Administering a PC in a Vacation Rental Home?
mrn121 asks: "Some relatives of mine are preparing their beach house for rental, and they have asked me to assist in setting up some of the on-site technology. One of my ideas was to add a computer with high-speed internet access to the house, but security issues may be overwhelming. I have administered campus computing labs in the past, so I am familiar with locking systems down, but I am curious about what level of security readers might suggest, and how to go about achieving an appropriate balance between security and usability for such an application. On one hand, I don't want renters to clutter the computer with software and useless bookmarks, but on the other hand, I don't want the system to be utterly useless. One major difference between this computer and a lab computer is that I will not have access to the machine for the entire summer, while the house is being rented."
If you make the removable drive have boot priority, you can even make it an automated process, where the vacationers or the rental agent are told they can restore the computer to "fresh state" themselves by sliding the drive in, turning the key, powering up, waiting for it to do the copy, then shutting down, unlocking the drive bay, and putting the drive away again.
Aside from that, set up Windows update to install automatically, use a DSL/cable router box that blocks pretty much everything inbound, and hope for the best.
As to the first 'W'...What OS? As to the second 'w' WHO???? Since it's likely you won't know who the hell you're renting to, security of the type you seek is nearly impossible to determine. If the name on the rental agreement is "Bea, Aunt", you might be a-okay. If the name is "Kevin, Mitnick", you might have some larger issues. Also, you don't mention what, if any, screening process you may want to enact. Even there, screening might not be enough. If the name on the renter's agreement is "Average, Joe", but Joe doesn't list that he was the BOFH of a large University, you are hosed. NT or Linux. If it's NOT some BOFH, but just some dude who knows how to download ebcd from a .ru site or how to throw vmlinuz onto a floppy...hosed again.
Sorry, but you simply don't list enough specifics for any of us to help you with 'w' #1 and 'w' #2. 'w' # 3 matters not in any case. How the heck did this one get by the editors???
Quod scripsi, scripsi.
If you're going to do it with Windows, use XP and let everyone create their own limited account. All the "clutter" goes into their personal storage, not the whole system.
LOAD "SIG",8,1
I'd leave it completely diskless and put a Knoppix CD in.
-- Don't Tase me, bro!
If I were you, I'd go *only* as far as supplying a broadband connection, a cable/DSL router (which should block *most* crap by default) with DHCP enabled, a hub/switch (if necessary) in a closet somewhere. Then, in plain view, ethernet wall jack and a one-page sheet of instructions on how to make it work with *their* computer. Maybe a spare ethernet cable or two.
The way I figger it, if they can afford to rent a beach house, they can probably afford their own laptop if they wanna get some work done. And the most you'll have to do to service it *should* be to tell them to recycle the power on the router or cable modem, and you don't have to worry about the PC.
Ed R.Zahurak
You know, oblivion keeps looking better every day.
Just give them enough permissions to open mozilla and vncviewer and mount and burn a cd. It's a vacation house - what else would they need?
Along with a good Wifi firewall, and rent the place out as "WiFi enabled high speed internet access". That way, you can just give the WAP passwords to the rental agent, and people are responsible for their own machines.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
You should use some sort of Image program, such as Acronis, ghost, etc. You should be able to set it up to image the system upon boot. That way, whatever the renters do, the system will be imaged, and all will be well.
Sig!
If it's a Windows PC, I suggest using Symantec Norton Ghost. They can do whatever they like to the computer, but when it reboots, it goes back to its original condition. It's perfect for applications like these.
Or, you could do as another poster suggested and just make an install image for periodic recovery using Ghost.
Or, you could just figure that any renters who *need* a computer will be able to provide for themselves.
There are 10 kinds of people: ones who understand ternary, ones who don't, and ones who think this joke is about binary
Configure it with a largeish partition for ghost files. Install Windows on the other partition and configure it however much or little security you'd like. Enable the firewall. Install automated spyware & virus protection. Do windows update.
Ghost the machine as it is, properly configured, to the ghost partition. Later, after they've fucked everything up, you can restore from the ghost file.
Isn't that how you ran your labs?
There are no trails. There are no trees out here.
Maybe I'm missing something, but the obvious solution to me is just to create a guest account without admin privileges. Let the renters know when they move in that if they want to install any special programs (if they want to use the computer to play some game, for example) that they have to let you know at the beginning of the summer so you can install it. As long as it's clear in advance what they can and can't use the computer for I don't see a problem. Also, if you aren't going to be around to administer the computer make sure they know that - preferably in writing, since if they come with the expectation of being able to use the computer for work, and something goes wrong, they will be looking for someone to blame.
http://www.macosxlabs.org/presentations/other/Harvard_SIG_Part_2.pdf
You do what for a living?
If you're going to be stuck using a Windows box, use software like SiteKiosk (www.sitekiosk.com), which is designed to lock Windows boxes used in public places.
My preferred method of securing a computer in this situation would be a Boot ROM that quickly restores the system to a pristine state every time it's rebooted. Look at some of the solutions offered by Rembo, such as BpBatch.
Properly set up, the loader in the boot ROM can validate the user-accessible partition against a reference copy on a hidden partition, then synchronize it rapidly in a manner similar to that of rsync. The renter has nearly unrestricted use of the system, but the second they reboot, it's a clean system. If you want to be less anal, you could configure it so the wipe is only performed "on demand", or performed at the request of an off-premises master server, allowing the renter to store files while they are there, and have them wiped when they leave.
By using all of these (including a BIOS scheduled powerup at 5am), you can have control over when you wish to wipe the main partition. You could schedule a weekly image dump, or whenever they called with a problem VNC in (the image dump and reboot shouldn't take more than an hour), and you could give them free rein over the system otherwise, so they could install their own games, or download all the spyware/virii they wish.
-Christopher Wu
http://www.christopherwu.net/
An internet cafe I know achieves this very simply: Every night after they close, they just restore every PC to its original state from a backup on a hidden partition.
Takes them practically zero time or effort -- all they have to do is open the admin program, enter a password, and click 'Okay'. No disks or tapes to insert, and users can do anything they like to the machine during the day. (Well... it might be awkward if they managed to delete the backup program, but I don't think that's happened yet... and anyway, they keep proper backups too, just in case.)
(Spudley Strikes Again!)
From your point of view, putting a computer in a beach house could be a headache anyway, for physical reasons. Everything in a rental property takes a beating. I'd just get a wireless router, hide it in a locked closet, and maybe put a few ethernet jacks where your guests can find them. Let them bring their laptops if they're geeky enough.
You might also make them sign something saying that they're responsible for whatever gets downloaded during the time they're in the house. That way, if you have a guest who downloads something that attracts the wrong sort of attention, maybe they'll get in trouble instead of you.
Am I part of the core demographic for Swedish Fish?
What do you mean you 'won't have access' to it for the summer. Just use one of the remote desktop systems if it's a Windows box or -better yet- if you set it up as a Linux box you can just SSH into it. If the dynamic IP is an issue, register a free dynamic hostname at (for example) dyndns.org and install the IP auto-updater. That way you can just ssh to 'beach-house.dyndns.org'.
As others have suggested, create limited user accounts. Make sure they've got all they need for web surfing, movie watching, music and so on, and lock everything else down, and just leave them a limited-space directory to save stuff into. If you're afraid they may need more software, just create a crap e-mail account for 'support requests' and use the remote desktop/ssh with admin privileges to install new software if you deem it to be ok.
Marxist evolution is just N generations away!
One copy of Deep Freeze will set you back $25. What it does is basically give you 1 gig of "Thawspace" and "Freeze" the rest of the system. When frozen, you reboot the system and everything is restored to the original configuration (last time it was frozen).
You can then basically map your thawspace to My Documents, and give the tenants a place to store their downloads. The only drawback I have seen is significant slowdown on older machines.
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
The question is what will they really be using it for? I don't see anything wrong with providing "just the basics" on a system that's pretty locked down..
For example, you should be able to install Windows XP Pro and create a user account with very limited rights. Give them access to Internet Explorer, Word (or AbiWord), and some other basics. Other than that, keep pretty much everything else locked down.
Also, leverage XP's Remote Desktop so you can connect as Administrator to tweak or fix things.
No, they won't be able to install new stuff, and they will be very limited to what they have at their disposal, but really, this is a vacation house. If they want full functionality, they can bring their own laptop and jack in.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
Don't bother putting a computer up. Get a decent, cheap 802.11g wireless router, and perhaps hook up a couple of jacks for hardwire LAN access.
If somebody wants a computer on their vacation, let them bring their own.
There's so little difference between politics and jihad lately...
One simple method I can think of uses two hard disks;
Boot disk with backup image (read-only)
Basic OS with a few apps (no login)
That way, the cleaning crew or the management company can repair the computer after the renters leave by selecting "Wipe clean and restore computer".
The hard part (for you): Check the pinouts on the IDE cable to the read-only drive. After everything works properly, "nip" the wire that performs the write function. Check online for what to cut.
Alternately, a backup/restore CD could be used, though this is another thing to get lost and damaged.
...a can of worms best left unopened.
Renter starts computer. Renter logs onto Kazaa. Renter shares thousands of files off his/her iPod. RIAA traces back the IP. You get sued/extorted by the RIAA.
Just one of far too many potentially nasty scenarios. A quick mental benefit/risk analysis says, to me at least, it just isn't worth it.
1. Remove the harddrive
2. Put the following BASIC program on a boot floppy
10 PRINT "TURN OFF THE COMPUTER AND GO OUTSIDE YOU LAZY SHIT"
20 GOTO 10
....but how about leaving an ssh server running and remotely add a new user every time it's rented and delete that user when they're done. With a nicely set up /etc/skel it should be pretty seamless.
I have found there are just two ways to go.
It all comes down to livin' fast or dyin' slow. -REK, Jr.
Fill it up like 99% full with pr0n, there won't be room to download anything else, and they probably wouldn't go online then anyway.
1. Ghosting drives and locking down user accounts are okay ideas.
2. Only providing net access is a much, much better idea. People who want a computer at the lake will probably have their own machine, and will just want access.
Provide cable/DSL and wireless or wall jacks, and instructions for configuring a PC/Mac to use the network. Physically lock the network equipment (router/switch/firewall) up.
3. Have the owner include a lease clause about network access rules and responsibilities. You're in essence becoming a small ISP for the renter, and should enact an AUP (in the lease terms).
4. Eat the cost (or cover it with rent) of a business class Internet account. IANAL, but I'm guessing that it would be easier to prove in court that a business account is an internet service provided to renters with full contractual (lease) terms covering civil and criminal liability--and your lack thereof--regarding its use.
From a purely technical perspective, a business account would also ease remote access problems caused by dynamic addresses.
5. Firewall this network. Get a Fortigate 50. It does IDS, AV, stateful firewalling, and even web content-filtering, in hardware at wirespeed, for $300 bucks. I love mine. This, and your lease terms, will prevent the, "I hooked up my computer and picked up 2 virii, 3 bots, other spyware and now it bluescreens every time I try to boot," lawsuits.
6. Screw the net access. Buy a widescreen TV and a home-theater-in-a-box, some cheap DVDs, and, "Presto!" ultra-cool rainy-day entertainment you don't have to worry about. You can get this combo for under $2K too.
Get one of those net appliances with small solid state storage, and the ability to lock down the configuration with a password, then bolt the whole thing to the wall.
Since you won't have access to it for the summer, this is really the only way to guarantee people can't break it. Also, lessen the chance some jerk will give you an impromptu 'downgrade'.
UPS. Depending on where this is, beach houses suffer from enough storms and power outages to make this a necessity.
Sand and water. This is at the beach. Little Jimmy will start pecking away with sandy fingers. A weatherproof keyboard, at the very least. Sealed cabinet for the case, maybe.
Personally, I'd just give them access, and not the actual PC.
Can't use it for much, but hey...at least they can't screw anything up with it.
... and never did they have a computer in them. If I wanted a computer, I brought my laptop.
Anybody really wanting to access the internet on their beach vacation has the equipment to do so anyway. Seriously, laptops are common among business travellers, and all netheads have them or something like them.
If you want to advertise high speed internet access, few people will be expecting there to be an actual computer there. An ethernet jack hooked to a cable modem (out of sight.. like in a closet or wall or other locked area) is good enough. If you want to provide wireless, drop an access point back there hooked to the cable modem as well. Beyond that, I wouldn't put in one single bit of equipment. No computer, no monitor, nothing. Maybe a power protector on the cable modem/access point, but that's it.
Leave an instruction sheet on how to hook up their ethernet or 802.11b wireless (use a 802.11b access point, as the cable modem is slower than 11 mbits and b is cheaper/more compatible) and wash your hands of it. Nobody expects an entire configured system to be there, realistically. If you go to a nice hotel with connectivity, you don't get a computer in the room, you get a place to hook up your computer and that's it. That's expected. Leaving a whole system there just invites people to rewire the thing to hook up *their* system.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
If your cable modem company or other ISP does "lock in", where they give out addresses via DHCP by taking your MAC Address and putting it into their system, then you'll need to add a cable/DSL router into the picture. Get one with the built in 802.11b wireless, like many of the Linksys models. This way, the cable company sees only the router, your guests get their address via DHCP from the router and don't have to call you when it fails to work.
You can easily test if your high speed ISP does lock in. Have them hook it up, and later, once it's working, plug a different computer in to see if it can get an IP via DHCP. If it can't, put a router in there. You can change the MAC on the WAN side of the router to be the one the cable company is expecting. All of the cheap home routers have this feature. That way it gets an IP from the ISP and you give out local IPs like 192.168.1.100 or some such.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
We're forgetting the fact that the computer may make the house a lot more marketable. I would have a main computer with a dummy client in the kitchen. Maybe a smallish LCD screen, a keyboard, and mouse. Make it obvious that this is for checking email, etc. Get remote access to the main computer so you can create accounts for each new renter ("The Johnsons"). Keep backups, maybe in a partition. Casual users can use the small PC for email, news, weather (Important for a beach house!). Power users can bring in their own hardware.
Small potatoes make the steak look bigger.
Have broadband access, make sure it's locked down with a firewall, but open up ports for VNC, and configure it to work with SSH. Then use something like DYNDNS.org and give it a name like mycottage.homeip.net so you always have access to it. Simple.
Cyberbite Networks - Web Hosting, Dedicated Servers & Colocati
Put the hard drive in a removable IDE enclosure. Take it with you. Leave a Knoppix CDROM in the computer. Provide a DSL/Cable router with DHCP. An 802.11[abg] access point would also be a plus.
Ghost the disk between renters.
Get a simple firewall that blocks ports both ways; restrict what can come and go. Use your judgement, try to allow games and anything that might be helpful if some poor worker has a business emergency on vacation, but not much else.
--Matthew
If it's a Windows machine, I'd suggest putting DeepFreeze on it. It basically resets the computer back to its original state whenever you reboot the box. I've used this on many student workstations and it works like a charm. Unfortunately it won't stop some smartypants from booting off a cd and installing Linux or something like that ;-)
Just install Xandros 2.0, give them user access and let them have at it. It is as easy to use as Windows XP and I doubt they can break it.
If a person has unfettered physical access to a machine there is NO security. I would suggest locking down the computer just as you would in a lab, but that alone is not enough. You would need to re-image the machine on a regular basis. It also couldn't hurt to physically lock the case shut.
It would be a lot less trouble to just offer an ethernet and WiFi hookup and let guests use their own laptop.
Use Deep Freeze on the comp. Set up a schedule to reboot every morning and to defrag in the background. Have remote access like remote admin or tightvnc to fix or update the computer.
a slut did tulsa
For about 50 quid (don't know in dollars, but reckon these should be available over there) you can get a little card that goes in the PCI slot.
It can be set up to reload the partition every reboot, every day, or on scheduled times. It has a "flash" version that saves up to 1G of changes to the OS/Partition or you can just have a complete backup on the same drive that it copies over.
The ones I've used are:
http://www.lodestar.co.uk/.
Site looks a bit outdated, but they work fine. I have a couple of them in different places, including a youth hostel, and it means I VERY rarely get called to fix up the computers.
...if they use that connection to do anything illegal or nasty. your name'll be on the ISP's billing system...
A good friend of mine has a nice beach rental in N.C. - If you have a nice house with a nice deposit and a healthy rental fee, people take care of things fairly well.
Another aspect is that most improvements increase the rental value. I helped them finish an addition to the kitchen which made it possible for 8 people to eat dinner at the same table. Rental fees are higher, and the renters are HAPPIER!
I just don't get people who insist that since THEY don't want a computer on vacation, NOBODY SHOULD BE ALLOWED TO!! If you want to install a computer with high speed access, that probably will attract a new set of customers that realize you want them taken care of in every way!
As for the backup restore - my OPINION is to not start fresh on every boot. Especially if you're using Windoze. I would be REALLY annoyed if the stuff I wrote up last night (since the kids were playing on my laptop) is TOAST!!
When the cleaning person comes in after the renters leave, one of their duties could be to log in to an ADMIN account and double click the icon that says "RESTORE".
It would be nice of you to install LINUX with a guest account and leave a Knoppix CD for them to take home.
ANOTHER OPTION:
Remove all furniture and carpet, put in 3 keg fridges, make the bathroom into another bedroom and rent a Port-A-Potty. That way those lousy worthless renters can't hurt much, and they can drink all the beer they want. Just turn the fire sprinklers on high at the end of the week.
But that's only if you don't respect others...
install linux
/home with noexec
lock it down
give each resident their own user account so activities can be traced.
mount
use one of those net anonymisers (a proxy hosted somewhere else, so if they do anything bad, you won't get done for it).
install gnome or KDE and give them nice desktop icons so it's not too different from windows (like "check email" for whatever mail app you choose, etc)
And make sure the deposit is enough to cover whatever a RIAA/MPAA lawsuit cost you.
And hope they don't do anything worse..
Just provide a live ethernet port. Let your guests hook up their laptops.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
If they want to have a PC at the beach, odds are they have their own laptop. Just get a pipe into the place (cable/DSL), put in a hub/access point (insert Your Preferred Vendor here - Linksys, Netgear, SMC, etc.), configure it fairly tight, wire up a coupla wall jacks and leave instructions. Given it's a beach house in summer, put a good surge protector on it; the units sold for DSS users will protect both power, phone and coax lines. The folks suggesting a commercial account for liability protection are probably a little too paranoid, though; if your renters download enough stuff to bring the MPAA/RIAA down on you, the type of account you set up with is unlikely to matter to the Overpriced Suits across from you in the courtroom.
Boot the system off of a write protected CF card version of Knoppix, and provide a USB key for configuration and storage which the guest can keep afterwards (incorporate the cost in the price of the rental).
The added benefit is that each member of party renting the house can get their own key and have their own configuration and files.
Unless you know the users well you can open yourself to a world of hurt. The Internet is wide open to people downloading and uploading things. You don't want to waste your life explaining it wasn't you.
You can spend quite a lot of time creating legal paperwork to cover your ass beforehand but unless you are/will be an ISP/hotel it's not really worth it businesswise.
Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
Here's what I would do.
Have a firewall/gateway PC in a locked cupboard with a UPS.
Have RJ45 sockets throughout the house for tenants to plug their own laptops into.
You could make a diskless (boot-from-LAN) LTSP client available for tenants who don't bring their own computer. Once they get past the xdm(or kdm or gdm) login screen (guest login username and password supplied when they pick up the keys for the house) they will get a customised desktop with an icon labeled "Surf the web" - anyone who has used any modern gui will be able to work out what to do next.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
Well, here's the thing:
Knoppix and other CD boot distros basically take a long time to boot. If for some reason the CD fouls due to condensation or something else, the system just won't boot.
The people will also not be able to download PDF files/etc if they are bigger than the temp space available from memory.
With a boot CD, you are basically going to want/need more ram and a fast CD drive to make it bearable.
The same issues of boot times and downloadables apply to Ghost/disk state keepers. If people are going to be there for a few days, it is unreasonable to wipe the system if it needs to boot or to boot it in the middle of the night since the guests might still be using it.
Before you look at the software, you have to look at the needs of the guests.
We're talking about vacationing guests, right? So what do people who are visiting do with a computer?
So you basically need to provide a locked down system with a good web browser, a SSH client, and maybe some tools like openoffice/etc.
Okay, how would I do it?
1) Use Linux. You have more options as to how to setup and restrict the system. Since you are connected to the internet, even if you lock down your box, you could be hit by a virus. Since you aren't there during the summer, this is a big issue. Use Linux. (A mac would be cost prohibitive, in my mind.)
2) Have Linux boot and make just about everything read-only. The only thing which should be possible to write to would be the guest home account and /tmp.
3) Have the machine be hard to mess with:
4) Have a recovery CD handy which can rebuild the entire system just by booting from the CD.
5) Put the machine behind a firewall. Yes, it's Linux, but put it behind a firewall. Even a cheap $50 firewall/switch/hub will work. That way, the Linux box won't have a real IP address, but will be NAT'ing to the outside world.
6) Have a laminated howto cheat sheet near the computer terminal for people to use.
7) Wipe the system only AFTER guests have checked out, if at all. This should only involve wiping and rebuilding the guest account to prevent web caches, keys, and passwords from being seen by the next guest.
Why Linux? Because you can get a cheapo X86 box with good performance and put Linux on it by downloading it off of the web. You can customize and lock it down to a good level and script almost all of the "clean system", "rebuild system", etc functions you need. You will have little to worry about in the case of virii and you will have a relatively low-zero maintenance system once it has been simplified.
I'd steer clear of booting the OS from a CD because it is slow and the system is less responsive. Use the CD option for "fixing" the linux box when it goes down with a "boot to rebuild" CD. Hard disks are cheap, fast, and offer more storage than a CD can. That means more software options and even internal backup images of the working system.
In either case, good luck! ^_^
Winged Power Photography
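
Added example, not part of any post in this thread: one way to script the between-guests reset several posters describe (wipe and rebuild only the guest account from a skeleton such as /etc/skel, after checkout). The function names and the scratch paths used in the demo are assumptions; on a real machine the arguments would be the guest account's home directory and the skeleton directory.

```shell
#!/bin/sh
# Added example: rebuild a guest home directory from a skeleton so the next
# renter does not inherit browser caches, keys or saved passwords.

# reset_guest_home HOME_DIR SKEL_DIR [OWNER]
# Deletes everything under HOME_DIR (dotfiles included) and repopulates it
# from SKEL_DIR. Returns 2, touching nothing, if the paths look unsafe.
reset_guest_home() {
    rg_home=${1%/}
    rg_skel=${2%/}
    rg_owner=${3:-}

    # Empty, "/" (empty after stripping the slash) and relative paths are refused.
    case "$rg_home" in
        ""|[!/]*) echo "refusing unsafe home path: '$1'" >&2; return 2 ;;
    esac
    # A symlinked home would make the wipe land somewhere else.
    if [ -L "$rg_home" ] || [ ! -d "$rg_home" ]; then
        echo "refusing: $rg_home is not a real directory" >&2; return 2
    fi
    if [ ! -d "$rg_skel" ]; then
        echo "refusing: skeleton $rg_skel not found" >&2; return 2
    fi

    # Remove every top-level entry. rm -rf unlinks symlinks instead of
    # following them, so a link left by a guest cannot redirect the wipe.
    ( cd "$rg_home" && find . ! -name . -prune -exec rm -rf -- {} + ) || return 1

    # Copy the skeleton's contents, dotfiles included, keeping file modes.
    cp -Rp "$rg_skel"/. "$rg_home"/ || return 1
    chmod 700 "$rg_home" || return 1

    # Changing ownership needs root; skipped when no owner is given.
    if [ -n "$rg_owner" ]; then
        chown -R "$rg_owner" "$rg_home" || return 1
    fi
}

# verify_guest_home HOME_DIR SKEL_DIR
# Returns 0 only if the home tree is identical to the skeleton.
verify_guest_home() {
    diff -r "${2%/}" "${1%/}" >/dev/null 2>&1
}

# Demo on constructed data in a scratch directory (nothing real is touched).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/skel/Desktop" "$d/home/guest/.ssh" "$d/outside"
    echo 'alias ll="ls -l"'  > "$d/skel/.profile"
    echo "Surf the web"      > "$d/skel/Desktop/README"
    echo "leftover key"      > "$d/home/guest/.ssh/id_rsa"
    echo "not the guest's"   > "$d/outside/data"
    ln -s "$d/outside" "$d/home/guest/link"   # guest-planted symlink

    reset_guest_home "$d/home/guest" "$d/skel" \
        && verify_guest_home "$d/home/guest" "$d/skel" \
        && [ -f "$d/outside/data" ]
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "guest home reset and verified"
```

Run from the admin account (or over SSH) after checkout, passing the guest user as the third argument so the rebuilt files belong to the guest again.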