Solved How can i protect my internet cafe from infected flash drives etc...

Vishal Hardeo

New member
Local time
5:36 AM
Messages
20
So my buddies and i recently opened a small internet cafe, we're now getting started. and i was wondering how will we protect our systems on our network from infected flash drives, micro SD etc the people will want to use on the computer. we have AVG Antivirus on all of our system and the firewall the router came with, but im still not quite sure as yet. is there any program you guys can recommend that will scan the USB as they plug in?
 

My Computer My Computer

At a glance

Windows 7 64bit, Windows 8 64bits
Computer type
PC/Desktop
OS
Windows 7 64bit, Windows 8 64bits
You can password protect the BIOS, and, disable the USB ports within the BIOS. Anyone has something they want to introduce, have thenm bring it to whichever employee is supervising the café at the time.

(However, 360TS certainly autoscans inserted USB drives, as do most AV's these days, most likely.)
 

My Computer My Computer

At a glance

Windows 7 Home Premium 64 bitAMD A45 GBIntegrated Radeon
Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP
OS
Windows 7 Home Premium 64 bit
CPU
AMD A4
Memory
5 GB
Graphics Card(s)
Integrated Radeon
Hard Drives
500 gb WD
Antivirus
360 TS
Browser
IE
You for sure want strong security in place. USBs are the least of your concerns (while certainly an attack vector). The users must have internet access, from which they can download literally anything and run in the computer, without the need of a removable device.
The best option is to harden the whole security of the system and take permissions away from the user as much as you can. After all, running a browser doesn't needs too much system access :p

A few things I would implement:

Run as standard user. There must be an user account dedicated for customers, which must of course NOT be administrator. This account thus cannot do any system-level changes, as well as remove protection mechanisms installed elsewhere. It can be set to autologin into this account. When an employee needs to perform maintenance he can simply log out and enter with a second, admin-level account or even better just use UAC to elevate what's needed. Make sure the admin account is strong enough.

AppLocker. This Windows feature limits what is allowed to run, basically letting just a few things to run and everything else just getting an error. It could be a good idea to configure it to let run the basic tools you need for your users (like browsers, games, maybe a media player, etc.), as well as the Windows normal tools and deny permissions on everything else. This works great to prevent infected USBs to run, as well as any downloaded thing. As it's "whitelist-based" approach, you need to configure it carefully for things you need, but after that it disallows any unknown thing. Infected USBs can then be safely plugged as they won't run. Only available on Ultimate, but Professional has Software Restriction Policies instead.

Firewall. It's also nice to have a firewall that only lets specific programs internet access, while blocking everything else. Few routers actually have a nice firewall, and even less have it configured to do something meaningful. A software firewall is often better at filtering out bad things. Windows firewall is a nice, built-in option, but again you must configure it to be restrictive enough to add some protection (it's mere presence does nothing, and by default Windows Firewall is almost disabled).

Imaging. Another thing to consider is to use software like Deep Freeze or similar. Those things create a backup and restore it automatically on each boot, literally "freezing" the system from changes. The added security it provides is that the computer always boot from a known-good point, undoing any potentially malicious change users might do. Also serves as a privacy thing, as it cleans the browser history, temp files, any password people might leave there, protecting no only the system but users from each other. Best if you reboot after each customer leaves.

Control software. Most likely you already have some of this, but use of specialized programs to control the computers from a central server is a nice addition. That lets you control usage time, messaging and maybe log users out, lock/unlock PCs or reboot remotely. This mostly serves an informational use more than security, but worth having while possible.

Antivirus. As a last resort, putting antiviruses in computers might give little benefits. While generally those are now considered mostly ineffective and useless, from time to time they can flag malicious downloads or even phishing websites from careless users, giving some protections against online frauds. Otherwise they generally do little to protect the computer itself. Make sure you set them to auto-update their databases very frequently.


You can password protect the BIOS, and, disable the USB ports within the BIOS. Anyone has something they want to introduce, have thenm bring it to whichever employee is supervising the café at the time.

Good tip! Forgot about that completely. I would, however, not disable USBs, as the computer can be protected in other more effective ways without sacrificing functionality. Having an employee copying the files over would also risk exposing the server to a malicious device, instead of the computers that are highly secured and limited.
What I would do is to disable booting from USB and CD in the BIOS (so reboots cannot put an external OS), then password protect it.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel Core i7-740QM8 GB DDR3NVIDIA GeForce 330GT
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Sattelite A665-S6092
OS
Windows 7 Ultimate x64
CPU
Intel Core i7-740QM
Memory
8 GB DDR3
Graphics Card(s)
NVIDIA GeForce 330GT
Screen Resolution
1366x768
Hard Drives
Samsung 840 SSD 500GB
1TB USB3 external HD
Cooling
Coolermaster Notepal U3 notebook cooling pad
Internet Speed
3mbps ASDL
Antivirus
ClamWin 0.98.7
Browser
Opera 12.17 x86 (main), Firefox 38 (sec), IE11 (last resort)
I found your question very interesting and decided to read up on it, Right now I am reading Group Policy Settings for Creating a Steady State (TechNet. Microsoft)
Documents related to steady state from Microsoft
Creating a Steady State by Using Microsoft Technologies
Group Policy Settings for Creating a Steady State

What you are looking to do is set the computer up to be in kiosk mode and from the little that I have read so far you can do this in windows seven but it is hacky and not very secure if you could upgrade the computer to Windows 8 or 10 they have an easy way to set it up and is more secure. Their is also third party software to do this in Windows 7. With kiosk mode you can select what programs can run and although I have not read the whole document I am sure that you could set the USB ports to do whatever you want or don't want them to do.

