Locking down Windows 7?

Lethal` · 28 Dec 2010 at 16:20

Right, basically every few months I'm having to spend hours removing various viruses and rootkits that my brother has managed to download on this laptop. UAC is on etc but still some programs seem to be installed, is there any software I can use to lock down the system to prevent him installing software and just use the basic features. Internet etc...

Thanks!

hohum · 28 Dec 2010 at 16:22

Create a standard user account for him to use, and put a password on your main account. He won't be able to install or run anything that requires elevation/admin rights without your password then. Failing that, chop his hands off.

Ev0 · 28 Dec 2010 at 16:27

Have his account run as a standard user is a good start.

Depending on the version of 7 you have you can also set local security policies on his account to lock things down further.

Lethal` · 28 Dec 2010 at 16:52

Yeah the account is standard user. Version is Home Premium.

Currently trying to boot windows, it's in the startup repair loop and I have no access to a PC to access the hard drive externally with.

Fire Wizard · 28 Dec 2010 at 17:04

As has already been highlighted, make sure he is using a standard user account. If he needs to perform an operation which requires administrator rights, say for instance, installing a game, it will ask for the credentials of an administrator user of the system, which he hopefully wouldn't know.

However, something to be aware of is, if you're elevating from an account which has been infected with malware, there are opportunities for it to gain administrator rights. If you would like to completely block that avenue of attack, when ever he needs to perform an administrative operation and you can verify is legitimate, switch to a dedicated administrator account to do so. This way, with the exception of security vulnerabilities, malware which may have infected the account will only ever be constrained to standard user rights. If you have suspicions that the account has been infected with malware, an easy way to clean it up is to simply delete the entire account. All though, any data which has been saved under that account will be lost.

Lethal` · 28 Dec 2010 at 17:12

Yeah, the problem is I suspect the malware has infected the MBR and therefore Windows will not boot.

I have no idea if he had gained administrator access or not, I only seem to use this laptop when I'm fixing it.

Say I had Windows 7 Professional, what sort of local security policies would I be able to apply to help here?

Mana · 28 Dec 2010 at 18:05

educating him on safer internet usage an option?

eggcup · 28 Dec 2010 at 18:15

dont let the little git use it!

Lethal` · 28 Dec 2010 at 18:28

Mana said:
educating him on safer internet usage an option?

Really doesn't work, he doesn't listen to anything.

I read before about some form of guest account which doesn't have personal directories and wipes everything clean everytime it is logged into. This would be good, if there were personal folders.