Security Options

Hello,

I'm new here and am very thirsty for knowledge. I recently purchased a new laptop.

What are some ways to secure the operating system from malware infections?

I ordered it with Windows 7 Ultimate.

 

Welcome to Wilders Security Forums!

Do you already have some kind of Antivirus installed, or are you completely naked?

 

Hello,

I have Microsoft Security Essentials AV. I uninstalled the free trial version of Norton AV. Maybe a mistake, Norton AV has improved.

 

I see you are using Windows 7 Ultimate, probably 64-bit; which is a great thing.

The easiest solution to protect yourself against malware is the following:

1. make sure you have got Windows Update enabled;
2. make sure you keep all your applications up-to-date, especially applications like: Adobe Reader, Adobe Flash and Java;
3. make sure you make backups of important personal files (you can do with Windows Backup and Restore, or any third party alternative);
4. make sure you have got an system rescue disc available (probably your laptop manufacturer has some kind of recovery method, otherwise you can also make a system image with Windows Backup and Restore);
5. make sure you use the very latest version of one the major browsers (Internet Explorer [version 9 is coming next monday/tuesday], Google Chrome, Mozilla Firefox or Opera);
6. make sure your Windows Action Center recognizes an active firewall, antivirus and antispyware program. The combination of Windows Firewall and Microsoft Security Essentials is a free, solid and easy to use solution;
7. stick the golden rules of security (1. watch out for risky websites, downloads, advertisements and email attachments, 2. make sure you are on the right website and on a safe connection [https / padlock icon in browser] when you perform sensitive actions online [such as banking]).

If you don't feel safe using the above, these could be additions to consider:

8. download Malwarebytes' Anti-Malware and scan, after updating the database, with the free product once every week;
9. use ClearCloud DNS (blocks known malware domains) on your pc, or even better, on your router. For instructions Google "ClearCloud DNS";
10. use a Standard user account instead of an Adminstrator account, which will avoid 95% of the problems (just like sticking to the golden rules of security).

 

Security checklist for Windows 7, The Ten Immunitable Laws of Security

 

Hello,

And thanks for the responses.

If my understanding is correct, this type of user account does not operate with administrator rights. Is this right?

Do any of you recommend any other Windows security features? I have Ultimate.

 

Win 7 User Account frequently asked questions

Why use a standard user account instead of an administrator account?

 

I recommend Sandboxie (takes a while to learn, but more than worth it), ClearCloud DNS, WOT, SUMo (helps with keeping software up-to-date), and Hitman Pro (don't activate trial unless you're infected).

 

I also recommend Sandboxie.

 

What are you looking for specifically? Are you running 32-bit or 64-bit? Who are using your machine - single user or shared among family members? You also need to be clear on what you're trying to achieve and how much time/effort you're willing to put in.

Start your quest for knowledge by having a look here:

Securing Your PC and Data

 

I would go with Norton. I think it's the best IMO. If you want free maybe Avast or even Comodo Internet Security.
WOT
Super Anti Spyware
Malwarebytes.
Norton 360.
Here are Just a few choices.

 

As stated and advised by siljaline, implement and get used to SUA (standard user account).
Later on, if you wish to go further with internal OF security features:
https://www.wilderssecurity.com/showthread.php?t=262703
(There are many other pages about AppLocker for Win7 ultimate)

 

A Standard user account indeed doesn't have the administrative capabilities. So indeed you will have to switch to the Administrator account to perform administrative actions. But that has a huge advantage, 95% of the security threats are blocked simply by using an Standard user account.

The 7 steps I mentioned really are the easiest (and completely free) to get bulletproof protection. Implementing something like AppLocker (which is available in the Ultimate version) is quite some harder if you are not that much of an pc expert.

 

If I may, not exactly.
You can right click and provide the admin credentials in Run as administrator, or simply provide it when requested by the system.

