Unruly user does dangerous things...

[Guest]

I'm rebuilding a WinXP Home (SP2) for a friend of my sister who needs to run
web-based email and maintain updates for WinXP, AdAware, AntiVir, SpybotSD,
Spyware Blaster and Windows Defender (probably ZoneAlarm as well).

I've convinced him to let me assign him a limited account on his computer,
while I retain an Administrator logon, due to the numerous viral and malware
infections he has sustained by careless surfing, others using his system and
absolute lack of any OS updates or patches.

I would like for him to have access to perform these updates, and if
possible, I would prefer to automate the update process to occurr without his
involvement. However, he's on dial-up and has an extremely dusty home where
it's better that he shut his PC down when not in use. It's a Dell Dimension
4400 (in case that matters).

Is there a way have the system power up at 3AM (or so), download updates for
all the above items, and shut back down? I could set this up under my
Administrator account if necessary. If automated, i would need to have log
files produced, which preferrably would be automatically emailed to me.

Or, is there a way I can use Group Policy Editor (or similar) to give him
access to manually update these packages? Could I get an auto-generated
email to verify his compliance?

Keeping in mind this is WinXP Home, I am not sure any of this can be done.
Please advise... I thank you in advance for any suggestions, ideas or
possible solutionis!

--Tom

 

[Guest]

No, XP Home doesn't support limited accounts.

For general surfing and email, I'd install Firefox and Thunderbird (or
Mozilla suite) and disable OE/IE. That will take care of most of the attack
vectors.

I'd then think in terms of making a 'recovery disc' using Ghost or Drive
Image so it can be reinstated easily if it does get broken.

Automatic Updates.. well, from my experience they don't help all that much,
there are so many vulnerabilities in XP that they can't keep up with them
anyway. Main thing is to use secure email and web clients, and install
self-updating antivirus, and a better firewall. That should cover most
attack-routes.

Other point is that for broadband, an Ethernet router is much more secure
than a USB modem. Since they cost very little now, it's folly not to have
one.

If you want to keep an eye on the computer you could install VNC. (privacy
considerations aside) If so, set the firewall (and router if present) to
allow inbound connections from your IP only to port 5900.

 

[Guest]

Thank you Ian for your reply. I should point out I have already set up
a limited account in WinXP Home, and switched him over to Yahoo! for
email. My concern about doing this was whether he'd be able to update
the anti-malware apps. Switching him to another browser is not an
option because he still can't handle double-clicking the mouse to
follow a hyperlink (please pray for my soul!) -- I'd never get a moment
of peace if I changed his browser (and may not, yet!). I wouldn't even
mess with this project except I'm trying to bail-out my sister who
tried to help him with bad anti-malware and express installs of WinUpdt,
which made things much worse than they already were. She thought she
could 'clean' an extremely hosed system back to functionality -- she's
learning... and she does have great potential.

The recovery disc option is a great idea, but does not address the
need to stay current with updates. As I said, this guy has big trouble
mousing and refuses to play Solitaire -- even though I've explained to
him time and again why he should do that. I'm not sure I trust him to
insert a CD-ROM. However, I am planning to set him up with automated
backups using Task Scheduler and NT Backup. For this I need a means to
power the system on and back off -- unattended (tall order, I know...).

I'm also slipstreaming SP2 (his Dell is several years old) and possibly
the 'useful' updates (ones that don't break the system) since SP2 was
released, if I can figure out how to do so... I'm still researching.
This way I can rebuild his system a lot easier than this 'go-round'.

I don't like AutoUpdt either, since most of the 'breaks' I have
encountered in WinXP came from installing those MS updates!

As far as a better firewall, he was running nothing previously so
ZoneAlarm should definitely be an improvement. He still hasn't paid me
back for the hard drive I had to order to replace the crappy Maxtor
which was dropping sectors, and has no money to spend on security.

Also, being in an extremely rural section of southern West Virginia,
there is no cable or DSL -- or other broadband option (save satellite,
which because of cost and latency issues, is not an option). He and my
sister both are stuck on dial-up until there's enough people on the
mountain to sign a petition to prod the local telco to put in a
repeater office to be able to offer DSL this far out. I'm thinking of
calling the power company to ask them about Powerline DSL, if I can
ever get *this* project done.

I hope this is enough detail without going overboard. My questions at
this point are:

1. Can I schedule power on and off to get updates daily, and how?
[I'm trying to keep the PC guts from looking like a vacuum
bag by instructing him to NOT leave the system running all
the time.]

2. If I cannot schedule power cycling, and if the limited account
in WinXP prevents him from making changes (applying updates),
how can I set up an exception to permit update activities?

3. Failing 1 & 2 (above) as viable options, I guess the only
remaining option is to move his PC to a cleaner space and leave
it powered on all the time. I would like to have him set up to
automatically dial in and download all the updates starting at
3AM, and disable the automatic update feature in all apps --
being on dial-up is extremely annoying to try to work and
download simultaneously, and some apps don't leave any useable
bandwidth when downloading. Anybody have other ideas?

4. Within the limitations of dial-up (changing IP address), is there
a way to generate a unified report of all download logs each day
and email that report to myself? I know he cannot follow screen
prompts and God knows he'd have an aneurysm trying to deal with
a "virus found" message on his screen.

5. Should a problem arise, can I access his system remotely while
still providing security from malicious hackers? Is the remote
desktop feature in WinXP secure and robust enough to be useful?

6. What is this 'VNC' you mentioned? What does it do and how does
it work? (Virtual Netowrk Connection??? -- just a guess...)

To make matters worse, I'm laid-up with a broken leg (which is why I
don't want to be driving over there -- AND he makes me NUTZZZO. Plus,
having just gone back on Lithium, I'm having a really hard time
staying awake and alert.

I thank you in advance for your time and attention. All ideas and
suggestions are greatly appreciated! And hopefully, this 'cry for
help' isn't nearly as painful for you as it is proving to be for me (grin).
--Tom