What is your security setup these days?

Reverted to Platinum status :

My security setup
Win 7 x64 Ultimate Desktop:

1. Using LUA account as default
2. UAC at highest level
3. AppLocker with all rules, including DLL, enforced
4. Windows Firewall with advanced security, inbound and outbound blocked by default, restricting web-facing applications to specific remote ports and in some cases to remote ip addresses.
5. EMET, with mainly web-facing and MS Office apps configured
6. MBAM on-demand free (used sparingly)
7. Routine images of system using ShadowProtect RE disk, saving the images to two separate physical locations.
8. All sensitive data kept on a TrueCrypt volume on h/drive and USB pendrive, and also a bitlocker encrypted volume.
9. 09/01/2011: Added Sandboxie Paid:

• Set up for web browsers Chrome & IE9 with forced folders full qualifying path to iexplore.exe & chrome.exe
• Restricted Internet access
• Restricted Start/Run access

I've decided I really don't need Sandboxie after all. Nothing against it; it's just that it's additional 3rd party overhead I can do without. Even tzuk has said the more 3rd party apps added increases the attack surface (or something to that effect).

the following services are disabled:

• Secure Socket Tunneling service
• IP Helper
• Remote Access Connection Manager
• SSDP Discovery service
• TCP/IP NetBIOS Helper
• Workstation
• Function Discovery Resource Publication
• WinHTTP Web Proxy Auto-Discovery service

• SuRun, v1.2.1 B9 – used only for convenience to easily launch some programs and Windows functionality with administrative priviledges.

Note the use of free MBAM for on-demand only. I despise realtime antivirus programs. They are, for the most part, an antiquated, resource-sucking leech on the system.

[Hungry Man]

Literally any application on your computer increases the attack surface (which is why I don't like EMET and have constantly said it should be built into the OS.)

Sandboxie was the best part of your setup. Looking at your setup I see a lot of system hardening (which is wonderful) and default-deny.

The problem with default-deny is that every decision goes through you first. Do you honestly trust yourself to always make the right decisions?

The nice thing about sandboxie is that you don't HAVE to make the right decisions, you can run malware if you like just make sure it's sandboxed, and then it doesn't matter if you default deny or default allow.

[m00nbl00d]

Quote:

Originally Posted by wat0114

[...]
I've decided I really don't need Sandboxie after all. Nothing against it; it's just that it's additional 3rd party overhead I can do without. Even tzuk has said the more 3rd party apps added increases the attack surface (or something to that effect).[...]

Damn... Short life...

[Konata Izumi]

Quote:

Originally Posted by Kees1958

lua plus geswall or spyshelter plus sandboxie would satisfy my surfing habits. What dark cornes of the web are you frequenting to double stack a system wide plus threatgate protection?

lol. I don't worry too much about what comes in to my PC, I worry what goes out from my PC these days.



EDIT: Oh wow I just had a BSOD with my current setup... happened during ccleaner cleanup...
BSOD only happening when I have other realtime app running with geswall (like spyshelter/pandacloud/rapport)

probably harddrive cant handle the I/O.. my harddrive is dying

[justenough]

Sandboxie Experimental

MBAM real-time

Mamutu Paranoid

[Hungry Man]

I've had paranoid on for so long. I almost never get Mamutu popups. I guess I just haven't introduced anything to my system in a long time.

Quote:

Originally Posted by m00nbl00d

Damn... Short life...

Yep, I came to my senses

Quote:

Originally Posted by Hungry Man

Literally any application on your computer increases the attack surface (which is why I don't like EMET and have constantly said it should be built into the OS.)

You don't have to worry about EMET. It's an MS product so it no doubt co-exists splendidly with Windows.

Quote:

Sandboxie was the best part of your setup. Looking at your setup I see a lot of system hardening (which is wonderful) and default-deny.

Again, nothing against SB or tzuk (a genius, really) but it's still 3rd party software so problems with O/S conflicts are inevitable. If you don't believe me, just check out the SB forum and behold the trouble reports (where have I said this befiore? ). I had a few issues myself, not really worth mentioning here, but they were real issues.

Quote:

The problem with default-deny is that every decision goes through you first.

How often do you think I need to make decisions in my day-to-day home computing? I can tell you it's not very often, but for the few I do need to make, it does me no harm, and probably helps stimulate my ageing and weary brain, at least somewhat Also, how would it be any different using Sandboxie? One still needs to decide whether or not allow something out of the sanbox on to the real environment.

Quote:

Do you honestly trust yourself to always make the right decisions?

