Secure Computer For Child Use

[G-Stress]

Hey guys, I'm in the process of getting an 8 year old a laptop and I want to make sure it's being used securely and safely. I play with group policy a little bit and I'm learning. I'm curious though, how would one of you guys secure a machine for a child to prevent installation of software, block adult content sites, etc?

I've played with SteadyState and it's nice, but a bit buggy. It became more of a hassle then a admin tool.

What I'm thinking is setting up a domain and joining that laptop to the domain with applied domain policy and to block things such as cmd.exe and control panel. I pretty much want to only allow internet access, but safe. As I'm typing that I just remembered OpenDNS is pretty good as far as the safe browsing.

Another thing is, if I join it to the domain and create a policy, say away from home at school or at a friends house she uses the laptop or someone else even and the user tried to do something that required admin privileges or malicious, when logging back onto the laptop and onto the domain does it somehow "sync" reports of usage?

I haven't gotten that far yet in this trainsignal course I'm doing. That's one thing that confuses me about company issued laptops how they can log onto the computer when away from the domain controller and with no internet connection.

[Mr-Protocol]

Here is something I found that deals with Windows 7.

http://windows.microsoft.com/en-US/Windows7/Looking-for-web-filtering-and-activity-reports-in-Windows-Parental-Controls

[Infiltrator]

Hey guys, I'm in the process of getting an 8 year old a laptop and I want to make sure it's being used securely and safely. I play with group policy a little bit and I'm learning. I'm curious though, how would one of you guys secure a machine for a child to prevent installation of software, block adult content sites, etc?

Group policy is certainly a good solution for locking things down, while the workstation/laptop is attached to the domain. Once the laptop is off the domain, and if the person somehow finds out the local administrator account password, the group police will no longer have effect on the machine itself.

To ensure, your child can't install software, you will need to create an user account with limited access, also just limiting the privileges on the account itself, its not enough, anyone with a live CD can reset the local administrator account password on that computer, you will also need to disable the option that allows CD or USB booting in the BIOS.

Restricting access to certain websites, is not difficult, you could setup a proxy server in your DC with Squid, or change your router's DNS settings to the OpenDNS one. You will need to sign up with OpenDNS, so that you specify what websites to block.

Edited August 8, 2012 by Infiltrator

[digip]

I recently bought my child an aspire one. She is only six but is a bit advanced in her school studies. She uses it only for summer school stuff, and her school has a study program setup for students to keep her going all summer long. I setup the PC as normal with all my programs I wanted installed for all users, browsers, etc and locked down what needed to be. Then I created a new user with limited privileges for her account only. She can't logon as admin. I then log on as her and configure everything else that needs to be set and secured. When she is online, we only give her an hour or two at a time, just for the school website, and we monitor what she is doing the whole time. If she wants to play on something like Nick Jr, she has to ask us and isn't allowed to browse the web (nor really knows how to at this point). We use OpenDNS in the house as well, and I have a custom hosts file on there that blocks a lot of sites already, so not a whole lot she can do we can't see and we don't leave her alone with the machine at any time.

Its not so much of what you put on the machine to secure them, its if you have the time and patience to keep an eye on them really. When she gets older, I will probably edit the hosts file to restrict her even more from being able to reach specific sites that teens use, like Facebook and Myspace, etc, but for now, we just spend that time with her usually to make sure she isn't clicking or visiting anything she shouldn't be.

Kids are getting to be smart enough though to know how to evade roadblocks if not monitored in their usage, and they will pick things up from other kids they know on how to get around stuff you put in place. If you truly want your child locked down, try OpenDNS and set up filters for what can be allowed onto your network, but it would kind of do the same for everyone in the house if done via the router's DNS settings and an OpenDNS account for your external IP, which isn't always ideal, but you can restrict any domain, certain protocols and even use site ratings you want to allow/disallow. Unless they can change the OpenDNS settings on your network or the machine, they are pretty much are stuck unless they learn about tunnels and VPN's by which point, you won't be able to keep them from the internet without just taking away the laptop.

At some point, you just have to allow them to learn on their own, but that doesn't mean free reign access to whatever they want. I don't think they make a product though that a kid hasn't figured out how to bypass, so being involved as much as you can without stepping on their own privacy needs with friends is a balancing act I think every parent struggles with. Its not like they make a kids only internet.

Edited August 8, 2012 by digip

[G-Stress]

Thanks alot guys. I think I will go with OpenDNS per her machine, because that does work well. Now I've heard about squid and thought about playing with it so that will be something new to me and useful. I'm not too concerned with anyone using a liveCD to boot off of, I can just disable that in the bios. My main concerns were safety and security.

