Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Safety for Elderly Parents with new Win 10 Laptop


  • Please log in to reply
9 replies to this topic

#1 mark paul

mark paul

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:CDT USA
  • Local time:03:10 AM

Posted 19 September 2017 - 01:06 PM

My parents moved into an assisted living facility.  They have free, Public, Wi-Fi used by all apartments.   
Using Belarc Advisor 8.5, I can see all of the computers, printers, and routers in the place. 
If I wanted to, I could click a link and get into the admin router.  Scary.
 
I have turned off network discovery and file and printer sharing, ran Belarc again, and how only see their computer and cell phones.
 
They have Sophos Home with Malwarebytes and Heimdal Pro all running.
 
Q: How do I secure their laptop so that banking and investment transactions as well as passwords are secure as practical?
 
The more advice the merrier....
 
Thank you,
Mark 

Edited by hamluis, 19 September 2017 - 01:09 PM.
Moved from W10 Discussion to Gen Security - Hamluis.


BC AdBot (Login to Remove)

 


#2 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:04:10 AM

Posted 19 September 2017 - 10:26 PM

First, you can't "get into" most routers in any meaningful sense without the administrator userid and password even if you can see the router and land on its main page.

 

You did the correct thing to turn off network discovery, but I'm wondering why that was necessary.  I am guessing that whoever connected to the WiFi thought "well, I'm at home, things should be discoverable," but that's not the case when the at home network is public (even if you have to have a password, which will encrypt your traffic, everyone's still on the same network if they've all got that password).

 

I like the HTTPS Everywhere add-on, but it's generally irrelevant when it comes to any website that uses https by default anyway, and I don't know of a single internet banking or investment management site that does not.

 

If you want to protect the computer as a whole, and your parents are not likely to need to install any software without assistance, make sure that the account or accounts that they use to log in are standard accounts, not admin accounts.  It makes it a lot harder for things that shouldn't be installing to install behind the scenes that way.

 

The best thing you can do, in my opinion, when dealing with passwords is to make sure that they've picked something that they will *always* be able to recall but that they *never* need to write down.   The address they grew up at, e.g., "135 Crestfield" (and many now allow embedded spaces, if not, skip it), is a 14 character password that no one who didn't know them "way back when" is ever likely to guess.   Other things like the city where they met accompanied by the year also fall into that sort of "easy to remember, very hard for any random stranger to guess" category and remove the need for writing them down.  Although it's always recommended to have a different password for every website even I find that impractical (although I have multiples) and for the elderly it's generally impossible.  A carefully held password that's long enough, but difficult to guess is typically more than sufficient.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley

 

 

 

              

 


#3 mark paul

mark paul
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:CDT USA
  • Local time:03:10 AM

Posted 20 September 2017 - 08:44 AM

Thanks for the response. I especially like the idea of using a password from an address long ago but indelibly stamped in our minds.

I am asking on behalf of my siblings; The resident's of the center all share a common password for the Wi-Fi just like at Starbucks. We continuously, via the media, are warned about going to sensitive sites under threat of identity theft.
The concern is that a neighbor in the complex may have an enterprising 45 year old child that would like to get into a bank account.

Would you feel that our Parents are secure given the information layed out above?

Would a purchased vs free VPN be of any benefit?

BTW, I make changes to and update my folks pc via Teamviewer.

Thanks much, Mark

#4 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:04:10 AM

Posted 20 September 2017 - 09:11 AM

I have never had any hesitation to do internet banking, online purchasing, or similar on any public WiFi that is not also not password protected.

 

While there is no way that I can quickly check what security is being used, WPA/WPA2 has long ago become the default, as shipped, on the majority of modem-routers.  When this is used traffic is encrypted between the computer and the router for anyone who's connected via WiFi.  It would take an incredibly dedicated, enterprising, and time available anyone to hack into that traffic.  (This presumes that the password itself is not something that your random drive-by ne'er do well would guess and that the admin password for the modem-router itself is strong as well).

 

I personally don't see much of any benefit from the use of a VPN in relation to either account security or password security for the sorts of sites you refer to.

 

Another password option, if your parents are security minded and want to have different passwords, is what I call the "Portmanteau Method."  You use several fixed elements, with one site specific element that's easy for you to remember, in creating a password for each site.  Let's say that ancient address was, "135 Crestfield," that one's first child was born on April 3rd, and you like the special character '&'.   For each site your password would be 135{insert site specific element here}0403&.  So, for your bank if it's First Bank, you could do 1351st0403& or 135First0403& or 1351stBank0403&, etc.   This seems wildly complicated, but its not if the fixed parts are easy for you to remember and you always keep them in the same position in your created password.  You've got to remember what your choice of site specific element is, though.  They also become really fast to enter once those fixed elements enter muscle memory regardless of how many characters you choose to use and where.  The probability of anyone cracking a password such as those by guessing or brute force machine attempts is just incredibly small.