 

You're right.
An effort is necessary if one wants to use it.
Few links:
http://www.microsoft.com/downloads/...29-4d8b-43c5-8115-78bc30a187c2&displaylang=en
http://technet.microsoft.com/en-us/library/dd548340(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx

 

Yes you are right there, what I should have typed in my post is that you have to perform additional steps to provide Administrator credentials.
One could also enable Fast User Switching via gpedit.msc or http://answers.microsoft.com/en-us/...witching/643ea7cd-d98a-42be-b8d4-ba37801a9ea8, but that is quite some more technical already.

 

Hello,

Wow. Thanks to everyone for their input. And thank you Lucy for your links to AppLocker and your recommendation for using a Standard User (Limited) Account.

I will look into these options. My Windows Ultimate is x64.

Are there any other Windows 7 security options I could take advantage of?

 

Well,

standard user account,
windows firewall default set,
microsoft security essentials AV,
windows update set to automatic (you may additionally use secunia PSI to update your non microsoft programs),
are already more than enough.

If you feel like investing time to get some knowledge,
there is AppLocker (as we already said) - but really it is not necessary
there is group policy management - very difficult to understand and apply properly - not necessary.
there is as well EMET, a microsoft tool to mitigate some 0-day vulnerabilities - it allows to activate / apply various protection strategies uch as DEP, SEHOP.... There are many threads about it on this forum.
Some golden rules:
- too much security kills security.
- Keep it simple
- too many programs from too many vendors = big mess / no improvement
keeping microsoft tools whenever available instead of other vendor's tools will greatly simplify your life.

 

I personally use Norton 360.
If you are looking for free I would suggest Comodo Internet Security, Both my son and daughter have CIS on their computers. a Laptop and a Desktop. It works fine. They had Avast free on the laptop and MSE on the desktop until my son got a virus on his laptop. Avast flat out missed it. I cleaned it out with Mbam. I put CIS on his laptop and that found more stuff and cleaned it out.After that my daughter put Comodo on the desktop with Comodo Dragon the web browser,all works great. So there is good free stuff out there.
The laptop is 64bit windows 7.
The desktop is 32bit XP.

 

Hello Lucy,

Not necessary. Why? I heard AppLocker was a great way to lock down write access in your user account.

Not necessary. Really? Very difficult to understand? You mean things like configuring access control is not necessary?

 

Hello dan323,

So, it sounds like anti-virus programs alone aren't enough anymore. Does your son or daughter use a standard user account?

 

Perhaps (and I am assuming) Lucy is implying that the permissions already in place with a user account are enough. As a member of the users group, policies and rights already restrict most modifications/deletions/writes to pre-defined areas, and allows more rights to user areas.

While applocker can afford more protection in terms of building a default deny or similar scenario, the user account is already denied much.

Also, unless you need to set permissions on custom created directories (which the creator might own) the majority of concerns are already addressed in the group policies.

If you understand group policies (I am not saying you don't mind you) then you might come to the conclusion that what is there already is most likely enough. Group policies can be cumbersome IF you don't fully understand them. It is true there are some easy options to toggle that can be of use if one desires to understand what is going on.

I agree with Lucy, that in most cases, leaving group policy alone is fine. Advanced users or users who want to learn, well, it is a great tool to do so with IMO. One just has to know the implications

Sul.

 

Hello Sully,

I heard that there is still write access to the standard user account and many people have been hit with fake avs and keyloggers. It would seem to me that AppLocker could be used in conjunction with a standard account.

 

Well, yes, there is certainly write access as a "user", but it is restricted to only %userprofile% areas. And it is also true that there are threats that operate in userland. These threats are not generally seeking to destroy the system as much as get your personal data IMO.

What can you do? In win7, you could use applocker. You might also use Integrity Levels or other features that can help. I am certainly not saying applocker and policies don't have thier place, but I wonder about thier effectiveness in the hands of those who don't/won't take the time to learn. But then, I view UAC in the same light. A nice simple message spawns that asks for permission, you say "ok" and it is allowed. A standard user account is not as subject I don't believe as the default lua which is really an admin account with 2 security tokens, one of them admin, the other user.

Sul.

 

Ahh he has ultimate, don't let him throw away the cookie jar of policy management