If I was going to setup a computer for public use I would buy a all in one touch screen computer without a mouse or keyboard.
 

My Computer My Computer

At a glance

Microsoft Windows 7 Ultimate 32-bit 7601Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz4.00 GB(1) VNC Mirror Driver (2) Intel(R) G33/G31 Ex...
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Compac
OS
Microsoft Windows 7 Ultimate 32-bit 7601
CPU
Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz
Motherboard
MSI Boston
Memory
4.00 GB
Graphics Card(s)
(1) VNC Mirror Driver (2) Intel(R) G33/G31 Express Chipset
Sound Card
Disabled
Monitor(s) Displays
Headless
Screen Resolution
1280 x 960 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
ST3320820AS ATA Device
Keyboard
Headless
Mouse
Headless
Antivirus
Malwarebytes pro
Other Info
Also
Windows 8.1 Laptop and Desktop both Acer
You for sure want strong security in place. USBs are the least of your concerns (while certainly an attack vector). The users must have internet access, from which they can download literally anything and run in the computer, without the need of a removable device.
The best option is to harden the whole security of the system and take permissions away from the user as much as you can. After all, running a browser doesn't needs too much system access :p

A few things I would implement:

Run as standard user. There must be an user account dedicated for customers, which must of course NOT be administrator. This account thus cannot do any system-level changes, as well as remove protection mechanisms installed elsewhere. It can be set to autologin into this account. When an employee needs to perform maintenance he can simply log out and enter with a second, admin-level account or even better just use UAC to elevate what's needed. Make sure the admin account is strong enough.

AppLocker. This Windows feature limits what is allowed to run, basically letting just a few things to run and everything else just getting an error. It could be a good idea to configure it to let run the basic tools you need for your users (like browsers, games, maybe a media player, etc.), as well as the Windows normal tools and deny permissions on everything else. This works great to prevent infected USBs to run, as well as any downloaded thing. As it's "whitelist-based" approach, you need to configure it carefully for things you need, but after that it disallows any unknown thing. Infected USBs can then be safely plugged as they won't run. Only available on Ultimate, but Professional has Software Restriction Policies instead.

Firewall. It's also nice to have a firewall that only lets specific programs internet access, while blocking everything else. Few routers actually have a nice firewall, and even less have it configured to do something meaningful. A software firewall is often better at filtering out bad things. Windows firewall is a nice, built-in option, but again you must configure it to be restrictive enough to add some protection (it's mere presence does nothing, and by default Windows Firewall is almost disabled).

Imaging. Another thing to consider is to use software like Deep Freeze or similar. Those things create a backup and restore it automatically on each boot, literally "freezing" the system from changes. The added security it provides is that the computer always boot from a known-good point, undoing any potentially malicious change users might do. Also serves as a privacy thing, as it cleans the browser history, temp files, any password people might leave there, protecting no only the system but users from each other. Best if you reboot after each customer leaves.

Control software. Most likely you already have some of this, but use of specialized programs to control the computers from a central server is a nice addition. That lets you control usage time, messaging and maybe log users out, lock/unlock PCs or reboot remotely. This mostly serves an informational use more than security, but worth having while possible.

Antivirus. As a last resort, putting antiviruses in computers might give little benefits. While generally those are now considered mostly ineffective and useless, from time to time they can flag malicious downloads or even phishing websites from careless users, giving some protections against online frauds. Otherwise they generally do little to protect the computer itself. Make sure you set them to auto-update their databases very frequently.


You can password protect the BIOS, and, disable the USB ports within the BIOS. Anyone has something they want to introduce, have thenm bring it to whichever employee is supervising the café at the time.

Good tip! Forgot about that completely. I would, however, not disable USBs, as the computer can be protected in other more effective ways without sacrificing functionality. Having an employee copying the files over would also risk exposing the server to a malicious device, instead of the computers that are highly secured and limited.
What I would do is to disable booting from USB and CD in the BIOS (so reboots cannot put an external OS), then password protect it.

Thanks alot!! Ill be using your advise :)
 

My Computer My Computer

At a glance

Windows 7 64bit, Windows 8 64bits
Computer type
PC/Desktop
OS
Windows 7 64bit, Windows 8 64bits
Back
Top