Windows 7 Public Access Computer project  
intro
11:45 AM EDT 5/11/10
To All,

I have been working on a process to secure Windows 7 (Enterprise or Ultimate editions) public access computers using Microsoft virtual hard drives and group policy. I made significant headway with the process, but the decision was made to utilize a commercial product for locking down our organization's PACs. So, I'm left with a body of work that has great potential but is incomplete. I would like to propose a group project to complete work on the process collaboratively, then open up the resulting process for the community as a way around the "Windows 7 Steady State" quandary.

I have some of the documentation worked out and the idea is as follows:

Install Windows 7 on a single partition

Using Windows 7 (e/u) create a VHD (Virtual Hard Drive) file(s)

Using Windows 7 (e/u) create a Difference Disk using diskpart

Using BCD modify the boot order options so the newly created difference disk is the default boot option

(This is the part I don't have worked out and definitely need help with.)
Using VHD mounting switches or scripting, have the differencing disk discard all changes on dismount/reboot, or copy and rename VHD file(s) that the difference disks refer to a copy of the "master" VHD file

The idea is that the original VHD file is the "master" and presumably write protected. A differently named copy of the "master" is then made and is referenced by the difference disk boot options and will be the active operating system during each session. Using VHD switches to discard changes or scripting, another copy is made of the master during each session and will be renamed to the appropriate difference disk reference for the next session, and the current difference disk file is deleted (this is the bit where group input will help).

Simply put, the desktop is always running a fresh copy of the master VHD file, so that any user changes, malware, or viruses become less of a risk. Additionally, any major updates or changes can be handled by updating a "master" VHD file once and copying it to the client machines.

I think if we can complete this process, the loss of Steady State functionality in Windows 7 can be dealt with by group policy (either local or domain) and using VHD boot options.

Thank you,
David Sullivan
david.sullivan@lib.de.us
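
An added example, not part of David's post or his attached document: one way the VHD, differencing disk and BCD steps above could be scripted in PowerShell. The file paths, the boot entry description and the choice to run the reset from the physical Windows 7 install (the child VHD cannot be deleted while the machine is booted from it) are assumptions.

```powershell
# Constructed paths (assumptions). Run elevated from the physical Windows 7
# install, not from inside the VHD session that is being reset.
$Master = 'C:\VHD\master.vhd'    # golden image, never booted directly
$Diff   = 'C:\VHD\session.vhd'   # differencing child that patrons boot

function New-SessionDisk {
    # Write-protect the parent: a differencing disk is only valid while
    # its parent stays unchanged.
    Set-ItemProperty -Path $Master -Name IsReadOnly -Value $true
    # Deleting the child discards everything written during past sessions.
    if (Test-Path $Diff) { Remove-Item $Diff -Force }
    $script = Join-Path $env:TEMP 'new-diff.txt'
    "create vdisk file=`"$Diff`" parent=`"$Master`"" |
        Out-File -FilePath $script -Encoding ASCII
    diskpart /s $script | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Diff)) {
        throw "diskpart could not create $Diff"
    }
}

function Set-SessionBootEntry {
    # bcdedit addresses a VHD as vhd=[C:]\path\file.vhd
    $target = 'vhd=' + ($Diff -replace '^([A-Za-z]:)', '[$1]')
    $out = bcdedit /copy '{current}' /d 'PAC session (VHD)' | Out-String
    if ($out -notmatch '\{[0-9a-fA-F-]{36}\}') {
        throw "bcdedit /copy failed: $out"
    }
    $id = $Matches[0]
    bcdedit /set $id device $target   | Out-Null
    bcdedit /set $id osdevice $target | Out-Null
    bcdedit /set $id detecthal on     | Out-Null
    bcdedit /default $id              | Out-Null   # boot the child by default
    return $id
}

New-SessionDisk
# Create the boot entry once; later resets only need New-SessionDisk.
if (-not ((bcdedit /enum all | Out-String) -match 'PAC session \(VHD\)')) {
    Set-SessionBootEntry
}
```

Because the child is tied to the exact state of its parent, replacing the master with an updated image means running `New-SessionDisk` again on each client before the next patron session.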
RE: intro
12:49 PM EDT 5/11/10 as a reply to David Sullivan.
Thank you, David, for your introduction and for launching this excellent project!

I have to confess that you're in tech territory that's completely foreign to me (aside from the fact that I do know that Steady State isn't an option with Windows 7) but I'm happy to be here to help your group leverage the WJ tools for collaboration as you build out the documentation. The WJ User Guide has helpful tips on how to post documents and discussions: http://www.webjunction.org/membercenter/userguide

I encourage you all to use both the document and discussion tabs to share and discuss. I suggest that you add version numbers to the updated documents you post as a means of version control. Or there is also a WJ wiki that is available for members to use: http://wiki.webjunctionworks.org/index.php.

I'm happy to help however I can!

Thanks again, David, for sharing the work you've already done on this and for spearheading the group.
RE: intro
2:20 PM EDT 5/11/10 as a reply to David Sullivan.
As Jen suggested, I am submitting the first revised copy of my document.
I added an additional assumption at the beginning:
**** This document assumes a Windows 7 Enterprise/Ultimate SINGLE partition basic installation
Attachments: VHD Diff disk procedure rev1 .doc (35.5k)