Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Protecting Home Computers From Guests?

Posted by timothy on from the quick-name-an-os-that's-never-been-compromised dept.

An anonymous reader writes "We frequently have guests in our home who ask to use our computer for various reasons such as checking their email or showing us websites. We are happy to oblige, but the problem is many of these guests have high risk computing habits and have more than once infested one of our computers with malware, despite having antivirus and the usual computer security precautions. We have tried using a Linux boot CD but usually get funny looks or confused users. We've thought about buying an iPad for guests to use, but decided it wasn't right to knowingly let others use a computing platform that may have been compromised. What tips do you have to overcome this problem, technologically or otherwise?"

7 of 572 comments (clear)

  1. Boot to the guest account by AlphaBit · · Score: 5, Informative

    The media PC in my living room boots directly into the Guest account. Under the guest account I can USE almost all the programs I have installed seamlessly. There are some minor issues with software updates, XBOX controllers, and a complete inability to configure network settings, but that's about it. If I need to do anything that requires more rights I can deal with the UAC prompts that show up or simply log out and back in as an admin.

    I know it's not flawless but I still feel pretty comfortable letting my tech savvy (e.g. dangerous) friends stay over unattended. It wouldn't hold up to anyone seriously determined to break the security but they have access to the physical machine and can't really be stopped anyway.

  2. Re:Virtual Machine by Erioll · · Score: 5, Informative

    I agree. Fullscreen the VM, and they'll probably never even know that they weren't using your "actual" PC.

  3. Re:Hey, I'm lazy too! by gagol · · Score: 4, Informative

    Solutions evolve with time, in order for Google to index relevant pages, we have to create content. That is happening as we speak!

    --
    Tomorrow is another day...
  4. Re:Virtual Machine by steveg · · Score: 4, Informative

    Why go to all the trouble of reverting the snapshot?

    Just set the disk to "non-persistent" and nothing they do will modify the system. Each time the VM is restarted it's back to its default state.

    I don't have any experience with VirtualBox, but with VMware include a line something like this in the .vmx file:

    ide0:0.mode = "independent-nonpersistent"

    When you want to make changes, shut down the VM and change that line to:

    ide0:0.mode = "persistent"

    then change it back when it's the way you want it.

    I'm sure VirtualBox has something similar.

    --
    Ignorance killed the cat. Curiosity was framed.
  5. Guest account on a Mac is perfect for this by DavidinAla · · Score: 4, Informative

    If you have a Mac, there's a standard user account called Guest. This account has privileges to do normal user things, but can't install apps or make other changes to the computer. (And the account has no access to other users' data.) No matter what the guest user does in that account, it can't hurt you —and the entire Guest account is in a fresh state each time you log in to it. It's designed exactly for something such as this, and it works very, very well in real use.

  6. Re:Guest wifi... by immaterial · · Score: 5, Informative

    Windows may be a problem here, but the built-in guest account on OS X is perfect for this purpose. Enable it, and guests can log in the guest account (no password), which acts like a standard user account (they have full access to the browser and any other globally-installed apps) except that at logout, the entire account is wiped clean. Since your guests don't have administrator access to your computer they can't mess up anything outside the guest account, and anything they do inside that account is automatically cleaned up for you when they're done.

  7. Re:Virtual Machine by dissy · · Score: 4, Informative

    For VirtualBox, the method I use is slightly different but gives similar results in the end.
    This must be done from the command line with the vboxmanage.exe tool, I'm not aware of a GUI way to do it.

    I have a 'template' VM with fully setup windows and configured how I want it.
    Then I make a new 'guest' VM (from scratch) and copy the template disk image to a new name (cloned, from virtual media manager), from template.vdi to guestbox.vdi, and then I use a command line tool to set the new disk image immutable, so it can not be changed again.

    vboxmanage modifyhd whereever/guestbox.vdi --type immutable

    Then point the guest vm to the guestbox.vdi image under settings -> storage.

    Each time the VM boots, disk writes go into a seperate copy-on-write file, which gets deleted once the VM is powered down. A "revert" action takes as long as a delete command unlinking an inode.

    When I need to make updates, I do that in my template vm, then copy over the vdi setting it immutable again. Copy the new guest image over the old one, and the VM is updated.