AntiVirus Software for Family History Center

[jdlessley]

How are you locking this? It sounds like a lock at the user interface rather then at the file level.

Group policy - which is a user interface control and not a file level control. This is to control the user's from making changes to the computer. It does not prevent other sources from making changes. Therefore a properly written attack can install objects to any of the connected user's area of access (<user>My Documents, <user>Desktop, and so on). An example is a patron sees a graphic on-line and right clicks the mouse for the shortcut menu and selects Save as Background. The graphic is now saved as the displayed wallpaper for the user. --- Ooops, bad example. I just remembered I can lock that out too. Well I hope you get the idea.

Which suggests that maybe it would be a good idea to set up a second user with the privileges needed to browse the Patron files but without having admin rights.

Must have admin rights to access another user profile and the sub folders.

I'm just saying in my other posts is that having a good anti-virus is a very good idea if you want to protect your computer. Going without is risky business.

[russellhltn]

Group policy - which is a user interface control and not a file level control. This is to control the user's from making changes to the computer. It does not prevent other sources from making changes.

There you go. I think you've answered your own question about where the security needs to be.

Therefore a properly written attack can install objects to any of the connected user's area of access (<user>My Documents, <user>Desktop, and so on)

And then what? Typically things written to that area can only be run by that user. The user has very little power to alter the computer. Because, if something has the power to write those things it has the power to try and do it's dirty work. But it lacks the ability to hook into processes that start on bootup, so it has a hard time surviving a reboot. Not impossible, but I'd bet there's fewer Windows users running as "user" then there are Mac OS users. So which one is a virus writer going to work on?

Must have admin rights to access another user profile and the sub folders.

By default, yes. But I'm sure that can be changed. On a WinXP Pro machine: Windows Explorer > Tools > Folder Options > "View" tab. Scroll down to the bottom and uncheck "Use simple file sharing".

Now, as admin, right-click the folder C:\Documents and Settings\Patron and grant someone else rights to see that folder. It may take a few rounds, but you should be able to get another non-admin to see the Patrons stuff. Likewise you can go into the Patrons Desktop folder and remove the Patrons ability to make any changes to the folder. Now it's going to take a lot more for anything to plop down an icon on the Patron's desktop.

I'm just saying in my other posts is that having a good anti-virus is a very good idea if you want to protect your computer. Going without is risky business.

I don't disagree, and since the church provides it for the official FHC computers, I have no problem using it. I just don't consider it a front line of defense in a properly administered machine.

[jdlessley]

Thank you for the pointers. I am aware of the steps you mentioned and have used them - except I had to leave the My Documents open to the user for a place to store files. The problem is will my successor? Quite frankly I did lock down all the computers and used a semi-hidden user account to tie everything up. By doing so I became the only person who could make changes to the computers. Even our FHC computer specialist had to call me to make simple changes. Instead of making my job easier it added more work. After serious thought about what might happen after I was suddenly gone I decided to take another approach. I installed the Church provided DeepFreeze program and opened everything back up. With DeepFreeze it does not matter what happens to the computer. Everything is set back to the way it was following a reboot. Since there is a DeepFreeze OTSS to call at the BSD my successor will have someone he can call. The only thing I can't do is track inappropriate internet usage. But that's another issue.

[russellhltn]

The only thing I can't do is track inappropriate internet usage. But that's another issue.

There may be a registry entry to point Temporary Internet Files to a unfrozen partition. That would solve that problem. In fact

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder\Cache
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folder\Cache

looks like good ones to try and tinker with.

[jdlessley]

Thanks, I'll try that.