Securing a new Win 7 Laptop

PrinceXizor

Platinum Member
Oct 4, 2002
2,188
99
91
Just purchased a new laptop and my OS security knowledge ends with XP SP3. So....any suggestions on how to properly secure this laptop? I have a broadband modem going to a wireless gateway/router.

P-X
 

Binky

Diamond Member
Oct 9, 1999
4,046
4
81
Install any of the free virus scanners, the free version of Malwarebytes or SUPERAntiSpyware (not both), and maybe Sandboxie if you regularly open files that are likely to be infected.
 

PrinceXizor

I have Avast Free on there and I used Malwarebytes on my old PC. So the Windows Firewall in Win 7 is okay? I have Home Premium.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
I have a list of baseline steps here: http://www.mechbgon.com/security

The big picture: eliminate unnecessary attack surface, make the remaining attack surface harder to exploit, make a successful exploit worth less by limiting how much privilege it could get the attacker, and make it extremely difficult for an exploit to launch an actual payload even if it manages to deliver one.

That last step (blocking the execution of payloads) can be done using the Parental Controls feature on Win7 Home Premium. Use a Standard User account as your "daily driver," and apply Parental Controls to it. Use Parental Controls to limit what software can be run, whitelist all the existing software on the system, and then you'll be prompted before new stuff can execute on your Standard User account.

On Win7 Pro or Ultimate, I still prefer Software Restriction Policy instead of Parental Controls.
 

PrinceXizor

Thanks! Great guide! Will be implementing most of the suggestions if not all of them.

P-X
 

PrinceXizor

Side question....while configuring my Netgear wireless router my friend's wireless devices (first his iPad then his work netbook) kept "stealing" my access to the router. He wasn't doing anything with them, they were just on.

I would be browsed to the wireless router and then it would say "Device is being managed by http://10.0.0.2" or whatever the assigned IP was of the device. It was a little disconcerting although as I said, they didn't appear to be actively doing anything. The note wouldn't go away until the device was turned off, then I could browse to the router address again.

Anyone know what was going on?

P-X
 

mechBgon

One possibility is that the devices are compromised and are hax0ring your router. It's a good practice to change the router's password from the default, if you haven't done that already.
 

PrinceXizor

They've been changed already but it sure wouldn't hurt to change it again.

P-X
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
30,938
12,440
136
Install SP1 if you haven't already.

Use a limited access log-in to reduce risk.

Make sure your firewall is on.

Install the latest MSE and Malwarebytes Anti-malware.

Use a secure browser like Firefox or Chrome.

Make sure to update with Windows Update.

The biggest security risk is risky surfing and downloading. Use common sense here and you should have little if any issues.
 

PrinceXizor

Thanks for all of the input and special kudos to mechbgon for his awesome security guide. Reading it and messing with this laptop makes me feel like I have a much better grasp of Win7 and how it is put together which always makes me feel like I actually know what I'm doing (a little anyway) as opposed to just clicking buttons and letting the computer tell me what's best.

So, next issue...

Since I'm used to XP, it was a royal pain to use different accounts. Tried it and it just didn't work for my family. However, it seems Win7 should be a different story. So, a few questions.

1. If I install a program (say Firefox), should I be logged in as a normal user or as an administrator?

2. How do I allow all users to use Firefox?

3. If I allow all users to use Firefox are bookmarks, saved passwords and the like user independent and secure?

4. If I already have a program installed using the administrator account, how do I transfer, reconfigure that for my daily use account (I already d/l'd and configured Thunderbird before I setup the separate accounts).

5. I configured my router per mechbgon's guide to block all other ports except for a select few used for http, ftp, etc. I must have done something incorrectly (not totally as I can use HTTP fine with all service blocking enabled). When I went to d/l the Secunia software it didn't let me ftp to their site. When I went into the router settings and disabled service blocking I could d/l the program w/o a problem. Here are the ports I have blocked: 1-19, 26-52, 54-79, 81-109, 111-122, 124-442, 444-65534. Any thoughts?

P-X
 

PrinceXizor

So, I figured a few things out. Thunderbird is installed for both accounts but I managed to get the profile over to the non-admin account. It was a pain to figure out how to show hidden folders which is where the user app data was located. Just growing pains with a new OS I guess.

Also, I see now that Win7 will prompt me for my admin password if I'm trying to do something as a non-admin so that is handy.

I'd like to balance out system responsiveness (i.e. number of services running at startup) versus system security. Any good guide on customizing services (there are QUITE a few to review)?

I'd also still like to know just how secure the files are in a non-admin user especially as regards search and index.

Thanks!

P-X
 

mechBgon

> use a secure browser like Firefox or Chrome.

Ooops, you accidentally included Firefox there. A browser with no sandboxing capabilities? NO. Use IE9 (with Protected Mode) or Chrome (with sandboxing).

> I'd also still like to know just how secure the files are in a non-admin user especially as regards search and index.

Exploits most commonly gain the same rights you're currently wielding yourself. So what you can do, they might be able to do. That includes encrypting your files and holding them for ransom, which is the "ransomware" branch of the malware spectrum. For this reason, as well as the possibility of a drive failure/etc, a working backup & recovery strategy is a good idea. And like I mentioned before, you can block the execution of exploit payloads with Parental Controls or Software Restriction Policy to put a nasty hurdle in the way. Sometimes it'll be in your way too, but you get used to it.

If you plan to engage in high-risk activities, you can create a separate non-Admin user account just for that role. It won't have access to your regular account's profile, including your music, documents, and other stuff that's stored in your user profile. But it could still access stuff that's available to all users, such as a storage drive, unless you edit the permissions to forbid that.
 

notposting

Diamond Member
Jul 22, 2005
3,485
28
91
Just as an aside, the security stuff you've gotten plenty of info on, I have seen no need to dig into services really on 7. Keep the number of startup garbage down (msconfig if necessary) and that's about it. Any new machine generally has way more than enough horsepower to not worry about it.
 

PrinceXizor

mechbgon,

My thoughts on file security are less about being hacked and more about what kind of access will a standard non-admin "visitor" account that I create (say for my wife in a pinch) have to files in the library section of my own non-admin user account. I will have sensitive documents that even the filename could reveal confidential information, so I would like these not to appear in any search or indexing that Win7 may do.

P-X
 

mechBgon

> mechbgon,
>
> My thoughts on file security are less about being hacked and more about what kind of access will a standard non-admin "visitor" account that I create (say for my wife in a pinch) have to files in the library section of my own non-admin user account. I will have sensitive documents that even the filename could reveal confidential information, so I would like these not to appear in any search or indexing that Win7 may do.
>
> P-X

That makes sense. The "visitor" account (or something exploiting it) wouldn't be able to get any further than viewing C:\Users\ without Admin-level escalation. So it could determine the usernames of your other accounts, but that's all. If you move the libraries to another location, like if you have an SSD for boot/apps and a HDD for your libraries, then they might inherit the permissions of the drive they've been stored on... you'd want to do a reality check and limit the permissions on their parent folder if they're not doing what you want.
 
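The "reality check" on relocated libraries described in the post above can be done with PowerShell's Get-Acl. This is an added example, not part of any post in the thread; the folder path, the account name and the `$Fix` switch are hypothetical, and the group names assume an English-language Windows install.

```powershell
# Added example: report which broad groups can reach a relocated library folder.
# Run from an elevated PowerShell prompt so every subfolder can be read.
$LibraryRoot = 'D:\Libraries'                     # hypothetical parent folder of the moved libraries
$Owner       = "$env:COMPUTERNAME\DailyDriver"    # hypothetical: the one account that should get in
$Fix         = $false                             # set to $true to also lock the folder down

# Principals that would let any other local account (such as a "visitor") in.
$BroadGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries held by one of the broad groups are of interest.
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadGroups -contains $ace.IdentityReference.Value) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True = came from the drive or a parent folder
            }
        }
    }
}

# Check the parent folder and every folder beneath it.
$folders = @($LibraryRoot) + @(Get-ChildItem -Path $LibraryRoot -Recurse -Force |
    Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
$findings = @($folders | ForEach-Object { Get-BroadAccess -Path $_ })
$findings | Format-Table Path, Identity, Rights, Inherited -AutoSize

if ($findings.Count -gt 0 -and $Fix) {
    # Drop the ACEs inherited from the drive and grant full control only to the
    # owner, SYSTEM and Administrators, inherited by files and subfolders.
    & icacls $LibraryRoot /inheritance:r /grant:r "${Owner}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F'
}
```

An empty table means none of the listed groups has an Allow entry on the tree. After using `$Fix`, run the report again, since a subfolder with its own explicit entries is not changed by the command on the parent.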

PrinceXizor

So, I would assume then that means that if you are using the search feature that those files won't pop up either. It's simple enough to test but I just haven't set up the visitor account yet.

P-x
 

PrinceXizor

> Just as an aside, the security stuff you've gotten plenty of info on, I have seen no need to dig into services really on 7. Keep the number of startup garbage down (msconfig if necessary) and that's about it. Any new machine generally has way more than enough horsepower to not worry about it.

It isn't really the horsepower that is the problem. It's maximizing battery life. I already can notice a difference in battery life as I've installed more apps I need.

P-X
 

TBSN

Senior member
Nov 12, 2006
925
0
76
I followed (most) of what was on your guide MechBgon, thanks!

I'm wondering, now that I have to install software with the Administrator account (which I had to "un-hide" with "net user administrator /active:yes"), how do I make sure the software is installed for my standard user? I don't want all the app data installed in an inaccessible Administrator directory...
 

mechBgon

> I followed (most) of what was on your guide MechBgon, thanks!
>
> I'm wondering, now that I have to install software with the Administrator account (which I had to "un-hide" with "net user administrator /active:yes"), how do I make sure the software is installed for my standard user? I don't want all the app data installed in an inaccessible Administrator directory...

An easier way to handle that is to create your own Admin account, and leave your "daily driver" account as a Standard User (a non-admin). Then if you want to install software, you can do it from your daily-driver account. Right-click it, choose "run as Administrator," and your own Admin account will be the key. If you don't see "run as Administrator" when you right-click, hold down the Shift key while right-clicking it.

A minor convolution occurs if you're using Software Restriction Policy and installing something that uses a .MSI installer. MSI files don't have a "run as Administrator" option, so you can't bust out of the SRP directly. In that case, one straightforward workaround is to move the .MSI file to a place that's exempt from the SRP, like in Program Files. Or you can start a command-line box with Run As Administrator, then use the command line to launch the MSI file.

Most software I've installed ends up being available to all users with no hassles. Just make sure it's not being installed to the user's profile, you want it in Program Files.
 

TBSN

Oh, "run as administrator"! I should have guessed that...

Thanks!
 