[ale] PT 2 - ale OT Need to lock down a Windows laptop / (OR Linux)
Ron Frazier
atllinuxenthinfo at c3energy.com
Sun Jun 26 05:00:22 EDT 2011
This is part 2 of the message.
13) This applies to Windows and Linux. That covers most virus vectors
except a big one, email. Email is one of the biggest vectors. I
wouldn't give a child email unless you know they need it. Those
discussions on ground rules, and who it is appropriate to contact come
into play here. You could have all of the child's email copied to your
account, depending on their age. I don't use web based email, so I
cannot speak to security for that. You should thoroughly investigate
the security and privacy options available to you. I would suggest that
the parent should know the password to the email account, at least for
younger children. The child should understand that they need to protect
their password, not share it, log out of email when not using the PC,
and notify you of any strange issues. Please don't flame me about
parenting technique. Every parent has to make those decisions for
themselves. The object of this post is how to deal with the relevant
technology. I use an email client application rather than web mail. In
general, you want to turn off all automation, MAPI automation,
scripting, and java. In my case, it's Eudora OSE, both on Windows and
Linux. Here are the security options I use.
Under Tools, Options
Security category
Junk tab
I don't use automated junk filtering, but you may want to use it
for a child. I can't speak to how it works.
Email Scams tab
I have this on. It alerts me on suspected scams. Sometimes, it
erroneously flags good messages.
Anti-Virus tab
CHECK "Allow anti virus clients to quarantine individual incoming
messages"
Passwords tab
I never save passwords in applications, with the exception of my
bookmark synchronizer. There are no saved passwords here in the email.
I don't use a master password here, as it's not necessary. I do on
Firefox. I recommend something like LastPass or an encrypted set of
Evernote notes. That way, if you have to reinstall, you haven't lost
all your passwords.
Web Content tab
UNCHECK "Accept cookies from sites" - I see no reason for an
email program to accept cookies
Advanced Category
Update Tab
CHECK "Automatically check for updates to - Eudora OSE"
CHECK "Automatically check for updates to - Installed Add-Ons"
SELECT "When updates ... are found - Ask me what I want to do" -
The OS is the only thing I ever allow to auto update. I have Windows
set for auto update, which would include MS applications. For Linux, I
have the updater set to notify only, since I like to see the list of
updates, including the applications, before they run. A child needs to
be taught how to properly maintain the computer, which includes routine
updates.
Certificates tab
SELECT "When a server requests my personal certificate - Ask me
every time" - I've never used this, but when something security related
needs doing, I don't generally want it automated.
Extras Category
Mailboxes tab
UNCHECK "Show message preview pane" - Some people will hate
this. However, just previewing a malicious message can sometimes invoke
a virus. I keep it off. If I don't recognize the sender, recipient
address (I use different incoming addresses for different purposes.),
and a meaningful subject line, I don't open the message.
Miscellaneous tab
You can check or uncheck "Always display remote images". Images
in emails can be used to track you and invade your privacy. Say the
email pulls in a hidden image from doubleclick.net. Beyond that,
images can be malicious and carry viruses. The down side to turning it
off is that many legitimate emails are HTML based and will have
legitimate images. Without them, the email is not as useful. I have
this option on, but I'm very careful about what I open.
Click OK to save all these. You might want to go back in and check that
they were saved properly.
Eudora likes to use a combined who column in which it tries to smartly
choose whether to display the sender or recipient. I don't like this.
I turn this column off and turn on both the sender and recipient
columns. That way, if I get an email claiming to be from Bank of
America, but it came to my incoming address for Amazon Orders, I know
right off the bat that it's fake and probably contains a virus.
I will deal with user psychology below, as a defense against threats.
14) This applies to Windows and Linux. You want to turn off Autorun and
/ or Autoexecute. This is the concept that, when you insert a CD or
memory stick or memory card, a program on the media will automatically
start up and run. This is a huge security risk and is a substantial
vector for viruses. 25 years ago, viruses were often spread in schools
and colleges by floppy disks. You get a cool picture from your friend
on a floppy, which also contains a virus. Once you boot from that
floppy, the virus spreads. Autorun is a giant step backwards, you don't
even have to boot it! Autorun should be turned off. Advise your child
not to put foreign memory sticks, CD's, or memory cards in the
computer. But, that advice probably won't work. Advise them not to
click on programs or executables and only access documents from trusted
sources.
In Windows Vista and 7 (XP requires jumping through more hoops)
Click Start
Click control panel
Click autoplay
The dialog box says to choose what happens when you insert different
types of media. Set EVERY option to "Take no action". You can actually
tab to each option and then hit the "T" key. Then, click Save to save
the settings.
As a double precaution, go back into the screen and UNCHECK "Use
autoplay for all media and devices" and Save it.
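The same Windows-side change as an added PowerShell example (this is not part of Ron's post, nor anything from Microsoft's documentation): it writes the two standard Explorer policy values that the AutoPlay dialog controls and then reads them back so a failed write shows up as OK = False. Run it from an elevated prompt, since the HKLM key needs administrator rights, and log off or restart for the policy to take effect.

```powershell
# Added example, not from the original post: turn AutoRun/AutoPlay off by
# policy instead of clicking through the AutoPlay dialog, then read the
# values back. Run from an elevated prompt; the HKLM key needs admin rights.
#   NoDriveTypeAutoRun = 0xFF  disables AutoRun for every drive type
#   DisableAutoplay    = 1     clears "Use AutoPlay for all media and devices"
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'; Name = 'DisableAutoplay'; Value = 1 }
)

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Policy keys often do not exist on a fresh install; create them first
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    # Read back, so a failed write (e.g. no admin rights) shows up as OK = False
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    [pscustomobject]@{ Key = "$Path\$Name"; Wanted = $Value; Actual = $actual; OK = ($actual -eq $Value) }
}

$results = foreach ($s in $settings) {
    Set-RegistryDword -Path $s.Path -Name $s.Name -Value $s.Value
}
$results | Format-Table -AutoSize
```

The HKCU copy of NoDriveTypeAutoRun is per user, so it has to be applied once per account on the machine, which matches the point made in item 24 below that most settings are tied to the user account.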
In Ubuntu
Start the Nautilus file explorer by opening a folder
Click Edit, Preferences
Click the Media tab
In the Media Handling section at the top, set each item to "Do Nothing"
In the Other Media section at the bottom, select each media type in
the first drop down box, and set its action below to "Do Nothing". You
have to do this for every media type individually in this section of the
dialog box.
UNCHECK the "Browse media when inserted" box
Close the Window
As a double precaution, go back into the window and CHECK the "Never
prompt or start programs on media insertion" box, then close the window.
15) Facebook. Applies to Windows and Linux.
Aah ... Facebook. My child is 18 and has never expressed an interest in
Facebook. He prefers cell phone text messages. I'm quite glad.
Facebook is a huge security risk. If you have a choice, don't go
there. I don't use Facebook for this reason. It's against Facebook
terms of service for anyone under 13 to be on it, by the way. Anyone
can post anything on there, and anything they post can be malicious.
This applies to all sites with user content, but the extreme volume of
Facebook makes it a great hacker target. Facebook applets and
applications are well known to be a great source for viruses.
If you must use Facebook, get a book which talks about the parental,
privacy, and security issues involved. Dig into and understand the
security and privacy settings thoroughly. If you're using Facebook and
NoScript, you'll probably have to trust the Facebook site for it to
work. I would not trust any third party sites unless they are absolutely
mandatory for functionality. Avoid Facebook applications and applets if
at all possible. If you go down this road, I do not envy you. Did I
say, if you have a choice, don't go there? Yeah.
16) Windows likes to hide things from you. Sometimes, this is a
security problem. I don't know about Linux in this regard. In
particular, it likes to hide file extensions by default - the last 3
characters after the period in the file name. These can be critical for
security, as they give an indication when a file is executable. A
computer user, even a child, needs to get used to seeing these, and to
avoid accessing them if anything looks strange. They should avoid
running anything that says .EXE, .COM, and .DLL like the plague, unless
they know exactly what they're doing. (I know, that's a simplified
list, and I know sometimes bad things can hide, but this is just a basic
precaution.) Tell Windows to stop hiding them as follows.
Start Windows Explorer
Click Tools, Folder Options
Click the View tab
UNCHECK "Hide extensions for known file types"
Click OK to save
17) Turn on DEP, Data Execution Prevention. Applies to Windows Vista
and previous. I think it applies to 7 as well, but haven't figured out
how to do it yet. Not sure about an analog to this in Linux. Data
Execution Prevention is a feature that attempts to disallow parts of
program memory which should be only data from having executable code
which gets executed. This is a tactic some malware uses to crash the
system and execute its code. Some older programs fail with this on,
but I've never had a problem. All modern programs should accommodate
this security feature. Turn it on as follows.
Click Start
Click control panel
Click system
(This may vary by version.) On Vista click advanced system settings
The system properties dialog pops up.
Click the advanced tab
Click the settings button under the performance section
Click the Data Execution Prevention Tab
SELECT "Turn on DEP for all programs and services except those I select"
The exception list should be empty.
Click OK to save
Click OK to acknowledge the message that you must restart
Restart the machine
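The same DEP setting from the command line, as an added PowerShell example that is not part of the original post. It reads the active policy from the Win32_OperatingSystem CIM class (SupportPolicy 3 is OptOut, which is the GUI choice "Turn on DEP for all programs and services except those I select"; 1 is AlwaysOn, the same thing with no exception list at all) and, from an elevated prompt, changes it with bcdedit. The function and variable names are mine.

```powershell
# Added example, not from the original post: show and set the Data Execution
# Prevention policy without the System Properties dialog.
# DataExecutionPrevention_SupportPolicy: 0=AlwaysOff 1=AlwaysOn 2=OptIn 3=OptOut
# OptOut with an empty exception list is what the GUI steps above produce;
# AlwaysOn removes the ability to opt a program out at all.

function Get-DepPolicy {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        Policy    = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Available = $os.DataExecutionPrevention_Available          # hardware NX support present
        For32Bit  = $os.DataExecutionPrevention_32BitApplications  # also applied to 32-bit programs
    }
}

function Set-DepPolicy {
    param([ValidateSet('OptIn', 'OptOut', 'AlwaysOn', 'AlwaysOff')][string]$Mode = 'OptOut')
    # bcdedit edits the boot configuration; the new policy applies after a restart
    & bcdedit.exe /set '{current}' nx $Mode
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
}

Get-DepPolicy
# Set-DepPolicy -Mode OptOut    # run elevated, restart, then run Get-DepPolicy again to confirm
```

The Set-DepPolicy call is left commented out so the script is read-only by default; uncomment it when you actually intend to change the boot configuration.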
18) This applies to any PC. Forgive me if you already know this. User
psychology is key in protecting the PC from risks. This requires user
training. Users should avoid clicking on links that link to executable
content, unless they know what they're doing. You can set the Firefox
settings to prevent Javascript applications from changing the status
bar. That way, when you hover the mouse over a link, you can tell where
it will link to. That's a good habit to be in. Don't download things
from a site you don't have reason to trust. If anything, and I mean
anything, pops up in your face that scares you, STOP, get an expert on
the phone and determine what's going on. My sister encountered a popup
message recently which APPEARED to be doing a virus scan and then said
"your system is infected, click here to clean it" or something. In the
5 seconds before she really thought about it, she clicked it, which
actually invited the virus in. The message was totally fake, and was
probably triggered by JavaScript or Java. This is very easy to do, and
it's human nature, which is why the bad hackers use it. Then, she
called me. I spent the next week backing up data, wiping the hard
drive, building the system from scratch, doing most of what's listed in
this message, and restoring data. I don't blame her, these social
engineering attacks are very authentic looking and clever. You should
have your power settings to shut down, not standby, when the power
button is pressed. If something pops up and scares you, DON'T CLICK ON
IT, NOT EVEN THE "X" BUTTON. Hit CTL-ALT-DEL to bring up task manager
and forcibly terminate the program you were running, like Firefox, or
just press the physical power button and instruct the system to shut
down immediately.
Users should not click links in email that they don't absolutely know
are legitimate and from trusted sources. Better yet, don't click them
at all. Don't open attachments that were not expected by prior
arrangement, or better yet, don't open them at all. If you don't
recognize the sender of a message (which could be fake by the way), or
the subject line doesn't make sense, don't open the message. Almost all
messages with attachments, that you don't specifically know to expect,
are viruses. Just delete them. Avoid opening messages which scare you,
which talk about suspended accounts, dire financial circumstances, or
problems with your vendors, even if they look legit. If you get a
message from Bank of America, and if you are their customer, and they
say there is a problem, go get your statement and call their toll free
number or get the web address from there and log into your account
separately. Never click links in such an email, or enter any account
data or credit card numbers there. Likewise, any email that says you've
won a lottery or contest is almost certainly fake. Don't click them.
Unless you KNOW they're legit, avoid emails that sell drugs, enlarge or
shrink body parts, sell mortgages, ask you to download anything, have
attachments, talk about your accounts, sound scary in any way, discuss
financial matters or taxes, or talk about a package or shipment you are
or are not getting. If you have some of these spam messages on file, I
would show some of them to your child. Even if the offer looks
enticing, a new Pearl necklace for $29, don't click it.
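Two of the habits described above (the "Bank of America mail arriving at my Amazon address" test from item 13, and the list of scare, prize and shipment wording here) can be turned into a mechanical triage check. The following is an added PowerShell example and not part of the original post; the purpose-specific addresses, the expected sender domains, the keyword list and the sample message are all constructed for illustration, and the function names are mine.

```powershell
# Added example, not from the original post: flag an incoming message when
# (1) its claimed sender does not belong to the purpose of the address it was
#     delivered to, (2) the subject uses scare / prize / shipment wording, or
# (3) it carries an attachment. All addresses and samples below are constructed.

# Which sender domains are expected at each purpose-specific incoming address
$expectedSenders = @{
    'amazon-orders@example.com' = @('amazon.com')
    'bank@example.com'          = @('bankofamerica.com')
    'family@example.com'        = @()   # personal mail: no domain restriction
}

$scaryPatterns = @(
    'suspended', 'verify your account', 'won', 'lottery', 'prize', 'invoice',
    'payment', 'shipment', 'package', 'urgent', 'unusual activity', 'tax'
)

function Get-HeaderValue {
    param([string[]]$Lines, [string]$Name)
    $line = $Lines | Where-Object { $_ -match "^$Name\s*:" } | Select-Object -First 1
    if ($line) { return ($line -replace "^$Name\s*:\s*", '').Trim() }
}

function Get-AddressDomain {
    param([string]$Header)
    # Use the address inside <...> if present, else the bare address; keep the domain part
    $addr = if ($Header -match '<([^>]+)>') { $Matches[1] } else { $Header }
    return ($addr.Split('@')[-1]).Trim().ToLowerInvariant()
}

function Test-SuspiciousMessage {
    param([string[]]$HeaderLines)
    $reasons = @()
    $from    = [string](Get-HeaderValue $HeaderLines 'From')
    $to      = ([string](Get-HeaderValue $HeaderLines 'To')).ToLowerInvariant()
    $subject = [string](Get-HeaderValue $HeaderLines 'Subject')

    # Rule 1: the sender domain must fit the purpose of the receiving address
    $fromDomain = Get-AddressDomain $from
    if ($expectedSenders.ContainsKey($to)) {
        $allowed = $expectedSenders[$to]
        if ($allowed.Count -gt 0 -and $allowed -notcontains $fromDomain) {
            $reasons += "sender domain '$fromDomain' is not expected at $to"
        }
    } else {
        $reasons += "delivered to unknown address '$to'"
    }

    # Rule 2: scare / prize / shipment wording in the subject (-match is case-insensitive)
    foreach ($p in $scaryPatterns) {
        if ($subject -match "\b$([regex]::Escape($p))\b") { $reasons += "subject matches '$p'" }
    }

    # Rule 3: an attachment that nobody arranged for
    if ($HeaderLines -match '^Content-Disposition:\s*attachment') { $reasons += 'carries an attachment' }

    [pscustomobject]@{ From = $from; To = $to; Subject = $subject; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Constructed sample: a "bank" message that arrived at the address reserved for Amazon orders
$sample = @(
    'From: Bank of America <alerts@bankofamerica-secure.example>'
    'To: amazon-orders@example.com'
    'Subject: Your account has been suspended - verify now'
    'Content-Disposition: attachment; filename="statement.zip"'
)
Test-SuspiciousMessage $sample | Format-List
```

On the sample, all three rules fire: the sender domain bankofamerica-secure.example is not the one expected at the Amazon-orders address, the subject contains "suspended", and there is an attachment. The check is deliberately a triage aid, not a verdict; the advice in the text still applies, which is to not open the message and to contact the institution through a number or address taken from a statement rather than from the email.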
The user should run the PC with a non administrative password and
login. If the User Account Control window (or the Linux equivalent)
ever pops up and asks for an administrative password, even if the user
knows it, DO NOT ENTER IT unless you conclusively prove that it is
something you asked for or an expected and legitimate automated
process. It's much better to deny the request and reboot the machine.
If it pops up again without you going to a website or reading email, it
is likely a legitimate item. Nevertheless, never enter the password
unless you know what is going on.
At this point, this has taken many hours to write, so I'm getting more
tired and more brief.
19) This applies to any PC. You need to be able to do maintenance on
the machine such as troubleshooting, virus scans, and backups, even if
the machine won't boot. You must be able to boot CD's and / or memory
sticks, if you desire to. Set the BIOS such that these things are
bootable, but only do so if you select them. I would set the boot order
to HDD, CD / DVD, USB, then maybe network. Most PC's require you to
press a key to get a boot menu, then you can pick these options. I do
NOT recommend having the CD / DVD or USB first in the boot order, as
inadvertently having a malicious CD or DVD or memory stick in place at
boot can infect the machine.
20) This applies to Windows or Linux. I would do a full image backup
weekly or monthly. I don't like data backups. Reinstalling the OS and
repeating all the things documented in this message is a royal pain. If
I have to restore a backup, I want to do one thing to restore to the way
it was on that day that I saved it, walk away for 4 hours, then resume
using the machine. I use Acronis True Image on Windows to clone the
entire hard drive onto an external USB drive after booting the backup
CD. This gets the Linux partitions as well. I'm not sure how to do
this with a GUI in Linux.
21) I use JungleDisk to backup off site to Amazon's S3 servers. Setup
procedures would add several more pages to this message, so just contact
me if interested. You can run JungleDisk on either Windows or Linux.
22) This applies to Windows or Linux, but I don't know how to do it in
Linux. It's a good idea to have remote access software installed so you
can log in remotely, with the user's permission, and diagnose problems
when they're far away. Check out CrossLoop at http://www.crossloop.com/.
You can use the basic functions for free.
23) This applies to Windows, not sure about Linux. You could use
something like Deep Freeze http://www.faronics.com/standard/deep-freeze/
to freeze the computer and prevent changes. Whenever you reboot, it
goes back to the previous state, including eliminating any collected
viruses, and new user data. It's not free, and can be a pain to set up
properly, but is an option. Special provisions need to be made for user
data and updates.
24) Miscellaneous. You ALWAYS have to check your applications settings
for security and privacy. They are almost NEVER right by default.
Every time you reinstall and periodically after an update, you should
recheck them, since they may have changed. All these apps need to be
patched at least monthly or whenever a critical update occurs. Most
user apps keep their configuration linked to the user account.
Therefore, the setup and configuration must be done for EACH user
account. For a new computer install, or a reinstall without an image
backup, all this has to be done from scratch over again. Even with an
image backup, changes since the backup must be redone.
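Since these settings drift after reinstalls and updates, a read-only audit that re-checks the Windows items from 14, 16 and 17 above is worth keeping around. The following is an added PowerShell example, not part of the original post; it reads the same Explorer registry values those items set through the GUI (HideFileExt = 0 is the "Hide extensions for known file types" box unchecked) and the DEP policy from CIM, and reports any value that is not the hardened one. It changes nothing, and the HKCU values it reads are per user, so run it in each account.

```powershell
# Added example, not from the original post: re-check the Windows settings from
# items 14, 16 and 17 and report any that have drifted. Read-only; run it after
# every reinstall or update, once per user account (HKCU values are per user).

$expected = @(
    @{ Item = '14 AutoRun policy (machine)'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Want = 255 }
    @{ Item = '14 AutoPlay off (this user)'; Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'; Name = 'DisableAutoplay'; Want = 1 }
    @{ Item = '16 Show file extensions';     Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Want = 0 }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # A missing key or value means "never set", which the report shows as (not set)
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { return $p.$Name }
    return $null
}

function Test-HardeningDrift {
    $rows = foreach ($e in $expected) {
        $actual = Get-RegValueOrNull -Path $e.Path -Name $e.Name
        [pscustomobject]@{
            Item   = $e.Item
            Wanted = $e.Want
            Actual = if ($null -eq $actual) { '(not set)' } else { $actual }
            OK     = ($actual -eq $e.Want)
        }
    }
    # Item 17: DEP policy comes from the OS, not the registry (3 = OptOut, 1 = AlwaysOn)
    $dep = [int](Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $rows += [pscustomobject]@{ Item = '17 DEP policy'; Wanted = 'OptOut or AlwaysOn (3/1)'; Actual = $dep; OK = ($dep -in @(1, 3)) }
    $rows
}

$report = Test-HardeningDrift
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more settings have drifted from the hardened value; redo the steps for those items.'
}
```

Application-level settings such as the Eudora options in item 13 live in each program's own profile rather than in these keys, so they still need the manual re-check the text describes.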
Normally, I would proofread this before sending, but since I've been
working on it for hours, out it goes. I apologize for any typos and
will correct them later.
I hope this will be helpful to Trey and others who read it. Almost all
of it applies to Windows and Linux, and I've rarely, if ever, seen this
documented elsewhere all in one place.
Others may use this information as they wish for non commercial
purposes. If you republish it somewhere, please give me credit and
mention my email address.
Sincerely,
Ron
On 4/11/2011 6:36 PM, Preston Boyington wrote:
> Trey Sizemore wrote:
>> Hi all-
>>
>> Off-topic for the list, but I know there's tremendous knowledge and
>> experience here when it comes to tightening a Windows machine.
>>
>> I've got my daughter's laptop dual-booting Windows 7 and Ubuntu.
>> I've encouraged her to use Ubuntu as much as possible, but realize
>> there are some programs that are not able to run on Linux at this
>> point (tried Wine and others).
>>
>> So for the times she does log in to Windows, I want to have
>> up-to-date anti-virus installed and am looking for some advice on
>> what to use. Also, any other software that would be good to install
>> to help keep the nasties off.
>>
> Microsoft Security Essentials (for anti-virus)
> Mozilla Firefox with the following:
> *Adblock Plus (speeds up things by blocking ads, etc.)
> *NoScript (to block what Adblock doesn't)
> *Firefox Sync (bookmark & password sync)
> *Update Notifier (to keep add-ons updated)
>
> there are also proxy servers to route through to help protect from some
> nasties and optionally filter content you don't care about. OpenDNS has
> a 'FamilyShield' that does this.
>
> those would get you started I think.
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com