Domain: faronics.com
Stories and comments across the archive that link to faronics.com.
Comments · 96
-
deep freeze
http://www.faronics.com/ has a program called deep freeze, it's not free, but after implementing it in several of our public labs it cut down just about all the troubles. Just reboot and the thing is exactly how it was when you froze it.
Please note I'm not associated with faronics or deep freeze in any way, just found the program useful and thought it might help you out. -
Deep Freeze
It could well be all you need.
http://www.faronics.com/html/deepfreeze.asp -
Re:IE isn't enough
Others have pointed me towards Faronics Deep Freeze, but it's not cheap, and not aimed at keeping your dad's machine clean. It's more of an enterprise level thing.
-
Re:replacement?
I happen to think what the submitter wants is a Windows PC (if he's familiar with Windows, that is) with Deep Freeze. This way, the submitter could set the PC up the "way it should be" for pop, pop can play around on 'teh intartubes', and upon reboot, the machine is back "to normal", no matter what pop does to it.
You can even set up what DF calls a "thawed space", where pop could store the .PDFs he needs access to, any documents he creates, etc.
When the PC needs updates, son can come over, thaw the machine, update the software, and freeze the PC again.
We use it in my place of work for several laptops that get checked out to students. They complain about losing documents they create, but if they'd read the freakin' desktop background (which warns them to use a USB key, a CD-R, or the thawed space), they wouldn't have that problem.
I don't know how much this software would cost for an individual (heck, I don't even know how much my employer paid for it), but it would do what he is wanting. There should even be a demo available at the linked page so the submitter (or anyone else, for that matter) can test it out before they buy. -
Deepfreeze
I'm surprised that no-one has mentioned Deep Freeze yet. This seems to be almost exactly what you're looking for. Images are pushed out to clients, and the computer starts from the fresh image each time the user reboots. Deep Freeze
-
Deepfreeze.
I can't speak about that computer configuration, but I can speak for where I work at, and that's an internet café which gets 100, 150 different persons a day, doing all kinds of stuff.
We don't use any kind of restrictive software (like CyberCafé Pro, or similar), or anything else that blocks or stops the user from doing something. It's in our policy or similar. Apart from the normal apps (Office, MSN Messenger, etc...) there's only one other program that's installed and most people don't even notice it.
It's called Deepfreeze, and according to their http://www.faronics.com/html/deepfreeze.asp#Standard:
"Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte. Expensive computer assets are kept running at 100% capacity and technical support time is reduced or eliminated completely. The result is consistent trouble-free computing on a truly protected and parallel network, completely free of harmful viruses and unwanted programs."
It'll set you back around 30USD, that's for sure. But from our experience here at the cybercafé, it saves us from reformatting it each month. Just a reboot and voilà, just as it was 3 or 5 months ago. Just set up a "ThawSpace" drive, with sufficient space for her saved documents, mp3, whatever and instruct your family to save their stuff there. It'll be there in the next reboot, and forever (until they decide to delete it of course). Windows configuration, virii, trojans, (insert malicious piece of code here) will have a REALLY bad time from there on.
I've been using it for almost 10 months now... and I haven't reformatted a computer since (apart from hardware failures.) Need to change something? Just push the magic key combo (CTRL+ALT+F6 default) and input the password, set it to off on the next reboot and change what you need. After you finish just reboot it once more and the changes you did will be kept.. forever. -
Re:And they are both wrong.
This is why we have Deep Freeze.
