How can I protect my internet cafe from infected flash drives etc...


  1. Posts : 20
    Windows 7 64bit, Windows 8 64bits
       #1


    So my buddies and I recently opened a small internet cafe; we're now getting started. I was wondering how we will protect the systems on our network from infected flash drives, micro SD, etc. that people will want to use on the computers. We have AVG Antivirus on all of our systems and the firewall the router came with, but I'm still not quite sure as yet. Is there any program you guys can recommend that will scan USB drives as they are plugged in?


  2. Posts : 143
    Windows 7 Home Premium 64 bit
       #2

    You can password protect the BIOS and disable the USB ports within the BIOS. If anyone has something they want to introduce, have them bring it to whichever employee is supervising the café at the time.

    (However, 360TS certainly autoscans inserted USB drives, as do most AV's these days, most likely.)


  3. Posts : 2,465
    Windows 7 Ultimate x64
       #3

    You for sure want strong security in place. USBs are the least of your concerns (while certainly an attack vector). The users must have internet access, from which they can download literally anything and run it on the computer, without the need of a removable device.
    The best option is to harden the whole security of the system and take permissions away from the user as much as you can. After all, running a browser doesn't need too much system access.

    A few things I would implement:

    Run as standard user. There must be a user account dedicated for customers, which must of course NOT be administrator. This account thus cannot make any system-level changes or remove protection mechanisms installed elsewhere. It can be set to autologin into this account. When an employee needs to perform maintenance he can simply log out and enter with a second, admin-level account or, even better, just use UAC to elevate what's needed. Make sure the admin account is strong enough.

    AppLocker. This Windows feature limits what is allowed to run, basically letting just a few things run and everything else just getting an error. It could be a good idea to configure it to allow the basic tools you need for your users (like browsers, games, maybe a media player, etc.), as well as the normal Windows tools, and deny permissions on everything else. This works great to prevent infected USBs from running, as well as any downloaded thing. As it's a "whitelist-based" approach, you need to configure it carefully for the things you need, but after that it disallows any unknown thing. Infected USBs can then be safely plugged in as they won't run. Only available on Ultimate, but Professional has Software Restriction Policies instead.

    Firewall. It's also nice to have a firewall that only lets specific programs have internet access, while blocking everything else. Few routers actually have a nice firewall, and even fewer have it configured to do something meaningful. A software firewall is often better at filtering out bad things. Windows Firewall is a nice, built-in option, but again you must configure it to be restrictive enough to add some protection (its mere presence does nothing, and by default Windows Firewall is almost disabled).

    Imaging. Another thing to consider is to use software like Deep Freeze or similar. Those things create a backup and restore it automatically on each boot, literally "freezing" the system from changes. The added security it provides is that the computer always boots from a known-good point, undoing any potentially malicious change users might make. It also serves as a privacy thing, as it cleans the browser history, temp files, and any passwords people might leave there, protecting not only the system but users from each other. Best if you reboot after each customer leaves.

    Control software. Most likely you already have some of this, but use of specialized programs to control the computers from a central server is a nice addition. That lets you control usage time, messaging and maybe log users out, lock/unlock PCs or reboot remotely. This mostly serves an informational use more than security, but worth having while possible.

    Antivirus. As a last resort, putting antiviruses on computers might give little benefit. While generally those are now considered mostly ineffective and useless, from time to time they can flag malicious downloads or even phishing websites from careless users, giving some protection against online fraud. Otherwise they generally do little to protect the computer itself. Make sure you set them to auto-update their databases very frequently.


    mdd1963 said:
    You can password protect the BIOS and disable the USB ports within the BIOS. If anyone has something they want to introduce, have them bring it to whichever employee is supervising the café at the time.
    Good tip! Forgot about that completely. I would, however, not disable USBs, as the computer can be protected in other more effective ways without sacrificing functionality. Having an employee copying the files over would also risk exposing the server to a malicious device, instead of the computers that are highly secured and limited.
    What I would do is to disable booting from USB and CD in the BIOS (so reboots cannot put an external OS), then password protect it.
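
The AppLocker allowlist described in post #3, as an added example that is not part of the original thread: it writes a minimal policy in audit mode, checks it against a built-in program and a constructed "downloaded" file without applying it, then applies it and reads the audit log. The file names are hypothetical, and on Windows 7 the editions noted in the post apply.

```powershell
# Added example: dry-run an AppLocker allowlist before turning enforcement on.
Import-Module AppLocker                                 # required on PowerShell 2.0 (Windows 7)
$policyPath = Join-Path $env:TEMP 'cafe-applocker.xml'  # hypothetical file name
$ids = 1..3 | ForEach-Object { [guid]::NewGuid() }      # fresh rule Ids

# S-1-1-0 = Everyone, S-1-5-32-544 = local Administrators.
# AuditOnly logs what would be blocked without blocking it yet.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$($ids[0])" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[1])" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[2])" Name="Allow everything for admins" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8

# Constructed sample: a copy of notepad.exe placed where a download would land.
$sample = Join-Path $env:TEMP 'downloaded-sample.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $sample -Force

# Evaluate the policy file for a non-admin user without applying it.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", $sample |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# When the results look right, apply from an elevated prompt.
# This replaces the existing local AppLocker policy.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config AppIDSvc start= auto | Out-Null   # rules are only evaluated while this service runs
Start-Service AppIDSvc

# Event 8003 = "would have been blocked" while in AuditOnly mode.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } | Select-Object TimeCreated, Message
```

Once the audit log shows only programs that should be blocked, change `EnforcementMode` to `Enabled` in the XML and apply the policy again.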


  4. Posts : 399
    Microsoft Windows 7 Ultimate 32-bit 7601
       #4

    I found your question very interesting and decided to read up on it. Right now I am reading Group Policy Settings for Creating a Steady State (TechNet. Microsoft)
    Documents related to steady state from Microsoft
    Creating a Steady State by Using Microsoft Technologies
    Group Policy Settings for Creating a Steady State

    What you are looking to do is set the computer up to be in kiosk mode, and from the little that I have read so far you can do this in Windows 7, but it is hacky and not very secure. If you could upgrade the computer to Windows 8 or 10, they have an easy way to set it up and it is more secure. There is also third-party software to do this in Windows 7. With kiosk mode you can select what programs can run, and although I have not read the whole document, I am sure that you could set the USB ports to do whatever you want or don't want them to do.

    If I was going to set up a computer for public use I would buy an all-in-one touch screen computer without a mouse or keyboard.


  5. Posts : 20
    Windows 7 64bit, Windows 8 64bits
    Thread Starter
       #5

    Alejandro85 said:
    You for sure want strong security in place. USBs are the least of your concerns (while certainly an attack vector). The users must have internet access, from which they can download literally anything and run it on the computer, without the need of a removable device.
    The best option is to harden the whole security of the system and take permissions away from the user as much as you can. After all, running a browser doesn't need too much system access.

    A few things I would implement:

    Run as standard user. There must be a user account dedicated for customers, which must of course NOT be administrator. This account thus cannot make any system-level changes or remove protection mechanisms installed elsewhere. It can be set to autologin into this account. When an employee needs to perform maintenance he can simply log out and enter with a second, admin-level account or, even better, just use UAC to elevate what's needed. Make sure the admin account is strong enough.

    AppLocker. This Windows feature limits what is allowed to run, basically letting just a few things run and everything else just getting an error. It could be a good idea to configure it to allow the basic tools you need for your users (like browsers, games, maybe a media player, etc.), as well as the normal Windows tools, and deny permissions on everything else. This works great to prevent infected USBs from running, as well as any downloaded thing. As it's a "whitelist-based" approach, you need to configure it carefully for the things you need, but after that it disallows any unknown thing. Infected USBs can then be safely plugged in as they won't run. Only available on Ultimate, but Professional has Software Restriction Policies instead.

    Firewall. It's also nice to have a firewall that only lets specific programs have internet access, while blocking everything else. Few routers actually have a nice firewall, and even fewer have it configured to do something meaningful. A software firewall is often better at filtering out bad things. Windows Firewall is a nice, built-in option, but again you must configure it to be restrictive enough to add some protection (its mere presence does nothing, and by default Windows Firewall is almost disabled).

    Imaging. Another thing to consider is to use software like Deep Freeze or similar. Those things create a backup and restore it automatically on each boot, literally "freezing" the system from changes. The added security it provides is that the computer always boots from a known-good point, undoing any potentially malicious change users might make. It also serves as a privacy thing, as it cleans the browser history, temp files, and any passwords people might leave there, protecting not only the system but users from each other. Best if you reboot after each customer leaves.

    Control software. Most likely you already have some of this, but use of specialized programs to control the computers from a central server is a nice addition. That lets you control usage time, messaging and maybe log users out, lock/unlock PCs or reboot remotely. This mostly serves an informational use more than security, but worth having while possible.

    Antivirus. As a last resort, putting antiviruses on computers might give little benefit. While generally those are now considered mostly ineffective and useless, from time to time they can flag malicious downloads or even phishing websites from careless users, giving some protection against online fraud. Otherwise they generally do little to protect the computer itself. Make sure you set them to auto-update their databases very frequently.


    mdd1963 said:
    You can password protect the BIOS and disable the USB ports within the BIOS. If anyone has something they want to introduce, have them bring it to whichever employee is supervising the café at the time.
    Good tip! Forgot about that completely. I would, however, not disable USBs, as the computer can be protected in other more effective ways without sacrificing functionality. Having an employee copying the files over would also risk exposing the server to a malicious device, instead of the computers that are highly secured and limited.
    What I would do is to disable booting from USB and CD in the BIOS (so reboots cannot put an external OS), then password protect it.
    Thanks a lot!! I'll be using your advice :)