Slashdot Mirror
Ask Slashdot: Securing a Windows Laptop, For the Windows Newbie?
madsdyd writes "I am a long-time user of Linux (since 1997) and have not been using Windows since 1998. All PCs at home (mine, wife's, kids') run Linux. I work professionally as a software developer with Linux, but the Windows installs at my workplace are quite limited, so my current/working knowledge of Windows is almost nil. At home we have all been happy with this arrangement, and the kids have been using their Nintendos, PS2/3's and mobile phones up until now. However, my oldest kid (12) now wants to play World of Warcraft and League of Legends with his friends. I have spent more hours than I like to admit getting this to work with Wine, with limited success — seems to always fail at the last moment. I considered an Apple machine, but they seem to be quite expensive.
So, I am going to bite the bullet, and install Windows 7 on a spare Lenovo T400 laptop, which I estimate will be able to run both Windows 7 and the games in question." Read on for more about the questions this raises, for someone who wants to ensure that a game-focused machine stays secure.
madsdyd continues: "Getting Windows 7 from a shop is surprisingly expensive, but I have found a place where they sell used software (legally) and can live with that one-time cost. However, I understand that I need to protect the Windows installation against viruses and malware and whatnot. The problem is, I have no clue how. One shop wants to sell me a subscription-based solution from Norton, but this cost will take a huge dip into my kid's monthly allowance — he is required to cover the costs of playing himself, so given that playing WoW is not exactly free, this is a non-trivial expense for him. On the other hand, he has plenty of time, so I guess he could use that time to learn something, and protect his system at the same time.
How do other Slashdotters provide Windows installations for their kids? What kind of protection is needed? Are there any open source/free protection systems that can be used? Should the security issues be ignored, and instead dump the Windows install to an external disk, and restore every two weeks? Is there a 'Windows for Linux users' guide somewhere? What should we do, given that we need to keep the cost low and preferably the steps simple enough for a 12-year-old kid to perform?"
How do other Slashdotters provide Windows installations for their kids? What kind of protection is needed? Are there any open source/free protection systems that can be used? Should the security issues be ignored, and instead dump the Windows install to an external disk, and restore every two weeks? Is there a 'Windows for Linux users' guide somewhere? What should we do, given that we need to keep the cost low and preferably the steps simple enough for a 12-year-old kid to perform?"
Install Microsoft Security Essentials and forget about it.
Run it through your regular NAT router setup and tell your kid not to download nasty stuff!
And consider the educational value of having him get viruses. And the joy of reinstalling the OS.
Maybe he will appreciate dad's wisdom to date ;)
I know you asked about securing, but there is more than just security that is often overlooked in windows, that can be learned from the *nix world.
First, don't give anyone admin privileges with their default account. You are just asking for trouble if you do.
Second, the swap file should have its own partition. In *nix this is pretty much dogma, and it well should be in windows as well. Everyone knows that windows loves to fragment the hell out of its own file system, and the windows swap (paging) file is no exception. If you put it on its own partition you will make defragmentation a lot easier later when you have to do it.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
How did you learn? By making mistakes. Let him run his Windows 7. With admin rights. If he gets viruses, trojans, adware, malware, so be it. If he needs to reinstall every 3 months as you probably did when you had Win 95, so be it. That's how he'll learn.
Your kid might not be satisfied with the way WoW works on an old T400 laptop. Check the graphics specs vs. the game recommendations. And for security, I'd just use Microsoft Security Essentials. It's free, probably works as well as any of the subscription-based anti-virus products and how much do you really care if your kid's game platform gets a virus?
If your machines have the power for it. you may be able to get away with running Windows in a VM. Install everything, get it set up properly, then snapshot it and restore to that point at the end of every gaming session. It's one fairly sure way of keeping Windows safe.
1) Install a free antivirus program like Microsoft Security Essential or AVG. Most free antivirus programs are close enough to paid software as long as you pick the better ones.
2) Run the computers network through a filtering program or DNS server like OpenDNS with the filtering option enabled.
3) Limit user account for kid. Install the software he needs for him. This would be a major improvement in security with limited hassles as it's usually the user that is the cause of many security issue.
