103
39
I realize that virus-proof on a Windows PC is far fetched, but in the interest of keeping time spent as the "family-tech-support" to a minimum, I am looking for ideas to lock a computer down to the point that it is very hard to collect ad-ware/spyware, malware, or viruses.
Assume the user is my mom, who rarely, if ever, needs administrator access and mostly uses the computer for MS Office and web browsing.
Andrew Garrison
Posted 2009-07-28T13:56:01.340
Reputation: 403
83
Probably the best advice I've ever heard on the topic is: Stop running as an administrator.
Kirill Strizhak
Posted 2009-07-28T13:56:01.340
Reputation: 1 119
1This is the easiest and fastest way. RANU. – None – 2009-07-28T14:17:02.740
27Easiest? On Windows XP? You must be joking. (I once tried that.) – user1686 – 2009-07-28T15:35:09.087
1@grawity: umm, try harder? :] Ok, sorry. Bad joke, just couldn't resist ;) Yes it is not as easy as it sounds, and requires some tweaking. But, imho, it has the greatest impact that only maybe hiding behind NAT and firewall may come close to. – Kirill Strizhak – 2009-07-28T15:51:09.443
Yup, easy. Even my mom and dad can do it. – Treb – 2009-07-29T09:11:47.793
5I disagree. I've tried it, but a lot of windows programs are poorly coded, and asume you've got the default windows with the default everything. I also tried moving the "my documents" folders to another drive, and some programs just wrote on C: ... – Manu – 2009-08-09T22:04:31.143
Yeah, it ain't *NIX :] I've had many problems even on that new and shiny Win7. That's why I personally like Gnoupie's answer more. Can't blame it on the OS alone though. Software developers assuming that running as an admin is the only way anyone uses windows contribute to the problem. Well, I think it has to stop at some point - maybe more people should begin running as users and start nagging about how it doesn't work in some cases? I doubt that it will make a noticeable part of existing software to be fixed, but maybe at least people writing new software will take it into account? – Kirill Strizhak – 2009-08-10T05:40:20.390
I do this, but I really miss "sudo". – mmyers – 2009-08-13T16:53:00.947
I always replace the crappy software with better software, that respects my choices of account privileges and well-known-folder locations. Vista's UAC caused many software authors to improve their applications. – macbirdie – 2009-08-18T14:06:33.407
mmyers - use sudowin ;) – macbirdie – 2009-08-18T14:07:27.883
5It used to be a real problem to run without admin rights however since the annoying UAC prompt in vista a lot of the big companies have reengineered their software to not need admin rights so often. If you haven't tried it for a couple of years it might be time to try again. – Col – 2009-08-25T12:54:59.357
50
I get very grumpy when I see these questions, because too many people just want to change the computer, and not the user (when it's the user that causes the issues, invariably).
Consider: Almost every network has a NAT device in place between the LAN and the Internet. This stops random crap from just wandering in, so the overwhelming majority of machines are going to be just fine.
Only when the user is in place is it an issue. My solution: fix the user.
My list to keep your Mom's PC bulletproof:
Educate her on computer security, and computer usage:
Install Google Chrome - Fast, lean browsing machine.
Install your choice of free anti-virus. Something with a low amount of harassment is good.
Ensure automatic updates are turned on, and that your mother knows how to deal with them. Accept them, install them, reboot the computer.
My parents ran a Windows XP machine for 4 years with no software firewall - running just Firefox and AVG. They were checking their email, doing online banking, playing some Guild Wars online, and they had no viruses. I've had plenty of challenges from random people who tried to find viruses on my computers, but they always just end up wasting their time.
EvilChookie
Posted 2009-07-28T13:56:01.340
Reputation: 4 519
17I agree that educating the user is ultimately the best thing to do, unfortunately it is not feasible in all situations. – Andrew Garrison – 2009-07-30T16:20:23.457
5I'd disagree - the only time it's not feasible to educate someone is when they don't want to learn. – EvilChookie – 2009-07-30T17:26:44.147
"Read what the error message is telling you". Techies may be advised to not take the meaning of the error message description too seriously, but google the error message. End users sometimes do take it too seriously. Or they say "Computer says I can't do this". – barlop – 2010-11-16T21:59:11.793
4knowledge > automation – Paul Nathan – 2009-08-13T17:29:47.193
5In my experience, anything that pops up with an error message just provokes the "click to make it go away" reaction. Pending education, I'd still be looking at other solutions... – Benjol – 2011-04-27T07:44:37.503
1I have to say, I agree with this to a degree. You shouldn't have to learn about security and advanced settings to use a computer. No other household tech requires such knowledge, and really it's about time computers caught up. That said, your list of things to learn sound very reasonable, IMO. – Django Reinhardt – 2011-04-28T11:07:03.890
1As a counterpart to educating the user, maybe if the user refuses education, you should just take the computer away. We don't just let any random yahoo jump in a car and drive it, do we? ...oh wait. – Jay R. – 2009-09-18T18:18:48.900
1@Jay: Typically most people who drive need to be licensed to drive. Bad drivers are typically the result of bad instruction. In my opinion, bad drivers = bad instruction (or lack thereof). Problems with computers = bad instruction (or lack thereof). – EvilChookie – 2009-09-18T19:58:19.527
Can't agree with the chrome recommendation. Chrome is neither fast nor clean anymore. Try an unencumbered browser like firefox. – Darth Egregious – 2013-04-10T19:55:13.373
30
I don't like just providing links as answers but have a look at this comprehensive lock down guide.
