Will SteadyState restore to the original disk image?  Where I'm going is
if a user gets all infected and pwnd during their session, will it get
completely restored?  Then if so, how does it handle software patches?

 

Bill

From: Gavin Wilby [mailto:gavin.wi...@gmail.com] 
Sent: Sunday, March 29, 2009 3:24 AM
To: NT System Admin Issues
Subject: Re: Internet cafe setup

 

Seconded for SteadyState, I use it a lot for this.

Machine reboots at log off and resets itself - usually I just allow IE
and MSN Messenger and a 30-minute timeout.

On Fri, Mar 27, 2009 at 2:27 AM, Ben Nordlander
<bennordlan...@gmail.com> wrote:

You might take a look at Microsoft SteadyState too if u do go Windows.

-BenN

        On Mar 26, 2009 9:53 AM, "Ben Scott" <mailvor...@gmail.com> wrote:

        On Thu, Mar 26, 2009 at 11:07 AM, James Rankin <kz2...@googlemail.com> wrote:
        > My initial idea, in ...

        I'd only use a VM if I wanted the users to have relatively free
        rein on the machine during their session -- that way I could roll
        it back after.  If you just want a web browser, I think it's
        prolly easier to just configure a restricted user.  That way they
        can't even muck around with stuff *during* their session.

        I'd use something like LTSP (Linux Terminal Server Project) or
        ThinStation.  I'd set up one server to push DHCP, boot files, and
        (if needed) network file systems out to the clients.

        I'd use a user account on the clients that's got a mostly
        read-only user home directory.  (Unlike Windows, Unix will
        generally work even if the user's home directory isn't owned or
        writable by them.)

        I think the only things that the user would *need* to be able to
        write to would be /tmp/ and the browser cache directory (typically
        something like $HOME/.mozilla/firefox/default/cache/).  I'd
        suggest having them use USB flash drives if they want to be able
        to write or save files.

        If you have to provide a writable directory, just grant write to
        $HOME/Desktop or something like that.  And warn them their work
        won't be saved between sessions.

        I'd configure conservative browser settings, and then lock them
        against changes.  With Firefox, this is done by changing the
        user_pref() or pref() directive to lock_pref().  Possibly use a
        kiosk mode configuration.

        I'd mount the home and /tmp partitions with the "noexec" option,
        so if the user did manage to download a program, the system would
        refuse to execute it.  It should be possible to tell the
        auto-mounter to add "noexec" to any USB drives as well.
        
        -- Ben

-- 
Gavin Wilby,
Twitter: http://twitter.com/gavin_wilby
GSXR Blog: http://www.stoof.co.uk
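
The "noexec" mount check Ben Scott describes above, as an added example that is not part of the original thread: it audits a mount table in /proc/mounts format and also covers the case where a directory is not its own partition and so inherits the options of its parent mount. The mount table, the /home/kiosk account and the /media/usb path are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that user-writable paths sit on "noexec" mounts.
# The table is text in /proc/mounts format: device mountpoint fstype options ...

# Constructed sample: /tmp and the USB stick are noexec; /home is not a
# separate partition, so /home/kiosk (hypothetical account) inherits "/".
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,uid=1000 0 0
EOF
}

# covering_mount TABLE PATH: print "mountpoint options" of the mount that
# actually holds PATH (longest matching mount point; later entries win ties).
covering_mount() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best_len) { best_len = length(mp); best = mp " " $4 } }
        END { if (best != "") print best }'
}

# audit_noexec TABLE PATH...: report each path, return 1 if any allows exec.
audit_noexec() {
    table=$1; shift
    rc=0
    for target in "$@"; do
        hit=$(covering_mount "$table" "$target")
        mp=${hit%% *}; opts=${hit#* }
        case ",$opts," in
            *,noexec,*) echo "OK    $target (on $mp)" ;;
            *)          echo "EXEC  $target (on $mp: $opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on the constructed table; on a live system pass "$(cat /proc/mounts)".
audit_noexec "$(sample_mounts)" /tmp /home/kiosk /media/usb ||
    echo "at least one path is on a mount that allows execution"
```

In the sample, /home/kiosk is reported as EXEC because it lives on the root filesystem, which is why the home directory needs to be a separate partition before "noexec" can be applied to it alone.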

 

 