-
A little bit of everything
First off, I'd like to actually THANK everyone who replied. All of the information was very helpful. I'll be looking into WSUS to fulfill my needs. We currently have an in house server running good ol' Windows NT (no internet connection to it, so we're not worried about security exploits or anything). I thought about using that computer to try WSUS, but then I remembered an unused Windows 2000 Server license we have laying around since pulling a machine out of the loop! And with some money in the budget, I can put together a new machine that will serve this job perfect. 2nd, a reason I couldn't just do scheduled or 'automatic updates' with these computers is because I use a program called "Deep Freeze" from Faronics (see: http://faronics.com/index.asp). It basically keeps the computers in a specific state until you tell the software to "thaw" and then reboot. Then, you have to "freeze" the partition and reboot again once changes are finished. Automating some tasks can be a pain - but the benefits of this software in our work environment far outweigh any annoyances. Autopatcher sounds like it'll be nice for home use... sort of a single download and deploy method, rather than having to wait for Windows Update to do its long winded tasks. Thanks for the info, everyone, it's been great, and I'm sure you've all given ideas to many others in my same situation! Garrett C. a.k.a. NuAngel of WinBreak.
-
Re:DeepFreeze or VMware Player?
The website for anyone who is interested: http://www.faronics.com/index.asp
I haven't used it since version 4, but the overhead for DeepFreeze was not at all noticeable. I know there was some small amount of overhead since there were at least two processes associated with the program, however a human couldn't tell any difference between a machine with DeepFreeze versus a machine without it. And these weren't souped up machines...they ran Windows 2000 with an 800MHz Athlon and 256MB of RAM. There's no way they could have run Win2K on VMWare running on X running on a stripped down version of Linux at anywhere near the same speed as native Win2K with DeepFreeze. It's pure speculation since I'm not around them anymore, but I'd guess 50% overhead but someone is welcome to contradict me. In addition, back in the day VMWare licenses would have been cost prohibitive but that's obviously changing. And with cheap memory and fancy dual and quad core processors, the system overhead cost of using VMWare on top of Linux would be a much smaller portion of the system's resources. -
Being admin works at schools
When I was in school, I worked as 'student support'.
We used to have a program named DeepFreeze installed. We would give students admin rights (because a few computers still ran Windows 98), and it worked great. Each time the computer was booted, it would mirror back to the original setup. If a teacher needed a certain program for his/her class, we would just turn off deep freeze, install it on the computer, and run Ghost to get it mirrored. Faster than installing the cd on each computer.
The biggest problem we ever faced was a student that found a pc in the library, which was turned on 24x7. He installed Kazaa and started downloading via the 100 mbit connection. :-) He even stored it on a network share, and unfortunately accessed that particular account logged on as himself. He had a nice little talk with the principal while we booted the computer. -
Deep Freeze
Deep Freeze and its competitor products are looking better and better.
If only there were an open source version!
-
What about DeepFreeze?
Why don't more organizations use a lock-down tool such as DeepFreeze (http://www.faronics.com/)? With DeepFreeze on a machine, you simply reboot and the malware is gone. There is the capability in DeepFreeze to allow "thawed space" so if you need to keep anything around between reboots you can put it there (or use a network drive). Windows allows you to remap directories, so "My Documents" and other necessary folders can be mapped to the thaw space. When you are dealing with large institutions (education, government, etc...), the time saved cleaning or rebuilding machines will more than offset the licensing costs. You can even automate the process to have a machine thaw itself, install updates, and refreeze itself overnight. Machines can also be rebooted (or thawed) remotely. It's a very useful program to have.
-
Re:Vmware?
I've used Deep Freeze a few times when I've needed to set up a Windows machine for public use or in a lab. Users can do whatever they want on the computer including installing programs, make registry changes whatever and it's all gone, back to normal on reboot. Deep Freeze is a commercial app, but it's pretty reasonably priced and works great.
-
Deep Freeze
Might I suggest this instead
-
Deep Freeze + Network Drive
If I am understanding the original poster, they have users that move around a lot. They want it so everything comes up as company set default every time so there is no confusion.
Well you could always try what we do. Set up the computers as company specs, set everything as you need/want them. Put in a mapped drive for storage. Then install Deep Freeze http://www.faronics.com/index.asp/.
This will ensure after every reboot the computer is back to the way it was. The network mapped drive is used for all their document storage/whatever storage. It took a bit to educate our employees to not save anything to the desktop, as after the next reboot it's gone.
Hope this helps. -
Why reimage?
