Windows 7 Forums



Windows 7: How can I protect my internet cafe from infected flash drives etc...

14 Oct 2015   #1
Vishal Hardeo

Windows 7 64bit, Windows 8 64bits
 
 

So my buddies and I recently opened a small internet cafe; we're now getting started. I was wondering how we will protect our systems on our network from infected flash drives, micro SD, etc. that people will want to use on the computer. We have AVG Antivirus on all of our systems and the firewall the router came with, but I'm still not quite sure as yet. Is there any program you guys can recommend that will scan the USB as they plug in?


16 Oct 2015   #2
mdd1963

Windows 7 Home Premium 64 bit
 
 

You can password protect the BIOS, and disable the USB ports within the BIOS. Anyone has something they want to introduce, have them bring it to whichever employee is supervising the café at the time.

(However, 360TS certainly autoscans inserted USB drives, as do most AV's these days, most likely.)
16 Oct 2015   #3
Alejandro85

Windows 7 Ultimate x64
 
 

You for sure want strong security in place. USBs are the least of your concerns (while certainly an attack vector). The users must have internet access, from which they can download literally anything and run it on the computer, without the need of a removable device.
The best option is to harden the whole security of the system and take permissions away from the user as much as you can. After all, running a browser doesn't need too much system access.

A few things I would implement:

Run as standard user. There must be a user account dedicated to customers, which must of course NOT be an administrator. This account thus cannot make any system-level changes or remove protection mechanisms installed elsewhere. The computer can be set to autologin into this account. When an employee needs to perform maintenance he can simply log out and enter with a second, admin-level account or, even better, just use UAC to elevate what's needed. Make sure the admin account is strong enough.

AppLocker. This Windows feature limits what is allowed to run, basically letting just a few things run and everything else just getting an error. It could be a good idea to configure it to allow the basic tools you need for your users (like browsers, games, maybe a media player, etc.), as well as the normal Windows tools, and deny permissions on everything else. This works great to prevent infected USBs from running anything, as well as any downloaded thing. As it's a "whitelist-based" approach, you need to configure it carefully for the things you need, but after that it disallows any unknown thing. Infected USBs can then be safely plugged in as they won't run. Only available on Ultimate, but Professional has Software Restriction Policies instead.

Firewall. It's also nice to have a firewall that only gives specific programs internet access, while blocking everything else. Few routers actually have a nice firewall, and even fewer have it configured to do something meaningful. A software firewall is often better at filtering out bad things. Windows Firewall is a nice, built-in option, but again you must configure it to be restrictive enough to add some protection (its mere presence does nothing, and by default Windows Firewall is almost disabled).

Imaging. Another thing to consider is to use software like Deep Freeze or similar. Those things create a backup and restore it automatically on each boot, literally "freezing" the system from changes. The added security it provides is that the computer always boots from a known-good point, undoing any potentially malicious change users might make. It also serves as a privacy thing, as it cleans the browser history, temp files, and any passwords people might leave there, protecting not only the system but users from each other. Best if you reboot after each customer leaves.

Control software. Most likely you already have some of this, but use of specialized programs to control the computers from a central server is a nice addition. That lets you control usage time, messaging and maybe log users out, lock/unlock PCs or reboot remotely. This mostly serves an informational use more than security, but worth having while possible.

Antivirus. As a last resort, putting antiviruses on computers might give little benefit. While generally those are now considered mostly ineffective and useless, from time to time they can flag malicious downloads or even phishing websites from careless users, giving some protection against online fraud. Otherwise they generally do little to protect the computer itself. Make sure you set them to auto-update their databases very frequently.


Quote: Originally Posted by mdd1963
You can password protect the BIOS, and disable the USB ports within the BIOS. Anyone has something they want to introduce, have them bring it to whichever employee is supervising the café at the time.

Good tip! Forgot about that completely. I would, however, not disable USBs, as the computer can be protected in other more effective ways without sacrificing functionality. Having an employee copying the files over would also risk exposing the server to a malicious device, instead of the computers that are highly secured and limited.
What I would do is to disable booting from USB and CD in the BIOS (so reboots cannot put an external OS), then password protect it.
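The AppLocker allow-list described in post #3, as an added example that is not part of the thread or written by any of its posters: it builds a policy from the installed programs, asks AppLocker what it would decide for a file on a flash drive, and applies the policy in audit mode first. The account name `Customer`, the `E:\setup.exe` path and the backup file location are assumptions made for illustration.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on an edition of Windows 7 that includes AppLocker.
Import-Module AppLocker

$customer  = 'Customer'                   # hypothetical standard-user account
$usbSample = 'E:\setup.exe'               # hypothetical file on a plugged-in flash drive
$backup    = 'C:\applocker-before.xml'    # hypothetical backup location

# 1. AppLocker only evaluates rules while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Set-AppLockerPolicy replaces the local policy, so keep a copy of the old one.
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath $backup

# 3. Inventory executables and scripts in the locations a standard user cannot write to.
$files = foreach ($dir in $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) {
    if ($dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
    }
}

# 4. Publisher rules for signed files, hash rules for the rest.
#    The rules are scoped to Everyone, so they bind the admin account as well.
$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Cafe' -Optimize

# 5. Ask AppLocker what it would decide for the customer account. A file that
#    matches no allow rule is reported with the decision DeniedByDefault.
$probe = @("$env:windir\System32\notepad.exe")
if (Test-Path $usbSample) { $probe += $usbSample }
Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User $customer |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Apply in audit mode: nothing is blocked yet, but every file that enforcement
#    would block is logged as a warning.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }
Set-AppLockerPolicy -PolicyObject $policy

# 7. After a trial period, review what would have been blocked (event ID 8003).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message -First 20
```

Once the audit log lists only files that should be blocked, set each collection's `EnforcementMode` to `Enabled` and run `Set-AppLockerPolicy` again.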

16 Oct 2015   #4
sml156

Microsoft Windows 7 Ultimate 32-bit 7601
 
 

I found your question very interesting and decided to read up on it. Right now I am reading Group Policy Settings for Creating a Steady State (TechNet, Microsoft).
Documents related to steady state from Microsoft
Creating a Steady State by Using Microsoft Technologies
Group Policy Settings for Creating a Steady State

What you are looking to do is set the computer up to be in kiosk mode, and from the little that I have read so far you can do this in Windows 7, but it is hacky and not very secure. If you could upgrade the computer to Windows 8 or 10, they have an easy way to set it up and it is more secure. There is also third-party software to do this in Windows 7. With kiosk mode you can select what programs can run, and although I have not read the whole document I am sure that you could set the USB ports to do whatever you want or don't want them to do.

If I was going to set up a computer for public use I would buy an all-in-one touch screen computer without a mouse or keyboard.
17 Oct 2015   #5
Vishal Hardeo

Windows 7 64bit, Windows 8 64bits
 
 

Quote: Originally Posted by Alejandro85
Thanks a lot!! I'll be using your advice.