If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Rate Thread | Display Modes |
#1
|
|||
|
|||
Protecting a computer that is 2000 miles away
Hey all.. A question for the techies here, I currently attempt to take
care of my 85 yr old mother's computer from across the country using teamviewer. She is getting kind of forgetful about NOT installing everything with certain updates. example would be getting open office with java and such. It seems I log into her computer every few days and chrome or driver detective, bogus antivirus software or a new brozer of some kind has been installed on this computer. she swears she is not doing it. Is there a way to lock it down so unless she has some kind of password or something then nothing can be installed? I simply cannot come home from work every other night and spend half the night getting rid of all the crap on her system only to find it there again 2 days later. I am not totally dumb about these things but I cannot think of a simple way right now to prevent this from happening. She is the administrator on that box and I might need it to stay that way in order to do what I do with teamviewer.. Her computer is a Dell win7 home Avast premier malwarebytes free super antispyware free Also win update constantly changes its own settings and keeps trying to install win 10. She firmly believes she will not outlive win 7 so does not want win 10. |
Ads |
#2
|
|||
|
|||
Protecting a computer that is 2000 miles away
Drew wrote:
She is the administrator on that box and I might need it to stay that way in order to do what I do with teamviewer.. She should not be 'operating' as administrator; she should be a standard user. That way she can't OK changes requiring admin. You can operate as admin when you are TV. You can get rid of the Win7 updates toward Win10. If there is already some kind of infestation, you need to clean it up. You can get some experienced and vetted help by going to one of the established sites such as Bleeping using her computer. Since there is a lot of rebooting with the cleanup, you should configure TV so that you have access to it before login. -- Mike Easter |
#3
|
|||
|
|||
Protecting a computer that is 2000 miles away
Per Drew:
. It seems I log into her computer every few days and chrome or driver detective, bogus antivirus software or a new brozer of some kind has been installed on this computer. she swears she is not doing it. Is there a way to lock it down so unless she has some kind of password or something then nothing can be installed? I think she is probably right in that she is not doing anything explicit.... but plenty of web pages slip stuff in on you under the table. Ditto installing common freebie products - you have to look hard for the pre-checked "Install all this marketingware garbage" checkbox and un-check it. The good-right-and-holy path security-wise seems to be to have a separate "Admin" ID that is authorized to install/remove applications and day-to-day "User" ID that is not authorized to do that. I suspect your mother is logging on with an Admin ID - even though she might have it set so there is no PW prompt. The cure would be to set up a separate "User" ID - also with no PW prompt if appropriate, set a PW for Admin, and figure out how to have the PC default to using the "User" ID.... or train her to only log on with the "User" one. Maybe Greater Minds Than Mine can chime in on this. -- Pete Cresswell |
#4
|
|||
|
|||
Protecting a computer that is 2000 miles away
Per Drew:
Also win update constantly changes its own settings and keeps trying to install win 10. She firmly believes she will not outlive win 7 so does not want win 10. I disabled two services several months ago: - Windows Update - Background Intelligent Transfer Have not had a problem with spontaneous Windows Updates since - and I was having periodic episodes of them before, in spite of settings to the contrary. OTOH, it's on me to go out and manually get whatever security updates should be applied.... -- Pete Cresswell |
#5
|
|||
|
|||
Protecting a computer that is 2000 miles away
"Drew" wrote in message
... Hey all.. A question for the techies here, I currently attempt to take care of my 85 yr old mother's computer from across the country using teamviewer. She is getting kind of forgetful about NOT installing everything with certain updates. example would be getting open office with java and such. It seems I log into her computer every few days and chrome or driver detective, bogus antivirus software or a new brozer of some kind has been installed on this computer. she swears she is not doing it. Is there a way to lock it down . . . ? Malwarebytes can be configured to prevent installing new software and otherwise automatically detect and act against malware or suspicious files. This configuration makes the PC run slowly for the first 5-10 minutes after startup, but this ends soon as has no other effect. She is the administrator on that box and I might need it to stay that way in order to do what I do with teamviewer.. This is worth verifying. No naive user should be enabled as administrator. -- Don Phillipson Carlsbad Springs (Ottawa, Canada) |
