apathy
August 5th, 2005, 05:16 AM
Hello,
I'm a confessed security addict. It is a good thing in my case since I am a consultant. For about 15 years I've tested out a lot of hardware/software firewalls. My two favorites are Tiny Personal & Outpost. I prefer Tiny a bit more because it allows me to control and secure my machines more. It seems like much for someone who installs it but once you get it configured it runs nicely.
I use Kav Personal, Process Guard, Ewido and Tiny. PG and Tiny kinda overlap a bit. Does anyone have anything written on making Tiny more secure? I might have missed something =).
Ciao
Infinity
August 5th, 2005, 05:35 AM
I've been a dedicated user of Tiny for over a year now .. the latest build 2005 is the best ever in my view .. stable and like you said one of the best firewalls available...
indeed pg and tiny do overlap but you can configure it...I didn't I just leave it like that together with Regdefend...
put your network card in dangerous zone for starters .... (network options) and the rest you can read here:
http://www.tinysoftware.com/forum/showthread.php?threadid=2288
Excellent posts with very experienced/helpful people ;)
hope you can do something with it
Infinity
August 5th, 2005, 05:54 AM
I see now you need to be registered...this is quoted from Wterrel
-{ Quote: "A. Segregate your apps
1. Download Process Explorer from SysInternals. www.sysinternals.com
Use this software to identify your System apps and your normal apps.
2. Turn off Windows Security.
3. Using Process Explorer identify all of your Microsoft system apps and put them into the Services group. My philosophy is that if I am going to use Windows OS, I am going to trust my OS. So create a normal Application group and name it appropriately (i.e. Windows OS). Put the remainder of all Microsoft apps into this group.
4. Create Dangerous group and enroll cscript.exe, wscript.exe, wordpad.exe, notepad.exe, dllhost.exe, etc. Enroll into this group any Windows apps that may be used maliciously by Trojans and viruses.
5. Create Browser group and enroll into this group Internet Explorer and all other browsers.
6. Create Email group and enroll your clients into this group. Include OE, Outlook, spam filtering software, anti-virus software, etc.
7. Create Office group and enroll Microsoft Office apps into this group.
8. Create TrustedServices group and enroll the system apps of your software. Use Process Explorer to determine these system apps.
(This will take many hours to properly segregate your apps.)
B. Tighten Spawning
1. Allow complete spawning in Low Priority by your Windows OS group to all apps.
2. Allow complete spawning in Low Priority by your Services group to all apps
3. Allow spawning and ALERT in Low Priority by Trusted to your Windows OS group and create spawning rules for OS boot based upon the alerts. After successful boot without any alerts change rule to Ask User to spawn by Trusted to your Windows OS group and Monitor.
4. Allow spawning and ALERT in Low Priority by TrustedServices to your Windows OS group and create spawning rules for OS boot based upon the alerts. After successful boot without any alerts change rule to Ask User to spawn by TrustedServices to your Windows OS group and Monitor.
5. Allow spawning and ALERT in Low Priority by Trusted to your Services group and create spawning rules for OS boot based upon the alerts. After successful boot without any alerts change rule to Ask User to spawn by Trusted to your Services group and Monitor.
6. Allow spawning and ALERT in Low Priority by TrustedServices to your Services group and create spawning rules for OS boot based upon the alerts. After successful boot without any alerts change rule to Ask User to spawn by TrustedServices to your Services group and Monitor.
7. Allow spawning and ALERT in Low Priority by Services to your Services group and create spawning rules for OS boot based upon the alerts. After successful boot without any alerts change rule to Ask User to spawn by Services to your Services group and Monitor.
8. Allow spawning and ALERT in Low Priority by TrustedServices to your TrustedServices group and create spawning rules for OS boot based upon the alerts. After successful boot without any alerts change rule to Ask User to spawn by Services to your Services group and Monitor.
9. Deny spawning by * to Windows OS. Deny spawning by * to Services. Deny spawning by * to Trusted. Deny spawning by * to TrustedServices. Deny spawning by * to *.
10. Ask User to spawn Dangerous group by *.
11. Ask User to spawn Browser group by *.
12. Ask User to spawn Email group by *.
13. Ask User to spawn Office group by *
14. Go to Active Guards and make rule for each group and only tick the Application Spawning box for each group.
15. Go to Setting/Options and set the life of Alerts to 900 seconds and Set.
16. Turn On Windows Security. Reboot repeatedly and make rules as per alerts that you get.
(Assign Preferred status to appropriate rules to make them effective against lower priority rules so that you do not get prompts for rules that have already been created.)
Until you have your spawning rules created satisfactorily, create rules in every section of Windows Security that allows everything to Windows OS group, Services, Trusted, TrustedServices, etc.
The philosophy of all other sections is that you trust your OS and will allow free rein to those apps. You will deny any access to your files, registry, services, etc. by all apps that are not enrolled into a group.
To this point, here is what we have done:
1. Put all of our apps into appropriate groups.
2. Created rules in Active Guards for all groups and * and have only Application Spawning ticked.
3. Created rules in Application Start which will produce alerts for the apps spawning on system reboot.
4. Rebooted repeatedly and created rules for spawning based upon alerts received.
5. Changed rules to Ask User after reboot was successful with rules created by alerts.
Following C4m's advice you put all IDS/IPS to prevent and only allow what is necessary to surf the web successfully. This will take very many hours to accomplish.
File Protection
Turn off Windows Security
1. In Low Priority allow all to your Windows OS group.
2. Allow all to Services
3. Create a rule for each of the following Predefined Objects to allow and ALERT for Trusted group: ActiveX Cache, All Execs in Program Files, Fixed Drives, Operating System AutoStart, Personal Contacts, Startup Folder, System Config, Temporary Folders, Access to Cookies, and Windows Directory. After rule making from alerts at reboot you will change the rule to Ask User and Monitor.
4. Create rule for * to allow and ignore by Trusted group.
5. Create a rule for each of the following Predefined Objects to allow and ALERT for TrustedServices group: ActiveX Cache, All Execs in Program Files, Fixed Drives, Operating System AutoStart, Personal Contacts, Startup Folder, System Config, Temporary Folders, Access to Cookies, and Windows Directory. After rule making from alerts at reboot you will change the rule to Ask User and Monitor.
6. Create rule for * to allow and ignore by TrustedServices group.
7. Create a rule for each of the following Predefined Objects to allow and ALERT for Dangerous group: ActiveX Cache, All Execs in Program Files, Fixed Drives, Operating System AutoStart, Personal Contacts, Startup Folder, System Config, Temporary Folders, Access to Cookies, and Windows Directory. After rule making from alerts at reboot you will change the rule to Ask User and Monitor.
8. Create rule for * to allow and ignore by Dangerous group.
9. Create a rule for each of the following Predefined Objects to allow and ALERT for Email group: ActiveX Cache, All Execs in Program Files, Fixed Drives, Operating System AutoStart, Startup Folder, System Config, Temporary Folders, Access to Cookies, and Windows Directory. After rule making from alerts at reboot you will change the rule to Ask User and Monitor. Allow all to Email group for Personal Contacts object.
10. Create rule for * to allow and ignore by Email group.
11. Create a rule for each of the following Predefined Objects to Allow and ALERT for * group: ActiveX Cache, All Execs in Program Files, Fixed Drives, Operating System AutoStart, Personal Contacts, Startup Folder, System Config, Temporary Folders, Access to Cookies, and Windows Directory. After rule making from alerts at reboot you will change the rule to Ask User or Prevent and Monitor.
12. Create rule for * to Prevent and Monitor by * group.
13. Create a rule for Access to Cookies to Ask User and Monitor to Create & Write for Browser Group. Allow Read and Delete.
14. Create a rule for Personal Contacts to Prevent and Monitor for Browser group.
15. Create a rule for each of the following Predefined Objects to Prevent and Monitor for Browser group: Fixed Drives, Operating System AutoStart, Temporary Folders, and Windows Directory.
Now go to Active Guards and tick FILE for each group rule.
Turn On Windows Security.
Reboot repeatedly and make rules in High Priority using the Alerts as fodder for your rules until you no longer get alerts.
Change above rules to Ask User or Prevent as needed.
Repeat the above procedure for Alerts and rule making for Registry section.
I have taken for granted that it is understood to make all of the rules in Low Priority for Spawning, File Protection, and Registry to be $+ to snag all of the rule making for System and Non-System apps. If this was not commonly understood, I apologize and suggest that you modify all of the rules in Low Priority in these sections, set them up again for Alert notification and reboot.
I have glossed over the rule-making for the Registry section because it is done in exactly the same manner as that for the File Protection section. And do not forget to tick the Registry column in the Active Guards section of the UI.
Do not forget to create an Alert rule for * for $+ apps.
As a note to be considered: all of the Spawning shall have been in the Child's own security. After your TPF is set up you can go back to the Spawning section and modify your rules to establish spawning in parent's security as you see necessary. The reason for the spawning in Child's security is to assure that the child apps become enrolled into your individual app groups. If the app is spawned in Parent's security the child app will run under the * group recognition.
Summary to this point, here is what we have done:
1. Put all of our apps into appropriate groups.
2. Created rules in Active Guards for all groups and * and have only Application Spawning ticked.
3. Created rules in Application Start which will produce alerts for the apps spawning on system reboot.
4. Rebooted repeatedly and created rules for spawning based upon alerts received.
5. Created rules in File Protection which will produce alerts for Predefined Objects on system reboot.
6. Ticked the File column in the Active Guards section of the UI
7. Rebooted repeatedly and created rules for File Protection based upon alerts.
8. Created rules in Registry section which will produce alerts for Predefined Objects on system reboot.
9. Ticked the Registry column in the Active Guards section of the UI
10. Rebooted repeatedly and created rules for Registry section based upon alerts.
SERVICES
The following suggestions are constructed to provide rules for access to Services at reboot.
Turn Off Windows Security
Reset all of the Low Priority rules in Spawning, File Protection, and Registry back to the IGNORE and ALERT type of monitoring!
1. In Low Priority create a rule for Windows OS group. The service that you want to create rules for is *. So under the Service column select *. For this rule allow all access to every column. In the Query and Open columns select ALLOW and IGNORE type of monitoring. In the Start, Stop, Delete, Install, Control columns select ALLOW and ALERT type of monitoring.
2. In Low Priority create a rule for Services group. The service that you want to create rules for is *. So under the Service column select *. For this rule allow all access to every column. In the Query and Open columns select ALLOW and IGNORE type of monitoring. In the Start, Stop, Delete, Install, Control columns select ALLOW and ALERT type of monitoring.
3. In Low Priority create a rule for Trusted group. The service that you want to create rules for is *. So under the Service column select *. For this rule allow all access to every column. In the Query, Open, Start, Stop, Delete, Install, Control columns select ALLOW and ALERT type of monitoring.
4. In Low Priority create a rule for TrustedServices group. The service that you want to create rules for is *. So under the Service column select *. For this rule allow all access to every column. In the Query, Open, Start, Stop, Delete, Install, Control columns select ALLOW and ALERT type of monitoring.
5. In Low Priority create a rule for Dangerous group. The service that you want to create rules for is *. So under the Service column select *. For this rule allow all access to every column. In the Query, Open, Start, Stop, Delete, Install, Control columns select ALLOW and ALERT type of monitoring.
6. In Low Priority create a rule for Browser group. The service that you want to create rules for is *. So under the Service column select *. For this rule allow all access to every column. In the Query, Open, Start, Stop, Delete, Install, Control columns select ALLOW and ALERT type of monitoring.
7. In Low Priority create a rule for Email group. The service that you want to create rules for is *. So under the Service column select *. For this rule allow all access to every column. In the Query, Open, Start, Stop, Delete, Install, Control columns select ALLOW and ALERT type of monitoring.
8. In Low Priority create a rule for Office group. The service that you want to create rules for is *. So under the Service column select *. For this rule allow all access to every column. In the Query, Open, Start, Stop, Delete, Install, Control columns select ALLOW and ALERT type of monitoring.
9. In Low Priority create a rule for * group. The service that you want to create rules for is *. So under the Service column select *. For this rule allow all access to every column. In the Query, Open, Start, Stop, Delete, Install, Control columns select ALLOW and ALERT type of monitoring.
Now go to Active Guards and tick Services Control for each group rule.
Turn On Windows Security.
Reboot repeatedly and make rules in High Priority using the Alerts as fodder for your rules until you no longer get alerts.
NOTE: If you have anti-virus or anti-spam software that ceases to load or monitor or operate correctly, create rules in High Priority for EVERY .exe of that software in File Protection, Registry, Services and allow everything for these .exe's. After your UI is configured, you can go back and modify these rules gradually to maintain protection of your OS.
If you have followed this method of creating rules to nail down your rules for your UI, you now have many hours (20-30?) invested in rules creation.
System Privileges
The following suggestions are constructed to provide rules for access to System Privileges at reboot.
Turn Off Windows Security
Reset all of the Low Priority rules in Spawning, File Protection, Registry, and Services back to the IGNORE and ALERT type of monitoring!
1. In Low Priority create a rule for each of your groups including the *. For these rules allow all access to every column. Select ALLOW and ALERT type of monitoring.
Now go to Active Guards and tick System Privileges for each group rule.
Turn On Windows Security.
Reboot repeatedly and make rules in High Priority using the Alerts as fodder for your rules until you no longer get alerts." }-
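The learn-then-lock loop that the quoted guide repeats for every section (allow and alert, reboot, turn alerts into specific rules, then switch the defaults to Ask User or deny), modelled for the Spawning section as an added Python example that is not part of the quoted post and is not Tiny Firewall's rule format. The executable names, the alert records, the "seen on every learning reboot" promotion test and the precedence order in `decide` are assumptions of this sketch.

```python
# Added illustration, not Tiny Firewall's rule format or engine.
ASK_GROUPS = {"Dangerous", "Browser", "Email", "Office"}  # guide steps B10-B13
FREE_PARENTS = {"Windows OS", "Services"}                 # guide steps B1-B2

# Constructed enrollment table (section A); anything not listed is "*".
ENROLLED = {
    "services.exe": "Services", "svchost.exe": "Services",
    "explorer.exe": "Windows OS", "cscript.exe": "Dangerous",
    "wscript.exe": "Dangerous", "iexplore.exe": "Browser",
    "outlook.exe": "Email", "winword.exe": "Office",
    "avsvc.exe": "TrustedServices",   # hypothetical anti-virus service
}

def group_of(exe):
    """Unenrolled executables fall into the catch-all '*' group."""
    return ENROLLED.get(exe.lower(), "*")

def learn(alerts, boots):
    """Learning phase: promote a (parent, child) pair to a specific allow
    rule only if it alerted on every learning reboot (assumed policy);
    one-off events are left for the later Ask User prompts."""
    seen = {}
    for boot, parent, child in alerts:
        seen.setdefault((parent.lower(), child.lower()), set()).add(boot)
    return {pair for pair, b in seen.items() if len(b) == boots}

def decide(rules, parent, child):
    """Locked phase: specific rules first, then group defaults (assumed order)."""
    if (parent.lower(), child.lower()) in rules:
        return "allow"   # rule made from boot alerts
    if group_of(child) in ASK_GROUPS:
        return "ask"     # Ask User to spawn <group> by *
    if group_of(parent) in FREE_PARENTS:
        return "allow"   # OS and Services groups may spawn freely
    return "deny"        # Deny spawning by * to *

# Constructed alerts from two learning reboots: (boot, parent exe, child exe)
ALERTS = [
    (1, "avsvc.exe", "avupd.exe"), (2, "avsvc.exe", "avupd.exe"),
    (1, "avsvc.exe", "svchost.exe"), (2, "avsvc.exe", "svchost.exe"),
    (2, "setup123.exe", "cscript.exe"),   # seen once only, not promoted
]
RULES = learn(ALERTS, boots=2)
```

Anything that ran during the learning reboots becomes a candidate allow rule, so the alert list deserves a read before promotion rather than a blanket accept.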
Edwin024
August 5th, 2005, 06:48 AM
I wonder: is Tiny out of the box secure enough too? That's the way that I have it in any case, at the moment...
Infinity
August 5th, 2005, 07:04 AM
Put your nic card in dangerous zone otherwise it would be surfing like it was safe ;)
drag and drop it...simple
mlr1m
August 5th, 2005, 09:14 AM
Out of the box, Tiny has enrolled some apps that access the internet into the trusted group.
That is not a good idea. I enroll all internet apps into a special group, then I can control access to the internet and files, etc. separately.
Michael
mlr1m
August 5th, 2005, 09:21 AM
Oops, I also forgot, you need to watch the Tiny forums.
In between builds they sometimes post new files in the forum, if you don't catch them there you won't know about them. There was a new kmx file posted last week I believe for 6.5.110.
Michael
joter
August 5th, 2005, 12:15 PM
I think this series of Tiny Firewall 2005 is very good for starters too.
Strong out of the box protection, it just needs study for the most.
And don't forget.
It is the only strong and reliable protection for gateway servers in the Windows market.