Windows Security and On-line Training Courses?

eggegick writes "My wife has taken a number of college courses over the last three years and many of the classes used on-line materials rather than books. The problem was these required IE along with Java, Active X and/or various plug-ins (the names of which escapes me), and occasionally I'd have to tweak our firewall to allow these apps to run. I don't think any of these training apps would work with Firefox. All of this made me cringe from a security point of view. Myself, I use Firefox, No-Script, our external firewall and common sense when using the web. I have a very old Windows 2000 machine that I keep up to date. To my knowledge, I've never had a virus or malware problem. Her computer is a relatively new XP machine, and at this point she feels her computer has something wrong. But now she prefers to use my old machine instead of hers since it seems to be more responsive. We plan to run the recovery disk on hers. Assuming the college course work applications were part of the cause, what recommendations do any of you have for running this kind of software? Is there a VMware solution that would work — that is, have a Windows image that is used temporarily for the course work and then discarded at the end of the semester (and how do you create such an image, and what does it cost?)."

Windows SteadyState

[benjymouse]

is also an option. Can completely lock down a PC. All changes are written to a separate "log" partition which can be reverted. Logs can be kept separate for individual users and the system. For instance you can configure Windows SteadyState to discard all user changes at each boot but allows the system to update itself through Windows Update

It's available for XP and Vista (32 bit) free from Microsoft: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx [microsoft.com]

GRUB

[Anonymous Coward]

You can use the instructions here [faqs.org] to install the same copy of windows into two different partitions on the same machine. I use this on my laptop; one image for everyday use, and one for logging in to my company's VPN (which requires specific software that I don't want to have running all the time).

Re:Yeah, except

[Patch86]

Strange. My GF, who is at uni, uses Blackboard regularly. She's used Firefox + unmodified Zonealarm for the entirety of her 4 year course, and never encountered a problem.

Windows Security.

[vistapwns]

The solution is easy, though you may not like it. Install Vista (It has ASLR, heap protection, pointer protection, dep, integrity levels, and so on) and latest updates. Enable DEP for all processes and memory protection in IE advanced options (must run IE as admin first to change this setting.) Disable all the AcitveX and .NET stuff in the internet zone. Enable Protected Mode for 'trusted zone.' Add necessary, trusted sites to 'Trusted Zone' site list, that require an active-x/.net plug-in. Leave auto-updates on. Don't download anything unless you know for sure the trustworthyness of the people who made it. Using just that, I have been using Vista for almost 2 years without a single Virus, trojan or Worm, or anything at all to speak of, and I surf everything, all day, including very shady sites. Vista pretty much takes care of the automated and drive-by download infections, teaching non-advanced users about web scams that only require a sucker user on the other hand is very difficult, I recently had to clean antivirus-360 from a friends computer because despite all the security (it was XP) she willingly clicked 'download' and 'install' and 'ok' when it said she needed the program on some website. lol.

Can't you just fix the problem?

[diggitzz]

Virtualization is easy, but non-virtualization is even easier. There is a VMWare solution that will work: It's VMWare, and it works exactly like you think it does. The current price is listed on the VMWare website. I don't understand why this is a community-posed question, though, since you seem to have answered yourself in the question.

The free solution, on the other hand, is to just clean up the problems on the XP machine. If the other machines on the network continue to run trouble-free, just fix the one with trouble. You probably don't even need to recover or reinstall. Uninstall the ActiveX components, close the firewall back up, run anti-virus and anti-spyware apps (at least 3 different free ones) to remove anything that might have shown up, and if there are less than a handful of problems detected, you don't really need to reinstall. Run msconfig to check for extra crap at startup, and use HijackThis to check for any remaining browser toolbars, add-ons or other crap you don't want. Then make Firefox the default browser. Incidentally, there is a Firefox add-on available called IETabs which lets you run an IE-specific webpage from Firefox without starting IE and all its add-ons (it does use the base IE rendering engine tho).

If the machine hasn't had a fresh XP install in over a year, then it's time to reinstall anyway, and the sluggishness might have little to do with the extra ActiveX crap your wife had to use.

A cleanup might take you 2 hours. A reinstall could take longer, depending on how organized you and your wife have been about backing up data and how many programs you'll need to reinstall. VMWare works, but isn't free. These are the considerations to balance. Good Luck!

