Link to home
Get AccessLog in
Avatar of Pau Lo
Pau Lo

asked on

disk protection and best practice for public PC

We have a requirement to spec some “public PC’s” in a learning centre that can be accessed (upon booking) by members of the public. Currently the machines have a tool installed that should image the systems config and return to it once the machine reboots/new user accesses it.

http://www.faronics.com/enterprise/deep-freeze/

However there are concerns this tool affects the ability to update certain software when security releases are made. The concept of disk freeze is good but I thought I would brainstorm some ideas on disk protection for public machines – and what other security solutions need to be configured. It should be centrally controllable.
SOLUTION
Avatar of jesaja
jesaja
Flag of Switzerland image

Link to home
membership
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access
Avatar of Pau Lo
Pau Lo

ASKER

Thanks - can u go into any detail on how that is better than the tool linked - what security benefits it brings. In terms of public pc there will only be 5 devices
Security updates are of minor concern when the machine is reset after reboots. While its a good idea to maintain them up to date, its limited what an attack can do when its simply deleted at the end of the day or whenever the user logs out.
Deep freeze works very well. The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well.

They have a doc which explains how to do this.
http://www.faronics.com/assets/DFEnt_PatchManagement.pdf

Ian
Avatar of Pau Lo

ASKER

Hi IanMurphy,

re:

Security updates are of minor concern when the machine is reset after reboots. While its a good idea to maintain them up to date, its limited what an attack can do when its simply deleted at the end of the day or whenever the user logs out.

Could you go into a bit more detail on this in laymans terms/management speak?

Also -

"The machines can be configured in the bios to boot at a certain time (say sunday @ 4am), deep freeze can be configured to start 'thawed' at this time, and wsus can be used to automatically apply patches at this time as well."

Any more detail on "thawed" etc.


>Could you go into a bit more detail on this in laymans terms/management speak?

What deep freeze does is to maintain the system exactly the same after every reboot.

You install something, reboot and its not there any more.

You visit a web page which has some malicious code which makes use of a bug in your browser to install an application on your PC. Reboot and its gone.

Someone inserts a pendrive with a virus and they manage to infect the machine. You reboot and its gone.

Someone changes the wallpaper and sets the colours to vivid colours. You reboot and its back to normal.

>Any more detail on "thawed" etc.

Thawed is the term that faronics use to describe the state when you can apply patches to a system with Deep Freeze installed. An admin can manually take a series of steps to unlock the Deep Freeze system and allow the installation of an application. After reboot this application is still present.

Many PCs have an option in their BIOS settings which causes the machine will switch itself on and boot at a particular time. Deep Freeze can be configured to be disabled between 4am and 7am and whatever patch management system you use can be programmed to apply patches automatically at this same time.... so your systems can be updated once a day or week by whatever method you normally use.

Ian
Avatar of Pau Lo

ASKER

Ok many thanks

Would this tool affect antivirus definitions being applied?

Our concern is these devices are essentially joined to the corporate network so if a machine was infected , regardless of whether they are wiepd of any malware the day later - could the malware have an opportunity to affect othter machines in the network.

Should public PC's be joined to a private network, or essentially "stand alone"

You will see I am not a tech admin who has used this product before - does it have enterprise packages with central control?
ASKER CERTIFIED SOLUTION
Link to home
membership
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access