Bonus) Occasionally keep a backup image of the hard drive. If the computer does get infected, it's easy and faster to recover from.
Two comments -
1. If you're going to use Wine, go purchase Codeweaver's Crossover version. It's much better than the standard Wine. Plus, you can get a warm fuzzy feeling you're paying to support open source. PlayOnLinux is an option too.
2. However, do expose your children to Windows. It's what they're going to learn in school and possibly what they'll need in the workplace. (Oh, I'm sure some people would like to point out why I'm wrong, people have been predicting the demise of Windows for decades. It's still the de facto standard.)
Finally, just go download something like MIcrosoft Security Essentials or Avast for your antivirus. They're free and work.
----- obSig
Dont protect the machine. Let him taste windows the way Microsoft serves it. What does not kill him will make him stronger. Either he learns to protect the machine on his own and stays in Windows camp. Or learns that the few things in the Windows world is not worth the pain and suffering comes home to a real OS. At best you throw him a nickel and ask him to buy a real OS. [Growing a beard before throwing that nickel is optional.]
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
...one word: Proxy.
Run your kid's network connection through it (enforce it via the home router if necessary), and whitelist what he is allowed to visit. Here is an example of how to set up SQUID to do that.
That by itself will knock out virtually all threats from the network.
As for the machine itself, install CCleaner and AVG (which IMHO is among the least intrusive of the A/V solutions), maybe tweak RDP so you can sniff around in there from time to time remotely w/o his knowledge, and that should cover practically everything you really need to protect and control your kid's computer.
Quo usque tandem abutere, Nimbus, patientia nostra?
and it runs on Linux natively. http://www.heroesofnewerth.com/
Obviously if his friends are already playing LoL it might be difficult to switch.
You do want to do two other things. 1) Keep that install disc, and make sure the kid knows how to install Windows himself, plus install his games himself. I think WOW and probably LOL are both cloud-based saves so wiping the HDD is no issue. Reinstalling Windows is generally 1/4 the time and hassle of actually fixing a malware problem.
2) Let him know that he is only likely to get viruses doing things he shouldn't. Drive-by downloads on legit sites are rare. Drive-by-downloads on warez, gold sellers (for WOW), and porn are a lot more common. If he is going to do that stuff (you can't stop him) at least make sure he knows that those are dangerous sites. If his computer is acting funny after visiting one, and a reboot doesn't fix it, then wipe the install.
What free antivirus do you install on windows
Install Windows Security Essentials and you'll be fine. Seriously, it's not like by putting Windows 7 on a computer your house is immediately going to be invaded by zombies dragging every virus or malware known to man. Install WSE (or one of the other recommendations from the above thread), run with standard (not admin) rights, and that's pretty much all you need to do.
Neil
1) Install Microsoft Security Essentials. It's free and works as well as any paid Anti-Virus that I've used.
2) Educate your kids on the types of website to avoid. Sites like Limewire (where kids get free MP3's from) are full of viruses and spyware.
3) Set them up with a non-Admin account. That way if something bad happens the damage is minimized.
4) Install some add ons for the browser. No Script is a good one. It blocks Java Script and the bad guys love to use that to wreck havoc.
5) Consider creating a separate partition for the OS. If something goes wrong it's nice to have the OS separate from your own files.
6) Consider something like Norton Ghost (there are free alternatives as well) that can create a full image of your HD. Take snapshots before doing major system updates. If something goes wrong you can just restore the image and everything is as it was.
7) Running Windows as a VM on top of Linux is a good idea. If something goes south you can simply copy the pristine image back over the corrupted one.
8) Stay on top of the System Updates. Microsoft has "patch Tuesday" where they typically release system patches. Some of them are important and fix known vulnerabilities.
Why not make the kid do it? That way instead of learning that there will always be people out there to do things for him, he will learn to rely on himself(and google of course).
$550 is quite a bit for a used computer.
You want to keep the laptop secure. You want a 12 year old to use it. You want it to run Windows.
There is no solution. There will always be security risks and in some cases a negative time-frame to deal with them. Doesn't matter how good your AV is or what utilities you put on there, if it's connected to the Internet and there's a user at the keyboard then it is inherently insecure.
