
Message from dsarazen@umassp.edu

Hi All,

 

We have some folks who’d like to see Deepfreeze installed on all lab PCs, but the IT department is balking. What do people think is the best reason to not install deepfreeze? Is there one?

 

Thanks,

 

Dan

 

 

 

 

Comments

In labs…?  It'd be crazy not to install DeepFreeze.  Aside from the obvious risks of not, there are many cost-efficiencies as a result of using the tool.

--
Gregory T. Crary
Director, Customer Support Systems
Office of information Technology
Eastern Washington University
gcrary@ewu.edu | 509.359.2375


From: "Sarazen, Daniel" <dsarazen@UMASSP.EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
Date: Thu, 17 Nov 2011 13:05:25 -0800
To: "SECURITY@LISTSERV.EDUCAUSE.EDU" <SECURITY@LISTSERV.EDUCAUSE.EDU>
Subject: [SECURITY] Deepfreeze - Why not?


Message from awood@hillcollege.edu

We use DeepFreeze in select labs, not all of them. 

 

Reasons for not loading it on all machines:

1. A reboot makes it much harder to complete any type of forensic investigation on that computer.
2. Updates (plugins, virus definitions, OS updates, etc.) are much harder to manage; the same goes for any software deployed by GPO, SMS, etc.

 

Allen

 

 

Message from sstelfox@vtc.vsc.edu

When I went down this course the most prominent answer was patches. Yes, there is a way to boot into an override mode which will allow you to permanently install patches, but there isn't any way to automate that. It means you have to go to each individual machine, reboot it into the unprotected mode, run all of the patches (if a service pack comes out this can easily take an hour on a machine that isn't brand new), then reboot and make sure DeepFreeze is still working. Now personally I haven't looked at it in a few years, so it's possible they put out some sort of management tool to handle this.

It doesn't really buy you much security in my opinion, though, if you don't give your users administrative privileges over the machines, blow away their user profiles, have an up to date anti-virus/spyware/malware program on there, and re-image your labs on a semester to semester (or even a year to year) basis.

On 11/17/2011 04:05 PM, Sarazen, Daniel wrote:

-- 
Regards,
Sam Stelfox
Network Administrator
Vermont Technical College

Message from mclaugkl@ucmail.uc.edu

Hi All:

 

This being the security forum, I wouldn't say it would be crazy not to install DeepFreeze. I would agree that discussions about it should take place, but keep in mind that if someone uses one of those systems to commit a crime, or to commit activity that is short of criminal but for which the University would still want to determine who the culprit was, DeepFreeze makes that discovery much more difficult if not impossible.

 

- Kevin

 

 

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified

Assistant Vice President, Information Security & Special Projects

University of Cincinnati

513-556-9177

 

The University of Cincinnati is one of America's top public research institutions and the region's largest employer, with a student population of more than 41,000.

 

 

Message from markm196@netscape.net

We have it on all of our lab and class computers, about 1200 systems or so, plus in some other areas where we have "shared" systems. Patching is done through thaw cycles when the labs and classes are closed in the middle of the night, from the WSUS server. Very handy when drive-by Java exploits go around or infected USB drives come on campus. Reboot and all is clean. You can thaw them at will from a central console too if you need to. Sometimes we do this if we have a special piece of software that needs to go on in the middle of the semester, like tax prep software in March or something.

Mark

On 11/17/2011 3:05 PM, Sarazen, Daniel wrote:



We run Deepfreeze in our labs. I can see patching being a problem, but I'm not sure how our PC service group is managing it. I could ask them if you like.
--
Heath Barnhart, CCNA
Network Administrator
Information Systems Services
Washburn University
Topeka, KS

On 11/17/2011 3:05 PM, Sarazen, Daniel wrote:




Message from nathan-gibson@ouhsc.edu

Have you looked at Virtual Desktops? Best thing since sliced bread! :-)

 

Not sure why you wouldn't, as long as you stick with Windows machines. We have had some odd things happen on Macs, but with the new release we plan to get back to them and get them frozen as well (who knows what Lion will bring us).

As far as automating the updates, this has been addressed. We can schedule a thaw in the middle of the night, apply the patches and then schedule them to freeze again before students arrive the next day. In a pinch we can thaw an entire lab, push a package for installation, and freeze the machines again in a very short period of time. And thawing a single machine is as easy as launching the Deep Freeze control panel on the machine, logging in and rebooting thawed. We also schedule a reboot of all frozen machines at 2AM to clear the machine and set it back to the original image. It's not perfect in any respect but it has saved us a lot of work in viruses and re-imaging machines.

As far as forensics: if we know we need to look for something and the machine wasn't rebooted, we can pull whatever we need, but if it's been rebooted the log files etc. are gone. This hasn't caused us much of an issue since we installed it.

Planning: you have to build your image and test all kinds of situations with it before you make it production and freeze the machine, since you could freeze a problem inside the system without knowing. We have been using it for about 6 years now.

___________________________________
Charles Keeler
Mitchell College
Office of Information Technology
Chief Technology Officer
(860) 701-5254

Putting Deep freeze on our mac labs reduced support by 80%

Rob Whalen

Network Analyst, St. Mary’s College

 

Message from mclaugkl@ucmail.uc.edu

Hi Again Everyone:

 

Not trying to be a pain here, really I'm not. I do understand all the benefits that can be obtained through this type of technology, but this is a security forum so I'm just going to have to say this. Apologies up-front to anyone I may offend or upset; that is not my intent.

 

IMO - Products like DeepFreeze, from a Security point of view, basically allow a smart attacker an anonymous attack vector into your organization that bypasses most of your perimeter defenses.  I’m not saying that is a show stopper but for our world it should definitely be something that is considered and discussed in detail.  I can do what I want,  launch my attack, pull the plug on the machine, plug it back in and restart it,  exit stage left….   Or am I missing something obvious that prevents this from happening?

 

 

 

- Kevin

 

 

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified

Assistant Vice President, Information Security & Special Projects

University of Cincinnati

513-556-9177

 


 

 

Kevin,

 

I think from a security perspective that Deep Freeze is just another potential layer of the defense in depth model. Deep Freeze is not a panacea to resolve all security woes and still should be used in conjunction with good desktop-based group policy. I can't perceive (although I could be wrong) an organization that would just install Deep Freeze with a "set it and forget it" mentality without using it in conjunction with the obvious security practices of anti-virus/malware applications, host-based firewall, etc. Yes, it does create a vector for malfeasance, but again, assuming some degree of additional layers of security are in place (logging, perhaps), the notion of the end user disappearing like a thief in the night may be mitigated to some degree. At the end of the day, Deep Freeze is just like any other tool/device we place on the network. It has positive and potential negative benefits, and these tradeoffs need to be evaluated to determine if it is best suited for deployment.

 

With that said, we have used deepfreeze for a good decade now, but as others have mentioned have moved forward with a VDI implementation which creates its own sets of benefits and challenges.    Just my two cents…

 

mike.sana.

 

Michael C. Sana MSIA, CISSP, CISM, CISA

Information Security Officer

Information Technology Services Division

 

Hawai`i Pacific University

1164 Bishop St. Suite 900

Honolulu, Hawai`i 96813

Telephone: (808) 687-7034

Fax: (808) 544-1404

Email: msana@hpu.edu

 

"Quis custodiet ipsos custodes?"

 

 

Kevin,

 

If the system(s) are configured to log remotely, or if the authentications to a remote (centralized) server are logged, one could still identify the credentials that were used to log on to a system protected with DeepFreeze.  That is to say: You’re right, a conversation is necessary so that appropriate controls can be put in place to mitigate the risks presented by this software (just like any other piece of software).

 

You make a perfectly valid point, and shouldn’t apologize to anyone (in my opinion),

 

-- KS

 

Keith Schoenefeld

Information Security Analyst

Baylor University

 

Message from ryan@ryanhiebert.com

Microsoft used to have a product called SteadyState, which in purpose was very similar to DeepFreeze. They discontinued SteadyState, and produced a whitepaper titled "Creating a Steady State by Using Microsoft Technologies." In particular, they suggest that the features provided by MS technologies, such as Roaming Profiles, Folder Redirection, Offline Folders, etc., and possibly App-V, VDI, and/or Remote Desktop Services, create a close enough replication that the overhead of a product like SteadyState or DeepFreeze is overkill.

http://www.microsoft.com/download/en/details.aspx?id=24373

In my own environment, I have decided that the management overhead required by DeepFreeze is not worth the added effort when I already want to deploy Folder Redirection, Offline Folders, etc., and am not using DeepFreeze at all. I can see that others may have requirements that would warrant the extra work it would require, but for me, the added effort is disproportionate to the gain I'd receive.

Ryan Hiebert
Network Security Specialist
Pacific Union College

Hi Kevin / All.  Allow me to throw my 2 cents in here.  Let me begin by saying, like many of you, I don't like this or similar products from a pure "Security" standpoint.

Your analysis of someone using such machines to hide their activity is spot on, from a forensics point of view. However, depending upon your network configuration, "anonymous" may not be completely accurate if those machines authenticate to domain controllers; you would at least have the who to match the when. Depending upon your IPS, proxies and other such systems, you may be able to piece together the bigger picture, but you are correct in that it requires much more work at different layers.

I suspect most organizations are looking at products like Deep Freeze, Smart Shield, Clean Slate, etc. not just in terms of a security context, but they are analyzing the organizational cost to risk ratios on lab machines. As others have stated here, the organizational "support" costs are drastically reduced by such products, both in terms of IT resources constantly repairing machines, and also ensuring teaching labs are functional for course usage by faculty and students. It is next to impossible to explain to a faculty member why someone using one or more computers to visit malware sites made those resources unavailable during their course session.

So, to circle back to "security" before closing: I remember when Blaster and other such worms took entire campus networks out. At that time, even in our remote regional offices, they got through the storm because once machines got infected, a simple reboot resolved the issue. There is some merit in this aspect that I've not seen mentioned to date; not that it solves the issue, but it's better than dispatching resources to other off-site areas when those resources are likely needed closer to home.

So, to me, the bottom line is that there is good and bad in everything, and no campus decision should be made by looking exclusively on any one aspect of a conversation, like security, at least in my opinion (even though this is the security list).  We must look at all factors to make the best decisions for our organizations.


On 11/17/2011 6:15 PM, Mclaughlin, Kevin (mclaugkl) wrote:


We use DeepFreeze - and if you balance any concerns about possible attack vectors against acceptable risk and the benefits afforded by having an product like DeepFreeze to minimize the risks.....sorry - I'm going stick with DF....and since we centralized the whole DF management hierarchy, we've been very pleased....and stable....

Michael

A skilled, motivated forensicator can recover data from a DeepFrozen machine. I've seen it done. Civilians would have to resort to file carving, but the company is willing to assist law enforcement in understanding how data is written.

In incidents of sufficient severity, security cameras and witnesses may be more important than digital evidence in placing a particular person at a particular keyboard.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
Message from mclaugkl@ucmail.uc.edu

I wonder if it would be worthwhile to tie this thread into thought discussions on the large scale relatively undiscovered theft and siphoning off of intellectual property from IHE’s.    I guess what I am really stuck on and trying to figure out is whether or not we continue to make decisions of convenience to/for IT when those decisions may be ones that make it easier for the bad guys to access data and infrastructure that we don’t want them to access?   I’m not saying that this is happening but my gut tells me that it’s worth taking a good hard look at.

 

However, if forensic tools and carving still work on a DeepFreeze machine then most of my arguments and concerns are moot.  Would anyone on the thread who uses DeepFreeze be willing to run an image through FTK or send me an image to run through FTK so we could see what results we get?

 

- Kevin

 

 

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified

Assistant Vice President, Information Security & Special Projects

University of Cincinnati

513-556-9177

 


 

 

I can see the arguments on both sides, and I think the answer has to be balance. I've seen the benefits to having Deep Freeze in labs, and our PC techs are a lot happier not having to spend one day out of a week fixing a lab computer that got hosed at a software level. If Deep Freeze is considered an acceptable risk, then steps could be taken to balance the risk/security equation out. Maybe segregate the labs into their own subnets and restrict access in and out?

-- Heath Barnhart, CCNA Network Administrator Information Systems Services Washburn University Topeka, KS

On 11/17/2011 8:41 PM, SCHALIP, MICHAEL wrote:
On Thu, 2011-11-17 at 22:17 -0500, Mclaughlin, Kevin (mclaugkl) wrote:
> I wonder if it would be worthwhile to tie this thread into thought
> discussions on the large scale relatively undiscovered theft and
> siphoning off of intellectual property from IHE's.

In this context it would depend on what access to IP was possible through the lab machine and how such activity would be identified, substantiated and tracked. Our labs all require authentication (central logging provides tracking) and have no more access to IP than a random computer on the Internet, excepting the journals. And access to the journals is tracked via network activity and tied to an account via authentication. None of which depends on the local machine (other than it being in our domain, forcing use of our authentication).

A greater risk from that viewpoint is the fact that the network jacks are not secured and a miscreant can bring in their own computing device, connect it to the network, hand-configure the MAC address to the computer they disconnected, take over its DHCP lease and leave us with no authentication records. (Though I've not seen or heard of anyone manipulating the DHCP client ID, which has allowed identifying the culprit when the culprit's system was normally used on our network, and some Windows systems end up being configured such that you get the user's name.)

That approach is difficult to protect against. You can have cameras, but they are easily defeated (dark green hoodie, low light conditions) even if unintentionally (there was a theft where the only precaution the person took was turning out the lights. Too bad for him we use IR cameras; too bad for us the resolution and framerate never quite matched up with a frame good enough for an identification.)

> I guess what I am really stuck on and trying to figure out is whether
> or not we continue to make decisions of convenience to/for IT when
> those decisions may be ones that make it easier for the bad guys to
> access data and infrastructure that we don't want them to access?

That is a good point. While I don't think that is so much an issue in this particular case, it is always one to consider. If convenience rules, security is often the first victim, even if unintended.

> I'm not saying that this is happening but my gut tells me that it's
> worth taking a good hard look at.

We don't use DeepFreeze, but even if we did there are very few instances in which it would impact anything. There was an ediscovery, for example, that would have been less useful to the requestor. Not sure what impact it would really have made on the case as a whole, and certainly would have been something that they would have just accepted (at least in that case). Because we use roaming profiles in the labs and students don't have admin privileges, files of interest are often not local to the machine and would be unaffected. Authentication is logged by the domain controllers so we can always tie account authentication to a system by time. Similarly, netflow provides a certain amount of tracking for network activity. Server logs and netflow are my best tools when tracking down misbehavior.

> However, if forensic tools and carving still work on a DeepFreeze
> machine then most of my arguments and concerns are moot. Would anyone
> on the thread who uses DeepFreeze be willing to run an image through
> FTK or send me an image to run through FTK so we could see what
> results we get?

That would be an interesting exercise. But in the end I just don't see DeepFreeze adding up to that much of an issue for lab computers.

Tim Doty
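
Tim's lease-takeover scenario (unplug a lab PC, clone its MAC, inherit its DHCP lease, and leave no authentication record) is one where the DHCP server's log is the evidence that remains, and the client-supplied options are what give the intruder away. The following is an added example and not code from Tim or anyone else in the thread: it parses constructed dhcpd-style syslog lines, flags any request where a MAC from the lab inventory arrives with a client hostname other than the inventoried one (or with none at all), and then asks which other MAC that unfamiliar hostname normally appears with, which is the trick Tim describes for identifying a culprit whose own device is usually on the network. It keys on the host-name option because that is what ISC dhcpd prints in parentheses; the same logic applies to the client identifier (option 61) where the server logs it. The inventory, MAC addresses, hostnames and log lines are all constructed.

```python
"""Detect a lab PC's DHCP lease being taken over by a foreign device that
cloned its MAC, using only the DHCP server log.

Added example; inventory and log lines are constructed, not real data.
"""
import re

# Constructed lab inventory: MAC address -> hostname the lab image is built with.
LAB_INVENTORY = {
    "00:11:22:33:44:07": "LAB-PC-07",
    "00:11:22:33:44:12": "LAB-PC-12",
}

# Constructed syslog lines in ISC dhcpd's format. The value in parentheses is
# the client-supplied host-name option; a line without it means the client
# sent no hostname at all.
SAMPLE_DHCP_LOG = """\
Nov 17 09:12:00 dhcp1 dhcpd: DHCPACK on 10.20.40.88 to a4:5e:60:aa:bb:cc (mikes-laptop) via eth1
Nov 17 14:55:01 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.7 from 00:11:22:33:44:07 (LAB-PC-07) via eth0
Nov 17 14:55:01 dhcp1 dhcpd: DHCPACK on 10.20.30.7 to 00:11:22:33:44:07 (LAB-PC-07) via eth0
Nov 17 15:02:45 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.12 from 00:11:22:33:44:12 (LAB-PC-12) via eth0
Nov 17 15:02:45 dhcp1 dhcpd: DHCPACK on 10.20.30.12 to 00:11:22:33:44:12 (LAB-PC-12) via eth0
Nov 17 15:31:10 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.7 from 00:11:22:33:44:07 (mikes-laptop) via eth0
Nov 17 15:31:10 dhcp1 dhcpd: DHCPACK on 10.20.30.7 to 00:11:22:33:44:07 (mikes-laptop) via eth0
Nov 17 15:33:02 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.7 from 00:11:22:33:44:07 via eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dhcpd: "
    r"DHCP(?P<kind>REQUEST|ACK) (?:for|on) (?P<ip>[\d.]+) (?:from|to) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via",
    re.IGNORECASE,
)


def parse_dhcp_log(text):
    """Yield one dict per REQUEST/ACK line; 'host' is None when the client sent no hostname."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_lease_takeovers(records, inventory):
    """Alert on inventoried lab MACs that present a hostname other than the
    inventoried one. A missing hostname counts as a mismatch: the lab image
    always sends its own name, a hand-configured clone may not."""
    alerts = []
    for r in records:
        mac = r["mac"].lower()
        if mac not in inventory:
            continue  # not a lab PC; out of scope for this check
        expected = inventory[mac]
        if r["host"] != expected:
            alerts.append({"time": r["ts"], "ip": r["ip"], "mac": mac,
                           "expected": expected, "seen": r["host"]})
    return alerts


def usual_macs_for_host(records, host, exclude=()):
    """MACs that `host` has been seen on, excluding the lab MACs it is now
    spoofing; with a full day's log this is the intruder's own adapter."""
    return {r["mac"].lower() for r in records
            if r["host"] == host and r["mac"].lower() not in exclude}


if __name__ == "__main__":
    records = list(parse_dhcp_log(SAMPLE_DHCP_LOG))
    for a in find_lease_takeovers(records, LAB_INVENTORY):
        print(f'{a["time"]}: {a["mac"]} ({a["expected"]}) presented hostname {a["seen"]!r} on {a["ip"]}')
    print("mikes-laptop normally uses:", usual_macs_for_host(records, "mikes-laptop", exclude=LAB_INVENTORY))
```

Against the constructed log this yields three alerts for 00:11:22:33:44:07 and traces "mikes-laptop" back to a4:5e:60:aa:bb:cc; from there the DC logon events for that device's usual user close the loop. The check is only as good as the inventory and the hostname the spoofer happens to leak, so it complements rather than replaces port security or 802.1X on lab jacks.
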
Even if you do not use DeepFreeze, which we do, all someone has to do is roam around until they find a logged-on lab computer, do what bad things they want and then leave. This is exactly what we found a student doing to cover his tracks. I don't see how DF makes this worse.

--
Kevin Kelly
Director, Network Technology
Whitman College

Message from mclaugkl@ucmail.uc.edu

We've had the scenario you mention and as long as it's a normal machine we've found enough evidence using basic forensics to catch the bad guy.  My fear is that a deepfreeze reboot might delete that evidence.


Kevin L. McLaughlin
AVP, Information Security & Special Projects
University of Cincinnati

