Public access endpoints are among the hardest endpoints to secure. Anyone can use them, and every session can leave something behind. Reboot-to-restore technology addresses this challenge by automatically resetting systems to a known-good state.
Read on as we cover why conventional endpoint security falls short on these systems and expand on how reboot-to-restore technology closes those gaps.
Security Challenges of Public Access Endpoints
A public access endpoint is defined by the very thing that makes it useful: it’s open to many different people. That openness creates security problems that rarely arise on a single user’s assigned device:
- Unrestricted user access: Public machines are meant to be used freely, often without individual logins (or accountability). Each visitor can install software, change settings, and download files. There is no straightforward way to trace a harmful action back to the person who took it.
- Configuration drift: Over many sessions, small changes accumulate. It’s a setting altered here and a program added there. These residues gradually move a machine away from its intended baseline, which degrades performance and leaves every device subtly different from the next.
- High attack surface from shared use: A computer used by hundreds of people is exposed to far more risk than one assigned to a single employee. Each session is a fresh chance for malware to arrive, whether introduced deliberately or by accident. The constant turnover of users keeps that exposure continuous.
These conditions are not occasional lapses but the normal state of a shared system. Securing such a machine therefore means planning for constant, unpredictable change rather than expecting to prevent it.
Limits of Traditional Endpoint Security
Most endpoint security is built to identify threats and stop them. On public access systems, that model runs into three primary structural limits.
Detection-Based Limitations
Conventional tools (from signature-based antivirus to behavioral endpoint detection) work by recognizing something as malicious and then acting on it. The weakness is built in because a tool can only stop what it manages to identify. Signature-based antivirus cannot catch a threat it has never encountered, which leaves zero-day exploits and novel malware free to pass through.
Behavioral detection goes further by monitoring for suspicious activity rather than relying on known files. However, it is still a detection method and can be fooled by techniques designed to appear ordinary. On a shared machine that meets unfamiliar threats in every session, anything that depends on recognition will eventually miss one.
Inability to Reverse System Changes
Traditional security tools are built to detect threats, not to reverse their effects. A tool may flag or block a threat, but it does little to undo changes already made—and not every damaging change involves malware.
A user who makes changes (whether altering a system setting, deleting a needed file, or installing an unwanted program) leaves the machine in a worse state. Detection-based tools are not designed to notice that kind of harm, let alone reverse it. Returning a compromised or misconfigured machine to a known-good state usually falls to manual cleanup or full reimaging, which is slow, labor-intensive, and frequently incomplete.
Maintenance and Update Dependencies
Signature databases and detection rules have to be refreshed continually, so this protection is only ever as current as its last update, and any gap between updates is a gap in coverage. Keeping that protection current across a fleet of shared machines is a recurring burden in itself. It sits on top of the separate work of applying operating system and application patches to every device.
Configuration drift makes the task harder, since each machine slowly diverges from the rest. As a result, maintenance cannot be applied uniformly and must instead account for the specific state each device has drifted into. What remains is a heavy, unfinished workload that grows with every endpoint added.
How Reboot-to-Restore Fills the Gaps
Reboot-to-restore approaches the problem from the opposite direction. Rather than trying to recognize and block every threat, it makes change impossible to keep. An administrator sets a known-good baseline and freezes it, after which the system treats every write to the disk as temporary.
Whatever happens during a session is discarded when the machine restarts. Malware infections, accidental deletions, configuration changes—none of it survives a reboot. The endpoint returns to the exact state the administrator defined.
Because nothing has to be identified for this to work, a zero-day attack is handled as readily as a known one, and configuration drift is erased on every reboot. It does not replace detection-based tools, which still matter for stopping data theft during a session. But it removes the burden of restoration and guarantees a clean system for the next user.
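The frozen-baseline model described above can be made concrete with a small in-memory simulation. This is an added example, not Faronics or Deep Freeze code: it models the disk as a known-good baseline plus a per-session write overlay, discards the overlay on reboot, and assumes a "thawed" maintenance mode in which an administrator edits the baseline itself (class and method names, the sample kiosk files and the dropped-file stand-in are all constructed for illustration).

```python
# Added example (not Faronics/Deep Freeze code): minimal model of a frozen disk.
# Names, the maintenance-mode behaviour and the sample files are assumptions.
from dataclasses import dataclass, field

_DELETED = object()  # tombstone: the path was deleted during this session only


@dataclass
class FrozenDisk:
    """Baseline image plus a per-session write overlay.

    While frozen, every write or delete lands in the overlay and the baseline
    is never touched; reboot() throws the overlay away. Thawing (an assumed
    maintenance mode) lets an administrator change the baseline itself.
    """
    baseline: dict                                # path -> bytes, the known-good state
    frozen: bool = True
    overlay: dict = field(default_factory=dict)   # path -> bytes or _DELETED

    def read(self, path: str) -> bytes:
        # Session changes shadow the baseline; the baseline is the fallback.
        if path in self.overlay:
            if self.overlay[path] is _DELETED:
                raise FileNotFoundError(path)
            return self.overlay[path]
        if path in self.baseline:
            return self.baseline[path]
        raise FileNotFoundError(path)

    def write(self, path: str, data: bytes) -> None:
        target = self.overlay if self.frozen else self.baseline
        target[path] = data

    def delete(self, path: str) -> None:
        if self.frozen:
            self.overlay[path] = _DELETED   # hidden for this session, not removed
        else:
            self.baseline.pop(path, None)

    def exists(self, path: str) -> bool:
        try:
            self.read(path)
            return True
        except FileNotFoundError:
            return False

    def reboot(self) -> None:
        """Discard all session changes; only the baseline comes back up."""
        self.overlay.clear()

    def thaw(self) -> None:
        """Maintenance mode (assumed): start clean, then write to the baseline."""
        self.reboot()
        self.frozen = False

    def freeze(self) -> None:
        self.frozen = True


def new_kiosk() -> FrozenDisk:
    # Constructed sample baseline for a kiosk-style public machine
    return FrozenDisk(baseline={
        "/etc/kiosk.conf": b"homepage=https://library.example\n",
        "/opt/browser/version": b"1.0\n",
        "/home/public/readme.txt": b"Welcome\n",
    })


def simulate_session_and_reboot(disk: FrozenDisk) -> dict:
    """One public session: drops a file, edits config, deletes a file; then reboots."""
    disk.write("/tmp/dropper.bin", b"constructed stand-in for an unwanted file")
    disk.write("/etc/kiosk.conf", b"homepage=https://changed.example\n")
    disk.delete("/home/public/readme.txt")

    def snapshot() -> dict:
        return {
            "dropper_present": disk.exists("/tmp/dropper.bin"),
            "config": disk.read("/etc/kiosk.conf"),
            "readme_present": disk.exists("/home/public/readme.txt"),
        }

    during = snapshot()   # changes are visible for the rest of the session
    disk.reboot()
    after = snapshot()    # baseline is back, untouched
    return {"during": during, "after": after}


def apply_patch(disk: FrozenDisk, new_version: bytes) -> bytes:
    """Administrator workflow: thaw, update the baseline, refreeze, reboot."""
    disk.thaw()
    disk.write("/opt/browser/version", new_version)
    disk.freeze()
    disk.reboot()
    return disk.read("/opt/browser/version")
```

Two points the model makes visible: during the session every change is fully effective, including reads of whatever is on the machine, which is why the text says detection tools still matter for stopping data theft mid-session; and operating-system or application patches only persist when applied through the maintenance path, so the update workload from the previous section does not disappear, it just becomes a deliberate thaw-patch-refreeze step rather than per-machine cleanup.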
Discover Deep Freeze
Faronics Deep Freeze applies patented reboot-to-restore technology to public access endpoints, returning each computer to its frozen baseline with a simple restart. It keeps shared machines consistent and available while freeing IT teams from manual cleanup.
Discover how Deep Freeze can protect your public access systems.