#6
|
|||
|
|||
Protecting a computer that is 2000 miles away
On Sat, 13 Feb 2016 09:21:47 -0800, Drew wrote:
Is there a way to lock it down so unless she has some kind of password or something then nothing can be installed? Yes, of course. It's called User Access Control. Right now she must be running with full admin rights. Change her to a regular user, which lacks the ability to install things. Caveats: Some things may stop working because of a permissions mismatch. Make sure you keep a true admin account on her machine for yourself. -- Stan Brown, Oak Road Systems, Tompkins County, New York, USA http://BrownMath.com/ http://OakRoadSystems.com/ Shikata ga nai... |
#7
|
|||
|
|||
Protecting a computer that is 2000 miles away
Drew wrote on 2016/02/13:
Hey all.. A question for the techies here, I currently attempt to take care of my 85 yr old mother's computer from across the country using teamviewer. She is getting kind of forgetful about NOT installing everything with certain updates. example would be getting open office with java and such. It seems I log into her computer every few days and chrome or driver detective, bogus antivirus software or a new brozer of some kind has been installed on this computer. she swears she is not doing it. Is there a way to lock it down so unless she has some kind of password or something then nothing can be installed? I simply cannot come home from work every other night and spend half the night getting rid of all the crap on her system only to find it there again 2 days later. I am not totally dumb about these things but I cannot think of a simple way right now to prevent this from happening. She is the administrator on that box and I might need it to stay that way in order to do what I do with teamviewer.. Her computer is a Dell win7 home Avast premier malwarebytes free super antispyware free Also win update constantly changes its own settings and keeps trying to install win 10. She firmly believes she will not outlive win 7 so does not want win 10. Use disk virtualizing software where all changes to the virtual disk are wiped on a reboot. Then no matter what she changes, a reboot gets back to a known good state. All other hardware is real (not virtualized) and the virtual disk is almost as fast as the real hardware (very little overhead for the stacked file I/O driver). If you want, you could even schedule a reboot to happen at night while she is sleeping but that means, of course, that the computer is left powered on 24x7. Since a reboot wipes everything on the OS partition back to a stored known good state, all data files have to be moved to another drive (i.e., another partition on the same or different disk). Some will let you whitelist some folder paths on the protected disk but is a potential infection vector. Some such products a Microsoft SteadyState (discontinued but still works) Try & Decide (part of Acronis TrueImage bundle) (*) Returnil QuietZone (*) Faronics DeepFreeze Toolwiz Time Freeze Shadow Defender Rollback Rx (*) I've used these although for Returnil it was their prior Virtual System Safe which had a free version (but they don't have a free version anymore). You already have Avast so check if its Try & Decide feature has an option to activate it on bootup so it is always active. You can't rely on granny knowing when she will will be committing some action that threatens the stability, security, or privacy of her computer. This means of snapshotting the computer for immediate restoration does NOT obviate the need to perform regularly scheduled backups (again, do not rely on the user to do periodic backups), plus these tools do not guard against hardware failure. Most, maybe all of these, have an option to be active on boot. That way, they are always active (rather than relying on the user to decide when to protect themself before committing any dubious action). I've seen schools use these where the VD software always loads on bootup, the kids use the computers during the day, and the computer are scheduled to reboot at night so the computers are in a known state the next class day. They either put their data files on removable media to take with them and bring back to school or they save their data files on a drive that is for some other partition. Remember that ALL changes to the virtual disk are discarded on a reboot including, for example, a config change in an e-mail client to check spelling before send (so after the next reboot that option will not be set anymore). You get the OS partition configured and tweaked how you want and that is what gets restored on a reboot. Most just have one state to which they will restore. Some offer