Make sure the VM has no write access to anything outside it's own space.

I have a test VM for examining things set up this way--it's got *READ* access to most of my data storage but no write access anywhere other than it's own volume and when testing things in it I normally have it's internet access turned off besides. If something goes wrong I just restore the backup.

That's a good idea. That should solve most of my concerns.

You can turn off the windows network client if you can use a network printer or print server and not have to use windows printer sharing.

I didn't know that. Yes, all my printers are network printers. Does turning off the network client effect internet access?

Or as I suggested, a separate USFF (Ultra-small-form-factor) PC with a KVM switch. The Intel NUC is a whopping 31 cubic inches (Chassis Dimension: 4.59" x 4.41" x 1.55") and will VESA mount to the back of the monitor, velcro onto the wall, or sit happily on the back corner of most towers. The basic (Celeron) model is very cheap, although it's bare-bones: you need to add a minimal amount of RAM, a small SSD, and a power cord. The whole thing is under $300 with the Celeron, a little over $400 with the i3.

I can understand not wanting to spend the money, but the space is smaller than a hardback novel, and there are some nice inexpensive HDMI KVM switches where the mechanism takes up a couple of cubic inches (and no surface space) inline with the cabling.

I know that unbinding the client and server services from the network interface doesn't effect internet access -- in the days before built-in firewalls, I did so routinely. I don't think disabling the service entirely will be a problem, either.

Xen and ESX definitely do; we use both very heavily at work.

For KVM, VirtualBox, VMWare Workstation/Player, and other similar ones, you can set up a virtual NIC with tagging that is then attached to the guest system in bridged mode (this is what Xen does under the skin, actually.) In some of the cases you can also use a NAT-mode virtual NIC with a software firewall on the host machine, no VLANs needed, although that would not protect you on the limited allowed outgoing ports.

Assuming everything will stay 100% secure on the other systems is a dangerous bet -- especially with Windows, and the fact that he's doing some file sharing.

Segregating trusted and untrusted traffic, either via VLAN, or better yet, physically segregating the untrusted LAN, is a good idea.

No separate user logins??? The "switch user" feature in current versions of Windows is a good thing; my wife is reasonably technical, and she still gets separate logins.

...and I'm guessing requiring a reboot between her use and your use would take too much time? Otherwise, her use could be in a VM on a standalone hypervisor, and your use could be on bare metal. It's not hard to set up dual-boot.

I wasn't suggesting you use it...

I don't care for it either, but something a bit more locked-down might be a good thing for someone like your wife who is managing to malware-up Windows. (Ditto a version of Linux focused on end-user usability.)

If you don't feel like paying Apple for the privilege, it's not exactly hard to avoid it and run their OS on commodity hardware. :D

It's not that much more expensive anymore; the Mac Mini is about half again more expensive than the i3 NUC, but that's hardly apples-to-apples comparison.

Hence my suggestion of a KVM. If your space is truly so small you can't find space for a USFF machine on the scale of the NUC or Mac Mini, well, that's a tiny space indeed, but I can't imagine it.

A mid-tower is a whole lot bigger than a USFF machine, and if the KVM adds an appreciable amount of space, you've got a bulky professional one not a nice simple two-machine model that should be no bigger than a deck of cards with two cables sticking out of it.

Does she use any Windows applications other than a browser? Ubuntu (or ChromeOS, which is basically just a very cut down version of Linux) is pretty dead easy at the sit-down-and-pull-up-a-browser level.

It sounds like you're trying to do stuff that's a good deal more complicated than set-it-and-forget-it machines that someone does browsing on, and maybe some light office tasks (assuming LibreOffice and/or Calligra is an adequate replacement for Office.) In that sense, GUIs are fungible. But this one isn't for the power-user, it's for the dangerous non-technical one.

(Linux, and potentially in some cases, the MacOS, may be a non-starter if the videos she's watching online are DRMed.)

That's a good reason to use a VM, regardless of what OS it runs on (and per

Sure, if she picks up the wrong malware. But the an awfully large group of malware out there is still the "trojan horse" kind that depends on the user letting something run that they oughtn't, and a fair chunk of that WILL be caught by running in a non-privileged account. Probably no longer a majority of it (or of all malware) -- although prior to Win 7 catching on, it was.

Yes, but . . . I've got to draw the line somewhere between security and convenience. My primary computer is a true general purpose machine -- I might be surfing while rendering audio while watching my Slingbox. When security gets to the point that I can't really work the way I like, well, that's my line. That's why I have 2 NASes for backup, along with the off-site backup server. In 30 years of personal computing, the recent incident was the first and only time I've encountered malware that got past my defenses and actually caused some problems. It's a risk/benefit analysis, and I'm willing to incur some risk as long as my critical data remains safe.