 

I do hope their accounts are standard accounts, though.  Some of the worst messes I've ever seen (I do home & small business tech support as part of my living) is when you have a user who responds to, say, a malicious pop-up saying they have a virus by clicking on the button, following the links, etc.  Depending on what's triggering same you may prevent its ever having gotten there to begin with by using a standard account.

 

I'm also big on ad blocking software (I'm using uBlock Origin these days in Chrome and Firefox) not just for the ad blocking but because it also acts both directly and indirectly as as a security shield.  I also like Spywareblaster software, which doesn't run anything in the background but tweaks the system hosts file based on known bad sites, which goes a long way from preventing people from stumbling into a site either by accident or malicious redirection.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley

 

 

 

              

 


#5 mark paul

mark paul
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:CDT USA
  • Local time:03:10 AM

Posted 20 September 2017 - 01:11 PM

Brian, thanks for the reply, per the following quote:
"If you want to protect the computer as a whole, and your parents are not likely to need to install any software without assistance, make sure that the account or accounts that they use to log in are standard accounts, not admin accounts. It makes it a lot harder for things that shouldn't be installing to install behind the scenes that way." Potential issues and possible solutions?:
1. They are the Admin Account. Can I set them up as both Admin & User? Myself as Admin? What do I need to set to be sure the admin isn't used but still is accessible to me?
2. They do not log into the PC, just start it up and the desktop shows. For programs, once the PC is started, they use passwords, which per your advice I will help them change/adjust. It needs to be very simple for them. If I became the admin, could I be the one that needs to log in without messing with their "direct startup"?
3. Also If there was a BIG shutdown button available, Win10's is hard for them to see although they do use the magnifier.
4. With Spywareblaster, would it replace any of the 3 listed above? They have Sophos Home with Malwarebytes and Heimdal Pro all running. Do I just run Spywareblaster once, reboot, and just let it be?
Thanks ever so much!

Edited by mark paul, 20 September 2017 - 01:16 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,467 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:10 AM

Posted 20 September 2017 - 02:42 PM

Also see Answers to common security questions - Best Practices for Safe Computing.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:04:10 AM

Posted 20 September 2017 - 05:15 PM

Mark,

 

       When you say they're the admin account, I hope you don't mean the account with the userid "admin" that's in fact the super-super user.

 

       They should be set up as either Microsoft-account-linked Windows 10 Standard User account(s) or as local Windows 10 Standard User Account(s).  If you have more than one account [including the admin account] set up on the computer about the only difference will be that a main login screen will be presented.  You can set up the non-admin accounts such that no password entry is required to log in on the Windows 10 machine.  See:  

​I have needed to do this for a number of my clients who are blind or visually-impaired.  So long as they can see well enough to point and click on the account(s) they want to use to log in to, if you've set up the account(s) per the above that will take them straight to the desktop.

 

You can either set up the admin account with a password so that you are the only one that can access it or set up an account with admin privilege that only you know the password for.  I know of no way to set up a multi-account machine that will not involve an account selection screen at boot time since you've got to choose which account you want to use.  But if the account(s) for your parents have the password automatically entered by Windows itself, as outlined above, all they need to do is to select the account they want to use that you've set up that way.

 

If you need a "Big Shutdown Button" I would simply write a command prompt .bat file or a PowerShell .ps1 file that issues the Shutdown command (with the parameters you wish - and I would avoid Fast Startup - I always turn that feature off within Power Settings) you can then put a shortcut to same on the desktop and use whatever icon you prefer that would be easy for them to see.  They'd just double click on it and the machine will gracefully shut down.

 

Spywareblaster does not replace any of the products you mention.  It's just another layer that has about as light a footprint as anything can have.  You will want to do occasional updating of the definitions, but I seldom do this more than twice a year.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley

 

 

 

              

 


#8 mark paul

mark paul
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:CDT USA
  • Local time:03:10 AM

Posted 21 September 2017 - 04:12 PM

Brian,
 
Here I is where I am hung up....It may be that I am confusing local user accounts with local system accounts…but I just don't know. Below is a cleaned up snippet from Belarc Advisor on the day I gave the computer to my father. Unfortunately, after that time I went into the Run dialog, typed "Netplwiz", and promptly locked them out of the computer. I named them as users but no one as admin (whoops), so I then called Microsoft for help. That was a lot of mis-communication so we just reloaded from scratch. 
Unfortunately I do not have a Belarc Advisor to show how that setup looked.
 
