Are my security measures adequate?

Jester45

Quick background for me is that I'm 18, love computers and am currently the tech support for my family (close and extended), neighbors, family friends, etc. While I don't have the strictest policies, I do try to keep my home network, along with anyone's computer I work on, non-infected.

Some of my scheduled tasks are:
  • Nightly backups to a WHS box.
  • Nightly full system virus scans (Avast! Home) on all desktops and the WHS. Laptops don't have scheduled tasks, but my WHS warns me if I don't do either after a week.
  • Automatic updates on Avast and Windows/Linux (Gentoo based, so not completely automatic)
And general precautions:
  • My servers (except WHS) are on a different subnet from my desktops.
  • Servers are all Linux except 1, and SSH is on a non-standard port with SSH only via keys
  • Servers also do mail, and that is scanned for viruses
  • Router's UPnP is disabled, default password changed
  • Only needed ports are forwarded
  • WiFi clients can't communicate with desktops except for WHS.

I know this isn't completely Win7 related, but I do have a few machines running it. I listen to a few security podcasts because they are interesting to me, but I don't think I'm overly paranoid (no pseudo-random 265bit passwords).

Do you guys have any extra suggestions for me to do? Does Windows 7 introduce any "features" I should be on the lookout for?
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 64bit
CPU
Phenom II 1055T @ 3.1 Ghz (+.3 Ghz OC)
Motherboard
Asus
Memory
8GB
Graphics Card(s)
2x Nvidia GTX 260 core 216
Sound Card
Intergrated 7.1
Monitor(s) Displays
dual 23"
Screen Resolution
3840x1080
Hard Drives
C: 30GB intel ssd
D: 2x 500GB WD black raid 0
NAS: 6TB WB green raid 5
PSU
750w
Case
Black
Cooling
Oxygen, Nitrogen, other various gases.
Keyboard
QWERTY and clicky
Mouse
logitech wireless
Internet Speed
12Mbit down; 4Mbit up | 6Mbit down; 1Mbit up (Both DSL)
Other Info
blue led fans look nice
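
The first post's SSH posture (non-standard port, key-only login) can be checked against a server's `sshd_config`. The following is an added example, not code from the thread; the sample configs are constructed, and the `PermitRootLogin` check is an extra assumption about the desired setup.

```python
# Added example: audit sshd_config text for the key-only posture in the post.
DEFAULTS = {  # values sshd assumes when a keyword is absent (recent OpenSSH)
    "port": "22",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Global settings as sshd resolves them: first value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional blocks are out of scope for this sketch
        seen.setdefault(key, parts[1].strip().lower())
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return a list of deviations from key-only, no-root, non-default-port."""
    s = effective_settings(config_text)
    checks = [
        (s["passwordauthentication"] != "no", "password logins are accepted"),
        (s["kbdinteractiveauthentication"] != "no", "keyboard-interactive (PAM) prompts are accepted"),
        (s["pubkeyauthentication"] != "yes", "public-key login is disabled"),
        (s["permitrootlogin"] != "no", "root can log in directly over SSH"),
        (s["port"] == "22", "listening on the default port 22"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample configs (port 2222 is an arbitrary illustration).
SAMPLE_HARDENED = "Port 2222\nPermitRootLogin no\nPubkeyAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"
# The later "no" is ignored because the earlier "yes" was seen first.
SAMPLE_WEAK = "# key-only intended\nPort 2222\nPasswordAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(name, audit(cfg) or "OK")
```

The weak sample shows the failure mode worth knowing: a key-only line added below an earlier `PasswordAuthentication yes` has no effect, and unset keywords fall back to defaults that still allow password-style prompts.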
Your security measures are excellent, except for the fact that you are using just 1 antivirus. There are many things that antivirus misses during scans. Hence you should also use Malwarebytes.org along with Avast.
 

My Computer

Computer Manufacturer/Model Number
Samsung NP530U4B-S02IN
OS
Windows® 8 Pro (64-bit)
CPU
Intel® Core™ i5 Processor 2467M (1.60GHz, 3MB L3 Cache)
Motherboard
Samsung Electronics
Memory
6GB DDR3 System Memory at 1,333MHz (on BD 4GB + 2GB x 1)
Graphics Card(s)
AMD Radeon™ HD7550M 1GB DDR3 (Ext. Graphic)
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
35.56cm (14.0) SuperBright 300nit HD LED Display
Screen Resolution
1366x768
Hard Drives
1TB S-ATA II Hard Drive (5400RPM) with ExpressCache 16GB SSD
Internet Speed
sucks
Antivirus
Microsoft Security Essentials
Browser
Google Chrome (Sync enabled)
Hi,

Your configuration is mainly about Detection (AV) and Cure (backup plan). It's not a bad approach, but these days you should also add Prevention to your security arsenal. You already have a FW/router and you do OS updates.

By Prevention I mean: HIPS software, virtualization, sandboxes, policy-based sandboxes, SRP, LUA, UAC, DEP, and also FW (hardware, software or both).
Of course you don't need all of them, but to make a decision it will be better to give them a try and test which meets your needs.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self Built
OS
Windows 7 Home Premium x32 SP1
CPU
x2 2.6 GHz
Motherboard
Asus
Memory
A-Data 2GB DDR2-800
Graphics Card(s)
ATI X1250
Sound Card
SB 5.1 Live!
Hard Drives
WD and Seagate FAP
PSU
Tagan TG-480-U01
Keyboard
BTC 6300
Mouse
Logitech VX Nano
Antivirus
None
While I understand the concepts behind virtualization and sandboxes, I don't see the point for the most part. My Linux systems have their daemons jailed, but I do no sandboxing on Windows.

As for IDS, I've heard of Snort, but is IDS really overkill for a large-ish home network? If a machine goes down, not much is affected; backups are there, so settings/programs are not lost, and media is stored on WHS. If my WHS was lost I would have a problem, but I don't think that will happen as it doesn't connect to the internet except for updates.

UAC is enabled on my Win7 machines, and for Linux boxes I'm the only person who can access them other than by the services they provide.

I'm not sure what you mean by SRP and LUA.
 

> I'm not sure what you mean by SRP and LUA.

SRP = Software Restriction Policy. For more information, click here.
LUA - Limited User Account, a non-admin, non-power user account with limited privileges. Also known as SUA (Standard User Account) in Vista and Win7.
 

My Computer

Computer Manufacturer/Model Number
Self Assembled
OS
Win7 RTM, XP Pro, Arch Linux, Puppy (Quad boot)
CPU
Core i7 920 (OCed @ 3.8Ghz)
Motherboard
ASUS P6T Dlx
Memory
OCZ Gold 6GB DDR3-1600
Graphics Card(s)
Sapphire Radeon HD 5870 1GB (OCed @ 935/1300)
Sound Card
On-board
Monitor(s) Displays
Samsung 24"
Hard Drives
WD Caviar Black 1TB, WD Velociraptor 300GB, Maxtor 250GB
PSU
Corsair HX620W
Case
Antec 1200
Cooling
Noctua U12P
Well, I do LUA/SUA. Along with that, all Windows-based users need a "complex" password enforced by WHS, which is 1 CAPITAL letter, numbers, and >6 characters long. My Linux boxes have root, but only I have a normal user, and have to su to root.

And I'll have to look into the SRP stuff; sounds real nice on the laptops. And SRP on the WHS would be a good thing too, as I only use ~15 programs max (including system processes), so I could lock that down pretty tight.
 

> Well, I do LUA/SUA. Along with that, all Windows-based users need a "complex" password enforced by WHS, which is 1 CAPITAL letter, numbers, and >6 characters long. My Linux boxes have root, but only I have a normal user, and have to su to root.
>
> And I'll have to look into the SRP stuff; sounds real nice on the laptops. And SRP on the WHS would be a good thing too, as I only use ~15 programs max (including system processes), so I could lock that down pretty tight.

Here you can find nice software to manage SRP:
http://mrwoojoo.com/PGS/PGS_index.htm
PGS (Pretty Good Security) by Sully from Wilders.
 
