A short note on my experience automating Windows workstation recovery.
Introduction
One of the jobs I currently hold is looking after a small fleet of computers at a private firm. The company is in retail: warehouses, a couple of supermarkets with three or four checkouts each, and four small shops. The users are the usual mix: accounting, cashiers, management. The computers (45 in total) are spread across geographically distant sites, and some programs (not all) need administrative rights for a variety of reasons. That is simply how it grew historically; not the point. The network architecture and the management policy of all these sites can be described in one word: hodgepodge. But I am a newcomer; I cannot and do not want to change the existing system.
Formulation of the problem
It is quite clear that all of this is gradually being destroyed by assorted trojans and viruses, the most powerful, merciless and unpredictable of which has DNA slightly different from yours or mine. Running an EXE straight out of an e-mail flagged as SPAM is among the more innocent of their activities. Everyone is on the Internet, of course (except the checkouts). Persuasion and public floggings do not help at all; explaining the term "office plankton" had no effect whatsoever. Some of the ladies are especially energetic. Something radical has to be done; driving out to reinstall the OS by hand after every incident is not an option. On top of that there is practically no budget: the entire budget is whatever can be saved by cancelling the KAV (Kaspersky Anti-Virus) subscription. And I absolutely cannot be pulled away from my main job; this is only a part-time one.
Measures taken
Much of the rest is obvious. For ordinary users Windows is frozen with Deep Freeze, bought in the required number of licences (the utility has already been described on Habr); it gives you a pristine OS after every reboot and, most importantly, saves on antivirus, firewalls and hardware upgrades. A similar program could be used instead; it is a matter of taste. For the servers, regular system disk images are taken. I moved mail to Google Apps with the trayos.com client, since GMail protects itself from viruses very well. With the workstations, however, there are a number of problems, listed below in order of increasing difficulty.
First, after a reboot My Documents, the Desktop and Favorites are lost. This is easy to treat: My Documents can simply be moved to another drive, and the Desktop and Favorites are just as easily pointed elsewhere in the registry (the User Shell Folders key under HKEY_CURRENT_USER). Favorites, it later turned out, were not needed at all. It is important not to relocate the entire user profile, only what is genuinely required and which by its nature cannot take part in autostart; otherwise the benefit of freezing Windows is lost with the first virus.
Secondly, a number of programs are tightly bound to the profile. Chrome, for example, starts updating itself immediately after every reboot, restores the user profile from its site and performs other indecencies. With Opera it is even worse: the last profile is simply lost, and that is that. Portable builds exist, of course, but as a rule the browser's updater does not work in them, and the goal is for the administrator to be unnecessary for as long as possible (ideally, after the initial setup, not needed at all). Browsers are only the example; in practice there are many more such programs.
In this case all disks are converted to NTFS and the most troublesome directories are moved out of the profile onto the neighbouring logical drive. Finally, those same directories are put back in their original place as NTFS junction points: in FAR Manager that is Alt+F6, though there are of course more modern tools (mklink /J on Vista and later, or Sysinternals junction.exe).
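An added example (not the author's script) that carries out the two previous steps for one user from Windows Script Host: redirect the shell folders through the registry, move everything else to the data drive and put a junction in its place. It assumes D:\Profile as the thawed destination, %USERPROFILE% as the profile root, mklink /J for the junction (Vista and later; on XP use FAR's Alt+F6 or Sysinternals junction.exe for that step) and an Opera profile under Application Data\Opera as the sample non-shell folder; the plan is built first so it can be reviewed before anything is moved:

```javascript
// Added example, not the author's own script: relocating profile folders
// out of the frozen C: drive, for Windows Script Host (cscript relocate.js).
// Assumptions: the thawed data drive is D:, the profile lives at
// %USERPROFILE%, and "mklink /J" is available (Vista or later; on XP create
// the junction with FAR's Alt+F6 or Sysinternals junction.exe instead).

// Folders Windows itself can redirect through the registry; everything else
// is put back in place with a junction.
var SHELL_FOLDER_VALUES = { "My Documents": "Personal", "Desktop": "Desktop", "Favorites": "Favorites" };
var USER_SHELL_FOLDERS = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\";

// Describe the work without touching the machine, so it can be reviewed first.
function planRelocation(profileDir, dataRoot, folders) {
  var steps = [];
  for (var i = 0; i < folders.length; i++) {
    var name = folders[i];
    var src = profileDir + "\\" + name;   // original place inside the frozen profile
    var dst = dataRoot + "\\" + name;     // new home on the thawed drive
    steps.push({ op: "move", from: src, to: dst });
    if (SHELL_FOLDER_VALUES[name]) {
      steps.push({ op: "reg", key: USER_SHELL_FOLDERS + SHELL_FOLDER_VALUES[name], value: dst });
    } else {
      steps.push({ op: "junction", from: src, to: dst,
                   cmd: 'cmd /c mklink /J "' + src + '" "' + dst + '"' });
    }
  }
  return steps;
}

// FileSystemObject.CreateFolder is not recursive; create each missing level.
function ensureFolder(fso, path) {
  var parts = path.split("\\"), cur = parts[0];   // parts[0] is the drive, e.g. "D:"
  for (var i = 1; i < parts.length; i++) {
    cur += "\\" + parts[i];
    if (!fso.FolderExists(cur)) fso.CreateFolder(cur);
  }
}

// Execute the plan. sh is a WScript.Shell, fso a Scripting.FileSystemObject.
function applyRelocation(steps, sh, fso) {
  for (var i = 0; i < steps.length; i++) {
    var s = steps[i];
    if (s.op === "move") {
      ensureFolder(fso, s.to.substring(0, s.to.lastIndexOf("\\")));
      fso.CopyFolder(s.from, s.to);      // copy first so a failure leaves the original intact
      fso.DeleteFolder(s.from, true);    // the junction needs the old path to be free
    } else if (s.op === "reg") {
      sh.RegWrite(s.key, s.value, "REG_EXPAND_SZ");
    } else if (s.op === "junction") {
      if (sh.Run(s.cmd, 0, true) !== 0) {  // hidden window, wait, check mklink's exit code
        throw new Error("mklink failed for " + s.from);
      }
    }
  }
}

// Entry point under cscript/wscript; the folder list is the assumed sample.
function relocateCurrentUser() {
  var sh = WScript.CreateObject("WScript.Shell");
  var fso = WScript.CreateObject("Scripting.FileSystemObject");
  var profile = sh.ExpandEnvironmentStrings("%USERPROFILE%");
  var plan = planRelocation(profile, "D:\\Profile",
                            ["My Documents", "Desktop", "Favorites", "Application Data\\Opera"]);
  applyRelocation(plan, sh, fso);
}

if (typeof WScript !== "undefined") relocateCurrentUser();   // only under Windows Script Host
```

Run it once as the user, before freezing the system drive, and keep D: thawed; the plan/apply split also lets you print the steps (or feed fake Shell and FileSystemObject objects) to check paths before a single folder is moved.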
Thirdly, the nastiest problem: programs that have to run as administrator. There are only twelve of them, all home-grown, and their authors are impossible to find. The main abomination of these handicrafts is that they talk to the server under admin rights. Rewriting them or retraining the users is not an option; it would be easier to quit on the spot.
So we need RunAs, but not the ordinary kind: our office-plankton user must not type the administrator password at every launch and, ideally, should not know it at all. The solution turned up in a completely unexpected (for me, at least) place: JavaScript, or more precisely JScript run by Windows Script Host.
Create a file start.js with the following content:
var prg = "runas /user:Login c:\\path\\filename.exe"; // Login is the admin account; backslashes are doubled in JS strings
var WshShell = WScript.CreateObject("WScript.Shell");
WshShell.Run(prg, 1);   // opens the runas console window, which prompts for the password
WScript.Sleep(250);     // give the prompt time to appear: SendKeys types into the foreground window, whatever it is
WshShell.SendKeys("p"); // the password is typed one character at a time
WshShell.SendKeys("a"); // the characters + ^ % ~ ( ) { } [ ] are special to SendKeys and must be wrapped in braces, e.g. "{+}"
WshShell.SendKeys("s");
WshShell.SendKeys("s");
WshShell.SendKeys("w");
WshShell.SendKeys("o");
WshShell.SendKeys("r");
WshShell.SendKeys("d");
WshShell.SendKeys("{.}");   // "." is not special, so "{.}" and "." are equivalent
WshShell.SendKeys("{ENTER}");
Since this is JS, the first line may use single quotes, which is handy when the path contains spaces and therefore needs double quotes of its own:
var prg = 'runas /user:Login "c:\\path\\filename.exe"';
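The same trick with the password escaped for SendKeys and the path always quoted, written as an added example for Windows Script Host rather than copied from the post. The account name Login, the path, the password "password." and the 250 ms wait are placeholders, and the Shell and WScript objects are passed in as parameters so the logic can also be exercised outside WSH:

```javascript
// Added example, not the author's start.js: runas with a SendKeys-safe
// password and a quoted exe path, for Windows Script Host (cscript start.js).
// Account, path, password and delay below are placeholders.

// SendKeys treats + ^ % ~ ( ) { } as commands and asks for [ ] to be braced
// as well; wrap each such character in braces so it is typed literally.
function escapeSendKeys(text) {
  var out = "";
  for (var i = 0; i < text.length; i++) {
    var ch = text.charAt(i);
    out += ("+^%~(){}[]".indexOf(ch) >= 0) ? "{" + ch + "}" : ch;
  }
  return out;
}

// Build the runas command line; the path is always quoted so spaces survive.
function runasCommand(account, exePath) {
  return 'runas /user:' + account + ' "' + exePath + '"';
}

// Start the program and type the password into the runas prompt.
// sh is a WScript.Shell and wsh the WScript object (injected so the function
// can be driven by fakes). Returns the keystroke string that was sent.
function launchAsAdmin(sh, wsh, account, exePath, password, waitMs) {
  sh.Run(runasCommand(account, exePath), 1);   // runas opens a console and asks for the password
  wsh.Sleep(waitMs);                           // SendKeys goes to the foreground window: if the prompt is slow
                                               // or the user clicks elsewhere, the password lands in that window
  var keys = escapeSendKeys(password) + "{ENTER}";
  sh.SendKeys(keys);                           // one call is enough; per-character calls change nothing
  return keys;
}

if (typeof WScript !== "undefined") {          // running under cscript/wscript
  launchAsAdmin(WScript.CreateObject("WScript.Shell"), WScript,
                "Login", "c:\\path\\filename.exe", "password.", 250);
}
```

The password is still a cleartext string inside the file; escaping only keeps characters such as "+" or "(" from being interpreted as keystroke commands and silently truncating what reaches the prompt.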
Next, run the resulting code through dean.edwards.name/packer or a similar tool, which gives:
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('9 4="b /j:l c:\\\\6\\\\7.8";9 0=3.e("3.f");0.g(4,1);3.h(i);0.2("p");0.2("a");0.2("5");0.2("5");0.2("m");0.2("o");0.2("n");0.2("d");0.2("{.}");0.2("{q}");',27,27,'WshShell||SendKeys|WScript|prg|s|path|filename|exe|var||runas|||CreateObject|Shell|Run|Sleep|250|user|ar|Login|w|r|||ENTER'.split('|'),0,{}))
It remains to place this JS file in the desired directory and make a launch shortcut for it. For extra safety you could fiddle with NTFS permissions so that the cunning plankton cannot pick the password out of the file (bearing in mind that the account which launches the script must be able to read it), but in my case that was not needed: plenty of people know the admin password anyway. The JS obfuscation is done more for the elegance of the solution and, to a small degree, to hide the password from stray trojans; it is not real protection, since the packed script is unpacked by anyone who replaces the eval with a print. That is all; what is left is to clean up and defragment the system, then apply Deep Freeze and hand the machine over to the user.
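To see why the packing is not protection, here is an added example (not from the post) that undoes it: PACKED is the packed start.js from above (account Login, password "password."), and the script recovers the source and the typed password without ever running the runas command.

```javascript
// Added example, not part of the original post: unpacking a dean.edwards
// packer blob to recover the password. PACKED is the packed start.js shown
// above (placeholders: account "Login", password "password."). Run with node.
const PACKED = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('9 4="b /j:l c:\\\\6\\\\7.8";9 0=3.e("3.f");0.g(4,1);3.h(i);0.2("p");0.2("a");0.2("5");0.2("5");0.2("m");0.2("o");0.2("n");0.2("d");0.2("{.}");0.2("{q}");',27,27,'WshShell||SendKeys|WScript|prg|s|path|filename|exe|var||runas|||CreateObject|Shell|Run|Sleep|250|user|ar|Login|w|r|||ENTER'.split('|'),0,{}))`;

// A packed file has the shape eval(<decoder>(<args>)): the decoder returns the
// original source as a string and eval then runs it. Strip the eval and keep
// the string instead of executing it.
function unpack(packed) {
  const body = packed.trim().replace(/^eval\(/, "").replace(/\)\s*;?$/, "");
  return Function("return " + body)();   // exactly what the victim runs, minus the eval
}

// Collect the SendKeys arguments in order, turn "{x}" back into "x" and drop
// named keys such as {ENTER}; what remains is what was typed into the prompt.
function recoverPassword(source) {
  const keys = [];
  const re = /SendKeys\("([^"]*)"\)/g;
  let m;
  while ((m = re.exec(source)) !== null) keys.push(m[1]);
  return keys.join("").replace(/\{(.)\}/g, "$1").replace(/\{[A-Z]+\}/g, "");
}

if (typeof require !== "undefined" && require.main === module) {
  const src = unpack(PACKED);
  console.log(src);
  console.log("typed into the runas prompt:", recoverPassword(src));
}
```

The decoder is part of the file, so no secret is involved; a trojan that reads the script can do the same, and browser developer tools or any JavaScript beautifier will do it interactively.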
Summary
The measures described are certainly trivial, but in combination they have proven very effective. Half a year has passed, everything is running normally, and the workstations do not even have viruses on the data disk; I scanned them recently out of curiosity. Only the two servers remain, and things are not so smooth there yet: they need attention weekly, but that too is being worked on.
02/10/2011 Results of the discussion
There are free alternatives for freezing, SteadyState and Comodo Time Machine, and instead of RunAs the MS Application Compatibility Toolkit or the admilink utility come in handy. Thanks to everyone who shared their opinions.