
[Fun Thread] Security Configuration Feedback



#1 Guest_Kaosu_* (Guest)

Posted 26 June 2014 - 04:00 PM

Abstract

I thought this could be an all-in-one thread where members could compare their security configurations with one another. This would provide more experienced users a platform to exchange ideas, and also provide novice users with a general idea of what is preferred/popular in regards to anti-malware software, operating system configurations, optimal configurations for specific security tools, etc.

 

Here are a few baseline rules you should consider before participating in this discussion:

 

  • Only post here if you are open to all forms of feedback;
  • Give as little or as much information about your configuration;
  • Show respect to all members participating and try to focus on solutions rather than placing emphasis on problems;

The overall goal of this discussion will be to help people find weaknesses in their current configurations, help people optimize their current software for better protection, identify rogue software and bad security advice users may be using/following.

 

Feel free to use my configuration as a general template when participating, but don't feel obligated to. Like I said above, share as little or as much information as you want. Also, don't blindly follow my configuration, because it will not work for all users. This isn't a guide to securing your computer, but what worked best for me.

 

Operating System (Windows 8.1 Pro)

I follow the rule of least privilege, which means I try to only run services and operating system features that I actually need. For every service or operating system feature I am able to disable, it decreases my overall attack surface and helps safeguard me against unknown vulnerabilities within those services/features. Specifically, here are the changes that I make after a clean installation:

 

  • Tune UAC to use the highest security settings

UAC at its highest security setting is extremely useful when you want better control over how applications/installers handle events which require administrative rights.

 

  • Set the Windows Firewall profile to Public

Using the public profile will disable network discovery, public shares, and other networking features that are on by default in Windows.

 

Microsoft thought it would be a great idea to create tunnels for IPv6-to-IPv4 traffic to help out with network compatibility and to make the IPv6 transition easier. However, if you're using a router which only makes use of IPv4, then it won't be able to correctly use these tunnels, and this negates the usefulness of your router's firewall/NAT capabilities. I leave IPv6 enabled if the networking equipment supports it.

 

  • Modify network adapters to uncheck: Client for Microsoft Networks, Printer and File Sharing for Microsoft Networks, Microsoft Network Adapter Multiplexor Protocol, Link Layer Topology Discovery I/O Driver, Link Layer Topology Discovery Responder, Internet Protocol Version 6. I also modify my Internet Protocol Version 4 advanced properties to disable NetBIOS over TCP/IP and uncheck the DNS option "Register this connection's addresses in DNS"

At home I choose to disable all of those protocols because I do not need them. It is always good to understand what each of these protocols do and disable ones that your network really does not need. For example, most small networks don't gain much benefit from network mapping, so they could easily disable the discovery services and still have a functioning network. For each unused protocol you remove, the less of an attack surface a remote attacker has to play with.

 

I also disable IGMP, UPnP and SMB v1. You should only enable SMB v1 if you must have compatibility with older operating systems, otherwise disable it right away.

   

  • Disable unused devices in Device Manager

I like to disable the Remote Desktop Device Redirector Bus and Microsoft Kernel Debug Network Adapter.

 

  • Disable services that I don't need using Services.msc (DO NOT BLINDLY DISABLE SERVICES UNLESS YOU ARE 100% POSITIVE THAT YOU DO NOT NEED THEM)

Check out http://www.blackviper.com/ if you want a (generally) safe list of services to disable for your specific version of Windows.

 

I won't list all of the services that I personally disable, because I am afraid a novice user may come along and try to copy my settings. If you're interested in this, please do the research and understand what a service does before you disable it.

 

  • Disconnect when installing Windows 8 so I don't have to link a Windows Live Account to my system

Linking a Windows Live Account to your Windows 8 installation is just asking for problems. It does offer a few neat features, but those features are not worth keeping a system account online where it is subject to constant brute force attempts, added vulnerabilities of Microsoft services, etc.

 

  • Disallow Remote Assistance/Connections

I have absolutely no use for remote assistance or remote desktop, so I just disable them. Even if I had a use for remote desktop, I wouldn't use that protocol unless it was secured using an SSH tunnel.

 

 

  • Disable AutoPlay on all devices

While I am generally careful about what I introduce into my computing environment, you never know when a loved one may try to share pictures with you using their thumb drive, a DVD, etc. So, better safe than sorry.

 

  • Encrypt all storage devices using BitLocker

Not much to say about this. If someone does steal my computer or I lose a thumb drive, the data will remain safe.

 

  • Use a limited local account for daily tasks

Coming from a GNU/Linux and *BSD background, running with superuser rights just seems very wrong to me.

 

  • Weekly backups of important data

At the end of every week I make backups of all important data. It is stored on my 32GB thumb drive, encrypted and stored in a secure location. I don't create images at home since I keep such detailed backups. If I feel like I need to load up from a clean image, I would rather just reinstall and reload my backups manually. I also keep an identical copy of all backups on an internal storage drive that is also encrypted. Having more than one set of backups helps me sleep better at night.

 

 

Software

Not all of the security software that I use is listed here, but this is what I include in every single installation that I perform.

  • Secunia PSI (Once a week)

Personal Software Inspector is a great program to help keep all of your programs up-to-date. It will also help you find security updates that Windows Update may have missed.

 

  • Enhanced Mitigation Experience Toolkit (EMET)

I use the following settings: DEP: Always on, SEHOP: Always on, ASLR: Application opt-in

 

  • Sandboxie

I like sandboxing my web browser, IRC client, Pidgin and similar applications. I take it a step further and configure Sandboxie to only allow Internet and run access to specific groups of software, automatically delete the contents of the sandbox when an application closes, and drop the rights of the sandboxed application.

 

  • Kaspersky Internet Security 2014 (Real-Time and daily scheduled full scans)

Trusted Applications Mode is enabled, all protection settings are at their highest security settings, and I utilize the extra tools to help me keep my system secure.

 

  • SpywareBlaster (Once a week)

This program does not really require any additional tweaking. It is a prevention tool and is run once a week.

 

  • SuperAntiSpyware (Every other day)

While this may not be the best anti-spyware application out there, it is still free and useful, so I still use it as an on-demand scanner.

 

  • MalwareBytes Anti-Malware Free (Every other day)

Not much to say here. It is another great free on-demand scanner.

 

  • Emsisoft Emergency Kit (Every other day)

I really love Emsisoft's anti-malware scanner. I have been using this since it was called A-Squared, and it has always been an amazing piece of software.

 

  • CCleaner (Once a week)

Removing clutter and temporary Internet files is a wonderful thing, but I don't use the registry cleaning stuff.

 

  • KeePass2

Keeping track of accounts can become tiresome when you like using extremely long passwords, so I let KeePass2 do the tracking for me. It saves the password file inside of an AES encrypted database using a 256-bit key. It also generates passwords for me based on complexity rules that I set and I change all account passwords about once every few months.

 

  • OpenDNS + Content Filtering

OpenDNS has great content filtering. They keep up-to-date malware blacklists and lots of other categories. Since I set my router to default to OpenDNS, all of my machines on the network benefit from the security that it provides.

 

  • Hosts File

Not much to say about this. I keep a well maintained hosts file using public blacklists to try and prevent myself from connecting to malicious hosts. I used to let my router handle this with custom firewall rules, but it slowed network traffic, so I just use an optimized hosts file, which has given me much better performance.

 

  • Firefox + Addons

I use all of the compatible Kaspersky extensions, AdBlock Edge (Malware domains, Easylist, Easy Privacy, and Fanboy's social list), NoScript, Better Privacy, Self-destructing cookies, Disconnect, and HTTPS Everywhere. In addition to this, all plugins are set to "ask" before use and Firefox has had several security-related tweaks.

 

Other Thoughts

That is the gist of my baseline configuration for my home computer. I do a lot more than is listed, but this is always my method for providing myself with a good baseline to build on. All feedback is welcome!


Edited by Kaosu, 26 June 2014 - 08:48 PM.
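As an added example (not part of Kaosu's post, nor from any tool the thread names), the following read-only PowerShell audit checks a Windows 8.1 Pro or later host against the operating-system items in the baseline above. It assumes the standard registry locations for these settings and the NetAdapter, SMB and BitLocker cmdlets that ship with those versions; a Group Policy object may override what the script reads.

```powershell
# Audit-only script, added as an example and not from the original post.
# Reports whether this host matches Kaosu's baseline; it changes nothing.
# Run from an elevated PowerShell 4.0+ session on Windows 8.1 Pro or later.
# Assumption: the registry values below are the standard locations for
# these settings; Group Policy can override what is read here.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: reported as "not configured"
}

function New-Check {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Get-BaselineReport {
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
    $r = @()

    # UAC "Always notify": LUA on, admin consent prompt (2) on the secure desktop
    $lua = Get-RegDword "$pol\System" 'EnableLUA'
    $cpb = Get-RegDword "$pol\System" 'ConsentPromptBehaviorAdmin'
    $psd = Get-RegDword "$pol\System" 'PromptOnSecureDesktop'
    $r += New-Check 'UAC at highest level' ($lua -eq 1 -and $cpb -eq 2 -and $psd -eq 1) `
         "EnableLUA=$lua ConsentPromptBehaviorAdmin=$cpb PromptOnSecureDesktop=$psd"

    # Every active network should be classified Public (no discovery, no shares)
    $notPublic = @(Get-NetConnectionProfile | Where-Object NetworkCategory -ne 'Public')
    $r += New-Check 'All networks Public' ($notPublic.Count -eq 0) `
         (($notPublic | ForEach-Object { "$($_.Name)=$($_.NetworkCategory)" }) -join ', ')

    # Adapter bindings the post unchecks: MS client, file/print server,
    # adapter multiplexor, LLTD I/O driver, LLTD responder, IPv6
    foreach ($id in 'ms_msclient','ms_server','ms_implat','ms_lltdio','ms_rspndr','ms_tcpip6') {
        $on = @(Get-NetAdapterBinding -ComponentID $id -ErrorAction SilentlyContinue |
                Where-Object Enabled)
        $r += New-Check "Binding $id disabled" ($on.Count -eq 0) (($on.Name) -join ', ')
    }

    # NetBIOS over TCP/IP: NetbiosOptions 2 = disabled, checked per interface
    $nbtBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $nbtOn = @(Get-ChildItem $nbtBase | Where-Object { (Get-RegDword $_.PSPath 'NetbiosOptions') -ne 2 })
    $r += New-Check 'NetBIOS over TCP/IP off' ($nbtOn.Count -eq 0) "$($nbtOn.Count) interface(s) still enabled"

    # SMB1 on the server side
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $r += New-Check 'SMB1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"

    # AutoPlay off for every drive type: NoDriveTypeAutoRun = 0xFF
    $ap = Get-RegDword "$pol\Explorer" 'NoDriveTypeAutoRun'
    $r += New-Check 'AutoPlay disabled' ($ap -eq 255) "NoDriveTypeAutoRun=$ap"

    # Remote Assistance and Remote Desktop disallowed
    $ra = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp'
    $rd = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $r += New-Check 'Remote Assistance off' ($ra -eq 0) "fAllowToGetHelp=$ra"
    $r += New-Check 'Remote Desktop off' ($rd -eq 1) "fDenyTSConnections=$rd"

    # BitLocker protection on every volume the OS can see
    $unenc = @(Get-BitLockerVolume | Where-Object ProtectionStatus -ne 'On')
    $r += New-Check 'BitLocker on all volumes' ($unenc.Count -eq 0) (($unenc.MountPoint) -join ', ')

    $r
}

Get-BaselineReport | Format-Table -AutoSize
```

Each row with Pass = False names the setting that differs from the post's baseline so it can be compared against what the machine actually needs; the service and device-manager items are deliberately left out, since the post itself refuses to list them.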



 


#2 NickAu (Moderator, Bleepin' Fish Doctor)

Posted 26 June 2014 - 06:02 PM

I run Linux.

UFW Firewall. Tweaked.

AppArmor. Tweaked.

No Anti Virus

Firefox with NoScript, AdBlock, Pop up Blocker, and Privacy Badger.

I don't need all that other stuff.

Members please note. I would not suggest anybody runs a Windows system online without protection.


Edited by NickAu1, 26 June 2014 - 06:07 PM.


#3 Guest_Kaosu_* (Guest)

Posted 26 June 2014 - 07:43 PM

> I run Linux.
>
> UFW Firewall. Tweaked.
>
> AppArmor. Tweaked.
>
> No Anti Virus
>
> Firefox with NoScript, AdBlock, Pop up Blocker, and Privacy Badger.
>
> I don't need all that other stuff.
>
> Members please note. I would not suggest anybody runs a Windows system online without protection.

 

I also run GNU/Linux systems at home. I recently submitted profile fixes for AppArmor when using a *buntu base to make it a little more usable. I will share the links, because maybe you can use them as examples to help with any issues you might have with proprietary video drivers and hardware acceleration features, etc.

 

Firefox + nVidia: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1325050

Firefox + XFCE: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1325048

 

If you're running Kubuntu (or any other *buntu) they should still apply with just minor modifications. Both of those fixes are being merged into upstream and will be applied on the next round of updates from the official maintainers of the affected package(s).


Edited by Kaosu, 26 June 2014 - 09:17 PM.


#4 cat1092 (BC Advisor, Bleeping Cat)

Posted 28 June 2014 - 11:17 PM

Though I had been running about a 50/50 mix of Windows 7, 8 & 8.1 installs & Linux Mint, that has turned more into 70/30 in favor of Linux Mint. Plus, as I have noted all over the forum, I don't make any transactions on Windows computers. One mistake can be costly & the thing is, one may not see it coming, even if protected to the gills.

 

You know, like the 'hidden' apps, usually adware or spyware, that come with many free Windows software titles & even a few paid ones.

 

On Windows 7, 8 & 8.1, I run a paid security program, usually Emsisoft Anti Malware or NOD32 AV, along with MBAM Pro on all. That makes for 2 active security programs, each looking for different things. Paranoid Mode is activated within Emsisoft Anti Malware (EAM) for better protection.

 

Online Armor Firewall (by Emsisoft) is installed on the most frequently used OS's out of these, the Windows 7 installs. Being that I seldom use Windows 8 nor 8.1, I don't bother with an extra Firewall, just the Windows one, but MBAM Pro is installed. I have tight settings on the wireless router. No UPnP & remote administration is disabled.

 

There is one last install of XP Home SP3, for the purpose of assisting others on this forum, in case an issue needs to be duplicated or for troubleshooting. For security, EAM & MBAM Pro are installed, as well as Online Armor Firewall. Because the notebook is 10 years old & the Pentium M runs more like a P3, MBAM Pro may be removed, it seems to be too much. Emsisoft can protect the notebook well, plus there is always the free ESET Online Scanner.

 

SuperAntiSpyware Pro Edition is on my main two Windows installs, the Free Edition on the rest. 

 

Finally, Linux Mint 17 x64, Mate Edition. Thankfully, not a lot of extra security that does nothing but slow the system is installed, though ClamTK is there & the ufw Firewall is active & enabled at Startup. The reason for ClamTK is that both my Google Chrome & Firefox browsers are synced; the extensions, bookmarks & other settings are the same on Windows or Linux. Some of the things that ClamTK 'finds' are items from where Windows was synced; otherwise, why are there 'ActiveX' items in the browser? These don't come from Linux.

 

If I were to run Mint all day, typically little or nothing would be found. But if my Windows computers are run, even just for updating, ClamTK will catch more. So it has to be picking these up from Windows installs & that being the case, makes Windows safer by quarantining these. They're harmless to the Linux install.

 

On Firefox, the extensions I use are AdBlock Plus, NoScript, Better Privacy, Disconnect (though I may remove this), DownThemAll, WOT, Flagfox & Ghostery, the latter of which I have just learned of & which blocks all kinds of junk.

 

https://www.ghostery.com/en/

 

On Google Chrome I use AdBlock Plus, Ghostery, Google Docs, Google +1, Mini Maps, WOT & Panic Button. I had Avast Online Security enabled, but it was causing conflicts with Ghostery, which blocks a lot more.

 

As added security against the unknown, my main Windows installs are imaged 2x weekly to an external, which is removed afterwards. I still keep one on my Data drive, which is also imaged, but if one of those 'Crypto' infections were to strike and that was the sole backup, I would be out of luck. I'm not coughing up cash to thieves; this is like negotiating with terrorists. They hit one up for cash once, they will again. And there's no 100% guarantee that the data will be the same after paying the ransom.

 

If Windows customers took a little more personal responsibility, weekly or 2x weekly backups would be taken, therefore no need to pay. Format the drive & go as if nothing happened, inside of an hour. What's so hard about that? Many backup apps require no babysitting once started & if using a portable USB drive for backup, all will shut down when the backup is finished.

 

Many Windows users are lazy in their habits & all they know is how to double click. The majority cannot run command line to scan or fix issues & even fewer have a Recovery Console installed. Click & Shoot is how many Windows customers operate.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#5 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 29 June 2014 - 07:13 AM

> Many Windows users are lazy in their habits & all they know is how to double click. The majority cannot run command line to scan or fix issues & even fewer have a Recovery Console installed. Click & Shoot is how many Windows customers operate.

Defines most Millennials and the iPad generation.

#6 cat1092 (BC Advisor, Bleeping Cat)

Posted 29 June 2014 - 11:01 PM

Yes, many of those are the ones I'm speaking of, as well as those who never owned a computer until XP became popular. The latter group includes those of varying generations, a few whom I assist within the family (in-laws) are from the 1930/early 1940 era. 

 

These folks I don't count as being lazy; they worked hard all or most of their working years & never had a computer until post-retirement. They don't mess with Facebook & other social sites, don't even shop online, just want to pay their bills & check the weather. I take these folks to heart & gladly assist them, and have NOD32 & MBAM Pro set up on these.

 

There is one notable difference between them & the younger folks whom I assist: the seniors will follow my advice in regards to how I set up paid AV & AM software on their computers, letting the daily scheduled scans run as they should. Seldom do further issues in regards to security take place. The younger ones will sway; sometimes they'll drop by or call, stating "something's wrong". Nearly every time, the scheduled scans are disabled or altered & it's always the same three. Really, the type of person that I am, I don't mind helping others, but it's irritating at best to get a computer related call or visit from them. Especially after I had installed security prior in MBAM Pro & their choice of security.

 

But I still assist, mainly because they're family. In the end, I am usually rewarded with a less than 3 year old computer or other perfectly working tech items that can be used, as they buy new with each release of Windows. They bring the new to me to set up & drop off their old when the new is picked up. Five years ago, I had a single computer & was thankful for that; today I have six, of which 4 were given to me. There were a couple more, one last month, that were donated to Hospice, after Windows was cleanly reloaded with recovery media, but not before the drives were nuked with DBAN.

 

That's another area where the three that I mentioned above are sloppy: data protection. They drop these computers off & leave all sorts of personal data on them. No way would I sell or give away a computer with my data on it, but they don't give it a second thought. Fortunately for them, I'm not criminal minded. Normally I already have recovery media that was made prior, will nuke the drive & if it's a Windows 7 computer, will install an SSD & use that drive for data.

 

It wouldn't surprise me that at some point in their lives, their sloppiness will cost them, way too loose with security as a whole. Including password management. I'm not going to use my phone number as my banking password, nor my year of birth for debit card access. 

 

Cat


Edited by cat1092, 30 June 2014 - 01:43 AM.



#7 NickAu (Moderator, Bleepin' Fish Doctor)

Posted 30 June 2014 - 12:19 AM

Slightly off topic here. And having tried to help a member who nuked his SSD incorrectly.

 

> the drives were nuked with DBAN.

It is not safe to use DBAN Nuke or similar on SSDs. First, it's not good for the drive, and second, it wouldn't work properly anyway. Not good for the drive because it writes to the drive too many times. Wouldn't work properly because just like the OS, DBAN and similar cannot control where it writes to on the drive. The SSD's controller is responsible for that, and due to wear leveling algorithms, wouldn't get you the intended results. With an SSD, all you need is to perform a "secure erase."

Source


Edited by NickAu1, 30 June 2014 - 12:19 AM.


#8 cat1092 (BC Advisor, Bleeping Cat)

Posted 30 June 2014 - 01:40 AM

> Slightly off topic here. And having tried to help a member who nuked his SSD incorrectly.

No, I'd never use DBAN to nuke a SSD; that's for a spinner. I've never seen that recommended by someone who knows about SSD's, nor did I recommend it above for a SSD. These were all spinners; some were replaced with SSD's, the ones that I keep.

 

I use Secure Erase tools on SSD's; some of these OEMs have their own & I have a special one, in Parted Magic, for those that don't. Though it's no longer free, I still have a copy that was downloaded in 2012 & would use it if I had to.

 

Cat

