Setting up Win7 for non-computer savvy relative. How to make as secure as possible?

[lizardboy]

Cliffs:
-Setting up laptop for non-computer savvy relative.
-Want to make Win7 as secure as possible.
-Put her on a limited (non-admin) account?
-???
-Profit

Longer version:
One of my relatives decided to buy my aunt (who is in her late 50's) a laptop for Christmas. He gave me a budget and I managed to snag a Dell Inspiron at a good price that will be more than adequate for what she will be doing (email, web, office apps). My question, since she is absolutely not computer savvy at all, is how to secure it as best as possible?

I'm already planning to put Nod32 on there with a 1-year subscription and make sure automatic updates are turned on. But I gave her an old PC 3-4 years ago (running XP with Norton & Spy-Bot & Auto Updates) and within a few months that poor PC was running Comet Cursor, Bonzai Buddy, and all kinds of spyware.

I was considering putting her on a limited (non-admin) account so that she theoretically can't do too much damage. Obviously this will require me to remote in when admin duties need to be done, but it should make the system that much more secure, right?

Any other suggestions people have? (other than, "Get her a Mac" or "Ubuntu!!!!).

Thanks

 

[soonerproud]

Putting them on a standard account is the best method to keep non-savvy people safe. Enable DEP for all programs and enable SEHOP. Just google those for instructions.

Edit:

Download and install Microsoft Security Essentials as the AV. It is light, fast, uses few resources and has one of the best detection rates in the industry. Best of all it is completely free.

 

[JackMDS]

If you have the computer in your hand first. In top of the above.

If he/she is on Broadband, make sure that a Router is installed even if only one computer is used.

You can consider Windows Security essentials instead of other commercial AVs.

So security can be comprised of, a Router, Win 7 Firewall, Win Defender, and Security Essential. ( http://www.microsoft.com/Security_Essentials/ ).

The money saved on the 3rd party security software would cover the Router’s cost.

The most important thing is to write a page or two with short precise info about functional safe use of the Internet.

Like, do Not open attachments from unknown people even if they promise you a millions $$$. If something, popup on the screen while on the Internet trying to check your computer, or announcing that you are infected switch it Off and o not do any thing.

Do not follow URLS in email form unknown source since what it says on the screen is Not necessarily the real url etc., etc.

Do not give the computer to the person before they read the paper.

If you are expected, or took upon yourself the keep supporting the person, configure the computer with some sort of remote Control (UltraVNC, Remote Desktop, LogMeIn, whatever else you like). In addition, open the ports (if needed) through the Software Firewall and the Router.

.

 

[lizardboy]

Thanks Jack & Sooner, good suggestions.

I should have mentioned that I was planning to setup an old WRT54G running Tomato (both for wireless access and for NAT protection) and I'll turn on WPA. I'm also going to install Firefox with Adblock and suggest she use that for her default broswer.

 

[MStele]

This probably won't be an issue, give the age of the person the computer is going to, but I wanted to share my experiences with being admin for relatives. Personally I've given up the job of being admin to my relatives computers, because no matter how much I try to keep them secure I can't save them from themselves. It never fails that about one month after I've redone a machine I would get a call saying that something was acting funny, and it never fails that I always find a mile high stack of virus/spyware infested ill-gotten media through p2p services. Even in those times where they weren't downloading shady software, they would still attemp to install every web game they came across, along with all the adware with them. Of course you can lock down their machines, but then you'll get calls all the time bugging you about how they can't play the latest <insert web puzzle game here> until you give them the admin password, which they ultimately get because they own the machine, which only starts the cycle again.

All I can say is good luck. Short of disconnecting the internet, there really isn't anything you can do to completely protect the machine, since I find the average non-computer savvy person is going to do more damage to their own machine through bad choices than any hacker, but hopefully you can weather the storm. Since you mention its an older person, p2p downloading is probably not going to be an issue, but just be wary that once people know you have computer knowlege, they milk you for it haha.

 

[VirtualLarry]

I'm surprised no-one has mentioned Windows Steady State yet. That might be an option here.