Re:Virtualization is your friend

[Anonymous Coward]

A virtual machine may be overkill for this sort of situation. I'd recommend looking into Sandboxie. It's a bit more lightweight, as rather than mimicking an entire machine and all its resources, it merely traps and re-implements OS calls to be neutered to affecting a disposable area. I haven't used it myself (I live dangerously), but the Security Now guys were raving about it.

Re:GRUB

[Anonymous Coward]

To clarify, this is just a link to the bootloader setup. It is not that relevent, IMO, because that is not the typical way that people setup to use virtualization. I don't recommend it for a newbie. It is better to encapsulate your virtual disc as a file on an already known filesystem. Just follow the normal instructions when learning about VMs.

The way you have proposed setting up often leads to confusion. People think they can use the same exact partition they use with a physical machine that they use with a virtual machine. In rare cases this works, but most often it leads to "blue screen" boots due to HD controller mismatches, etc.

There is also another non-technical problem. That is, XP's license terms do not allow this, as I understand them (IANAL). The reason behind activation requires a license to be linked to the hardware. The "virtual" hardware is different than the "physical" hardware and requires its own license. Again, just my opinion.

Had a similar case with wife taking classes...

[Ungrounded Lightning]

Wife in question has administered lab machines before. So I left the Windows admin to her. B-)

For net access I put a third ethernet card in the Linux-based firewall machine and added rules:
  - This new "red" net, like the "blue" net where the linux boxen live, was essentially restricted to talking to the firewall machine and outgoing TCP connections (plus very few specific other things.)
  - "Red" and "blue" were treated, with respect to each other, as just as foreign as the wild-and-woolly Internet.

I know this doesn't answer questions about "How do you protect the Windows machine?". But there is plenty of stuff elsewhere about that. Plugging Microsoft's security holes is a multi-billion dollar industry. This was "How do you protect the rest of the machines in the house?". Giving Windows boxen their own LAN segment and walling it off from reduces the problem to the equivalent of a Windows box (or LAN of them) alone behind a NAT/Firewall machine. That's an already (sorta) solved problem.

Re:Internet College web sites and virtual machines

[markdavis]

Technically, MS-Windows XP Home is "not allowed" to be run in a virtual session. Read the license. You have to use the more expensive MS-Windows XP Pro or ultimate, and even then, there are draconian restrictions.

Me? I just use Linux. Free. And no need to have snapshots in a VM to protect my system from typical MS-Windows snafu's. But if you want, you can run MS-Win under Virtualbox under Linux; also free, but in addition, it is open source (while just as fast and capable).

Hard drive cloning - easy, safe, secure

[az-saguaro]

This thread has generated a lot of great responses, and you can pick and choose from a variety of good solutions. Here is another, the one that I have settled on as my preferred safety-backup-reinstall method: hard drive clones.

I use XP-SP2. My main machine has been running smooth as silk for 4 years. I have had rare problems, but when they have occurred, they have been of mixed causes - hard drive failure, a UPS failure which caused unbootable file system corruption, and even a trojan picked up right here on a Slashdot link a few months ago. No sweat for me though . . .

My backup solution depends on external hard drives which mirror my internal drives. I keep all data and apps (other than those that insist on installing under \ProgramFiles) on separate internal drives. That way, if C: gets corrupted, my other data is safe. My C: system drive has only the OS and ProgramFiles apps. This means that I can keep the system drive relatively small (120GB), meaning I can buy several mirror drives quite inexpensively.

I have several C: drive mirrors. I duplicate my main drive to these external backups 2 or 3 times a week. I duplicate just before any major system or application upgrade. I use an older version of Norton Ghost (v9) for this, which makes flawless duplicates while running in the background. (I also use Acronis to make point-in-time compressed images of the drive, which can be reloaded onto a hard drive if need be.)

The few times that I have had a disaster, I just pull out my latest mirror, swap it into the disk-0 position, and turn my machine back on - like nothing ever happened.

Consequently, this is also a great way to test installations or new software, or to create drives that you or your wife could use for your own purposes.

(See the comments above by diggitzz about cleaning up your dirty system before getting ready to make your first mirror image.)

Ever since settling on the system-drive-mirror solution for my OS safety backups, I have not had a moment's anxiety about losing a drive, testing new OSes, nor keeping my installation clean.