Solved

disk protection and best practice for public PC

Posted on 2011-09-09
Last Modified: 2012-05-12
We have a requirement to spec some “public PCs” in a learning centre that can be accessed (upon booking) by members of the public. Currently the machines have a tool installed that should image the system's config and return to it once the machine reboots/new user accesses it.

http://www.faronics.com/enterprise/deep-freeze/

However there are concerns this tool affects the ability to update certain software when security releases are made. The concept of disk freeze is good but I thought I would brainstorm some ideas on disk protection for public machines – and what other security solutions need to be configured. It should be centrally controllable.
Question by:pma111
7 Comments
 
LVL 7

Assisted Solution

by:jesaja
jesaja earned 100 total points
ID: 36508718
It depends on the size of your environment and budget. I would have a look at VDI, especially VMware View.
 
0
 
LVL 3

Author Comment

by:pma111
ID: 36508761
Thanks - can you go into any detail on how that is better than the tool linked - what security benefits it brings? In terms of public PCs there will only be 5 devices.
0
 
LVL 6

Expert Comment

by:IanMurphy
ID: 36508768
Security updates are of minor concern when the machine is reset after reboots. While it's a good idea to maintain them up to date, it's limited what an attack can do when it's simply deleted at the end of the day or whenever the user logs out.
Deep Freeze works very well. The machines can be configured in the BIOS to boot at a certain time (say Sunday @ 4am), Deep Freeze can be configured to start 'thawed' at this time, and WSUS can be used to automatically apply patches at this time as well.

They have a doc which explains how to do this.
http://www.faronics.com/assets/DFEnt_PatchManagement.pdf

Ian
0
 
LVL 3

Author Comment

by:pma111
ID: 36508936
Hi IanMurphy,

re:

"Security updates are of minor concern when the machine is reset after reboots. While it's a good idea to maintain them up to date, it's limited what an attack can do when it's simply deleted at the end of the day or whenever the user logs out."

Could you go into a bit more detail on this in layman's terms/management speak?

Also -

"The machines can be configured in the BIOS to boot at a certain time (say Sunday @ 4am), Deep Freeze can be configured to start 'thawed' at this time, and WSUS can be used to automatically apply patches at this time as well."

Any more detail on "thawed" etc.?


0
 
LVL 6

Expert Comment

by:IanMurphy
ID: 36509059
>Could you go into a bit more detail on this in layman's terms/management speak?

What Deep Freeze does is to maintain the system exactly the same after every reboot.

You install something, reboot and it's not there any more.

You visit a web page which has some malicious code which makes use of a bug in your browser to install an application on your PC. Reboot and it's gone.

Someone inserts a pendrive with a virus and they manage to infect the machine. You reboot and it's gone.

Someone changes the wallpaper and sets the colours to vivid colours. You reboot and it's back to normal.

>Any more detail on "thawed" etc.

Thawed is the term that Faronics use to describe the state when you can apply patches to a system with Deep Freeze installed. An admin can manually take a series of steps to unlock the Deep Freeze system and allow the installation of an application. After reboot this application is still present.

Many PCs have an option in their BIOS settings which causes the machine to switch itself on and boot at a particular time. Deep Freeze can be configured to be disabled between 4am and 7am and whatever patch management system you use can be programmed to apply patches automatically at this same time... so your systems can be updated once a day or week by whatever method you normally use.

Ian
0
 
LVL 3

Author Comment

by:pma111
ID: 36509307
Ok many thanks

Would this tool affect antivirus definitions being applied?

Our concern is these devices are essentially joined to the corporate network so if a machine was infected, regardless of whether they are wiped of any malware the day later - could the malware have an opportunity to affect other machines in the network?

Should public PCs be joined to a private network, or essentially "stand alone"?

You will see I am not a tech admin who has used this product before - does it have enterprise packages with central control?
0
 
LVL 6

Accepted Solution

by:
IanMurphy earned 400 total points
ID: 36509924
It is possible to be infected with a virus or trojan which attempts to propagate across the network, yes. This is possible with machines which have antivirus and anti-spyware installed too. Until the AV company gets hold of an example and adds it to their list then it's not detected.

If you take basic precautions, such as setting up the PC to be used with a non-admin account - or even a local only account, update Windows and the AV once a week, maybe even put the PCs on a subnet which is filtered off from the rest of the network using a firewall and some restrictive rules - then you should be reducing the probability of problems down to a reasonable level.
I could almost bet you'll never need to worry about them again.

No solution is perfect. Everything has holes and everything can be attacked. You need to make life as difficult as possible for a virus or trojan to spread. A machine which is fully patched to last week with the AV signatures up to date as of a week ago and on which the user is not an administrator is already light years ahead of the majority of PCs out there.

We see infections regularly on machines which are supposedly protected. The stats on detection are frightening. The very best AV solutions only detect a low percentage of the known viruses out there. They do detect the vast majority of the ones which are usually passed around... but the rare ones can skip past... and then there are the famous zero day exploits.

The problem is usually discovering that they are there and then getting rid of them. With Deep Freeze you reboot and it's gone. Most infections will not even be noticed by the user or the admin.

Most of this will not concern you in general, especially if these boxes are rebooted more than once a day.

One of the guys here in the office bought Deep Freeze for his nephew's PC as he got fed up with having to visit and spend his afternoons removing keyloggers and trojans. Since installing Deep Freeze a year or so ago he hasn't had to touch it. If it survives teenagers it will survive almost anything.
0
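
The precautions listed in the accepted answer (non-admin or local-only account, Windows and AV kept up to date weekly, a subnet filtered off from the corporate network) can be checked from the public PC itself. The script below is an added example, not part of the original thread or any Faronics tooling; the account name, internal host address and port are constructed placeholders, and it assumes Microsoft Defender is the AV product.

```powershell
# Added example: read-only audit of a public PC. Defaults are constructed placeholders.
param(
    [string]$PublicUser   = 'PublicUser',  # hypothetical account the public logs on with
    [int]   $MaxSigAge    = 7,             # days; "once a week" from the answer
    [string]$InternalHost = '10.0.0.10',   # hypothetical corporate server that must be unreachable
    [int]   $InternalPort = 445
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. The public account must not be a direct member of the local Administrators
#    group (well-known SID, so this also works on non-English Windows).
$admins  = Get-LocalGroupMember -SID 'S-1-5-32-544'
$isAdmin = [bool]($admins | Where-Object { $_.Name -like "*\$PublicUser" })
Add-Check 'Non-admin account' (-not $isAdmin) "Administrators: $($admins.Name -join ', ')"

# 2. Optional in the answer: the account is local-only rather than a domain account.
$local = Get-LocalUser -Name $PublicUser -ErrorAction SilentlyContinue
Add-Check 'Local-only account' ($null -ne $local) "Local user found: $($null -ne $local)"

# 3. No updates outstanding from the configured source (WSUS or Microsoft Update).
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count
    Add-Check 'Windows patched' ($pending -eq 0) "$pending update(s) pending"
} catch {
    Add-Check 'Windows patched' $false "Update search failed: $($_.Exception.Message)"
}

# 4. AV signatures no older than a week (assumes Microsoft Defender is the AV).
try {
    $age = (Get-MpComputerStatus -ErrorAction Stop).AntivirusSignatureAge
    Add-Check 'AV signatures' ($age -le $MaxSigAge) "$age day(s) old"
} catch {
    Add-Check 'AV signatures' $false 'Get-MpComputerStatus unavailable'
}

# 5. The filtered subnet must not be able to open a connection to the corporate host.
$reachable = Test-NetConnection -ComputerName $InternalHost -Port $InternalPort `
    -InformationLevel Quiet -WarningAction SilentlyContinue
Add-Check 'Network isolation' (-not $reachable) "${InternalHost}:$InternalPort reachable: $reachable"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A non-zero exit code means at least one check failed, so the result can be collected by whatever central management tool schedules the script.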

Question has a verified solution.