 

[Rhonda the Sly]

Run Windows Update on a schedule that automatically downloads and installs updates or they will never get installed. I learned that with my relatives a while back. Run MSE on a schedule, too.

Maybe consider the following:
Remote desktop - only allow connections with NLA (Windows 7 only)
Type "Remote" into the start menu, it should appear as "Allow remote access to your computer" or a few other similarly named options.

Turn on secure logon
Start menu &#187; "netplwiz" > advanced [tab]

Turn UAC up to the max
Type "UAC" into the Start menu

 

[Fox5]

Limited user account.
Microsoft Security Essentials.
Remove Internet Explorer. Set them up with Firefox with Adblock Plus and Web of Trust installed.
Consider using OpenDNS to block bad domains.
Automatic updates.

 

[soonerproud]

Limited user account.
Microsoft Security Essentials.
Remove Internet Explorer. Set them up with Firefox with Adblock Plus and Web of Trust installed.
Consider using OpenDNS to block bad domains.
Automatic updates.

I disagree on changing to Firefox. IE8 is proven more secure for the less tech savvy. It takes a knowledgeable person to properly secure Firefox and FF lacks sandboxing, which IE8 has.

 

[Fox5]

I disagree on changing to Firefox. IE8 is proven more secure for the less tech savvy. It takes a knowledgeable person to properly secure Firefox and FF lacks sandboxing, which IE8 has.

But Interet Explorer is almost exclusively the only browser targetted by malware and exploits. Just switching browsers greatly reduces the number of attacks.

 

[JackMDS]

But Interet Explorer is almost exclusively the only browser targetted by malware and exploits. Just switching browsers greatly reduces the number of attacks.

Regular mundane users are not usually the targets of attacks hackers have No real interest in them (unless it is High School Kids playing hackers against their own friends).

The majority of the infestations gets to End-Users computers get there on their own Ignorant volition.

I.e., Logging to questionable sites, open unsafe mail, believing that there are people in the world that there sole existence is to dispense through the Internet Millions of $$ in exchange for nothing.

Major damage is done by sending to people emails that look like a Banks, and other financial institutions, asking for updating info of credit cards and other account id. People click on the URLs, and voluntary surrender their data.

From that perspective it really does not matter which Browser you use.

The slight differences in synthetic measure of software account to very little variance in the Internet security problems.

 

[NetGuySC]

....

 

[Binky]

Make her write this by hand 100 times: "I will not install 'FREE' software, ever."

 

[mechBgon]

But Interet Explorer is almost exclusively the only browser targeted by malware and exploits. Just switching browsers greatly reduces the number of attacks.

Whoa, you're badly misled. Read the Security Intelligence Report and note what's actually targeted in Internet-driven attacks on Vista/7 systems. Of the top ten, nine are third-party add-ons/extensions, e.g. Flash Player, RealPlayer, Adobe Reader, etc. Sites that are running an attack suite (MPACK, Icepack, Webattacker, etc) will use different sets of exploits depending on your browser, too. I think IE8 is the best pick here since it provides Protected Mode as "damage containment" against successful exploits of that stuff too, not just of itself alone. Its malware filtration is also best-of-breed. This isn't your father's Oldsmobile...

Keeping the third-party software up-to-date never hurts, but it can be difficult to keep up on. Try the Secunia Personal Software Inspector on them and see if they can handle it. They will need to log into their Admin account to run the PSI, or else use the Run As Administrator option.

If the version of Win7 happens to be Professional or Ultimate, I would also enable Software Restriction Policy, which is even better on 7 than on Vista or WinXP. This is a massive blanket defense against many attack vectors even with a working exploit. Fully enabling Data Execution Prevention (pic) and enabling SEHOP are also well worth it.

And school them on what's up with scareware... here's a YouTube vid where I recorded one, if you need a visual aid: http://www.youtube.com/watch?v=j2VraJfBBn0 Drill them on how to "break out" of an endless-loop situation by using Task Manager to kill their browser.

