Kids Laptops - Win10 - LockDown Dilemma


SystemParanoia

Original Poster:

14,343 posts

198 months

Thursday 21st September 2017
I've obtained a pair of Lenovo Miix 310s for the kids to have/use for school work and generally become inseparable from.
I'm debating how much, if at all, I should lock their systems down.

On one hand, I feel that I should just take a copy of the W10 Reg Key from each and just let them run riot whilst periodically re-installing the OS when it gets too borked. This is because they have BBC Microbits and a Raspberry Pi Zero each and I'd love them to be able to hack around with them without having to run to me every 30 secs for an admin pass.

On the other hand, I feel very slight locking down by refusing them an admin account should be sufficient to keep them out of trouble whilst still allowing enough freedom to explore and try stuff within reason.

The last option is to completely screw the thing down to the floorboards with local policy and not allow anything to run except Edge and MS Office, with Edge only able to access a small white-list of sites.

This last option I do not feel will help their development or assist them in setting themselves boundaries. They may even just stop using them entirely, as what's the point.. they can't do anything on it. Besides.. their mum has already given them cheap Android phones that they can pretty much do what they like on.

Suggestions?

essayer

9,067 posts

194 months

Thursday 21st September 2017
I’m not sure how old your kids are but the Internet represents a bigger risk than anything. So sensible access controls/supervision/trust are probably the most important thing.

If they are computer literate, and it sounds like they are given they’re into rpi etc, they’ll probably be able to stay on top of maintenance.

Keep the key, make sure they have some sensible way of backing up schoolwork, and ensure they understand that as soon as they bork it, daddy won’t spend any time fixing it, he’ll just reinstall Windows with a clean disk. They’ll soon learn!

SystemParanoia

Original Poster:

14,343 posts

198 months

Thursday 21st September 2017
They're both 11.

I've looked into Microsoft 'family' but I'd rather not rely on that.

Until now, they will have only ever used Linux at home.. they have had BunsenLabs Linux on a USB for the past couple of years to use wherever they want and overall seem pretty responsible.

I just want to keep them away from social media and porn for as long as possible hehe

Supervision is a problem... mum won't supervise, and I only see the kids for a few days every week. So assume absolutely no supervision, and unlimited access to broadband!

If I add group policy to their machines, and prevent them being able to clear their internet history.. will that also prevent them from removing it from other browsers or only Edge?


ETA:

On the USB Linux dongles they have, I have them set up to VPN back to my home server and run all traffic via my squid proxy invisibly in the background. ( They also run autossh to create a reverse SSH bridge that I can dial into at any time to get a live feed from the desktop. )

Can Windows do this without leaving a visual clue in the taskbar?

Edited by SystemParanoia on Thursday 21st September 10:01


Edit:

I suppose I could just monitor them via OpenDNS and keep it simple, but that's pretty easy to circumvent, and they could even bypass it accidentally when messing with network settings for whatever reason.

Edited by SystemParanoia on Thursday 21st September 10:06

anonymous-user

54 months

Thursday 21st September 2017
Without wishing to be patronising
Windows 10 - you will need to extract the key rather than just copying the COA sticker thing

SystemParanoia

Original Poster:

14,343 posts

198 months

Thursday 21st September 2017
Helpful suggestion of course.

You couldn't have known, but these convertibles don't have a sticker with a key on them at all, so I assumed that I'd need to do this.

SystemParanoia

Original Poster:

14,343 posts

198 months

Thursday 21st September 2017
Creating a system image doesn't half take a while. It seems to max out at about 6MB/sec backing itself up across the LAN.

Still got to extract the reg keys and test the backups yet.
Luckily I don't need them for 2 months!

anonymous-user

54 months

Thursday 21st September 2017
Wonder if it would be quicker to blast them with the latest Win 10 version ?

SystemParanoia

Original Poster:

14,343 posts

198 months

Thursday 21st September 2017
Probably,

One has successfully created a system image of itself... the other has failed 4 times claiming the network location is unreadable.
It then cannot restart the backup as the files are 'in use' and you can't delete the failed backup for the same reason.

On the 4th attempt I even changed the destination folder to chmod 777 permissions.

Each time I could only remove the failed backup from my server with a root rm -rf *


So it seems the built in backup system is dogst, what a surprise!

I'll grab a Win10 ISO and use that instead.

SystemParanoia

Original Poster:

14,343 posts

198 months

Thursday 21st September 2017
Tried the PowerShell trick to get the key:

(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey

but that didn't work, so being wary of introducing virii ( viruses? ) to my network I had a quick read around for a reputable prod key extractor..
Ended up using ProduKey ... it worked flawlessly, and I'm currently reinstalling W10 on both devices to get away from all the Lenovo bloatware crap.

I'll use ProduKey to extract the key from the W10 install that came with my main laptop before I cloned the drive and nuked it for Arch Linux before I even booted it up the first time.

Should be useful in one of my VMs.

Fish

3,976 posts

282 months

Thursday 21st September 2017
I have forced Google SafeSearch on all the PCs via the router at home and also pay for proper content filtering on the router... I'm then slightly more laid back over the PCs themselves...

aka_kerrly

12,418 posts

210 months

Thursday 21st September 2017
Fish said:
I have forced Google SafeSearch on all the PCs via the router at home and also pay for proper content filtering on the router... I'm then slightly more laid back over the PCs themselves...
That seems like a good approach. You don't want to completely lock a PC down so that only a small list of websites is available, or have a huge banned site list, as that will only encourage the kids to look for ways around it, which may result in them downloading far worse bits of malware/viruses.

Perhaps downloading a weekly snapshot of their internet history and going through it with them will be seen as enough of a deterrent, and if they behave you can start increasing the snapshot to monthly reviews until you are all happy that they are not going off into dark horrible places...

Edit to add: Jellybean is a good bit of free software for extracting COA details for programs.

Edited by aka_kerrly on Thursday 21st September 19:37

anonymous-user

54 months

Thursday 21st September 2017
I wouldn't bother trying to lock them down, simply take an image and restore it every time they bugger it up. If they are like my kids, they have access to iPhones and Playstations to access naughty stuff. My son did start torrenting films and we got a polite take down notice from our ISP. After that I blocked anything outside ports 80 and 443 via the router firewall rules. All good now.

They will access illegal content no matter what you do so best to educate rather than restrict them in my opinion. Anyway, what's wrong with wking?

SystemParanoia

Original Poster:

14,343 posts

198 months

Thursday 21st September 2017
wormus said:
They will access illegal content no matter what you do so best to educate rather than restrict them in my opinion. Anyway, what's wrong with wking?
Whilst this is true.. I want there to be at least some hurdles for them to overcome...

I got my xxx content like this..



I'll be damned if they'll have it easier than me hehe



I use dnsmasq on my LAN, so forcing Google to safe search has now been done, although I've modified it to whitelist my MAC addresses ( if they spot that gap and take advantage, then they deserve to fill their boots to be fair. )

I still need to bake in the OpenDNS on their systems for when they're off my network though.

Looks to be easy enough to change it on their phones.. although I'll have to keep an eye on any new networks they add as I'll need to change it for each one individually.

https://support.opendns.com/hc/en-us/articles/2280...

Edited by SystemParanoia on Thursday 21st September 22:12
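
A way to check the "bake in OpenDNS" step on the Windows 10 machines, as an added example that is not part of any post in this thread: it lists adapters whose IPv4 DNS servers differ from the intended ones and can reset them. The resolver addresses are OpenDNS's public ones; the function name Get-DnsDrift, the $Fix switch and the sample adapters are made up for illustration.

```powershell
# Added example (not from the thread): audit per-adapter IPv4 DNS on Windows 10.
# Assumption: the OpenDNS public resolvers below are the intended servers.
$Expected = @('208.67.222.222', '208.67.220.220')
$Fix      = $false   # set to $true in an elevated session to reset drifted adapters

function Get-DnsDrift {
    param(
        [object[]] $Adapters,   # objects exposing InterfaceAlias and ServerAddresses
        [string[]] $Expected
    )
    foreach ($a in $Adapters) {
        # Drop null/empty entries; adapters with no DNS configured are skipped.
        $servers = @($a.ServerAddresses | Where-Object { $_ })
        if ($servers.Count -eq 0) { continue }
        $unexpected = @($servers | Where-Object { $_ -notin $Expected })
        if ($unexpected.Count -gt 0) {
            [pscustomobject]@{
                InterfaceAlias = $a.InterfaceAlias
                Unexpected     = $unexpected -join ', '
            }
        }
    }
}

# Constructed sample adapters (hypothetical): one compliant, one pointing elsewhere.
$sample = @(
    [pscustomobject]@{ InterfaceAlias = 'Wi-Fi';    ServerAddresses = @('208.67.222.222', '208.67.220.220') }
    [pscustomobject]@{ InterfaceAlias = 'Ethernet'; ServerAddresses = @('192.0.2.53') }
)
Get-DnsDrift -Adapters $sample -Expected $Expected | Format-Table -AutoSize

# Live check against this machine's adapters.
$live  = Get-DnsClientServerAddress -AddressFamily IPv4
$drift = @(Get-DnsDrift -Adapters $live -Expected $Expected)
$drift | Format-Table -AutoSize

# Optional reset of every drifted adapter back to the expected resolvers.
if ($Fix) {
    foreach ($d in $drift) {
        Set-DnsClientServerAddress -InterfaceAlias $d.InterfaceAlias -ServerAddresses $Expected
    }
}
```

Changing an adapter's DNS servers needs an elevated session, so the setting only sticks while the everyday accounts are non-admin. The check covers IPv4 only.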

aaron_2000

5,407 posts

83 months

Thursday 21st September 2017
I'd say if they both have a Pi at the age of 11 then they're probably able to be trusted, the internet has content which you can access no matter what, especially YouTube. On the flip side, if you put on tight lockdowns they're probably gonna try to break past them, which isn't a bad thing at all. It was me doing just that on our old school computers that got me into IT, and it sounds like they're already quite into it. Just be wary that there is always bad content for kids that can be accessed easily and quite often accidentally. I'd say you have pretty promising kids if they're into Pis at 11 though.

anonymous-user

54 months

Friday 22nd September 2017
SystemParanoia said:
I'll be damned if they'll have it easier than me hehe
Nonsense, we had unrestricted access to the "ladies in pants" section of Kays/Littlewoods catalogue.

AJB88

12,421 posts

171 months

Friday 22nd September 2017
Why not just dump Linux on it and carry on as normal?

I have been using Linux since 2002 (I was 12) did me no harm.

SystemParanoia

Original Poster:

14,343 posts

198 months

Friday 22nd September 2017
Everything I read about the Miix 310, and all convertibles of this type, says Linux is a no-go without some pain ( touch screen not working or non-rotatable or both, and no wifi or bluetooth ), similar to the issues of Linux on a laptop in the 90s and early 00s... such a chore finding the correct Atheros wifi driver that would not only work, but allow switching to promiscuous mode for packet injection hehe

Unfortunately, I wouldn't know the first thing about writing device drivers from scratch!

But I will stick VirtualBox on there with Raspbian OS, or just install bash-on-ubuntu-on-windows-subsystem

I love Linux, I've run it on every computer I've owned since high school, including my phone(s)... the fact that Windows costs so much for a legitimate copy helped with that decision

Edited by SystemParanoia on Friday 22 September 08:52

HappyMidget

6,788 posts

115 months

Friday 22nd September 2017
Windows 10 already comes with the Linux subsystem baked into it: https://msdn.microsoft.com/en-us/commandline/wsl/i...

tankplanker

2,479 posts

279 months

Friday 22nd September 2017
SystemParanoia said:
I use dnsmasq on my LAN, so forcing Google to safe search has now been done, although I've modified it to whitelist my MAC addresses ( if they spot that gap and take advantage, then they deserve to fill their boots to be fair. )
Can't they just set static IPs and/or their own DNS servers to bypass dnsmasq/OpenDNS?

I had a running battle with my own kids for a couple of years trying to lock down what they could and couldn't do, even going as far as switching to WPA Enterprise so I could force a login via RADIUS to confirm their IP address and personal login details for the WiFi after they bypassed filtering first by IP then by MAC. That worked till they realised they could just tether their PC to their phone, so then I had to remember to turn off their mobile data when they were at home (the Vodafone app enabled me to do this remotely), and so on. Became a right PITA.

Group policy isn't a bad way to enforce settings; best to create a dummy admin account they can use that allows most things but not access to network settings and the like. At work we rename the administrator account and create a new administrator account so it's less obvious what has been done. It isn't foolproof though, and you'll need to set up the group policy to update from a central source to make the most of it, otherwise it'll be painful to manage.

SystemParanoia

Original Poster:

14,343 posts

198 months

Friday 22nd September 2017
I'll have to manage policy on each machine individually if I do go this route, as I will not be forking out for 2 copies of Win10 Pro/Ultimate/Enterprise as the Home version the computers came with is unable to join a domain.