Close to 100%, which is close enough to rationalize the use of the security I've decided upon. If I do go wrong I've got enough moxie to detect it right away and apply my trusty fail safe image/restore plan. It's a peice of cake, really

Quote:

The nice thing about sandboxie is that you don't HAVE to make the right decisions, you can run malware if you like just make sure it's sandboxed, and then it doesn't matter if you default deny or default allow.

I don't have to worry about that with my current setup, either. Malware will be blocked if I do try to run it, and then again I tend not to get in to situations where I have to make these type of decisions. If i somehow navigate to a site that requires a "codec" or "plugin" to view a video (not pr0n of course ), I navigate away from it. Again, rather easy.

[Hungry Man]

No matter who EMET is developed by it still increases attack surface just by being installed to userspace. Not only that but I am against any security being handled outside of kernelspace.

My issue with 3rd party security is not that it can cause incompatibilities but because that's just poor security.

Quote:

How often do you think I need to make decisions in my day-to-day home computing? I can tell you it's not very often, but for the few I do need to make, it does me no harm, and probably helps stimulate my ageing and weary brain, at least somewhat Also, how would it be any different using Sandboxie? One still needs to decide whether or not allow something out of the sanbox on to the real environment.

You probably only make decisions very rarely. But it's not about how often. IT's about the decision. If malware finds its way onto your computer and you think it's a legitimate application you'll let it run.

How does sandboxie mitigate this? It lets you run it in a sandbox and stops it from touching the system.

Quote:

Close to 100%, which is close enough to rationalize the use of the security I've decided upon. If I do go wrong I've got enough moxie to detect it right away and apply my trusty fail safe image/restore plan. It's a peice of cake, really

Yes, a backup is nice I guess. Still I am always going to advocate prevention over cleanup.

Quote:

I don't have to worry about that with my current setup, either. Malware will be blocked if I do try to run it, and then again I tend not to get in to situations where I have to make these type of decisions. If i somehow navigate to a site that requires a "codec" or "plugin" to view a video (not pr0n of course ), I navigate away from it. Again, rather easy.

Yes, it will be blocked... until you allow it.

I'm not trying to knock the security but I think that security should never be handled by the user. One time you might download a crack for software (just an example, I'm not saying you do, there are other methods of socially engineered malware =p) or some pr00n or whatever and it'll ask to run and, naturally, you will allow it.

And there's the layer of defense. All of that default deny stuff gets bypassed immediately.

Quote:

Originally Posted by Hungry Man

One time you might download a crack for software (just an example, I'm not saying you do, there are other methods of socially engineered malware =p) or some pr00n or whatever and it'll ask to run and, naturally, you will allow it.

If I download something I can't be sure about, even after the on-demand av clears it as legit, I can test in the vm. If it runs fine or not at all (suspected vm-aware) then it's ditched. This never seems to happen to me, probably because I tend to download from known, legit sources.

Quote:

And there's the layer of defense. All of that default deny stuff gets bypassed immediately.

Default-deny employing already built-in mechanisms no less (AppLocker), performs its intended duties with almost self-effacing perfection. My decision-making process comes in to play when necessary, but I can do so with utmost confidence that it will be done so responsibly and without detrimental consequence.

I can't understand your stance users making decisions for themselves, nor your objections to the employment of common sense.

[justenough]

Quote:

Originally Posted by Hungry Man

I've had paranoid on for so long. I almost never get Mamutu popups. I guess I just haven't introduced anything to my system in a long time.

Hardly any pop-ups for me either.

[m00nbl00d]

Quote:

Originally Posted by Hungry Man

My issue with 3rd party security is not that it can cause incompatibilities but because that's just poor security.

You scare the hell out of me!!

What would you think of anyone else if they said that, and then they post a security setup where they have third-party security, while having Windows 7 Ultimate?

You could ditch Comodo Firewall and Defense+. According to you it's poor security, isn't it? The same for Mamutu.

Why don't you deploy AppLocker? It operates at kernel level. Why not Windows Firewall with Advanced Security?

You seem to say one thing, but do the opposite. I don't know... it's just that you seem to have a lot against third-party security software, yet you use them. And, the irony is that you actually have a Windows 7 version that allows you to deploy AppLocker.

[Osaban]

Vista32 SP2 (UAC on, Firewall on, WD off)

Real Time:
Look'n'Stop (Application Filtering enabled only)
Sandboxie (Restrictions /Internet/Start/Run access/Drop Rights)

On Demand Scanners:
Avira Premium
MBAM Pro
HitmanPro

Virtualizers and Backup
ShadowDefender V 325
ShadowProtect Desktop (Cold Images, 3 USB Hard Drives)

Browser: Chrome + Ad Muncher

[Hungry Man]

Quote:

Originally Posted by m00nbl00d

You scare the hell out of me!!

