Solved

disk protection and best practice for public PC

Posted on 2011-09-09
308 Views
Last Modified: 2012-05-12
We have a requirement to spec some “public PCs” in a learning centre that can be accessed (upon booking) by members of the public. Currently the machines have a tool installed that should image the system's config and return to it once the machine reboots/new user accesses it.

http://www.faronics.com/enterprise/deep-freeze/

However there are concerns this tool affects the ability to update certain software when security releases are made. The concept of disk freeze is good but I thought I would brainstorm some ideas on disk protection for public machines – and what other security solutions need to be configured. It should be centrally controllable.
Question by:pma111
7 Comments
 
LVL 7

Assisted Solution

by:jesaja
jesaja earned 100 total points
It depends on the size of your environment and budget. I would have a look at VDI, especially VMware View.
 
LVL 3

Author Comment

by:pma111
Thanks - can you go into any detail on how that is better than the tool linked - what security benefits it brings? In terms of public PCs there will only be 5 devices.
 
LVL 6

Expert Comment

by:IanMurphy
Security updates are of minor concern when the machine is reset after reboots. While it's a good idea to maintain them up to date, it's limited what an attack can do when it's simply deleted at the end of the day or whenever the user logs out.
Deep Freeze works very well. The machines can be configured in the BIOS to boot at a certain time (say Sunday @ 4am), Deep Freeze can be configured to start 'thawed' at this time, and WSUS can be used to automatically apply patches at this time as well.

They have a doc which explains how to do this.
http://www.faronics.com/assets/DFEnt_PatchManagement.pdf

Ian
LVL 3

Author Comment

by:pma111
Hi IanMurphy,

re:

> Security updates are of minor concern when the machine is reset after reboots. While it's a good idea to maintain them up to date, it's limited what an attack can do when it's simply deleted at the end of the day or whenever the user logs out.

Could you go into a bit more detail on this in layman's terms/management speak?

Also -

"The machines can be configured in the BIOS to boot at a certain time (say Sunday @ 4am), Deep Freeze can be configured to start 'thawed' at this time, and WSUS can be used to automatically apply patches at this time as well."

Any more detail on "thawed" etc.?
 
LVL 6

Expert Comment

by:IanMurphy
>Could you go into a bit more detail on this in laymans terms/management speak?

What Deep Freeze does is to maintain the system exactly the same after every reboot.

You install something, reboot and it's not there any more.

You visit a web page which has some malicious code which makes use of a bug in your browser to install an application on your PC. Reboot and it's gone.

Someone inserts a pendrive with a virus and they manage to infect the machine. You reboot and it's gone.

Someone changes the wallpaper and sets the colours to vivid colours. You reboot and it's back to normal.

>Any more detail on "thawed" etc.

Thawed is the term that Faronics use to describe the state when you can apply patches to a system with Deep Freeze installed. An admin can manually take a series of steps to unlock the Deep Freeze system and allow the installation of an application. After reboot this application is still present.

Many PCs have an option in their BIOS settings which causes the machine to switch itself on and boot at a particular time. Deep Freeze can be configured to be disabled between 4am and 7am and whatever patch management system you use can be programmed to apply patches automatically at this same time... so your systems can be updated once a day or week by whatever method you normally use.

Ian
 
LVL 3

Author Comment

by:pma111
OK, many thanks.

Would this tool affect antivirus definitions being applied?

Our concern is these devices are essentially joined to the corporate network so if a machine was infected, regardless of whether they are wiped of any malware the day later - could the malware have an opportunity to affect other machines in the network?

Should public PCs be joined to a private network, or essentially "stand alone"?

You will see I am not a tech admin who has used this product before - does it have enterprise packages with central control?
 
LVL 6

Accepted Solution

by:
IanMurphy earned 400 total points
It is possible to be infected with a virus or trojan which attempts to propagate across the network, yes. This is possible with machines which have antivirus and anti-spyware installed too. Until the AV company gets hold of an example and adds it to their list then it's not detected.

If you take basic precautions, such as setting up the PC to be used with a non-admin account - or even a local only account, update Windows and the AV once a week, maybe even put the PCs on a subnet which is filtered off from the rest of the network using a firewall and some restrictive rules - then you should be reducing the probability of problems down to a reasonable level.
I could almost bet you'll never need to worry about them again.

No solution is perfect. Everything has holes and everything can be attacked. You need to make life as difficult as possible for a virus or trojan to spread. A machine which is fully patched to last week with the AV signatures up to date as of a week ago and on which the user is not an administrator is already light years ahead of the majority of PCs out there.

We see infections regularly on machines which are supposedly protected. The stats on detection are frightening. The very best AV solutions only detect a low percentage of the known viruses out there. They do detect the vast majority of the ones which are usually passed around... but the rare ones can skip past... and then there are the famous zero day exploits.

The problem is usually discovering that they are there and then getting rid of them. With Deep Freeze you reboot and it's gone. Most infections will not even be noticed by the user or the admin.

Most of this will not concern you in general, especially if these boxes are rebooted more than once a day.

One of the guys here in the office bought Deep Freeze for his nephew's PC as he got fed up with having to visit and spend his afternoons removing keyloggers and trojans. Since installing Deep Freeze a year or so ago he hasn't had to touch it. If it survives teenagers it will survive almost anything.
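
The "subnet which is filtered off from the rest of the network" precaution from the accepted answer, as an added example that is not part of the original thread or of any Faronics tooling: a first-match rule table for the firewall in front of the public PCs, checked against sample flows so that patching still works while every other internal path is closed. All addresses, the WSUS host and its ports (8530/8531, the WSUS defaults on current Windows Server) are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions, not from the thread).
PUBLIC_PCS = "10.50.0.0/28"   # subnet holding the 5 public PCs
WSUS_HOST = "10.10.0.20/32"   # internal patch server
CORPORATE = "10.0.0.0/8"      # all internal address space
ANYWHERE = "0.0.0.0/0"

# First match wins: (action, source, destination, protocol, port or None for any).
RULES = [
    ("allow", PUBLIC_PCS, WSUS_HOST, "tcp", 8530),  # WSUS over HTTP
    ("allow", PUBLIC_PCS, WSUS_HOST, "tcp", 8531),  # WSUS over HTTPS
    ("deny", PUBLIC_PCS, CORPORATE, "any", None),   # no other path to internal hosts
    ("allow", PUBLIC_PCS, ANYWHERE, "tcp", 80),     # public web, AV definition downloads
    ("allow", PUBLIC_PCS, ANYWHERE, "tcp", 443),
    ("allow", PUBLIC_PCS, ANYWHERE, "udp", 53),     # external DNS resolver
    ("deny", ANYWHERE, ANYWHERE, "any", None),      # default deny, covers inbound too
]

# Constructed sample flows: (src, dst, proto, port, intended action).
FLOWS = [
    ("10.50.0.3", "10.10.0.20", "tcp", 8530, "allow"),    # weekly patching
    ("10.50.0.3", "10.10.0.20", "tcp", 445, "deny"),      # SMB to the patch server
    ("10.50.0.3", "10.20.1.7", "tcp", 445, "deny"),       # SMB to a corporate server
    ("10.50.0.3", "10.20.1.7", "tcp", 443, "deny"),       # internal web application
    ("10.50.0.3", "93.184.216.34", "tcp", 443, "allow"),  # public web site
    ("10.20.1.7", "10.50.0.3", "tcp", 3389, "deny"),      # corporate host to public PC
]

def verdict(src, dst, proto, port, rules=RULES):
    """Return (action, rule_index) of the first rule that matches the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, r_src, r_dst, r_proto, r_port) in enumerate(rules):
        if (s in ipaddress.ip_network(r_src)
                and d in ipaddress.ip_network(r_dst)
                and r_proto in ("any", proto)
                and r_port in (None, port)):
            return action, i
    return "deny", None  # nothing matched: fail closed

def audit(flows, rules=RULES):
    """Return the flows whose verdict differs from the intended action."""
    return [f for f in flows if verdict(*f[:4], rules)[0] != f[4]]

if __name__ == "__main__":
    for f in FLOWS:
        print(f[:4], "->", verdict(*f[:4]))
    print("mismatches:", audit(FLOWS))
```

Rule order matters here: if the corporate deny is moved below the port 80/443 allows, the internal web application flow is permitted, and `audit` reports it.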