Two separate desktops for security, or can Win7 help?

czglory

Mar 15, 2013
Hello, I am wondering if there is some way with Windows 7 security and/or user accounts to create a secure account that is safe from anything that "happens" on a different account. I.e., one computer/user account on maximum security, another that has possible security leaks like instant messaging programs, PDF readers, internet browsers, etc.

If possible, one account would have very limited programs and be safe "regardless" of what happens on the other account. If not, what is the best way to use two desktops sharing the same monitor, keyboard, mouse, headphones, etc? Is Windows 8 more secure?

Thanks
 
Hi,
Maybe installing Windows on two separate HDDs.
You can choose which one to boot from at startup.
Regarding security... hard to say. Just google for Windows 8 vs Windows 7 security. Some say it is more secure.
 

casper1973

Dec 30, 2012
My first suggestion was going to be as above - install them on 2 different hard drives in the same machine. Far more secure than 2 different user accounts but still far less secure than 2 different machines. If I have access to one instance of Windows I could easily move things over to the other drive. Some malware also propagates itself to any connected storage devices.

My second, and more secure, suggestion was going to be using 2 machines and a KVM switch.
A KVM switch is like a hub for everything to plug into. You plug your keyboard, mouse, monitor and sometimes speakers into the switch. You then plug each computer into the switch with a VGA + USB cable. You can then switch between computers using a button on the switch. This allows you to use 1 monitor, keyboard, mouse and set of speakers for 2 or more machines.

Here is a video of some guy setting up a KVM switch. It might make things more clear - http://www.youtube.com/watch?v=7AbMgv74xUw

This leaves the biggest security issue as your network. If both machines are connected to the same LAN they can interact with each other. Any interaction is a potential vulnerability and some malware can propagate over a network connection.

To combat this you could look into Access Control Lists (ACL) or putting the machines on a different subnet. I suppose you could also use firewall rules. This is something you will have to look into yourself though. It's far too complex to explain in a couple of posts.
 

czglory

Mar 15, 2013
I had never heard of a KVM switch but that sounds like a good solution, so does the dual hard drive OS boot. If I were to get Windows on two different HDDs and use them on the same machine, perhaps I could also just unplug whichever drive/user is not being used to be equally as secure? I suppose if malware went undetected and it was capable of infecting all connected drives it would still never get to the other drive, as they are never connected at the same time? If this is easy/possible, perhaps with a hotswap bay, it would be much cheaper than having to build another system just for the security and I would like to go that route.

Thank you for the responses, I am already much more comfortable with my options and it is much appreciated : )
 

czglory

Mar 15, 2013
Thanks alexoiu, to clarify: if I used two drives each with their own OS, I could hide the drives from one another so only one could be accessed at the same time? That would be perfect and seems like it would be as secure as two desktops, so long as malware couldn't find it; if this is the case I will go that route I believe.
 

casper1973

Dec 30, 2012
Yes, you could hide the drive but it's not 100% secure. I have seen infections which target the hidden 'Recovery' partition you get on most laptops. If they can reach that, theoretically they can reach any hidden drive. Admittedly this type of malware is very rare but the fact is it's a possibility.

Also if you have a standard dual-boot scenario (where you choose the OS from a list at start-up) they are both sharing the same MBR. There are plenty of MBR rootkits going around.

The hot swappable drive method would eradicate these issues though as each drive would have its own MBR and they never interact.
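
The shared-MBR concern above can be monitored from the defender's side. The following is an added example, not part of the original thread: it parses a 512-byte MBR, hashes the boot-code area and compares it with a saved baseline. The sample sectors are constructed; reading a real sector 0 needs administrator access to the raw disk device.

```python
import hashlib
import struct

SECTOR = 512  # classic MBR size in bytes

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means the slot is unused
            parts.append({"index": i, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start,
                          "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "disk_signature": sector[440:444].hex(),
            "partitions": parts}

def compare(baseline: dict, current: dict) -> list:
    """Return a list of findings; an empty list means nothing changed."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one active type-0x07 partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07,
                        b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * 48
    return (boot_code.ljust(440, b"\x00") + b"\x12\x34\x56\x78"
            + b"\x00\x00" + table + b"\x55\xaa")

if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0"))  # constructed bytes
    current = parse_mbr(build_sample_mbr(b"\xeb\x5a\x90"))   # constructed bytes
    print(compare(baseline, current) or "MBR matches baseline")
```

A check like this only means something when the baseline was taken from a known-clean install and the comparison is run from trusted media, since a rootkit active in the running OS can hide changes to sector 0.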
 

casper1973

Dec 30, 2012
Yep, a separate install on each drive is probably more than enough but that is down to czglory to decide. We don't know enough about the system to decide how secure it needs to be. He could have pictures of cats on there... hilarious pictures! That payload needs to be super secure. Or he could simply have his entire business records with bank details of 500 employees/associates. That stuff is fine, no need for security.

I'm just stating the facts and he can make the decision himself on just how secure to go.