Windows XP Professional Configuration Checklist Details
Bruce McLeod
Posted 2009-07-28T13:56:01.340
Reputation: 5 490
9http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml Has a host of guides on locking down different operating systems. – Kenneth Cochran – 2009-07-28T14:06:04.537
Nice checklist! – Ivo Flipse – 2009-07-28T14:29:33.890
2Need to add "run as standard user" or "do not run with administrator privileges by default" – Joel Coehoorn – 2009-07-28T14:51:42.230
1That list has problems for home users... ICS behind most home routers leads to double NATing. SRP is pretty administration heavy (I believe it's better in win7). Also, not having an account password helps the account not be remotely accessable. – Ari Pernick – 2009-07-28T15:20:51.267
@Doubt - your comment should be an answer. – Andrew Garrison – 2009-07-28T15:20:52.640
In my experience, users will somehow come up with very creative ways to get around any safeguards in place and install spyware/viruses. – Travis – 2009-07-28T15:55:01.213
Would love it if a similar guideline was posted for Win 7, 8.1 and 10 – Alex S – 2016-04-12T09:54:30.327
On the topic of lockdown - TrustNoExe implements a whitelist of executables
– Caspar – 2011-09-13T01:28:42.26315
Besides teaching her to avoid installing silly things, I don't really see a way.
Of course, have the system updated and with an anti-virus (eventually a firewall).
But in general, if you want to avoid "family-tech-support", there is no real way. Because if you start adding things to block content, block what she can do, you won't be called for the "tech-support", but for the "why can't I do that ?".
Gnoupi
Posted 2009-07-28T13:56:01.340
Reputation: 7 909
Yes, probably your answer is better :] If user want's to install something, then he will do it... The most effective way is to educate a user. Unfortunately, that is also the most time and effort consuming way. I just some times run out of patience :( – Kirill Strizhak – 2009-07-28T14:05:17.020
14
Buy her a Mac, seriously all of my family have moved over to Apple Mac's and it's so much easier to fix (if anything ever goes wrong, which doesn't happen often).
Alternatively if she/you can't afford that install Ubuntu.
You can mark this answer as "not useful" but when it comes down to it Windows isn't meant for mum's or anyone who's incompetent with computers.
cust0s
Posted 2009-07-28T13:56:01.340
Reputation: 1 041
3+1 I did this as well a few years ago. Not only did it drop my tech support calls to ZERO (seriously!) my mom absolutely loves her iMac w/iTunes, FireFox, and Mail. – Matt Rogish – 2009-08-18T17:05:56.457
3I tell my friends and family that I refuse to help them with their computer troubles unless they use Mac or Linux. They complain that Macs are expensive, but then I explain that it's an illusion because it's only true if they consider my time worthless. Now almost all of them use Macs except for my one kid sister who uses Ubuntu. And I have a lot more free time :-) – KaptajnKold – 2011-04-30T10:46:39.097
1I would agree if someone said that this doesn't answer the actual question, but I think deserves to be in the list of solutions. I have switched 4 families (plus my fam of 7 to Ubuntu). I switched them not because they are computer geeks but because they are totally non-technical and I got tired of endless support calls. Once I find a distro upgrade that is worth it I bring them up to date, otherwise I just let them run day after day, month after month. They typically 1) Browse, 2) Music+Videos, 3) Office type work. – Dennis – 2011-10-04T19:59:34.697
12
In general,
Ari Pernick
Posted 2009-07-28T13:56:01.340
Reputation: 1 458
out of curiosity.. how is x64 anymore secure than 32bit? – NoCarrier – 2009-07-28T16:33:46.423
4@NoCarrier, two reasons leap to mind. First, the 64-bit kernel requires that all device drivers be signed so it is much harder to inject hostile code into the kernel itself. Second, at the moment, there are fewer x64 machines out there, so there are fewer attacks against them in the wild. As more systems go 64-bit, the dynamics will change... – RBerteig – 2009-07-28T23:15:23.773
Another factor is Kernel Patch Protection, which makes it harder for malware to bind to random points in the kernel. – Ari Pernick – 2009-08-11T15:24:38.590
12
Well I would shy away from Norton - In my experience this just grinds the PC to a halt (McAfee isn't much better either!)
