Harden XP system - how and with what


db9
September 3rd, 2009, 02:27 PM
I used the word 'hardened' because I see it used on this forum and I think that this is what I wish to do.

One of my systems got clobbered with MS Anti-virus - etc.. running AVAST & Super Anti Spyware.. my son playing a game (WOW) accepted it and bingo...re-installed XP SP3 and want to harden to basically lock down installations & mods without me reviewing first.. The user needs to be an admin for the game to work so changing the user setting isn't an option.

open for suggestions..

Thank you for taking the time.

Stephen

Sully
September 3rd, 2009, 02:43 PM
There would be many ways to harden it.

Perhaps consider that using LUA is alone a method to make it harder for problems to arise.

Perhaps you can harden the OS by turning off services that are exploitable. Many services open ports to the outside world, so by controlling your services you can close certain ports that may be targeted.

If you exist behind a router, you have been hardened already unless you port forward in the router.

Hardening might be something so simple as using Sandboxie to do your surfing in. If you are running as admin, and cannot switch to LUA, perhaps you should consider using SRP and then starting network facing applications AS a user. This too can harden your system.

There are many ways. I think the objective should be to make it 'HARD' for malware/virii to get installed in the first place. Short of a HIPS type approach, being a User aka LUA is probably the best bet.

Sul.

jmonge
September 3rd, 2009, 03:14 PM
I will say a HIPS program and/or anti-executable app ;)

db9
September 3rd, 2009, 03:24 PM
Currently behind router, no forwarding


At this point I don't believe that LUA is an option - however SRP maybe - but forcing users to sandbox the browser may be the current alternative (correct?)
Suggestions for sandbox programs - I have heard of but never used sandboxie, are there others?

thanks

db9
September 3rd, 2009, 03:26 PM
jmonge..

any program in particular?

jmonge
September 3rd, 2009, 03:33 PM
-{ Quote: "jmonge..

any program in particular?" }-
Malware Defender, put this baby in silent mode and it blocks all the unknown in real time :thumb:

G1111
September 3rd, 2009, 04:04 PM
Hardening tools:
Invincible Windows
Harden-It
Secure-It
SafeXP
XPantispy
Security & Privacy Complete
Seconfig XP
Samurai
Windows Worms Doors Cleaner

jmonge
September 3rd, 2009, 04:22 PM
-{ Quote: "It will block everything (not just the unknown) if you don't configure it properly haha. And then there's the issue with pop-ups when you update a trusted program. Lots of switching in and out of training mode (which seems risky to me) if you ask me...either that, or spending lots of time manually configuring or re-configuring it every time you update a trusted program etc. Best to just stick with having a good "security approach" really.

Anti-Executable 2.3 would be a good one though. I am probably going to use this in future to lock my system down when other people start using my computer." }-
dah ;D of course, whitelist the safe applications (your faves) and then anything new that wants to be introduced to your system is blocked ;)

Sully
September 3rd, 2009, 04:22 PM
G1111's list is a good one, but some of those do require you to know exactly what will happen when you engage some of them.

Think about your threats first. If you are primarily worried about browser and email issues, you can:

A) use LUA, where browser/email cannot touch system areas without admins approval -- this is probably the best route

B) use SRP to start browser/email AS user, essentially creating the same thing LUA does but you are still admin. Maybe not as secure because IF anything else happens, you are not as protected because Admin has root.

C) use Sandboxie on browser/email. Purchase it and you can then force the browser/email to open in SBIE every time. Additionally you can state that in this sandbox, ONLY browser/email have access to internet or run at all.

If you perceive other threats, such as games or another computer in the LAN, you will want to probably run as LUA. Employing SRP while in LUA to create a default-deny scenario is very restrictive. If you desire only what you permit to run, then the inclusion of SRP in LUA may well serve your needs.

It may be that you don't desire much configuration or interaction with your security. Again, LUA would probably be best. If you are knowledgeable, wish to learn, or just plain want to know everything that is happening, some sort of HIPS would be your approach. You can definitely lock your system down if you so desire. It all depends on what you think your threats come from and how much energy you wish to devote to the process.

Security itself is only an abstract as you can never achieve absolute. You must decide what you are willing to pay for it. Some pay much in clicking many options from their HIPS and are happy. Others pay little by using imaging. Some pay partially by using LUA with SRP and/or SuRun. It really does take digging a little into the differing philosophies and their ramifications to decide which scheme will best suit you.

For myself, imaging alone would probably be enough. It is easy enough to do. But I feel I am knowledgeable enough to know when I am compromised without relying on too many other tools. But I have paid the price of years of learning. Not everyone wants to go that route. Although around here, I daresay many are happy to pay the price of learning HIPS and Firewalls because it lets them eventually not have to use as much because of the knowledge gained.

Good luck.

Sul.

Scoobs72
September 3rd, 2009, 04:27 PM
Defensewall would be another good option. Set it and forget it and virtually foolproof with very little learning curve. Alternatively, Malware Defender left in learning mode for a few days, then switched to silent mode....but there's a much steeper learning curve...though it is a great HIPS :)

jmonge
September 3rd, 2009, 04:55 PM
-{ Quote: "Defensewall would be another good option. Set it and forget it and virtually foolproof with very little learning curve. Alternatively, Malware Defender left in learning mode for a few days, then switched to silent mode....but there's a much steeper learning curve...though it is a great HIPS :)" }-
agree with you buddy ;)

LoneWolf
September 3rd, 2009, 04:58 PM
-{ Quote: "Defensewall would be another good option. Set it and forget it and virtually foolproof with very little learning curve. Alternatively, Malware Defender left in learning mode for a few days, then switched to silent mode....but there's a much steeper learning curve...though it is a great HIPS :)" }-

-{ Quote: "agree with you buddy;)" }-

Absolutely.

Greg S
September 3rd, 2009, 05:10 PM
-{ Quote: "
B) use SRP to start browser/email AS user, essentially creating the same thing LUA does but you are still admin. Maybe not as secure because IF anything else happens, you are not as protected because Admin has root.

Sul." }-

Hi Sully,
I have SRP's PolicyScope set at (0) running as Admin and really like it this way. I've noticed you mention adding browsers/email to 131072 for restriction. I've added IE and Firefox, checked with Process Explorer to see for sure if it was truly enabled and it was. IE and Firefox both work well being restricted so I guess my question is, how restricted are browsers/email when this is applied?

db9
September 3rd, 2009, 05:31 PM
Sully..

recommended links for LUA or SRP tutorials to understand setting up? using either of these can I just open web & WOW - (just trying to get up and running quickly)
I have thought about imaging but haven't found an open source image app yet or purchased acronis yet
OR

arran
September 3rd, 2009, 05:58 PM
-{ Quote: "It will block everything (not just the unknown) if you don't configure it properly haha. And then there's the issue with pop-ups when you update a trusted program. Lots of switching in and out of training mode (which seems risky to me) if you ask me...either that, or spending lots of time manually configuring or re-configuring it every time you update a trusted program etc. Best to just stick with having a good "security approach" really.
" }-

You don't need to keep switching in and out of training mode. You can lock down apps and deny all unknown executables from running when in training mode by applying this setting.

Quote
"In learning mode if explicit "deny" rule is found, do not create permit rule and do not permit the action"

So you can even stay in training mode forever, and have just as much protection as in normal mode.

-{ Quote: "Hardening tools:
Invincible Windows
Harden-It
Secure-It
SafeXP
XPantispy
Security & Privacy Complete
Seconfig XP
Samurai
Windows Worms Doors Cleaner" }-

+1
But I haven't heard of Invincible Windows; where do I find this app? Had no luck after a quick Google search.

Sully
September 3rd, 2009, 06:14 PM
-{ Quote: "Sully..

recommended links for LUA or SRP tutorials to understand setting up? using either of these can I just open web & WOW - (just trying to get up and running quickly)
I have thought about imaging but haven't found an open source image app yet or purchased acronis yet
OR" }-
http://www.wilderssecurity.com/showthread.php?t=137918
This contains some good threads here by Tlu and Lucy. This should be more than enough to whet your appetite and provide you some answers as to whether this route will provide what you need.

Everyone has their favorite flavor for imaging. Mine is using Macrium Reflect Free. I keep my c: free of any large programs and make the image in about 3-4 minutes. The image compresses the real 8gb down to about 3gb. I have in my c: a boot.ini option so that I can boot bartPE into a ramdisk. This lets me very quickly (about 30 sec) be in a bartPE environment, and within about 5 minutes put my nice clean image back in place. Some like other methods, but this is free and fast and has been working exceedingly well.

Sul.

Sully
September 3rd, 2009, 06:23 PM
-{ Quote: "Hi Sully,
I have SRP's PolicyScope set at (0) running as Admin and really like it this way. I've noticed you mention adding browsers/email to 131072 for restriction. I've added IE and Firefox, checked with Process Explorer to see for sure if it was truly enabled and it was. IE and Firefox both work well being restricted so I guess my question is, how restricted are browsers/email when this is applied?" }-
First thing to understand is what restrictions a user has versus an admin. A user can only read and execute in c:\windows, c:\program files and c:\ . A user may only create/modify/delete in their user profile directory OR any custom made directories such as c:\MyStuff. There are no default permissions in place for other drives, so a user can modify at will anything on other drives.

When SRP takes effect, it basically demotes the process created to a user level of rights instead of admin. So when you start IE as a user with SRP or with DMR, it effectively becomes a user. Anything in turn that IE starts INHERITS the same rights, those of a user. So in effect it is as restricted only as the user.

Note that Tlu gives good guidance in his SuRun thread on how to lock out certain registry areas for the user, esp. autostart areas the user CAN modify. It is helpful, even as admin, to do what he suggests, so that when you start IE as a user, those few other things Tlu mentions are locked down.

It is also of note that there are a few things that can compromise SRP. I cannot remember now, but somewhere in the last week or two someone mentioned using RunAs I believe to somehow negate the current restrictions and elevate to admin rights. There is also some POC things going on with SRP. So it is, like every other security feature in the world, in some way not fool-proof. However, until exploits against SRP/SAFER become more than just something to talk about, I am not going to worry about it and continue to use it.

If you have not tried out my tool PGS yet, I suggest you do so. It makes it much easier to apply your SRP settings. You can find it here www.mrwoojoo.com . You might also check out my tool called SaferZone, which is a DMR variation that I use when I don't want to make an SRP rule but still want to quickly and conveniently start something as a user.

Sul.
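An added illustration, not from Sully's post and not his PGS/SaferZone code, of the SRP decision that Greg S asked about and that this reply describes: a Python model of how DefaultLevel, PolicyScope and path rules under the 131072 (Basic User) level combine, and how a process started that way passes its reduced rights to anything it launches. The level ids and registry layout are the real ones; the matching rule (longest matching path rule wins, ties go to the more restrictive level) and the sample paths are simplifications and assumptions, not Windows code.

```python
"""Toy model of how Windows XP Software Restriction Policies (SAFER) pick the
level for a process started from a given path. Added teaching example: not
Windows code and not Sully's tools. Level ids and registry layout are real;
the matching rule (longest path rule wins, ties to the more restrictive
level) is a simplification."""
import ntpath

# Level ids; a path rule lives at
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}\ItemData
DISALLOWED = 0x00000      # 0
UNTRUSTED = 0x01000       # 4096
CONSTRAINED = 0x10000     # 65536
BASIC_USER = 0x20000      # 131072: the "start as a user" level from the thread
UNRESTRICTED = 0x40000    # 262144


def _norm(path):
    """Case-insensitive NT path with no trailing backslash (root keeps one)."""
    return ntpath.normpath(path).lower()


class SaferPolicy:
    def __init__(self, default_level=UNRESTRICTED, policy_scope=0):
        # CodeIdentifiers\DefaultLevel: level for anything no rule matches
        self.default_level = default_level
        # CodeIdentifiers\PolicyScope: 0 = all users, 1 = all users except local admins
        self.policy_scope = policy_scope
        self.path_rules = []  # (normalised path, level)

    def add_path_rule(self, path, level):
        self.path_rules.append((_norm(path), level))

    def level_for(self, exe_path, caller_is_admin=False):
        """Level SRP assigns when exe_path is launched directly by a user or admin."""
        if self.policy_scope == 1 and caller_is_admin:
            return UNRESTRICTED  # policy skipped for local administrators
        exe = _norm(exe_path)
        best_key, best_level = None, self.default_level
        for rule_path, level in self.path_rules:
            # a rule matches the file itself or anything below a folder
            if exe == rule_path or exe.startswith(rule_path.rstrip("\\") + "\\"):
                key = (len(rule_path), -level)  # longer path first, then lower level
                if best_key is None or key > best_key:
                    best_key, best_level = key, level
        return best_level


def launch(policy, exe_path, parent_level=None, caller_is_admin=False):
    """Effective level of a new process: the policy decision, capped by the
    parent's level, because a Basic User token cannot hand a child more
    rights than it has itself (the inheritance described in the reply)."""
    level = policy.level_for(exe_path, caller_is_admin)
    if parent_level is not None:
        level = min(level, parent_level)
    return level
```

Run the functions with a DefaultLevel of DISALLOWED plus Unrestricted rules for c:\windows and c:\program files to see the default-deny setup the thread mentions; a more specific Disallowed rule below one of those folders still wins.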

G1111
September 3rd, 2009, 10:49 PM
-{ Quote: "
+1
But I haven't heard of Invincible Windows; where do I find this app? Had no luck after a quick Google search." }-

Not an application just some tips. http://invincible-windows.blogspot.com/
These are all listed here (where I copied them from) http://www.wilderssecurity.com/showpost.php?p=1528567&postcount=21

Dregg Heda
September 4th, 2009, 01:32 AM
I'd like to know what are some steps I could take to harden Vista? And G1111, which of those hardening tools applies to Vista as well?

G1111
September 4th, 2009, 01:54 AM
-{ Quote: "I'd like to know what are some steps I could take to harden Vista? And G1111, which of those hardening tools applies to Vista as well?" }-

I am using XP. The ones I was using were Harden-it and Seconfig XP both I believe are for XP only. My guess is that most are XP only.

Dregg Heda
September 4th, 2009, 02:04 AM
Are there any hardening tools for Vista? Does Vista even need to be hardened?

Joeythedude
September 8th, 2009, 11:29 AM
-{ Quote: "basically lock down installations & mods without me reviewing first.. The user needs to be an admin for the game to work so changing the user setting isn't an option." }-

As someone else said, an Anti-Executable app would be ideal for this.
One with a password will prevent installs you don't want.

Meriadoc
September 8th, 2009, 12:11 PM
Definitely LUA and SRP. I feel you should always configure, harden your OS before considering anything else.

I use virtual machines (VMWare) which have snap-shots or can be frozen which are isolated from the host operating system - these are hardened also.

Wildest
September 8th, 2009, 02:51 PM
-{ Quote: "Definitely LUA and SRP. I feel you should always configure, harden your OS before considering anything else.

I use virtual machines (VMWare) which have snap-shots or can be frozen which are isolated from the host operating system - these are hardened also." }-
Thanks, for a while there I was confused reading all these posts recommending the addition of security software, given the thread title.

To my knowledge, hardening means removing vulnerabilities in the system itself, not adding software to improve it.

If I were a kung-fu master and I said I wanted to harden my fist, surely I cannot do this by wearing a glove, as underneath, my fist would still be soft.

jmonge
September 8th, 2009, 03:28 PM
-{ Quote: "Thanks, for a while there I was confused reading all these posts recommending the addition of security software, given the thread title.

To my knowledge, hardening means removing vulnerabilities in the system itself, not adding software to improve it.

If I were a kung-fu master and I said I wanted to harden my fist, surely I cannot do this by wearing a glove, as underneath, my fist would still be soft." }-
But what about if you add broken glasses with glue to your fists ;D
Will this be soft? :):)

Hugger
September 8th, 2009, 07:37 PM
-{ Quote: "Thanks, for a while there I was confused reading all these posts recommending the addition of security software, given the thread title.

To my knowledge, hardening means removing vulnerabilities in the system itself, not adding software to improve it.

If I were a kung-fu master and I said I wanted to harden my fist, surely I cannot do this by wearing a glove, as underneath, my fist would still be soft." }-

Feel free to mention this to a boxer. lol.
Hugger

Gullible Jones
September 8th, 2009, 07:56 PM
Hardening would typically involve turning off unnecessary services and features, and changing insecure defaults. e.g. turning off Autorun, creating the My Computer zone for IE and setting its security level to maximum, disabling network shares if you don't need them... That sort of thing.

There are a bunch of applications that can help with it. IMHO the best (and the ones I use ;) ) are these:

Seconfig XP (http://seconfig.sytes.net/) for closing ports
SafeXP (http://www.theorica.net/safexp.htm) for disabling stuff you don't need
Security & Privacy Complete (http://sourceforge.net/projects/cmia/) for disabling even more stuff you don't need and tweaking Firefox settings

These are *not* HIPS or anti-executable applications, and do not replace such; they just make it harder to exploit common vulnerabilities in Windows.

Joeythedude
September 9th, 2009, 08:53 AM
-{ Quote: "Thanks, for a while there I was confused reading all these posts recommending the addition of security software, given the thread title.

To my knowledge, hardening means removing vulnerabilities in the system itself, not adding software to improve it.

If I were a kung-fu master and I said I wanted to harden my fist, surely I cannot do this by wearing a glove, as underneath, my fist would still be soft." }-

Did you read the OP's post ?

Wildest
September 9th, 2009, 09:19 AM
-{ Quote: "Did you read the OP's post ?" }-
Yes, I did.

Joeythedude
September 9th, 2009, 06:23 PM
-{ Quote: "Yes, I did." }-

right ..

So can you see why people suggested applications ?

Wildest
September 9th, 2009, 07:45 PM
-{ Quote: "right ..

So can you see why people suggested applications ?" }-
No, I cannot.

arran
September 9th, 2009, 08:55 PM
Wildest is right when he says, hardening means removing vulnerabilities in the system itself, not adding software to improve it.

Removing vulnerabilities normally involves making changes in the system registry; this is done with certain tools like G1111 mentioned before, i.e. the same tools in my sig.

Hardening is not done by installing other software apps.

Joeythedude
September 10th, 2009, 10:46 AM
I never said it was.
I said read the OP's post.

db9
September 14th, 2009, 11:49 AM
Thank you.. will harden first by removing vulnerabilities, then look into anti-executable ... but need to educate myself first..

Regards

aegreen
September 14th, 2009, 12:07 PM
Try Geswall free. It now has almost exactly the same functionality as the paid for version. The only thing it lacks is the same alert warnings. It will harden your system immeasurably and you won't even notice it's there except when you download a file and it puts a little symbol on the icon to let you know it's potentially unsafe. A great program and amazing for a free product.

aegreen
September 14th, 2009, 12:29 PM
-{ Quote: "Wildest is right when he says, hardening means removing vulnerabilities in the system itself, not adding software to improve it.

Removing vulnerabilities normally involves making changes in the system registry; this is done with certain tools like G1111 mentioned before, i.e. the same tools in my sig.

Hardening is not done by installing other software apps." }-

While this is technically correct, the level of protection you can gain by "hardening" your system is very low. You could spend weeks "hardening " your system and you still wouldn't have a fraction of the protection you would get by just installing something like Geswall. I can't understand why anyone would bother given that Geswall is free and it's practically invisible to the user. I would just recommend installing Geswall, switch off notifications and forget about it. Your system will be pretty "hardened" by doing this alone.

jmonge
September 14th, 2009, 01:01 PM
-{ Quote: "While this is technically correct, the level of protection you can gain by "hardening" your system is very low. You could spend weeks "hardening " your system and you still wouldn't have a fraction of the protection you would get by just installing something like Geswall. I can't understand why anyone would bother given that Geswall is free and it's practically invisible to the user. I would just recommend installing Geswall, switch off notifications and forget about it. Your system will be pretty "hardened" by doing this alone." }-
cool idea :thumb: sounds great :)

Lucy
September 14th, 2009, 06:12 PM
-{ Quote: "One of my systems got clobbered with MS Anti-virus - etc.. running AVAST & Super Anti Spyware.. my son playing a game (WOW) accepted it and bingo...re-installed XP SP3
" }-
1 - what kind of game has a computer get MS Anti-virus?

-{ Quote: "want to harden to basically lock down installations & mods without me reviewing first" }-
2 - basically you are a parent who doesn't want to do a parent's job, aren't you?

-{ Quote: "The user needs to be an admin for the game to work so changing the user setting isn't an option." }-
Sure there is no workaround? Since when does a parent give more importance to the game than to the security? Strange.

You are the father; you therefore are the admin. Do your job, or stop crying.

Sorry if I am too direct. But this subject is definitely not a technical problem, nor a tool problem.