Ideally, all computer usage should be transparent to the task the end user is performing. In practice, however, there is a balancing act between usability and security. This guide leans towards the security side and sacrifices usability.
Modularity (good) versus interdependencies (bad)
[applies to network, server, workstation, life]
But what about consolidated management? i.e. one license for MS Office, MS AD?
It is possible to have integrated management of modular components. How? Standards. RFCs.
We'll assume the user needs access to the external internet, a local server, and other workstations.
As a preference, all software should be free and open source. (Cheaper; if bugs found,
then they can be fixed)
run Linux as the host OS, then use VirtualBox to run work boxes (Ubuntu if possible, but
more likely non-FOSS Windows). Guest boxes: test, prod. Each VirtualBox
guest uses shared folders to point to the data on the host. If a compromise is found, the
guest boxes can be discarded and reset to a known good point.
$ VBoxManage startvm <vmname>
a Linux equivalent of AutoIt would be necessary to send <host>-f for full screen
The above setup also makes backup easy, but the guest OS needs to be shut down to access
the vdi.
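The disposable-guest workflow above (shared folder for data, a known-good snapshot, reset after a suspected compromise) as an added shell example; it is not part of the original notes. It assumes VBoxManage is on PATH (the VBOXMANAGE variable lets you point it at a stub), and the VM name, share name and snapshot name are placeholders.

```shell
#!/bin/sh
# Added example: disposable VirtualBox guest workflow (not from the original note).
# Assumes VBoxManage is installed; VBOXMANAGE can be overridden for testing.
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
GOOD_SNAPSHOT="${GOOD_SNAPSHOT:-known-good}"   # assumed snapshot name

# Print the guest's power state ("running", "poweroff", "saved", ...).
vm_state() {
    "$VBOXMANAGE" showvminfo "$1" --machinereadable \
        | sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Attach a host directory as a shared folder so work data never lives only in the guest.
# Arguments: vm name, share name, host path. Guest Additions automount it on boot.
add_work_share() {
    "$VBOXMANAGE" sharedfolder add "$1" --name "$2" --hostpath "$3" --automount
}

# Record the clean state right after provisioning: this is the reset point.
mark_known_good() {
    "$VBOXMANAGE" snapshot "$1" take "$GOOD_SNAPSHOT"
}

# Discard the current guest state and return to the known-good snapshot.
# Refuses while the guest is running, since snapshot restore needs it powered off.
reset_guest() {
    if [ "$(vm_state "$1")" = "running" ]; then
        echo "guest $1 is running; power it off first (controlvm $1 poweroff)" >&2
        return 1
    fi
    "$VBOXMANAGE" snapshot "$1" restore "$GOOD_SNAPSHOT"
}

start_guest() {
    "$VBOXMANAGE" startvm "$1" --type gui
}

# Subcommand dispatch; with no arguments the script only defines the functions.
case "${1:-}" in
    share) add_work_share "$2" "$3" "$4" ;;
    mark)  mark_known_good "$2" ;;
    reset) reset_guest "$2" ;;
    start) start_guest "$2" ;;
    "")    ;;
    *)     echo "usage: $0 share|mark|reset|start <vmname> [share-name host-path]" >&2 ;;
esac
```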
Ideally, the user's workstation should be disposable (nothing on the hard drive is important). Unfortunately,
Outlook, My Documents are local. A workaround for this is to set Outlook.pst and My Documents to point
to a network drive. Downside to this approach is that networked drives need to be extremely reliable (which
they are not). Also, if your documents are stored on a network drive and you delete a file, that file is gone
semi-permanently (does not go to trash). While still hypothetically recoverable on the server, it's not as easy
as just moving a file out of the trash. Ideally, files deleted from the network drive should have the option of
being moved to the local trash (that solution does not exist, as far as I know).
check sites that are visited using Google's Safe Browsing report