Solved

disk protection and best practice for public PC

Posted on 2011-09-09
Last Modified: 2012-05-12
We have a requirement to spec some “public PCs” in a learning centre that can be accessed (upon booking) by members of the public. Currently the machines have a tool installed that should image the system's config and return to it once the machine reboots/new user accesses it.

http://www.faronics.com/enterprise/deep-freeze/

However there are concerns this tool affects the ability to update certain software when security releases are made. The concept of disk freeze is good but I thought I would brainstorm some ideas on disk protection for public machines – and what other security solutions need to be configured. It should be centrally controllable.
Question by:pma111
7 Comments
 
LVL 7

Assisted Solution

by:jesaja
jesaja earned 100 total points
ID: 36508718
It depends on the size of your environment and budget. I would have a look for VDI, especially VMware View.
 
 
LVL 3

Author Comment

by:pma111
ID: 36508761
Thanks - can you go into any detail on how that is better than the tool linked, and what security benefits it brings? In terms of public PCs there will only be 5 devices.
 
LVL 6

Expert Comment

by:IanMurphy
ID: 36508768
Security updates are of minor concern when the machine is reset after reboots. While it's a good idea to maintain them up to date, it's limited what an attack can do when it's simply deleted at the end of the day or whenever the user logs out.
Deep Freeze works very well. The machines can be configured in the BIOS to boot at a certain time (say Sunday @ 4am), Deep Freeze can be configured to start 'thawed' at this time, and WSUS can be used to automatically apply patches at this time as well.

They have a doc which explains how to do this.
http://www.faronics.com/assets/DFEnt_PatchManagement.pdf

Ian

 
LVL 3

Author Comment

by:pma111
ID: 36508936
Hi IanMurphy,

re:

"Security updates are of minor concern when the machine is reset after reboots. While it's a good idea to maintain them up to date, it's limited what an attack can do when it's simply deleted at the end of the day or whenever the user logs out."

Could you go into a bit more detail on this in layman's terms/management speak?

Also -

"The machines can be configured in the BIOS to boot at a certain time (say Sunday @ 4am), Deep Freeze can be configured to start 'thawed' at this time, and WSUS can be used to automatically apply patches at this time as well."

Any more detail on "thawed" etc.?


 
LVL 6

Expert Comment

by:IanMurphy
ID: 36509059
>Could you go into a bit more detail on this in layman's terms/management speak?

What Deep Freeze does is to maintain the system exactly the same after every reboot.

You install something, reboot and it's not there any more.

You visit a web page which has some malicious code which makes use of a bug in your browser to install an application on your PC. Reboot and it's gone.

Someone inserts a pendrive with a virus and they manage to infect the machine. You reboot and it's gone.

Someone changes the wallpaper and sets the colours to vivid colours. You reboot and it's back to normal.

>Any more detail on "thawed" etc.

Thawed is the term that Faronics use to describe the state when you can apply patches to a system with Deep Freeze installed. An admin can manually take a series of steps to unlock the Deep Freeze system and allow the installation of an application. After reboot this application is still present.

Many PCs have an option in their BIOS settings which causes the machine to switch itself on and boot at a particular time. Deep Freeze can be configured to be disabled between 4am and 7am and whatever patch management system you use can be programmed to apply patches automatically at this same time... so your systems can be updated once a day or week by whatever method you normally use.

Ian
 
LVL 3

Author Comment

by:pma111
ID: 36509307
OK, many thanks.

Would this tool affect antivirus definitions being applied?

Our concern is these devices are essentially joined to the corporate network, so if a machine was infected, regardless of whether they are wiped of any malware the day later, could the malware have an opportunity to affect other machines in the network?

Should public PCs be joined to a private network, or essentially "stand alone"?

You will see I am not a tech admin who has used this product before - does it have enterprise packages with central control?
 
LVL 6

Accepted Solution

by:IanMurphy
IanMurphy earned 400 total points
ID: 36509924
It is possible to be infected with a virus or trojan which attempts to propagate across the network, yes. This is possible with machines which have anti-virus and anti-spyware installed too. Until the AV company gets hold of an example and adds it to their list then it's not detected.

If you take basic precautions, such as setting up the PC to be used with a non-admin account - or even a local only account, update Windows and the AV once a week, maybe even put the PCs on a subnet which is filtered off from the rest of the network using a firewall and some restrictive rules - then you should be reducing the probability of problems down to a reasonable level.
I could almost bet you'll never need to worry about them again.

No solution is perfect. Everything has holes and everything can be attacked. You need to make life as difficult as possible for a virus or trojan to spread. A machine which is fully patched to last week with the AV signatures up to date as of a week ago and on which the user is not an administrator is already light years ahead of the majority of PCs out there.

We see infections regularly on machines which are supposedly protected. The stats on detection are frightening. The very best AV solutions only detect a low percentage of the known viruses out there. They do detect the vast majority of the ones which are usually passed around... but the rare ones can skip past... and then there are the famous zero day exploits.

The problem is usually discovering that they are there and then getting rid of them. With Deep Freeze you reboot and it's gone. Most infections will not even be noticed by the user or the admin.

Most of this will not concern you in general, especially if these boxes are rebooted more than once a day.

One of the guys here in the office bought Deep Freeze for his nephew's PC as he got fed up with having to visit and spend his afternoons removing keyloggers and trojans. Since installing Deep Freeze a year or so ago he hasn't had to touch it. If it survives teenagers it will survive almost anything.
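
The basic precautions listed in the accepted answer (non-admin account, weekly Windows and AV updates, a filtered subnet) can be checked on each public PC with a short audit script. This is an added example, not part of the original thread and not Faronics tooling; the account name `PublicUser`, the host `fileserver.corp.example`, the port list and the use of Microsoft Defender as the antivirus are assumptions.

```powershell
# Added example: audit one public PC against the precautions in the accepted answer.
# Assumed values (not from the thread): account name, internal host, ports, Defender as AV.
$PublicAccount = 'PublicUser'               # hypothetical local account used by visitors
$InternalHost  = 'fileserver.corp.example'  # hypothetical corporate host that should be unreachable
$InternalPorts = 445, 3389                  # SMB and RDP
$MaxAgeDays    = 7                          # "once a week" from the answer

$results = [ordered]@{}

# 1. The public account must not be in the local Administrators group.
#    S-1-5-32-544 is the well-known SID, so this also works on non-English Windows.
$admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
$pattern = '\\' + [regex]::Escape($PublicAccount) + '$'   # matches COMPUTER\PublicUser
$results['Account is non-admin'] = -not ($admins -match $pattern)

# 2. No software updates should be pending after the maintenance window.
#    A non-zero count means patches were missed or were discarded by a frozen reboot.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates.Count
$results['No pending updates'] = $pending -eq 0

# 3. AV signatures must be no older than a week. On a frozen disk, signatures
#    downloaded during the day are rolled back at reboot, so the age shows what persisted.
$sigAge = (Get-MpComputerStatus).AntivirusSignatureAge    # age in days
$results['AV signatures current'] = $sigAge -le $MaxAgeDays

# 4. The public subnet must be filtered off: corporate services should not answer.
$reachable = $InternalPorts | Where-Object {
    Test-NetConnection -ComputerName $InternalHost -Port $_ `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}
$results['Corporate host filtered'] = -not $reachable

# Report, and return a non-zero exit code so a central scheduler can flag the machine.
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```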