We use Ghost 8 where I work for rolling out new machines. It's a lifesaver when we replace a lab (I work in Higher Ed). However once the machines are in the lab, we "freeze" them with Deep Freeze. Unless the hard drive fails we never have to reimage them again. I don't know how the pricing for Deep Freeze will compare to the pricing for Ghost, but if you don't have to reimage them, don't. The URL for Deep Freeze is http://www.faronics.com/index.asp
-
Re:ReadOnly OS
http://www.faronics.com/html/deepfreeze.asp
A good product for public places like schools/libraries...etc
If you actually wanted to use such a product I guess it is possible (although probably annoying) to use it on a personal computer (ideally for kids).
When I tested this out for a client (public library) I browsed around and obtained several viruses/spyware variants, rebooted and all was fine
:) -
Deepfreeze
Great program, reboot your PC, and all changes are reset. It is so much fun to load Kazaa onto a computer, reboot it, and it is all gone.. Of course, you have to get them trained to save absolutely everything to a Pen drive..
Actually, I think there is a configuration to allow it to make changes to a certain folder, ie, c:\data that will not be wiped on reboot. Lots of fun for viruses too.. Had a lab machine infected with something, (never did look), rebooted the pc, and the virus went away...
-
My 2 cents
The laptops are going to be the biggest hassle, as people tend to take them home and who knows what crap they do there. Set up a NATD gateway with DansGuardian, ClamAV, Squid, and whatever other proxies for your systems to direct their traffic out. The NAT will protect them from worms and viruses randomly scanning for IP addresses and the other programs will filter for viruses if they check Hotmail, POP, or whatever else they might use. You can set up SMB-scanning with ClamAV to randomly check the computers on your network for viruses. If you have the option, I'd recommend Deep Freeze for your Windows XP computers. If more information is desired about anything I've said, please leave a message and I'll dig up information on how to configure said programs.
-
Advice from a K12 Tech Coordinator
- Start making things more reliable on the backend. For starters, put IPCop in as a firewall, place all the machines behind it. On the backend you can use the best tool for the job, and no one knows you're running Linux/FreeBSD/OS X.
- Once that is working well, move e-mail to something web based like SquirrelMail. SquirrelMail acts like an IMAP client, so all you have to do is turn on imap on exchange and you can start using SquirrelMail with it. This helps immensely with setting people up with e-mail, and users can still use any client they would like if they prefer.
- Set up the mail server to drop anything with an executable extension and .zip extension.
- Set up an online trouble ticket system. Do not fix anything unless it is put in the system. This helps in several ways, you automatically have a written record of everything you've done, and you can more easily prioritize what needs to be done. It also stops people from stopping you in the hall to fix "just this one quick thing". When they say they couldn't put it in the help desk because their computer wasn't working, show them that there is always another classroom/computer that is closer than the phone.
- Lock the computers down. Do not allow anyone to install anything. Show them the SPA website and how the district is liable for $150,000 for each infringement of illegally installed software. This should help you convince the superintendent and BOE of the policy.
- Set up file server and accounts for every person. Allow any person to use any computer and have their documents and settings follow them.
- Learn Ghost or your favorite imaging software and Windows RIS. Tie this in with the step above, if you can't fix the problem in 15 minutes, re-image the machine. DeepFreeze might be another product to look into.
- You must have a filtering solution put in place to be compliant with e-rate and COPA. We use SquidGuard, but there is also Dan's Guardian, which can be plugged into IPCop. Block all Active X controls with filtering. Once people get tired of IE not working, they might be more acceptable to Firefox.
- The easiest way to get them to use Firefox is to install it on the machine, remove Internet Explorer. Put the Firefox shortcut on the desktop, but replace the icon with the one from Internet Explorer and rename the shortcut Internet Explorer. This also works to migrate people to OpenOffice.org.
:-)
The fastest way to gain the respect of others is to start writing grants. Once you are bringing in new equipment and monies from grants, people will start to trust you.
