It’s no secret that I have a strong preference for Apple software and hardware. Originally a victim of the 3rd generation iPod halo effect, I’ve slowly replaced nearly all my computing hardware with Apple equivalents over the years. When you switch to a Mac running OS X from a PC running some flavor of Windows, your computing habits undergo a strange transformation: you spend more time using your computer, and almost no time maintaining your computer.
Most Windows users outside of a corporate environment with someone managing their computers for them have what could best be described as a maintenance ritual, where various animals are sacrificed alongside the spyware/virus scanning and removal process in hopes that they don’t have to make an emergency call to Geek Squad. (Not to mention defragmenting, registry sweeping, near-daily Windows updates, and everything else.) With a Mac I can actually focus on the project I’m working on or whatever I’m using my computer for and not have to worry about anything else.
Because of this, I, like most Mac OS X users, have slowly developed a disdain for Windows as a whole which grows closer and closer to raw hatred with every phone call received from someone asking how to fix (insert random Windows problem here). Unfortunately, especially for someone like myself who is recognized as the “computer guy” by literally hundreds of people I know personally and professionally, it is impossible to escape Windows problems.
So imagine my surprise when I discovered how unbelievably awesome Microsoft’s SteadyState is for Windows XP.
The problem small businesses have, and probably always will have, is immense corner-cutting in any IT-related area of their business. When you have a small office with under a dozen employees, you’re almost never going to have an IT “staff” by any means, or even a support contract with a local computer repair business. Instead, most small business IT infrastructures are administered by some college punk that someone there knows who gets defaulted into the role of “computer guy.” This poor sap gets paid next to nothing and knows little more than how to accurately search for something in Google and kludge through whatever solution the internet suggests.
The problem starts with the original purchasing of the PCs. I think I can count on one hand the number of offices I’ve been to where their users are using something more than the absolute cheapest bottom-end sub-$300 Dell PC with CRT monitor included, running Windows XP Home secured with the Dell Security Suite powered by McAfee. The problem isn’t with the hardware as much as it is with the mentality of “OK, how little can we spend” instead of “OK, how little can we spend to do things right.”
Inevitably the entire office network will be brought to its knees by one or more people downloading mystery email attachments, visiting malicious websites, or better yet, willfully installing obvious spyware because they absolutely cannot go another day using a computer without a woodland waterfalls screen saver. This will almost always happen within the first year, but more often than not within the first six months of upgrading to $300 Dell internet-ready PCs. The temptation to open every possible email attachment and install programs which display the weather in the system tray is practically irresistible for most Windows users.
So what solutions are there? The best would be to set all of the local users up on a domain with Active Directory. This requires both a substantial software and hardware investment. All the PCs would need to be upgraded to Windows XP Professional to log on to the Active Directory server, along with the actual server software (and hardware) itself. Since the entire network would be practically useless if the Active Directory server is down, the server would also require redundancy, an uninterruptible power source, and a data backup system. On top of all this, you would need someone qualified to administer the Active Directory server and set up all the clients, since it is undoubtedly out of the realm of knowledge of the “computer guy” we talked about earlier.
Other options to explore are the various high-end hardware devices which go in between the users and the internet to filter out malicious traffic. These feature-rich firewalls and web proxies don’t come cheap, and do nothing for the existing problem of having an office network which was rendered useless by virus and spyware infestations. On the other hand, decent client-side software exists that could be installed on every PC, would have a similar function, and probably would be cheaper than a hardware appliance, especially in a situation with a dozen users. Again this does nothing for our existing problem, and once a machine is compromised, prevention software is generally rendered ineffective.
The open source route always exists, and gets five stars for remote administration potential… but without the specific Windows and Office interface that everyone is familiar with, implementing an entirely new user interface would without a doubt create a mountain of problems all stemming from things like KDE/Gnome not looking like Windows and OpenOffice having different icons. Most people I’ve worked with can barely deal with the interface change between Internet Explorer 6 and Internet Explorer 7. I cringe thinking about what would happen if I pulled the Windows rug out from under your average office employee and replaced it with Ubuntu.
This leaves us with reformatting the office computers and re-installing a fresh copy of Windows to ensure the complete elimination of spyware and virus threats, and restricting Windows features to the point of simply not allowing users to do things which would harm their computer. That is exactly where Microsoft SteadyState comes in.
SteadyState allows us to restrict Windows users in a similar fashion to Active Directory, without requiring any additional hardware or software since all the security is handled on the individual PC, and better yet, it’s a free download for anyone with an authentic copy of any flavor of Windows XP. It even features reassuring icons with lots of locks like the one to the left, pictures of happy users like the one to the right, and Ron Popeil’s famous slogan, “Set it and forget it,” on the “What is it?” page.
SteadyState allows us to restrict absolutely every avenue malicious software has for getting onto a computer. Currently, the clients I have running this only have access to Internet Explorer with a small white list of accessible sites and the Microsoft Office Suite. Explorer right-clicking is disabled, all of the Microsoft Office security holes that allow for things to be opened/executed are disabled, and the only drive accessible by the user is the D:\ partition, which thanks to NTFS does not grant execute privileges, so even if the user was somehow able to download/copy a program, they wouldn’t be able to run it. As an extra measure of security, SteadyState itself will only allow users to execute programs found inside of C:\Program Files\ and C:\Windows\.
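The D:\ arrangement above only holds as long as the NTFS ACL on that partition actually withholds the execute right from ordinary users, so it is worth checking rather than assuming. The PowerShell script below is an added example, not code from the original post or from SteadyState; it assumes PowerShell with Get-Acl is installed on the box and that the restricted accounts belong to the groups listed in $Identities.

```powershell
# Added example (not from the original post or from SteadyState).
# Audits whether restricted users hold the NTFS ExecuteFile right on the
# data partition, the property the D:\ setup above depends on.
# Assumptions: PowerShell with Get-Acl is available; restricted accounts
# are members of the groups in $Identities (adjust for your environment).
param(
    [string]$Path = 'D:\',
    [string[]]$Identities = @('BUILTIN\Users', 'Everyone',
                              'NT AUTHORITY\Authenticated Users')
)

$ExecBit    = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
$ObjInherit = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit

function Test-ExecuteAllowed {
    param([string]$Path, [string[]]$Identities)
    $acl = Get-Acl -Path $Path
    $allowed = $false
    foreach ($ace in $acl.Access) {
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        # Only entries that propagate to files decide whether a file can run;
        # a container-only entry governs folder traversal, not execution.
        if (([int]$ace.InheritanceFlags -band $ObjInherit) -eq 0) { continue }
        # FullControl, Modify and ReadAndExecute all include the ExecuteFile
        # bit. Generic-right entries (large raw integers) are not decoded here.
        if (([int]$ace.FileSystemRights -band $ExecBit) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # deny wins
        $allowed = $true
    }
    return $allowed
}

if (Test-ExecuteAllowed -Path $Path -Identities $Identities) {
    Write-Host "WARNING: restricted users can execute files under $Path"
    exit 1
}
Write-Host "OK: no execute right for restricted users under $Path"
```

Run it again after any of the unlock/relock cycles described later in the post, since re-enabling restrictions is exactly when an inherited ACE tends to slip back in.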
On top of that, at 3:00 AM it automatically handles all Windows updates and Windows Defender definitions, and offers support for the execution of additional updates done through a custom batch file I wrote. (Useful for updating anti-virus definitions if your anti-virus program is not supported by Windows’ built-in updater.) In addition, entire user profiles can be locked to prevent any permanent changes to any settings.
But probably the coolest feature is the built-in hard drive protection. In a situation where a user was able to circumvent the various SteadyState security measures and installed something on the C:\ drive or modified their user profile somehow, all it takes is a reboot to completely and automatically revert all the changes. With hard drive protection enabled, Windows creates a cache file with all the modifications to any file on the C:\ partition; only by logging on with an Administrator account can you commit these changes. Otherwise, they’re all lost. I was skeptical at first, so one of the first tests I did when I was fooling around with SteadyState to see if it worked how I wanted it to was visit the absolute most Windows-unfriendly web sites on the internet.
With nothing more than Windows XP Service Pack 2 and Microsoft SteadyState installed, I went to Google and searched for things like “free adobe photoshop”, “download warez”, “spyware help” and a bunch of other queries which had me winding up on sites that had me downloading file after file, ActiveX controls, and other random browser plugins. I gladly clicked “yes” and “install” to everything that popped up. It only took about ten minutes for my test computer to be rendered completely useless. I rebooted, and it was good as new. There wasn’t even a trace of any of the malicious software I had installed, the registry keys that the software had edited/created, or the additional browser bars it spawned. I was pretty amazed; the only negative to the hard drive protection is the significant increase in load time to get to the Windows desktop… but once you’re at the desktop, it’s all smooth sailing.
The major caveat with Windows SteadyState is that I’m putting an awful lot of faith in Microsoft to keep their product secure. It has never made sense to me why they would develop entire applications like Windows Defender and now Microsoft SteadyState instead of just fixing the various inherent security flaws Windows has always had. But, either way, I’m cautiously optimistic about Windows SteadyState keeping the eight computers I installed it on over the weekend working well for quite some time.
The main downside to Microsoft SteadyState is the sheer amount of mind-numbingly long reboots it requires to configure. Once the hard drive protection has been enabled, the only account which can make any changes is the Administrator. Adding a new default printer to a SteadyState protected PC involves:
- Log out current user and reboot the PC.
- Log in to the Administrator account by pressing CTRL+ALT+DELETE twice on the Welcome screen.
- Wait six years for the desktop to load.
- Open Windows SteadyState.
- Disable hard drive protection.
- Open user profile.
- Unlock profile.
- Remove all security restrictions which involve accessing the start menu, modifying system settings, adding printers, and changing defaults.
- Save user profile.
- Reboot.
- Log in to the user we just unrestricted.
- Wait another six years for the desktop to load.
- Add printer.
- Set printer to default printer.
- Test to verify we can print to the printer and programs are recognizing it by default, to avoid having to repeat this process if for some reason the changes didn’t take.
- Log out.
- Reboot.
- Log in to the Administrator account by pressing CTRL+ALT+DELETE twice on the Welcome screen.
- Yet again wait six years for the desktop to load.
- Open Windows SteadyState.
- Open user profile.
- Re-enable all security restrictions.
- Lock user profile.
- Save user profile.
- Re-enable hard drive protection.
- Reboot.
- When asked, confirm that you would like the changes you made to the C:\ drive to be permanent.
- Windows reboots and commits the changes to the hard drive.
- When the changes are saved, the computer reboots again.
- Log in to user on welcome screen.
- Reflect upon how much of your life you’ve wasted waiting for the desktop to load.
- Check and make sure all the changes stuck and the new printer you added works once the user account is restricted.
- Success.
Thirty-three steps. To add a printer.
Like I said though, I’m cautiously optimistic that Microsoft’s SteadyState will solve the problem of small business network security. We’ll see how long the PCs I configured make it before getting completely destroyed. Instead of fixing the glaring security holes Windows has, SteadyState simply does not allow the user to access said holes. It’s interesting logic from a security standpoint.
We’ll see how long it lasts.
July 25th, 2007 at 12:17 pm
Wow. A highly technical blog entry. I’m…fascinated.
December 16th, 2007 at 10:20 pm
Sir,
Do you have any idea how to add an “Unrestricted Partition” in Steady State User Profile?
Thank you.
January 14th, 2008 at 7:52 am
Any updates as per how these computers held up?