I really like what digip has done, that seems pretty useful for child use. Now another thing I thought about is, what if I were to setup the laptop to where it would need to be logged onto the domain via a vpn in order to access the internet so all the traffic was routed through the domain or some proxy behind it?

She would just have a simple shortcut on the desktop to connect to that once she has connected to the internet via wireless or wired. Would that be overkill? A

@ digip

What are you using to monitor the machine with? I don't really want to put no keylogger or nothing that will report as a trojan/backdoor. I want to keep it as clean as possible while also providing privacy. I'm hoping to find something that is "friendly" on the eyes and a nice gui would be sweet. I don't care to much for looking through numerous txt file's.

I tried that Microsoft Family Safety and didn't like it too well. I wonder if it's changed any, I might throw it in a VM and play with it again.

This is a challenge and a learning process I think for us parents, because alot of stuff we learn via trial an error they are now teaching in high school.

[Infiltrator]

Now another thing I thought about is, what if I were to setup the laptop to where it would need to be logged onto the domain via a vpn in order to access the internet so all the traffic was routed through the domain or some proxy behind it?

She would just have a simple shortcut on the desktop to connect to that once she has connected to the internet via wireless or wired. Would that be overkill? A

That isn't a bad idea, but kids are a lot smarter and they learn things a lot quicker than us. Even though, a VPN is good for securing the channel between the client and the server side, it would be a bit slow, additionally, she could just not choose to use the VPN at all and just use the normal internet connection (eg school, or public). Thus bypassing any restriction you have put in place.

[digip]

Squid is nice because you can require a parent to type the proxies password to gain internet access, and use it to filter whatever you want at the same time based on how you setup squid. Set the Browser to use the proxy by default, and depending how you set squid up, should promote them for a username and password to reach the internet. Thats what we had setup at work(although I was not part of the setup process, you would have to figure that end out on your own).

Right now, the only thing we use for monitoring, is either my wife or myself. We stay with her while she is working on the laptop, and she has no access to it without one of us there. She is only six, and still learning just to use computers in general so needs us half the time when she doesn't know how to turn up the volume and things like that, and she has no clue what google is or anything outside what sites we've put in for her to use.

Her home page is set to her school site, and she knows how to logon to that, and we don't let her do anything else but school work & occasionally nickjr or the disney site, like club penguin or tinkerbell. The most she gets to do outside of that, is occasionally skype to her cousin who lives out of state and they enjoy seeing each other on video so they can chat, and thats done with one of us in the room as well as my sister-in-law who keeps an eye on her kids when we let them chat.

Shes not given free reign yet over what shes allowed to play with or access yet and when she is done school work, we pack it back up in its box and put it away, so we're pretty comfortable just being in the room and keeping an eye on her at this point. Being a limited user, she can't really do anything to harm the machine for the most part anyway, and to install anything would require admin access. If I was really paranoid, I could use something like Deep Freeze, to keep the system partition intact, and would come back to the same state after every reboot, so if by some change she managed to get a virus(highly unlikely but not impossible) after a reboot, everything would be back to the same state. Not that she couldn't get hacked, but unless her school site gets targeted I think shes going to be ok for now. =)

[hexophrenic]

Low(er) tech, but I just use K9 web protection on the machines in the house the kids use. I also use OpenDNS for botnet and malware protection, but nothing for categorization/filtering otherwise.

[potato]

DNS Blocking doesn't work, your child can just download firefox portable and change the DNS servers that Firefox uses. Although there is a way of blocking portable browsers from running, my school did this. I think its done with a few group policys but IDK.

Edited August 10, 2012 by cscash241

[G-Stress]

I think I may play with squid, as much as I've heard about and as beneficial as it may be. Would it play nice for what I'm wanting in a VM or would a dedicated box be better?

I've used K9 before also. If I remember right it was free and it did do a pretty good job. I forgot about that though so thanks for the reminder, it may come in handy.

[G-Stress]

@cscash241

I plan on blocking her ability to change any of those settings as well as blocking control panel.

[G-Stress]

A friend of mine just messaged me telling me that her son (11) has been trying to look at adult content on her iphone. If possible I would also like suggestions on blocking adult content for that as well. I'm sure there is probably apps out there and all, I haven't looked yet. I just figured I would mention that being at some point I will be looking to do the same when I get my child a cell phone.

[potato]

A friend of mine just messaged me telling me that her son (11) has been trying to look at adult content on her iphone. If possible I would also like suggestions on blocking adult content for that as well. I'm sure there is probably apps out there and all, I haven't looked yet. I just figured I would mention that being at some point I will be looking to do the same when I get my child a cell phone.

Some gsm/cdma service providers can block adult content for you