At their age, having two accounts to choose from, could be pose to be difficult for them. I have read the attachment on turning off password entry requirements. Is there a way that I can be the admin but set the computer up so that my parents have full "rights" to their computer as users? 
I hope you didn't cover this or that I missed it but I am just a little confused because I have never heard of not having the owner of the computer not be the admin. (no problem, but just new info for me, I learn something new twice every day!)
 
Are you basically suggesting that I should have myself as the (admin) and move my parents down to user accounts without admin but give them full privileges? If so, please let me know, I don't want to lock the computer out again as your caution states in the above link. Thanks again.
 
From Belarc Advisor:
Computer Profile Summary
Computer Name: DESKTOP-xQVDxxx (in WORKGROUP)
Profile Date: Thursday, August 24, 2017 1:51:25 PM
Advisor Version: 8.5c
Windows Logon: Walt and Mary   <<I Changed This on purpose
Operating System
Windows 10 Home (x64) Version 1703 (build 15063.540)
Install Language: English (United States)
System Locale: English (United States)
Installed: 8/22/2017 2:06:43 AM
Servicing Branch: Current Branch (CB)
Boot Mode: UEFI with successful Secure Boot
Users (mouse over user name for details)
local user accounts last logon
Walt and Mary 8/24/2017 9:45:21 AM   (admin)
local system accounts
X Administrator 6/5/2017 4:20:14 PM      (admin)
X DefaultAccount never
X Guest never
SophosSAUDESKTOPaaa never
 
X Marks a disabled account;


#9 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:04:10 AM

Posted 21 September 2017 - 06:15 PM

Mark,

 

        Local accounts are what their name implies:  strictly local to the machine with no link to a Microsoft account in the cloud.   Local accounts can be standard or have administrator privileges.  From the Belarc report the account, "Walt and Mary," is a local account that has administrator privileges.  If your parents cannot be relied upon to know what they're doing that account should be changed from having admin privileges to being a standard account.   There are untold thousands of articles out there that describe the differences between a standard account versus one with administrator privileges.  I actually liked what Microsoft used to show (these screens have changed since the introduction of Windows 10 during account creation, this bit is from the Windows 7 era, but the Win10 equivalent with similar terminology exists):

 

Attached File  Win7UserAcctType.jpg   65.23KB   0 downloads

 

 

The above partial screen capture comes from this article:  https://www.tomsguide.com/us/create-standard-user-account,news-18333.html, which predates Windows 10 but still gets at the heart of the differences between a standard account and one with administrator privilege.

 

It is clear from the Belarc report that the super-super user, which is the local Admin account, is not active.

 

If you have a Microsoft Account and are using a Windows 8 or Windows 10 user account linked to it you could just set yourself up with your Microsoft Account on their computer and grant your account admin privilege (initially using their account) and then after that's complete you can use your account to remove the admin privilege from the local account that your parents use.

 

If you want your parents to have full rights to do anything and everything then they should simply retain admin privileges.  Based on some of what you'd said I had presumed, possibly incorrectly, that you had anticipated problems with the system getting "messed up" by them trying to uninstall or install stuff or by their changing system settings that are not of a "personalizing one's own account and desktop" nature.  No one other than an admin has truly full privileges on a Windows machine since the Windows 7 era.  While the most common setup is for a computer's owner to be the computer's admin it is far from the only way to do it and most businesses don't have the machines on employees' desktops set up such that those employees have admin rights.  I know of many individuals in situations like yours who do not want their parents to have truly full privileges to make changes to the system but do want them to be able to personalize their environments (if they wish to) and to be able to do the things all of us commonly do like surfing the web, downloading files, word processing, e-mailing, etc.  Standard accounts can do all those things.

 

What I am suggesting is that you set yourself up on the machine as an administrator and have them as standard accounts.  You should be able to use Team Viewer or similar to log yourself in to that machine when you need to do something.  I still do not know of a way to not have the "list of users" show up on the main lock screen for Windows 10 when there are multiple accounts on the machine.  You can create a single account that they both use if that's what you and they wish.  But what I'm saying is that if you set up another adminstrator account it will show up as a choice at startup, but without the password they can't log in to it.  Unless their vision is really bad you can assign an avatar to their own account that is particularly eye catching (even if eye catching is a big red dot or similar) so they know where to point and click to log themselves on (which you can set up to avoid password entry).

 

 


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley

 

 

 

              

 


#10 mark paul

mark paul
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:CDT USA
  • Local time:03:10 AM

Posted 21 September 2017 - 10:09 PM

Excellent Brian, our family does truly thank you for your help.  I'm glad I sent the Belarc because that helped you to help me clear up my confusion. Sometimes I need to hear things said several different ways in order for the light bulb to brighten. Thanks again to you and this forum for your patience and assistance. Mark 






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users