Now, how "secure" do you need it to be? If you're ok with putting that laptop on a separate subnet from everything else and teach the kiddo to do a proper update check every couple of days you should be able to mitigate most of the 'risk'.... but that seems a bit much to ask.
No mod points here. I played WoW for 3 years on Linux using Crossover Games. Codeweavers has merged all of their Wine forks into one product so it's even more worthwhile to buy it now. There have been a few issues (such as memory problems on 64-bit Linux hosts), but overall it works pretty well. I had no trouble doing end-game raids (Vent works fine too).
WoW runs perfectly under Wine, even under a dirty prefix, and has for like 5 years, maybe longer. League of Legends you must clean Prefix, and install dx9, dotnet2.0, and vcrun2008. Then LoL will work. I know from experience that this shit works.
and went all Linux in house. Told the kid to suck it up for any games that were not available on console. 5 years later I get a couple of complaints here and there but sure as hell beats reinstalling windows every 6 months. You can tell the kids to not download all you want but they're kids so it takes a few times to learn not to download files from all over the places.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
As a log term windows admin who's cleaned up more home computers than I care to count, here are my tips:
1. Ensure windows updates are set to download and install automatically.
2. Install AVG Free, sure MS essentials is good, but I guarantee every virus is written to avoid it, I go with 3rd party AV wherever possible.
3. Install Chrome for web browsing, sync the account to google
4. Setup his account as a regular user, don't give him the admin password
5. Setup something to backup Warcraft, it's a huge download, you don't want to be doing it again if you need to reinstall
And that's it, it's basic security but win7 is pretty good, the above has been enough to keep our home XP machine safe for many years.
Ultimately it's a kids computer and they're going to click anything shiny, sooner or later it will get a virus. There are a few key points to bear in mind here:
1. It's going to happen, preventing it is pretty much impossible.
2. Your other computers are Linux, so the risk to them is negligible.
3. Most viruses these days are botnets or phishing, so long as he's not spending a fortune on a debit card, the risk to him is minimal.
4. All the software I recommended will update itself, so it's zero maintenance. That's a major factor in keeping windows secure.
5. If it does end up riddled with viruses, a quick re-install over the top, followed by a sync to google and it's all back to normal, including your files and settings.
See title. I feel it important to point out that the Lenovo T400 does not meet World of Warcraft's minimum requirements. The Intel GMA 4500 GPU that this laptop has is specifically listed on Blizzard's website as not being supported. What this means is that even if you manage to get it to run, performance will be poor and the game really won't be any fun. In fact, I have to wonder if the problems you've had related to getting it to run in wine are more hardware-related - the computers you are trying to do this on simply aren't beefy enough.
Other specs on the system are borderline bottom for barely meeting the requirements. Don't subject your kids to that. Get them a new computer with Windows 7 preinstalled. For virus protection, Microsoft Security Essentials does fine (free with Windows 7, though it is a separate download).
You may prefer Linux, and it may even work for you, and for you that is fine. But we live in a Windows world - you are doing your kids a serious disservice by not giving them Windows exposure now. They'll need that experience in 10 years when they are trying to get a job - any job - that isn't Linux development.
Intelligent responses welcome, flames will be met with marshmallows.
Translating - you aren't a windows guy, and you aren't going to become one for this, but you don't want to waste time reinstalling every couple of weeks or listen to your kid crying his account got hacked.
With that premise
- Set Windows updates to nightly download and install automatically.
- MSE (AV from MS) is fine, oddly enough. Its even light enough you can run a second one such as Avast! if you wish.
- NAT router in front assumed
- Leave the Windows Firewall on, don't enable file sharing
- Install Firefox, make it the default browser, load two addons - NOSCRIPT and AdBlock Plus. Remove the IE icon from the desktop.
- Council the kid that this is NOT his general internet browsing/use machine. It is dedicated for the games. Continue to browse etc. on the systems you know how to maintain.
With the above, you have no cost, minimal maintenance and the machine is very likely to stay secure for years.
--- Mercutio was right.
Do you have broadband?
