
Setting up Computers to Make Them Unbreakable/Safe Internet Content, Please Advise..

  • 11-08-2010 2:59pm
    #1
    Registered Users, Registered Users 2 Posts: 1,518 ✭✭✭


    Hi Guys,

    A couple of years ago I needed to set up a few computers that were going to be used fairly constantly by people that had little to no knowledge of computers. The primary use was going to be internet, and the place where I was installing them wanted a content filter installed to stop people looking at porn etc.

    At the time I set up the computers using a program called Deep Freeze (which reverted them to a set state every time they were restarted) and some Net Nanny type internet content filter (cannot remember the name).

    This worked reasonably well, except the users would not read the signs saying not to save things on the hard drive (as they got wiped) and also they managed to bypass the content filter quite easily and still access porn/other things they were not meant to be accessing.

    Am now charged with setting up these computers again and am looking for advice on the best way to do them.

    I want them to be as unbreakable as possible and secure in terms of content filtering. I'd also like to have a secure password system so people can only be logged on by staff, I had set user accounts in XP but that is very easy to bypass, could switch to Windows 7 if this will make them more secure. Was looking at NetNanny but it seems to have a lot more functionality than I need, I only need content filtering.

    I'm not going to be able to maintain these systems more than once a year, so something as robust as possible is the best solution. As I said the guys that will be using the computers will not be very tech savvy and will undoubtedly install all sorts of viruses, unwanted software etc.

    Can anyone advise on what software options I should be looking at?

    Any advice would be much appreciated.
    Thanks


Comments

  • Closed Accounts Posts: 407 ✭✭jpl888


    Ok deep breath.

    On the content filtering side OpenDNS is as good as anything in my experience.

    On locking down the PCs the best idea might be to install Ubuntu and use Pessulus to lock the desktop down. Since using Linux will impede the usual download and install crap, you only need to worry about "messing" then.

    pessulus enables the system administrator to set mandatory settings in
    GConf, which apply to all users, restricting what they can do, which may
    be of particular usefulness for kiosks (internet cafes, for example).

    Examples of what can be locked down are the panels (no changes in the panel
    configuration are allowed, locking their position and their contents), some
    of their functions individually (disabling screen locking and log out), the
    web browser (disabling specific protocols, arbitrary URLs, forcing the user
    to be in fullscreen mode), among many others.

    I haven't used Pessulus so I don't know how easy it is to get around but it appears to be the only officially supported kiosk app for Gnome in Ubuntu, so would seem a good place to start.

    You will also want to configure egress filtering on the firewall to attempt to stop people using different DNS servers or VPN clients and the like to get around the content filtering.

    The set-up I use is for businesses (not locked down) and involves Windows clients, OpenDNS and HAVP (to scan internet content for viruses); it works and works well. Obviously it won't stop everything but between that and SPAM filtering the only significant virus outbreak I've seen in 5 years on such a network was spread via USB drive and Windows XP's brain dead autoplay functionality.

    Any questions?
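
The egress filtering suggested in the post above, sketched for a Linux gateway running iptables (an added example, not part of the original post or any poster's actual setup). The interface names eth1/eth0, the allowed web ports and the log prefix EGRESS-DENY are assumptions; the two addresses are the OpenDNS public resolvers.

```shell
#!/bin/sh
# Assumptions (not from the thread): iptables on the gateway, kiosk LAN on
# eth1, internet on eth0, NAT already configured in the nat table, and web
# browsing as the only permitted use.

# OpenDNS public resolvers; DNS to any other server is dropped.
RESOLVERS="208.67.222.222 208.67.220.220"
# Outbound TCP ports the kiosks need (HTTP and HTTPS).
WEB_PORTS="80,443"

# Print the rules instead of applying them, so they can be reviewed first.
# Usage: egress_rules LAN_IF WAN_IF
egress_rules() {
    lan=${1:-} wan=${2:-}
    [ -n "$lan" ] && [ -n "$wan" ] || { echo "usage: egress_rules LAN_IF WAN_IF" >&2; return 2; }
    fwd="iptables -A FORWARD -i $lan -o $wan"

    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections that were already allowed out.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNS only to the filtering resolvers: changing the DNS server on a
    # kiosk PC then breaks name resolution instead of bypassing the filter.
    for r in $RESOLVERS; do
        echo "$fwd -p udp -d $r --dport 53 -j ACCEPT"
        echo "$fwd -p tcp -d $r --dport 53 -j ACCEPT"
    done
    echo "$fwd -p tcp -m multiport --dports $WEB_PORTS -j ACCEPT"
    # Everything else (other DNS servers, VPN ports, ...) is logged, then dropped.
    echo "$fwd -j LOG --log-prefix \"EGRESS-DENY: \""
    echo "$fwd -j DROP"
}

# Review the output, then apply as root with: egress_rules eth1 eth0 | sh
egress_rules eth1 eth0
```

A VPN or proxy that tunnels over port 443 still passes these rules, so this narrows the bypass routes rather than closing all of them.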


  • Registered Users, Registered Users 2 Posts: 1,518 ✭✭✭blobert


    Thanks very much for the very detailed reply I appreciate it.

    I don't think I would have the required computer skills to go the Ubuntu route, it's not something I'm familiar with at all. I agree it would be the best way of locking them down.

    Will need to keep in Microsoft as they will also be used for basic computer classes using MS Office.

    Not familiar with Windows Clients, I'll do a bit of reading up on this.

    My day job is nothing to do with computers, I got roped into setting these up before in a previous workplace as I knew the most of the staff working there and as a charity they did not have the money to hire someone. I now go back there from time to time to fix up any problems they are having.

    So ideally some kind of basic software solution would be the way to go. OpenDNS looks good, will use that for the filtering. Will have a look at HAVP also.

    Any advice on the best way to set up Windows XP/7 to minimise potential damage would be much appreciated.

    Thanks,
    Robert


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    blobert wrote: »
    Any advice on the best way to set up Windows XP/7 to minimise potential damage would be much appreciated.

    Well if you keep all the machines to either Windows XP or Vista then you can use Microsoft's Steady State product to return things to the same state on reboot. It should be flexible enough for you to use it whichever way suits you. Unfortunately it's not supported on Windows 7.


  • Closed Accounts Posts: 407 ✭✭jpl888


    I seem to have led you into a misunderstanding; when I refer to "windows clients" I am referring to a machine with Windows installed on it i.e. a Windows PC.

    HAVP is Linux only and normally runs on a server.

    Between that, OpenDNS and Microsoft Security Essentials my customers have few problems with viruses and malware and they are generally sensible enough not to download and install things.

    The steady state tool the previous poster mentions sounds like a good place to start locking down, as long as it works properly.

    I will be glad to give any other advice I can if you are stuck at any stage.


  • Closed Accounts Posts: 407 ✭✭jpl888




  • Registered Users, Registered Users 2 Posts: 1,518 ✭✭✭blobert


    Thanks again for the advice, the Comodo program could be worth having a look at.

    Ideally I'd like to have the ability to restore the computer on restart but have a certain folder (my documents for example) not be erased each time.

    I'd also be keen to use Windows 7 over XP for the parental control option which limits login times.

    Previously we had a system where staff would have to go turn on and log in the 4 computers in the morning and off again in the evening, if it was possible to have a system where the users could turn them on themselves but only log in (to a guest account) during set hours that would be good, would make things easier for staff.

    So perhaps a combo of the Windows 7 parental controls to control the use times, Open DNS for the content filtering and Comodo to make sure they go back to the same state each day (minus the My Documents folder) would be a good set up.

    Any further advice would be appreciated.

    One thing I noticed before was that I would get a lot of nags about updating flash, java etc, I wonder if there is some easy way to stop programs calling out for updates, ie once I have it set up the way I want, no more updates.

    Thanks again for all the help, it's much appreciated.


  • Closed Accounts Posts: 407 ✭✭jpl888


    I'm looking at Comodo now in a VM, will post back when I have more info.


  • Closed Accounts Posts: 407 ✭✭jpl888


    From the Comodo Time Machine user guide:-
    Synchronize these files or folders when restoring system to another snapshots - You can select
    important files/folders to be synchronized with the system whenever you are restoring your system to a
    previously taken snapshot. This prevents you from losing important files even on restoring your system to a
    previous date in the event of system crash, virus attacks etc.

    On the updating front I'm afraid you are stuck. I think the only thing you could do is go to site every few months to update the baseline snapshot.

    You should also be aware that if you are preserving the documents folder across snapshots there is a chance you will be preserving a virus too.

    You could really do with a decent firewall as well. The egress filtering and logging I have gives me a pretty good heads up if a virus/malware has got in, basically you will see a lot of strange port numbers and 1000's of packets being denied, one step at a time though.
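
The "strange port numbers and 1000's of packets being denied" signal described in the post above, as an added example that is not part of the original thread: a per-host summary of denied outbound packets from iptables LOG lines. The log prefix EGRESS-DENY, the thresholds and the sample lines (constructed and abbreviated) are assumptions.

```shell
#!/bin/sh
# Assumes the gateway's deny rule logs with the (hypothetical) prefix
# "EGRESS-DENY: ". Thresholds are illustrative, not tuned values.

# Usage: suspect_hosts MIN_PACKETS MIN_PORTS < logfile
# Prints "SRC packets distinct_ports" for hosts at or above both thresholds.
suspect_hosts() {
    awk -v minpk="${1:-1000}" -v minport="${2:-20}" '
    /EGRESS-DENY: / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next            # malformed line, skip it
        pkts[src]++
        # ICMP and similar carry no DPT: count the packet but no port.
        if (dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END {
        for (s in pkts)
            if (pkts[s] >= minpk && ports[s] >= minport)
                printf "%s %d %d\n", s, pkts[s], ports[s]
    }' | sort
}

# Constructed sample: .23 sprays several ports (IRC, SMTP, SMB, RPC, MSSQL);
# .21 only tried a DNS server other than the permitted ones.
sample_log() {
    p="Aug 11 15:02:11 gw kernel: EGRESS-DENY: IN=eth1 OUT=eth0"
    cat <<EOF
$p SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49822 DPT=6667
$p SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=49823 DPT=25
$p SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=49824 DPT=25
$p SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49825 DPT=445
$p SRC=192.168.1.23 DST=198.51.100.8 PROTO=TCP SPT=49826 DPT=135
$p SRC=192.168.1.23 DST=198.51.100.8 PROTO=TCP SPT=49827 DPT=1433
$p SRC=192.168.1.21 DST=198.51.100.53 PROTO=UDP SPT=53124 DPT=53
$p SRC=192.168.1.21 DST=198.51.100.53 PROTO=UDP SPT=53125 DPT=53
Aug 11 15:02:12 gw kernel: eth0: link up
EOF
}

# Low thresholds so the small sample triggers; only .23 is reported.
sample_log | suspect_hosts 5 4
```

Requiring both a packet count and a spread of destination ports keeps a single misconfigured machine, like the .21 host retrying one DNS server, from being reported alongside a host that is probing many services.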


  • Closed Accounts Posts: 407 ✭✭jpl888


    It looks pretty easy to use, there aren't that many options. I'd say it is definitely the way to go.


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    If you have a static group of people using the computers then it might be a good idea to set up a file server for users to save files on to. You would then be able to lock down the computers such that the users can't change any files on them while still being able to save their files to the My Documents folder. You would also be able to have it so that it doesn't matter which computer a person uses as their files would be accessible from all of them.

    Personally I would be using linux and samba for this, but you can also get windows server to do it. AFAIK you should also be able to implement time restrictions in either.


  • Closed Accounts Posts: 407 ✭✭jpl888


    I agree with Knasher on the file storage front and in fact Samba is used on all my customers' servers where they need it, then you would also be able to implement HAVP, decent firewall, etc, etc.

    You don't need a fast machine to do it and it doesn't need to be a "server" either. Once installed you can use it to get remote access to the PCs using RDP/VNC too.

    It isn't complicated either, just like any elegant solution you need to learn the ropes. I can help you with that.


  • Registered Users, Registered Users 2 Posts: 171 ✭✭bluferbl


    Check out Windows SteadyState...it's a free addon from Microsoft. I recently installed it on some PCs for use by students and it's working very well. Reasonably tweakable and the price is spot on!


  • Closed Accounts Posts: 407 ✭✭jpl888


    bluferbl wrote: »
    Check out Windows SteadyState...it's a free addon from Microsoft. I recently installed it on some PCs for use by students and it's working very well. Reasonably tweakable and the price is spot on!

    Yeah we already mentioned that. Unfortunately Microsoft has dropped the ball and it's not supported in Windows 7 and the replacement feature was dropped from Windows 7 as they didn't have enough time to finish it. That's how I found Comodo Time Machine by searching forums for that.

    Comodo looks like it will do the business and again it is "the right price" i.e. gratis.


  • Registered Users, Registered Users 2 Posts: 1,518 ✭✭✭blobert


    Thanks again for the replies guys, they are much appreciated.

    The file server and other stuff still sounds beyond my limited technical abilities.

    Seeing as the 4 computers are identical I was hoping to be able to set up one of them correctly and then copy the image to the other 3 (not sure if this is an issue in terms of software licences, they have separate licences for each of them). Was also hoping that using Comodo I could have a baseline restore point so that if one of them became damaged they could restore it to a working state without me having to drop in to fix it.

    Learning how to do a proper job on this would be nice but I'm pressed for time at the moment so a dirty fix that will do the job will have to suffice.


  • Registered Users Posts: 760 ✭✭✭mach1982


    As they are only being used for the web, have you thought of using Linux as the OS? No viruses, malware etc. There are versions that look just like XP: http://news.softpedia.com/news/Ylmf-OS-Ubuntu-That-Looks-Like-Windows-130919.shtml

