machines have a tool installed that should image the systems config and return to it once the machine reboots/new user accesses it.
http://www.faronics.com/enterprise/deep-freeze/
However there are concerns this tool affects the ability to update certain software when security releases are made. The concept of disk freeze is good but I thought I would brainstorm some ideas on disk protection for public machines – and what other security solutions need to be configured. It should be centrally controllable.
http://www.faronics.com/enterprise/deep-freeze/
However there are concerns this tool affects the ability to update certain software when security releases are made. The concept of disk freeze is good but I thought I would brainstorm some ideas on disk protection for public machines – and what other security solutions need to be configured. It should be centrally controllable.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Security updates are of minor concern when the machine is reset after reboots. While its a good idea to maintain them up to date, its limited what an attack can do when its simply deleted at the end of the day or whenever the user logs out.
Deep freeze works very well. The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well.
They have a doc which explains how to do this.
http://www.faronics.com/assets/DFEnt_PatchManagement.pdf
Ian
Deep freeze works very well. The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well.
They have a doc which explains how to do this.
http://www.faronics.com/assets/DFEnt_PatchManagement.pdf
Ian
ASKER
Hi IanMurphy,
re:
Security updates are of minor concern when the machine is reset after reboots. While its a good idea to maintain them up to date, its limited what an attack can do when its simply deleted at the end of the day or whenever the user logs out.
Could you go into a bit more detail on this in laymans terms/management speak?
Also -
"The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well."
Any more detail on "thawed" etc.
re:
Security updates are of minor concern when the machine is reset after reboots. While its a good idea to maintain them up to date, its limited what an attack can do when its simply deleted at the end of the day or whenever the user logs out.
Could you go into a bit more detail on this in laymans terms/management speak?
Also -
"The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well."
Any more detail on "thawed" etc.
>Could you go into a bit more detail on this in laymans terms/management speak?
What deep freeze does is to maintain the system exactly the same after every reboot.
You install something, reboot and its not there any more.
You visit a web page which has some malicious code which makes use of a bug in your browser to install an application on your PC. Reboot and its gone.
Someone inserts a pendrive with a virus and they manage to infect the machine. You reboot and its gone.
Someone changes the wallpaper and sets the colours to vivid colours. You reboot and its back to normal.
>Any more detail on "thawed" etc.
Thawed is the term that faronics use to describe the state when you can apply patches to a system with Deep Freeze installed. An admin can manually take a series of steps to unlock the Deep Freeze system and allow the installation of an application. After reboot this application is still present.
Many PCs have an option in their BIOS settings which causes the machine will switch itself on and boot at a particular time. Deep Freeze can be configured to be disabled between 4am and 7am and whatever patch management system you use can be programmed to apply patches automatically at this same time.... so your systems can be updated once a day or week by whatever method you normally use.
Ian
What deep freeze does is to maintain the system exactly the same after every reboot.
You install something, reboot and its not there any more.
You visit a web page which has some malicious code which makes use of a bug in your browser to install an application on your PC. Reboot and its gone.
Someone inserts a pendrive with a virus and they manage to infect the machine. You reboot and its gone.
Someone changes the wallpaper and sets the colours to vivid colours. You reboot and its back to normal.
>Any more detail on "thawed" etc.
Thawed is the term that faronics use to describe the state when you can apply patches to a system with Deep Freeze installed. An admin can manually take a series of steps to unlock the Deep Freeze system and allow the installation of an application. After reboot this application is still present.
Many PCs have an option in their BIOS settings which causes the machine will switch itself on and boot at a particular time. Deep Freeze can be configured to be disabled between 4am and 7am and whatever patch management system you use can be programmed to apply patches automatically at this same time.... so your systems can be updated once a day or week by whatever method you normally use.
Ian
ASKER
Ok many thanks
Would this tool affect antivirus definitions being applied?
Our concern is these devices are essentially joined to the corporate network so if a machine was infected , regardless of whether they are wiepd of any malware the day later - could the malware have an opportunity to affect othter machines in the network.
Should public PC's be joined to a private network, or essentially "stand alone"
You will see I am not a tech admin who has used this product before - does it have enterprise packages with central control?
Would this tool affect antivirus definitions being applied?
Our concern is these devices are essentially joined to the corporate network so if a machine was infected , regardless of whether they are wiepd of any malware the day later - could the malware have an opportunity to affect othter machines in the network.
Should public PC's be joined to a private network, or essentially "stand alone"
You will see I am not a tech admin who has used this product before - does it have enterprise packages with central control?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER