I thought this could be an all-in-one thread where members could compare their security configurations with one another. This would provide more experienced users with a platform to exchange ideas, and also give novice users a general idea of what is preferred/popular with regard to anti-malware software, operating system configurations, optimal configurations for specific security tools, etc.
Here are a few baseline rules you should consider before participating in this discussion:
- Only post here if you are open to all forms of feedback;
- Give as little or as much information about your configuration as you want;
- Show respect to all members participating and try to focus on solutions rather than placing emphasis on problems;
The overall goal of this discussion will be to help people find weaknesses in their current configurations, help people optimize their current software for better protection, and identify rogue software and bad security advice that users may be using/following.
Feel free to use my configuration as a general template when participating, but don't feel obligated to. Like I said above, share as little or as much information as you want. Also, don't blindly follow my configuration, because it will not work for all users. This isn't a guide to securing your computer, but what worked best for me.
Operating System (Windows 8.1 Pro)
I follow the rule of least privilege, which means I try to only run services and operating system features that I actually need. For every service or operating system feature I am able to disable, it decreases my overall attack surface and helps safeguard me against unknown vulnerabilities within those services/features. Specifically, here are the changes that I make after a clean installation:
- Tune UAC to use the highest security settings
UAC at its highest security setting is extremely useful when you want better control over how applications/installers handle events which require administrative rights.
- Set the Windows Firewall profile to Public
Using the public profile will disable network discovery, public shares, and other networking features that are on by default in Windows.
- Completely disable IPv6 (http://support.microsoft.com/kb/929852)
Microsoft thought it would be a great idea to create tunnels for IPv6-to-IPv4 traffic to help out with network compatibility and to make the IPv6 transition easier. However, if you're using a router which only makes use of IPv4, it won't be able to correctly use these tunnels, and that negates the usefulness of your router's firewall/NAT capabilities. I leave IPv6 enabled if the networking equipment supports it.
- Modify network adapters to uncheck: Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, Microsoft Network Adapter Multiplexor Protocol, Link-Layer Topology Discovery Mapper I/O Driver, Link-Layer Topology Discovery Responder, Internet Protocol Version 6. I also modify my Internet Protocol Version 4 advanced properties to disable NetBIOS over TCP/IP and uncheck the DNS option "Register this connection's addresses in DNS".
At home I choose to disable all of those protocols because I do not need them. It is always good to understand what each of these protocols do and disable ones that your network really does not need. For example, most small networks don't gain much benefit from network mapping, so they could easily disable the discovery services and still have a functioning network. For each unused protocol you remove, the less of an attack surface a remote attacker has to play with.
I also disable IGMP, UPnP and SMB v1. You should only enable SMB v1 if you must have compatibility with older operating systems, otherwise disable it right away.
- Disable unused devices in Device Manager
I like to disable the Remote Desktop Device Redirector Bus and Microsoft Kernel Debug Network Adapter.
- Disable services that I don't need using Services.msc (DO NOT BLINDLY DISABLE SERVICES UNLESS YOU ARE 100% POSITIVE THAT YOU DO NOT NEED THEM)
Check out http://www.blackviper.com/ if you want a (generally) safe list of services to disable for your specific version of Windows.
I won't list all of the services that I personally disable, because I am afraid a novice user may come along and try to copy my settings. If you're interested in this, please do the research and understand what a service does before you disable it.
- Disconnect when installing Windows 8 so I don't have to link a Windows Live Account to my system
Linking a Windows Live Account to your Windows 8 installation is just asking for problems. It does offer a few neat features, but those features are not worth keeping a system account online where it is subject to constant brute force attempts, added vulnerabilities of Microsoft services, etc.
- Disallow Remote Assistance/Connections
I have absolutely no use for remote assistance or remote desktop, so I just disable them. Even if I had a use for remote desktop, I wouldn't use that protocol unless it was secured using an SSH tunnel.
- Disable AutoPlay on all devices
While I am generally careful about what I introduce into my computing environment, you never know when a loved one may try to share pictures with you using their thumb drive, a DVD, etc. So, better safe than sorry.
- Encrypt all storage devices using BitLocker
Not much to say about this. If someone does steal my computer or I lose a thumb drive, the data will remain safe.
- Use a limited local account for daily tasks
Coming from a GNU/Linux and *BSD background, running with superuser rights just seems very wrong to me.
- Weekly backups of important data
At the end of every week I make backups of all important data. It is stored on my 32GB thumb drive, encrypted and stored in a secure location. I don't create images at home since I keep such detailed backups. If I feel like I need to load up from a clean image, I would rather just reinstall and reload my backups manually. I also keep an identical copy of all backups on an internal storage drive that is also encrypted. Having more than one set of backups helps me sleep better at night.
Not all of the security software that I use is listed here, but this is what I include in every single installation that I perform.
- Secunia PSI (Once a week)
Personal Software Inspector is a great program to help keep all of your programs up-to-date. It will also help you find security updates that Windows Update may have missed.
- Enhanced Mitigation Experience Toolkit (EMET)
I use the following settings: DEP: Always on, SEHOP: Always on, ASLR: Application opt-in
- Sandboxie
I like sandboxing my web browser, IRC client, Pidgin and similar applications. I take it a step further and configure Sandboxie to only allow Internet and run access to specific groups of software, automatically delete the contents of the sandbox when an application closes, and drop the rights of the sandboxed application.
- Kaspersky Internet Security 2014 (Real-Time and daily scheduled full scans)
Trusted Applications Mode is enabled, all protection settings are at their highest security settings, and I utilize the extra tools to help me keep my system secure.
- SpywareBlaster (Once a week)
This program does not really require any additional tweaking. It is a prevention tool and is run once a week.
- SuperAntiSpyware (Every other day)
While this may not be the best anti-spyware application out there, it is still free and useful, so I still use it as an on-demand scanner.
- Malwarebytes Anti-Malware Free (Every other day)
Not much to say here. It is another great free on-demand scanner.
- Emsisoft Emergency Kit (Every other day)
I really love Emsisoft's anti-malware scanner. I have been using this since it was called A-Squared, and it has always been an amazing piece of software.
- CCleaner (Once a week)
Removing clutter and temporary Internet files is a wonderful thing, but I don't use the registry cleaning stuff.
- KeePass 2
Keeping track of accounts can become tiresome when you like using extremely long passwords, so I let KeePass 2 do the tracking for me. It saves the passwords inside an AES-encrypted database using a 256-bit key. It also generates passwords for me based on complexity rules that I set, and I change all account passwords about once every few months.
- OpenDNS + Content Filtering
OpenDNS has great content filtering. They keep up-to-date malware blacklists and lots of other categories. Since I set my router to default to OpenDNS, all of my machines on the network benefit from the security that it provides.
- Hosts File
Not much to say about this. I keep a well-maintained hosts file using public blacklists to try and prevent myself from connecting to malicious hosts. I used to let my router handle this with custom firewall rules, but it slowed network traffic, so I just use an optimized hosts file, which has given me much better performance.
- Firefox + Addons
I use all of the compatible Kaspersky extensions, Adblock Edge (Malware Domains, EasyList, EasyPrivacy, and Fanboy's Social list), NoScript, BetterPrivacy, Self-Destructing Cookies, Disconnect, and HTTPS Everywhere. In addition to this, all plugins are set to "ask" before use, and Firefox has had several security-related tweaks.
That is the gist of my baseline configuration for my home computer. I do a lot more than is listed, but this is always my method for providing myself with a good baseline to build on. All feedback is welcome!
Edited by Kaosu, 26 June 2014 - 08:48 PM.
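The operating-system steps in the post above (UAC, Public firewall profile, IPv6 and adapter bindings, NetBIOS/DNS registration, SMBv1/UPnP/IGMP, Remote Assistance/RDP, AutoPlay) can be applied and then read back from one elevated PowerShell 4.0 session on Windows 8.1. The script below is an added example written for this thread; it is not the original poster's script, and it assumes the home-PC case in the post, where every adapter gets the same treatment (adapter names are discovered, not hard-coded) and a reboot is acceptable for the IPv6 registry change to take effect.

```powershell
# Added example, not part of the original post. Applies the Windows 8.1 hardening steps from
# the post and then verifies them. Run from an elevated PowerShell 4.0 session.
#Requires -RunAsAdministrator

function Set-RegDword {
    # Create the key if needed and write a REG_DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# 1. UAC at its highest setting: always notify, prompt on the secure desktop.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-RegDword $uac 'EnableLUA' 1
Set-RegDword $uac 'ConsentPromptBehaviorAdmin' 2   # 2 = prompt for consent on the secure desktop
Set-RegDword $uac 'PromptOnSecureDesktop' 1

# 2. Treat every current connection as Public and keep the firewall on for all profiles.
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 3. Unbind the components the post unchecks, on every adapter (assumption: all adapters alike).
$bindings = @(
    'ms_msclient'   # Client for Microsoft Networks
    'ms_server'     # File and Printer Sharing for Microsoft Networks
    'ms_implat'     # Microsoft Network Adapter Multiplexor Protocol
    'ms_lltdio'     # Link-Layer Topology Discovery Mapper I/O Driver
    'ms_rspndr'     # Link-Layer Topology Discovery Responder
    'ms_tcpip6'     # Internet Protocol Version 6
)
foreach ($id in $bindings) {
    Get-NetAdapter | Disable-NetAdapterBinding -ComponentID $id -ErrorAction SilentlyContinue
}
# KB929852: also disable the IPv6 components system-wide (takes effect after a reboot).
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents' 0xFF

# 4. NetBIOS over TCP/IP off (2 = disable) and no DNS self-registration, on each IP-enabled adapter.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
}
Get-DnsClient | Set-DnsClient -RegisterThisConnectionsAddress $false

# 5. SMBv1 off, UPnP/SSDP services disabled, IGMP off (netsh names the IPv4 setting "mldlevel").
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
'SSDPSRV', 'upnphost' | ForEach-Object {
    Stop-Service $_ -Force -ErrorAction SilentlyContinue
    Set-Service $_ -StartupType Disabled
}
netsh interface ipv4 set global mldlevel=none | Out-Null

# 6. No Remote Assistance, no Remote Desktop connections.
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp' 0
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 1

# 7. AutoPlay/AutoRun off for all drive types (0xFF) and for non-volume devices (cameras, phones).
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-RegDword $explorer 'NoDriveTypeAutoRun' 0xFF
Set-RegDword $explorer 'NoAutoplayfornonVolume' 1

# 8. Read the settings back, so the run can be checked now and re-checked after Windows updates.
$check = [ordered]@{
    'UAC always notify'   = ((Get-ItemProperty $uac).ConsentPromptBehaviorAdmin -eq 2) -and ((Get-ItemProperty $uac).PromptOnSecureDesktop -eq 1)
    'All profiles Public' = @(Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -ne 'Public' }).Count -eq 0
    'IPv6 unbound'        = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled }).Count -eq 0
    'SMBv1 off'           = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    'RDP denied'          = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1
    'AutoRun off'         = (Get-ItemProperty $explorer).NoDriveTypeAutoRun -eq 0xFF
}
$check.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'NOT APPLIED' }) }
```

Step 8 is the part worth keeping around: feature updates and some installers re-enable bindings and services, so rerunning the read-back portion after patch day tells you whether the baseline still holds. The script does not touch services beyond SSDP/UPnP or the Device Manager entries, for the same reason the post gives: which ones are safe to disable depends on the machine.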
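For the hosts-file step in the post, the work is in merging several public blacklists into one clean file: stripping comments, normalizing case, dropping duplicates and malformed names, and never letting a list override the local loopback entries. The function below is an added example for this thread, not the original poster's tooling. It assumes the lists have already been downloaded to disk in hosts format (one "address hostname" per line), and it writes blocked names to 0.0.0.0 rather than 127.0.0.1 so connections fail immediately instead of hitting a local listener. The sample lists are constructed here so the example runs offline.

```powershell
# Added example, not part of the original post. Merges hosts-format blacklists into one file.

function Merge-HostsBlocklist {
    param(
        [string[]]$ListPath,   # downloaded blacklist files, hosts format
        [string]$OutPath       # where to write the merged file
    )
    # Names that must never be redirected, whatever a list says.
    $reserved = 'localhost', 'localhost.localdomain', 'broadcasthost', 'local', 'ip6-localhost', 'ip6-loopback'
    $hostRe   = '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$'
    $seen     = @{}
    $entries  = foreach ($file in $ListPath) {
        foreach ($raw in Get-Content $file) {
            $line = ($raw -split '#')[0].Trim()        # drop comments and surrounding whitespace
            if (-not $line) { continue }
            $parts = $line -split '\s+'
            if ($parts.Count -lt 2) { continue }       # address without a name
            $name = $parts[1].ToLowerInvariant()
            if ($reserved -contains $name) { continue }
            if ($name -notmatch $hostRe) { continue }  # malformed hostname
            if ($seen.ContainsKey($name)) { continue } # duplicate across lists or within one
            $seen[$name] = $true
            "0.0.0.0 $name"
        }
    }
    $header = @(
        "# merged from $($ListPath.Count) list(s) on $(Get-Date -Format 'yyyy-MM-dd')"
        '127.0.0.1 localhost'
        '::1 localhost'
    )
    # Windows expects ASCII/ANSI with CRLF line endings; sort so diffs between runs are readable.
    ($header + ($entries | Sort-Object)) | Set-Content -Path $OutPath -Encoding Ascii
    return $entries.Count
}

# Constructed sample input (not real blacklist data) so the example runs offline.
$tmp = Join-Path $env:TEMP 'hosts-example'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
@'
# list A
127.0.0.1 localhost
0.0.0.0 ads.example.test
0.0.0.0 Tracker.Example.Test   # mixed case, normalized and deduplicated
'@ | Set-Content (Join-Path $tmp 'a.txt')
@'
127.0.0.1 tracker.example.test
127.0.0.1 -bad.example.test    # rejected: leading hyphen is not a valid label
0.0.0.0 localhost              # rejected: reserved name
'@ | Set-Content (Join-Path $tmp 'b.txt')

$out   = Join-Path $tmp 'hosts.new'
$count = Merge-HostsBlocklist -ListPath (Join-Path $tmp 'a.txt'), (Join-Path $tmp 'b.txt') -OutPath $out
"$count blocked names written to $out"   # 2 for the sample lists above
Get-Content $out

# To install: copy hosts.new over $env:SystemRoot\System32\drivers\etc\hosts from an elevated
# session, then run "ipconfig /flushdns" so the DNS Client cache picks up the new entries.
```

Two practical caveats. First, keep the merged file to the names you actually want blocked: the Windows DNS Client service loads the whole hosts file into its cache, so very large files slow name resolution, which is the "optimized" part the post mentions. Second, the hosts file only covers names; a blacklist entry for an IP address or a wildcard does nothing here, so filter those out (the regex above rejects them) rather than assuming they took effect.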