I have 4 computers in the house being used by myself, and the "kids" (14, 18 and 20) and I've installed the following;
At the end of the day I don't think there is a 100% foolproof solution to this one. My kids still manage to install toolbars and the like. If you lock the system down too far then it just becomes unusable.
DilbertDave
Posted 2009-07-28T13:56:01.340
Reputation: 141
Huh! How did this end up here - I was answering another (related) question ;-) – DilbertDave – 2009-08-13T15:32:42.950
@DilbertDave: I've flagged it for "moderator attention" for being a dupe, and apparently a mod has merged the two questions. – fretje – 2009-08-13T15:40:17.970
That will explain it then - Hope my response still makes sense ;-) – DilbertDave – 2009-08-13T15:41:26.203
11
Install Ubuntu and all your problems will be healed!
I've had Ubuntu on my netbook for quite some time and just re-installed XP on my parents.
They got a virus just a week into using it.
8
Educate the users!
rookieb
Posted 2009-07-28T13:56:01.340
Reputation: 11
2Said already several times, but I guess always nice to repeat. – Gnoupi – 2009-08-18T17:34:48.957
7
Here is what I usually do before turning a computer back in to someone who gave it to me to clear up spyware, etc:
On the other hand, you could just install something like DeepFreeze which will revert the OS back the state it was when you installed it on each restart (not free, though).
Edit: As Keck pointed out in his answer, Microsoft has a free alternative to DeepFreeze called Windows SteadyState.
Travis
Posted 2009-07-28T13:56:01.340
Reputation: 2 125
+1 for Deepfreeze. Works really good if you setup a second thawed partition and redirect the desktop/documents/data folders to the thawed partition. – Zoredache – 2010-07-13T21:41:43.650
7
Seriously, if you lock the machine down for protection, the main thing you can do is set Internet Explorer (or whatever) to run with high security, which means that none of her favorite web sites will work, which means that you're going to get even more family-tech-support calls than before ("why won't TexasHoldem.com work any more?").
The best solution for both of you is to get out of the family-tech-support business. Plead ignorance, charge them for your time, be too busy, tell them GeekSquad will do a better job, refer them to Dell Support, whatever it takes to get out of this trap.
And it is a trap. Sure, you want to help your mom, but how about your sister? cousins? your mom's friends whom she told how great you were at it? Unless you intend for this to become a sideline business, best to nip it in the bud.
Steven A. Lowe
Posted 2009-07-28T13:56:01.340
Reputation: 386
4Friends don't let friends use GeekSquad.
Oh wait. What you're doing is making her not a friend. – Kevin M – 2009-07-29T15:33:28.473
1@[Kevin]: GeekSquad is a lot cheaper than I am – Steven A. Lowe – 2009-07-30T14:57:11.833
4
Here is another one. Maybe it's not exactly what you want, but it takes less time and effort.
Have you considered virtualization? Just let her trash that system, and restore from a snapshot when it is no longer usable. Quick and clean.
And hope she will eventually learn. Or stop trying to learn, 'cause it's easier... It depends on the person, I suppose :)
Kirill Strizhak
Posted 2009-07-28T13:56:01.340
Reputation: 1 119
14Where did all my grandkids pictures go? – None – 2009-07-28T14:18:03.877
This method is perfect for some people. I have encountered people who seem to forget everything you teach them. So it is brand new every single time. These folks could spin your wheels for hours if you let them. Virtualization and Imaging are a good way to cap your level of effort supporting someone like this. – Axxmasterr – 2009-07-28T14:18:05.517
1@Will: Yessss, grandkids pictures... :] Well, I can tell about VMWare: you can set up a shared folder with the hosting OS where you can drop of all of the user files. You can do it after it is screwed up to backup all user data, or before to let user save his data there.
Plus, you can do snapshots often. So there will always be some state saved with all files intact. – Kirill Strizhak – 2009-07-28T14:26:51.057
4
Might want to consider reboot-to-restore softwares such Deep Freeze or Windows SteadyState and create another partition to store data only. So when problems crop up, just reboot the PC.
