Jonathan Hassell, Contributing Writer

Freeze it! How to use Windows steady state

Feature | Apr 16, 2015 | 11 mins
Topics: Data Center, Security, Small and Medium Business

You can lock down end-users' laptops and desktops with a minimum of fuss. Here's how.

Does this sound familiar? “All I did was click this link in an e-mail that looked like it was from my daughter, but it took me to a weird website, and then I got a bunch of pop-ups and to get rid of them, I said Yes or OK or whatever that made them go away.”

Cue the awful feeling in the pit of your stomach you get when you realize that someone in your company is in for a “nuke and pave” — a complete rebuilding of an operating system, reinstalling all applications and restoring documents and other user data from backup.

Every time you get one of these calls, you probably think: “There has to be a better way. I don’t want to spend an hour putting things back the way they were. The user doesn’t want to spend hours getting his or her data back. And what’s to prevent this sort of occurrence from happening again?”

There is a better way, and it is a solution long used by lab administrators and public kiosk owners: The steady state. In this piece, I will give you an overview of what these solutions do, what is available as part of any old standard Windows license and then look at a third-party product that in my opinion is best-in-class in this area. Let’s dive in.

An overview of deep freeze

The concept of a deep freeze, or steady state, solution is to take a known good image of Windows along with all required applications — configured properly and patched and really just ready to go for daily use — and take a snapshot of it. Then, when users operate on that snapshotted image, their changes are erased at the end of their session, and the known good snapshotted image is then returned for use at the start of the next session.

This is not virtualized technology; this operates in real time on a real installation of Windows or another operating system (more on supported OSes later on).

Users can save files and their other data on network drives or certain areas of the disk that are configured by you as the administrator to be “unprotected” so that their areas are not erased and rewritten after each session.

At educational institutions — and in particular in libraries and other public kiosk locations — these solutions keep users from taking down systems all the time. (I’m basing this on my experience when I worked for North Carolina State University.)

Personally, I think such steady state solutions — along with application whitelisting — are the only ways we will keep desktop and laptop computers secure going forward. For some reason the concept of deep freeze has been stuck in labs and kiosks for a while, probably because many administrators do not see a path toward using these solutions on everyday machines that their users personalize and perform their usual work on. They’re afraid that the technology is not smart enough to keep in mind that some settings and changes should persist through reboots, and they are afraid of the configuration hassles that might crop up with this sort of solution.

It may take a little more time for this technology to catch on, but here are the problems it solves, as I see it:

  • Users are always going to be users. They will always click on things they should not. They will always click the button that looks like it will make whatever is interrupting their flow go away. They will always fall victim to phishing attempts. They will always ignore security certificate warnings. You cannot fix this problem; you can attempt to mitigate it by using endpoint protection, education, restricting administrative rights and more, but at the end of the day the user in the chair is the one who is going to get infected.
  • Antivirus and antimalware products are, to some extent, always playing catch-up. Heuristic analysis is helpful and gets a lot right, but it misses zero-day threats. Cryptolocker and other ransomware get right by these solutions, even those that live in the cloud and perform e-mail hygiene.
  • The cleanup process for infections and restorations takes far too long. Your users lose productivity while they wait for you to flatten and rebuild a system. They lose their preferences. They might have lost some of their most recent data before the infection. Also, you probably don’t have a perfect golden master image so you get to spend time playing patch and reboot to get to the most recent level (so that the machine doesn’t get infected again). Lather, rinse, repeat.

One way around malware is whitelisting applications, which is also a really effective solution; you are defining the proper applications that should be allowed to run on a system and then Windows basically blocks everything else from running. This stops malware dead in its tracks because of course you will not whitelist a piece of malware.

However, whitelisting is a major pain to set up, because you have to generate and deploy signatures for all known good applications and distribute them to all of your machines under management. Upgrades are made more difficult because you have to generate new signatures for these applications, and even some patches will trigger the blocking function to go off. It is a proper solution once it is set up, and in deployments that require the most sensitive security settings, whitelisting is the way to go.

But for most other situations, frankly I find the idea of steady state solutions much more interesting. You take some time to define what a given operating system image should look like — including installed applications — and then you let the user go off and do his or her business. You don’t have to fiddle with whitelisting and generating signatures.

If something bad happens, there are no worries, as it is all undone upon a cold restart. With the right steady state software, your users can install and test applications as necessary and even make their own configuration changes, such as temporarily switching to large fonts or setting up a plug-in, secure in the knowledge that a reboot will cure any problem or infection that comes up without destroying their personalized settings. In other words, the stuff they want to keep will stick and persist past the reboot. It is only the unwanted material that would be erased upon reboot.

Steady state with just Windows

Microsoft used to believe in this, too, so much so that it had a freeware tool called Windows SteadyState that supported Windows XP and Windows Vista on 32-bit machines. This little tool would automatically set up a defense shield that restricted users from changing settings and made it very difficult for malware to actually get enough screen time to install itself.

However, Microsoft stopped supporting the Windows SteadyState tool in June 2011, and now recommends simply using the Microsoft Deployment Toolkit and Windows Deployment Services (WDS) to quickly reimage computers that get infected or thrown out of whack for any reason. Of course, this doesn’t immediately help remote users, those who are traveling or any computer that cannot access your WDS server. And you are still in the nuking and paving business.

For those who are inclined to tinker or who resist using third-party tools for whatever reason, Microsoft at least has documented the settings that the free Windows SteadyState tool changed. If you go to TechNet, there is a spreadsheet from September 2010 that lists the correct Group Policy settings that you can use to configure a computer and user account to resist any sorts of changes to settings.

There is also a pretty comprehensive list of all of the settings involved that you would need to tweak in Web format. If you are still running Windows XP or Windows Vista, you can use Windows SteadyState as long as you already have a copy of it; I could not find it for new download anywhere on a public-facing Microsoft website, sadly.

A third-party solution: Centurion SmartShield

With Windows SteadyState moribund, and given the current Microsoft recommendation to hack together a PC lockdown solution through group policy and robust reimaging when things go south, my view is that it is time to look at third-party solutions that actually achieve what we want directly without trying to piece it together with other parts.

A great third-party solution to help implement a steady state deployment is SmartShield, from Centurion Technologies. (Note: I have no financial relationship with this vendor other than as a paying user of their software.) Centurion itself has been around since 1996 and it has been playing in the steady state game ever since. SmartShield is its product and the mantra is “reboot to restore,” in which you simply reboot to erase all changes made to a computer and restore it to a fixed point where everything was working.

SmartShield works via a kernel-level driver. That driver, when the product is enabled and working on a known good image, takes changes that would typically be written to the hard drive and actually reroutes the file paths into a secured partition container. At the end of a session, or when the computer is restarted, those changes are dumped out.

SmartShield is not taking an image and then restoring that image, and is not using restore technology like the restore points that have been built into Windows for a while. It avoids these techniques because backing up and restoring images can be very resource intensive, particularly over the network, and restore points live within Windows, so there is the potential for malware to infest them as well.

Instead, SmartShield is actually a driver that is catching writes and changes to disk, shunting those off into another container and then erasing that container when a session is over. The recovery is instant: If a user is working on a spreadsheet or document and saves to a network folder, then goes to the Internet to do some further research and gets infected, a simple reboot takes care of getting rid of the malware, and the user can be right back at work in 30 seconds on the same document.

There is some configurability, however; an administrator or someone who can change the software can tell SmartShield that certain changes ought to be saved and should persist between sessions — like profile changes and data saved to My Documents folders, for instance, if those are local.
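To make the redirect-and-discard mechanism concrete, here is a small Python model I have added; it is not SmartShield's code (which is a kernel driver), and the file paths, the persistent folder and the file contents are constructed for the illustration. Writes under an administrator-designated prefix go straight to the image, while everything else lands in a scratch container that a reboot empties, which is also why the persistent list should be kept to data folders: anything written there survives the reboot too.

```python
import ntpath
# Constructed sample paths: a protected system file and an administrator-designated persistent folder
HOSTS, DOCS = r"C:\Windows\System32\drivers\etc\hosts", r"C:\Users\alice\Documents"

class RebootToRestore:
    def __init__(self, base, persistent):
        self.base = {self._norm(k): v for k, v in base.items()}  # the known-good image
        self.scratch = {}     # redirected writes, thrown away on reboot
        self.deleted = set()  # protected files removed during this session
        # Prefixes the administrator marked as unprotected; writes there go straight to the image
        self.persistent = [self._norm(p).rstrip("\\") + "\\" for p in persistent]

    @staticmethod
    def _norm(path):
        return ntpath.normpath(path).lower()  # Windows paths are case-insensitive
    def _persists(self, p):
        return any(p.startswith(prefix) for prefix in self.persistent)

    def write(self, path, data):
        p = self._norm(path)
        (self.base if self._persists(p) else self.scratch)[p] = data
        self.deleted.discard(p)

    def delete(self, path):
        p = self._norm(path)
        if self._persists(p):
            self.base.pop(p, None)
        else:
            self.scratch.pop(p, None)
            self.deleted.add(p)  # hide the image's copy until reboot

    def read(self, path):
        p = self._norm(path)
        return None if p in self.deleted else self.scratch.get(p, self.base.get(p))

    def reboot(self):  # discard every redirected change; returns how many were dropped
        dropped = len(self.scratch) + len(self.deleted)
        self.scratch.clear()
        self.deleted.clear()
        return dropped

def demo():
    fs = RebootToRestore(base={HOSTS: b"127.0.0.1 localhost"}, persistent=[DOCS])
    fs.write(DOCS + r"\budget.xlsx", b"Q2 numbers")      # the user's own work, kept
    fs.write(r"C:\ProgramData\unwanted.exe", b"MZ...")   # an unwanted install, redirected
    fs.delete(HOSTS)                                      # a protected file removed, hidden only
    in_session = (fs.read(HOSTS), fs.read(r"C:\ProgramData\unwanted.exe"))
    dropped = fs.reboot()
    after = (fs.read(HOSTS), fs.read(r"C:\ProgramData\unwanted.exe"), fs.read(DOCS + r"\budget.xlsx"))
    return in_session, dropped, after
```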

The administrative component, called SmartControl, works to configure SmartShield over the network and can push the SmartShield endpoint software down to clients, or you can include the endpoint in an imaging process you already have going. From the SmartControl app, you can configure the accepted directories where changes will be allowed, and you can also use the connection to run scripts, transfer files, run Windows Update and apply updates, monitor clients, perform Remote Desktop Connections to clients and more. It is, in effect, a poor person’s network monitoring system.

SmartShield supports all versions of Windows back to Windows XP and through to Windows 8.1. SmartControl supports being run on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. There is also a SmartShield for Mac product that performs much the same functions as its Windows counterpart; it supports Mac OS X 10.6 through 10.10 Yosemite.

SmartShield starts at $55 per license plus a mandatory $11 per license per year maintenance fee, which includes Missouri-based support. The license is per user. You can request an evaluation copy.

The last word

We can argue all day about whether whitelisting is more effective, or why your users simply must have the ability to install their own programs and test things out, or other excuses. To me, it all comes down to cost. I would be willing to bet that between the loss of your users’ productivity and the use of your time as an administrator to nuke and repave machines that get infected, you are probably spending at least $66 whenever that happens. I would put the $66 toward a solution that basically means you do not have to worry about that scenario again.

Steady state and deep freeze solutions are the sweet spot between the unrestricted and vulnerable desktop world we live in and the excellent but time- and effort-intensive world of application whitelisting. I believe steady state is Good Enough.