They all come with a free security suite.
http://xfinity.comcast.net/constantguard/Products/CGPS/norton/
http://www.cox.com/css
www.att.com/esupport/article.jsp?sid=KB402441
http://www.rr.com/security
http://www22.verizon.com/home/utilities/security-backup
The design of the registry makes it very difficult to tell what is "bloat" and what is not. Various optimizations in XP and more recent versions mean that any performance enhancements should be negligible. Unless those few hundred kilobytes are important, and the possibility of breaking software components of your system is not, you should not use CCleaner or any other registry cleaning tool.
Why would you want to have a limited browser cache anyway? Do you like longer access times?
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
By and large, real gamers are pretty clueless about software, know less about OSes, and nothing about security. What they know of hardware comes straight from benchmarking websites.
Generally speaking, you get ugly results when you run out of RAM with no swap file. Windows of course has notoriously aggressive paging, and changing this behavior is not as simple as on other OSes. There are a couple of registry settings, however, that govern how large the filesystem cache is and whether drivers and core components can be swapped to disk. You can also lock the process in memory if you really must.
Yes, you can more simply set the swap size to zero. Yes, many people don't have stability problems with this. Yes, you can use a wrench instead of a hammer if you have to.
If your system is having issues with paging, don't disable paging: just buy more RAM.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
It maybe true that the programs are not WOW and LOL. Perhaps he made that part up to not reveal what he really wants to run. Maybe something more like World of Big-Breasted Whores. Whatever. Give the guy a break and instead of busting his chops for his protecting his provacy answer the question huh?
Submitter here:
Step 1: There is no windows to uninstall. There are literally no Windows installations in this house, (and actually never have been, as we built the house in 2004, but that is another story). The kid in question - my 12 year old son - does run Linux (Kubuntu 12.04) and uses e.g. Scratch from MIT for programming, libreoffice for school work, minecraft for, well, minecraft and so on, and so on. Oh, and he runs his own minecraft server.
But, no, I can't get WoW and LOL to work with/under Linux (neither can he). Starting point is some semi-old laptop (not the T400, which have just become available recently), running Kubuntu 12.04. Been through various permutations of Wine, Crossover and some "just install this, guaranteed to work, autoinstall Wow" permutation of crossover (I think, have forgotten the details). For all, it looks as "the right thing" happens, but eventually it turns out something or other does not work, e.g. the system is left for 24 hours to download the last 1% and it just does not happen. I think the last approach we tried, we ended up installing a US version (?) and beeing in Europe, this apparently (eventually) failed to start. Or something. I have lost count of the hours we have used. I simply can not make it work, and I do not know any persons that can. I could possibly hire someone to do it, but I have no idea if it ends there. What if all his friends plays "FunkyNewGame" next year, that only runs under Windws? What then? Make no mistake: I consider Windows in this context simply a console, much like the PS3 - but a console that needs a lot more handhelding than the PS3 (And, I understand that WoW does not run on the Xbox).
Now, beside that I personally have other things to use my time on, all this fidling is also a very frustrating experience for my kid. I do not expect you to understand this, especially not, if you have no kids, but he gets his hopes up high, and sort of thinks his dad is "the shit" for finally making this work, and then, after 4-5 hours of reading, installing, downloading, and whatnot, it just does not work. And, another day/week/month has gone by with him still not beeing able to play WoW/LOL with his friends. So, as I stated, I am going to bite the bullet and get Windows. For this particular purpose. (Oh, and possibly to reprogram the properitary house control system of this house, which was the only legal option to install, according to Danish Law, when the house was built - but again, that is another story).
You may argue that my linux skills are inadequeate because of this - you may be perfectly right. The sad truth is then, that my Windows skills are even worse.
1) install Windows 7 and set a password for your account.
2) Install all MS Service packs, patches and MSE.
3) Make a Limited user account, and log into it. This is your Kids account
4) Install Chrome for that user, give him a Gmail account to backup settings (in case something does happen to the system) and install Adblock plus with the Easylist filter on it. Set it as the default browser. Hide or disable IE afterwards. This also sandboxes the browser even further and gives him flash player and PDF functionality without having to worrying about updating those.