4
Block obscene online material (they don't know that the Internet is for porn).
Your best bet may be Net Nanny or something similar. Here are reviews of the top Internet Filters
Prevent rogue installations of applications. Prevent them from unknowingly changing the security settings or uninstalling applications.
For these two the best thing might be to make yourself an administrator of the computer and have them log in as guest (or any non-admin login). Use admin settings to disallow installing applications or changing system settings.
Keeping the computer/anti-virus software up to date.
I'd install AVG antivirus and Zone Alarm firewall and activate their automatic updating features, along with AVGs automatic scanning.
For GP you may want to run a Flash-blocker or ad-blocker, they're both easy plug-ins for Firefox.
Graphics Noob
Posted 2009-07-28T13:56:01.340
Reputation: 360
What is GP? General Protection? – Peter Mortensen – 2009-08-18T16:09:53.280
4
Running Windows as a limited user is definitely the best way to keep out malware. Limited user is preferable to anti-virus software and I haven't heard of a single browser vulnerability that was exploitable in limited user mode.
The problem with Windows limited user privilege is that runas works in a completely different user context -- the one that is used to supply the credentials to runas. This breaks down in all kinds of ways that Mom just isn't going to grok. Even getting Mom to understand how to enter runas commands in cmd.exe is going to twist her knickers.
Linux has the right answer and it comes in two parts: first is software repositories and the second is called "sudo" (insert xkcd comic here) which stands for "super user do". sudo runs in the current user context which tends to make things work right. There is a sudo for Windows that I like called surun.exe available from http://kay-bruns.de/download/surun.zip, but I'm not sure I recommend it for Mom unless you tweak it for her. But it does have the nice capability to let Windows Update or Microsoft Update run in limited user mode and it allows limited users to change power options and set the clock.
If you set Mom up in limited user mode, you need to create an Administrator account to use for installing and tweaking. I suggest you remote logon and do the heavy lifting for Mom, but check out surun.exe if only to allow AU and the other features it includes by default for limited users.
Another option is to have Mom run her browser in a sandbox, like sandboxie.exe. I can't recommend it, unless you want to prevent Mom from downloading and uploading personal stuff like photos and chain letter jokes. But if Mom doesn't do downloading and uploading, a sandbox is the best way to get limited privilege to apply to the most vulnerable application on Mom's machine.
kwe
Posted 2009-07-28T13:56:01.340
Reputation: 331
3
partition the hard disk.
install Windows and all necessary programs.
point user folders (desktop, documents, favorites, emails, etc.) to another partition.
create a an image of the system drive (usually C:)
something goes wrong, you can restore the computer with a minimum effort to the state it should be in.
if you want to take it to the next level, try this:
install a RAM disk (size depending on the requirements and available system memory).
install Sandboxie and point the container folder to the RAM disk (drop rights if on an admin account) and add the desired download folders to 'Quick Recovery'
it's getting even better if you want to pay the little registration fee for Sandboxie (which allows you to install the software on any computer your own).
alternatively you may consider DeepFreeze, even more efficient but possibly a bit too restrictive for Mum's taste. good luck and enjoy the time you have just saved from being the in-house tech support! :)
2
Make her profile read-only.
greuze
Posted 2009-07-28T13:56:01.340
Reputation: 293
2
My choice as an old time Usenet hacker (white hat, software hacker, etc.)...
Windows XP:
1st drive or partition: install Windows and all needed stuff (you won't be able to touch it after, only the real administrator can do that) Security software is less needed. Remember OpenDNS!
2nd drive or partition: put my documents and a 2nd program files folder in it, portable applications and all files that you want to keep, like music, pictures, etc. (tell everyone that they have to save and install their stuff there because they lose all they have done if not done) > an installation is simple, you change the C for a D (the 2nd drive), C:/Program Files/.
Also link My Documents folder to the one in the 2nd drive.
Now put Windows steady state at all settings, it will reset the computer as you installed it for the 1st drive only at each restart.
For Linux: Also note that the Linux idea is not all-wrong, it's also bulletproof! Ubuntu (Big up for Edubuntu - Ubuntu project for education for not very rich nations) is simple but she use her computer so little but SliTaz 2 a little modded (with help or by learning - it's worth it!) should be more than enough 30 Mo only for a Linux desktop that will be faster than any Windows version but you have a downside and OpenDNS work with it also.
The real deal: the family is ready if it has a real value: money, learning, help good projects, being part of a real team that really work for them or keep up with Microsoft that don't understand the need of peoples that slave them blocking their reals thoughts, that make a product that sometime miss more than win ... For me, it's why I gave Linux a chance. It's not perfect, but I have found some parts that I can live without now, mostly human, though.
