Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

disk protection and best practice for public PC

Posted on 2011-09-09
7
Medium Priority
?
316 Views
Last Modified: 2012-05-12
We have a requirement to spec some “public PC’s” in a learning centre that can be accessed (upon booking) by members of the public. Currently the machines have a tool installed that should image the systems config and return to it once the machine reboots/new user accesses it.

http://www.faronics.com/enterprise/deep-freeze/

However there are concerns this tool affects the ability to update certain software when security releases are made. The concept of disk freeze is good but I thought I would brainstorm some ideas on disk protection for public machines – and what other security solutions need to be configured. It should be centrally controllable.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 7

Assisted Solution

by:jesaja
jesaja earned 400 total points
ID: 36508718
it depends on the size of you environment and Budget I would have a look for VDI especially VMware View.
 
0
 
LVL 3

Author Comment

by:pma111
ID: 36508761
Thanks - can u go into any detail on how that is better than the tool linked - what security benefits it brings. In terms of public pc there will only be 5 devices
0
 
LVL 6

Expert Comment

by:IanMurphy
ID: 36508768
Security updates are of minor concern when the machine is reset after reboots. While its a good idea to maintain them up to date, its limited what an attack can do when its simply deleted at the end of the day or whenever the user logs out.
Deep freeze works very well. The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well.

They have a doc which explains how to do this.
http://www.faronics.com/assets/DFEnt_PatchManagement.pdf

Ian
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 3

Author Comment

by:pma111
ID: 36508936
Hi IanMurphy,

re:

Security updates are of minor concern when the machine is reset after reboots. While its a good idea to maintain them up to date, its limited what an attack can do when its simply deleted at the end of the day or whenever the user logs out.

Could you go into a bit more detail on this in laymans terms/management speak?

Also -

"The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well."

Any more detail on "thawed" etc.


0
 
LVL 6

Expert Comment

by:IanMurphy
ID: 36509059
>Could you go into a bit more detail on this in laymans terms/management speak?

What deep freeze does is to maintain the system exactly the same after every reboot.

You install something, reboot and its not there any more.

You visit a web page which has some malicious code which makes use of a bug in your browser to install an application on your PC. Reboot and its gone.

Someone inserts a pendrive with a virus and they manage to infect the machine. You reboot and its gone.

Someone changes the wallpaper and sets the colours to vivid colours. You reboot and its back to normal.

>Any more detail on "thawed" etc.

Thawed is the term that faronics use to describe the state when you can apply patches to a system with Deep Freeze installed. An admin can manually take a series of steps to unlock the Deep Freeze system and allow the installation of an application. After reboot this application is still present.

Many PCs have an option in their BIOS settings which causes the machine will switch itself on and boot at a particular time. Deep Freeze can be configured to be disabled between 4am and 7am and whatever patch management system you use can be programmed to apply patches automatically at this same time.... so your systems can be updated once a day or week by whatever method you normally use.

Ian
0
 
LVL 3

Author Comment

by:pma111
ID: 36509307
Ok many thanks

Would this tool affect antivirus definitions being applied?

Our concern is these devices are essentially joined to the corporate network so if a machine was infected , regardless of whether they are wiepd of any malware the day later - could the malware have an opportunity to affect othter machines in the network.

Should public PC's be joined to a private network, or essentially "stand alone"

You will see I am not a tech admin who has used this product before - does it have enterprise packages with central control?
0
 
LVL 6

Accepted Solution

by:
IanMurphy earned 1600 total points
ID: 36509924
It is possible to be infected with a virus or trojan which attempts to propagate across the network, yes. This is possible with machines which have Anti virus and anti spyware installed too. Until the AV company gets hold of an example and adds it to their list then its not detected.

If you take basic precautions, such as setting up the pc to be used with a non-admin account - or even a local only account, update windows and the AV once a week, maybe even put the PC's on a subnet which is filtered off from the rest of the network using a firewall and some restrictive rules - then you should be reducing the probability of problems down to a reasonable level.
I could almost bet you'll never need to worry about them again.

No solution is perfect. Everything has holes and everything can be attacked. You need to make life as difficult as possible for a virus or trojan to spread. A machine which is fully patched to last week with the AV signatures up to date as of a week ago and on which the user is not an administrator is already light years ahead of the majority of PC's out there.

We see infections regularly on machines which are supposedly protected. The stats on detection are frightening. The very best AV solutions only detect a low percentage of the known viruses out there. They do detect the vast majority of the ones which are usually passed around... but the rare ones can skip past.... and then there are the famous zero day exploits.

The problem is usually discovering that they are there and then getting rid of them. With deep freeze you reboot and its gone. Most infections will not even be noticed be the user or the admin.

Most of this will not concern you in general, especially if these boxes are rebooted more than once a day.

One of the guys here in the office bought deep freeze for his nephews PC as he got fed up with having to visit and spend his afternoons removing keyloggers and trojans. Since installing Deepfreeze a year or so ago he hasn't had to touch it. If it survives teenagers it will survive almost anything.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question