How light can you go?

Well,

My Son needed a laptop for his study. It is a more or less a forced buy from his university, with a few options. So we decided to use the cheapest one.


Setup will be

Vista 32 bits 4 GB RAM (old DDR2), we will be using the non addressable RAM as RAM Drive for teh swap file

FireWall
No question, we will use the fastest two way firewall, low overhead FW available for Vista. Thanks to Stems post https://www.wilderssecurity.com/showthread.php?t=239750
(and a little help from Vista FW control free, to get the correct paths and executable names to manually allow)

Intrusion Protection
UAC/Norton UAC
No Question again. We will use the fastest/lightest Intrusion detection available on Vista: UAC. To remember choices we have selected the freebie Norton UAC Tool, BYE BYE ROOTKITS

Windows Defender
Joined the advanced group, Deselected scheduled scans and the on-access scan. WD will still check doownloaded programs, but uses very very few CPU cycles now. Also the other Agents will still warn you when an intrusion occurs, BYE BYE SPYWARE.

Virtualisation/sandboxing
Chromium/Iron's Internal policy Sandbox
We downloaded the fastes lightweight browser, the completely desinfected version of Chrome: Iron of SRWARE. We used the mobile version, becasue it is easier to contain/further limit. Iron (chromium) has an internal sandbox.

The VISTA virtualisation trick with UAC!
Just to be sure we right clicked on task manager, clicked VIEW, selected Columns, choose Virtualisation (see pic). All Internet facing programs were forced to run virtualised (simular to run in protected mode like IE8 ). Also Foxit (PDF) Flash, etc set to this mode.

Software Restriction Policies
PrettyGood Security
YES it is there, the great Pretty Good Security, just PM Sully when you want to beta test. Version 1028 running great. SRP Policy
a) All Internet facings programs run in LUA, except IRON
b) The user space (in our case D:\Data or the moved My Documents) has a DENY execution

EdgeGuard Solo
Runs OFFICE and IRON as limited. Advantage: With Edge Guard Solo IRON runs when SRP is on all executables (otherwise you have to exclude DLL's), downside EdgeGuard does not protect against Direct Disk access, but this is compensated with virtualisation.

AntiVirus/Blocker
Avast Standard Shield
We used Avast free, only standard module [noparse](we have moved the e-mails of OutLook Express to D:\Data\Mail and contained them with Pretty Good Security 102[/noparse], so only the standard shield is enough). We only check on execute the old DOS and 16 bits Windows Programs, 32/64 bits and dll's are not checked.
We have deselected READ scanning, so only checking on Write of new or changed Executables. Normally Writing is to late, but AVast has its VRDB data base to fall back to a previous executable (un infected)

Avast Blocker.
We also use the old fahioned BLOCKER (see advanced options standard shield) to throw a warning when an executable is RENAMED. The funny thing this RENAME also prompts into action when an executable is MOVED!. This closes the gap from any malware being able to move its exectuable from the user space (where it can not execute), to the Admin/system space (where no SRP is in place). PERFECT!

Bottom line
An amazing light setup, safe and super fast (checked with benchmark programs).

 

That is VERY cool!

Silly question: how do you know which programs are internet-facing (I am unfamiliar with the lingo)? Are you describing browsers and mail programs?

 

Awesome setup there Kees, you put a lot of thought into efficiency.

Off-topic, really enjoy Iron, but find when the spell-checker identifies a word, when you right-click, it crashes.

Also with Windows Defender, once it alerts you of a possible change, how effective is WD in preventing the change? I liked how light it was, but found to 'undo' a system change it had alerted me to, it would report back something like 'change could not be made', or along those lines.

 

Interesting. Can you explain what you are doing with PrettyGood Security/SRP and the Vista virtualisation trick with UAC?

 

Yes e-mail, webbrowsers, Peer-to-peer, messenger, windows media player, etc.

 

those program that uses/conect to the internet are target by hackers and cyber crminals so it is better to close doors seal the doors at all times to protect your privacy/files and pc

 

Well, on Vusta with UAC it is stronger than on XP. I agree that on 'heavy' malware it sometimes warns, but can not prevent system from shutting down. I have OSAM and Process Hacker when WD fails to un-do (look at history in WD).

It is much lighter when you disable the on execution scan of the real time agents

Did not know about the bug of Iron, alternativelu just download teh latest Chromium Portable and start incognito by default.

 

Pretty Good Security is a new SRP utility. It gives you the SRP abilities when using XP Home or Vista Home. I block all execution on the My Documents folder (moved to D:\Data).

Mail Sully he has developed it. It works well (I have tested it). Mail him when you want to try.

Vista Virtualisation. It virtualises access to e.g. HKLM\Software registry changes and C:WIndows, C:\Program Files changes for the programs you mark in task manager.

 

We ran some benchmarks and beat some other freeware setups, some marginal (e.g. the latest CIS, 17% more efficient on CPU and 7% more efficient on internet, this sounds a lot but with the low resource usage both have the absolute difference is fractional), some by far (e.g. Sandboxie).

 

67 processess is light

Just use a hardware firewall, Sandboxie and Returnil for a superlite and exceptionally secure system.

Turn off and or delete anything MS security related as it's useless bloatware.(IMHO)

 

I just use a little bit of common sense, Windows Firewall and Prevx 3. It's not for free but easy, effective and extremly light.