My Linux passion came from people that work for the freedom of the knowledge like Didier Roche, a writer and secretary from the French Ubuntu team and the knopmyth developer so I wish luck to both of you, if you read me ... That's the real Linux life, even Linux stars are just like normal people and they will help you, like they have been helped by someone before. I want to be a part of this chain, that's all! The true beauty of the world is sharing!
zillion
Posted 2009-07-28T13:56:01.340
Reputation: 398
0
Install Ubuntu :) It will silently update itself, it never breaks, Firefox is the same as in Windows, MS Office will work under Wine. I had really positive experience with it and really negative one with Windows XP in the same situation.
vava
Posted 2009-07-28T13:56:01.340
Reputation: 5 238
-1 - Not an answer to this question. – DavidWhitney – 2009-07-30T16:08:29.347
Changing OS is not going minimize the family tech support required, quite the opposite. – Dave Webb – 2009-08-18T14:34:30.493
5I'm not so sure about that. If I was setting up a computer for an older family member with little to no computer skills, I would strongly consider a minimal Ubuntu or other Linux-type OS install with OpenOffice and a single browser (or just teach them to use Google Docs). For many, many people, a computer is 99.9% of the time a machine for running a browser (and 0.1% of the time a machine for playing solitaire - which can be played in a browser). Or make her buy a Mac. – CMPalmer – 2009-08-18T16:10:42.247
1yes, firefox is the same everywhere. Non-techie people don't care that much how button they have to click to start it look. They don't really see the difference. And simple fact that there are no viruses and nothing can go wrong except hardware failure makes it so much easier to work with. – vava – 2009-08-19T04:41:11.073
0
Install Opera and/or FireFox. Install NoScript in FireFox.
Make sure (with shortcuts, etc.) that Opera/FireFox is easier to start/find than Internet Explorer. Try to make Internet Explorer unsusable, like directing it to a non-existing proxy-server, etc.
Make Opera/FireFox the default browser.
The following makes use inconvenient, but the question was about security:
Block JavaScript for all sites (e.g. set in Preferences in Opera and using NoScript in FireFox), except for the ones you explicitly allow. Most of these will need to be set later by the (inexperienced) user. This is where it becomes inconvenient.
Allow JavaScript for some common sites, e.g. YouTube and Gmail. Test that it actually works.
Peter Mortensen
Posted 2009-07-28T13:56:01.340
Reputation: 10 992
2You'll probably get more calls running with NoScript than you would every 3-6 months when something bad happens.
"Why doesn't [every internet site] work?" – DavidWhitney – 2009-07-30T16:09:24.353
0
Install A-SquaredAntiMalware (paid) and make sure that it updates and scans automatically. Also set all "Surf Protection" settings to "Block Silently. Add MVP Hosts file, OpenDNS, and WinPatrol. Explain that if Scotty barks it's important and read it carefully. WinPatrol warnings are the only ones she'll get, and those very infrequently. Also explain that she will see a lot of 404's as her protection works for her- and that's a good thing.
This is the way I protect my 83-year old mother's Windows XP system, and she has had absolutely no malware issues at all.
0
Synetech
Posted 2009-07-28T13:56:01.340
Reputation: 63 242
0
Try Sandboxie
Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.
Benefits of the Isolated Sandbox
Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.
Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows.
Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system.
Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox.
meguroyama
Posted 2009-07-28T13:56:01.340
Reputation: 130
35Encase it in lead ;) – DisgruntledGoat – 2009-07-29T10:56:43.793
23I was thinking Kevlar! – Pauk – 2009-07-30T15:00:27.523
36Unplug the Internet connection. – Scott – 2009-07-30T15:23:42.357
2Power it with Kryptonite! – Moab – 2010-06-28T03:27:09.603
2Throw it out the window! – studiohack – 2010-09-29T13:32:42.420
7Switch to Ubuntu – Aki – 2010-11-04T14:26:43.527
A mother's computer is likely not going to get anything on it.. Just their standard websites. Many of them hardly surf the web. Or do so very conservatively. – barlop – 2010-11-16T22:02:31.137
not really, discussion over there doesn't expand into software, mostly about configuring windows for safety – Jake McGraw – 2009-08-13T15:30:26.557
Woah, did my question just get merged? – Jake McGraw – 2009-08-13T15:50:47.133
31Unplug the power cable. – zildjohn01 – 2009-08-19T02:34:53.200
Like Aki said, get her off the vulnerable OS. Ubuntu will let her use Open Office, Firefox, and a myriad of media players. – dotancohen – 2013-05-27T15:09:41.867