OT: Inhibiting persistent changes to a workstation

Hi,

Well, today I was formally told that W7 will be installed on these machines (see "OT: Disk 'imaging' SW" thread).

*And*, I've been asked to set up 10 machines in a "lab" for students to "drop in", as needed. [For the record, I don't run W7 so have only casual experience with it and its capabilities]

This has got to be an even bigger nightmare to deal with! Bobby comes in at noon and changes something on machine X. Mary comes in at 4PM and "discovers" those changes, much to her chagrin.

(The clientele number ~1000 so creating accounts for each student is just not realistic)

So, I'm looking for something that will "discard" any changes made to a system (W7) after a login session terminates.

How effective is "PC Safeguard" in this regard? Is it worth pursuing a 3rd party product, instead (e.g., "DeepFreeze")? Any other suggestions?

[Again, I *really* want to keep myself out of the maintenance loop. So, should be able to make the sorts of "normal" changes to such a system without fear of them being "discarded" at the end of the session]

Thx,

--don

Don Y

On Saturday, 28 September 2013 at 04:59:07 UTC+2, Don Y wrote:

don't they each have separate logins?

-Lasse

Lasse Langwadt Christensen


No. The machines are intended to be for use by "anyone" (instead of having to administer ~1000 logins). I.e., Joe Student may *never* avail himself of any of these "lab" machines -- while Mary Student may opt to do her homework there each evening!

So, I envision a "guest" or "student" account ("Guest" may have special significance to Windows?) that allows them to surf the web (research), type up reports (saving them to a personal thumb drive), etc.

And, once they leave, there is no sign that they were ever there!

[This is how the machines at the local library work. I will be inquiring there as well]

Don Y

I remember at my old school they had something which would reset the HD to a pristine state after every reboot. Had some benefits, but most students can't read the signs that say not to save anything on the drive, as it will be lost.

I can't remember the name of it now, and it was part hardware and part software if I recall.

Daniel Pitts

Our local library follows this "everything discarded on reboot" (and, they force a reboot whenever you "log out"). People don't seem to have a problem remembering to copy stuff onto "external media". Rather, they tend to *forget* to unplug those devices and take them as they depart! :-/

With modern OS's, there should be no need for any hardware in the loop.

E.g., I can run apps in a sandbox and get this behavior. What I want is for the entire login session to be sandboxed!

Don Y

School library had machines with BlackIce on them.

Tim

--
Deep Friar: a very philosophical monk. 
Website: http://seventransistorlabs.com 
Tim Williams

Isn't this what cloud servers are for? Students could access their personal stuff from anywhere???

mike

I use the Windows "Enhanced Write Filter" (EWF) on XPe machines running off of compact flash to make them stateless: the boot medium is write-inhibited with "changes" written to a RAM cache.

It looks like some folks are using it successfully with Windows 7

Downside: it's "boot" based not "login" based. It's also possible to disable EWF, make changes, and re-enable EWF. That's good, making it possible to upgrade/modify the base system but, of course, it's also vulnerable to hacking if somebody really wanted to get at it.

Rich Webb
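
The overlay behaviour described in the post above (writes diverted to a RAM cache, dropped at boot, with a disable/modify/re-enable path for maintenance), modelled as an added example that is not part of the thread and not EWF's actual interface. The class and method names are hypothetical, the filter toggle takes effect immediately for simplicity, and the sample blocks are constructed.

```python
import hashlib


class WriteFilteredDisk:
    """Toy boot medium: writes go to a RAM overlay while the filter is on."""

    def __init__(self, base_blocks):
        self._base = dict(base_blocks)  # protected volume
        self._overlay = {}              # RAM cache for diverted writes
        self.enabled = True

    def read(self, block):
        # The overlay wins, so a session sees its own (temporary) changes.
        return self._overlay.get(block, self._base.get(block))

    def write(self, block, data):
        target = self._overlay if self.enabled else self._base
        target[block] = data

    def set_filter(self, enabled, is_admin):
        # Toggling the filter is the one operation that must stay privileged.
        if not is_admin:
            raise PermissionError("only an administrator may toggle the filter")
        self.enabled = enabled

    def reboot(self):
        """Drop the overlay; return the blocks whose changes were discarded."""
        discarded = sorted(self._overlay)
        self._overlay.clear()
        return discarded

    def base_digest(self):
        """Hash of the protected volume, for comparison with a recorded baseline."""
        h = hashlib.sha256()
        for block in sorted(self._base):
            data = self._base[block]
            h.update(block.to_bytes(8, "big") + len(data).to_bytes(8, "big") + data)
        return h.hexdigest()


def demo():
    disk = WriteFilteredDisk({0: b"bootloader", 1: b"hosts: clean"})  # constructed
    known_good = disk.base_digest()
    disk.write(1, b"hosts: tampered")          # change made during a session
    in_session, discarded = disk.read(1), disk.reboot()
    intact = disk.read(1) == b"hosts: clean" and disk.base_digest() == known_good
    disk.set_filter(False, is_admin=True)      # maintenance window
    disk.write(0, b"bootloader v2")
    disk.set_filter(True, is_admin=True)
    disk.reboot()
    drift = disk.base_digest() != known_good   # persistent change shows up here
    return in_session, discarded, intact, drift


if __name__ == "__main__":
    print(demo())
```

The digest comparison is the check worth keeping on a real deployment: any change that survives a reboot was made while the filter was off, so the baseline should only ever move after a known maintenance window.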

Thanks, I'll look for it. First attempt turned up no pertinent hits...

Don Y

They still need machines *at* the "anywhere". And, have to hope the services provided in the cloud are compatible with whatever their school system requires.

E.g., some schools, here, equip each student with a *Mac*. Others expect students to supply their own *PC*. Are the cloud services compatible with which? neither??

[And I thought I had it bad when teachers insisted on certain colors of *ink*... or, prohibited certain types of *paper*! Sheesh, do they declare what *typefaces* and point sizes students have to use, nowadays??]

Don Y

This must be similar to how the various sandboxes are implemented: intercept the writes and divert them elsewhere (RAM or a chunk of disk set aside for this purpose).

So, it's not something "Administrator" controlled? I.e., could I create an unprivileged "Student" user and enforce this on his actions -- while letting a privileged user avoid it entirely?

Don Y

Google for "Kiosk Software". Lots of available packages (that cost money). I did a series of car wash computers (so the customers don't get bored watching their car get washed). The local library and skool computah lab have similar software to keep their computahs from getting trashed by the kids. Type in a password, and you can do updates. Reboot after each session is another common feature. Remote desktop is another useful feature. Most vendors have educational discounts.

Microsoft had free kiosk software for XP and Vista called "Windows SteadyState", but didn't update it for Win7 or Win8. I used SteadyState for the car wash computers:

Configuring Your Own Kiosk Machine

How to Setup Windows Vista and 7 as a Kiosk

How to Build an Internet Kiosk

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Jeff Liebermann

That's the way it's normally done with kiosk software. Type in a password and you effectively bypass the restrictions. That's needed for installing updates and new software. Same idea with "parental control" software.

I don't recall the package name, but I ran into a problem with printers and kiosk software. The default user privileges did not include controlling the printer. Some user queued up hundreds of pages of printing before he realized that sitting on P was a bad idea. However, he wasn't allowed to cancel his own print jobs. I couldn't do anything without the admin password which the local high priest refused to provide. The workstation was down until he showed up a few days later. What was needed were several levels of user privileges.

Also, you can't just deploy and run. The local (Scotts Valley) KMart tried that and failed. They contracted with some kiosk provider to supply 8 Dell GX620 computers with XP and kiosk software and internet access for the store. It was a big draw for people checking their email and comparison shopping. However, KMart didn't bother with a maintenance contract, leaving the machines to free run. One by one, they slowly destroyed themselves over a period of about a year. Hard disk failures were the major culprit, but malware from hijacked web sites was an equally bad problem. For example, major updates to Microsoft Security Essentials required user interaction, which wasn't available without admin access to bypass the kiosk software. (I guess MS isn't interested in unattended computers). I tried to take over service of the machines, but got mired in Sears/Kmart/vendor politics. The bottom line is that someone has to be responsible for keeping the machines updated, running, and clean.

Incidentally, another screwup that I precipitated was not bothering to do an image backup of the kiosk machine. Reloading everything from scratch using saved config files was theoretically simple, but took many hours to deal with the myriad of updates. The only way that seemed practical was to have a spare machine available.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Jeff Liebermann

Oh... because I recalled the wrong metaphor. I meant:

formatting link

Tim

--
Deep Friar: a very philosophical monk. 
Website: http://seventransistorlabs.com
Tim Williams

Something else that comes to mind: might be able to write-protect the OS drive and put all user data on a RAM drive. Computer shuts down, ppht, it's gone.

Tim

--
Deep Friar: a very philosophical monk. 
Website: http://seventransistorlabs.com 
Tim Williams

I mistakenly thought that a school could set up their own cloud servers and deal with compatibility any way they choose???

mike

A *school* can do whatever they want, I guess.

In my case, I have to set up 10 PC's running Win7 (because has decided that this is what the students that they are servicing need/use). But, do it in such a way that Jimmy's use of the machine doesn't impact Betty's use later.

[To be clear, this "lab" is not at/for a particular school and is probably used by kids from many different schools. That seems a safe bet as their clientele number ~1000]

Don Y

Ah, OK. I had referenced that in my original post. But, have no first-hand experience with it.

Presumably, *yours* is only as a "user"? I.e., no idea what lies behind the curtain?

Don Y

I expect there to be a single physical drive so I'd have to create an OS partition and a "User" partition. And, ensure the paging file resided on the User partition, etc.

Not sure what *other* things that might involve. E.g., I think the registry needs to be writable -- even the user's portion of the hive. Yet you would want those changes to be "undone" on logout.

Nor do I know how it would react if the user tried to save something where he shouldn't (error? panic??)

MS is always a PITA. Too much hidden detail. I figured someone (company) would have invested the necessary time to figure out all these details and just provide "me" with a turnkey solution -- that doesn't require an IT department to maintain! (I.e., I have no idea how much work it takes to keep the local library's systems running)

Don Y

Depends on School District/Education Authority/etc. If IT services have been contracted out or internal. Depends if they have centralised servers and login credentials or not.

Have seen in UK schools with all sorts of setups.

Could just be ONE school, in UK secondary schools (11 to 18 year olds) have a typical number of students of 1000 to 1500 pupils for EACH school.

--
Paul Carpenter          | paul@pcserviceselectronics.co.uk 
    PC Services 
Paul