No matter how stable and secure the network and computers are, staff will still believe they are unstable. It's just something you have to shrug off.
-
Re:Netcraft Confirms It.
BMO - two words, DEEP FREEZE. This is what I use to protect the school and public library computers from the users. It works great, just reboot for a clean machine.
-
Re:a pound of prevention, vs. a ton of maintenance
I'm in a similar situation to yours, maintaining ~200 lab PCs for the ITE program at a Community College. Like you, I put a lot more work into creating a clean, stable image on the front end. But one piece of software has made my maintenance/ virus/ spyware/ user error worries disappear:
Faronics Deep Freeze
Deep Freeze works by "freezing" a workstation after you've imaged it (with remote console functions in the Enterprise version). All changes after that point are journaled (?) and the journal is flushed on reboot.
If something is wrong (in software)...reboot! Problem is gone :o)
Of course...your images had better well be perfect before you deploy, because this does make small after-the-fact changes a bit more difficult. -
Re:Idiots.
I did that very thing. And you know what? I agree. These students were, frankly, idiots. On the other hand, that password should have been changed at the first sign of a problem. In addition, only one password protecting all the admin privileges is equally idiotic as those that exploited it. At our school, what we do is install a Deep Freeze, ( http://www.faronics.com/index.asp ), which restores the hard drive to a set image at every reboot. Only four people have access privileges high enough to edit that, and none of them are students.
-
Re:An alternative way...
Nice, but not exactly practical or well-supported.
There's a product called DeepFreeze commonly used in academic computer labs that effectively has the same effect. Any changes written to disk are lost at the next reboot. You don't have the RAM limitations of a LiveCD, and you're immune to any virus or spyware under the sun.
As far as I know, it's a very secure piece of software. The company used to have a challenge that they'd pay $500 to anyone who could disable the software without the password or booting off of a floppy and reformatting the hard drive.
As you can imagine, it's a godsend for K-8 computer labs. Students can experiment and install whatever the heck they want, and if they screw something up, just shut down and reboot. -
Re:I'd buy it
Too hard to set up. Doesn't work with our hardware. Doesn't work with our software. Too difficult to configure correctly. Too difficult to secure.
Your complaints about configuration are largely subjective and I won't bother arguing those points, regardless of whether they're closer to "right" or "wrong". And honestly, I can understand that Linux isn't perfect for everything, and I realize that there is some very weird hardware that probably won't ever be supported under Linux and such problems really outweigh the benefits... But "Too difficult to secure." leads me to believe that you're either assuming nobody will read this post because it's several replies down, that you haven't considered Linux at all, or both.
Whether it's security from local users or security from remote attacks (even though your cash registers shouldn't be exposed to the internet directly...), I find it difficult to believe that Windows is easier to secure. Through the years, I have used a number of Windows computers that have been "protected" in a myriad of ways from malicious users, but I have yet to find a system that isn't trivially easy to circumvent, top honours going to Deep Freeze which doesn't do anything in and of itself to prevent you from messing with the computer, but simply restores the entire drive image upon every reboot, with the obvious effect of having a fresh system every time.
Being a security minded individual and running Linux on all of my computers, I would make the guess that setting up a secure cash register that uses Linux would be exponentially easier than the same task under Windows. To just have a barebones install of Linux that simply fires up an empty X11 session with no WM/DE and immediately runs the cash register app you're using is trivially easy, run that session with a nobody user that has write access to nothing and use the database of your choice to control data access, throw on a firewall for paranoia, note that you're running exactly 0 services, hardware concerns aside (boot from a floppy, etc, none of which have anything to do with the OS), and you're all set. With Windows, you're stuck with the majority of it whether you like it or not (IE in particular, but there are many other offenders in this respect), unless you'd like to spend several days attempting to clean things up, and perhaps getting mediocre results (I thought this was about ease in the first place?) I don't see how Windows even comes close to Linux in terms of security.
-
Re:Unpossible to Clean SpyWare?