 

[Modelworks]

The only way to really protect a pc from a user is not to let them touch it. Other than that setting up a pc in kiosk mode where they cannot install anything, cannot make changes and can only run the software installed is the only other way.

Consider looking at windows stready state
http://www.microsoft.com/windows/products/winfamily/sharedaccess/whatis/default.mspx

 

[soonerproud]

But Interet Explorer is almost exclusively the only browser targetted by malware and exploits. Just switching browsers greatly reduces the number of attacks.

That is absolutely untrue. Firefox is exploited more right now than IE 8. You do not get the market share Firefox has and not be targeted.

 

[Fox5]

That is absolutely untrue. Firefox is exploited more right now than IE 8. You do not get the market share Firefox has and not be targeted.

Maybe it's different on Windows Vista and 7, but both my parents run XP (which doesn't have protected mode iirc). For the longest time, I had them on Internet Explorer 8 since they were most comfortable with IE. Every month or so, their computers would be full of infections I had to clean out.
Eventually, I just uninstalled IE and left only Firefox on their computers and they haven't had an infection since. Not a scientific test at all, but from my personal experience, IE, even IE8, is easily infected on XP, while Firefox is not.

 

[abaez]

If the version of Win7 happens to be Professional or Ultimate, I would also enable Software Restriction Policy, which is even better on 7 than on Vista or WinXP. This is a massive blanket defense against many attack vectors even with a working exploit. Fully enabling Data Execution Prevention (pic) and enabling SEHOP are also well worth it.

This is what I've done with my parents. They used to have all of these problems but with the limited user account, Restriction Policy, DEP and antivirus I have not had one issue. I actually have them use Chrome. I tried to get her to IE but my mom could not stand the slowness.

Now I get complaints that they can't install anything, but I just essentially ignore them because everything they need is already installed.

 

[mechBgon]

Maybe it's different on Windows Vista and 7, but both my parents run XP (which doesn't have protected mode iirc). For the longest time, I had them on Internet Explorer 8 since they were most comfortable with IE. Every month or so, their computers would be full of infections I had to clean out.
Eventually, I just uninstalled IE and left only Firefox on their computers and they haven't had an infection since. Not a scientific test at all, but from my personal experience, IE, even IE8, is easily infected on XP, while Firefox is not.

Your parents' system might've been getting attacked by something as rudimentary as an out-of-date Flash Player plug-in, which installing a different browser does indirectly fix... temporarily. Given what I know from personally hunting malware in the wild on extremely malicious websites, and from having a Win2000/XP fleet in the hands of about 80 employees for several years, my top recommendations are to

1) separate the Admin powers from the daily-driver user account. Easily done, just make a new Admin-level account, then switch the established one down to a non-Admin. On a stand-alone WinXP box, that's a Limited account.

2) harden the system by enabling DEP, especially if the CPU has hardware DEP onboard. On Win7/Vista systems, also enable SEHOP.

3) remove software that you don't need.

4) the software that remains should be kept up-to-date. Get the Microsoft Update engine, get the Secunia PSI, get the Microsoft Baseline Security Analyzer, and check the system over.

5) now you're ready to pick a browser. Having seen what Protected Mode can do, IE will continue to be my pick.

Now I get complaints that they can't install anything, but I just essentially ignore them because everything they need is already installed.

Hehe It definitely works at keeping them out of trouble, despite themselves. Makes ya wonder what they're trying to install, and what they think they need it for.

 

[soonerproud]

Maybe it's different on Windows Vista and 7, but both my parents run XP (which doesn't have protected mode iirc). For the longest time, I had them on Internet Explorer 8 since they were most comfortable with IE. Every month or so, their computers would be full of infections I had to clean out.
Eventually, I just uninstalled IE and left only Firefox on their computers and they haven't had an infection since. Not a scientific test at all, but from my personal experience, IE, even IE8, is easily infected on XP, while Firefox is not.

You are correct on one thing, it is hardly scientific.

All the major security firms, including securina list FF as one of the least secure browsers on the market. It has more holes and no sandboxing making it less secure than any other browser besides safari.