Separate log-ins won't give me protection against rootkits and malware that can infect other machines over the LAN. The problem isn't my wife mucking around in the machine where she shouldn't, but clicking on the wrong thing on a website or, for that matter, just visiting the wrong website. She uses FireFox exclusively, and I'm pretty happy with my new installation of WebRoot, which seems pretty effective.

Yep. She'll jump on if I go out of the room for a cigarette or some more coffee.

I'm not at all familiar with hypervisors -- I had to look up the term. They seem to be environments that run virtual machines. Is that right? If so, I guess I don't see the difference between running a VM under hypervisor and running one under Win7 (other than the latter is free and the former isn't. :)).

Understood.

BTW, thank you, everyone, for taking the time to make suggestions. I'm just a dilettante when it comes to computer systems and I really appreciate the advice from the pros.

The problem with Linux is actually my problem with Linux. I'm conversant enough with the Windows OS to have a fair idea of what's going on under the hood, and how to make it do what I want. Linux is another story altogether. As I've mentioned, I've worked in it before, but I'm not comfortable doing so because I really don't have the knowledge or experience to use it confidently.

Sure, but there's that money thing again. :) I also really don't like the OS. My writing partner uses Macs and, whenever I work with her at her house, I always kid her about how a "real computer" wouldn't have any problems doing what she wants to do. Seriously, though, though I enjoy playing with machines, I expect them to do real work and a fair amount of what I do either involves specialized hardware/software combinations (for music work), specialized software (for video editing), etc. I read the audio and video forums and there are just too many problems with MacOS versions of these tools that simply don't exist in the PC versions. I think the main reason Macs persist in the creative fields is because Mac had a significant head start in these areas. Now, there's nothing a Mac can do that a PC can't, and for less money, with more choice of software and hardware tools, and far fewer problems.

Frankly, for what my wife does, an i3 would be overkill. I've got an old P4 box that, aside from taking forever to boot up, would work just fine.

It's not so much that it's a tiny space, as a fully loaded one. Our second bedroom houses my desk on which sits my primary computer,along with a USB DAC, a KRG room equalizer, two 8" near-field monitors and a film scanner, three monitors (one of them a 37"), two filing cabinets, two keyboards, my music computer which has two 24" monitors, a pseudo-rack that houses the two NASes, a thin client that I use as a VNC and FTP server, another thin client that is a phone server for a MagicJack. There's also a wide-carriage photo printer, a color laser printer, another inkjet printer for printing CDs, a scanner, a UPS, a bunch of bins for cables, a rolling file cabinet that I use as a work bench, two mike stands, including one with a large ambient noise filter, 4 book cases, the Cisco SPA8800, a 24-port unmanaged router, about a billion miles of cable collecting everything, and a bunch of boxes for storing overflow. :) There's barely room for me in there.

I've got two KVMs that are of the deck of card-cable sticking out variety. They have remote switches which would have to go on my desk, they would have to sit under it, and I'd still have to find room for the computer. I've got extra thin clients which are pretty and might be good enough for my wife to use, but I have no open space near enough to the desk to make that work.

Nope. She can barely use a browser. :)

Sure, but I either need a dedicated machine for them, or VM software that will support them under Win7. Right now, money is really, really, really tight.

I want my wife to start learning how to use computers, rather than just playing with browsers. Towards that end, I want her to use software that she'd encounter in a work environment (and, specifically, my work environment -- I want her to start helping me out at the office). I work in a law office, which is an all-Microsoft Office Suite shop.

I'm sure they are. I didn't know DRM was a specific problem for Linux and MacOS.

Sure, but the trojan horse stuff will also be stopped cold by a VM (or, at least, have to be a lot more sophisticated to get to the underlying machine). That's why I'm concerned about safeguarding the NASes and other connected computers on my network.

Nope!

In the connection properties, leave TCP/IP (v4) checked but UNCHECK the client for microsoft networking. This will disable windows file sharing client (and should automatically uncheck the server box when you do that). I do this on a VM I use as a web server, among my other precautions. You could still use a TCP/IP based printer / print server as well as any other web browsing software.

Excellent! I'll do this as soon as I get home. The NASes would still be accessible, but I can block access by specific IP addresses in the NAS software, so that will handle the VM trying to get to them.

Thanks!

I'm still unclear on what disabling Windows file sharing will accomplish. You won't be able to access your NAS (which sounds like the point - but it would be just as easy to block access from the VM IP in your NAS).

I want to block access, not only to the NAS, but to the other computers on the LAN which, in last month's malware attack, became infected.

Get a router that can do VLANs

I'm pretty sure that my router can. I'll have to look.