One word for you Deep Freeze
This program is simply amazing. It will "lock" your partition but let things save settings or users "think they broke" the drive. Using Deep Freeze you can delete the entire HDD and windows actually thinks you did then simply reboot and it's fixed. So what you do is simply install all the shit you need to then boom. When you're using it ... all the spyware / garbage that goes on the computer gets wiped out with a click of the reboot button.
No clue how this works tho ... I'm sure someone here has some insight on it ? -
Re:This isn't really a problem
Deep Freeze is much simpler.
-
Re:It's not me I'm worried about...
I suppose you could install Deep Freeze and have it reboot nightly. A really big "Thaw Space" and their windows install is (relatively) secure, as it won't be able to keep viruses/bugs, and will reset nightly/rebootly.
It's akin to having a small windows partition and a large data partition, except the windows partition resets itself every reboot. -
Have you looked at all the alternatives?
Maybe something like Deep Freeze would solve your problem.
Each restart eradicates all changes and resets the computer to its original state, right down to the last byte.
There'd still be risks during a session of course. Then again, most of the truly evil stuff I see doesn't turn up until after the system has been rebooted and all the user-installed trash in registry gets launched. -
Re:I don't get it.
hoggoth said:
Stop fighting your customers. Let them do whatever they want, and have a nightly process replace the hard drive with a ghost image of a fresh install. New computer every day.
Here Here!!
Deepfreeze is your friend. I haven't personally used it but have seen it at work. You probably could achieve the same thing with half a dozen other methods (ghost, for instance) but Deepfreeze has been highly recommended to me -
Re:Funny, I got my account disabled for using Fire
I'm going to school at Baker College and at my campus, they've got Deep Freeze on all the computers. You are logged on as admin* and can install whatever you want, but when the computer is restarted it goes back to its original condition. It installs a filter driver that keeps track of all writes to the main disk, logs them and prepares to undo them upon restart. All your documents/files you want to keep are put on removable media (they'll get undone upon restart otherwise). Authorized admins can disable this temporarily to make permanent changes. Turn on a computer and it is in pristine condition; no crap, regardless of what the previous user did. This might not be so good for home use, but for the pre-installed standard lab environment needed for the computers, it works beautifully.
I would definitely recommend Deep Freeze for any place with requirements like this. Put all the user profiles and documents on a central server, cluster or removable media and make permanent local changes impossible.
Viruses on the document storage area should be the only malware left; if you put it on a server, it can be scanned easily.
* It's not quite full admin, as you can't install new services or drivers; they might mess with Deep Freeze. -
Re:When Will AntiVirus remove it?
You might be interested in a Windows program that allows the same "daily fresh start" that having your permanent OS be a live-cd gives: DeepFreeze. Nice little software, starts intercepting writes to the drive at NTLDR, I believe. You can allow a password-less administrator account if you want; as long as no one gets the program password, the system will come back up in a digital Groundhog's Day of cleanliness. Protects all the way down to a low-level format while the OS is running. (Note: I don't work for these people, but I've seen this in use, and it's quite nice.)
-
Re:When Will AntiVirus remove it?
A good alternative to re-ghosting every week would be Deep Freeze. Once it is installed, a simple reboot erases any changes the users have made to the system... including installing spyware, moving icons, or deleting files.
-
Re:Security Diversion
You could set up a system like Deep Freeze and then restart the computer when someone logs off...simple
-
you mean...
besides freezing them?
-
Re:Software Firewall
DeepFreeze by Faronics Software
-
deep freeze
This goes beyond what you're asking for, but certainly will do the trick. Every time the computer is rebooted, it's set to a known configuration with everything that was done previously erased. This option is more powerful than stopping installation of ChatZilla as it prevents installation of any non-approved software after a reboot. Note that I have never used it personally, just have read a lot of good reviews about it.
Deep Freeze home page -
Re:Treat naive users like threats
ugh Faronics main page
That's what I get for not hitting preview. -
Treat naive users like threats
You needn't treat them like a threat to their face, that is just rude. Most people are "too busy" or don't care enough to learn about computer security. So nod and just listen to *their* problems and lock down their system against the big threat.