What would you think of anyone else if they said that, and then they post a security setup where they have third-party security, while having Windows 7 Ultimate?

You could ditch Comodo Firewall and Defense+. According to you it's poor security, isn't it? The same for Mamutu.

Why don't you deploy AppLocker? It operates at kernel level. Why not Windows Firewall with Advanced Security?

You seem to say one thing, but do the opposite. I don't know... it's just that you seem to have a lot against third-party security software, yet you use them. And, the irony is that you actually have a Windows 7 version that allows you to deploy AppLocker.

I don't see your point. Yes, I believe all security should be built into the kernel. Yes, 3rd party applications DO increase the attack surface. These ideas are fairly accepted by everyone I've talked to in the industry.

Does that mean I'm going to rely on Windows? No. That would be silly at this point in time. However, if Windows and Comodo both had literally the same software but Windows had it built into the kernel I'd use Windows' built in security.

Security should only ever be handled the operating system, it just happens to be that modern operating systems don't have enough security and I am forced to look elsewhere.

Quote:

Originally Posted by wat0114

If I download something I can't be sure about, even after the on-demand av clears it as legit, I can test in the vm. If it runs fine or not at all (suspected vm-aware) then it's ditched. This never seems to happen to me, probably because I tend to download from known, legit sources.



Default-deny employing already built-in mechanisms no less (AppLocker), performs its intended duties with almost self-effacing perfection. My decision-making process comes in to play when necessary, but I can do so with utmost confidence that it will be done so responsibly and without detrimental consequence.

I can't understand your stance users making decisions for themselves, nor your objections to the employment of common sense.

I'm not saying you should switch your setup. It works for you.

But I don't think that common sense should ever come into play when it comes to security; furthermore the User themselves should never come into play when it comes to security.

TLR : The best way to secure a computer is to have the security built in at the lowest possible point, the lower it's built the harder it is to circumvent. If something goes wrong the system crashes rather than allowing a successful attack.

[Hungry Man]

Furthermore: I don't like any of the security software on my computer. I mean... I feel it protects me, but I don't think it's the best way to be protected.

1) It DOES add to the attack surface. Literally anything that executes code adds to your attack surface.

2) It's all closed source. I really don't care about licensing or "free and open" whatever, the fact is that being open has security benefits.

But I use it anyway because the alternatives are the (in my opinion) not so great security implementations of Windows 7, which are far too limiting.

[SweX]

Quote:

Originally Posted by Hungry Man

Furthermore: I don't like any of the security software on my computer. I mean... I feel it protects me, but I don't think it's the best way to be protected.

So why don't you use what you think is the best ?

[1chaoticadult]

Quote:

Originally Posted by SweX

So why don't you use what you think is the best ?

Maybe he is still searching for the best

[m00nbl00d]

Quote:

Originally Posted by Hungry Man

I don't see your point.[...]

The point is: You consider third-party security software to be poor security. If they are poor security, then why have something that provides poor security, in the first place?

Quote:

Security should only ever be handled the operating system, it just happens to be that modern operating systems don't have enough security and I am forced to look elsewhere.

Wouldn't you say that AppLocker and Windows Firewall with Advanced Security provide strong security, considering that they belong to Windows, in opposition to a third-party application/third-party applications?

Don't take me wrong, but what I don't understand is why you say what you say about third-party security software, regardless of These ideas are fairly accepted by everyone I've talked to in the industry., and yet you don't use AppLocker. AppLocker operates at kernel level.

So, you already got something provided by the operating system. You complain about third-party security software, which are poor security, yet you use them, and ditch AppLocker.

Question: So, why do you say one thing and act differently?

Using your own thoughts, if you were to use AppLocker, you'd have built-in security, operating at kernel level, without increasing the attack surface. Yet, there you go using third-party security software.

-edit-

AppLocker by no means is a lousy implementation. It simply cannot defeat user stupidity... but what can? lol

[Hungry Man]

Quote:

The point is: You consider third-party security software to be poor security. If they are poor security, they why have something that provides poor security, in the first place?

Better than none. Windows has no methods for doing what I want to do.

Quote:

Wouldn't you say that AppLocker and Windows Firewall with Advanced Security provide strong security, considering that they belong to Windows, in opposition to a third-party application/third-party applications?

No. Applocker may be built into windows but that doesn't mean it's better. It just means it's designed better. (EDIT: This isn't very clear. I don't mean that it's somehow programmed better - just that it fits into the overall scheme better.)

Security should be built into the OS. The fact that it isn't means I have to look elsewhere. Applocker is, unfortunately, not a replacement for other security methods that are not in the OS.

