Ask Slashdot: Protecting Home Computers From Guests?
An anonymous reader writes "We frequently have guests in our home who ask to use our computer for various reasons such as checking their email or showing us websites. We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware, despite having antivirus and the usual computer security precautions. We have tried using a Linux boot CD but usually get funny looks or confused users. We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised. What tips do you have to overcome this problem, technologically or otherwise?"
Boot to the guest account (Score:5, Informative)
I know it's not flawless but I still feel pretty comfortable letting my tech savvy (e.g. dangerous) friends stay over unattended. It wouldn't hold up to anyone seriously determined to break the security but they have access to the physical machine and can't really be stopped anyway.
Re:Linux Boot + PRINTER (Score:4, Informative)
>> Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.
This. As long as you can PRINT from it. (Most of the time I loaned "local" computer access it was to let someone print airline boarding passes.)
Also make a couple paper copies of your WiFi creds and encourage them to BYOD.
Re:Virtual Machine (Score:5, Informative)
I agree. Fullscreen the VM, and they'll probably never even know that they weren't using your "actual" PC.
Re:Hey, I'm lazy too! (Score:5, Informative)
iPad (Score:4, Informative)
Seriously? What have you been reading that gives you bizarre notions like that? The iPad has a number of general shortcomings, most of which are related to its single-user OS and its closed architecture. And I'd hesitate to lend a guest my iPad, but only because – once unlocked for use – it's wide open for the user to poke around (e.g. read my mail, browser history, etc). But in terms of the OS being compromised, an iOS device that hasn't been deliberately jailbroken (by you) is about as safe an internet-access device as you're likely to find, short of custom building a Linux- or BSD-based system yourself.
privileges (Score:3, Informative)
Re:Virtual Machine (Score:4, Informative)
If you have Windows 7 Pro or greater, you can get an instance of XP running on Virtual PC for free. It's called "Windows XP Mode."
Rob
Re:Virtual Machine (Score:5, Informative)
Why go to all the trouble of reverting the snapshot?
Just set the disk to "non-persistent" and nothing they do will modify the system. Each time the VM is restarted it's back to its default state.
I don't have any experience with VirtualBox, but with VMware include a line something like this in the .vmx file:
ide0:0.mode = "independent-nonpersistent"
When you want to make changes, shut down the VM and change that line to:
ide0:0.mode = "persistent"
then change it back when it's the way you want it.
I'm sure VirtualBox has something similar.
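The comment above relies on remembering to switch the disk back from "persistent" after an update session. The following check for that is an added example, not part of the original post: it scans .vmx text and reports any attached virtual hard disk that is not in independent-nonpersistent mode. The function names and the sample .vmx content are constructed for illustration, and it assumes a disk with no mode line behaves as an ordinary persistent disk.

```python
import re

# Device keys that can carry a virtual disk in a .vmx file (ide0:0, scsi0:1, ...).
DEVICE_KEY = re.compile(r'^((?:ide|scsi|sata|nvme)\d+:\d+)\.(\w+)$', re.I)
LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
SAFE_MODE = "independent-nonpersistent"

def parse_vmx(text):
    """Return {device: {property: value}} for every disk-capable device."""
    devices = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank line, comment, or something we do not understand
        key = DEVICE_KEY.match(m.group(1))
        if key:
            devices.setdefault(key.group(1).lower(), {})[key.group(2).lower()] = m.group(2)
    return devices

def writable_disks(text):
    """List (device, file, mode) for attached hard disks that keep guest writes."""
    findings = []
    for dev, props in sorted(parse_vmx(text).items()):
        if props.get("present", "FALSE").upper() != "TRUE":
            continue
        if not props.get("filename", "").lower().endswith(".vmdk"):
            continue  # CD-ROM, ISO image or physical drive, not a virtual hard disk
        # Assumption: a disk with no explicit mode line is an ordinary persistent disk.
        mode = props.get("mode", "persistent").lower()
        if mode != SAFE_MODE:
            findings.append((dev, props["filename"], mode))
    return findings

# Constructed sample: ide0:0 was left "persistent" after an update session.
SAMPLE_VMX = '''
ide0:0.present = "TRUE"
ide0:0.fileName = "guest.vmdk"
ide0:0.mode = "persistent"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "scratch.vmdk"
scsi0:0.mode = "independent-nonpersistent"
'''

if __name__ == "__main__":
    for dev, path, mode in writable_disks(SAMPLE_VMX):
        print(f"WARNING {dev} ({path}) is {mode}: guest writes will be kept")
```

Run it against the guest VM's .vmx before handing the machine over; an empty result means every attached .vmdk discards writes at power-off.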
Re:Virtual Machine (Score:3, Informative)
Windows Steady State for 7 is a do it yourself through Windows 7 tools matter. http://www.microsoft.com/en-us/download/details.aspx?id=24373
Buy a Chromebook (Score:4, Informative)
If you're willing to buy a $499 iPad [apple.com] just for guests to use, then you'd probably be willing to buy a $249 Chromebook [google.com] instead. It's a great second laptop, and perfect for guests to use. There's even a "Guest" account they can use, and it clears the data when they are done using it. And it's secure - which you want if your guests have "high risk computing habits."
Guest account on a Mac is perfect for this (Score:5, Informative)
Re:Linux Boot (Score:4, Informative)
Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.
Once you have Linux, it doesn't have to be dedicated. Just use a Guest Account with permissions to use the browser, and not much else.
The big thing is just get rid of Windows in your home. You have nothing that needs interoperability with your work that can't be handled by Linux. Once you dump Windows, all the bad browsing habits no longer matter.
The problem here is the insistence of keeping Windows for no good reason.
Re:Guest wifi... (Score:5, Informative)
Re:Virtual Machine (Score:5, Informative)
For VirtualBox, the method I use is slightly different but gives similar results in the end.
This must be done from the command line with the vboxmanage.exe tool, I'm not aware of a GUI way to do it.
I have a 'template' VM with fully set up Windows and configured how I want it.
Then I make a new 'guest' VM (from scratch) and copy the template disk image to a new name (cloned, from virtual media manager), from template.vdi to guestbox.vdi, and then I use a command line tool to set the new disk image immutable, so it can not be changed again.
vboxmanage modifyhd whereever/guestbox.vdi --type immutable
Then point the guest vm to the guestbox.vdi image under settings -> storage.
Each time the VM boots, disk writes go into a separate copy-on-write file, which gets deleted once the VM is powered down. A "revert" action takes as long as a delete command unlinking an inode.
When I need to make updates, I do that in my template vm, then copy over the vdi setting it immutable again. Copy the new guest image over the old one, and the VM is updated.
Re:iPad's cost money... (Score:4, Informative)
So if they want to install an add on VM system like VMware they can:
- Acquire and install the virtual host software
- Figure out how to install the virtual OS inside the host
- Figure out how to activate and/or license the virtualized OS
Or if the OP has Win 7 (pretty good odds)
- They can follow the prompts on the download page for XP Mode and get a legally licensed, preloaded, and activated copy of Win XP in a virtual environment that 95% of adults will be able to navigate with no learning curve. I was mistaken earlier when I thought XP Mode required the Pro version of Windows. (Pretty uncharacteristic of them to make something like that available for free across the whole product range.)
The download link is: Microsoft Download Center - XP Mode [microsoft.com]. Just follow the page instructions and download and install the pieces and you are golden. I would create them a separate Win 7 user and remove all the obvious icons for anything local to keep them from mucking things up.
Once it is in it runs as if it is an RDP session to a remote computer. Very simple.
But yeah, if you want to buy or stealware a more difficult solution, then yeah, that is possible.