5) DO NOT INSTALL JAVA!! He doesn't need it, it's full of exploits, and every exploit kit on earth uses it to infect your box! If he needs Java for Minecraft (and seriously this is the only reason to install Java. Anything else say no.) then Install the 64 Bit version and run it from the minecraft executable on Mojang's site. The 64 bit version of Java doesn't work for browsers other than IE 64 (which you uninstalled) so just install that one and update it manually since the clueless idiots at Oracle hasn't figured out how to auto update 64 bit java for some reason..
As for games.
1) install the game as the admin. Try it on his user account. If it works, Great.
2) If that fails or if you just want to simplify setup, use UACTrust to make a shortcut that is pre-trusted. Since it's unlikely WOW or LOL will hack the machine directly, you can use this so he can play the game while the other stuff is user snadboxed.
Other notes:
You said you're letting him use a Lenovo T400. Ban him from using USB devices on the left USB ports unless you want to replace a Board for $300. If he must use USB, Only use the right USB port by the CD-Rom and use a Hub. That port never breaks.
In Soviet Russia, Trojan exploits YOU!
The cheapest price I have been able to find here in Denmark is kr. 1399,- which is $244,-. I was surprised by this.
A couple problems with what you're doing:
1. Games on a Lenovo?! Lenovo is Chinese for 'shitty laptop company' Their computers are for business, not gaming.
2. Norton? Norton's a scam. Just use Microsoft Security Essentials. Even if you get a virus, who cares? Worst case, reformat, start over.
It's not so complicated.
I maintain a machine much like the one to be used by your son. You are right to give up on trying to get these games working in Wine. Even if you succeed, the next patch might break it. It creates an unreasonable amount of recurring effort, which you can avoid entirely for the cost of an OEM Windows licence, which is really, really cheap in comparison. Sure, this is not what Stallman would say, but then he does not support PCs for a family.
Here are some suggestions:
1. Windows 7 on a new laptop.
2. Install Microsoft Security Essentials. It's free (beer). Don't bother with Norton.
3. Create a regular user account for your son. Ensure the account is not able to modify system files without asking for the admin password. This prevents most of the nasty things malware tries to do. WIndows security is actually really good these days.
4. Order a Blizzard authenticator to go with WoW. This excludes more nasty things that malware might do... just in case!
5. Back up the machine after you install the games but before you hand it over to your son. Use backup software that will generate a disk image like Macrium Reflect Free Edition. Restore this disk image from a live CD (Reflect can create one for you) if your son has any problems. You have to use a full disk image for Windows because restoring an install is not just a matter of copying the files and rerunning update-grub.
6. When working with Windows, use the same patience you have to use when working with an unfamiliar Linux distribution. Don't expect everything to be straightforward or logical, and be pleasantly surprised when it is. The only extra thing you need to beware of, but Linux users do not, is that there are scam sites which offer to "help" you with common problems, e.g. device driver issues, and serve up malware instead of help. Good practice is to research Windows problems on a Linux machine.
You're an immobile computer, remember?
What do you mean you "couldn't get wow to run on wine"?
WOW has a platinum rating on wine's appdb.
For those of you who don't know, platinum means that absolutely no tweaking is required at all.
If they want to game on wine though, make sure you get an nvidia card. It's the only way to go. Sure ATI/Intel are more open, bla bla, but if gaming's what you want, then it's your only choice.
Surprised I haven't seen this mentioned, but in addition to MSE, Microsoft also offers a second exploit prevention/mitigation tool called EMET http://www.microsoft.com/en-us/download/details.aspx?id=29851
I suspect that one of these choices is incorrect. Correct.
The Windows license on a Lenovo T400 is going to be for Windows Vista, unless you ordered one of the corporate oriented ones with XP. It will also be a pain in the ass to get that Windows partition working if it ever breaks. You don't get real install media from Lenovo, just their recovery program--which sucks and easily can break.
Just ignoring the whole thing, buying Windows 7, and installing that is absolutely the right thing to do. It's bad enough he's being force to have a Windows laptop in the house; saying he should have a Vista install is going way too far.