"Security" is not a thing. Applocker may be an application aimed at securing the OS but that does not make it the same as Comodo or Mamutu just beacuse their end-goals are the same. If Windows had a "Security" application that spat out the DVD drive every 5 minutes it wouldn't be better for being kernel level.

My point is that the security just isn't there; it should be but it isn't.

[m00nbl00d]

Quote:

Originally Posted by Hungry Man

Applocker may be an application aimed at securing the OS but that does not make it the same as Comodo or Mamutu just beacuse their end-goals are the same.

I totally agree on that one!

Having been an old COMODO user, I for sure can say with 100% certainty that Defense+ and AppLocker are totally different.

But, I can tell you I can achieve, and do achieve, a way better and silent security, without increasing my attack surface, using built-in stuff. It goes from AppLocker to integrity levels, messing with the registry... You just need to find your way. Could it be better? Yes, it could. Is that bad? No, it isn't. Even if you got no AppLocker, user Kees1958 posted some excellent threads about the Safe-admin concept/project, using built-in stuff. Very rock solid, without increasing the attack surface.

One has to use what one considers to be the "best", I suppose.

[Hungry Man]

Ugh I typed up a response and hit "back" by accident.

Anyways, I'll cut out the fluff. I don't know your security setup so I really have no idea if what you're saying is true.

Kees1958 has the right idea. I am not saying "Stop using 3rd party software" at all. I'm just saying that security should, in an idea world, only come from the kernel level and only run in kernel space.

[m00nbl00d]

Quote:

Originally Posted by Hungry Man

Ugh I typed up a response and hit "back" by accident.

Anyways, I'll cut out the fluff. I don't know your security setup so I really have no idea if what you're saying is true.

Quote:

Kees1958 has the right idea. I am not saying "Stop using 3rd party software" at all. I'm just saying that security should, in an idea world, only come from the kernel level and only run in kernel space.

The thing is, I agree with you. Security should be built-in. Microsoft has done a lot of progress, from sandboxing Internet Explorer (others can take advantage of the same security measures, of course), providing isolation to a certain degree, AppLocker, etc.

What surprises me is that you DO have AppLocker at your disposal, yet you don't consider of even using it... considering that you consider third-party security software poor security.

I just find it odd, that's all.

If I had your thought, and I do have it, I'd rather use AppLocker, and I do use it... It does its work, silently. I can check the logs whenever I want. It operates at kernel level. It won't increase the attack surface. And, it actually works great.

[Hungry Man]

Quote:

Microsoft has done a lot of progress, from sandboxing Internet Explorer (others can take advantage of the same security measures, of course), providing isolation to a certain degree, AppLocker, etc.

I agree.

Quote:

What surprises me is that you DO have AppLocker at your disposal, yet you don't consider of even using it... considering that you consider third-party security software poor security.

Applocker provides nothing that I need - a poor security measure is not made better by being implemented in the kernel. If windows somehow had an AV built into the kernel I wouldn't choose to use that because AV's are a poor security method (in my opinion.)

From what I understand of AppLocker it's basically a default deny that lets you either block a program or run it. How is that helpful? If I put a program on my system I want it to run and if I'm suspicious about it I learn nothing by blocking it.

Perhaps there's more to applocker than what I know? Is it more fine tuned than simply blocking or allowing things?

[1chaoticadult]

Quote:

Originally Posted by Hungry Man

I agree.


Applocker provides nothing that I need - a poor security measure is not made better by being implemented in the kernel. If windows somehow had an AV built into the kernel I wouldn't choose to use that because AV's are a poor security method (in my opinion.)

From what I understand of AppLocker it's basically a default deny that lets you either block a program or run it. How is that helpful? If I put a program on my system I want it to run and if I'm suspicious about it I learn nothing by blocking it.

Perhaps there's more to applocker than what I know? Is it more fine tuned than simply blocking or allowing things?

Well I know when I was using applocker I auto-generated rules for directories I wanted which added them to rule lists. Once that happen, I enforced those rules. Anything not allowed in those rules, are not allowed to run. I hope I explained that right

[Hungry Man]

And if you add something to your system, what do you do?

You either allow it to run or you block it. No middle ground. Not very strong in my opinion.

[1chaoticadult]

Quote:

Originally Posted by Hungry Man

And if you add something to your system, what do you do?

You either allow it to run or you block it. No middle ground. Not very strong in my opinion.

When you say adding something, do you mean for example you want to try new software? The way I used it is just one example. I just did this one because it seemed the easier way to try applocker at the time You can create broader rules than what I did. I'm no expert at applocker so maybe someone else can explain it better Whatever knowledge I have about applocker, I gained by looking thru the applocker thread To me an applocker setup is good only if you don't make frequent changes to your system otherwise it can be a pain IMO.