If it's wifi router, check this link if your model is listed. It will give you some extra info ;)

http://wiki.openwrt.org/toh/start

It won't give full protection, but I think you underestimate the utility of layered protection; a lot of things will be blocked by a combination of very low-tech measures (DNS proxy or hosts file, ad-blocking, click-to-play on plugins, user account control.) Some won't, but why not get the easy stuff the easy way?

Yeah, definitely not getting a reboot in there. Locking the machine and requiring her to log in as herself is probably practical, though.

In essence; the main advantage would be for her that there isn't an initial required step of going through the OS to get to her stuff. I wonder whether, with a separate user account, you could have her login go straight into the VM with one of Virtual PC or VirtualBox or VMWare Player.

More general advantages of hypervisors are that the performance is often better, and the flexibility with which you can assign the underlying hardware to the VMs are often greater. These would be bigger advantages in your case if (for example) you were running your own instance in parallel with hers.

The main thing with my original suggestion is that there's no outer OS environment for her to get caught in, or to muck up. If she's amenable enough to using the VM environment without being forced into it, that may not matter.

Off the top of my, head every VM environment I'm aware of that will run on a PC is available in a free-as-in-beer edition, with commercial/supported up-sells you're unlikely to care about.

If you care about FOSS, VirtualBox is available in an Open Source edition. It's somewhat more flexible than VirtualPC or the (free) version of VMWare Player. It's somewhat less flexible than VMWare workstation.

One trick which used to work nicely was to get a free 30-day trial of VMWare workstation to enable features in your saved vm that aren't enabled in VMWare Player, then just use VMWare player once the setup is the way you want it.

Oh, https://www.virtualbox.org/

Once again, there's the whole his/hers environment thing you've got going: just because she might be using it to browse (and do other stuff) more securely doesn't mean you need to know more about it than is necessary to set it up for her.

It's also really dead easy to understand what's under the hood, compared to Windows. :)

Well, that rules out the Mac Mini (which until more recently when there were some decent USFF PCs from other people, was the one Mac model I was attracted to for running non-Apple OSes on.)

Once you're running the MacOS unlicensed on a PC, you're running it unlicensed on a PC -- doesn't make much sense to have paid for it. I have on very good account that it runs well in VirtualBox. :D

Sounds like she's pretty patient of a slow browsing experience, and a P4 would be pretty bad on the electrical bill, but (ignoring the cost issue) sound like the Celeron NUC wouldn't be a bad way to go.

Here's an idea: what about setting up a VM on a different machine, wired outside the main firewall, and having her use remote desktop from your machine to get to it? If your wiring is all gigabit, she should be able to still watch videos on it... then the only traffic you have to worry about is the single RDP port outbound from the machine she's accessing it from.

As an added plus, she'd be able to get to her browsing/etc environment not just from your one desktop, but from any of your other machines.

Sounds like Linux (either Ubuntu or Chrome OS) might be a great choice

Any of the VM software will run Linux, including VirtualPC although it's not ideal for it. I mostly use VirtualBox, which is free (depending on which features you use, either as in beer, or open-source) and dead easy.

GUIs are fungible. If someone doesn't get the basic concept enough to understand that the basic metaphors are there, and that they can go from Linux to Windows XP to Windows 7 to Mac interchangeably, they need to work on the basics, but once they have the basics any WIMP UI should be usable.

Ditto, for that matter, the basics of office suites; pretty much all GUI word processors and spreadsheets work pretty much the same. An Office power user is more likely to notice the differences between LibreOffice than MS Office (or Office up to 2003 and Office 2007 and later, given the awful ribbon) than a duffer.

Once you're stuck needing office, you're pretty much stuck on Windows or Mac. You might see to what degree you can interchangeably use LibreOffice, but while it's fine for individual use IME the document interchange capabilities are not there.

I've yet to get Netflix working on Linux, for the main example.

Will be stopped cold in the sense of "gone again when you blow away the VM," but if you can avoid her getting them in the first place, that's still work you're saving yourself.

In theory, it is possible to have privilege escalation attacks out of a VM onto the underlying host system. In practice, I'm not aware of any working yet in the wild, and if there were, it would probably be aimed at large cloud infrastructure things ("I break into someones AWS instance, try to get into Amazon's infrastructure from there") and not individuals futzing with VirtualPC/VirtualBox/VMWare workstation on their own systems.

That may change if later Win8.x moves to more Hyper-V-based sandboxing (like some of the BYOD proposals where work apps are a segregated VM) but even there, it's far from clear whether any attack would be general as opposed to specific to Hyper-V.

--

BTW, I'd be terribly curious for a picture of the work room.