User account restrictions question

[hedrex]

Hi Guys
I would have thought this is fairly straight forward but googling doesnt come up with any decent suggestions, well the ones that do seem viable are for xp pro and the machine im working on is home.

Basically my little nephew has been downloading all the usual crap 13 yr old boys download, smiley packs, wow hacks etc etc

A recent cleanup found 8 keyloggers amongst other stuff. Anyway, the issues have been resolved and ive set him up his own account so this doesnt happen again. But it could, because using his account i can still download and install anything.

things ive found online are, as i say, either for pro or are a little bit out of my league. Im quite happy tinkering round in the registry, if i know exactly what im looking for etc.

tl:dr

How do i make a limited account truly limited so the account can't install anything

Cheers guys

[bad_brain]

hm, will be hard to do that within just a single account...the easiest option might be to disallow file downloads in the browser. which browser is used?

and how is it possible that lots of malware is installed, is there no AV running?

[hpprinter100]

If its a good pc I would recommend you use VirtualBox and install a copy of windows XP and just let him go on the virtualbox.

Then you dont have to worry what he is doing to the computer.

[hedrex]

He has made all the browsers kind of inoperable tbh. Firefox just crashes when started, i think chrome was working last time i looked at it, ie seems to be what he uses, but it was riddled with toolbars etc. I could fix the firefox issue easily i know, but he doesnt stick to one browser anyway, plus if he worked out i had blocked downloads on one browser he would use the others.

We have nod32 on there i think the immunize function on spybot is up to date and sygate for firewall, but as you all know no anti virus can stop everything and especially with a persistent and inexperienced kid at the helm saying yes to anything without reading it.

As for a virtual box solution, the specs are roughly 2.4 core2, 2gb ram, bog standard 8 series nvidia card.

Ive not used that sort of software before, so i wouldnt really know where to start. Coincidentally, the last time i came here asking for help it was about virtual boxes, vmwear etc etc. Seems like i need to learn more about them.

[bad_brain]

well, virtualbox would be a very elegant way because he could keep using the virtual system as usual without the danger of causing harm to the host system...and the system specs should good enough to grant a good performance.

the only other option that can be set up without needing a lot of experience would be to set up a fresh system with everything installed he needs (but only IE as browser) and then disallow file downloads (can be done pretty easy in IE). the danger is of course that software can still be installed from CDs and USB devices and harm the system....and well, as 13 year old boy you surely have friends that download stuff for you and burn it to CD.

personally I would work with a Linux system that acts as gateway and content filter, of course the setup is nothing that can be done in a few minutes and if also needs a 2nd computer.

I have no experience with NOD32, but I can recommend Kaspersky....it is highly configurable and allows VERY strict settings that even make installs impossible.
Spybot: forget it. I've been using it too years ago, but I realized it's pointless because it only "helps" when it's too late already anyway....additionally it slows down the browsing experience a lot by bloating the hosts file.


so yes, the best candidate for you is VirtualBox I would say.

[skulldragon_001]

Kaspersky costs, you can get COMODO Internet Security for free, because it is freeware.
Learn to configure COMODO to kill everything unwanted automatically and then set a parental control password to prevent any changes to CIS configuration.
As far as I know, there's nothing that can kill CIS fully. You can crash it's configuration panel, but its engine still remains and keeps on doing its job.
NOD32 is a really bad choice! While Kaspersky and COMODO give 100% protection, the latest NOD32 gives only 6%!

And Spybot ain't really that bad. Malwarebytes' and SUPERAntiSpyware are actually even worser resource hogs and, well they do find things that Spybot can't, but Spybot can fix some rare things, that I couldn't fix with anything on the net.
Bloating the HOSTS file and lags browsing? Well, not an issue - if you don't need DNS Client service, you can disable that service. I haven't noticed any lags after that. And, well, I as a typical home user, I never yet needed DNS Client service either.

But what you need to do first: you need to format C: and reinstall your Windows, because there may be already a lot of crap that may cause a lot of trouble.

Virtalization is good only, when you DON'T have anything sensitive on Guest OS aka good for making "War Polygons".

Also, this might interest you:
http://www.faronics.com/en/Products/Dee ... orate.aspx" onclick="window.open(this.href);return false;

[bad_brain]

right Kaspersky costs money, BUT not if you are using XP and are willing to learn just a few words in german... there is a special edition of Kaspersky 7 that can be used 1 year for free with 100% functionality....and actually Kaspersky 7 is the best one anyway, the following ones were missing the awesome firewall configuration (like training mode, etc.).
sadly I can not guarantee if there might be a problem with IPs from outside of germany, if anyone is willing to try let me know.

I remember I have used the Comodo firewall years ago, and it was a really good one (configuration much like the Kaspersky 7 one), so CIS might be a good recommendation.

when not using the DNS blacklist thingy (which is bloating the hosts file), there is of course nothing wrong with using Spybot, I simply got used to configure lots of stuff manually in XP...and no software is always more resource friendly than the most lightweight one...

[lilrofl]

I don't know that anything is 100% effective, and I would equally question a 6% verdict without a little source citing. What I do know however is that Comodo killed my malware collection... completely... didn't even warn me first

[DNR]

The real solution is to set him up with his own box. Then you can just rely on reformatting and reinstalling if things get bad. And since its his box, if its down - he will learn not to fuck it up again.

restrict physical access to your machine, build a network.

DNR

[DNR]

also - if you keep your malware tools on a stick - then you should only get the malware warning when the stick is in use. This way, if you get a malware warning on your computer when the stick is NOT in use (unplugged) - you can feel better allowing it to remove or clean your computer and its not erasing your study/work tools.

DNR

[CommonStray]

wait....the "usual" downloads of a 13yr old boy are smiley packs & wow hacks?

my teen downloading habits were much more sinister and dirty....anyways

While everyone else's solutions here are viable and good a good solution to go with all that would be to teach him responsible downloading habits. This doesn't mean sitting him down and telling him he can't download what you might consider crap, it means teaching him how to go about identifying reliable and safe content to download. Because the web is so chock full of hundreds of versions of the same thing being provided by a whole slew of legit and illegit providers means that the first few Google results for a query can retrieve bad listings. And this is true for any search engine. He needs to know how to identify a legitimate content source for the things that he wants to download and use.

What can help?

Communities of people generally have the habit of saying something about a bad program if they've identified it. If the download has a user comments section to it, browse through it, if even one person says their anti-virus picked it up - don't download it.

Another thing is to be observant of the place the item is being downloaded from. Is it a filesharing host like RapidShare? Is it a repository site like SourceForge? Or is it a well designed website promoting the item with a fairly decent community surrounding it? Its important to try and find out what other people are saying about it, and equally important for him to do the same if a mistake is made - and mistakes do happen.

Who made the item? Where is the artist or developers website, and do they have an md5 checksum you can check your download against? It's always better to download a product straight from an artist or developer. Is the product is open source or free? A product that's open source being provided on another website can be a red flag (unless its an official mirror).

Warez sites, torrents and all the other miscellaneous Filesharing and P2P networks are full of baddies. If you must download something that he may have a doubt about, then you should teach him to sandbox it first. If you don't know what sandboxing is, its like taking an untested robot and putting it in an indestructable box to watch what it does before letting it run in the open. VirtualBox is an excellent free and open source Virtual Machine(sandbox) software that lets you run an operating system within your operating system.

Also, tell him what different malicious programs do and why he needs to be wary of them. This is something that's important to your home network and the privacy of others in your family using it. Security is something that starts with the user - no matter how many types of anti-virus applications or restrictions you put in place , you'll continue to have problems unless you teach responsible downloading habits.