A challenge: Secure a PC without any external application

Discussion in 'other anti-malware software' started by JayK, Jan 8, 2003.

Thread Status:
Not open for further replies.
  1. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Okay, so I know you guys run a shipload of programs to guard your computer, but how would you secure a computer if you were not allowed to use any external third-party program, only what comes with a standard install of, say, Windows ME/XP/2000, whatever? The computer will be a stand-alone machine connected directly to the Net 24/7 on a broadband connection.

    Yes, this means no antivirus, no firewalls, not even if it's a freeware product.

    Allowed

    Setting up hosts files
    Using IE-SPYAD to put restricted sites into the Restricted zone
    Using the cookie management function integrated into the browser
    Running patches
    Disabling services


    Not allowed
    Installing firewall
    Paying for antivirus filtering in email.
    Using Mozilla

    I've been working under such constraints (long story) and I've found you can do a lot, surprisingly... and still keep functionality.

    Anyone up to the challenge?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    In my opinion, a great deal of security can be achieved just from tightening up the OS itself and setting proper security levels. Of course, Windows security starts by getting all proper service packs and patches.

    If you are talking W2K/XP, on the configuration you mentioned, then the next thing you do is shutdown all unnecessary Services, which in turn closes a lot of the default listening ports. This is a big step forward, too. On my XP system, on a clean boot up, it listens only on 135/TCP, and two local loopbacks on 1025, 1026/TCP. All the rest are closed and therefore, their corresponding applications are no longer exposed to possible exploit from the network.

    Then there is a host of necessary tweaks and settings, whether the obvious, like setting OE to run in the restricted zone, or the more obscure, like disabling media player scripting (just an example, and maybe not even a current one if one of the latest MS patches fixed all that). You get the idea.

    Next, secure IE. Use all the zones and make the default Internet Zone very tight. Force the use of the Trusted Zone for any and all sites requiring things like active scripting or ActiveX.

    See a recent post of mine on IE here:
    http://www.wilderssecurity.com/showthread.php?t=5892;start=2

    IE's privacy tab for cookie control has been discussed a few times recently; it can be set very tightly, as noted in this thread:
    http://www.wilderssecurity.com/showthread.php?t=5326;start=23

    Personally, I'd take these steps on any PC I'd be configuring, even if the very next thing I'd do would be to install an Anti-Virus and Firewall (which I would, usually ;) ). However, with tight settings, disabled services and closed ports, some risks are mitigated a little. However...

    You did not say what the system would be used for or who'd be using it (what knowledge level and security awareness they have). Without either a firewall or sandbox application and a solid anti-virus app, improper system usage, including letting the user download whatever the heck they feel like (from the web or email) and run it, would likely lead quickly to serious malware issues. (Or, would we be allowed to block all attachments in OE and disable all file downloads in IE? Again, we'd need to know the machine's purpose and user needs.)

    There are no "tweaks" which take the place of serious apps like AV, firewall or a sandbox, so, if the user isn't going to be practicing "safe hex" then this challenge really can't be met in any meaningful way. But, with smart computing practices, the tweaks noted above and others may well make quite a secure system even without third-party packages.

    Got more info on user requirements?
    LowWaterMark
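As an added example (not from the post above or any forum member), here is a Python script that automates the listening-port check LowWaterMark describes: it parses `netstat -ano` and `tasklist /svc` output, compares every listener against the baseline he reports (135/TCP on any interface, 1025 and 1026/TCP on loopback only), and names the process and hosted services behind each unexpected port so you know which Service to disable. The netstat and tasklist text below is constructed for the example, not a real capture; the baseline dictionary is an assumption taken from the post and should be edited to match the box being hardened.

```python
"""Listening-port baseline audit for a Windows box (added example).

Run `netstat -ano` and `tasklist /svc` on the machine, paste their output
into the two strings, and every listener that is missing from BASELINE or
bound more widely than expected is reported with its owning process and
services. Both samples below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed `netstat -ano` output in Windows format. Not a real capture.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1032
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1180
  TCP    192.168.1.10:1054      64.233.160.1:80        ESTABLISHED     1500
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:1900      *:*                                    1180
"""

# Constructed `tasklist /svc` output mapping PIDs to the services they host.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    804 RpcSs
svchost.exe                   1032 Alerter, Messenger
svchost.exe                   1180 SSDPSRV, upnphost
iexplore.exe                  1500 N/A
"""

# Assumed baseline from the post: 135/TCP (RPC endpoint mapper) on any
# interface, 1025-1026/TCP bound to loopback only. Anything else is a finding.
BASELINE = {
    ("TCP", 135): {"0.0.0.0"},
    ("TCP", 1025): {"127.0.0.1"},
    ("TCP", 1026): {"127.0.0.1"},
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


# TCP rows carry a state column and only LISTENING ones matter; UDP rows have
# no state column and every bound UDP socket is a listener. TCP rows in other
# states (ESTABLISHED, TIME_WAIT, ...) fail the match and are skipped.
_NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$"
)
# Header and separator lines have no numeric PID column, so they never match.
_TASKLIST_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\s*$")


def parse_netstat(text: str) -> list[Listener]:
    """Return the listening sockets found in `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m:
            proto, addr, port, pid = m.groups()
            rows.append(Listener(proto, addr, int(port), int(pid)))
    return rows


def parse_tasklist(text: str) -> dict[int, str]:
    """Map PID -> 'image (services)' from `tasklist /svc` output."""
    owners: dict[int, str] = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            image, pid, services = m.groups()
            owners[int(pid)] = image if services == "N/A" else f"{image} ({services})"
    return owners


def audit_listeners(netstat_text: str, tasklist_text: str, baseline=BASELINE):
    """Return (proto, port, addr, owner, reason) for each unexpected listener."""
    owners = parse_tasklist(tasklist_text)
    findings = []
    for sock in parse_netstat(netstat_text):
        allowed = baseline.get((sock.proto, sock.port))
        if allowed is None:
            reason = "not in baseline"
        elif sock.addr not in allowed:
            reason = f"bound to {sock.addr}, expected {sorted(allowed)}"
        else:
            continue
        owner = owners.get(sock.pid, f"pid {sock.pid}")
        findings.append((sock.proto, sock.port, sock.addr, owner, reason))
    return findings


if __name__ == "__main__":
    for proto, port, addr, owner, reason in audit_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto}/{port:<5} {addr:<15} {owner:<32} {reason}")
```

On the constructed sample this reports four listeners: 445/TCP and 445/UDP owned by System, and 5000/TCP and 1900/UDP owned by the svchost hosting SSDPSRV and upnphost, which points straight at the services to stop. A baseline port that turns up bound to 0.0.0.0 instead of loopback is flagged too, since a socket that moves from loopback to all interfaces is as much a change in exposure as a new port.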
     
  3. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Yeah, very good points. I have done all of that, including disabling WSH and Media Player scripts.

    BTW Why is it listening on TCP 135?

    I've found a nice trick in Win2k, which has a built-in port filter via IPsec settings (allowing inbound and outbound TCP/UDP/ICMP blocks by IP); although, following the instructions on one website, I managed to close down almost all listening ports by default.

    I've also read all the tips about secure passwords, renaming the admin account and creating a default admin account with no privileges, etc. In your opinion, is this even useful on a computer that will be used solely by one person?

    I'm actually handling two "cases".

    One is a fairly inexperienced user, who recently shut down the computer because of Messenger spam warning about insecure computers :rolleyes:

    On the plus side he uses only web email, so securing Outlook isn't necessary. Other than that he does basic web browsing, but nothing else fancy or particularly risky (no peer-to-peer, no instant messaging, no IRC).

    The other user is a holy terror, running ICQ 24/7, IRC, eMule etc. Naturally his competency level is much higher, except that he thinks computer security is a joke.

    I could probably get them to run an antivirus, but definitely not a firewall. The second user would probably undo many of my changes anyway if he found his stuff not working.
     
  4. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    It can be done pretty easily. I have surfed the 'net for months on end with no third party apps in complete safety -- but that's me. There are things to learn and you have listed most of those. I will say that in today's environment if you have IE/OE simply *installed* on your machine and you operate without an effective and updated AV, you are just plain stupid. Still, you could operate without one if the mass of goo between the chair and keyboard was properly trained and controlled. A couple of comments:

    Win9x -- kill NetBIOS dead

    W2k -- there are issues with services and open ports. Learn what those are and close/disable them plus use the built-in filtering

    XP -- same as W2k except turn on the included firewall for added safety

    I could sit here and type for an hour on all the little tweaks and tips that should be followed but it appears you have done your homework. So I will throw the challenge back at you -- make sure you have them all covered! :D

    In *every* case, the hardest to configure is also the hardest to control -- that mass of goo. In that light, I will provide one link.

    http://www.claymania.com/safe-hex.html

    Phil
     
  5. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    LWM and Phil,

    Excellent posts!

    I thought I would weigh in on the ability without third-party apps to maintain some privacy on the desktop....

    One thing you can't do, obviously, is "wash" deleted items. But, there are some things you can do:

    1. You can designate a sub, sub, sub folder for sensitive items. Just a holding place really. A place to put items to - rename.

    2. Then, you go through that folder before shutdown and DivorcePlans.doc becomes FootballPicks.doc (or something related to your interest that wouldn't raise eyebrows). If it's really sensitive like Bank Robbery Plans.doc (just kidding - but you get the idea) change not only the name but change the extension so it becomes "blue5.gif" and drag it to the "Temporary Internet Files."

    3. Then delete.

    4. Again, depending on sensitivity level - maybe the info shouldn't be there in the document in the first place. Before you delete the file, go in and empty the contents of the file - or better yet - make nonsense of it and then delete.

    5. Remember, this is all hypothetical having no access to 3rd party apps.

    6. A sensitive photo can be opened with Notepad, where you see nothing but gobbledygook. Scramble it. Mess around with all the characters in the file - select all, empty the file, rename it - and then delete the file.

    There are other things obviously, but if stuck with nothing - those are some simple things you can do to maintain some privacy with documents, pix, etc.

    Kind of an interesting topic to think about JayK!

    John
    Luv2BSecure
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    Windows uses port 135 for the RPC end-point mapper (epmap), which is basically used as a "directory assistance" type service that allows network-aware processes to inquire regarding the address (port) upon which certain services are running on a system. Since these services can use different available ports, there had to be some mapper available to inform inquiring programs about which port is currently assigned to these services.

    When you run a "Probe My Ports!" scan at grc.com, if it finds port 135 open it says:
    No, it is not actually "impossible to close", but, arguably, you are really disabling a lot of your OS if you do take steps to close down the epmap. For information on how to close it, which I do not recommend and have not done myself, see:

    http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
    While intelligent and cautious people can get by without an Anti-Virus product, it's still a very good idea to run one (like a safety net - just in case). Given the description of this person's activities, I think that system should run a strong AV product (like NOD32, KAV or NAV). I've never found an AV product to "get in my way", as a firewall might for some people depending upon their system usage. Though I have no problem using a firewall, either.
    hehehe, you just know that somewhere, someone has some file like that on their system. ;) File it under the category of "criminals too stupid to live" :D

    Best Wishes,
    LowWaterMark
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Howdy all

    I found this very interesting indeed...how to make surfing as secure as possible, without any extra apps...

    Very good, Phil. I would install NetBEUI too....

    Anyone know RegWizard, and how to disable it from the Run field?

    disable: regsvr32.exe -u c:\windows\system\regwizc.dll
    enable: regsvr32.exe -c c:\windows\system\regwizc.dll

    Apart from those browser configurations (disabling ActiveX, Java, JavaScript, cookies etc. etc.), these might help a little too. And... one of you already mentioned that the fewer apps running, the more secure your puter is.

    *Ari*
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    And the best, not the last: make registry and file backups to restore every time you log off the net ;) .

    John, the mantra, hehee "Backups, backups.."

    *Ari*
     
  9. snowy

    snowy Guest

    Most interesting topic......very nice comments...

    Can an OS be hardened? Sure... definitely! I prefer the use of the registry... W2K seems the best for securing ports... never tried XP...

    On a Win95 for a period of five years, with a computer used solely by two youngsters... no firewall... no anti-anything = no problems. The one fault was in their use of cookies... found 347 tracking/profiling cookies... this could easily have been avoided. Otherwise... no viruses... no trojans... no bots.
    It does not seem to be spoken of often, but IE does have a sandbox... and yes, it does work... perhaps not as well as the more costly programs, but it does work. That sandbox and Zones used together help greatly.
    A SCRIPT DETECTOR works wonders using the proper scripts... the Win95 mentioned did not even have that installed... no third-party software was installed on it.
    Today that same Win95 has numerous third-party programs... and is still working like new.
    Making as much of the OS as possible "disappear" can't hurt either.
    No, I would not suggest not using a firewall... but it's done by millions... and while there is a lot of hype about using anti-virus software... let's not forget that anti-virus programs are after-the-fact... while a mere script detector is before-the-fact (bet I get comments on that).

    Just my six pence. P.S. I use firewall/anti-virus & trojan and tons of other such programs.
     
  10. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    HI!

    I appreciated this topic. Those who can do a smart configuration of their system are blessed. They won't have to load all kinds of software. Knowing the registry is also a good thing, for you can disable keys that cause problems. I'm not there yet! Uguel ;)
     