Security configurations, May 2015

Trolleri

What are your up-to-date ideas on how to secure a clean install of Windows 7 the most? :devil:

Discussion 1 - Internal configurations:
Besides constantly updating the system, using a regular user account instead of an administrator account for everyday use, setting UAC settings to maximum, and securing the web browser (https://www.us-cert.gov/publications/securing-your-web-browser#Mozilla_Firefox), do you recommend a "fsutil behavior set encryptpagingfile 1" or maybe using BitLocker to encrypt the whole system drive entirely? Any other ideas on how to secure the system?

Discussion 2 - Third party security programs:
What programs and add-ons do you recommend? Will a local antivirus program ever be as good as virustotal.com or metascan-online.com? I believe the real security is in a proactive element. Comodo Internet Security is a good choice, and free (Results and comments - www.matousec.com). Regarding Firefox, I am a fan of Ghostery as well as Adblock Plus add-ons, but is it worth installing the NoScript add-on as well? In Windows firewall, is it worth blocking all incoming connections, including those in the list of allowed programs, or should I simply use the firewall Comodo supplies?

My intention for the system is all-round use, and I will be using Redo to make complete images of the system drive. While I try to keep the number of installed programs at a minimum, Secunia PSI counts around 50 programs currently installed on my system.
 

My Computer

Computer type
Laptop
OS
Windows 7 Professional

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom assembled by me :}
OS
Win-7-Pro64bit 7-H-Prem-64bit
CPU
i7-5930K 2nd i9-9940x both water blocked VRM's too
Motherboard
ASUS SABERTOOTH X99 2nd ASUS x299 Apex
Memory
Trident-z 3200C14 2nd Trident-z 3600C16
Graphics Card(s)
EVGA 1080ti ftw3 2nd Titan Xp both water blocked
Sound Card
Built-in Realtek
Monitor(s) Displays
1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24" 144Hz
Screen Resolution
1920 x 1080 144Hz
Hard Drives
2-Samsung M.2 Evo & Evo Plus
2-Samsung 850 EVO 500GB SSD's/ 3-2.5 W.D. Black 1tb-&3-1tb/3-3.5 WD Black 1tb hdd's
PSU
EVGA SuperNOVA 1000-P2 2nd 1200-P2
Case
2-Corsair Obsidian Series 450D Black ATX Mid Tower
Cooling
Custom water loops
Keyboard
Logitech G710+/ 2nd Logitech G910
Mouse
2-RedDragon M901 Perdition 16400 dpi Gaming mouse = wired
Internet Speed
Comcast Ping 19ms 89.31mbps download speed 6.12mbps upload
Antivirus
Malwarebytes Pro/ Superantispyware Pro
Browser
FireFox & Pale moon
Other Info
2nd ASUS X299 Apex/Intel i9-9940x with Custom water loop/7H-Prem-x64/Corsair 450D case/Ram Trident-z 3600C16 4x8gb / Samsung970Evo plus 500gb SSD/Dual ssd EZ swap evo/PSU EVGA SuperNova 1200w-P2 80+Platinum/GPU Titan Xp /8-ML-140 on push-pull on 2-280GTX rads
Thanks for the link about anti-virus. Instead of waiting for any suite to be able to detect the malware once the damage is done, I am however more interested in how to secure the system itself, and avoid malware in the first place. Maybe Windows 7 has some hidden functions to tighten the security?
 

Hi,
Read the thread; it's a rabbit hole of information. Don't let the title throw you off.
Start at the end if you wish :)
 

I am however more interested in how to secure the system itself, and avoid malware in the first place. Maybe Windows 7 has some hidden functions to tighten the security?
In Win 7 Pro you have SRP (Software Restriction Policies) that is a great protection! Read this: http://www.sevenforums.com/system-security/359832-best-protection-against-malware.html

Encrypting page file, sure, I've done that. And disabled hibernate.

Bitlocker or other full drive encryptions are mainly to protect against physical theft of the PC. For a home PC that's maybe not that important. But why not?
I use a fingerprint boot program + encryption of certain folders with the Windows built-in EFS.

About NoScript, it has an option to allow Scripts globally, which is followed by the word "(dangerous)". That dangerous mode is the default mode in all popular browsers. It's not named dangerous for nothing.
And since FF also doesn't have any sandbox I run it with Sandboxie.

I think Ghostery does a great job together with NoScript so I have no need for an adblocker.

What else? An anti-exploit like EMET, MBAE (Malwarebytes) or HitmanPro.Alert 3.

You shouldn't trust any anti-virus product too much. Nor Virustotal. Use good, multiple and different security layers. For example as mentioned above ;)
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP Elitebook 8540p
OS
Windows 7 Pro 32
CPU
Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz
Motherboard
Hewlett-Packard 1521
Memory
4,00 GB (Usable 2,98)
Graphics Card(s)
NVIDIA NVS 5100M
Sound Card
NVIDIA High Definition Audio
Screen Resolution
1600x900
Hard Drives
INTEL SSDSA2CW120G3
Antivirus
F-Secure Internet Security
Browser
IE, Firefox, Opera
Other Info
Sandboxie,
SRP (Software Restriction Policy),
EMET (Enhanced Mitigation Experience Toolkit),
WFC (Windows Firewall Control by BiniSoft),
Malwarebytes Premium
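
A read-only check of the settings named in the posts above (UAC at maximum, page file encryption, hibernation, SRP), as an added example that is not part of any poster's message. The registry values are the standard Windows ones; treating a default-deny SRP level (DefaultLevel 0) as the target is an assumption, since the thread does not say how SRP should be configured.

```powershell
# Added example: audits, without changing anything, the hardening settings
# discussed in this thread. Only reads HKLM, so no elevation is required.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting never configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding {
    param([string]$Setting, $Actual, $Wanted)
    New-Object PSObject -Property @{
        Setting = $Setting
        Actual  = $(if ($null -eq $Actual) { '(not set)' } else { $Actual })
        Wanted  = $Wanted
        OK      = ($Actual -eq $Wanted)
    }
}

$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$fs  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$pwr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$findings = @(
    # UAC slider at "Always notify": admin prompt = 2, shown on the secure desktop.
    New-Finding 'UAC enabled (EnableLUA)'           (Get-RegValue $uac 'EnableLUA') 1
    New-Finding 'UAC always notify (ConsentPrompt)' (Get-RegValue $uac 'ConsentPromptBehaviorAdmin') 2
    New-Finding 'UAC prompt on secure desktop'      (Get-RegValue $uac 'PromptOnSecureDesktop') 1
    # Value written by: fsutil behavior set encryptpagingfile 1 (takes effect after reboot).
    New-Finding 'Page file encrypted'               (Get-RegValue $fs 'NtfsEncryptPagingFile') 1
    # hiberfil.sys holds a copy of RAM on disk; 0 means hibernation is off.
    New-Finding 'Hibernation disabled'              (Get-RegValue $pwr 'HibernateEnabled') 0
    # SRP default level: 0 = Disallowed (whitelist), 0x40000 = Unrestricted.
    # Wanting 0 here is this example's assumption, not a setting from the thread.
    New-Finding 'SRP default level is Disallowed'   (Get-RegValue $srp 'DefaultLevel') 0
)

$findings | Select-Object Setting, Actual, Wanted, OK | Format-Table -AutoSize

# Summary line: how many checks did not match the wanted value.
$failed = @($findings | Where-Object { -not $_.OK }).Count
Write-Output ("{0} of {1} checks differ from the wanted value" -f $failed, $findings.Count)
```

A row showing "(not set)" means the value was never written, which for SRP means no policy is defined at all.
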
Thank you for your great suggestions Tookeri. I will look a bit into Software Restriction Policies :)
 

If you don't want to waste many hours of your time, do this:
1. Keep your system partition small, and image it.
2. Back up important data to an external hard drive, then unplug it.
3. Don't buy anti-virus software. Just use MSE.
4. If ANYTHING seems unusual or suspicious about how your computer is acting - restore your image.

Takes 5 minutes.
 

My Computer

Computer Manufacturer/Model Number
Home Built
OS
Windows 7 Ultimate x64
CPU
QuadCore Intel Core i7 920, 2666 MHz (20 x 133)
Motherboard
Asus P6T
Memory
6134 MB (DDR3-1333 DDR3 SDRAM)
Graphics Card(s)
(2 - SLI) NVIDIA GeForce GTS 250 (1024 MB)
Sound Card
Onboard Realtek ALC888/1200 @ Intel 82801JB IC
Monitor(s) Displays
HDMII
Screen Resolution
1280 x 800
Hard Drives
Crucial M4 (64 GB SSD)
WD Caviar Blacks
WD5001AALS-00J7B1 ATA Device (465 GB)
WD5001AALS-00J7B1 ATA Device (465 GB)
WD5001AALS-00L3B2 ATA Device (465 GB)
WD Elements USB External (250 GB)
PSU
Corsair 550
Case
iStarUSA S-10000BL Black
Yes, I will do hard drive imaging with Redo, which can recover the system partition even if Windows cannot boot.

I also decided to try Epic Browser, since Firefox is not sandboxed, and Epic supports the only plugins I use. Epic has Adblock Plus included in the browser itself, and it is accessed through the umbrella icon.
 

I think Epic is more about privacy so still no sandbox I assume.

I use Firefox with private browsing mode always on, and I've made these tweaks (mostly privacy related). Click button to view.
 
browser.cache.disk.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.memory.enable = false
browser.cache.offline.enable = false
browser.safebrowsing.enabled = false
browser.safebrowsing.malware.enabled = false
browser.sessionstore.privacy_level = 2 (default=0)
browser.urlbar.trimURLs = false
datareporting.healthreport.uploadEnabled = false
dom.battery.enabled = false // fingerprinting
dom.event.clipboardevents.enabled = false
dom.indexedDB.enabled = false
dom.network.enabled = false // fingerprinting
dom.storage.enabled = false
geo.enabled = false
geo.wifi.uri = localhost
media.peerconnection.enabled = false //WebRTC
network.cookie.cookieBehavior = 1 (no 3rd party)
network.dns.disablePrefetch = true
network.http.sendRefererHeader = 0 (default=2)
network.http.sendSecureXSiteReferrer = false
network.predictor.enabled = false //prefetch
network.prefetch-next = false
webgl.disabled = true (or in NoScript)


Another great thing with Firefox + Sandboxie is that I disable all plugins. If I need to enable one when run through Sandboxie it means it's only temporary. When I close the sandboxed browser and it deletes the sandbox contents all changes are discarded. So next time I open the browser all plugins remain disabled. Plugins are high risk objects when it comes to exploits.

And NoScript doesn't just block scripts, but also plugins and attempts to access local resources like your router etc.
 

Ok. My mistake, I'm always thinking of Firefox when it comes to browsers ;)

You can use Sandboxie for free, no problem! It shows a 5 second window once every day. And some blocked features. But no important ones, at least not for me.
 