The best thing you could do on XP to prevent infection on any browser is to set up limited accounts for daily use. It is a pain to do in XP, but entirely possible if you are willing to do the work.

 

[Fox5]

Your parents' system might've been getting attacked by something as rudimentary as an out-of-date Flash Player plug-in, which installing a different browser does indirectly fix... temporarily. Given what I know from personally hunting malware in the wild on extremely malicious websites, and from having a Win2000/XP fleet in the hands of about 80 employees for several years, my top recommendations are to

1) separate the Admin powers from the daily-driver user account. Easily done, just make a new Admin-level account, then switch the established one down to a non-Admin. On a stand-alone WinXP box, that's a Limited account.

2) harden the system by enabling DEP, especially if the CPU has hardware DEP onboard. On Win7/Vista systems, also enable SEHOP.

3) remove software that you don't need.

4) the software that remains should be kept up-to-date. Get the Microsoft Update engine, get the Secunia PSI, get the Microsoft Baseline Security Analyzer, and check the system over.

5) now you're ready to pick a browser. Having seen what Protected Mode can do, IE will continue to be my pick.

Well, to be fair, it wasn't a stock firefox versus IE comparison, it was firefox + adblock + flashblock + web of trust. Still, IE's plugin system is a pain to work with, and I don't know if it has equivalents of all 3 of those.

1. Tried a limited account, but not all their programs work properly on a limited account. Windows XP kind of fails at that.

2. No hardware DEP, I don't think they're getting attacked by buffer overflows though.

3. My parents are big on using software that they don't need, and they're hard to retrain.

4. Argh, windows update isn't good enough?

5. If I was going for protected mode, I'd go for Chrome which features something similar. Sadly, I think most of the spyware that gets installed is from tricking the users, so adblock and flashblock are huge savers there, which chrome doesn't offer. I do have microsoft security essentials installed, which in my experience has been better at cleaning crap out than any other virus scanner I've tried, and I've tried norton, mcafee, trend, avg, and all the other popular ones.

I've yet to see a computer user who used firefox get infected as badly as one who uses Internet Explorer (most of my experience is only with IE however). That could just be a difference in user knowledge, but whenever someone's system had been spywared/virused past the point of usability in college, it was always an IE system. The tech department (unofficially) recommended students not to use IE anymore.

Firefox may have the most security holes, but it doesn't mean it's the most exploited. It's lack of a 'run this now' option for exes alone could be what's saving it, again, I expect home users to be tricked into installing software they shouldn't. Corporate security measures won't work, it doesn't matter much when most users expect to run as admin and follow unsafe practices.

 

[mechBgon]

Corporate security measures won't work, it doesn't matter much when most users expect to run as admin and follow unsafe practices.

I have never had any home user ask me to undo their non-Admin user account after I got it set up for them on WinXP. I also can't remember a single instance where I had to de-infect the computer afterwards. It's too bad your parents have software that doesn't cooperate with a Limited account. Next thing I'd try is Vista or Win7, which can trick rebellious I-must-be-Admin-or-else software into thinking it's got Admin privileges without actually letting it have them.

Argh, windows update isn't good enough?

No. Because of the top ten most-exploited items on a Vista/7 box, only one of them is a Microsoft vulnerability, according to the latest SIR. The rest are third-party. You need to patch that stuff or your perfectly-secure browser can still be used to get at it and pwn your box anyway, so use the Secunia dealiebob for that. And if there's any Microsoft stuff on the system that didn't come with Windows itself (Office, Works, Silverlight, viewers for Office files, .NET, etc) then you need the Microsoft Update engine to keep it updated automagically.

As a footnote: the bad guys adapt. The usual scareware scams are being adapted to run in non-Admin accounts, for example. And an enlightened attacker can do plenty of harm if they can get an attack running even with non-Admin privileges (for example, they could encrypt your account's files and hold them for ransom). This is one reason I'm a big fan of Software Restriction Policy and would always pick a version of Windows that has the capability (meaning, not Home versions).