multiple snapshots to which you can restore. Under no circumstances (unless you intend to be vicious) use Comodo's Time Machine. It is flaky and kills many setups, so unless you do backups then you lose everything on the protected partition. If you don't like this scheme of virtualizing all disk changes to discard them upon reboot (the paywares offer an option to reboot and save changes) then start scheduling image backups on her computer. save the backups in a partition on a different disk (so if her OS partition on the primary disk gets corrupted or the disk fails, the backups are still available). To preserve disk space, you could schedule incremental backups but don't make its chain too long. Incrementals are based off a full backup and thereafter on each incremental, so losing one incremental backup file means losing all incrementals thereafter. Schedule a weekly full backup followed by daily incrementals. If you don't have room for all those backups for, say, a 2-month retention, then do a monthly full backup with weekly differentials. That would result in losing a week's changes but better then losing it all. Not many personal backup programs will do a grandfather-father-son backup scheme: monthly full, weekly differentials based off the full, and daily incrementals based off the differentials. Most just give you full+diff or full+incr schemes. Be sure the backup disk is large to accomodate several fulls. There may be times before committing major changes when you want to save a full backup before doing so to have an escape route. Do not rely on System Restore. It is not a backup program. Then when granny screws up her computer, you use the backup program to restore to a prior image of the OS partition. That also means any changes she made are gone: malware, bad configs, unwanted installs, plus any data file changes. If you find malware is stored in the backup for, say, a month then you have to restore to a month-old image to get rid of the malware (if you don't trust disinfection by security software) and that means losing all data for the last month, too. So you might want to have 2 series of backups: one to image the OS partition and another logical file backup that just snags the data files. Then you can restore to a prior partition image for the OS but still have her latest data file(s) from the just-prior data-file backup. While I have used the snapshotting tools (using a virtualized disk to discard all disk changes on a reboot), I have dumped those and just gone with scheduled image backups along with scheduled data backups. They have boot media that can be used if the file system gets so corrupted (e.g., ransomware) that you cannot run the backup program from the backed up OS/app partition. There is the issue that malware can find your backup files and corrupt or encrypt them to be unusable to you. You already have Acronis which has its Secure Zone. That uses a partition number that is non-standard, is unrecognized by typical disk tools, and the SZ partition (which should be on a different disk) is not assigned a drive letter. Twould be nice if they also offered setting the Windows policy to enable/disable all access to the SZ partition. There is malware that can find physical devices, determining partitioning, and detect what file system is used on them but those are few. To protect against those nasties, you would need to schedule image backups that go to a USB-attached disk. The backups would fail (and so would malware access) while the USB-attached disk was powered off. Once you power on the USB-attached disk (after being sure the computer is not infected) the next scheduled backup would succeed. Or you could just do manually-instigated backups to the USB device: you connect via TeamViewer to inspect her computer to ensure there are no pests, bad behaviors, or unwanted installs, tell granny to power up the USB disk, you start the backup job to the USB disk, tell granny to power it off, and thereafter nothing is going to get at the backups on that USB disk (even you until granny powers it back up on your request). She can leave the USB disk attached all the time, just power it off (which means it needs a power switch which 2.5" laptop disks in an external case may not have since they are USB powered instead of A/C powered - so, for those, unplugg the USB cable but some users are rough on the connectors). So you could use disk virtualizing software to immediately restore the computer to the prior state (before VD was enabled) using snapshotting software (e.g., Acronis Try&Decide, Returnil Quietzone) if you really want to keep granny from installing anything or you could use backups to provide a means of wiping out everything she did to get back to a selected backup image. You already have Acronis there. Why aren't you using it? |
#8
|
|||
|
|||
Protecting a computer that is 2000 miles away
VanguardLH wrote:
Drew wrote: to do what I do with teamviewer.. Her computer is a Dell win7 home Avast premier malwarebytes free super antispyware free I don't see Acronis. Use disk virtualizing software where all changes to the virtual disk are wiped on a reboot. Try & Decide (part of Acronis TrueImage bundle) (*) You already have Avast so check if its Try & Decide feature has an option to activate it on bootup so it is always active. Avast isn't Acronis. If you don't like this scheme of virtualizing all disk changes to discard them upon reboot (the paywares offer an option to reboot and save changes) then start scheduling image backups on her computer. Would he be able to TeamViewer image backups? Probably not as user action would be required before there is Windows. So granny would have to be 'phone coached what to do for that method but not the virtualization method, I think. Then when granny screws up her computer, you use the backup program to restore to a prior image of the OS partition. You already have Acronis which has its Secure Zone. Maybe he should *get* Acronis. -- Mike Easter |
#9
|
|||
|
|||
Protecting a computer that is 2000 miles away
Drew wrote:
Hey all.. A question for the techies here, I currently attempt to take care of my 85 yr old mother's computer from across the country using teamviewer. She is getting kind of forgetful about NOT installing everything with certain updates. example would be getting open office with java and such. It seems I log into her computer every few days and chrome or driver detective, bogus antivirus software or a new brozer of some kind has been installed on this computer. she swears she is not doing it. Is there a way to lock it down so unless she has some kind of password or something then nothing can be installed? I simply cannot come home from work every other night and spend half the night getting rid of all the crap on her system only to find it there again 2 days later. I am not totally dumb about these things but I cannot think of a simple way right now to prevent this from happening. She is the administrator on that box and I might need it to stay that way in order to do what I do with teamviewer.. Her computer is a Dell win7 home Avast premier malwarebytes free super antispyware free Also win update constantly changes its own settings and keeps trying to install win 10. She firmly believes she will not outlive win 7 so does not want win 10. On an older OS, there was Windows SteadyState. Using that as a keyword, I was able to find this article. http://blogs.technet.com/b/panosm/ar...implified.aspx I don't know if "simplified" is the right word for that. It looks like a lot of work, whatever they're doing. And I didn't even know there was a "boot from VHD" capability in Windows 7. I've never done that, have no idea of the details. But at least someone tried to address the need to make a copy of the OS, where when you reboot, it's all restored to the way it was. You might still need to set up a second storage device to hold data files. Perhaps the user profile points to D: for all the downloaded data files. On a reboot, C: will refresh, but a second hard drive would continue to hold the user content. If a malware program was sitting on D: , it might still "inconvenience" the user. Totally locking down things so there was no persistent user storage, wouldn't make the machine all that useful. I would call that article an "illustration", rather than a practical solution. But consider that your public library uses similar software, to keep the library machines in good shape. Every time a patron reboots a public library machine (as part of the logon procedure), they're getting a fresh copy of C: , with the malware from the previous patron removed. So commercial implementations of SteadyState exist, and they're used for public library situations or used by Internet Cafe owners. The SteadyState approach isn't perfect - for machines where script kiddies have physical access to a machine, they may still find ways to tip it over. But if the user is "trusted" to not try stuff like that, the chances are much better of keeping the machine upright. Paul |
#10
|
|||
|
|||
Protecting a computer that is 2000 miles away
On Sat, 13 Feb 2016 21:10:42 -0500, Paul wrote:
I would call that article an "illustration", rather than a practical solution. But consider that your public library uses similar software, to keep the library machines in good shape. Every time a patron reboots a public library machine (as part of the logon procedure), they're getting a fresh copy of C: , with the malware from the previous patron removed. A library computer that can be rebooted by a patron? I've seen quite a few library PCs, but never one that could be rebooted, at least in any normal way. I suppose a patron could yank the power cord. -- Char Jackson |
#11
|
|||
|
|||
Protecting a computer that is 2000 miles away
Mike Easter wrote on 2016/02/13:
