Simplicity fun setup

Discussion in 'other anti-malware software' started by Kees1958, May 12, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    XP Pro SP3

    - Windows FW (sort of free)
    - Surun (free) = LUA smart (link http://kay-bruns.de/wp/software/surun/#8)
    - Trust-No-Exe (free) = SRP smart (link http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm)
    - Edgeguard Solo Beta (free) = extra contained threatgates (link http://www.blueridgenetworks.com/forms/es_register.php)
    - Set P2P, mail, IM, download, temp IE, recycler directories to limited user with XP Pro's SRP
    - Avira 9, high heuristics, check on all file types, only at write, safer driver load, optimised scan (also rootkits)
    - Keyscrambler free for IE8 (default banking/shopping browser), Chrome's internal sandbox (using Chromium for daily browsing)
    [EDIT]
    - Arrovax shield freebie (old, but still works; tracking cookies disabled, because they are not updated) to provide some additional user space protection
    - Rising PC doctor Free (IE frame protection and USB main reason)

    Two essential utilities for ACL: http://www.fajo.de/portal/index.php?lang=en&option=com_frontpage&Itemid=1 for additional NTFS access policy management (the security tab for files is missing in XP Home), and ACLView, download from http://web.archive.org/web/20071026...hp?f=data/en/download&img=images/baner01e.gif


    Used the above to give SuRunner plus current user access to diskcleaner and setting restore points/go back (C:\windows\system32\repair), plus Defraggler, OSAM and Panda anti-rootkit. Can use Windows recovery to 'undo' user space intrusions now, plus the repair capabilities of Arrovax shield and Rising PC doctor. :thumb:

    What do you think?
    a) does it feel responsive? yes
    b) has it low memory usage? yes
    c) low CPU time usage? yes
    d) low I/O overhead? yes
    e) safe? :D
     
    Last edited: May 13, 2009
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Why use SuRun and limited user SRP at the same time? Why EdgeGuard instead of AppGuard, especially if this is all run from admin? There could be more to mention on SRP. You have not mentioned Sandboxie, also free and fun ;)

    I have a feeling this thread could start some interesting ideas..

    Sul.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I know you can make XP Home an XP Pro, https://www.wilderssecurity.com/showthread.php?t=200772 I know Tlu, Mrkvonic, you and Lucy are active with that. Just wanted to see whether I could find a lazy freeware alternative. Possibly also for people who like LUA/SRP/ACL but do not dare to change their XP configuration as described in TLU's thread.

    Why SRP? Simply because I want some programs (like LimeWire, Messenger, Outlook Express) and their downloaded data directories always contained. So I did it for two reasons:
    a) I did not know what file extensions Surun covered (Trust-No-Exe also only monitors a few). So when Surun provides all extensions of SRP, I can drop this.
    b) I like the silent containment of SRP, which can be evaded by the user through Surun for these specific apps.


    Why EdgeGuard instead of AppGuard: AppGuard is paid, EdgeGuard is free. Another reason is that EdgeGuard does not require Terminal Services to run, which reduces a lot of disk I/O (for some reason a few services keep on accessing the disk when Terminal Services is started). Therefore I needed Trust-No-Exe to prevent executions from the user space.

    Note you have to set most of Avira's apps to run as admin; you also have to add C:\Documents and Settings\All Users\Application Data\Avira in TNE as a directory where executables are allowed to start (otherwise the update won't work).

    Regards Kees
     
    Last edited: May 13, 2009
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    "Security setups which reduce the attack surface are boring, they even deny you the BASIC (user) RIGHTS to make wrong decisions" :D
     
  5. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Can you tell me how this can be done in XP Pro? Thanks
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Start ==> Run ==> secpol.msc

    See http://support.microsoft.com/kb/324036

    In IE you can find the location of your temporary internet directories; in Outlook Express you will find them under Options, Maintenance, Archive Map; your P2P program will probably have a standard one (LimeWire uses LimeWire).

    Google for "Securing Windows XP" (Gaullaume Kaddoch), see page 11 at the bottom. Another source of interest is Microsoft's "Windows XP Pro SP2 Security Configuration Guide 3.0"; both are PDFs so I can not upload them.

    Regards Kees
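The secpol.msc step above, scripted, as an added example that is not part of the original post: the PowerShell below writes the same registry keys the Software Restriction Policies snap-in creates for a path rule, at the Basic User level (the "limited user" level the post refers to), for a set of user-writable directories, and then reads the policy back. It assumes an elevated prompt, Windows PowerShell 2.0 or later (not present on XP by default), that an SRP policy has already been created once in secpol.msc, and that the directory list and rule description are illustrative rather than the poster's exact configuration.

```powershell
# Added example, not the thread author's procedure: create "Basic User" path rules
# by writing the registry keys secpol.msc itself uses for them. Run elevated.
# Needs Windows PowerShell 2.0 or later (not on XP by default).
# The directory list is an illustration; substitute your own P2P, mail, IM,
# download and temp folders.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels are decimal-named subkeys of CodeIdentifiers (SAFER_LEVELID_* values)
$Level = @{
    Disallowed   = 0        # 0x00000: nothing runs
    BasicUser    = 131072   # 0x20000: runs without Administrators/Power Users rights ("limited user" in the post)
    Unrestricted = 262144   # 0x40000: normal rights
}

# Illustrative user-writable locations (assumed paths). %VAR% is expanded by SRP at check time.
$LimitedDirs = @(
    '%USERPROFILE%\Local Settings\Temporary Internet Files',
    '%USERPROFILE%\Local Settings\Temp',
    '%USERPROFILE%\My Documents\Downloads',
    '%USERPROFILE%\Local Settings\Application Data\Identities',  # Outlook Express message store
    '%SystemDrive%\RECYCLER'
)

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][int]$LevelId,
        [string]$Description = 'Added by script'
    )
    if (-not (Test-Path -Path $Safer)) {
        throw "No SRP policy exists yet. Open secpol.msc, right-click 'Software Restriction Policies', choose 'New Software Restriction Policies', then rerun."
    }
    # Every rule is its own GUID-named key under <level>\Paths, exactly as secpol.msc stores it
    $ruleKey = Join-Path -Path $Safer -ChildPath ("{0}\Paths\{1}" -f $LevelId, [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so the %VAR% form is stored unexpanded
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    $ruleKey
}

function Get-SrpPathRule {
    # Read-back check: every path rule with its level name and the *unexpanded* path.
    # (Get-ItemProperty would silently expand %VAR% in REG_EXPAND_SZ values.)
    $nameById = @{}
    foreach ($n in $Level.Keys) { $nameById[[int]$Level[$n]] = $n }
    foreach ($levelKey in Get-ChildItem -Path $Safer) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $id = [int]$levelKey.PSChildName
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $raw = $rule.GetValue('ItemData', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $levelName = if ($nameById.ContainsKey($id)) { $nameById[$id] } else { "Level $id" }
            New-Object -TypeName PSObject -Property @{
                Level       = $levelName
                Path        = $raw
                Description = $rule.GetValue('Description')
                RuleKey     = $rule.PSChildName
            }
        }
    }
}

# Apply, then verify what the policy now contains
foreach ($dir in $LimitedDirs) {
    Add-SrpPathRule -Path $dir -LevelId $Level.BasicUser -Description 'Basic User: user-writable directory' | Out-Null
}
Get-SrpPathRule | Sort-Object Level, Path | Format-Table -Property Level, Path, Description -AutoSize
```

Rules apply to processes started after the policy is re-read; logging off and on, as the KB the post cites advises, is the sure way. Two caveats hold for any SRP path rule: the rule follows the path, so a file copied out of a restricted folder runs at the default level, and Basic User only strips the Administrators and Power Users groups from the new process token, so a setup program launched from Downloads fails rather than runs with admin rights. Get-SrpPathRule reads ItemData with DoNotExpandEnvironmentNames on purpose: Get-ItemProperty would expand %USERPROFILE% and hide what the policy actually stores.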
     
  7. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Ahh thanks Kees as always :D

    Running surun atm so I think I may forego the reg tweak since by default applications are set to run under surun supervision. Good info nonetheless :D
     
  8. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    I have never been good in keeping secret, and that is going worse as I get older.

    So, Sul, please, excuse me for this terrible sin ;) :

    Sul is about to release a beta version of a free tool which handles SRP, for admin or for LUA. You will not have to use the M$ tool or make a hazardous workaround anymore.

    I guess the lazy one will have a simple and fun setup!
     
  9. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    ... and that would be me!! yey!
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Is "someone" going to be beaten up?

    :D
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @Lucy,

    I have PM email with Sul on sharing ideas and examples; he did not mention it, so you probably blew a scoop . . . :eek:


    @All
    Because Kafu.exe, Browser Hijack Retaliator and Arrovax all do not completely cover the startup entries in the user space of the registry, I have removed the rights of the current user on some HKU entries.

    Removed create subkey and set value with regedit for the following
    (where "= created" is mentioned, that key did not exist and I have added it first):

    HKEY_CURRENT_USER\Control Panel\don't load\

    HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\
    HKEY_CURRENT_USER\Software\Microsoft\Ctf\LangBarAddin\ = created

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\fileexts\.exe = created
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\

    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ = created
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\ = created
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ = created

    These rights were already removed (maybe by SuRun?)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\


    HKU keys covered by Arrovax, so omitted:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask plus all search and URL page references

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon\

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Network\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    HKEY_CURRENT_USER\Software\Classes\*\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\DragDropHandlers\
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\PropertySheetHandlers\
    HKEY_CURRENT_USER\Software\Classes\Drive\shellex\ContextMenuHandlers\
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command\
    HKEY_CURRENT_USER\Software\Classes\Folder\shellex\ColumnHandlers\
    HKEY_CURRENT_USER\Software\Classes\Folder\shellex\ContextMenuHandlers\


    Regards Kees

    NB1. When you make these changes, be sure to set a restore point first and keep a text file which describes in detail what you have done, in case you want to undo it later :D

    NB2. Rising PC Doctor has got an LSP fix option
     
    Last edited: May 13, 2009
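The regedit permission changes above, as an added example that is not the poster's own steps: the PowerShell below adds a Deny entry for Create subkey and Set value for the current user on the listed HKCU keys, creating the keys the post marks "= created" first, and writes each key's ACL as SDDL to a text file before touching it, which gives the undo record NB1 asks for (on top of the restore point). It assumes Windows PowerShell 2.0 or later, that it runs as the user whose hive is being hardened, and a backup file location of its own choosing; the key list mirrors the post.

```powershell
# Added example, not the thread author's own regedit steps: put a Deny ACE for
# "Create subkey" and "Set value" on the current user for the HKCU autostart keys
# listed in the post, creating the ones marked "= created" first, and save each
# key's original ACL as SDDL so the change can be undone. Run as the user being
# hardened (no admin needed: the user owns his HKCU keys). Windows PowerShell
# 2.0 or later. The backup file location is an assumption.

$Keys = @(
    "Control Panel\don't load",
    'Software\Microsoft\Active Setup\Installed Components',
    'Software\Microsoft\Command Processor',
    'Software\Microsoft\Ctf\LangBarAddin',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
    'Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)
$BackupFile = Join-Path -Path $env:USERPROFILE -ChildPath 'hkcu-acl-backup.txt'   # assumed location
$Me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User               # SID of the interactive user

function Protect-HkcuKey {
    param([Parameter(Mandatory=$true)][string]$SubKey)
    $path = "HKCU:\$SubKey"
    if (-not (Test-Path -Path $path)) {            # the "= created" case
        New-Item -Path $path -Force | Out-Null
    }
    $acl = Get-Acl -Path $path
    # One restorable line per key: HKCU\<subkey><TAB><SDDL of the ACL before the change>
    Add-Content -Path $BackupFile -Value ("HKCU\{0}`t{1}" -f $SubKey, $acl.Sddl)
    $ruleArgs = @(
        $Me,
        [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue',
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # this key and its subkeys
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    # Deny ACEs are evaluated before Allow, so the user's (inherited) Full Control loses
    # exactly these two rights; read, enumerate, notify and delete are untouched.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-HkcuKeyProtected {
    # Check: try to write a throwaway value; "protected" means the write is refused.
    param([Parameter(Mandatory=$true)][string]$SubKey)
    $path = "HKCU:\$SubKey"
    if (-not (Test-Path -Path $path)) { return $false }
    $probe = 'AclProbe_' + [guid]::NewGuid().ToString('N')
    try {
        New-ItemProperty -Path $path -Name $probe -PropertyType DWord -Value 1 -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $path -Name $probe    # write went through: clean up, not protected
        return $false
    } catch {
        return $true
    }
}

function Restore-HkcuKeyAcl {
    # Undo: put back every ACL recorded in the backup file.
    foreach ($line in Get-Content -Path $BackupFile) {
        $name, $sddl = $line -split "`t", 2
        $path = $name -replace '^HKCU\\', 'HKCU:\'
        $acl = Get-Acl -Path $path
        $acl.SetSecurityDescriptorSddlForm($sddl)
        Set-Acl -Path $path -AclObject $acl
    }
}

foreach ($k in $Keys) { Protect-HkcuKey -SubKey $k }
foreach ($k in $Keys) { '{0,-5} HKCU\{1}' -f (Test-HkcuKeyProtected -SubKey $k), $k }
```

Two things to expect. First, the user still owns these keys, and an owner can always rewrite the DACL, so anything already running as that user can remove the Deny entry again; this stops software that does not anticipate the lock, not code written to defeat it. Second, legitimate writes to the same keys fail too: folder-option changes in Explorer (Explorer\Advanced) and "Open with" choices (FileExts) will not stick until Restore-HkcuKeyAcl has put the saved ACLs back. Test-HkcuKeyProtected proves the lock by attempting a real write rather than by reading the ACL, which is the check to run after every change of this kind.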
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    I certainly hope not!
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Lucy, I wonder as a kid how excited you are before christmas or birthday lol. Ever sneak a peek at presents :D

    We have been working on this for some time now, and it nears the end from alpha to beta. A little more yet. But I am working 7 days a week ATM, so it crawls like a slug. But very soon.

    Sul.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    We can only thank you for your efforts! It sure will make the task of applying SRP a lot easier!
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I ran some quick tests and I really like Surun's flexibility. Trust No Exe looks at executable code in memory. This is stronger than SRP; after EXpOff had made a PoC which broke SRP in XP (he is with Mickesoft now; LUA of Vista is much better, so do not be afraid), I always was reluctant to build my security around SRP, but guess what: THIS FUN SET UP WILL REPLACE GeSWALL.

    So I ditched the regedit workaround of stripping rights of the user and the old crippled Arrovax Shield, and used a life time license of Malware Defender to replace it.

    Malware Defender now defends user space file access (task scheduler, hosts file and program autostart entries), and I made a registry group of all the default registry protection of autostarts, network and system provided by Xiaolin, plus four of the guys from ThreatFire (sorry Xiaolin, can't tell you, promised PC Tools DJames), plus simple outbound protection plus application protection on kernel objects, direct disk access (since EdgeGuard does not protect against it) and system shutdown.

    I must say it is the lightest and strongest deny setup I have ever configured (even EQS, Comodo's D+ could not match this), with so few pop-ups.
    :thumb: :thumb: :thumb: Sometimes it is good to play, it stimulates your out of the box thinking. Also thx to Stem who helped me configure my router, with his excellent ARP flow of event examples!

    Regards from a really happy Kees

    Note I also got an invitation from Avira to test the new behavioral blocker; I will pass on this one. In future I might check out Panda when it comes out of beta.
     
    Last edited: May 13, 2009
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes, like we couldn't guess it already :rolleyes:
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I only use it as a simple application network access firewall, to protect files in user space and registry entries of user space (similar to what DefenseWall defends besides HKLM). Comodo V3.5 missed some user space registry entries; maybe the new version has caught up. Luckily you have Sandboxie to protect you.
     
    Last edited: May 14, 2009
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I will when time machine gets out of public beta, meaning the official release version 4.1xx :blink:
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Decided to test ride the Avira beta. Reason is I wanted to complete the fun setup with freeware only. So few icons in the system tray of my desktop (XP Pro SP3, E5200@3.06GHz, 2 GB RAM):

    - Windows FW (not visible)
    - Surun (not visible)
    - Trust-No-Exe (not visible)
    - EdgeGuard Solo (visible)
    - Avira Free beta (visible), secure load, rootkit check for scan, optimised scan, unattended heal (quarantine, repair, delete), heuristics set high, for all files on write only, proactive on medium
    - Keyscrambler free for IE (not visible)
    - ScriptDefender (not visible)

    Browsing
    - Through OpenDNS set in router
    - IE8 (phishing check disabled, since it is done on OpenDNS servers; XSS filter enabled) for online banking and shopping
    - Iron latest with AdBlock (and its internal sandboxed rendering engine) for daily browsing, incognito mode

    On-demand
    - OSAM
    - Panda AntiRootkit

    Zero layer defense
    - External Harddisk off line with paragon Free for image backup, Syncback for data backup
    - Linksys D635 router: NAT/SPI/limited DPI firewall with LAN partitioned (clients can not access each other), WPA2-AES, MAC address control network filter (only our MAC addresses may bind to the router) with static IPs allowing only 5 internal IPs through the router (both in and out), inbound filter excluding our internal IP addresses from coming in, ARP, DDoS and flood attack prevention, SSID hidden, WL clients wanting to add themselves to the LAN also need a PIN. Compensated this security overhead by fiddling with the Quality Of Service engine to recover full bandwidth (typical ping time within NL < 8 ms, 10Mbs download)

    Regards Kees
     

    Last edited: May 14, 2009