Hi all and happy new year.


I have some security fears. I will try to explain with one example.

For my security needs I have only two important requirements:
1) my private data to be protected. In this example it is: all
programs, data and network traffic related to e-banking activities.
2) all other activities must be separated. Security here is not top
priority but daily backups are required.


At least two environments must be present:
1. "bank" environment.
2. environment for everything else. I will call it "chat" environment.

Question is - how to create and keep separated these two environments.


One idea is multi users environment:
1) PC with Windows and three users - "administrator", "bank" and
"chat". Security setup for Windows and users is done.
2) "bank" user have private data in his private folders. He is
restricted to run only web browser. His web browser is allowed to
visit only bank web site.
3) "chat" user will be used for chatting.


Now, I need to install chat program "X-Chat" for "chat" user. I must
not reduce security for "bank" user. Installation procedure require
"administrator" access. Installation procedure will install:
a) "X-chat" main program
b) "X-toolbar" in web browser (regarding help file, toolbar will help
you to start easily the main chat program inside browser)
c) "X-service" (regarding help file, service will start main chat
program when network is available)
d) "X-driver" (regarding help file, you need driver to show your
desktop to the other chat users)


Finally, because installation is done with "administrator" user, I
need to be sure the security status of "bank" user: "bank" user have
private data in his private folders. He is restricted to run only web
browser. His web browser is allowed to visit only bank web site.

And here my problems begin. I need:
1. to know all new drivers, new services and new programs
2. to check access rights of these new drivers, new services and new
programs

How to do it? What tools to use?


Next: if security status of "bank" user is changed, then I have to
change access rights of these new drivers, new services and new
programs like: "X-Chat" to be available and working for "chat" user;
"X-Chat" not available and not working for "bank" user
1) For this task I must not login and I must not use "bank" user
2) For new programs - I have to enumerate and ensure access rights to
all "bank" user resources.
3) For new services - I do not know. Do I have to create new user?
What restrictions I need for this new user in order to protect "bank"
user. Note: access to "bank" user private folders and "bank" user
private resources must be forbidden for every body, forbidden for
every program except: web browser started from "bank" user.
4) For new drivers, I need new hardware profile. Do I have other
options? Because first we have one compromise - to reboot before using
"bank" user. Second, I need to use exact hardware profile with exact
user account, other way, my mistake could be fatal.

What is right procedure, right settings? What tools could help me here
to check "bank" user security easy and quickly after installing new
programs? Other option is to do installation with kind of limited
"install" user, but not very limited because this user must be able to
do proper installation.


Do you think this is possible? Is it difficult? Do you think it is
wrong example?
I think it is regular example, I do not see easy way to accomplish it.
We have 1000 security settings. Even when initial settings are
perfect, after that risk from mistake is very big. One mistake and
private data is exposed on risk. There must be way to accomplish this
task, if it is difficult and takes time, then some tool could help me
maybe.


I have few other ideas like:
1) using different PC for "bank" and for "chat" activities, but I
can't carry two laptops with me all the time.
2) using different virtual machines for "bank" and for "chat"
activities, to wrap MS OS inside VMWare in order to get correct
security (and to restrict internet and new installations inside host
OS). In fact using VMWare have positives:
- easy backup out of the box
- single security rule - do not touch settings in "bank" virtual
machine, do not install in host OS
- no reboot needed when I want to switch to "bank" virtual machine


Thank you in advance. All notes and advices will be very much
appreciated.

Kind regards.