Avast isn't Acronis. Yeah, my eyes lied to my brain. Oh well, he didn't say solutions had to be free and Acronis, as mentioned, has its Try&Decide virtualized disk feature (much like how Returnil's System Safe works which was free but they discontinued it and went to QuietZone which is payware). Would he be able to TeamViewer image backups? It has been a long time, every since Microsoft introduced VSS, since doing a partition image backup required a quiescent OS (i.e., where you had to boot from backup media to run the backup under that OS so the OS in the partition you were backing up wasn't running). VSS has been available since Windows XP which was released in 2001, so it has been around for 15 years. He can do the backups. If he starts a restore, well, that depends on the backup program and edition (free, Pro, etc). Some will restore the OS while you are using it but require a reboot after the restore completes to finish off that last file overwrites. For the backup job, he can start that in TeamViewer (for a manual run) or just use Task Scheduler or the backup program's scheduler (some still demand using their own) to schedule them to run when the computer is expected to be idle. For a restore, either it will reboot to run it as the startup OS or using boot media so he is out of the picture or the backup product allows in-place restores but will still disconnect him when the subsequent reboot is required. |
#12
|
|||
|
|||
Protecting a computer that is 2000 miles away
Char Jackson wrote:
On Sat, 13 Feb 2016 21:10:42 -0500, Paul wrote: I would call that article an "illustration", rather than a practical solution. But consider that your public library uses similar software, to keep the library machines in good shape. Every time a patron reboots a public library machine (as part of the logon procedure), they're getting a fresh copy of C: , with the malware from the previous patron removed. A library computer that can be rebooted by a patron? I've seen quite a few library PCs, but never one that could be rebooted, at least in any normal way. I suppose a patron could yank the power cord. All I can tell you, is there is a long delay from the logout (end of session) until a login prompt appears again. The delay seemed too long to be logout, and it was long enough to reboot. http://mediawiki.middlebury.edu/wiki/LIS/SteadyState And the setup is engineered to not give away details, as there were no hints while I was using it, as to what commercial product was involved. I wasn't there to haxor the machine, merely use it. This was at a time when I hadn't wasted the money on an inkjet printer. (Prints at the library are five cents a sheet or so.) I own an inkjet now, but with the amount I use it, I can never be sure the cartridges won't be dried up. I go to the library so seldom, I end up getting a new library card every time. Paul |
#13
|
|||
|
|||
Protecting a computer that is 2000 miles away
On Sat, 13 Feb 2016 14:47:58 -0600, VanguardLH wrote:
Use disk virtualizing software where all changes to the virtual disk are wiped on a reboot. She might be a little annoyed to find photos, emails, and the like vanishing. -- Stan Brown, Oak Road Systems, Tompkins County, New York, USA http://BrownMath.com/ http://OakRoadSystems.com/ Shikata ga nai... |
#14
|
|||
|
|||
Protecting a computer that is 2000 miles away
In message , Stan Brown
writes: On Sat, 13 Feb 2016 14:47:58 -0600, VanguardLH wrote: Use disk virtualizing software where all changes to the virtual disk are wiped on a reboot. (Does it have to be virtualising? Is that what machines in public libraries, internet cafes, etc., do?) She might be a little annoyed to find photos, emails, and the like vanishing. One would _hope_ it could be set up so that software (including email) _resided_ on (say) C: which got the resets, but saved files to D: (including indexing etc. files for the email). -- J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf A perfectionist takes infinite pains and often gives them to others |
#15
|
|||
|
|||
Protecting a computer that is 2000 miles away
Stan Brown wrote:
On Sat, 13 Feb 2016 14:47:58 -0600, VanguardLH wrote: Use disk virtualizing software where all changes to the virtual disk are wiped on a reboot. She might be a little annoyed to find photos, emails, and the like vanishing. You'd keep the user folders on a second disk, the OS portion on the virtualized one. Just as, in a similar sense, a Linux on a USB key keeps a read-only portion for the OS, and any "diffs" are contained in a persistent store. To make a "totally locked down" environment useful, you have to give the user some sort of persistent storage. While a paranoid person might be happy to lose everything at the end of a compute/surf session, most normal people would be quite upset if not able to keep anything. I at least need my bookmarks :-) Paul |
Thread Tools | |
Display Modes | Rate This Thread |
|
|