Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

disk protection and best practice for public PC

Posted on 2011-09-09
7
Medium Priority
?
317 Views
Last Modified: 2012-05-12
We have a requirement to spec some “public PC’s” in a learning centre that can be accessed (upon booking) by members of the public. Currently the machines have a tool installed that should image the systems config and return to it once the machine reboots/new user accesses it.

http://www.faronics.com/enterprise/deep-freeze/

However there are concerns this tool affects the ability to update certain software when security releases are made. The concept of disk freeze is good but I thought I would brainstorm some ideas on disk protection for public machines – and what other security solutions need to be configured. It should be centrally controllable.
0
Comment
Question by:pma111
  • 3
  • 3
7 Comments
 
LVL 7

Assisted Solution

by:jesaja
jesaja earned 400 total points
ID: 36508718
it depends on the size of you environment and Budget I would have a look for VDI especially VMware View.
 
0
 
LVL 3

Author Comment

by:pma111
ID: 36508761
Thanks - can u go into any detail on how that is better than the tool linked - what security benefits it brings. In terms of public pc there will only be 5 devices
0
 
LVL 6

Expert Comment

by:IanMurphy
ID: 36508768
Security updates are of minor concern when the machine is reset after reboots. While its a good idea to maintain them up to date, its limited what an attack can do when its simply deleted at the end of the day or whenever the user logs out.
Deep freeze works very well. The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well.

They have a doc which explains how to do this.
http://www.faronics.com/assets/DFEnt_PatchManagement.pdf

Ian
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 
LVL 3

Author Comment

by:pma111
ID: 36508936
Hi IanMurphy,

re:

Security updates are of minor concern when the machine is reset after reboots. While its a good idea to maintain them up to date, its limited what an attack can do when its simply deleted at the end of the day or whenever the user logs out.

Could you go into a bit more detail on this in laymans terms/management speak?

Also -

"The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well."

Any more detail on "thawed" etc.


0
 
LVL 6

Expert Comment

by:IanMurphy
ID: 36509059
>Could you go into a bit more detail on this in laymans terms/management speak?

What deep freeze does is to maintain the system exactly the same after every reboot.

You install something, reboot and its not there any more.

You visit a web page which has some malicious code which makes use of a bug in your browser to install an application on your PC. Reboot and its gone.

Someone inserts a pendrive with a virus and they manage to infect the machine. You reboot and its gone.

Someone changes the wallpaper and sets the colours to vivid colours. You reboot and its back to normal.

>Any more detail on "thawed" etc.

Thawed is the term that faronics use to describe the state when you can apply patches to a system with Deep Freeze installed. An admin can manually take a series of steps to unlock the Deep Freeze system and allow the installation of an application. After reboot this application is still present.

Many PCs have an option in their BIOS settings which causes the machine will switch itself on and boot at a particular time. Deep Freeze can be configured to be disabled between 4am and 7am and whatever patch management system you use can be programmed to apply patches automatically at this same time.... so your systems can be updated once a day or week by whatever method you normally use.

Ian
0
 
LVL 3

Author Comment

by:pma111
ID: 36509307
Ok many thanks

Would this tool affect antivirus definitions being applied?

Our concern is these devices are essentially joined to the corporate network so if a machine was infected , regardless of whether they are wiepd of any malware the day later - could the malware have an opportunity to affect othter machines in the network.

Should public PC's be joined to a private network, or essentially "stand alone"

You will see I am not a tech admin who has used this product before - does it have enterprise packages with central control?
0
 
LVL 6

Accepted Solution

by:
IanMurphy earned 1600 total points
ID: 36509924
It is possible to be infected with a virus or trojan which attempts to propagate across the network, yes. This is possible with machines which have Anti virus and anti spyware installed too. Until the AV company gets hold of an example and adds it to their list then its not detected.

If you take basic precautions, such as setting up the pc to be used with a non-admin account - or even a local only account, update windows and the AV once a week, maybe even put the PC's on a subnet which is filtered off from the rest of the network using a firewall and some restrictive rules - then you should be reducing the probability of problems down to a reasonable level.
I could almost bet you'll never need to worry about them again.

No solution is perfect. Everything has holes and everything can be attacked. You need to make life as difficult as possible for a virus or trojan to spread. A machine which is fully patched to last week with the AV signatures up to date as of a week ago and on which the user is not an administrator is already light years ahead of the majority of PC's out there.

We see infections regularly on machines which are supposedly protected. The stats on detection are frightening. The very best AV solutions only detect a low percentage of the known viruses out there. They do detect the vast majority of the ones which are usually passed around... but the rare ones can skip past.... and then there are the famous zero day exploits.

The problem is usually discovering that they are there and then getting rid of them. With deep freeze you reboot and its gone. Most infections will not even be noticed be the user or the admin.

Most of this will not concern you in general, especially if these boxes are rebooted more than once a day.

One of the guys here in the office bought deep freeze for his nephews PC as he got fed up with having to visit and spend his afternoons removing keyloggers and trojans. Since installing Deepfreeze a year or so ago he hasn't had to touch it. If it survives teenagers it will survive almost anything.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question