Ask Slashdot: Protecting Home Computers From Guests?

An anonymous reader writes "We frequently have guests in our home who ask to use our computer for various reasons such as checking their email or showing us websites. We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware, despite having antivirus and the usual computer security precautions. We have tried using a Linux boot CD but usually get funny looks or confused users. We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised. What tips do you have to overcome this problem, technologically or otherwise?"

Boot to the guest account

[AlphaBit]

The media PC in my living room boots directly into the Guest account. Under the guest account I can USE almost all the programs I have installed seamlessly. There are some minor issues with software updates, XBOX controllers, and a complete inability to configure network settings, but that's about it. If I need to do anything that requires more rights I can deal with the UAC prompts that show up or simply log out and back in as an admin.

I know it's not flawless but I still feel pretty comfortable letting my tech savvy (e.g. dangerous) friends stay over unattended. It wouldn't hold up to anyone seriously determined to break the security but they have access to the physical machine and can't really be stopped anyway.

Re:Linux Boot + PRINTER

[xxxJonBoyxxx]

>> Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.

This. As long as you can PRINT from it. (Most of the time I loaned "local" computer access it was to let someone print airline boarding passes.)

Also make a couple paper copies of your WiFi creds and encourage them to BYOD.

Re:Virtual Machine

[Erioll]

I agree. Fullscreen the VM, and they'll probably never even know that they weren't using your "actual" PC.

Re:Hey, I'm lazy too!

[gagol]

Solutions evolve with time, in order for Google to index relevant pages, we have to create content. That is happening as we speak!

iPad

[tverbeek]

"We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised."

Seriously? What have you been reading that gives you bizarre notions like that? The iPad has a number of general shortcomings, most of which are related to its single-user OS and its closed architecture. And I'd hesitate to lend a guest my iPad, but only because – once unlocked for use – it's wide open for the user to poke around (e.g. read my mail, browser history, etc). But in terms of the OS being compromised, an iOS device that hasn't been deliberately jailbroken (by you) is about as safe an internet-access device as you're likely to find, short of custom building a Linux- or BSD-based system yourself.

privileges

[Dandano]

Create an account that does not have the ability to change the operating system, a "user" account for your friends. It won't prevent all problems, but it does cut down on the ability of malware to corrupt you system outside that user's folder.

Re:Virtual Machine

[Pluvius]

If you have Windows 7 Pro or greater, you can get an instance of XP running on Virtual PC for free. It's called "Windows XP Mode."

Rob

Re:Virtual Machine

[steveg]

Why go to all the trouble of reverting the snapshot?

Just set the disk to "non-persistent" and nothing they do will modify the system. Each time the VM is restarted it's back to its default state.

I don't have any experience with VirtualBox, but with VMware include a line something like this in the .vmx file:

ide0:0.mode = "independent-nonpersistent"

When you want to make changes, shut down the VM and change that line to:

ide0:0.mode = "persistent"

then change it back when it's the way you want it.

I'm sure VirtualBox has something similar.

Re:Virtual Machine

[Anonymous Coward]

Windows Steady State for 7 is a do it yourself through Windows 7 tools matter. http://www.microsoft.com/en-us/download/details.aspx?id=24373

Buy a Chromebook

[Jim Hall]

We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised.

If you're willing to buy a $499 iPad [apple.com] just for guests to use, then you'd probably be willing to buy a $249 Chromebook [google.com] instead. It's a great second laptop, and perfect for guests to use. There's even a "Guest" account they can use, and it clears the data when they are done using it. And it's secure - which you want if your guests have "high risk computing habits."

Guest account on a Mac is perfect for this

[DavidinAla]

If you have a Mac, there's a standard user account called Guest. This account has privileges to do normal user things, but can't install apps or make other changes to the computer. (And the account has no access to other users' data.) No matter what the guest user does in that account, it can't hurt you —and the entire Guest account is in a fresh state each time you log in to it. It's designed exactly for something such as this, and it works very, very well in real use.

Re:Linux Boot

[icebike]

Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.

Once you have Linux, it doesn't have to be dedicated. Just use a Guest Account with permissions to use the browser, and not much else.

The big thing is just get rid of Windows in your home. You have nothing that needs interoperability with your work that
can't be handled by Linux. Once you dump Windows, all the bad browsing habits no longer matter.

The problem here is the insistence of keeping Windows for no good reason.

Re:Guest wifi...

[immaterial]

Windows may be a problem here, but the built-in guest account on OS X is perfect for this purpose. Enable it, and guests can log in the guest account (no password), which acts like a standard user account (they have full access to the browser and any other globally-installed apps) except that at logout, the entire account is wiped clean. Since your guests don't have administrator access to your computer they can't mess up anything outside the guest account, and anything they do inside that account is automatically cleaned up for you when they're done.

Re:Virtual Machine

[dissy]

For VirtualBox, the method I use is slightly different but gives similar results in the end.
This must be done from the command line with the vboxmanage.exe tool, I'm not aware of a GUI way to do it.

I have a 'template' VM with fully setup windows and configured how I want it.
Then I make a new 'guest' VM (from scratch) and copy the template disk image to a new name (cloned, from virtual media manager), from template.vdi to guestbox.vdi, and then I use a command line tool to set the new disk image immutable, so it can not be changed again.

vboxmanage modifyhd whereever/guestbox.vdi --type immutable

Then point the guest vm to the guestbox.vdi image under settings -> storage.

Each time the VM boots, disk writes go into a seperate copy-on-write file, which gets deleted once the VM is powered down. A "revert" action takes as long as a delete command unlinking an inode.

When I need to make updates, I do that in my template vm, then copy over the vdi setting it immutable again. Copy the new guest image over the old one, and the VM is updated.

Re:iPad's cost money...

[Gription]

The OP most likely doesn't have Mac as most Mac users believe they are immune from the problems of malware. (Lower probability of blindly running blindly off a cliff is not the same thing as immunity...) The OP almost certainly doesn't use Linux seeing they way they differentiated the Linux boot CD from their normal environment.
So if they want to install an add on VM system like VMware they can:
- Acquire and install the virtual host software
- Figure out how to install the virtual OS inside the host
- Figure out how to activate and/or license the virtualized OS

Or if the OP has Win 7 (pretty good odds)
- They can follow the prompts on the download page for XP Mode and get a legally licensed, preloaded, and activated copy of Win XP in a virtual environment that 95% of adults will be able to navigate with no learning curve. I was mistaken earlier when I thought XP Mode required the Pro version of Windows. (Pretty uncharacteristic of them to make something like that available for free across the whole product range.)
The download link is: Microsoft Download Center - XP Mode [microsoft.com]. Just follow the page instructions and download and install the pieces and you are golden. I would create them a separate Win 7 user and remove all the obvious icons for anything local to keep them from mucking things up.

Once it is in it runs as if it is an RDP session to a remote computer. Very simple.


But yeah, if you want to buy or stealware a more difficult solution, then yeah, that is possible.