This accomplishes a couple of things.
- Ubuntu is more secure by default and much less targeted to boot
- If something happens with my Win7 "machine", from an infection (less likely to happen with it being isolated in a VM) to just a bad IT change control (just as bad), I just roll back to the last known good snapshot. Much faster than Ghost (or in my case Clonezilla).
When I turn it off... poof, away goes everything. I think in light of this new malware, I'll also use the same setup to access FB (in a different session from above type stuff of course) for safety's sake.
Any of the bootable Linux distros will do for the purpose.
People, it is going to get worse before it gets better. Just don't use Facebook or other social media. I have been fixing PCs for 20 yrs and have seen more infections through Facebook than any other form of media. Case example - an older lady client of mine only emailed on her PC. She never knew what a virus was or what email spam was - NEVER. She signed up for Facebook - within MINUTES she received spam... spam had links to viruses... infected.
Go get yourself a friend or two in real life, talk to them, and avoid social media.
If there is some magic wand to change that default I'd love to know it.
"A better step in the workplace is to lock out Facebook entirely, if it has no business use. There is an easy way to do this."
Banning Facebook in the enterprise is not an answer to the problem. As many I.T pros of old would still tell you control is the admin's best friend, wrong, it's a sure-fire way to limit the users' ability to work. Also preventing them from taking small 'social' breaks risks making the average employee even less productive.
I agree that limitations have to be set for those employees that will abuse any 'open' I.T policy but banning a social network completely will make you public enemy number 1.
A next generation firewall would be my first recommendation. A unified threat management (UTM) appliance that can anti-virus scan traffic at the gateway by using several different AV vendors' offerings. Such a device can also be used to limit the time spent on social networks on an individual or group basis, with many UTMs linking with Active Directory for user management.
It's about time I.T departments and old school I.T pros realised that old school techniques no longer apply to a modern world.
"As many I.T pros of old would still tell you control is the admin's best friend, wrong, it's a sure-fire way to limit the users' ability to work."
I really don't care if you call me old school. Experience has shown me that if you remove control on the desktop, you decrease productivity.
Employees would install any application they wanted to create files and expect co-workers to have the expertise to use their application. Or worse, nobody could open the files their co-worker created. Then there are the games that get installed and the incompatible browsers, and the music players, and the file sharing applications, and the remote desktop sharing applications, and the stacks of toolbars in the browser.
Then they would complain that their computer was slow and ask for a replacement.
My Help Desk staff would spend most of their time undoing the mess that the users created on their desktops.
No, I don't miss those days one bit.
That being said, I don't mind it if users check in on Facebook every so often. As you say, you can put in controls (security appliances) to keep their computers out of harm's way.
But remove other controls? I say absolutely not.
Your preferred system configuration: OPSYS and STORAGE. OPSYS contains OS and nothing else. Do I understand this correctly that all your application software (PROGRA~1), like word processor, spreadsheet, mail client, utilities etc. run on STORAGE? Or were you just not specific in your statement?
2. Run either Linux (Ubuntu is good) or another copy of Windows as your base OS, and run VirtualBox (or other) for hosting your Windows guest.
3. Immediately after creating your Windows VM, back up the (clean) VM to a safe place. Make it read-only. You'll need it to re-install, like Ghost -- which you won't have to purchase.
4. If Windows is your base OS, uninstall all web browsers, etc. so that you are NOT tempted to access the Internet from your base OS. (The idea is to keep your base OS free of viruses...)
5. If/when your Windows VM gets infected, quarantine it and re-install your read-only backup VM.
Note that you can spare yourself Step #4 and purchasing a second copy of Windows by using Linux as your base OS. You can surf the net with confidence from Linux. (At least for now... :^)
You can also use a "second instance" of your backed-up VM to "test drive" a website / download / Facebook page / application -- if it brings in a nasty, you just delete the VM afterwards, and go back to "business as usual".
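One way to script the clean-VM backup, restore and throwaway "second instance" steps above with VirtualBox's `VBoxManage` CLI. This is an added example, not part of any comment in the thread; the VM name, snapshot name and backup directory are assumptions, and rolling back to a snapshot stands in for re-installing the backup.

```shell
#!/bin/sh
# Added example: clean-baseline handling for a VirtualBox guest.
# VM, BASELINE and BACKUP_DIR are assumed names, not taken from the thread.
VM="${VM:-Win7-Guest}"
BASELINE="${BASELINE:-clean-install}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/vm-backups}"

# With DRY_RUN=1 each command is printed instead of executed,
# so the plan can be reviewed before touching a real VM.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 3: snapshot the fresh install, export it, make the export read-only.
backup_clean() {
    run VBoxManage snapshot "$VM" take "$BASELINE" &&
    run mkdir -p "$BACKUP_DIR" &&
    run VBoxManage export "$VM" --output "$BACKUP_DIR/$VM-$BASELINE.ova" &&
    run chmod a-w "$BACKUP_DIR/$VM-$BASELINE.ova"
}

# Step 5: power off, keep the infected state as a labelled snapshot
# for later inspection, then roll the guest back to the clean baseline.
restore_clean() {
    _stamp="${1:-$(date +%Y%m%d-%H%M%S)}"
    run VBoxManage controlvm "$VM" poweroff || true   # fails harmlessly if already off
    run VBoxManage snapshot "$VM" take "quarantine-$_stamp" &&
    run VBoxManage snapshot "$VM" restore "$BASELINE"
}

# "Second instance": a linked clone of the baseline for test-driving a
# download or site, deleted afterwards along with its disk files.
scratch_create() {
    run VBoxManage clonevm "$VM" --snapshot "$BASELINE" --options link \
        --name "$VM-scratch" --register
}

scratch_destroy() {
    run VBoxManage unregistervm "$VM-scratch" --delete
}
```

The exported `.ova` is the offline copy; if the VM's own snapshots are ever in doubt, it can be brought back with `VBoxManage import`.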
With that said, there is a fairly simple implementation that can really safeguard against viruses and make cleanup pretty easy. When you first load Windows 7, the default account is an admin account. Create a second account that is a basic user account and use that. If you need to install something, it will prompt you for credentials if it is accessing a critical area and you can enter the admin credentials.
At that point, exercise common sense on what you install and you're fine. If you're merely using Facebook and something prompts for your credentials, don't give them out.
If you do manage to get a virus in this configuration, just boot into safe mode and rename your profile to something else and let your profile rebuild. Copy your safe docs and favorites over and you're back up and running. All of the keys that kick off the virus in this config won't kick off if you blow away the profile and start over.