We had to deal with this more often than not ... so we set out to prevent user folly. In so doing we created the IT tech's dream.
First off you start at the network layer, and make sure via firewalls that people can't get anywhere or use any application that will cause you grief.(p2p/streaming etc.) Then you transparently proxy all your traffic so that the guy who checks out classic-cars.com all day for backgrounds can do his thing and not screw everyone else.
Then you take every user system and you lock them down. You start out by moving all their dynamic data (that you wanna keep) to a file server. Mapping the winblows appdata/my documents gives you a wannabe roaming profile without all the garbage.
After you make all that effort you either implement a mandatory PXE re-imaging overnight (too much of a headache for us) or you use something like Deep Freeze and lock down the system entirely. Due to Deep Freeze even the most zealous surfer can only horribly damage their system once a day.
Now you have an ideal environment. All changes on a system that need a reboot *must* involve a contact to the IT department, and those you think are savvy enough not to need a frozen system can do 90% of their own support.
Ok sure so your level of responsibility goes up. The pristine environment means you have plenty of opportunity to script away your work. Not to mention silly things like virus outbreaks are really limited because a frozen system need only reboot to remove the virus.
Think *pro-active.* -
Re:not terribly surprising...
That sounds a lot like deep freeze, which the school I go to uses. I believe that because of the way it works, if someone boots off a floppy or a CD they can make permanent changes to the hard drive, but I've never actually tested that.
-
My Favourite Pony
An invaluable tool for PCs that are "public access" or even boot-partitions of computers at work:
DeepFreeze
Just one reboot, and any malware infection is obliterated. (There are alternatives, too, but I like DeepFreeze the best) -
Re:one word DEEPFREEZE, google it.
Absolutely. Faronics' Deep Freeze is the way to go. You can give patrons complete access as an admin on the box to do whatever they want. Download, install, infect with trojans or virii - it doesn't matter. To revert, just press the reset button and all is well. Very convenient.
-
DeepFreeze
there is a program called deepfreeze, you install it onto a drive and from that point on any changes made to the drive will be lost on reset. give the user full admin rights, it will be fine, you can just restart and all is well again. "Incorporating patent-pending, proven technology, Deep Freeze is the benchmark for bulletproof workstation protection. Deep Freeze is simple, easy to use and installs in seconds as configuration only requires a password. All computers are completely restored to their original software configuration by simply restarting the computer. Deep Freeze instantly protects and preserves original workstation configurations. Deep Freeze is 100% successful at restoring the computer on every restart down to the last bit or byte. Deep Freeze completely eliminates software support issues." I've used it, I like it.
-
Windows Version: Deep Freeze
I run 11 computer labs of various sizes at recreation centers in Oakland. As we have no money, however, all of the computers in our labs are refurbished Windows 98 boxes. We use Deep Freeze to protect our computers from the students; it functions in a very similar manner to DriveShield, and it has cut the maintenance time for our machines by 90%.
We also use Linux boxes running DansGuardian as content-filtering routers. I cannot emphasize enough what a great boon this is to anyone trying to administer Internet-ready computer labs for kids.
-
Re:I suspect the viruses aren't the worst
Even better, just ghost the install over the network every night; reformat & reinstall automatically.
Here is a product that does something similar: Deep Freeze
You can do mostly anything* on the computer, but upon restart, the contents of the hard disk are restored exactly to the same state as when the system was frozen.
It also provides provisions for exceptions so you can still make official changes. My college uses it, and all of the computers are in a consistent, crapware free state when you turn them on. It's a nice feeling.
*Normal users run as an administrator, but cannot debug other processes, install drivers or services. -
Deepfreeze
The single best program you can have on public/shared computers is Deepfreeze. We use it everywhere on campus...delete system files, install virus/software, change winders settings, move icons 10 pixels left...reboot. It all goes back to the way it was...everything.