[ale] PT1 - ale OT Need to lock down a Windows laptop / (OR Linux)
Ron Frazier
atllinuxenthinfo at c3energy.com
Sun Jun 26 04:58:35 EDT 2011
To my friends reading this and running Linux. It is no longer true that
Linux users don't have to worry about security and viruses, if it was
ever true. Now, the risk level may not be as great as Windows, but it
is there, and will increase as the usage numbers increase. Here, I
detail a number of steps to secure Windows. However, many of them are
cross platform, and usable on Linux too. I detail which ones can be
done on Linux as well. When I give instructions for Linux, I'm
referring to Ubuntu 10.04, which is all I know. Users of other versions
will have to adapt. Trey's original inquiry is copied at the bottom.
Trey,
I was browsing through some old threads and saw this. I've been working
with Windows since it was a baby (v 3.0). While not a security expert,
I've studied it a bit, and have learned a lot from the school of hard
knocks. I wanted to elaborate on some of the things mentioned in this
thread and add a few. The question you asked cannot be answered in one
paragraph. Locking down a Windows system is not easy, and there are
many technical issues and many psychological issues. You can take a
paranoid or a lax approach. I prefer the former. I would use similar
procedures on the Linux side of the fence. There are starting to be
more attacks focused on Linux and Mac. Risks that relate to things like
Java and Flash are cross platform sometimes. Here are a number of items
in no particular order. I can help you with these issues, if desired.
Contact me privately. If there is an interest, I can post some more
specific details on the list.
0.5) Lock down your home router. Applies to Windows and Linux.
Disable remote administration (from the WAN), turn on its firewall and
NAT functions, set up WPA / WPA2 encryption for the wifi with a long
random password, and set up an administrative password which must be
used to configure or alter the router. Set the router to use OpenDNS
(as mentioned below) name servers, which will, at a minimum, provide
some phishing protection. More on this later. If you have other
devices which need to connect besides your computers, like game consoles
or your daughter's friends, and if the router supports it, set a guest
WPA / WPA2 connection with a memorable but hard to guess pass phrase.
Guests should have access to the internet only, and not anything on your
LAN. Do not use WEP encryption, it has been broken. It's usually a
good idea to update the router's firmware to the latest level and save
the firmware file as well as the configuration settings. Update the
firmware before you set the settings, as it will sometimes erase the
settings.
01) Set up a login on her laptop for her, which is a standard user.
Applies to Windows and Linux.
Password protect it, give her the password, and set up a screen saver
which locks the system after a timeout. Set up a boot password in the
BIOS and give it to her. These things will encourage her to keep
security issues in mind. They will also provide some protection if the
machine is sitting in public for any period of time, or if it's stolen.
Make sure she uses her login for normal activities.
02) Set up a DIFFERENT administrative login for yourself and don't give
her the password. Applies to Windows and Linux.
Let her know she's not allowed to install software without permission or
alter the configuration of the machine. Most of the system
configuration, you will have to do from your administrative account.
Most of her user applications will have to be configured from her user
account.
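An added example for items 01 and 02 on the Ubuntu side (this is not from Ron's post): a small shell check that lists which accounts can run sudo, so you can confirm that the child's login is a standard user and that only your separate account sits in the admin group. The group file it reads is a constructed sample; on the real machine point it at /etc/group.

```shell
#!/bin/sh
# Added example, not part of the original post: check which accounts on an
# Ubuntu machine can become root, so that the child's login is a plain user
# and only the parent's separate account can escalate. Ubuntu 10.04 puts
# administrators in the "admin" group; later releases use "sudo". Both are
# checked. The group file below is a constructed sample, not a real system's.

# privileged_members GROUPFILE
# Prints every member of the admin or sudo groups found in GROUPFILE, which
# has /etc/group syntax: name:x:gid:member1,member2
privileged_members() {
    awk -F: '$1 == "admin" || $1 == "sudo" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1" | sort -u
}

# is_privileged USER GROUPFILE: succeeds if USER can run sudo
is_privileged() {
    privileged_members "$2" | grep -qx "$1"
}

# Constructed sample: "dad" is the administrative account, and "daughter"
# ended up in the admin group as well (exactly what this check should catch).
sample_group=$(mktemp)
cat > "$sample_group" <<'EOF'
root:x:0:
adm:x:4:dad
sudo:x:27:
admin:x:120:dad,daughter
dad:x:1000:
daughter:x:1001:
EOF

echo "Accounts that can run sudo:"
privileged_members "$sample_group"
if is_privileged daughter "$sample_group"; then
    echo "WARNING: daughter is an administrator; demote her with:"
    echo "  sudo deluser daughter admin"
fi
rm -f "$sample_group"
# On the real machine, run the same check against the live file:
#   privileged_members /etc/group
```

Run it monthly alongside the other checks; a name appearing in that list that you did not put there is worth investigating, because software installers and helpful relatives both add people to the admin group.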
03) Applies to any child and any computer. Lay down ground rules about
what she can and cannot do with social networking, peer to peer file
sharing, contacting strangers, etc. Discuss the potential problems
involved in downloading illegal music and movies, etc. Advise her to
avoid that at all costs, and if she needs music or movies or books,
etc., to buy them legitimately. If she's younger, you may wish to not
give her the boot password, and to require that she do all her computer
usage in a common family room where you can monitor it. Your choice.
Instruct her not to do configuration changes or installations without
your prior approval.
04) Using Windows Updater, install all relevant patches on the machine.
Applies to Windows and Linux, except use the Linux Updater for Linux.
Reboot, and check again. Keep doing this until all recommended patches
are installed. If the machine is new, make sure you do this from behind
a home router with a firewall, so the machine doesn't get infected the
moment it's connected to the net. Do not connect it directly to the
cable or dsl modem. (As mentioned below) set the update settings to
notify you every time patches are needed. Also, make sure it's set to
get patches for all MS products. Set it for automatic updates every
night at 3 AM or whatever. However, this doesn't work if the system is
off. At least every month, after MS releases patches on the 2nd
Tuesday, check for and install new patches in case the auto update
didn't happen. Basically, ANYTHING that connects to the Internet needs
to be updated at least monthly or whenever there is an urgent patch.
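An added example for the Ubuntu side of item 04 (not from Ron's post): the APT::Periodic settings that make the daily apt job fetch package lists and install updates unattended, plus a check that reads the dry run output of `apt-get -s upgrade` and counts packages still waiting from the -security pocket, which is the monthly "did the automatic update really happen" test. The configuration path, the option values and the sample apt-get output are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the original post: the Ubuntu side of item 04.
# write_apt_periodic_conf writes the APT::Periodic settings that make the
# daily apt job fetch package lists and install updates unattended (the
# counterpart of the "3 AM" Windows schedule); count_pending_security_updates
# reads the dry-run output of `apt-get -s upgrade` and counts packages still
# waiting from the -security pocket. The sample output below is constructed.

# write_apt_periodic_conf PATH
# On a real system PATH is /etc/apt/apt.conf.d/20auto-upgrades and the
# unattended-upgrades package must be installed (sudo apt-get install
# unattended-upgrades; "sudo dpkg-reconfigure -plow unattended-upgrades"
# writes the same file interactively).
write_apt_periodic_conf() {
    cat > "$1" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

# count_pending_security_updates   (apt-get -s upgrade output on stdin)
# apt-get -s prints one "Inst <pkg> [<old>] (<new> <origin>/<pocket> [<arch>])"
# line per package it would install; only the -security pocket is counted.
count_pending_security_updates() {
    awk '$1 == "Inst" && /-security/ { n++ } END { print n + 0 }'
}

# list_pending_security_updates: same input, prints the package names
list_pending_security_updates() {
    awk '$1 == "Inst" && /-security/ { print $2 }'
}

# Constructed sample of `apt-get -s upgrade` on a 10.04 machine whose
# automatic update did not run (the laptop was off at 3 AM). Package names
# and version strings are made up for the example.
sample=$(cat <<'EOF'
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libssl0.9.8 openssl tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl0.9.8 [0.9.8k-7ubuntu8.5] (0.9.8k-7ubuntu8.6 Ubuntu:10.04/lucid-security [amd64])
Inst openssl [0.9.8k-7ubuntu8.5] (0.9.8k-7ubuntu8.6 Ubuntu:10.04/lucid-security [amd64])
Inst tzdata [2011g-0ubuntu0.10.04] (2011h-0ubuntu0.10.04 Ubuntu:10.04/lucid-updates [all])
Conf libssl0.9.8 (0.9.8k-7ubuntu8.6 Ubuntu:10.04/lucid-security [amd64])
Conf openssl (0.9.8k-7ubuntu8.6 Ubuntu:10.04/lucid-security [amd64])
Conf tzdata (2011h-0ubuntu0.10.04 Ubuntu:10.04/lucid-updates [all])
EOF
)

n=$(printf '%s\n' "$sample" | count_pending_security_updates)
echo "Pending security updates: $n"
printf '%s\n' "$sample" | list_pending_security_updates
# On the real machine:  sudo apt-get update && apt-get -s upgrade | count_pending_security_updates
```

A count above zero a week after Patch Tuesday means the unattended job is not running (machine off at the scheduled time, or the package not installed), so install the updates by hand and fix the schedule.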
05) Make sure the Windows Firewall is on. Applies to Windows and
Linux. Use Firestarter or something similar for Linux.
Every month, check its exception list and purge anything that's
unnecessary as both legitimate and malicious programs can sometimes
change it.
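An added example for the monthly exception-list check in item 05, on the Linux side (not from Ron's post): Firestarter, ufw and hand-written scripts all end up as iptables rules, so the check reads `iptables -S INPUT` and reports every ACCEPT rule that is not in a baseline file you approved the last time you looked. Both the baseline and the "current" rule list below are constructed samples. On Windows the equivalent raw list comes from `netsh advfirewall firewall show rule name=all`, and the same diff-against-baseline idea applies.

```shell
#!/bin/sh
# Added example, not part of the original post: the monthly "exception list"
# check for a Linux host. The audit reads the INPUT chain in iptables-save
# syntax (iptables -S INPUT) and flags every ACCEPT rule that is absent from
# an approved baseline file. Baseline and current rules are constructed.

# accept_rules: keep only the lines that open something (stdin -> stdout)
accept_rules() {
    grep -- '-j ACCEPT' | sed 's/[[:space:]]*$//'
}

# audit_input_rules BASELINE   (current rules on stdin)
# Prints "UNEXPECTED: <rule>" per ACCEPT rule absent from BASELINE and
# returns 1; returns 0 with "OK" when every opening is approved.
audit_input_rules() {
    patterns=$(mktemp)
    # drop comments and blank lines: an empty grep pattern would match everything
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" > "$patterns" || true
    unexpected=$(accept_rules | grep -vxF -f "$patterns" || true)
    rm -f "$patterns"
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected" | sed 's/^/UNEXPECTED: /'
        return 1
    fi
    echo "OK: every ACCEPT rule is in the baseline"
}

# Constructed baseline: loopback, replies to our own connections, and ssh
baseline=$(mktemp)
cat > "$baseline" <<'EOF'
# approved INPUT openings, reviewed when the firewall was set up
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF

# Constructed `iptables -S INPUT` output: two openings nobody approved (a
# media-sharing program and a file-sharing service added them)
current=$(mktemp)
cat > "$current" <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8200 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
EOF

audit_input_rules "$baseline" < "$current" || echo "review the rules above, then update the baseline"
rm -f "$baseline" "$current"
# On the real machine:  sudo iptables -S INPUT | audit_input_rules ~/firewall-baseline.txt
```

The point of the baseline file is that you only ever have to think about the difference: anything unexpected is either a program you installed (add it to the baseline after deciding it really needs an inbound port) or something that changed the firewall without asking, which is the case the post warns about.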
06) Find the settings for User Account Control. Applies to Windows and
sort of Linux. This is pretty much the default behavior in Ubuntu.
Crank it up to the max and save the settings. This will require the
administrative password when programs try to install software or make
changes to the computer or you change fundamental Windows settings.
This will include routine software updates, so you'll have to do those.
When your daughter is older, and you think she's mature enough to take
over system maintenance, you could give her the password. However,
neither of you should ever enter this password unless you know that it's
for a valid administrative purpose that you requested or that you know
is automated. Otherwise, you're probably under an attempted virus attack.
07) (As mentioned below) MS Security Essentials is a good option for
Anti Virus. Applies to Windows and Linux (in my opinion). You can use
ClamAV or similar for Linux.
It's free, and they update it. If you want to pay for a package, Eset
NOD32 (as someone else mentioned) is a good choice. It's usually a bad
idea to use multiple packages. They fight with each other. If the
machine came with AV, you may have to uninstall it to use these. Always
check the settings of these type of programs. The defaults, while
adequate, may not match what you want the machine to do.
By the way, based on the current knowledge of numerous tech and security
experts I listen to on podcasts, forget about cleaning out viruses.
Modern viruses are very sophisticated. Once they get their hooks into a
system, they have a way of coming back and back, or hiding in such a way
that you'll never know it. Once a system is infected with a virus, you
can never trust it with sensitive information, like your credit card
number, again. If it gets a confirmed virus, back up the data, wipe the
hard drive, and reinstall everything. I know this is a pain in the
butt. I just did it recently to my sister's machine. However, it's the
only way to know for sure that it's clean.
08) (As mentioned below) Firefox is a good alternative for a web
browser. Applies to Windows and Linux.
I would not use Internet Explorer, as it has historically had many
security problems. Many exploits take advantage of ActiveX, which is
part of IE. If you want to know more about locking down IE, contact
me. Noscript is a great plugin. Configuration is a bit complex, and I
can help with that. The bottom line is that you don't want any active
content to run, or any scripting, unless you have a credible reason to
trust the website. Scripting should be off by default. Then, if you
have to trust your bank for their site to work, then you turn it on.
Advise your daughter not to trust sites just because they don't work.
She needs some reason to believe they're credible. Preventing scripting
prevents many exploits. The Firefox Sync plugin (mentioned below) backs
up your bookmarks, and passwords if you want, and optionally lets you
synchronize them to other computers or restore them if needed. It
crashed and corrupted my bookmarks once and lost many of them. I read
similar complaints from other users. I recommend Xmarks instead, which
seems to be more reliable.
08.5) There are a number of Firefox settings which I would change from
the defaults. Applies to Windows and Linux.
Some of these relate to security and some relate to privacy. I could
discuss these privately or post on the list if there is an interest.
These relate to things like whether you clear history and cache data
when exiting, whether you use a master password, whether you store
passwords, etc. Everyone probably has different preferences here. For
privacy protection purposes, consider the Better Privacy and Ghostery
plugins. Firefox should generally be updated when requested. However,
Firefox 4 broke a lot of my plugins which live in the status bar, so I'm
still on 3.6.18. You also have to separately update the plugins
(addons) even though this sometimes happens automatically. WARNING, the
FIREFOX and PLUGINS settings have to be done in EACH user account on the
machine, including the administrative account, and have to be updated in
EACH user account every time they change.
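An added example for item 08.5 (not from Ron's post): because the Firefox settings have to be repeated in EACH user account, this script writes one user.js into every Firefox profile of every user under a home directory. Firefox re-reads user.js at each start and it overrides prefs.js, so the values survive a user changing them in the Preferences dialog. The preference names are Firefox's own (valid for 3.6 and later); the chosen values, the home directory layout and the two-user fixture are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: push the same Firefox privacy
# preferences into every profile of every user below a base directory.
# Run as root on the real machine:  deploy_user_js /home

# write_user_js PROFILE_DIR: writes the preferences into PROFILE_DIR/user.js
write_user_js() {
    cat > "$1/user.js" <<'EOF'
// Wipe history, cache, cookies, download list and form data on exit
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
// Never store web site passwords in the browser (set true plus a master password if you prefer)
user_pref("signon.rememberSignons", false);
// Only whitelisted sites may offer add-on installs; keep add-on update checks on
user_pref("xpinstall.whitelist.required", true);
user_pref("extensions.update.enabled", true);
EOF
    chown --reference="$1" "$1/user.js"   # keep the profile owner's ownership
}

# deploy_user_js HOME_BASE (e.g. /home): for every user, read profiles.ini,
# resolve each profile directory and write user.js into it; prints each
# directory it touched.
deploy_user_js() {
    tab=$(printf '\t')
    for ini in "$1"/*/.mozilla/firefox/profiles.ini; do
        [ -f "$ini" ] || continue
        ffdir=$(dirname "$ini")
        awk -F= '
            /^\[/              { if (path != "") print rel "\t" path; path = ""; rel = 1 }
            $1 == "Path"       { path = $2 }
            $1 == "IsRelative" { rel = $2 }
            END                { if (path != "") print rel "\t" path }
        ' "$ini" | while IFS="$tab" read -r rel path; do
            case $rel in 0) dir=$path ;; *) dir=$ffdir/$path ;; esac   # IsRelative=0 means absolute
            [ -d "$dir" ] || continue
            write_user_js "$dir"
            printf '%s\n' "$dir"
        done
    done
}

# make_sample_home BASE: a constructed two-user fixture (not a real system)
make_sample_home() {
    for entry in kid:ab12cd34.default dad:ef56gh78.default; do
        u=${entry%%:*}; p=${entry#*:}
        mkdir -p "$1/$u/.mozilla/firefox/$p"
        printf '[General]\nStartWithLastProfile=1\n\n[Profile0]\nName=default\nIsRelative=1\nPath=%s\n' "$p" \
            > "$1/$u/.mozilla/firefox/profiles.ini"
    done
}

base=$(mktemp -d)
make_sample_home "$base"
echo "user.js written to:"
deploy_user_js "$base"
rm -rf "$base"
```

Re-run it after every Firefox upgrade or new profile, which is the same "check it again after each update" habit the post asks for with Reader and Flash; a master password still has to be set by hand in each account, since it is not a preference.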
09) Java applies to Windows and Linux. See note after this paragraph.
As JD wrote in his 05/10/11 post entitled "Should I keep Java on my PC",
the top 4 attack vectors you can easily control are: Adobe PDF's, Java,
Adobe Flash, and MS Office documents. We'll address each of these
separately. The general security rule is don't run what you don't
need. Many sites don't need Java to run. Many exploits do. While I
need it, I may delete it from my son's machine and my Dad's. Java is
different from JavaScript, which is widely used. If you need it, get it
from Oracle / Sun at http://www.java.com rather than using an
alternative. This is the most widely used and most updated Java
system. You must keep it updated whenever they issue a patch. If you
don't need it, don't install it or uninstall it from the control panel.
For Linux (Ubuntu), you need to add the PPA to the Synaptic repositories
screen. I cannot locate the procedure or link at the moment. Then,
reload the database. Search for java6 and install java6-fonts,
java6-bin, java6-jre, and java6-plugin from Sun. Don't use a direct
download from Sun / Oracle. By using the PPA, you'll get auto updates,
although they may be a bit older than the current Java release. You
should remove the open jdk and icedtea as well as old java -bin, -fonts,
-jre, and -plugin as all these are out of date compared to Sun's Java;
unless you have a specific reason to use these older items. If you want
to remove Java completely, you can do so from Synaptic. Search for
words like java6, open jdk (or maybe openjdk), icedtea, etc. Make sure
you're removing actual Java stuff, and not just something else that
happens to end in -bin.
10) Your daughter will probably need the Adobe PDF Reader on her PC in a
Windows environment. Applies to Windows and MAY apply to Linux, if you
run Adobe's reader in Linux. With other readers, you should take
similar steps to disable features which may be a security risk,
including Java, JavaScript, embedded automation, etc.
PDF's are widely used, but can be malicious. Make sure you have
installed Adobe Reader X (ten) from http://www.adobe.com . If the
machine has Reader 9 on it, uninstall it and install X. Version 9 has
some significant security holes. After installing, you must change some
settings to maximize security. You must do this in EACH user account,
just as with Firefox, since this is a user application, not a system
application. You should check these settings after every update or new
reader install, since sometimes they will get reset to defaults. Start
Reader X, then select Edit, Preferences and set the following:
Click the JavaScript category, UNCHECK the "Enable Acrobat
JavaScript" box. There is almost never a need, outside of specific
corporate usage, to need JavaScript in a PDF, and it is often used for
attack.
Click the Multimedia Trust (legacy) category, UNCHECK the "Allow
multimedia operations" box. This prevents multimedia files from being
triggered by PDF's (I think).
Click the Security (Enhanced) category, CHECK the "Enable Enhanced
Security" box. Don't know what it does, but I want it on.
In the same Security (Enhanced) category, UNCHECK the
"Automatically trust sites from my Win OS security zones" box. I don't
want any "automatic trusting" of anything.
Click the Trust Manager category, UNCHECK the "Allow opening of
non-PDF file attachments with external applications" box. This prevents
an XLS file, for example, from being attached to a PDF file, which could
be a vector for attack.
Click OK to save the changes.
Then, go back into preferences and make sure these are all set as
required.
You may then click OK to exit the preferences and then exit the
program.
Do this same setup in EACH user login including the administrative
one.
By the way, when you installed Adobe Reader X, you probably also got
Adobe Air. Go to control panel and uninstall it unless you know you
need it. Also, every time you run one of the installers, watch out for
things like a check box (defaults to on) that says Install the Yahoo
toolbar, etc. (Actually, that might be the Java installer.) Make sure
you read everything on the screen before clicking any button.
11) She'll probably need Adobe Flash too. Applies to Windows and Linux
if you use Flash in Linux, as I do, and many others.
YouTube runs on it, as does Pandora, and many others. Facebook probably
uses it. Flash, too, is a major attack vector. You'll need the latest
Flash. As with the other things, you must update it whenever there's a
patch. All these things should be checked at least monthly. As with
the other USER apps, you have to configure flash in EACH user account.
The default settings are NOT conducive to security and privacy, and the
way to change them is not obvious.
WARNING, there have been exploits, sometimes using flash, sometimes not,
which use the computer's web camera and microphone to spy on people and
take pictures of them or record their conversations. We will set these
flash settings accordingly. However, I would recommend disabling the
built in microphone and web camera if you don't need them. At the very
least, I would place a piece of dark thick tape over the web camera when
I'm not using it. I intend to do just that with the new laptop. If I
want a mic, I'll plug in a headset. If I want a camera, I'll either
re-enable it or plug an external one in.
Go to this address to check if Flash is installed and what version it
is. (PS, I use the flashblock plugin in firefox to prevent flash from
running unless I want it to, even if the site is trusted by NoScript.)
Once you visit this site, it will tell you if flash is installed, and
what version it is. If you need the new one, get the installer from here:
http://get.adobe.com/flashplayer/ For Linux, install the flash-plugin
from the repository after enabling the various repositories.
It may try to install the Adobe Download Manager plugin into your
Firefox. Install it if you have to. Then uninstall it later.
Once you've got Flash installed, for each user account, go to this
address and make the changes outlined below:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
- This is where you set the settings from. There is also a control
panel applet, but it doesn't allow as much flexibility.
Click on Global Privacy Settings panel at the left.
The applet will appear which configures default settings for your camera
and microphone. Click Always Deny, then Confirm. Do this 3 times.
Then click on Global Privacy Settings panel again and do the same thing
3 times again. Sometimes, for whatever reason, the settings don't stick
initially.
Click on Global Storage Settings panel at the left.
Check all three check boxes, then click on Global Storage Settings panel
again and do the same thing again. Click on Global Storage Settings
panel again to make sure the settings were saved. This disallows sites
from storing Flash cookies on your computer by default, but will allow
it if you specifically allow it per site. Note that things like Pandora
won't work this way, but you can enable them specifically. Disabling
Flash storage enhances privacy.
Click on Global Security Settings panel at the left.
Click on Always Deny. This prevents sites from using an older security
system. Click on Global Security Settings panel again to see if the
setting stuck. If not, repeat and test again.
Click on Global Notifications Settings panel at left.
Set to notify you of updates and check every 7 days. Repeat as
necessary to make it stick.
Click on Website Privacy Settings panel at left.
Delete all the sites. As sites are visited, they will appear here.
After this point, any websites listed here show a deny symbol, a red circle
with a line through it. They will be denied access to the camera and
mic. If a site does need access to the camera and or mic, you can click
its specific line and authorize it. Make sure you go back into the
screen to make sure your changes stick.
Click on the Website Storage Settings panel at left.
When you deleted the sites from the previous list, they were deleted
here. As sites are visited, they will populate this list, and it will
show how much flash storage is allocated. They should all say nothing.
No numbers shown. If a site has requested storage, it may say never
under the limit. If you go to Pandora, for example, it will fail and
complain about not having any Flash storage. You can come to this
screen, and select Pandora, which will now be in the list. Uncheck the
box that says never ask again, and slide the slider to set the limit of
storage for that website, for say 100 KB of storage. Then, you can go
back into the screen to make sure it stuck. Pandora should then work.
Click the Peer-Assisted Networking Panel at left.
Flash has some peer to peer features that can present security risks. I
just disable them. There should be no websites here unless you've
enabled them. Any that are there should have a deny symbol, the red
circle with a line through it. Also, check the box that says Disable
P2P Uplink for All. Go out of the screen and come back to see if it
stuck. If not, do it again.
Well, that's ALL that's required to properly secure Flash. Oh, just
remember to do it for EACH user login. And remember to check it after
each update, which you should do every time the version changes.
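An added example for item 11 (not from Ron's post): Flash Player reads an administrator file, mms.cfg, before any per-user Settings Manager value, so the camera/microphone denial, the weekly update check and the peer-assisted networking choice can be enforced once for every account instead of being repeated in each login and after each update. The option names come from Adobe's Flash Player Administration Guide; the values and file locations are this example's choices, and RTMFPP2PDisable in particular should be confirmed against the guide for the installed Flash version.

```shell
#!/bin/sh
# Added example, not part of the original post: write a system-wide Flash
# Player mms.cfg. It is a floor: a user can be stricter in the Settings
# Manager but cannot loosen anything set here.

# mms_cfg_content: prints the hardened configuration to stdout
mms_cfg_content() {
    cat <<'EOF'
# Deny SWF content access to the camera and microphone, for every site and user
AVHardwareDisable=1
# Keep update checks on, and check every 7 days
AutoUpdateDisable=0
AutoUpdateInterval=7
# Turn off peer-assisted networking (RTMFP peer-to-peer uplink)
RTMFPP2PDisable=1
# Uncomment to forbid Flash cookies outright (1 = no local storage). Left off
# here because it also removes the per-site allowances the post uses for Pandora.
# LocalStorageLimit=1
EOF
}

# install_mms_cfg PATH: writes the file, readable by all, writable by root only.
# Real locations: Linux /etc/adobe/mms.cfg; Windows 7 64-bit
# C:\Windows\SysWOW64\Macromed\Flash\mms.cfg (32-bit Windows: ...\System32\...)
install_mms_cfg() {
    mkdir -p "$(dirname "$1")"
    mms_cfg_content > "$1"
    chmod 644 "$1"
}

# check_mms_cfg PATH KEY VALUE: succeeds if KEY=VALUE is set (comments ignored)
check_mms_cfg() {
    grep -v '^#' "$1" | grep -qx "$2=$3"
}

# Demo against a temporary path so it runs without root; on the real machine
# call install_mms_cfg /etc/adobe/mms.cfg as root, then verify with check_mms_cfg.
demo=$(mktemp -d)/mms.cfg
install_mms_cfg "$demo"
cat "$demo"
for kv in AVHardwareDisable=1 AutoUpdateInterval=7 RTMFPP2PDisable=1; do
    check_mms_cfg "$demo" "${kv%=*}" "${kv#*=}" && echo "set: $kv"
done
rm -rf "$(dirname "$demo")"
```

With AVHardwareDisable in place the per-user "Always Deny" clicks become a belt-and-braces measure rather than the only barrier, and a Flash update cannot quietly reset the camera and microphone policy, since the file lives outside the per-user settings the installer touches.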
12) Office Documents were the other item on JD's list. Applies to
Windows and Linux. Linux users will probably have Open Office or Libre
Office. See below for that.
They can have macro viruses and Visual Basic applications embedded in
them, which can be malicious.
I'm not an expert in the new MS Office package. I don't own it or use
it. It costs too much $$$ when LibreOffice is free. I did get my wife
to boot her work computer long enough to print out the menu screens
related to security and privacy. I'll tell you how I'd set them for a
son or daughter. Remember, I take a paranoid philosophy. Turn off all
unneeded automation, and block all potentially malicious content unless
there is a good reason not to. You can do the following in Word 07.
There should be similar menus in Excel, Powerpoint, and Access. Do this
in each one, as relevant, and in EACH user account.
Click the start button within the app (the big circle).
Click Word Options (or Excel or PowerPoint or Access).
Click Trust Center.
Click Trust Center Options.
Click the Trusted Publishers category.
For a child's (non corporate) computer, I think this list should be
empty.
Click the Trusted Locations category.
I would think this should also be empty.
UNCHECK "Allow Trusted Locations on my network (not recommended)"
CHECK "Disable all Trusted Locations ..."
Click the Add-Ins category.
CHECK "Require Application Add-Ins to be signed by Trusted Publisher"
CHECK "Disable all Application Add-Ins (may impair functionality)"
Click the Active-X Settings category
SELECT "Disable all controls without notification" - You don't want
to bother a child with lots of strange pop-ups.
CHECK "Safe mode"
Click the Macro Settings category
SELECT "Disable all macros without notification"
UNSELECT "Trust access to the VBA project object model"
Click the Message Bar category.
SELECT "Never show information about blocked content"
Click the Privacy Options category.
Not sure what all these mean. The ones that look important are:
CHECK "Check Microsoft Office documents that are from or link to
suspicious Web Sites"
CHECK "Make hidden markup visible when opening or saving"
Click OK to save all this. Then, go back in and see if it saved.
I prefer to use LibreOffice. http://www.libreoffice.org/ For Linux
users, add their PPA to the repositories list in Synaptic and install
from there. This will allow for auto updates. If OpenOffice is already
on your system, you should uninstall it before installing LibreOffice.
I had a hard time doing that in Ubuntu, but don't remember the exact
procedure. At the moment, these steps will probably work for OpenOffice
too.
Here is how to set the options.
Start LibreOffice and open a blank text document.
Select the Tools, Options menu.
Open the LibreOffice category.
Click the Security sub category.
Click the Macro Security button.
Click the Security Level tab.
Select "Very High"
Click the Trusted Sources tab.
Both lists should be empty.
Add things only if you know what you're doing and you know
what you need.
Click OK to save these settings.
Click the Java sub category.
UNCHECK the "Use a Java runtime environment" button.
Click OK to save these settings.
Select the Tools, Options menu.
Open the Load / Save category.
Click the VBA Properties sub category.
Under the "Microsoft Word 97/2000/XP" section
UNCHECK "Executable Code"
UNCHECK "Load Basic Code"
UNCHECK "Save original Basic code"
Under the "Microsoft Excel 97/2000/XP" section
UNCHECK "Executable Code"
UNCHECK "Load Basic Code"
UNCHECK "Save original Basic code"
Under the "Microsoft PowerPoint 97/2000/XP" section
UNCHECK "Load Basic Code"
UNCHECK "Save original Basic code"
Click OK to save these options.
Go back into the menus again under the Java, Security, and VBA
properties sub categories and make sure that the settings are correct.
See part 2 for the rest of the message.
On 4/11/2011 6:36 PM, Preston Boyington wrote:
> Trey Sizemore wrote:
>> Hi all-
>>
>> Off-topic for the list, but I know there's tremendous knowledge and
>> experience here when it comes to tightening a Windows machine.
>>
>> I've got my daughter's laptop dual-booting Windows 7 and Ubuntu.
>> I've encouraged her to use Ubuntu as much as possible, but realize
>> there are some programs that are not able to run on Linux at this
>> point (tried Wine and others).
>>
>> So for the times she does log in to Windows, I want to have
>> up-to-date anti-virus installed and am looking for some advice on
>> what to use. Also, any other software that would be good to install
>> to help keep the nasties off.
>>
> Microsoft Security Essentials (for anti-virus)
> Mozilla Firefox with the following:
> *Adblock Plus (speeds up things by blocking ads, etc.)
> *NoScript (to block what Adblock doesn't)
> *Firefox Sync (bookmark & password sync)
> *Update Notifier (to keep add-ons updated)
>
> there are also proxy servers to route through to help protect from some
> nasties and optionally filter content you don't care about. OpenDNS has
> a 'FamilyShield' that does this.
>
> those would get you started I think.
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com