Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If you're running SeaMonkey in Sandboxie, there's no need for the separate DropMyRights utility. That option in Sandboxie does much the same thing. The DMR utility is best used with non-sandboxed items. The only component of DMR you need is the executable itself. Copy it to the root folder of the drive that contains the apps you want to run with reduced rights.

    There are a couple of ways that you can launch apps with it. The simplest is to create desktop shortcuts for each app that you want launched with reduced rights. If you open a command prompt first and then open DropMyRights in it, it'll show you the correct syntax. Very few apps can run with the untrusted setting. Here are a couple of examples from one of my virtual test systems.
    Code:
    C:\DropMyRights.exe "C:\Program Files\Seamonkey\Seamonkey.exe"
    C:\DropMyRights.exe "C:\Program Files\PROX\Proxomitron.exe" C
    The first part of each example, "C:\DropMyRights.exe", assumes that you've copied its executable to the root folder of the C drive. The second section in quotes is the path to the executable that you want it to launch. The quotes are necessary due to the space in the path, specifically the one between "Program" and "Files". The "C" at the end of the 2nd example is the switch that dictates the level of restriction. DropMyRights has 3 levels of restriction: normal, constrained, and untrusted. The switches are N, C, and U respectively. Since DropMyRights defaults to the normal setting, the switch "N" isn't needed.
    The first launches SeaMonkey with DropMyRights' normal level of restriction.
    The 2nd launches Proxomitron with DropMyRights' constrained level of restriction.
    You can see how DropMyRights affects an application's level of privilege and system access with Process Explorer using the security tab. The security tab is accessible by double clicking on the specific process you want to view in Process Explorer's main window. DropMyRights doesn't make an application less exploitable. By reducing the application's system access and privilege, it takes away the attacker's ability to use an exploited app to gain more access to the rest of the system. When used in conjunction with a good classic HIPS, they can often prevent a hacked or compromised application from becoming a compromised system. Here are screenshots from Process Explorer for Proxomitron, taken from a virtual XP system.
    launched normally,
    Prox-default.png
    launched with DMR using normal restriction level,
    Prox-DMR-N.png
    launched with DMR using the constrained level.
    Prox-DMR-C.png

    Regarding registry backups.
    On XP, ERUNT is excellent for creating and restoring registry backups. It also includes a small optimizing utility which removes empty spaces in the registry files, reducing their size.
    I'm not sure how well the built in system restore works when it comes to the registry. That new error message has me wondering just what you deleted. I suggest using that restore point, then checking that registry key to see if it is restored. Assuming that it does, could you take a screenshot of it and mark exactly what you deleted? I'll try to get back with you tomorrow about that. Hopefully I'll have another post ready for the firewall rules.
     
    Last edited: Aug 13, 2014
  2. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Here's a quick update. I did the Restore. Went into Reg Edit. The entry was back as in the screenshot below. This is what I did yesterday: clicked on the end column and nothing happened (as in highlighting). The only thing that was highlighted was the VDD. So I deleted that, which took out the whole line. I looked back in the instructions on the link ...and yes, what a difference ONE WORD makes. Delete the VDD Value.
    OK that said, I need to know exactly how to do that.

    VDD Reg.png

    I also should have uninstalled SeaMonkey before the restore because any part of it that went to the C drive is gone, like shortcuts and I had set it to be default browser and the icons have gone back to FF's. It's still installed on the D drive, so a bit of tidying up there. I have 3 ways to deal with that, which I won't do until I get this Symantec thing sorted first.

    Thanks for the ERUNT Link. I've downloaded but won't install yet. I went in and checked DMR expecting that to be gone, but it's still there. I made an exception and let it go to the default location on C since it's a/ so tiny and b/ recommended.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's very easy to make a mistake like that, especially if you're not comfortable with the registry. Right click on "VDD" and select modify. On the "Edit Multi-String" interface that opens, delete the C:\Progra~1\Symantec\S32EVNT1.DLL entry. If there are any other strings there, leave them intact, unless they're more Norton or Symantec entries.

    Have you checked if there are any Norton or Symantec entries left in "add/remove programs"? If there are, see if the uninstallers will work. If Symantec or Norton wasn't uninstalled properly or completely, it will continue to cause problems.

    I have to ask. If "C" is your system drive, why are you installing applications on the "D" drive? Many applications including browsers add files and subfolders to the Windows and system32 directories as well as in the "Program Files\Common Files" directory in addition to the registry. When an application installs components on more than one drive, using a different backup or image for either one can break those apps. The only way to avoid problems with that arrangement is to make backups of both drives and treat them as a unit. If you restore one of the drives, you have to restore the corresponding backup for the other drive. This defeats the purpose of separating them in the first place. The XP System Restore will complicate this even more. It doesn't back up or restore everything, just what it considers important. Actual drive images are much better because they're complete. If you're getting low on space, check to see how much is tied up as restore points. Windows makes and keeps a lot more of these than most users will ever need.

    Treat all installed applications as "system", not "data". The exceptions here are applications that are not installed, that don't use the registry, and don't put files in any folders other than their own. Even these should be kept on the system drive unless you have a good reason for wanting them elsewhere. The location of folders like MyDocuments, the desktop, and others can be moved to the data drive with utilities like TweakUI, or by manually editing the correct registry keys.
    XP-TweakUI.png
    Regarding DropMyRights, I'm pretty sure that the instance of DMR that's in the root directory of the "C" drive will not work with applications installed on another drive. I'm almost positive that it has to be on the same drive as the applications it launches.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This could complicate things. The BZ ruleset contains some very good ideas but it also contains rules that won't apply to many systems. It has several rules that use network/mask which Kerio has a problem with. It also has a standard loopback rule that will need to be replaced by individual loopback rules that are application and port specific. Like any downloadable ruleset, several rules need to be edited to match your system.

    It turns out that I still have a copy of the BZ ruleset. Found it in the screenshots made for the Kerio learning thread. The BZ ruleset has 2 configuration files, a standard and an advanced set. Below are screenshots of each. If you used one of his rulesets as a starting point and haven't removed the rules that don't apply to your system, it should be possible to compare your existing rules to these screenshots and see if yours contains those rules. If your rules use these as a starting point, that will give me a much better idea of what needs to be done.
    BZ Kerio 2x Default Replacement - Standard - Final.gif BZ Kerio 2x Default Replacement - Advanced - Final.gif
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks, that doesn't make me feel so bad. Regarding Reg Editing, I'm good about going in there as long as anyone tutoring me assumes I need exact and complete instructions. Just remember, Reg Editing for dummies and I should be fine.
    Bingo, that Reg edit did it. The installer for Sockscap ran up to the Eula screen (forgot to reboot before trying to install as per your instructions above ....) I exited out though until I get the rest of "the mess that is Symantec" sorted (see below). I went in and deleted that S32EVNT1.DLL file then rebooted. So it looks like that part's fixed.

    There's an entry ..."Symantec Network Drivers Update" in Add Remove Prog, but when you click on it there's no dialogs or anything that comes up allowing you to uninstall it. All there is, is "used" and "rarely". If I click on rarely it gives me a definition of rarely. That's kind of them.

    There is one very simple explanation for this. I simply made the system partition far too small. Hindsight's great, eh? It basically was a typical nOOb mistake. Because XP has been SO stable for me, even though I've literally thrashed it, I've never re-installed. I've been extremely wary of resizing partitions. At the time space and the lack thereof started being an issue, I saw that installing to another partition was supposed to be OK. Of course what you've just described is bang on. I'd never separate programs now, because of exactly what you said. When I do reinstall I'll cut the drive in 1/2 or do something like 70/30 System/data respectively. I didn't know you could move My Docs. I have Tweak UI on my computer. Not sure how much memory a restore point takes. There looked like heaps of them for this month as I've done quite a bit of playing around.

    With the rise of more and more portable apps, and where possible I want to use these, it's still a case of beware. It's not always clear whether they're totally portable. Some of them can still put files on the system, when you "install" them. Unless they specifically declare they're totally portable, I'm cautious. I think it's a good idea to put the truly portables in their own area rather than mixed in with those that are installed.

    With a quick look from a search, that's basically what I saw mentioned but saw there was a way to do it with creating shortcuts but I didn't look into that. Anyway the program is so small, like Kerio, I have got just a few on C (System)

    With Kerio, I'm sure I started with the standard BZ ruleset, but we're talking years ago. I did have to reinstall Kerio and what not, so anything's likely. I haven't had time to read its help files yet. As can be expected with these ventures, there's bound to be some stepping back in order to go forward. I've done a fair bit of that. I'll study those grabs you've put up, with my Kerio.
     
    Last edited: Aug 13, 2014
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    If I may jump in again, (hey, I'm learning too :))
    This had cool screenies and comments from 2003. For me, much, much cleaner and easier to understand than the BZ rules ever were.
    http://www.dslreports.com/forum/remark,6642367
    describes Kerio proxy or no proxy setup and other info along the lines noone_particular mentions. Includes Proxomitron rules.
    (About the only thing different from NP is a too global DNS rule (and, for me, NetBios needed limiting to my LAN, but that's OT))
    It still amazes me how Kerio and Sunbelt firewall are so current and functioning in spite of all the WinXP changes to date.
     
  7. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Haha act8192, feel free, boots and all! I think noone_particular will agree, the more the merrier. We also realize this thread may go far and wide in our quest to nail down potential vulnerabilities. I hope anyone who has an XP system will come here and at least give it serious thought before going to later OS's. After what noone has brought to our notice I think it's worthy of consideration, even for those who hardly know where to start, which would be a lot of people.

    Thanks for the link. Been a while since I've been there, but there's some great info. I remember there was a dedicated Kerio Forum YEARS ago which I joined but unfortunately it closed not long after. I might see if there's anything on the waybackmachine.... you never know.

    Well I just compared, and my ruleset is nothing like the BZ ones. I had to dig into the system and access Kerio's help file another way as it didn't come up from Kerio's interface. I'm reading the Security section now and trying to get my head around protocols and such.
     
  8. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    A lot has also changed between when 98 was the current system and the current versions of Windows, but even more has remained the same. The address system used by IPv4 is basically the same as it was. We still use the same DNS system. Operating systems still use the same ports. There's more application protocols now but most of them still run on TCP and UDP. Windows has different requirements for drivers before it will run them but the drivers themselves still do the same things. The internet itself is much bigger, has become a battleground, and has a lot more garbage on it, but at its heart it works the same as it always has. Kerio still works as it always has because the internet itself still works the same way. The basic rules that govern both haven't changed; Kerio would work on Win 7 if it wasn't for changes in Microsoft's driver requirements. I suspect those changes are as much for controlling user choices as they are for anything else. At first glance, today's firewalls appear to be changing a lot. When you look more closely, most of the changes are the additional components and feature creep that's being added to firewalls. Aside from automatic rule creation, making them dependent on the cloud, etc, the internet firewalls themselves have changed very little. On many, the firewall components are being neglected. Many don't have the configurability of the older ones like Kerio, loopback control being one good example. Leaktests and testing sites are little better than paid promotion tools for security suites. Most of their "tests" have nothing to do with the internet firewalls themselves. The result is that most users have never seen a set of firewall rules, let alone tried to write their own. It's quickly becoming a lost art. On today's internet, that lost art is one of the best tools we have against corporate and government snooping, data mining, tracking, etc.

    The links you posted are like walks down memory lane. I've forgotten about most of those. Things seemed simpler when the operating system wasn't outright hostile to your privacy. This thread is about enabling users to build and configure their own privacy package to suit their needs, not just a building package for Reality. By necessity, that will include securing the traffic in and out of the PC so that it can't function as a bypass or a leak. Everyone can contribute to it. Anyone can use it. There's no way that I can address every possible data leak or potential open door, especially in an OS that I'm not using or with firewalls that I've never run. The ideas presented will need to be translated into rules that work in these other firewalls. Those firewalls need to have their ability to control loopback traffic evaluated, something that those so called firewall test sites don't seem to do. The one site you linked to explained why loopback control matters with Proxomitron. With Tor, it's even more important, especially when one considers what the potential consequences of being deanonymized can be for some people. By all means, feel free to contribute.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm assuming that this means that you don't have most of those rules for local IP ranges, LAN subnet, LAN range, standard loopback, etc. That will reduce the amount of editing that's needed for your existing rules.

    Regarding the protocols themselves, you only need the very basics. I'll try to sum it up a bit. The majority of traffic in and out of a PC is TCP. TCP is used when data has to be sent accurately and completely. Example, one unit sends a file via TCP. The receiving unit responds regularly that it received a given segment and that it's ready to receive more. Data sent via TCP generally requires acknowledgment and response from the receiving unit. TCP is 2-way traffic. This aspect of TCP confuses a lot of people when it comes to the inbound and outbound aspect of firewall rules. With TCP, inbound and outbound are determined by who initiated the traffic. When you connect to a website, you initiate the traffic. This makes it outbound traffic. The page/data that the website sends back to you is a solicited response. It comes back to the same port that the request originated from. The browser opens the local port on your PC, sends the request, and holds that port open until it receives a reply after which it closes the port. When you connect to a given web page, your browser can open dozens of these. Since the solicited reply comes back to the same port that the request originated from, a port that the browser holds open until the reply is received (or times out), the firewall considers the traffic as outbound. There's no need for an inbound rule.

    UDP is primarily used for DNS lookups, DHCP negotiation, audio/video streaming, etc. It's used when completeness and total accuracy isn't as important and for small quantities of data that can easily be sent again if needed. Take streaming audio or video used for communication for example. If a couple of packets are lost in transit, the audio or video might lose a few words or frames. The communication itself will probably be just fine. If you were downloading a browser with UDP and a few packets got lost on the way, the result would be a corrupt file that's probably unusable. Unlike TCP, UDP traffic does not require an immediate response and it doesn't wait for one. When a response is needed, it will be a separate connection. DNS functions this way. That's why the UDP rules for DNS have to allow both inbound and outbound connections.

    Inbound rules are needed to receive traffic that's initiated by someone else. A web server that hosts a standard HTTP site listens on port 80 for requests for its web pages. If that server used the same kind of firewall, it would require an inbound rule that allowed TCP. That server has to be able to receive incoming connections, so port 80 is open all of the time. Open ports serve one purpose, regardless of whether they're opened by an application or a system service. They're open to receive unsolicited connections and traffic, traffic that's initiated by someone or something else. Those connections can originate from other PCs and devices on a local network or from the internet itself. That traffic can be file sharing between different PCs on a local network. It can be a Tor relay/exit listening for inbound traffic from other relays. The configuration of the equipment between that PC and the internet (routers, hardware firewalls, modems, etc) determines what traffic can reach that open port.

    Windows has several ports held open by system services. The newer versions have a ridiculous number of them. No matter what else those services do or how they're integrated together, the ports that they open are intended to receive incoming connections. This requires answers to several questions. Where would these connections originate from? What function or purpose do they serve? Is this something that I need or that the OS requires to function? If not, why is it running by default? Can I shut off or disable that service, close the port it opened, and still have a functional system? If not, why? IMO, if those questions can't be adequately answered, that OS can't be trusted. Most used to consider this paranoid. Since the Snowden revelations, a lot more people are asking these and other questions, and not finding adequate answers. Many argue that the open ports on Windows are not exposed to the internet, that they're only open to the local network. If these routers and firewalls weren't equipped with backdoors for "lawful intercept", which Cisco openly admits to, and other vulnerabilities including hard coded access available from the web, then I might agree. The way they're made now, they can't be considered secure. I also don't see anything that really prevents undetected malicious code from opening ports in those devices using UPnP. IMO, UPnP is a security disaster that's waiting to happen. UPnP has been exploited and patched several times already. It's safe to assume that it will happen again. Given the level of access it can give an attacker, it's also reasonable to assume that this is exactly the type of exploit that government agencies collect. It's also the type of problem that a user can eliminate completely by manually opening any ports that an application might need and using a software firewall to restrict that inbound traffic to that specific application only. UPnP can then be disabled on all of the devices and the ports it uses blocked with firewall rules that alert the user if it's re-enabled.
     
  11. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    act8192, I wasn't clear sorry, I didn't join dslreports but there was another forum especially dedicated to Kerio. Followed your link and I want to read it properly as ran out of time and only glanced through. No matter what I did I couldn't get those screenshots to show :-( . People getting attitudy aside, that long thread at wilders will also be good reading material.

    I'm pretty sure initially I did start with a BZ ruleset but it looks to me like somewhere along the line I just built from the default ruleset and as Kerio threw up screens (because of that "ask me first" setting) I made rules from there and found by and by the screens got less and less. I guessed at the time that process was my Kerio in "learn" mode. In that way "it just seemed to work". VERY basic understanding I know. I've always known about the importance of rule order but found that concept hard to get to grips with.

    Your expansion of Kerio's help topic about protocols and other security issues about ports and traffic flow/direction goes a long way to helping people grasp this difficult topic. Again, thank you.

    What are the best sites for testing things like this? This is a crucial part of setting up your own privacy package. I'd also hazard a guess that for those starting out, not being able to test or know how to test if something works or not could cause them to not bother.
     
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Enabled show images (or equivalent) in the browser? In SeaMonkey it's in Preferences under Privacy and security.

    I just went there. It looks like the old Kerio-Tiny forum is still there. Try this:
    http://www.dslreports.com/forum/kerio

    For testing some rules, especially loopback, see post#3
    https://www.wilderssecurity.com/threads/intercept-loopback-needed-only-if-running-proxies.229252/
    PCAudit2 is really a great test. I used it several times.
     
    Last edited: Aug 14, 2014
  13. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    After my system restore I'm not using SeaMonkey at this point. Just FF.
    I was there in those forums yesterday having a quick look around. Heaps to read. Images generally show on many other sites I go to even with scripts locked down (disallowed) but this wouldn't even show when (temporarily) allowing every script they wanted, plus allowing Request Policy as well. I always did find dslreports quite restrictive and that's why I don't go there often.
    Thanks
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, firewall test sites aren't worth reading. They're paid promotions at best with some bordering on extortion. The only tool you really need for checking loopback traffic is TCPView. If anything on your system is utilizing a loopback connection, TCPView will display it. If TCPView shows loopback connections and your firewall didn't prompt for them, look for a rule that permits loopback traffic. If none is visible, either the rule is hard coded or the firewall doesn't filter it. Neither of those is acceptable when trying to prevent leaks past a local proxy or Tor. PCAudit2 is better used for testing the loopback rules than it is for evaluating the firewall itself. Any firewall with a global or standard allow rule for loopback traffic will fail the test.

    Rule order can be complicated, especially on systems that use local proxies, Tor, etc. In general, global rules, those that apply to all applications and services, will be at the top, both blocking and permit rules. A global blocking rule for Google, Facebook, etc using the list of IP ranges posted in this thread and the custom address group would go at the top of the ruleset. Normally the DNS rules would also be global and at the top of the ruleset. This changes when you're using a browser (with or without other components) with Tor. That browser, Tor itself (when run as a client) and all components or filtering proxies in that chain need to be prevented from accessing your local DNS servers. The rules for chained applications will include both the permit and blocking rules, and will need to be kept together. The DNS rules will be below the rules for the chained apps. I'll try to explain this in detail a bit later.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This post continues where post #23 left off, tightening the firewall rules for the operating system and tightening the configuration of the OS itself. The next item on the list is DHCP (Dynamic Host Configuration Protocol) and your PC's IP address. DHCP is an application protocol, carried by UDP. It's communication between network devices like your PC and your router or modem and is used to give your PC a dynamically assigned IP address. Most home PCs and network devices use it by default. The router, modem, firewall, whatever device your PC connects to, assigns your PC an IP address without any input from the user. A detailed explanation of DHCP can be found on Wikipedia. With DHCP, the user doesn't need to understand networking, IP addresses, etc. Like most things, that convenience comes at a price. Quoted from the Wikipedia page:
    These can include DNS hijacking and some forms of MITM (Man in the Middle) attacks. There are some hardening mechanisms available on many routers like restricting network access to specific MAC addresses. These require some knowledge from the user. A user capable of using these mitigations would also be capable of manually assigning IP addresses to the devices, eliminating the need for DHCP. While hardening a potential attack surface is good, eliminating it completely is better. The screenshots below are from the XP control panel, network connections. On the network connection or device being used, right click and select properties. On the next screen, select Internet Protocol, then Properties after which you'll see one of the images below.
    NETWORK1.PNG network static.PNG
    The first image is the configuration for using DHCP. The IP address portion is the default setting on most PCs and home networks. The 2nd image is a manually assigned static IP. On both of those images, the DNS IPs are manually assigned for Open DNS. The default gateway is the LAN IP address of the device that your PC is connected to. When DHCP is used, it supplies the PC with the gateway IP. When IPs are specified by the user, the user enters the gateway IP. You can obtain the gateway IP from the interface of the network device or by using ipconfig.exe from a command prompt. A detailed explanation (with far more info than is needed) of an IP address can be seen here. On that page, take note of the section named "IPv4 Private Addresses" including the 3 IP ranges it lists. These ranges are reserved for local and private networks. This page explains how to configure XP for a static IP. With a static IP, DHCP is not needed. The DHCP service can be disabled.

    If you want or need to use DHCP, the firewall rules that control it should be tightened. Refer back to the screenshot of the default rules in post #23. As it's written this rule will allow any application to send and receive UDP traffic to anywhere as long as it leaves via port 68 and is destined to port 67. First change. "Any application" doesn't need access to DHCP. The only things that need to use DHCP are svchost.exe and ipconfig.exe. Next change. DHCP needs to be permitted to and from one address, the gateway IP. DHCP traffic originating from any other IP could easily be a MITM attack. Make 2 DHCP permit rules using the gateway IP for the remote address, one for svchost.exe and one for ipconfig.exe. Change the original DHCP rule to filter both TCP and UDP, change it from permit to deny, and rename it DHCP-block. Set it to log or to display an alert if you want warning if such an attack (potential MITM) is taking place. Put this blocking rule directly below the DHCP permit rules.
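The following is an added example, not Kerio's code and not anything posted in this thread. It models, as a small first-match packet filter in Python, the three points made earlier by noone_particular (TCP direction is decided by who initiated the connection, so a solicited reply needs no inbound rule; UDP has no such notion, so DNS needs rules both ways; and rule order decides which rule fires) together with the tightened DHCP rules just described (svchost.exe and ipconfig.exe only, gateway only, then a logged DHCP-block). The gateway address, DNS server, process names, remote addresses and ports are constructed sample values, and the `block_first` switch exists only to show what happens when the deny rule is placed above the permits.

```python
"""Toy first-match packet filter in the style of the Kerio 2.x rules discussed here.
Added example: not Kerio's code. All addresses, names and ports are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Packet:
    app: str              # process that owns the local socket
    proto: str            # "TCP" or "UDP"
    direction: str        # "in" or "out" as seen on the interface
    local_port: int
    remote_ip: str
    remote_port: int
    syn: bool = False     # TCP only: the segment that opens a connection


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "permit" or "deny"
    app: str = ANY
    proto: str = ANY                   # ANY covers both TCP and UDP
    direction: str = ANY
    local_port: Optional[int] = None   # None = any port
    remote_ip: str = ANY
    remote_port: Optional[int] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.app in (ANY, p.app)
                and self.proto in (ANY, p.proto)
                and self.direction in (ANY, p.direction)
                and self.local_port in (None, p.local_port)
                and self.remote_ip in (ANY, p.remote_ip)
                and self.remote_port in (None, p.remote_port))


class Firewall:
    """First matching rule wins; a packet matching nothing is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = set()          # TCP connections this host opened
        self.log: List[str] = []

    def filter(self, p: Packet) -> Tuple[str, str]:
        key = (p.app, p.local_port, p.remote_ip, p.remote_port)
        # A reply to a TCP connection we opened comes back to the same local
        # port; it is part of the outbound flow and needs no inbound rule.
        if p.proto == "TCP" and p.direction == "in" and key in self.flows:
            return "permit", "established-flow"
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self.log.append(f"{r.name}: {p.app} {p.proto} {p.direction} "
                                    f"{p.remote_ip}:{p.remote_port}")
                if r.action == "permit" and p.proto == "TCP" and p.syn and p.direction == "out":
                    self.flows.add(key)
                return r.action, r.name
        return "deny", "implicit-deny"


GATEWAY = "192.168.1.1"          # constructed: LAN address of the router
DNS_SERVER = "208.67.222.222"    # constructed: a public resolver


def dhcp_rules(gateway: str, block_first: bool = False) -> List[Rule]:
    """Tightened DHCP rules: only svchost.exe and ipconfig.exe, only to/from the
    gateway, then a logged deny for anything else on ports 68/67 (TCP or UDP).
    block_first=True puts the deny above the permits to show the effect of order."""
    permits = [Rule(f"DHCP-{app}", "permit", app=app, proto="UDP",
                    local_port=68, remote_ip=gateway, remote_port=67)
               for app in ("svchost.exe", "ipconfig.exe")]
    block = Rule("DHCP-block", "deny", proto=ANY, local_port=68, remote_port=67, log=True)
    return [block] + permits if block_first else permits + [block]


def base_rules(dns_server: str) -> List[Rule]:
    # UDP is stateless here: the DNS answer is a separate datagram, so the
    # query needs an outbound rule and the answer an inbound one.
    return [
        Rule("DNS-out", "permit", proto="UDP", direction="out", remote_ip=dns_server, remote_port=53),
        Rule("DNS-in", "permit", proto="UDP", direction="in", remote_ip=dns_server, remote_port=53),
        Rule("Browser-out", "permit", app="seamonkey.exe", proto="TCP", direction="out", remote_port=80),
    ]


def demo(block_first: bool = False):
    """Run constructed sample traffic through the ruleset; returns (decisions, log)."""
    fw = Firewall(dhcp_rules(GATEWAY, block_first) + base_rules(DNS_SERVER))
    traffic = [
        Packet("seamonkey.exe", "TCP", "out", 49152, "93.184.216.34", 80, syn=True),  # web request
        Packet("seamonkey.exe", "TCP", "in", 49152, "93.184.216.34", 80),             # solicited reply
        Packet("httpd.exe", "TCP", "in", 80, "203.0.113.9", 51000, syn=True),         # unsolicited inbound
        Packet("svchost.exe", "UDP", "out", 49153, DNS_SERVER, 53),                   # DNS query
        Packet("svchost.exe", "UDP", "in", 49153, DNS_SERVER, 53),                    # DNS answer
        Packet("svchost.exe", "UDP", "out", 68, GATEWAY, 67),                         # DHCP renew to gateway
        Packet("svchost.exe", "UDP", "out", 68, "192.168.1.77", 67),                  # DHCP to a rogue peer
        Packet("evil.exe", "UDP", "out", 68, GATEWAY, 67),                            # wrong process
    ]
    return [fw.filter(p) for p in traffic], fw.log


if __name__ == "__main__":
    for order in (False, True):
        decisions, log = demo(block_first=order)
        print("DHCP-block first:", order, decisions, log)
```

With the permits above the block, the renewal from svchost.exe to the gateway is permitted and the two bad DHCP packets hit DHCP-block and are logged; with the block placed first, the same renewal is denied because the first matching rule wins and the permits are never reached. One caveat a practitioner should keep in mind: a DHCPDISCOVER sent when the PC has no lease at all goes to the broadcast address, not the gateway's unicast address, so a permit keyed only on the gateway IP covers renewals but not a lease obtained from scratch.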
     
  16. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Building my package was always going to be a slow process, and of course life outside the forum has its demands. There's never enough time. Anyway, here's a bit of a summary of where I'm up to:

    Regarding SeaMonkey - Checked Folder on where it was installed (D Partition). Just a few files remained, including an install and uninstall log which included a list of Reg Files. Did a Reg search and didn't find any Sea M entries. Checked System Restore settings and fortunately all Partitions were monitored (I thought only C was monitored), thus Sea M would have been uninstalled by Sys Rest. Unless advised otherwise I'm going to re-install to the same folder over the top just leaving the few files that Sea M left.

    I'm reading through the Kerio learning thread. Nearly half way through that. Looking at the detail in the screengrabs is going to take a while. Also sorting out what is relevant to me and which isn't is a time consuming process.

    Because this thread has now got lots of info, I've prepared a summary of needed components according to what I think is suitable for my XP/Kerio system. Since noone_particular is familiar with this setup it makes more sense to follow noone's recommendations and settings for an ideal package setup, rather than follow the advice of other (respected) posters in the Learning thread.

    This is the current status of my privacy package (I may have missed a couple of things). If for any reason you can offer advice about anything you don't agree with, or is lacking, feel free to chime in. Also, unless something else should be tackled first I'm going to start on the messy task of fixing my firewall ruleset. Hopefully will post about that later tomorrow.

    XP Pro
    Kerio 2.1.5
    Firefox 28.0 - Cache set to 0.
    Addons:
    - Adblock Plus 2.3.2
    - Better Privacy 1.68
    - Foxbleed 0.1
    - HTTPS-Everywhere 3.2.4
    - NoScript 2.6.7.1
    - Prefbar 6.4.0
    - Request Policy 0.5.27
    - Self Destructing Cookies 0.4.4

    Sea Monkey yet to re-install

    Sandboxie 4.12 - Mainly default settings except Drop My Rights checked, and the only app allowed to go out on the net is Firefox
    Proxomitron - Installed
    - Filters (none yet)
    HashTab - Installed
    Wireshark portable

    Downloaded but not installed
    Erunt-setup.exe
    pcAudit2.zip
    TCPView.zip
    sc32r240.zip

    Internet Protocol (TCP/IP Properties) from post #40 - Nothing done.

    EDIT POST to add others :
    Windows Worm Doors Cleaner (WWDC)
    PServ from P-nand-Q.
     
    Last edited: Aug 17, 2014
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Provided that the installer doesn't complain about pre-existing files, there should be no problem with installing SeaMonkey back to the same place.

    Regarding the Kerio learning thread, the thread had a different purpose than this one. But like so many things with computers, learning one topic often requires you to learn parts of others. On a PC, very little works in isolation from everything else. Firewall rules, for instance, are very dependent on system settings, especially at a service level. Getting control over data leakage requires getting control over the things that can leak that data, not just the browser or a Tor package. Escalader had different goals in the Kerio learning thread, mainly learning how to make secure firewall rules with Kerio. Privacy and security, while basically separate subjects, are completely intertwined. There is no privacy or anonymity without security. The member "Stem" is extremely knowledgeable about many firewalls. I haven't seen him around for a couple of years now. The material in that thread is reliable. When you get to the last few pages, you'll come to the info that shows the problem that Kerio has with network/mask rules. On that occasion the blocking rules for the LAN subnet (from the BZ ruleset) were blocking DHCP broadcasts. The fault wasn't in the BZ ruleset. It's in Kerio itself. In that instance, the error wasn't creating any exploitable weaknesses since it was blocking more than it should have. If that had been a "permit" rule, it could have allowed more traffic than was desired and could have created an easy route right through the firewall. That example is one reason that I stress knowing the abilities and especially the limitations of the software that you use.

    Regarding the package you're assembling, I've never looked at Foxbleed or Self Destructing Cookies. On mine, I allow first party cookies only, with all cookies deleted on exit or by the "clear all" option on PrefBar. NoScript and Proxomitron duplicate a lot of each other's abilities. I strongly suggest that you don't use them together, at least not until you're much more familiar with Proxomitron. I've never used Wireshark portable. I don't know how well it works when used on the same unit that you're trying to monitor. Wireshark is best when installed on another device that sits between the web and the PC that you want to monitor. Wireshark itself is a pretty steep learning curve if you've never used such an app before.

    ERUNT is a registry backup and restore tool. The 9X versions of Windows have tools with similar abilities built in. For some reason, MS decided that XP didn't need one. The system restore is a very poor substitute. IMO, every NT system should have ERUNT or an equivalent registry tool. It takes the risk out of working with the registry and, since their settings are stored there as well, with system services. Most users don't need a registry backup/restore point very often, but when you do it's worth its weight in gold. Install it before you start changing settings.

    Regarding changing settings, especially those for services, I'd like to suggest another tool that can be invaluable. It's PServ from P-nand-Q. It's similar to the services interface in Administrative Tools but displays better information and gives the user more control. Its best feature is its ability to save the settings for all of the services as an XML template. These templates can be imported and used to put all of the services settings back the way they started. It's especially useful for those who want to tighten and disable unneeded services. If you go too far or make a mistake, it's easy to undo. For XP, the latest 2.X version is more than sufficient. I'm not sure if the current version works on XP.

    TCPView is an excellent connection monitor. Process Explorer is another invaluable utility. All of the Sysinternals utilities are worth having. Some you'll rarely use, but when you need them, nothing else will quite do the same job. Regarding the Sysinternals utilities, I've stayed with the last versions released before Microsoft bought out Sysinternals. Call it paranoid or a total distrust of Microsoft, either is OK. I couldn't help but notice how much larger many of these utilities became after the acquisition, but didn't gain any abilities or features to account for the size increase. If you look for it, there is a zip bundle available in various places that contains the pre-MS versions of all of the Sysinternals utilities.

    Treat PCAudit2 like an "unzip and use" utility, similar to many of the Sysinternals apps. You won't need it until we get to the loopback rules at which point we'll use it to verify their completeness.

    If you plan on using Proxomitron with Tor, you will need SocksCap installed. SocksCap will allow you to run most any internet apps that don't understand the Socks protocol through Tor.

    Regarding the firewall rules, I realize that the material I've been covering on system configuration and services is not what you were expecting. I do have one or two more posts regarding these in mind. After those I'll move on to rules for browsers, local proxies, and Tor, and how they fit together. Thanks in large part to the Snowden leaks and other revelations regarding just how insecure routers, modems, and some hardware firewalls are, I think it's necessary to reexamine the system access that open ports can provide and how the communication between the different internet devices can make that possible. When I look at the combination of "lawful intercept" and other weaknesses in routers, modems, etc., and add that to open ports on PCs that can't be closed, I can't come to any other conclusion. IMO, it's deliberate and planned.

    Remember who you're dealing with when it comes to anonymity and privacy. The so called "terror watchlist" has over a million people on it. I wish the article had said if that list was global or national. If it's national, that's 1 in every 300 people. Look at other posts that exposed some of the criteria that make you a person of interest. Visiting the Tor site, downloading Tor, expressing an interest in rights and privacy, visiting Muslim sites, piracy sites, Wikileaks, and who knows how many others. We have documented proof that they've subverted encryption, compromised equipment, coerced certificate authorities, and use valid digital signatures for their malicious code. We have documented evidence that they're compromising all kinds of equipment ranging from home PCs to the internet backbone, and that they require equipment and software vendors to include code or devices for lawful intercept. We know they've worked with Microsoft on "securing" Vista and newer operating systems, and that those systems have open ports that are unclosable. We know from the recent Gamma hack that FinFisher targets Vista and newer operating systems with zero day exploits. It's revealing that they advertise having "some" for XP. Care to bet that this is because XP either doesn't have the vulnerability running by default or that the user has the ability to close the hole they're exploiting on the newer systems? Given everything that we already know for certain about their activities, do we really need to see a document that details a Windows backdoor? Don't the track records of both Microsoft and the NSA say enough already? When we know for a fact that they're compromising all kinds of other internet equipment, can we really believe that they've left Windows alone?

    This is the reason that I've focused on system configuration and services in the first parts of this thread. There isn't much point in plugging holes or sealing cracks in a wall if the doors and windows are open.
     
    Last edited: Aug 17, 2014
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Another utility that I neglected to mention is Windows Worm Doors Cleaner (WWDC). It's available at Softpedia. The hashes for WWDC.exe are
    MD5 999f6e5c8d5c81f48afbdab7f8777323
    SHA-256 df40f41072aeb634e639b7666104e424fc2a7a6ed758f43e239cf0a06aa3b2d0
    WWDC disables several services that have been exploited in the past via the ports that they open. It's very simple to use and is much easier for those who aren't comfortable in the registry or system services.
     
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Good.
    That's why attacking this monster from every angle needed is a massive undertaking. I shudder to think how many average people just go online and never give all this much, if any, thought. Really, I'm not too far removed from that group. The biggest defense I have, then, is just not to do certain things online. That way, if I make mistakes while I'm learning, there's not a lot to lose.
    That's the way I see it too. You have to ask yourself, secure from what? Well, secure from those who would invade your privacy for any number of reasons. It's a no brainer who fills that description.
    There's bound to be too much overlap with my package and when I understand how things run together better, some of these will go. As soon as I'm using Proxomitron then NoScript can get disabled or go altogether. I'm still getting the components organized.
    I fired up Wireshark to just have a look and see what it was doing. That is something that can wait until other things are functional. I don't need to go down that road (yet).
    Will do
    Thanks for that. I will add that to my list in my last post, which I'll edit as needed. (Not sure how long Wilders allows you to edit your posts.) I went through my services sometime ago from blackvipers website. It's another thing I'm rusty on.
    OK, my Process Explorer is 16.2.0.0, downloaded early March this year. The EULA says: "These license terms are an agreement between Sysinternals (a wholly owned subsidiary of Microsoft Corporation) and you." Guess I better go and re-download that zip bundle you've just mentioned. I also have Autoruns, downloaded 7 odd years ago.

    Yes that is one of the ways I'll want to use the internet. I forgot to mention this. I took a look on the TOR website and couldn't see anything other than the TBB. What am I missing?

    Whatever is necessary to make for a better locked down system needs to be looked at.

    I'm sure somewhere along the line I'm going to be VERY interested in seeing just what makes my router tick.

    I believe even if it's that national figure, that number is extremely conservative. This is a horror story in the making.

    Another one to add to the list. Thanks.
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There's more than one download page. This is the one you need. https://www.torproject.org/download/download.html.en These were separated so that those looking for something other than TBB had to search for it.
     
  21. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Re: DMR in post #26, three questions:
    1. What is the difference between the DMR application and setting SRP paths via gpedit.msc on WinXP-pro, which I used to restrict a few paths to BasicUser?
    2. Might be OT since it's an SSM question: when recently I forgot SSM was running and wanted to just add ONE path to those SRP restrictions, SSM asked me a million times first to remove registry stuff, about 3-4 times in a row for each entry in the SRP list, and then to add. That looks like Windows was rewriting the entire list of 14 items instead of adding. I sat there like an idiot clicking allow, allow... Any comments?
    3. Can you explain a little more what I see in Process Explorer, which is identical to your screenshots for No DMR and for DMR normal restriction? But I don't seem to have a "constrained" option in gpedit and don't really understand the Mandatory and Mandatory,Restricted in the PE display. Just give us a few hints, if possible.
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not familiar enough with SRP to give you a proper comparison. Regarding PE and the security tab, I'm not fluent with the terms used. My description might not be accurate with the terminology. Hopefully this will be functionally correct. DMR is a tool for those who run Windows as an administrator, but want to run attack surface and internet facing apps as a user or a restricted user. The term "constrained" is coded into DMR and basically refers to a restricted user. As far as I know, the term itself doesn't mean anything to Windows.

    For comparison purposes, go to Control Panel > Administrative Tools > Computer Management. On the Computer Management interface, go to System Tools > Local Users and Groups > Groups. If you click on the "Users" group, for instance, you'll see
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\INTERACTIVE
    On the security tab of PE, you'll see these along with many of the groups listed in Computer Management. There's a lot of overlap in the groups. Users can be in many groups at once. IMO, they made this much more complicated than it needed to be. I haven't found a page that provides a clear explanation of the groups and SIDs, but I did find a few that will help with some of your questions regarding DMR. The original DMR page is either moved or gone, but I did find this page on the Wayback Machine. This page may also be of interest, and this page. A couple of older threads from this forum with good info here, here, and here.

    A couple of things that you may have already noticed. When an app is launched via DMR, the PE security tab shows the administrator is the owner, but the process doesn't have administrator access. You'll also notice that many of the privileges that are available when the app is launched normally are not available when DMR is used in any mode. While not exactly the same, an app launched via DMR using its normal setting runs with privileges closer to those of a user account, even if the user is an administrator. When launched with the constrained setting, the privilege level is more like that of a limited user or a guest. A fair number of apps won't run with the constrained level. If you look at the PE security tab for an app launched with DMR in constrained mode, below the administrator-deny entry you'll see many other groups with "Mandatory, Restricted". The application runs with only the permissions a restricted user would have in those groups. On a security tab for a DMR-constrained app, if you click on the permissions button, you'll see that "restricted" is added to the list of groups or users. When the untrusted flag is used, the privilege is reduced even more. The documentation I've been able to find says that running as untrusted "this will cause some applications to fail." In my experience, most everything I use won't run as untrusted.

    Regarding SSM, I'm assuming that you're referring to the registry rules. They can be a real pain. I don't know of a way to make them any easier. They're effective, but for any user that's not an expert in the registry, they ask too much. As much as I like SSM, I dislike the registry rules and don't use them. I don't know how Windows works with that section of the registry so I can't say if that's normal behavior or not.
     
  23. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Here's a bit of an update. I'm progressing along with this despite having an unusually busy time of it outside of the forum. I just haven't had time to go back to the learning thread, but instead thought it more beneficial at this point to backtrack here and get more things in place. I'm still only halfway down the first page. Anyway...

    I've installed the utilities at the end of post #41. I've quickly perused the various menus just to familiarize myself. I've installed SeaMonkey and altered some default settings that are obvious invitations for attention you don't want: no history, no passwords, zero cache size, etc. Installed SocksCap. Entered the various settings in post #11 for SeaMonkey, Proxomitron and SocksCap. Made 2 copies of Proxomitron, suitably renamed one for Tor, and set up the Proxomitron/SocksCap shortcut as directed by noone_particular.
    Installed Tor/Vidalia and just set it to client. That's all I've done with that. Had to do some organizational stuff like finding my router password, which I'd "misplaced", and remembering my KeePass master password.

    Is there anything more I have to do other than going into services and disabling this?

    act8192, what are SRP paths via gpedit.msc?
     
  24. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Noone, didn't see your post before I posted mine. Using a text editor hasn't sunk in yet.
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Not really. The rest of the adjustments will be to the firewall rules themselves.

    I'm not sure what you're referring to.
     