Locked Down: Maximum Security

czglory

Member
Jan 27, 2008
68
0
61
Hello, I am interested in ideas/thoughts on how to get the best security possible on a standard Windows computer without being so impractical it's frustrating to use.

My ideas so far, mostly just guessing here:

1. Internet security suite (what's the best? Kaspersky?)
2. Secondary security software that is compatible with the first (Malwarebytes or SUPERAntiSpyware running side-by-side with Kaspersky Internet Security or other suite)
3. Software firewall if not included in the suite to protect from intrusions within the network
4. Hardware firewall via router
5. Microsoft auto updating
6. Secunia PSI run daily
7. Uninstalling Java (is there a better route for compatibility?)
8. Uninstalling (is this possible?) Adobe and using alternative PDF readers, etc.
9. Setting a password-protected administrator account and using a standard user account with a password.
10. Computer locks after several minutes requiring password
11. Disabling auto-play/run
12. Disabling remote registry
13. Setting certain possible risky applications to lower user rights
14. Using Firefox with NoScript
15. Setting emails to text-only and never clicking email links
16. Not using any programs like Skype, AIM (any secure solution?)
17. Running any newly downloaded file in sandbox
18. trip wire
19. Minimal internet browsing with WOT, AVG link (don't remember the name) addon.
20. Connect to internet via a VPN (this seems like a pretty large hassle to me but I have never really used a VPN or proxy)
21. Windows 8(?) over 7?
22. In before "run Linux"
23. UAC control to maximum
24. Using KeePass database with USB key and salty PW
25. Biodefense seems impractical and expensive.

Any better ideas for physical security than tripwire, passwords, and disabling autorun? An ability to wipe a stolen hard drive remotely would be handy; also I suppose a locked drive bay could help a bit.

I can't think of anything else off the top of my head, but I need to make my computer as secure as I can without too much sacrifice. Any thoughts, additions, removals, or comments are appreciated!
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,044
184
116
This is a pretty good list so far.

I would also encrypt the entire HD.

8. There are many alternatives to Adobe Reader which you can use with no problem.

16. Not sure if there is a really secure IM program out there, someone else may know?

17. Sandboxie is good for this.

20. VPN could be a good idea when connecting to a bank or other secure sites.

21. Win8 is more secure than 7, so if you can get used to it that would be good.

24. That would be great to use KeePass. If you use KeePass you should consider making a backup copy if it is only on 1 USB.
 

Ayah

Platinum Member
Jan 1, 2006
2,512
1
81
4. Doesn't exist. All firewalls are done in software.

I'm surprised you don't have IDS/IPS on your list; Snort is my choice for it.

16. If you run programs from within a VM, it should be mostly secure, as far as I know.

3. Why do you need to protect yourself from within your network?
 

czglory

Member
Jan 27, 2008
68
0
61
I believe Pidgin IM has some sort of encryption plugin but requires both parties to have it I believe, and it's not that much of a help. Running any IM program through a VM sounds safe. That router looks to be the most BAMF affordable personal router I've seen.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
1. use Win8 Pro 64-bit and a motherboard that supports Secure Boot (and has it enabled in the BIOS).

2. use a CPU with an Ivy Bridge core, which combined with Win8 gets you Supervisor Mode Execution Prevention.

3. set up a Software Restriction Policy and audit for loopholes. Instructions: http://www.mechbgon.com/srp This is pretty easy to live with.

4. disable the Current Working Directory DLL-loading feature/vulnerability/whatever-you-want-to-call-it. See the very end of my SRP guide linked above for more about CWD.

5. biometrics are practical and useful. Get an Authentec fingerprint scanner and the free Authentec Protector Suite download. See towards the bottom of http://www.mechbgon.com/security for more on this. It allows you to use very long, complex, secure and unique passwords for all your site log-ins, as well as for Windows itself.

6. Microsoft EMET. Enable the Unsafe Settings option and see if it boots OK.

7. Use the built-in Win8 PDF/XPS reader (named "Reader"), which is not burdened with tons of features to abuse, plus it's heavily sandboxed in a Win8 AppContainer.

8. Since Firefox still has no sandboxing and runs at Medium integrity, I'd put it in third place behind IE10 (particularly with EPM enabled) or Google Chrome. They're doing a great job competing with IE6, I'll give them that much :biggrin:


Additional suggestion: if you're planning to do something you consider risky, do it from a separate "risky behavior only" user account, and make sure that user account is specifically NOT allowed access to whatever you consider valuable, like your documents, photos, storage drives, and so forth.

You can also lock unauthorized USB devices out completely using Group Policy, another reason to choose Win8 Pro instead of Win8 vanilla. More info:
http://msdn.microsoft.com/en-us/library/bb530324.aspx This is a double-edged sword, especially the first time you try swapping keyboards or mice and discover you've painted yourself into a corner, so do your homework.

Another related topic: mandatory profiles. See the Win7 SP1 Security Guide at Microsoft, I believe they cover it in there. I have a system at work set up for public use that uses a mandatory user profile that reverts itself at every logon. Obviously this is not a suitable setup for a home user, though.

You can also download the free Microsoft Security Compliance Manager and generate/apply a custom high-security Group Policy that you can apply to the local system using the included LocalGPO tool. You'll be engoggled the first time you see how many security options it can tweak. Hundreds of them, for Windows, IE, and Office. And speaking of office software, get at least Office 2010 and use Microsoft SCM and EMET to harden it.

Setting UAC to maximum is a good idea. If you can handle it, then what's even more secure is to completely forbid your Standard User account from elevating ANYTHING, which is accomplished by your Local Security Policy > Security Settings > Local Policies > Security Options > User Account Control: Behavior of the elevation prompt for Standard Users setting (set it to deny all elevation). This forces all Admin work to be done from the Admin account (what a concept!).

Oh, and NEVER EVER install Java. Anything that requires Java, throw it away.
 
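Several settings named in the posts above (UAC level, denying elevation for Standard Users, the SRP default level, the CWD DLL-loading fix, AutoRun, Remote Registry) live in the registry and can be checked in one pass. The following read-only audit is an added example, not code from any poster or from the linked guides; the value names are the standard Windows ones, and the target values in `Want` are this example's assumptions for a locked-down machine.

```powershell
# Read-only audit: reads registry values and reports, changes nothing.
# "Want" holds this example's assumed targets (8 hex digits), not settings quoted in the thread.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Name = 'UAC enabled'
       Path = $sys; ValueName = 'EnableLUA'; Want = '00000001' }
    @{ Name = 'UAC admin prompt: consent on secure desktop (Always notify)'
       Path = $sys; ValueName = 'ConsentPromptBehaviorAdmin'; Want = '00000002' }
    @{ Name = 'Standard users: elevation requests automatically denied'
       Path = $sys; ValueName = 'ConsentPromptBehaviorUser'; Want = '00000000' }
    @{ Name = 'SRP default security level: Disallowed'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
       ValueName = 'DefaultLevel'; Want = '00000000' }
    @{ Name = 'CWD removed from DLL search order'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       ValueName = 'CWDIllegalInDllSearch'; Want = 'FFFFFFFF' }
    @{ Name = 'AutoRun disabled on all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       ValueName = 'NoDriveTypeAutoRun'; Want = '000000FF' }
    @{ Name = 'Remote Registry service disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'
       ValueName = 'Start'; Want = '00000004' }
)

$report = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: Windows falls back to its default behaviour
        $actual = 'not set'
    } else {
        # Format as 8 hex digits so a DWORD compares the same whether it is
        # returned as a signed or an unsigned 32-bit integer
        $actual = '{0:X8}' -f ($item.($c.ValueName))
    }
    [pscustomobject]@{
        Setting = $c.Name
        Actual  = $actual
        Want    = $c.Want
        Status  = if ($actual -eq $c.Want) { 'OK' } else { 'REVIEW' }
    }
}
$report | Format-Table -AutoSize
```

A `REVIEW` row means the value differs from the assumed target or is not set; a missing SRP `DefaultLevel`, for instance, means no Software Restriction Policy has been configured at the machine level.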

KeithP

Diamond Member
Jun 15, 2000
5,661
199
106
Too many sites ask you to use an email address as a user ID. You probably should have a separate email address for sensitive sites such as financial institutions or medical insurance. The email address the world sees should not be used for those things.

Also, most of your web browsing could be done inside a virtual machine or even a completely separate machine.

-KeithP
 

bononos

Diamond Member
Aug 21, 2011
3,910
172
106
.......

any better ideas for physical security than tripwire, passwords, and disabling autorun? An ability to wipe a stolen hard drive remotely would be handy, also I suppose a locked drive bay could help a bit.

I can't think of anything else off the top of my head, but I need to make my computer as secure as I can without too much sacrifice. Any thoughts, additions, removals, or comments are appreciated!

Controlling access to USB ports would be the key since malware can come from flash drives. It's possible to configure USB ports to require passwords in Windows by fiddling around the registry I think. Or install some kind of USB security software.

And for your own flash drives - immunize them to disable autoruns which would prevent malware from infecting your thumb drives.

And I'm surprised that VMs aren't at the top of your list. No point in all the fancy apps when you've got a keylogger or some Java exploit. It's better to run your password manager in another VM and switch over when you need to refresh your memory. Or am I mistaken about this?
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
Change your DNS servers to OpenDNS (208.67.222.222, 208.67.220.220) or Google (8.8.8.8, 8.8.4.4). Both of these services offer some level of security by filtering known bad domains. OpenDNS actually blocked a bunch of domains that one virus was using to contact its Command & Control servers, rendering it dead in the water effectively since it couldn't update its payload, or return any stolen information.

Use a Virtual Machine configured to dump any changes each time it's run. You can almost forget about a ton of extra security that way since simply rebooting will clear it out of any infection. The biggest worry is that if the VM gets infected with a worm, that worm then has LAN access to your other systems, so running a software firewall on all computers is still a good idea. You could place the VM in a separate subnet or even in the DMZ for slightly more security.

Use Foxit Reader or the built-in Chrome/Firefox PDF viewer. Dump Adobe.

I like running Chrome and keeping Flash uninstalled since Chrome handles Flash updates and runs it sandboxed. Chrome also runs each tab in a separate process while Firefox is still running everything under one process (except for plugins).

Just drop Java altogether. It's just way too insecure for any normal use.

Use two-factor authentication where possible.

Not sure about KeePass but I really like LastPass. It has two-factor authentication (can use Google Authenticator), and lets you limit geographic locations where your account can be logged into. So you might say I only want to be able to access my LastPass account from Bermuda, and nowhere else. And disallow logins from Tor.

Running NoScript with disallow: * to start is incredibly frustrating and breaks the 'impractical or frustrating' part.
 

Tuffrabbit

Member
Mar 11, 2005
81
0
0
mechBgon Quote "Oh, and NEVER EVER install Java. Anything that requires Java, throw it away".

Some of the work I do requires "Java Script" to be enabled... (i.e. real estate listing photos)

Have not found a way around this...
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,044
184
116
JavaScript should be OK in general and you can whitelist sites if you'd like using the NoScript Firefox add-on.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Yeah, JavaScript and Java are two different things, despite the similar names. They should rename JavaScript to HotChocolateScript, that would ease the confusion :biggrin:
 
Jan 31, 2013
108
0
0
1. Time Freeze

Welcome to the world of being immune to infections and never having to re-install Windows. Though even this won't stop you from being infected with malware, and them keylogging your data or another. Though a simple reboot of the machine, and all possible infections will be gone (reboot before entering mission critical information).
 

z28dreams

Senior member
Apr 7, 2002
224
0
76
I don't see much mentioned on encryption.

I keep all financial related documents in a small TrueCrypt file.

Full disk encryption would probably be better.

I use LastPass for non-critical websites (no financial, email, etc), but would worry if someone got in.

I also use Prey on my laptop in case it is stolen.
 

lxskllr

No Lifer
Nov 30, 2004
57,941
8,198
126
Is Linux that much better security-wise or is it that no one bothers writing malware for Linux because of the small installed base vs Win8/7/XP?

Both. It's more secure than Windows, and it doesn't have a big bullseye on its back. In the end, most security (or lack thereof) comes down to the user. GNU/Linux has a small market share, and users that are more technical than average. There would be a lot more issues if many "normal" people started running it, and it would usually be due to people pwning themselves, same as Windows.
 

pcunite

Senior member
Nov 15, 2007
336
1
76
Is Linux that much better security-wise or is it that no one bothers writing malware for Linux because of the small installed base vs Win8/7/XP?

Nothing is secure ... get that in your head. Linux has been exploitable for years because of CVE-2013-2094. The best you can do is only run trusted code and only allow network access through a series of layers.

Have a separate machine and account that is automatically restored when you're finished with it for anything serious.

Windows is the simplest way to be secure day in and day out (unless you're concerned about government back doors) because of SRP.
 

John Connor

Lifer
Nov 30, 2012
22,757
617
121
All are good advice and I use NoScript and like it. It has a software like Firewall built in too! I use Avira and Comodo. Be sure to install Avira first as it will complain about Comodo. I use DD-WRT in the router and have ActiveX off and have several iptables. Read about those. Plus I have a built in SSH tunnel in the router where iptables block brute forcing it. I also use a port besides 22. It's like 15432. I use OpenDNS. Most of my browsing is done in portable Firefox in a TrueCrypt container and the cache is in RAM. All cookies and cache are dumped on exit.
 