Windows Security and On-line Training Courses?

eggegick writes "My wife has taken a number of college courses over the last three years and many of the classes used on-line materials rather than books. The problem was these required IE along with Java, Active X and/or various plug-ins (the names of which escapes me), and occasionally I'd have to tweak our firewall to allow these apps to run. I don't think any of these training apps would work with Firefox. All of this made me cringe from a security point of view. Myself, I use Firefox, No-Script, our external firewall and common sense when using the web. I have a very old Windows 2000 machine that I keep up to date. To my knowledge, I've never had a virus or malware problem. Her computer is a relatively new XP machine, and at this point she feels her computer has something wrong. But now she prefers to use my old machine instead of hers since it seems to be more responsive. We plan to run the recovery disk on hers. Assuming the college course work applications were part of the cause, what recommendations do any of you have for running this kind of software? Is there a VMware solution that would work — that is, have a Windows image that is used temporarily for the course work and then discarded at the end of the semester (and how do you create such an image, and what does it cost?)."

vmware is free

[DragonTHC]

vmware is free, so is virtualbox and xen.

you would create the image yourself.

install a default XP machine and run IE on it.

Re:vmware is free

[Tibor+the+Hun]

Exactly. make known good snapshots and you're covered.
It's the best way to run windows nowdays.

Re:vmware is free

[isj]

Vmware Player is free. Vmware Workstation is not. But I doubt that for online courses that the extra funtionality in the workstation edition are needed.

Re:vmware is free

[MartijnL]

You can always install VMware Server (which is free) to make the image

Re:vmware is free

[QuantumRiff]

VMWare is free, however, you would have to check your licensing to ensure you can install a second copy of windows on it, without having to buy another license. (unless, of course, you put linux on the machine, and run windows inside vmware)

I think virtual machines are going to be the death of Microsoft. Its just too damn hard to keep track of in a VMAppliance world...

Re:vmware is free

The OEM Licence is non transferable and bound to the physical hardware.
AKA Intel Chipset/Broadcom Network and Intel Processor for example.

running windows inside vmware is running on Different VM Emulated hardware thus breaches the OEM licencing agreement.

If you bought retail and uninstalled it from your PC and reinstalled into a Linux Host VM then you are ok

Virtualization is your friend

[pwizard2]

I review software for a living (in addition to doing other things) so I've been using virtualized Windows XP installations for awhile now. (I prefer Virtualbox, but you can do this with any utility)

A long time ago, I created a virtual hard disk image of a Windows XP installation, got it the way I like it, and then backed it up. (storing a few GB long-term is trivial these days) When the current disk image I'm using gets overly cluttered after a few weeks or months, I just get rid of it and load a fresh copy from my backup and start over.

You could probably benefit from the same system.

Re:Virtualization is your friend

[mrphoton]

Don't know if this helps, but I use qemu-kvm under fedora. With qemu you can install XP or whatever base system you want to an image, then I generate an overaly file associated to the disk image. This means that all future changes to the disk image are stored in an external file. So if I think I have a virus or want to reset the system all I do is delete the changes disk image and I am back to a clean install of xp. This page details how to do it. http://wiki.archlinux.org/index.php/Qemu Also, I would use kvm part of qemu if you chip can do it (new pentiums can), it means that you are not doing emulation but running the OS as a native OS.

Why would it make you cringe?

[magamiako1]

all of this made me cringe from a security point of view.

Why would this make you cringe from a security standpoint? Security is only a problem with nefarious things are intended. The act of allowing these specific ActiveX controls to run within the context of the training courses has no bearing on whether or not you are permitting other ActiveX controls to run. If the prompts annoy you, rather than simply completely turning off ActiveX security features, you should add this site to your list of Trusted Sites.

There's nothing inherently wrong with enabling IE, using IE, or using ActiveX. And within the context of this single site there's not likely to be a problem. After all, if they were using their software for malicious deeds you surely have legal rights on your side.

Re:Why would it make you cringe?

[magamiako1]

Completely terrible analogy to make.

And yes, you can enable scripting per site. Or rather, on IE you have "zones". And you can set different security levels for each zone. You have your "Internet" Zone, "Trusted Sites", and even "Restricted Sites".

You can add sites and change security settings for each one of these. Trusted sites typically have less security requirements because you trust them. And that would be the proper solution to this question.

Windows SteadyState

[benjymouse]

is also an option. Can completely lock down a PC. All changes are written to a separate "log" partition which can be reverted. Logs can be kept separate for individual users and the system. For instance you can configure Windows SteadyState to discard all user changes at each boot but allows the system to update itself through Windows Update

It's available for XP and Vista (32 bit) free from Microsoft: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

Internet College web sites and virtual machines

[Orion+Blastar]

require you to turn off your firewall and pop-up blocker. Why they cannot write web software to work without needing pop-ups and can work with firewalls is beyond me.

Virtual PC 2007 is free. Use Pricewatch's operating system price search to find a version of Windows to run under it. Windows XP can be bought in OEM version for under $100.

Run all college web sites in a virtual machine.

Use Avast Home for Antivirus as it is free for home and non-profit use.

Can't you just fix the problem?

[diggitzz]

Virtualization is easy, but non-virtualization is even easier. There is a VMWare solution that will work: It's VMWare, and it works exactly like you think it does. The current price is listed on the VMWare website. I don't understand why this is a community-posed question, though, since you seem to have answered yourself in the question.

The free solution, on the other hand, is to just clean up the problems on the XP machine. If the other machines on the network continue to run trouble-free, just fix the one with trouble. You probably don't even need to recover or reinstall. Uninstall the ActiveX components, close the firewall back up, run anti-virus and anti-spyware apps (at least 3 different free ones) to remove anything that might have shown up, and if there are less than a handful of problems detected, you don't really need to reinstall. Run msconfig to check for extra crap at startup, and use HijackThis to check for any remaining browser toolbars, add-ons or other crap you don't want. Then make Firefox the default browser. Incidentally, there is a Firefox add-on available called IETabs which lets you run an IE-specific webpage from Firefox without starting IE and all its add-ons (it does use the base IE rendering engine tho).

If the machine hasn't had a fresh XP install in over a year, then it's time to reinstall anyway, and the sluggishness might have little to do with the extra ActiveX crap your wife had to use.

A cleanup might take you 2 hours. A reinstall could take longer, depending on how organized you and your wife have been about backing up data and how many programs you'll need to reinstall. VMWare works, but isn't free. These are the considerations to balance. Good Luck!

Sandbox software

[bakuun]

While running a virtual machine certainly would solve the problem, I think it might be more than a tad overkill.

Just get some sandboxing software (i.e. "sandboxie", which I've only heard good stuff about) and run internet explorer from within such a sandboxed environment.

Just like a VM it will keep IE (or anything spawned by IE) from messing with the rest of the system, but with the advantage that it is much more lightweight than a typical VM.

Re:Windows 2000 is out of support

[wjsteele]

Windows 2000 is not out of support. It is, in fact, still supported under the "Extended Support" model, where security fixes are still produced. It has left the mainstream support model where tech support was free. The difference between mainstream and extended is that you must pay for tech support calls instead of them being free.

According to this, Extended support doesn't end until July 13, 2010.

Bill