How to set up a safe way to print from foreign USB sticks people bring in

Hello guys.

As of now, I work as a photocopier/printer technician. We have a few spots where people come with their stuff to print (big formats, technical drawings, posters, tickets, documentation, you name it). Just like in this video where Logan comes back unsatisfied from the print shop ^_^

I would love to hear your advice on how to set up a foolproof and safe way to print from USB sticks.

I'm thinking Linux (OpenSUSE?/U-Kubuntu?/Fedora?/Mint?/Manjaro?) as main OS then virtual W7 (originally installed on that PC) on top of it. That way if it craps out, just reload virtual machine image and you're good to go.

Ideally it would have to somehow isolate some USB ports from the host OS and pass them through to the VM.
I think network communication like SMB scanning and network printing should be unaffected. Host OS should be transparent to the virtual machine. Am I right?

Could you guys point me in the right direction and I shall research the solutions? Any pros in the crowd?

PS. If you guys have any suggestions for a better topic title please share them. ^^

/backstory below:

All PCs (apart from the one I use back at the repair shop) are managed by an aggressive, blithering idiot clown co-worker. The guy seriously needs a beating (I'm not joking). Every time the PC for making prints is down it becomes a cause of big drama.

The problem is that people bring on their USB sticks all imaginable kinds of crap. There's no protection whatsoever. No isolation, no AV, no backup, no will to acknowledge that it is a problem. OS on that PC (W7) is held together by means like duct tape, super glue, crossed fingers and a magic spell. Every time a long forgotten, well known by now crap incapacitates that PC, the remedy is to put more of the above on top of it and hope for the best.

Or, way easier, set the hard drive to read-only mode so nothing on the drive can change, seeing as you only need the machine to print things.

Make sure that UAC is on. Set yourself as a standard user and have a local adm account for writing and executing. Then copy and paste into Hyper-V or whatever you're using.

Sounds like you could use something like Deep Freeze.

There are several alternatives including both free and paid products, but this one looks promising:

The company also makes a paid version of the same thing (Rollback Rx) so it's definitely worth comparing them, but if the print PC is a permanent fixture then it might be worthwhile.

Could also use a live USB,


Or a live USB installed to the SSD/HDD... Would it be a live version of Win7 or Linux though? If Linux, it'd have to be a custom-built live USB that isn't persistent but has the VM all set up and pre-installed built into it...

Or a network boot, where after a reboot it refreshes the OS from the network over ethernet!

Does the machine need a keyboard and mouse, or can it just be used with the touchscreen (if it has one)? Then maybe you could disable USB HIDs to prevent USB sticks that are actually keyboards...

And disable autorun for both USB and CDs (in case the USB emulates a CD-ROM as well and wants to go that route).

So basically there's two ways to go about this,
1. Let it be owned if it's going to be, and just be able to quickly recover it back to how it was with a quick reboot or something.
2. Try to prevent it from being owned, and in case it does get stomped on anyway, the quick recovery from #1

Just some ideas :)

Thanks for your input.

Forgot to mention that this PC is also used for sending and receiving emails. They got stuck to Outlook pretty damn good.

Alongside that there's also AutoCAD '14 and Corel DRAW X4 suite but these programs are used almost exclusively to just open projects for printing on big formats.

I think maybe I shouldn't over complicate things and just go with what I use at home.
Good AV like KIS + system partition (with boot sector) backup. For the purpose of making backups I use Acronis True Image but do you guys know any free and reliable alternative for it? I used O&O for some time and didn't like it.

One deal is to install a piece of software such as DeepFreeze or something similar.
Another deal is to disable auto-run on the USB, reveal hidden & system files from the folder options and when the USB starts up, just delete anything which is "hidden". This helps you, and them as well.

Do you manage this?

Is security your job? Are these your PCs or owned by a company?

If they aren't yours, and you aren't behind the security, then I wouldn't worry about it too much.

Let the asshat that sets up the PCs deal with it all.

Just use a virtual machine for everything and pass through a PCI-e USB adapter to it.
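
The USB passthrough idea from the first post and the PCI-e adapter suggestion above both depend on the USB controller being assignable to the VM on its own. The script below is an added example, not code from any poster in this thread; it assumes a Linux host with the IOMMU enabled, and the function name and the sysfs-root parameter are made up for illustration. It lists each PCI USB controller and reports whether it sits alone in its IOMMU group, since VFIO assigns devices to a guest per group.

```shell
#!/bin/sh
# Added example: find PCI USB controllers that can be handed to a VM cleanly.
# A controller alone in its IOMMU group can be passed through without
# dragging other host devices along with it.

# usb_passthrough_candidates [SYSFS_ROOT]
# SYSFS_ROOT defaults to /sys; it is a parameter only so the function can be
# exercised against a constructed directory tree (an assumption of this example).
usb_passthrough_candidates() {
    sysfs="${1:-/sys}"
    for dev in "$sysfs"/bus/pci/devices/*; do
        [ -r "$dev/class" ] || continue
        class=$(cat "$dev/class")
        # PCI class 0x0c03xx = serial bus controller, USB (UHCI/OHCI/EHCI/xHCI)
        case "$class" in
            0x0c03*) ;;
            *) continue ;;
        esac
        addr=$(basename "$dev")
        # No iommu_group link: IOMMU is off or unsupported, passthrough not possible
        if [ ! -e "$dev/iommu_group" ]; then
            echo "$addr no-iommu"
            continue
        fi
        # Resolve the symlink to the group directory and count its members
        group_dir=$(cd "$dev/iommu_group" && pwd -P)
        group=$(basename "$group_dir")
        members=$(ls "$group_dir/devices" | wc -l | tr -d ' ')
        if [ "$members" -eq 1 ]; then
            echo "$addr group=$group isolated"
        else
            echo "$addr group=$group shared($members)"
        fi
    done
}

# Run against the real host when executed directly
usb_passthrough_candidates "${SYSFS_ROOT:-/sys}"
```

A controller reported as `isolated` is the one to wire the customer-facing USB ports to; a `shared(N)` controller would take the other members of its group away from the host as well.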