
Ask Slashdot: Protecting Home Computers From Guests? 572

Posted by timothy
from the quick-name-an-os-that's-never-been-compromised dept.
An anonymous reader writes "We frequently have guests in our home who ask to use our computer for various reasons such as checking their email or showing us websites. We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware, despite having antivirus and the usual computer security precautions. We have tried using a Linux boot CD but usually get funny looks or confused users. We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised. What tips do you have to overcome this problem, technologically or otherwise?"
  • Guest wifi... (Score:5, Insightful)

    by Anonymous Coward on Thursday April 04, 2013 @03:29PM (#43361939)

    I think they call it guest wifi and byod.

    • by ackthpt (218170) on Thursday April 04, 2013 @04:12PM (#43362677) Homepage Journal

      "Sorry, it's broken. Burned out some bits, radiation leak, 2.8 dead."

    • Re:Guest wifi... (Score:4, Insightful)

      by Anonymous Coward on Thursday April 04, 2013 @04:22PM (#43362797)

      Uhhhh, a guest account with limited privileges, maybe?

  • Malware eh? (Score:5, Funny)

    by i_ate_god (899684) on Thursday April 04, 2013 @03:30PM (#43361943) Homepage

    > We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware,

    Really? It's not that they started typing something into your browser and the browser history showed off all the sick and twisted porn you watch? :P

  • Linux Boot (Score:5, Insightful)

    by Sylak (1611137) on Thursday April 04, 2013 @03:30PM (#43361945)
    Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.
    • by xxxJonBoyxxx (565205) on Thursday April 04, 2013 @03:37PM (#43362113)

      >> Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.

      This. As long as you can PRINT from it. (Most of the time I loaned "local" computer access it was to let someone print airline boarding passes.)

      Also make a couple paper copies of your WiFi creds and encourage them to BYOD.

    • Re:Linux Boot (Score:5, Interesting)

      by Phillip2 (203612) on Thursday April 04, 2013 @03:41PM (#43362207)

      I've had lots of visitors in my house, of various ages, various skill levels. Most of them managed to get a browser open on Linux, then it all works from there.

      Other way is to use a VM, with a snapshot, so you can just revert it when you have finished.

    • Re:Linux Boot (Score:4, Informative)

      by icebike (68054) on Thursday April 04, 2013 @04:23PM (#43362809)

      > Have a dedicated Linux boot just for them, and if they give you funny looks tell them too bad.

      Once you have Linux, it doesn't have to be dedicated. Just use a Guest Account with permissions to use the browser, and not much else.

      The big thing is just get rid of Windows in your home. You have nothing that needs interoperability with your work that
      can't be handled by Linux. Once you dump Windows, all the bad browsing habits no longer matter.

      The problem here is the insistence of keeping Windows for no good reason.

      • by Idbar (1034346)
        If you have a license already, why not use it? Use that license to run on a VM. You can run Linux on your host, and you give the guests the possibility of using a "Windows machine" which is only a VM, you can revert to a previous state once they have used it.

        The issue is not about getting rid of Windows, it's knowing that you very likely paid for a license, so why not put it to use anyways?
  • Virtual Machine (Score:5, Insightful)

    by FiveLights (1012605) on Thursday April 04, 2013 @03:30PM (#43361965)
    Set up a VM in Virtual Box for them to use. Take a snapshot of when it was healthy and new and just revert to that each time someone wants to use it. Even paying for a Windows install for the VM would be cheaper than an iPad.
    • Windows Steadystate used to do a decent job of this on XP.
      • > Windows Steadystate used to do a decent job of this on XP.

        Which, for some reason that probably had nothing to do with pushing AD and group-policy tinkering on a bunch of schools and libraries and other relatively unsophisticated organizational users, is why Microsoft killed it. Support ended a couple of years back, availability 3-ish. No 64-bit or Win7 compatible version ever existed.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          Windows Steady State for 7 is a do it yourself through Windows 7 tools matter. http://www.microsoft.com/en-us/download/details.aspx?id=24373

          • by mlts (1038732) *

            I actually bothered with a license for DeepFreeze for the one box that I allow guests to use. That, a Kensington lock, BitLocker and proper password protection of the BIOS and the HDD is good enough.

            That way, the DeepFreeze-protected machine is one reboot away from getting cleaned up from whatever ails it. Especially with the fact that the guest user has no administrator rights, so malware would have to find a hole to get to a Windows admin context, then find a way to attack the DeepFreeze driver in order

    • Re:Virtual Machine (Score:5, Informative)

      by Erioll (229536) on Thursday April 04, 2013 @03:41PM (#43362205)

      I agree. Fullscreen the VM, and they'll probably never even know that they weren't using your "actual" PC.

    • Agreed. You can also run the machine in a non-persistence mode so that nothing is written to the disk at all while in use. Just periodically fire it up in a persistent state to apply important security updates etc for their safety. Unless they are savvy they won't even know they are running in a VM.

    • Re:Virtual Machine (Score:4, Informative)

      by Pluvius (734915) <pluvius3@gmail.WELTYcom minus author> on Thursday April 04, 2013 @03:55PM (#43362437) Journal

      If you have Windows 7 Pro or greater, you can get an instance of XP running on Virtual PC for free. It's called "Windows XP Mode."

      Rob

    • Re:Virtual Machine (Score:5, Informative)

      by steveg (55825) on Thursday April 04, 2013 @03:56PM (#43362439)

      Why go to all the trouble of reverting the snapshot?

      Just set the disk to "non-persistent" and nothing they do will modify the system. Each time the VM is restarted it's back to its default state.

      I don't have any experience with VirtualBox, but with VMware include a line something like this in the .vmx file:

      ide0:0.mode = "independent-nonpersistent"

      When you want to make changes, shut down the VM and change that line to:

      ide0:0.mode = "persistent"

      then change it back when it's the way you want it.

      I'm sure VirtualBox has something similar.
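A check for the `.vmx` setting described in the comment above, as an added example that is not part of the original post: it lists every attached virtual hard disk that is not in `independent-nonpersistent` mode. The function name `vmx_writable_disks` and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: report VMware virtual disks that would keep changes made
# during a guest session. Reads a .vmx file (path argument or stdin) and
# prints "<device> <mode>" for each attached hard disk whose mode is not
# independent-nonpersistent. Returns 0 if every disk discards writes, else 1.
vmx_writable_disks() {
    out=$(awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || substr(line, 1, 1) == "#") next
            eq = index(line, "=")
            if (eq == 0) next
            key = tolower(substr(line, 1, eq - 1))
            val = tolower(substr(line, eq + 1))
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]*"/, "", val)
            sub(/"[ \t\r]*$/, "", val)
            # Disk slots look like ide0:0, scsi0:1, sata0:0, nvme0:0.
            if (!match(key, /^(ide|scsi|sata|nvme)[0-9]+:[0-9]+\./)) next
            dev  = substr(key, 1, RLENGTH - 1)
            attr = substr(key, RLENGTH + 1)
            seen[dev] = 1
            if (attr == "present")    present[dev] = val
            if (attr == "mode")       mode[dev] = val
            if (attr == "devicetype") dtype[dev] = val
        }
        END {
            for (dev in seen) {
                if (present[dev] != "true") continue     # slot not attached
                if (dtype[dev] ~ /cdrom/) continue       # optical media, not a disk
                m = (dev in mode) ? mode[dev] : "unset"  # unset is treated as writable
                if (m != "independent-nonpersistent") print dev, m
            }
        }
    ' "$@" | sort)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample .vmx fragment (not from a real VM).
sample_vmx() {
cat <<'EOF'
.encoding = "UTF-8"
displayName = "guest-kiosk"
scsi0.present = "TRUE"
ide0:0.present = "TRUE"
ide0:0.fileName = "guest.vmdk"
ide0:0.mode = "independent-nonpersistent"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "tools.iso"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "scratch.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "data.vmdk"
scsi0:1.mode = "persistent"
sata0:0.present = "FALSE"
sata0:0.mode = "persistent"
EOF
}

# Demo on the constructed sample: two disks are reported as writable.
sample_vmx | vmx_writable_disks || echo "VM is not ready for guests"
```

A second or forgotten disk left in `persistent` mode is the usual way a "non-persistent" guest VM ends up keeping state, which is why the check walks every slot rather than only `ide0:0`.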

      • Re:Virtual Machine (Score:5, Informative)

        by dissy (172727) on Thursday April 04, 2013 @05:49PM (#43363803)

        For VirtualBox, the method I use is slightly different but gives similar results in the end.
        This must be done from the command line with the vboxmanage.exe tool, I'm not aware of a GUI way to do it.

        I have a 'template' VM with fully setup windows and configured how I want it.
        Then I make a new 'guest' VM (from scratch) and copy the template disk image to a new name (cloned, from virtual media manager), from template.vdi to guestbox.vdi, and then I use a command line tool to set the new disk image immutable, so it cannot be changed again.

        vboxmanage modifyhd whereever/guestbox.vdi --type immutable

        Then point the guest vm to the guestbox.vdi image under settings -> storage.

        Each time the VM boots, disk writes go into a separate copy-on-write file, which gets deleted once the VM is powered down. A "revert" action takes as long as a delete command unlinking an inode.

        When I need to make updates, I do that in my template vm, then copy over the vdi setting it immutable again. Copy the new guest image over the old one, and the VM is updated.

  • by Anonymous Coward

    The guests, that is.

  • NoScript (Score:5, Interesting)

    by MetalliQaZ (539913) on Thursday April 04, 2013 @03:33PM (#43362007)

    It's a Firefox addon. Check it out. Also Adblock Plus. With those two installed and running, things get a lot safer. Of course, NoScript requires a bit of savvy to be able to browse the web correctly. You might have to help. Otherwise, tell them to bring their own darn laptop.

  • Seriously? (Score:5, Funny)

    by morcego (260031) on Thursday April 04, 2013 @03:33PM (#43362009)

    The moment your computer becomes public (however limited that "public" is), it is a goner. It is like asking how to secure your computer after it was compromised.

    I don't even let my visitor plug into the same network my main computers are, and have both a separated WiFi network and a separated ethernet segment for them (1 port only in the guest room), that I treat as a DMZ. Ok, I'm paranoid, but still.

    Maybe use removable HDs, and keep one for your own use, and swap it for an entirely different one (which you can restore from a Ghost image or something) for your guests. As in PHYSICALLY disconnecting your HDs when they are going to use.

    Otherwise, it is like using band-aids to stop a leaking dam.

    • by Anonymous Coward on Thursday April 04, 2013 @03:59PM (#43362491)

      I don't even tell people where I live.

    • > I don't even let my visitor plug into the same network my main computers are, and have both a separated WiFi network and a separated ethernet segment for them (1 port only in the guest room), that I treat as a DMZ. Ok, I'm paranoid, but still.

      I shudder to think what booby traps you set up to keep your house guests away from your silverware and jewelry.

    • by xaxa (988988)

      What kind of guests do you have? Why do they spend so long using the Internet that managing it becomes an issue?

      My flatmate is from a different country, and regularly has friends visiting. They often ask to print a ticket or boarding pass, check email, check Facebook, but it's never been a problem. They can log in as guest on any computer, and the wifi password is on a post-it by the router.

    • by cnaumann (466328)

      I don't even let guests use the same internet.

  • Virtual Machine (Score:5, Insightful)

    by Anonymous Coward on Thursday April 04, 2013 @03:33PM (#43362019)

    Something like VirtualBox or VMWare that supports snapshots. Install an OS into the virtual machine and set some firewall rules to keep it from accessing anything else on your network. When they ask to use your computer, launch the virtual machine and set it to full screen. They won't know the difference. When they're done, revert to snapshot.

  • Chromebook? (Score:5, Interesting)

    by Anonymous Coward on Thursday April 04, 2013 @03:34PM (#43362033)

    Sound like a good use for a Chromebook.

  • VirtualBox (Score:2, Insightful)

    by whtmarker (1060730)
    Setup a windows XP virtual machine. Save a snapshot, or a VDI/VMDK file of a clean hard drive image. When they come, boot up the virtual machine in full screen. When they leave, restore the clean snapshot or clean hard drive image.
  • by Anonymous Coward on Thursday April 04, 2013 @03:35PM (#43362055)

    Get smarter guests

    • by Sez Zero (586611)

      > Get smarter guests

      Exactly.

      "Hey, can I use your computer to..."

      "No."

      Who doesn't have a smartphone/tablet these days to do such things?!

  • Just create an ad-hoc guest account with limited rights. That way they can't really screw up things. Once the guest has left the premises, remove the account. You don't even have to log out yourself if someone just needs the access for five minutes, just switch users.

    A step further: Build a virtual machine with e.g. your basic Linux distro or Windows XP, create a snapshot of it in its "fresh" state, and set it up to talk only directly to the Internet without any access to your local network. You can achi

    • The guest account is the way to go. Anything that infects the PC is unlikely to make it past the guest account as long as you keep your Windows Updates up-to-date. I would also recommend going the extra step and setting ACLs to deny usage of Internet Explorer. Install Firefox and/or Chrome.

  • Use two routers. Then turn wi-fi on both. Give the password to the outer router to your guests and ask them to BYOC, bring your own computers. Use the second router, the inner one, to run your home network. Close all the ports and be very secure on the second router. Tell your guests your PC has a virus and so you don't want others connecting to it or using it till you get some help to disinfect it.
  • by AlphaBit (1244464) on Thursday April 04, 2013 @03:36PM (#43362097)
    The media PC in my living room boots directly into the Guest account. Under the guest account I can USE almost all the programs I have installed seamlessly. There are some minor issues with software updates, XBOX controllers, and a complete inability to configure network settings, but that's about it. If I need to do anything that requires more rights I can deal with the UAC prompts that show up or simply log out and back in as an admin.

    I know it's not flawless but I still feel pretty comfortable letting my tech savvy (e.g. dangerous) friends stay over unattended. It wouldn't hold up to anyone seriously determined to break the security but they have access to the physical machine and can't really be stopped anyway.
  • Just say no (Score:5, Interesting)

    by Bill_the_Engineer (772575) on Thursday April 04, 2013 @03:36PM (#43362105)
    Most of the new WiFi routers offer guest networks. Set one up and tell them to bring their own device. With the number of people with smartphones, I don't really see a legitimate need to set up guest computers.
  • "it wasn't right to knowingly let others use a computing platform that may have been compromised."

    Then why are you letting them use ANY computer? There is no platform where you can say 100% that it has not been compromised.

    By far the iPad would be the least likely to be infected by anything, and require the least maintenance. I can't understand your rationale for not going this route at all.

    • by Ksevio (865461)
      The full quote is :

      > We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised.

      Is he really worried about an iPad being compromised compared to a windows box? It's pretty hard to accidentally mess up an iPad even visiting shady sites.

  • I have a cheap fon router which provides two wireless networks. One for my family and one non-encrypted.

    The non-encrypted network normally requires a logon, but some IP addresses can be excluded from that requirement. You might choose to exclude all requirements so that your guests get straight access.

    You also get to rate-limit the connection too.

    If you run a connection and leave it turned on you get free logon to other people's fon hotspots too - and there are thousands in the UK.

    http://corp.fon.com/how-it- [fon.com]

  • Just use a Linux distro - problems solved. Create a guest account that automatically wipes every time you log out.

  • No one touches my computing equipment, period. If you MUST use my machine you are getting a Linux Live CD. If you don't like it, use someone else's resources.
  • Obvious answer (Score:3, Insightful)

    by jamesl (106902) on Thursday April 04, 2013 @03:42PM (#43362239)

    ... many of these guests have high risk computing habits and have more than once infested one of our computers with malware ...

    Change a few words ... many of these guests have high risk driving habits and have more than once driven one of our cars into a phone pole ... and the answer is obvious.

    Not convinced? Try this one ...
    ... many of these guests have high risk sexual behavior habits and have more than once infected one or more of our girl/boy friends ...

    • ... many of these guests have high risk sexual behavior habits and have more than once driven one of our cars into a phone pole ...
  • by PPH (736903)

    Anyone who stays at my house has to help slop the hogs and clean out the barn. You can play with the computer afterward.

    Problem solved.

  • With Windows inside the VirtualBox. Once the guests leave, revert the VirtualBox image.

    With a little work, you can make a "guest" login that launches VirtualBox and can't do anything else.

    On the other hand, it might be enough to make a "guest" account, and just run a script that cleans out /home/guest after the users leave:

    # remove all trace of guest directory
    rm -fr /home/guest
    # set up clean copy again
    cp -pr /whatever/guest /home

    If you are using Linux Mint with MATE, your guests should be able to cope with

  • Virtual machine.

  • iPad (Score:4, Informative)

    by tverbeek (457094) on Thursday April 04, 2013 @03:47PM (#43362329) Homepage
    "We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised."

    Seriously? What have you been reading that gives you bizarre notions like that? The iPad has a number of general shortcomings, most of which are related to its single-user OS and its closed architecture. And I'd hesitate to lend a guest my iPad, but only because – once unlocked for use – it's wide open for the user to poke around (e.g. read my mail, browser history, etc). But in terms of the OS being compromised, an iOS device that hasn't been deliberately jailbroken (by you) is about as safe an internet-access device as you're likely to find, short of custom building a Linux- or BSD-based system yourself.
  • privileges (Score:3, Informative)

    by Dandano (584147) on Thursday April 04, 2013 @03:48PM (#43362353)
    Create an account that does not have the ability to change the operating system, a "user" account for your friends. It won't prevent all problems, but it does cut down on the ability of malware to corrupt your system outside that user's folder.
  • Windows XP with Steadystate
    http://en.wikipedia.org/wiki/Windows_SteadyState [wikipedia.org]

  • Puppy Slacko 5.5 (Score:4, Interesting)

    by b4upoo (166390) on Thursday April 04, 2013 @03:49PM (#43362359)

    Let them run Puppy and if they get confused lend them a hand. Usually most people seem to want to check email or some other trivial task. You do want to be certain that your email account does not allow auto sign in while you have company.

  • by Sigma 7 (266129) on Thursday April 04, 2013 @03:50PM (#43362365)

    Get a cheap computer (i.e. used/refurb), and keep installation media on-hand.

    You can optionally install Linux to make it more resistant to stuff.

    And put the homepage to something [rshirley.com] that discourages them from visiting naughty sites.

  • Chromium OS (Score:4, Interesting)

    by briancox2 (2417470) on Thursday April 04, 2013 @03:50PM (#43362369) Homepage Journal
    Dual boot into it. Problem solved. Everyone loves Chrome. And it's like a rock.
  • by Rysc (136391) * <sorpigal@gmail.com> on Thursday April 04, 2013 @03:56PM (#43362443) Homepage Journal

    I keep a chrome laptop around for this. It's enough for most people, and after logout everything's clean.

  • My two cents...

    Keep an extra media bay or hard drive for a notebook that lets you just remove your hard drive and stick another in.
    Take your regular hard drive and put it away when you've got guests coming over. Let anyone use your notebook with this alternate media to boot and run from. Just keep a .iso or other backup from which to do a restore.
    At the end of the night, just reimage the alternate media and put it back on a shelf.
    Put your drive / boot media back in and you've got your machine back. No worri

  • Run backups before they arrive, and run restore after they leave. Plus your machine gets backed up which you probably needed to do anyway.

  • Buy a Chromebook (Score:4, Informative)

    by Jim Hall (2985) on Thursday April 04, 2013 @04:01PM (#43362521) Homepage

    > We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised.

    If you're willing to buy a $499 iPad [apple.com] just for guests to use, then you'd probably be willing to buy a $249 Chromebook [google.com] instead. It's a great second laptop, and perfect for guests to use. There's even a "Guest" account they can use, and it clears the data when they are done using it. And it's secure - which you want if your guests have "high risk computing habits."

  • Extra computer, different network/workgroup/domain, different room. Who would "share" one's own machine with anyone?
  • Eight (Score:3, Funny)

    by Tablizer (95088) on Thursday April 04, 2013 @04:11PM (#43362665) Journal

    Just put Windows 8 on it. Nobody will be able to figure out how to launch anything besides Bing and Zune.

    • That would put ME at a disadvantage, some of the people I invite over have Win8, unlike me.

      One of them mentioned he actually LIKES it. I haven't spoken with him since, I don't want to be associated with lunatics.

  • by DavidinAla (639952) on Thursday April 04, 2013 @04:13PM (#43362691)
    If you have a Mac, there's a standard user account called Guest. This account has privileges to do normal user things, but can't install apps or make other changes to the computer. (And the account has no access to other users' data.) No matter what the guest user does in that account, it can't hurt you — and the entire Guest account is in a fresh state each time you log in to it. It's designed exactly for something such as this, and it works very, very well in real use.
    • Re: (Score:3, Interesting)

      by D1G1T (1136467)
      2nd this. Use it all the time to give friends and colleagues access to their email while traveling or whatever. Wipes all data when they log out. Need a mac though; doing hackintosh for just this is overkill.
  • by Inigo Montoya (31674) on Thursday April 04, 2013 @04:15PM (#43362711) Journal

    These comments suggesting a Linux boot CD, or a Virtual Machine (VMWare, VirtualBox, etc) are all viable solutions if you trust your guest to stay within the environment you give them.

    A VM, in my opinion, is really just useless, because the guest can switch away from it too easily and get at your main machine. Then perhaps become confused which browser is which, see your firefox on the desktop, double click and continue away... This is common with guests that are not too computer savvy....

    Someone mentioned using a VM with a guest network and router firewall rules?? that's just more useless, the guest is sitting at your main machine. See the point above.

    A linux boot CD is much better than a VM, with firewall rules to prevent this booted machine from accessing the local network, but any linux environment gives local access to local drives, so before you know it your (computer savvy guest) is browsing your local hard drive from your standard everyday system you use, and reading all your fine datas. Or if they are a reboot happy user (I've seen that, if the browser gets slow they power off) then that user may reboot when you're out of the room, and they may now boot into your main system and continue along, without you even knowing it, until much much later. You won't know this unless you are watching what they are doing every minute, and I am sure that won't go over well either.

    The only way to go here is to have a separate guest network (hardwired or wifi or both) and have your guests BYOD. If you wish to be accommodating when they don't have their own device then you can give them a slow, cheap, small laptop from craigslist or something, and make them use that. Use any hard drive mirroring software to wipe and reinstall the Linux OS on it after they leave, or use a netboot to boot an image from a local server which you have a virgin copy of for the next user. As someone else already said, make sure it can access the printer, guests always want to print something.

    I do the above. An old DELL Latitude D600 is the device for my guests. It has a 14" screen, 1 GB RAM, Pentium M 1.6Ghz, a 30GB hard drive, and dual boots Linux Mint or Windows XP so they have a choice if they care. The entire HDD is overwritten from a server image when they are done.

    I say all this because I am the type of person that doesn't want anyone sitting at my local machine. I wish to give them full access, freedom to take their time and do what they want, without me watching guard over them to be sure they aren't reading anything of mine. I don't want them to start my Yahoo, or MSN , or read my email, my PC has years of financial data on it, local documents to my Condominium Corporation, letters to family, and the other 50% is ... well... we all know what the Internet is really for ;)

  • by roc97007 (608802) on Thursday April 04, 2013 @04:46PM (#43363081) Journal

    ...and then delete it when they leave.

  • by ssam (2723487) on Thursday April 04, 2013 @04:59PM (#43363253)

    I made an account with username 'guest' and password 'password'. then just let them log on.

    I also had ssh installed. one day the sysadmin at work comes to see me and tells me that my laptop had been blocked from the network because it was making a large number of outgoing ssh connections. important lessons were learned.

    (some distros offer a locked down password-less guest account. this is a much better idea)
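The failure described in the comment above (a `guest`/`password` account on a machine that also runs sshd) can be caught by checking whether the guest account is allowed to log in over SSH with a password. This is an added example, not part of the original post; the function name `ssh_password_exposure` and both sample configurations are constructed, and the check only covers the global section of `sshd_config` with exact user names or `*`.

```sh
#!/bin/sh
# Added example: can a given local account log in over SSH with a password?
# Usage: ssh_password_exposure USER [sshd_config]   (reads stdin if no file)
# Scope (assumptions): global section only (stops at the first Match block),
# exact names or "*" in AllowUsers/DenyUsers, "Keyword value" syntax,
# keyboard-interactive/PAM settings are not examined.
# Returns 1 and prints "exposed: ..." when password login is possible.
ssh_password_exposure() {
    user=$1
    shift
    awk -v user="$user" '
        function listed(list,    n, i, a) {
            n = split(list, a, " ")
            for (i = 1; i <= n; i++)
                if (a[i] == user || a[i] == "*") return 1
            return 0
        }
        {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            if ($0 == "" || substr($0, 1, 1) == "#") next
            kw = tolower($1)
            if (kw == "match") exit                  # jump to END
            args = ""
            for (i = 2; i <= NF; i++) args = args " " $i
            if (kw == "denyusers")  deny  = deny args
            if (kw == "allowusers") allow = allow args
            # sshd uses the first value it obtains for a keyword
            if (kw == "passwordauthentication" && pw == "") pw = tolower($2)
        }
        END {
            if (pw == "") pw = "yes"                 # OpenSSH default
            # DenyUsers is evaluated before AllowUsers
            if (listed(deny)) { print "blocked: " user " is in DenyUsers"; exit 0 }
            if (allow != "" && !listed(allow)) {
                print "blocked: " user " is not in AllowUsers"; exit 0
            }
            if (pw == "no") { print "no-password: PasswordAuthentication no"; exit 0 }
            print "exposed: " user " can log in with a password"
            exit 1
        }
    ' "$@"
}

# Constructed sample configs (not taken from a real host).
sample_weak() {
cat <<'EOF'
# sshd_config as installed
Port 22
PermitRootLogin no
#PasswordAuthentication yes
EOF
}

sample_hardened() {
cat <<'EOF'
PasswordAuthentication yes
AllowUsers alice bob
DenyUsers guest
Match User bob
    X11Forwarding no
EOF
}

# Demo: the default-style config leaves the guest account reachable.
sample_weak | ssh_password_exposure guest || true
sample_hardened | ssh_password_exposure guest
```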

  • by Myopic (18616) * on Thursday April 04, 2013 @08:24PM (#43364987)

    "We have tried using a Linux boot CD but usually get funny looks or confused users."

    So, then, you already solved your problem. Why are you posting to Slashdot?
