Protecting a computer that is 2000 miles away



 
 
  #1  
Old February 13th 16, 05:21 PM posted to alt.windows7.general
Drew[_8_]
external usenet poster
 
Posts: 75
Default Protecting a computer that is 2000 miles away

Hey all.. A question for the techies here. I currently attempt to take
care of my 85 yr old mother's computer from across the country using
TeamViewer. She is getting kind of forgetful about NOT installing
everything with certain updates. An example would be getting Open Office
with Java and such. It seems I log into her computer every few days and
Chrome or Driver Detective, bogus antivirus software or a new browser of
some kind has been installed on this computer. She swears she is not
doing it. Is there a way to lock it down so unless she has some kind of
password or something then nothing can be installed? I simply cannot
come home from work every other night and spend half the night getting
rid of all the crap on her system only to find it there again 2 days
later. I am not totally dumb about these things but I cannot think of a
simple way right now to prevent this from happening. She is the
administrator on that box and I might need it to stay that way in order
to do what I do with TeamViewer..

Her computer is a Dell
win7 home
Avast premier
malwarebytes free
super antispyware free

Also win update constantly changes its own settings and keeps trying to
install win 10. She firmly believes she will not outlive win 7 so does
not want win 10.
  #2  
Old February 13th 16, 06:17 PM posted to alt.windows7.general
Mike Easter
Posts: 1,064

Drew wrote:
> She is the administrator on that box and I might need it to stay that
> way in order to do what I do with TeamViewer..


She should not be 'operating' as administrator; she should be a standard
user. That way she can't OK changes requiring admin. You can operate
as admin when you are TV.

You can get rid of the Win7 updates toward Win10.

If there is already some kind of infestation, you need to clean it up.

You can get some experienced and vetted help by going to one of the
established sites such as Bleeping using her computer. Since there is a
lot of rebooting with the cleanup, you should configure TV so that you
have access to it before login.

--
Mike Easter
  #3  
Old February 13th 16, 06:28 PM posted to alt.windows7.general
(PeteCresswell)
Posts: 1,933

Per Drew:
> . It seems I log into her computer every few days and
> Chrome or Driver Detective, bogus antivirus software or a new browser of
> some kind has been installed on this computer. She swears she is not
> doing it. Is there a way to lock it down so unless she has some kind of
> password or something then nothing can be installed?


I think she is probably right in that she is not doing anything
explicit.... but plenty of web pages slip stuff in on you under the
table.

Ditto installing common freebie products - you have to look hard for the
pre-checked "Install all this marketingware garbage" checkbox and
un-check it.

The good-right-and-holy path security-wise seems to be to have a
separate "Admin" ID that is authorized to install/remove applications
and day-to-day "User" ID that is not authorized to do that.

I suspect your mother is logging on with an Admin ID - even though she
might have it set so there is no PW prompt.

The cure would be to set up a separate "User" ID - also with no PW
prompt if appropriate, set a PW for Admin, and figure out how to have
the PC default to using the "User" ID.... or train her to only log on
with the "User" one.

Maybe Greater Minds Than Mine can chime in on this.
--
Pete Cresswell
  #4  
Old February 13th 16, 06:49 PM posted to alt.windows7.general
(PeteCresswell)
Posts: 1,933

Per Drew:
> Also win update constantly changes its own settings and keeps trying to
> install win 10. She firmly believes she will not outlive win 7 so does
> not want win 10.


I disabled two services several months ago:

- Windows Update
- Background Intelligent Transfer

Have not had a problem with spontaneous Windows Updates since - and I
was having periodic episodes of them before, in spite of settings to the
contrary.

OTOH, it's on me to go out and manually get whatever security updates
should be applied....
--
Pete Cresswell
  #5  
Old February 13th 16, 07:46 PM posted to alt.windows7.general
Don Phillipson[_4_]
Posts: 1,185

"Drew" wrote in message
...

> Hey all.. A question for the techies here. I currently attempt to take
> care of my 85 yr old mother's computer from across the country using
> TeamViewer. She is getting kind of forgetful about NOT installing
> everything with certain updates. An example would be getting Open Office with
> Java and such. It seems I log into her computer every few days and Chrome
> or Driver Detective, bogus antivirus software or a new browser of some kind
> has been installed on this computer. She swears she is not doing it. Is
> there a way to lock it down . . . ?


Malwarebytes can be configured to prevent installing
new software and otherwise automatically detect and
act against malware or suspicious files. This configuration
makes the PC run slowly for the first 5-10 minutes after
startup, but this ends soon and has no other effect.

> She is the administrator on that box and I might need it to stay that way
> in order to do what I do with TeamViewer..


This is worth verifying. No naive user should be enabled
as administrator.
--
Don Phillipson
Carlsbad Springs
(Ottawa, Canada)


  #6  
Old February 13th 16, 07:49 PM posted to alt.windows7.general
Stan Brown
Posts: 2,904

On Sat, 13 Feb 2016 09:21:47 -0800, Drew wrote:
> Is there a way to lock it down so unless she has some kind of
> password or something then nothing can be installed?


Yes, of course. It's called User Access Control.

Right now she must be running with full admin rights. Change her to a
regular user, which lacks the ability to install things.

Caveats:

Some things may stop working because of a permissions mismatch.
Make sure you keep a true admin account on her machine for yourself.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
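
One way to carry out the account split recommended in the replies above, as an added example that is not part of the original thread: a PowerShell script run once from an elevated prompt. The account names `Mom` and `RemoteAdmin` and the helper function names are hypothetical; it assumes a stand-alone PC with local accounts only.

```powershell
# Added example, not from the thread. Run once from an elevated PowerShell
# prompt (PowerShell 2.0 on Windows 7 is enough). Account names are hypothetical.
$DailyUser = 'Mom'          # the account used for everyday logons
$AdminUser = 'RemoteAdmin'  # new account reserved for maintenance

# Resolve the built-in group names from their well-known SIDs so the script
# also works on non-English installs where the groups have other names.
function Get-BuiltinGroupName([string]$Sid) {
    $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
    $id.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
}
$AdminsGroup = Get-BuiltinGroupName 'S-1-5-32-544'   # Administrators
$UsersGroup  = Get-BuiltinGroupName 'S-1-5-32-545'   # Users

function Get-GroupMemberNames([string]$Group) {
    # WinNT ADSI provider: present on Home editions, which lack lusrmgr.msc.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-LocalUser([string]$Name) {
    # net.exe returns a non-zero exit code when the account does not exist.
    & net.exe user $Name 2>&1 | Out-Null
    $LASTEXITCODE -eq 0
}

if (-not (Test-LocalUser $DailyUser)) { throw "No local account named $DailyUser" }

# 1. Create the maintenance admin FIRST, so the machine is never left without
#    a working administrator. '*' makes net.exe prompt for the password
#    instead of taking it on the command line.
if (-not (Test-LocalUser $AdminUser)) {
    & net.exe user $AdminUser '*' /add
    if ($LASTEXITCODE -ne 0) { throw "Could not create $AdminUser" }
}
if ((Get-GroupMemberNames $AdminsGroup) -notcontains $AdminUser) {
    & net.exe localgroup $AdminsGroup $AdminUser /add
    if ($LASTEXITCODE -ne 0) { throw "Could not add $AdminUser to $AdminsGroup" }
}

# 2. Only now demote the daily account: add it to Users first, then remove it
#    from Administrators, so it is never left without any group.
if ((Get-GroupMemberNames $UsersGroup) -notcontains $DailyUser) {
    & net.exe localgroup $UsersGroup $DailyUser /add
    if ($LASTEXITCODE -ne 0) { throw "Could not add $DailyUser to $UsersGroup" }
}
if ((Get-GroupMemberNames $AdminsGroup) -contains $DailyUser) {
    & net.exe localgroup $AdminsGroup $DailyUser /delete
    if ($LASTEXITCODE -ne 0) { throw "Could not demote $DailyUser" }
}

# 3. Report who can still approve installs.
"Members of $AdminsGroup now: " + ((Get-GroupMemberNames $AdminsGroup) -join ', ')
```

The demotion takes effect at the daily account's next logon; after that, an installer that needs elevation asks for the maintenance account's password instead of a one-click confirmation.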
  #7  
Old February 13th 16, 08:47 PM posted to alt.windows7.general
VanguardLH[_2_]
Posts: 10,881

Drew wrote on 2016/02/13:

> Hey all.. A question for the techies here. I currently attempt to take
> care of my 85 yr old mother's computer from across the country using
> TeamViewer. She is getting kind of forgetful about NOT installing
> everything with certain updates. An example would be getting Open Office
> with Java and such. It seems I log into her computer every few days and
> Chrome or Driver Detective, bogus antivirus software or a new browser of
> some kind has been installed on this computer. She swears she is not
> doing it. Is there a way to lock it down so unless she has some kind of
> password or something then nothing can be installed? I simply cannot
> come home from work every other night and spend half the night getting
> rid of all the crap on her system only to find it there again 2 days
> later. I am not totally dumb about these things but I cannot think of a
> simple way right now to prevent this from happening. She is the
> administrator on that box and I might need it to stay that way in order
> to do what I do with TeamViewer..
>
> Her computer is a Dell
> win7 home
> Avast premier
> malwarebytes free
> super antispyware free
>
> Also win update constantly changes its own settings and keeps trying to
> install win 10. She firmly believes she will not outlive win 7 so does
> not want win 10.


Use disk virtualizing software where all changes to the virtual disk are
wiped on a reboot. Then no matter what she changes, a reboot gets back
to a known good state. All other hardware is real (not virtualized) and
the virtual disk is almost as fast as the real hardware (very little
overhead for the stacked file I/O driver). If you want, you could even
schedule a reboot to happen at night while she is sleeping but that
means, of course, that the computer is left powered on 24x7. Since a
reboot wipes everything on the OS partition back to a stored known good
state, all data files have to be moved to another drive (i.e., another
partition on the same or different disk). Some will let you whitelist
some folder paths on the protected disk but that is a potential infection
vector. Some such products are:

Microsoft SteadyState (discontinued but still works)
Try & Decide (part of Acronis TrueImage bundle) (*)
Returnil QuietZone (*)
Faronics DeepFreeze
Toolwiz Time Freeze
Shadow Defender
Rollback Rx

(*) I've used these although for Returnil it was their prior Virtual
System Safe which had a free version (but they don't have a free version
anymore).

You already have Avast so check if its Try & Decide feature has an
option to activate it on bootup so it is always active. You can't rely
on granny knowing when she will be committing some action that
threatens the stability, security, or privacy of her computer. This
means of snapshotting the computer for immediate restoration does NOT
obviate the need to perform regularly scheduled backups (again, do not
rely on the user to do periodic backups), plus these tools do not guard
against hardware failure.

Most, maybe all of these, have an option to be active on boot. That
way, they are always active (rather than relying on the user to decide
when to protect themself before committing any dubious action). I've
seen schools use these where the VD software always loads on bootup, the
kids use the computers during the day, and the computers are scheduled to
reboot at night so the computers are in a known state the next class
day. They either put their data files on removable media to take with
them and bring back to school or they save their data files on a drive
that is for some other partition. Remember that ALL changes to the
virtual disk are discarded on a reboot including, for example, a config
change in an e-mail client to check spelling before send (so after the
next reboot that option will not be set anymore). You get the OS
partition configured and tweaked how you want and that is what gets
restored on a reboot. Most just have one state to which they will
restore. Some offer multiple snapshots to which you can restore.

Under no circumstances (unless you intend to be vicious) use Comodo's
Time Machine. It is flaky and kills many setups, so unless you do
backups then you lose everything on the protected partition.

If you don't like this scheme of virtualizing all disk changes to
discard them upon reboot (the paywares offer an option to reboot and
save changes) then start scheduling image backups on her computer. Save
the backups in a partition on a different disk (so if her OS partition
on the primary disk gets corrupted or the disk fails, the backups are
still available). To preserve disk space, you could schedule
incremental backups but don't make its chain too long. Incrementals are
based off a full backup and thereafter on each incremental, so losing
one incremental backup file means losing all incrementals thereafter.
Schedule a weekly full backup followed by daily incrementals. If you
don't have room for all those backups for, say, a 2-month retention,
then do a monthly full backup with weekly differentials. That would
result in losing a week's changes but better than losing it all. Not
many personal backup programs will do a grandfather-father-son backup
scheme: monthly full, weekly differentials based off the full, and daily
incrementals based off the differentials. Most just give you full+diff
or full+incr schemes. Be sure the backup disk is large to accommodate
several fulls. There may be times before committing major changes when
you want to save a full backup before doing so to have an escape route.
Do not rely on System Restore. It is not a backup program.

Then when granny screws up her computer, you use the backup program to
restore to a prior image of the OS partition. That also means any
changes she made are gone: malware, bad configs, unwanted installs, plus
any data file changes. If you find malware is stored in the backup for,
say, a month then you have to restore to a month-old image to get rid of
the malware (if you don't trust disinfection by security software) and
that means losing all data for the last month, too. So you might want
to have 2 series of backups: one to image the OS partition and another
logical file backup that just snags the data files. Then you can
restore to a prior partition image for the OS but still have her latest
data file(s) from the just-prior data-file backup.

While I have used the snapshotting tools (using a virtualized disk to
discard all disk changes on a reboot), I have dumped those and just gone
with scheduled image backups along with scheduled data backups. They
have boot media that can be used if the file system gets so corrupted
(e.g., ransomware) that you cannot run the backup program from the
backed up OS/app partition. There is the issue that malware can find
your backup files and corrupt or encrypt them to be unusable to you.
You already have Acronis which has its Secure Zone. That uses a
partition number that is non-standard, is unrecognized by typical disk
tools, and the SZ partition (which should be on a different disk) is not
assigned a drive letter. Twould be nice if they also offered setting
the Windows policy to enable/disable all access to the SZ partition.
There is malware that can find physical devices, determining
partitioning, and detect what file system is used on them but those are
few. To protect against those nasties, you would need to schedule image
backups that go to a USB-attached disk. The backups would fail (and so
would malware access) while the USB-attached disk was powered off. Once
you power on the USB-attached disk (after being sure the computer is not
infected) the next scheduled backup would succeed. Or you could just do
manually-instigated backups to the USB device: you connect via
TeamViewer to inspect her computer to ensure there are no pests, bad
behaviors, or unwanted installs, tell granny to power up the USB disk,
you start the backup job to the USB disk, tell granny to power it off,
and thereafter nothing is going to get at the backups on that USB disk
(even you until granny powers it back up on your request). She can
leave the USB disk attached all the time, just power it off (which means
it needs a power switch which 2.5" laptop disks in an external case may
not have since they are USB powered instead of A/C powered - so, for
those, unplug the USB cable but some users are rough on the
connectors).

So you could use disk virtualizing software to immediately restore the
computer to the prior state (before VD was enabled) using snapshotting
software (e.g., Acronis Try&Decide, Returnil Quietzone) if you really
want to keep granny from installing anything or you could use backups to
provide a means of wiping out everything she did to get back to a
selected backup image. You already have Acronis there. Why aren't you
using it?
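
The chain dependency described in this post (an incremental needs every backup before it, a differential needs only the last full), as an added example that is not part of the original post. The week of backups is constructed sample data and the function names are made up for the illustration.

```powershell
# Added example: which restore points survive when one backup file is lost?
# All backup names and days below are constructed sample data.

function New-Backup($Name, $Type, $Day, $Present = $true) {
    New-Object PSObject -Property @{
        Name = $Name; Type = $Type; Day = $Day; Present = $Present
    }
}

function Get-RestorePoints([object[]]$Catalog) {
    $fullOk = $false   # is the most recent full backup usable?
    $prevOk = $false   # is the restore point just before this one usable?
    foreach ($b in ($Catalog | Sort-Object Day)) {
        switch ($b.Type) {
            'Full'  { $ok = $b.Present; $fullOk = $ok }   # stands alone
            'Diff'  { $ok = $b.Present -and $fullOk }     # needs the full only
            'Incr'  { $ok = $b.Present -and $prevOk }     # needs every link before it
            default { $ok = $false }                      # unknown type: do not trust it
        }
        $prevOk = $ok
        New-Object PSObject -Property @{
            Name = $b.Name; Type = $b.Type; Restorable = $ok
        }
    }
}

$days = 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'

# One week: a full backup on Sunday, then one daily backup of the given type.
# The file for $LostDay is marked as missing or corrupted.
function New-Week([string]$DailyType, [string]$LostDay) {
    New-Backup 'Sun' 'Full' 0
    for ($i = 0; $i -lt $days.Count; $i++) {
        New-Backup $days[$i] $DailyType ($i + 1) ($days[$i] -ne $LostDay)
    }
}

# Same loss (Tuesday's file) under both schemes.
foreach ($scheme in 'Incr', 'Diff') {
    $points = Get-RestorePoints (New-Week $scheme 'Tue')
    $good = @($points | Where-Object { $_.Restorable } | ForEach-Object { $_.Name })
    '{0}: restorable = {1}' -f "Full+$scheme", ($good -join ', ')
}
```

Comparing the two printed lines shows how far a single lost file reaches in each scheme, which is the trade-off behind keeping incremental chains short.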
  #8  
Old February 13th 16, 09:02 PM posted to alt.windows7.general
Mike Easter
Posts: 1,064

VanguardLH wrote:
> Drew wrote:
>
>> to do what I do with TeamViewer..
>>
>> Her computer is a Dell
>> win7 home
>> Avast premier
>> malwarebytes free
>> super antispyware free

I don't see Acronis.

> Use disk virtualizing software where all changes to the virtual disk are
> wiped on a reboot.
>
> Try & Decide (part of Acronis TrueImage bundle) (*)
>
> You already have Avast so check if its Try & Decide feature has an
> option to activate it on bootup so it is always active.

Avast isn't Acronis.

> If you don't like this scheme of virtualizing all disk changes to
> discard them upon reboot (the paywares offer an option to reboot and
> save changes) then start scheduling image backups on her computer.

Would he be able to TeamViewer image backups? Probably not as user
action would be required before there is Windows. So granny would have
to be 'phone coached what to do for that method but not the
virtualization method, I think.

> Then when granny screws up her computer, you use the backup program to
> restore to a prior image of the OS partition.
>
> You already have Acronis which has its Secure Zone.

Maybe he should *get* Acronis.



--
Mike Easter
  #9  
Old February 14th 16, 02:10 AM posted to alt.windows7.general
Paul
Posts: 18,275

Drew wrote:
> Hey all.. A question for the techies here. I currently attempt to take
> care of my 85 yr old mother's computer from across the country using
> TeamViewer. She is getting kind of forgetful about NOT installing
> everything with certain updates. An example would be getting Open Office
> with Java and such. It seems I log into her computer every few days and
> Chrome or Driver Detective, bogus antivirus software or a new browser of
> some kind has been installed on this computer. She swears she is not
> doing it. Is there a way to lock it down so unless she has some kind of
> password or something then nothing can be installed? I simply cannot
> come home from work every other night and spend half the night getting
> rid of all the crap on her system only to find it there again 2 days
> later. I am not totally dumb about these things but I cannot think of a
> simple way right now to prevent this from happening. She is the
> administrator on that box and I might need it to stay that way in order
> to do what I do with TeamViewer..
>
> Her computer is a Dell
> win7 home
> Avast premier
> malwarebytes free
> super antispyware free
>
> Also win update constantly changes its own settings and keeps trying to
> install win 10. She firmly believes she will not outlive win 7 so does
> not want win 10.


On an older OS, there was Windows SteadyState.

Using that as a keyword, I was able to find this article.

http://blogs.technet.com/b/panosm/ar...implified.aspx

I don't know if "simplified" is the right word for that.
It looks like a lot of work, whatever they're doing.
And I didn't even know there was a "boot from VHD" capability
in Windows 7. I've never done that, have no idea of the
details.

But at least someone tried to address the need to make
a copy of the OS, where when you reboot, it's all
restored to the way it was. You might still need
to set up a second storage device to hold data files.
Perhaps the user profile points to D: for all the
downloaded data files. On a reboot, C: will refresh, but
a second hard drive would continue to hold the user content.
If a malware program was sitting on D: , it might
still "inconvenience" the user. Totally locking down
things so there was no persistent user storage, wouldn't
make the machine all that useful.

I would call that article an "illustration", rather than
a practical solution. But consider that your public library
uses similar software, to keep the library machines in good
shape. Every time a patron reboots a public library machine
(as part of the logon procedure), they're getting a
fresh copy of C: , with the malware from the previous
patron removed. So commercial implementations of
SteadyState exist, and they're used for public
library situations or used by Internet Cafe owners.

The SteadyState approach isn't perfect - for machines
where script kiddies have physical access to a machine,
they may still find ways to tip it over. But if the
user is "trusted" to not try stuff like that, the chances
are much better of keeping the machine upright.

Paul
  #10  
Old February 14th 16, 07:27 AM posted to alt.windows7.general
Char Jackson
Posts: 10,449

On Sat, 13 Feb 2016 21:10:42 -0500, Paul wrote:

> I would call that article an "illustration", rather than
> a practical solution. But consider that your public library
> uses similar software, to keep the library machines in good
> shape. Every time a patron reboots a public library machine
> (as part of the logon procedure), they're getting a
> fresh copy of C: , with the malware from the previous
> patron removed.


A library computer that can be rebooted by a patron? I've seen quite a few
library PCs, but never one that could be rebooted, at least in any normal
way. I suppose a patron could yank the power cord.

--

Char Jackson
  #11  
Old February 14th 16, 09:54 AM posted to alt.windows7.general
VanguardLH[_2_]
Posts: 10,881

Mike Easter wrote on 2016/02/13:

> Avast isn't Acronis.


Yeah, my eyes lied to my brain. Oh well, he didn't say solutions had to
be free and Acronis, as mentioned, has its Try&Decide virtualized disk
feature (much like how Returnil's System Safe works which was free but
they discontinued it and went to QuietZone which is payware).

> Would he be able to TeamViewer image backups?


It has been a long time, ever since Microsoft introduced VSS, since
doing a partition image backup required a quiescent OS (i.e., where you
had to boot from backup media to run the backup under that OS so the OS
in the partition you were backing up wasn't running). VSS has been
available since Windows XP which was released in 2001, so it has been
around for 15 years. He can do the backups. If he starts a restore,
well, that depends on the backup program and edition (free, Pro, etc).
Some will restore the OS while you are using it but require a reboot
after the restore completes to finish off the last file overwrites.

For the backup job, he can start that in TeamViewer (for a manual run)
or just use Task Scheduler or the backup program's scheduler (some still
demand using their own) to schedule them to run when the computer is
expected to be idle. For a restore, either it will reboot to run it as
the startup OS or using boot media so he is out of the picture or the
backup product allows in-place restores but will still disconnect him
when the subsequent reboot is required.
  #12  
Old February 14th 16, 10:28 AM posted to alt.windows7.general
Paul
Posts: 18,275

Char Jackson wrote:
> On Sat, 13 Feb 2016 21:10:42 -0500, Paul wrote:
>
>> I would call that article an "illustration", rather than
>> a practical solution. But consider that your public library
>> uses similar software, to keep the library machines in good
>> shape. Every time a patron reboots a public library machine
>> (as part of the logon procedure), they're getting a
>> fresh copy of C: , with the malware from the previous
>> patron removed.
>
> A library computer that can be rebooted by a patron? I've seen quite a few
> library PCs, but never one that could be rebooted, at least in any normal
> way. I suppose a patron could yank the power cord.


All I can tell you, is there is a long delay from the
logout (end of session) until a login prompt appears
again. The delay seemed too long to be logout,
and it was long enough to reboot.

http://mediawiki.middlebury.edu/wiki/LIS/SteadyState

And the setup is engineered to not give away details,
as there were no hints while I was using it, as
to what commercial product was involved.

I wasn't there to haxor the machine, merely use it.
This was at a time when I hadn't wasted the money
on an inkjet printer. (Prints at the library are
five cents a sheet or so.) I own an inkjet now, but
with the amount I use it, I can never be sure the
cartridges won't be dried up. I go to the library
so seldom, I end up getting a new library card
every time.

Paul
  #13  
Old February 14th 16, 11:31 AM posted to alt.windows7.general
Stan Brown
Posts: 2,904

On Sat, 13 Feb 2016 14:47:58 -0600, VanguardLH wrote:
> Use disk virtualizing software where all changes to the virtual disk are
> wiped on a reboot.


She might be a little annoyed to find photos, emails, and the like
vanishing.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
  #14  
Old February 14th 16, 12:05 PM posted to alt.windows7.general
J. P. Gilliver (John)
Posts: 5,291

In message , Stan Brown
writes:
> On Sat, 13 Feb 2016 14:47:58 -0600, VanguardLH wrote:
>> Use disk virtualizing software where all changes to the virtual disk are
>> wiped on a reboot.

(Does it have to be virtualising? Is that what machines in public
libraries, internet cafes, etc., do?)

> She might be a little annoyed to find photos, emails, and the like
> vanishing.

One would _hope_ it could be set up so that software (including email)
_resided_ on (say) C: which got the resets, but saved files to D:
(including indexing etc. files for the email).
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

A perfectionist takes infinite pains and often gives them to others
  #15  
Old February 14th 16, 12:32 PM posted to alt.windows7.general
Paul
Posts: 18,275

Stan Brown wrote:
> On Sat, 13 Feb 2016 14:47:58 -0600, VanguardLH wrote:
>> Use disk virtualizing software where all changes to the virtual disk are
>> wiped on a reboot.
>
> She might be a little annoyed to find photos, emails, and the like
> vanishing.


You'd keep the user folders on a second disk, the OS
portion on the virtualized one.

Just as, in a similar sense, a Linux on a USB key
keeps a read-only portion for the OS, and
any "diffs" are contained in a persistent store.

To make a "totally locked down" environment useful,
you have to give the user some sort of persistent
storage. While a paranoid person might be happy
to lose everything at the end of a compute/surf
session, most normal people would be quite upset
if not able to keep anything.

I at least need my bookmarks :-)

Paul
 



