Windows vs Enikey

In response to the topic "In a room with a white ceiling . "

Introduction

In the topic , an effective solution was proposed to eliminate some problems with Enikey. Supplement and mean with their list:
  • The consequences of the work of viruses, and sometimes the consequences of the fight against viruses, lead to the state of the system in which it is "untreated" or "untreated";
  • Weak hardware or greed does not allow the use of serious anti-virus packages;
  • Errors of users or specialized programs lead to no less damage than malicious programs (the case when the program is difficult to pick up the root, but it does not work very well);
  • The system is subject to natural (for it) "littering" over time;
  • System administrator errors can lead to serious consequences (e.g. unsuccessful attempt to upgrade);
  • Lack of an automated system for backup (for example, there is Acronis, but not network);
  • and others ...


In the same place ( in the topic ), the author proposed an interesting and, of course, useful solution using the “freeze” system of the operating system's system partition with preliminary transfer of the Profile and “Program Files” to another partition. In the comment I would like to note some shortcomings.

The author writes that after installing the OS it is difficult to redirect the Profile and the “Program Files”. To solve this problem, he suggests using specialized utilities, a registry editor, and the process is complicated by rebooting from the media and changing important system files. In my opinion, it is worth considering the use of the popular utility nLite, which at the stage of creating a distribution disk image allows you to specify the future profiles folder and “Program Files” (the system will be installed immediately with the specified parameters).

Also, the author is forced to install all updates manually, because “Defrosting” the system disk is done manually by the administrator. This is completely inconvenient when the number of cars is more than, say, 20ti.
The author notes that it is advisable to use RAMDrive to store temporary folders like “Temp”, because upon rebooting, many malicious programs are destroyed along with all the data as a result of a power outage. This is a very effective way if the amount of RAM is excessive.
This topic will offer an alternative way to solve problems

Principle of operation

1. The computer boots with Windows, the default OS on Linux is changed in the bootloader config
  • if there are “tasks” from the administrator, then the task file (password-protected archive) is copied to the local disk from the “tasks” ftp server (the place where the archives are laid out by the administrator);
  • if the computer is started to complete the task, then at the very early stage of the boot, the network adapter is disconnected, the archive is unpacked and start.exe is launched (for example) to complete the task;

2. The computer boots from Linux, the default OS on Windows is changed in the bootloader config
  • if the computer at the previous start performed the administrator's task, then make a backup and mark it as the most relevant;
  • if the computer did not perform tasks at the last boot, then recover from the most current backup, mount sections with profiles, “Program Files” and check for viruses. Go to reboot.


Three-stage implementation

1. Installing Windows OS is performed from an image prepared by NLite, indicating the path to the profiles folder and “Program Files”.
* Before installation, you need to create two partitions: for the Windows system partition, for Profiles and “Program Files”.
2. Installing the Linux OS (I used Debian Lenny in a minimal build):
  • It is proposed to create an additional (for convenience) section on the disk where backups will be stored (the file system should not be supported by Windows, this will make it impossible to simply modify images / backups);
  • Grub is recommended to be installed on a partition dedicated to it (It is important that you can change the config for both Windows and Linux).

3. Adding scripts:
  • a program is added to Windows startup that changes the default operating system on Linux in the Grub’s config (it’s convenient to prepare the exe’s using BatchToExe from the bat, this will add functionality without programming knowledge with little blood);
  • in the "startup" Linux add a script to modify the Grub config to start Windows by default;
  • creation of other supporting scripts at the discretion of the administrator.


In my opinion, the most suspicious is the placement of Grub on the FAT partition (after all, the config can be changed unauthorized). The fact is that I just don’t remember how I forced Grab to conditionally run the OS. But it’s not difficult for habrozhiteli to be implemented differently ... for example, it would be more reasonable to use Grub2, and to implement the OS switcher in the hornbeam itself.

In this topic, an idea is formulated that has been successfully implemented in two companies. For us it was a salvation, because machines weak and active antivirus packages could not be used. If someone is interested in receiving more detailed information or clarifying specific implementations, then you are welcome to comment.

! In no case, this decision does not remove the obligation to correctly configure the OS, adequate assignment of user rights, etc. etc.

Also popular now: