Sunday, May 1, 2011

Securing Windows 7 from Offspring

Commentary and How to: Lock down a child's computer.

My youngest daughter nonchalantly said, "Dad, my laptop is infected with a virus." This is the first time this particular child had trashed the machine and 3 years was a good run without major problems. This made me wonder about the wisdom of giving her administrative rights on the computer.

The Virus
When the virus attacked, both Vista and Windows 7 prompts with permission screen (UAC - commonly called the Nag). The virus presents itself by enticing the victim with a game or some other program of interest. Most people will see the UAC Nag screen and click "Allow." You've probably done this yourself -- clicking Allow -- without giving it a second thought. In other words, people purposely install the virus, not realizing the payload.

Here is the sneaky part: The virus installs the program you want (usually a game), then it slips-in the malware -- where it waits a few days before showing itself. This way you won't remember where you caught the bug.

Especially with Vista, many computer owners disabled the UAC and they get their viruses installed automatically, without any prompts. Disabling UAC is somewhat foolish but at the same time the feature is useless if everyone mindlessly clicks Allow. My rule is simple: do not allow any program to install itself from the web unless you are confident of the vendor. How much you pay for the content is an indicator on how safe it is; free may not be safe.

Administrator vs Standard Users


As I looked at my daughter's computer, I realized it was running an ancient copy of A-VG anti-virus (no longer recommended) and was behind in other maintenance. It was also running Windows Vista. Rather than clean the virus, I decided to salvage the data, format the hard disk and install Windows 7.

With Windows 7, I contemplated a change to security. Windows allows users to be an "Administrator" or a "Standard User". By default, Administrator gives the user near-full control of the PC. Because my daughter had administrator rights, she was free to do as she pleased.

What would happen if I changed her to a Standard User? For a child's computer, this may be a good solution. With a non-administrative account, when she attempts to install an application, by accident or by design, she will be presented with an Administrator's login and cannot proceed. When the administrator logs in, they will be presented with the UAC nag, as expected. Doing this essentially locks-down the PC. This design works in Windows Vista and Windows 7, but does not work well in XP.


The Setup

Follow these steps to configure a child's secured desktop.

1. Ideally and optionally, install all needed programs, service packs and other updates, getting the computer into a good state before setting new security.

2. Important - Build an Administrator Account:

Before doing any of this work, you must make a new Administrator's account -- one where you do not tell the child the password. You must complete this before locking down the child's account or you will lock yourself out of the computer. You can make more than one administrator's account, if desired.

a. Start, Control Panel, User Accounts, "Manage another Account"
b. Click "Create a new Account"
c. Name the account "Admin" (or other name); mark as "Administrator"
d. Click the newly-created account; choose "Create a password". Be sure to fill out the password hint; this is a password you do not want to loose.

3. Login to the new account:

a. Click Start, (Shutdown: submenu); "Log off"
b. Login as Administrator

4. Change the child's account:

a. Start, Control Panel, User Accounts, "Manage another account"
b. Select the child's account
c. "Change the account type"; set to Standard User.

Results:
Your child will be prompted for an administrator's account before he can install any software or make any system-wide changes. If you were wise, you would not tell them the password. You can log in any time and install things as you-please.

Windows system updates will still run as-before (if set to automatic, they will install on their normal schedule), but applications will prompt for permission before updating, which can be a nuisance. Because of this, you should periodically login to the device and complete various updates for Java, Firefox, etc.

Update:

I still recommend these changes for children's accounts.  But with this said, my Niece managed to install a new virus, even though she was a defined as a standard user.  I am still trying to determine how she did this.  But there was one bright side to this setting, the virus was not able to install itself in all of the places it would normally have rights.  I suspect the cleanup was a easier than it would have been otherwise.

Finally, one closing note: Having a backdoor administrative account -- even if it is different than your own personal administrative account, is useful for cleaning some of the more simple viruses your machine might catch. Simple viruses may only infect the current user and the backdoor account is one way to clean up the mess.


See these Keyliner articles for other virus articles:
Microsoft System Sweeper - Bootable Antivirus - Highly Recommended
Removing Win32 Cryptor
Removing Win7 Anti-Virus
Removing Personal Security Virus
Securing Windows 7 from your Children
Microsoft Security Essentials

No comments:

Post a Comment

Comments are moderated and published upon review.