 

And if it works for you and you're happy then stick with it.

No need for all those fangdangled fancy setups that Kees is constantly espousing.

Here I can't have or don't want any realtime blacklist/hips scanners as I want everything to come through unhindered in order to test for new malware samples.

Sandboxie fits that role perfectly here.

 

Kees, I have a question. I can turn on virtualization for let's say Firefox (while it's running) but when I close it out and then activate it again virtualization is no longer enabled. So my question, how did you get it to remain enabled? Or did you have to enable it each time you activate an internet facing application?

Thanks.

Later...

BTW, I'm running Vista Ultimate.

 

My setup is as light as it has been in a long time. Windows Firewall, Prevx and Defensewall and a lot of common sense. I think my days of running umpteen security programs at once are at an end.

 

What is so complicated about Kees setup? He is using a firewall, windows at that, so not much really to mess with there.

Chrome, sandboxe sort of deal, not really different than sandboxie.

SRP, which does not have to be complicated.

UAC or variation of this. UAC is default anyway on Vista/7.

Antivirus, which pretty much everyone should use unless they really know what they are doing. At the least if will monitor for older virii that might still float around.

Finally he has some sort of specialized blocker for file renaming or other such thing.

I don't see how this is much different than most peeps setup, except for the SRP rules and a sandbox via chrome.

Am I missing something, because I think this layout is fairly straight forward with not much involved.

Sul.

 

The differing approaches by Kees1958 and Franklin go to show that there are multiple ways to achieve a secure system.Both of the set-ups mentioned would make malware infection extremely unlikely so it's just down to personal preference which method to employ.

 

How do you use UAC to start certain programs with lower rights?

 

Google UAC Virtualization. There is some info out there about this approach but nothing too extensive (at least from what I've found so far...but I'm still looking).

 

Trespasser,

I will have to ask my son. He is on a rugby tour right now, will be back next week. He created a user account which asks for admin password when an elevation request is required. I also know he plays with powershell scripts (I fear he gave me the simple version on how it works ).

I clicked a few links on his laptop he had saved: http://blogs.technet.com/richard_macdonald/archive/2007/05/18/990366.aspx

Regards Kees

Regards Kees

 

He set up another account, editing the KLM\Software\Microsoft\Windows\CurrentVersion\Policies\System with regedit

"ConsentPromptBehaviorAdmin"
User Account Control: Behavior of the Elevation Prompt For Administrators in Admin Approval Mode
0 = run in quite mode (keep UAC on, but automaticallu elevate to Admin)
1 = run UAC, when an elevation request occurs, your are asked to enter the admin password
2 = run UAC, prompts for confirmation to continue a task which requires admin rights (default)

"ConsentPromptBehaviorUser"
User Account Control: Behavior of the Elevation Prompt For Standard Users
0 = no pop-up, disallow/block when UAC is and running as limited user account
1 = allows you to take over the credentials of the admin by entering account and password

 

Ha your are wrong about the number of processes as a benchmark for efficiency. Tip: Use a better performance monitor than taskmanager, Total CPU time, CPU spike variances and I/O overhead are far more important than number of processes.

You are right about Returnil, it is an effective solution to freeze the setup of a PC running admin.

Wondering how you were able to delete OS-related security features of Windows and still have a PC that boots by the way

 

Ad 1 see pic, it is an old feature of Avast, a little useless nowaday, but in combination with Pretty Good Security a nice counter measure to prevent moving an executable from user space (where SRP rules) to the admin/system space.

 

vLite for a base thinning then delete the feck out of it after install.

All I can say is that if anyone thinks they need UAC then they probably do.

Limited user account - bah.

After desktop comes up after a fresh install get Vista to show the full blown admin account at reboot and select it then delete the account you are forced to create at install.

No more right clicking cmd and selecting "Run as Administrator" as it starts in admin mode.

But if you want to use your system like having to crack a safe and a lack of confidence then that's your choice.

 

For years, people have been complaining about the insecurity of Windows systems. When Microsoft finally does something about it, what do they do? They (users) don't give a damn. The most sad thing, is that, advanced users advice casual users not to run UAC because is annoying. I have a different opinion, so has my family running a limited user account and software restriction policies, which in terms of limiting, it only limits changes to important system parts, so it won't limit, for example, an e-mail client from getting e-mail messages, a web browser from browsing the web, etc.

Now, I'm not saying that you don't feel comfortable running in full administrator account.
If you got the knowledge to be using an admin. account or have the time to check what's happening in the system, then go ahead. But, that's no reason to say/advice to others to do the same.

Would you feel safer if I tell you to stop taking your shots, just because it won't prevent you from dying? Its a waste of time, a waste of holes in your skin, a waste of money (if you pay for your shots). Bottom line, you live for your shots, believing they will save your life. What for? What's the point?

Why live in fear?

What if I tell you I don't take any shots... Am I the one not having lack of confidence...? This would be living in full admin. control, right?


Cheers

 

I wouldn't call them advanced users if they go so far as to make the basic mistake of not running UAC not because of any software/hardware problems, but because they think it's "useless bloatware".

Ignorance, coupled with the confidence/belief that one is knowledgeable, is a very dangerous combination indeed, both to the person himself and those around him.