Locking down elderly grandparent's computer

HarryNyquist

So my grandfather has fallen for the "windows support had detected virus" scam twice now. Neither he nor any of my family would like that to keep happening, so we'd like to lock down what exactly he can do on the computer. He uses it for email and browsing the internet, and probably Office or something as well.

 

I'm already planning to lock out Command Prompt, Task Manager, and regedit via the registry as he doesn't use those things, nor does he have a need to. I'm also planning on creating a limited account for him so that he (or rather, the scammers) does not have access to change system settings or things of that sort. I'm likely also going to install Chrome and uBlock to hopefully mitigate the number of said scam popups that appear.

 

I'm wondering if I'm missing anything else that would be a good idea to lock out. I would like to avoid scammers having any sort of access to something that looks like convincing evidence of a "virus".
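
The registry lockout and limited-account check described in the post above, as an added example that is not part of the original post: it writes the three per-user policy values into the standard account's hive from an elevated session, because a standard user cannot write the Policies keys and an admin's HKCU is the admin's own hive. The account name `grandpa`, its profile path and the temporary mount name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run from the family's admin account.
# Assumptions: 'grandpa' is a placeholder local account name, its profile is in
# C:\Users\grandpa, it has signed in once and is currently signed out.
$UserName = 'grandpa'
$HivePath = "C:\Users\$UserName\NTUSER.DAT"
$Mount    = 'LockdownTemp'                  # temporary key name under HKEY_USERS
$Root     = "Registry::HKEY_USERS\$Mount"
$PolSys   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

# The three tools named in the post, as per-user policy values.
$Policies = @(
    @{ Key = 'Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD';           Value = 1 }
    @{ Key = $PolSys;                                      Name = 'DisableTaskMgr';       Value = 1 }
    @{ Key = $PolSys;                                      Name = 'DisableRegistryTools'; Value = 1 }
)

# 1. The account must be a standard user: not in the built-in Administrators
#    group (matched by SID, so this also works on non-English Windows).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name }
if ($admins -contains "$env:COMPUTERNAME\$UserName") {
    throw "$UserName is a local administrator; remove it from that group first."
}

# 2. Load the target user's hive from disk. This fails while that user is
#    signed in, because the hive file is then locked.
if (-not (Test-Path -LiteralPath $HivePath)) { throw "No profile hive at $HivePath" }
& reg.exe load "HKU\$Mount" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (is the user still signed in?)' }

try {
    foreach ($p in $Policies) {
        $key = "$Root\$($p.Key)"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $p.Name -Value $p.Value `
            -PropertyType DWord -Force | Out-Null
    }
    # 3. Read the values back so a typo in a key path is caught immediately.
    foreach ($p in $Policies) {
        $actual = (Get-ItemProperty -Path "$Root\$($p.Key)" -Name $p.Name).($p.Name)
        '{0,-22} = {1}' -f $p.Name, $actual
    }
}
finally {
    # Release PowerShell's handles on the hive, otherwise the unload is refused.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$Mount" | Out-Null
}
```

These values are honoured by the built-in tools themselves and take effect at the account's next sign-in; it is the standard (non-administrator) account that actually prevents system-wide changes.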


Install ChromeOS and be free. Done.


Isn't it easier to just advise him to wait on you or someone else to give it a look whenever such a thing happens without him trying to solve it by himself?


Just now, Princess Cadence said:

Isn't it easier to just advise him to wait on you or someone else to give it a look whenever such a thing happens without him trying to solve it by himself?

We have. This time he called us after he'd agreed to pay. We impressed it upon him but we'd like to be sure.

 

7 minutes ago, Shiv78 said:

Install ChromeOS and be free. Done.

He's 88 years old. A drastic change is not an option.


2 minutes ago, Princess Cadence said:

Isn't it easier to just advise him to wait on you or someone else to give it a look whenever such a thing happens without him trying to solve it by himself?

Agreed, if people aren't sure of something then get advice before clicking on something, especially if you've been caught out before. I have never seen any of those scams on my PCs/laptops.

 

You could:-

Install Malwarebytes and teach him how to run a scan on it once a week, or buy the premium one where you can set a schedule.

Get him a VPN, the VPNs have some advanced measures to block out loads of crap.

Use adblocker, and stuff like that. Can prevent these popups (guessing that's how he got scammed by clicking on an ad that is supposed to look like warnings) - also VPN can block those too, PIA can anyway.

 

If you want the cheapest route, do the malwarebytes suggestion and teach him how to run a scan, teach him about pop-ups, that most of them are either redirects to other webpages and possibly scams... put an adblocker for sure too, use firefox browser and block pop-ups too in settings... it won't block everything, but most will get blocked.

 

Drastic measure, install Sandboxie, which will disallow changes to the OS settings etc, so every time he connects it'll be the same as when you set it up for him.


5 minutes ago, paddy-stone said:

 

Drastic measure, install Sandboxie, which will disallow changes to the OS settings etc, so every time he connects it'll be the same as when you set it up for him.

This is interesting. If any kind of UI change is out of the question (i.e. changing to something that makes "locking out" more trivial, as in practically any distribution of Linux with your / his choice of DE), then I'd consider running Windows under some VM (and make it auto-boot, so he won't even notice). Restore the setting / OS from an image at every bootup, and you're done.

That doesn't rule out becoming a victim of scammers, say by typing a credit card number somewhere it should not be typed (I'm not sure anything exists that could do that).


4 minutes ago, Wild Penquin said:

This is interesting. If any kind of UI change is out of the question (i.e. changing to something that makes "locking out" more trivial, as in practically any distribution of Linux with your / his choice of DE), then I'd consider running Windows under some VM (and make it auto-boot, so he won't even notice). Restore the setting / OS from an image at every bootup, and you're done.

That doesn't rule out becoming a victim of scammers, say by typing a credit card number somewhere it should not be typed (I'm not sure anything exists that could do that).

Yeah, VM is an option I'll agree, but I'd go with Sandboxie, will also start automatically on login... user does have the option of allowing changes to happen though, so might be good or bad thing I guess. If he literally only uses certain progs, then install Sandboxie and lock it down so he can't write changes to OS disk (he could have a separate disk/USB etc to write files to anyway IIRC). Haven't used it in a long while personally, but back like 10 years ago maybe IIRC, but good software if you need it.


Deepfreeze?


3 hours ago, paddy-stone said:

If you want the cheapest route, do the malwarebytes suggestion and teach him how to run a scan, teach him about pop-ups, that most of them are either redirects to other webpages and possibly scams... put an adblocker for sure too, use firefox browser and block pop-ups too in settings... it won't block everything, but most will get blocked.

I am planning to talk to him and demonstrate how 'viruses' can infest his computer by doing something like showing the event log, but he's not got the best track record of telling us when things are going wrong, hence my worry.

3 hours ago, Wild Penquin said:

-snip re VMs-

3 hours ago, paddy-stone said:

-snip re Sandboxie-

VMs probably aren't an option either since the computers he purchases aren't even close to the grade required to run that kind of thing.

 

Sandboxie might work but I'm more worried about the information & money loss than actually being infected by viruses. From what I've seen these people are out to make a quick buck off lack of knowledge, and I'm looking to disable the routes they commonly use to show off the 'viruses.' So when they log in and try to open up eventvwr to show the 'errors', or cmd to show a red-colored tree command, it won't work.

44 minutes ago, Zodiark1593 said:

Deepfreeze?

Same sort of thing as Sandboxie, though they have another software called WINSelect...hmm...


12 minutes ago, HarryNyquist said:

I am planning to talk to him and demonstrate how 'viruses' can infest his computer by doing something like showing the event log, but he's not got the best track record of telling us when things are going wrong, hence my worry.

VMs probably aren't an option either since the computers he purchases aren't even close to the grade required to run that kind of thing.

 

Sandboxie might work but I'm more worried about the information & money loss than actually being infected by viruses. From what I've seen these people are out to make a quick buck off lack of knowledge, and I'm looking to disable the routes they commonly use to show off the 'viruses.' So when they log in and try to open up eventvwr to show the 'errors', or cmd to show a red-colored tree command, it won't work.

Same sort of thing as Sandboxie, though they have another software called WINSelect...hmm...

Yeah, it's hard with people that aren't as knowledgeable or tech savvy, I can't even remember the amount of times I've shown my sister or whoever how to do something, and still next time she visits my house she's asking the same thing again... drives me mad, lol.

With that situation you have, I think the only thing you can do is try to limit the effect an infection would have, or try to prevent it. As for the money loss, there's not really anything you can do on the PC to prevent that as he's handing out his credit card info etc I guess. In a way he's been lucky as it could be much worse with the criminals that like to wipe your accounts instead of just paying to unlock your PC. I can't think of anything that would help with the financial side of it, as even if he swaps to using a "go between" type card system he'd still be handing it out and not telling anyone until it's too late from the info you gave previously. I wish you all the luck in this, as it's a horrible situation.


Normally, for my parents I will just set up an antivirus and put a password on it. My advice, if you really want to lock it down and your grandparent's computer is only used for basic tasks, is to set up Windows Firewall to a default-deny incoming & outgoing setting, or even better set it on the router itself. You can manually add rules for outgoing connections such as HTTP 8080, etc etc and it might take a little while to configure it if you are new to networking, but it will by far be the best way to TOTALLY lock down the system. And turn off UPnP on the router as well to make sure no system software gets a free pass to receive incoming connections through the NAT.

Other than that, set up good security software on the computer like Sophos Home which is free and you can monitor it and control it from your own computer remotely. Another good idea is to install some remote access software so you can access his computer, that you have to manually port forward, and set the port to something obscure.

Another option is to set up a VPN server in your home network and set up a VPN client on his computer, and prevent any outgoing or incoming connections explicitly except through the VPN. Then you will have control over the rules and the security of the connection.

Finally, the easiest but also most controversial solution is to either set up an Administrator account on the machine that your grandparents don't have the password to, or install Linux, set up a custom user and group for your grandparents and customize permissions, and in the end only you have the root password.

(as a bonus, most scammers read from a script, the higher level ones having the skill of a level-1 helpdesk. So they probably won't even know how to sudo, and will try to download TeamViewer only to find it requires dependencies they don't know how to install. That would be a hilarious sight to see!)

 

I know these might seem complicated.  But these are great ways of maximizing the security of your grandparent's computer.  And are also free of cost for the solutions themselves. 
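
The default-deny Windows Firewall setup suggested in the post above, as an added example that is not the poster's own configuration: it creates a small outbound allow-list first and only then switches every profile to block by default, so the PC is never left without DNS or web access part-way through. The rule group label and the port list (DNS, web, mail, time sync) are assumptions for a machine used only for browsing and email.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): default-deny Windows Firewall plus a
# short outbound allow-list. The ports are assumptions for a PC used for web
# browsing and mail; adjust them to the mail provider actually in use.
$Group = 'Grandparent lockdown'    # constructed label used to find these rules

$Allow = @(
    @{ Name = 'DNS over UDP';                    Protocol = 'UDP'; Ports = 53 }
    @{ Name = 'DNS over TCP';                    Protocol = 'TCP'; Ports = 53 }
    @{ Name = 'Web (HTTP/HTTPS)';                Protocol = 'TCP'; Ports = 80, 443 }
    @{ Name = 'Mail (SMTPS, submission, IMAPS)'; Protocol = 'TCP'; Ports = 465, 587, 993 }
    @{ Name = 'Time sync (NTP)';                 Protocol = 'UDP'; Ports = 123 }
)

# Re-runnable: drop the rules left by an earlier run of this script.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Create the allow rules BEFORE changing the default action.
foreach ($a in $Allow) {
    New-NetFirewallRule -DisplayName "Lockdown: $($a.Name)" -Group $Group `
        -Direction Outbound -Action Allow -Profile Any `
        -Protocol $a.Protocol -RemotePort $a.Ports | Out-Null
}

# Default-deny in both directions on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Show the resulting state for review.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Group $Group |
    Select-Object DisplayName, Direction, Action, Enabled
```

Allow rules that were already enabled before the switch keep applying, so review those as well. Port-based rules like these do not distinguish which program is talking on port 443.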


  • 1 month later...

This is what I do for my parents' or children's computers I have set up. Set up a secondary account with limited access; usually I install Windows Enterprise as you will have more control. Install the basic browsers with ad-blocker and Malwarebytes and enable Windows Defender (W10) or another third-party anti-virus depending on client.

Personally, setting up an adblocker will block pretty much 99% of popups in Chrome; you should also enable it in incognito mode. You never know what your grandpa does with his free time.

You could enable this, and create a normal user with basic control and it won't allow them to change settings or remove extensions. Also a limited Windows user won't be allowed to install a new browser, so they are forced to use Chrome.

https://chrome.google.com/manage/su

Also you should install a remote desktop for further problems; personally I just use a personally modified .RAT as it doesn't go through any other people's servers and in most cases has better latency.

VPN is really not necessary for your case, and it will cost more money. The above options are pretty much free.
