XP Home Security Plan

Discussion in 'other anti-malware software' started by Windows_Security, Apr 20, 2014.

Thread Status:
Not open for further replies.
  1. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
    It seems it is not that far away now, got a mail last week with a 50% discount on the Pro version telling me version 3.0 is coming SOON! ;)
    But then again, you never know...

    /E
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Well if they are safe users that rarely download anything, and savvy, perhaps something like SuRun wouldn't be necessary then? It came to mind seeing she was on XP Home and not Pro. At least create another Admin account then disable the built-in one.

    Still you could trim some dead wood (like services) that aren't needed, and other things, as she seems to only need it for basic use type stuff. Along with a registry tweak or two (that won't affect her) ports 135 & 445 can be locked down. Also to make it snappier. Some GP stuff, like disabling Autorun namely. A few LP tweaks too like the disallow of anonymous enumeration of SAM accounts and shares, and a few other things in there that aren't safe by default. Maybe even force secure login (Ctrl+Alt+Del) while you're there. In SRP, checking the boxes for Trusted Publishers and applying it to Admins only.

    VT Hash Check might not be a bad idea in the rare instances she goes DL stuff.

    Set up an outbound FW, like Comodo, and just add a few preset rules. Like a global rule to block all inbound TCP/IP. And a good preset for Web Browsers, with rules just for Loopback (if necessary), HTTP(s), and DNS. Maybe also use the "Protect All Files" tweak from Chiron's guide. Then just put a password on the program so she can't mess around with the stuff. She'll never hear a peep out of it and it will add protection.

    EMET... if she has .NET FW on there already anyway.

    (Portable) Hitman Pro and MBAM Free for on demand scans once in a while. Maybe also TDSS Killer, or even GMER for when your trained eyes stop by once in a while just to check out the state of things. Keep clean images on hand as well and bring them along in case ever needed.

    You know her abilities more than I. "Maybe" a real-time AV would be a good idea?
     
    Last edited: Apr 22, 2014
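    The registry-side tweaks luciddream lists above (locking down ports 135 and 445, disabling AutoRun, the anonymous-enumeration local policy and forced Ctrl+Alt+Del), collected into one script. This is an added example, not code from the thread or from any of the products named in it; the key and value names are the documented Windows ones, the chosen values are the usual hardening settings, and the verification commands at the end are what you would run after the reboot to confirm the change took.

```batch
@echo off
rem Added example (not from the thread): XP Home registry hardening applied with
rem reg.exe from an Administrator command prompt. Image the machine first, as
rem several posters advise, and reboot afterwards.

rem --- Local policy: no anonymous enumeration of SAM accounts and shares ---
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous         /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM      /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 0 /f

rem --- Port 445: stop direct-hosted SMB from listening on TCP 445 ---
rem Caveat: this also stops other machines reaching file/print shares on this PC,
rem which is the intended effect for a stand-alone home box.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" /v SMBDeviceEnabled /t REG_DWORD /d 0 /f

rem --- Port 135: disable DCOM so remote activation via the RPC endpoint mapper is refused ---
rem The mapper service itself keeps running, so an inbound-block firewall rule
rem (luciddream's Comodo global rule) remains the more complete control.
reg add "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM /t REG_SZ /d N /f

rem --- Group-policy equivalent: disable AutoRun for every drive type (0xFF = 255) ---
rem XP needs Microsoft's 2009 AutoRun hotfix installed for this value to be honoured fully.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem --- Secure logon: require Ctrl+Alt+Del before the classic logon dialog ---
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /t REG_DWORD /d 0 /f

rem --- Verify: each query should echo back the value just written ---
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous
reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" /v SMBDeviceEnabled
reg query "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD

echo Reboot now. Afterwards "netstat -an" should no longer list a LISTENING socket on :445.
```

    After the reboot, `netstat -an | find ":445"` returning nothing confirms the SMB change; the DCOM change is confirmed by `reg query` alone, since port 135 stays open for the endpoint mapper regardless.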
  3. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Heh I got that email too. Must be because I am registered on the PCAV forum :)
     
  4. Yes, will consider SuRun when GeSWall gives trouble (it is Home, but I have added PrettyGoodSecurity from our forum member Sully). Added Bitdefender Free (seemed to have the lowest impact; when Panda 3 comes out I will give that a spin).
     
  5. Fidelius

    Fidelius Registered Member

    Joined:
    Oct 2, 2006
    Posts:
    151
    Adblock Lite has been removed from addons.mozilla.org.
    Does anyone know why its author adstomper only uses Adblock Edge?
     
  6. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    If you don't mind having a slow computer then Forti has one of the most powerful website blockers out there. I use it on my family computers along with MBAM Pro realtime. Those computers are like Fort Knox. Nothing gets through.
     
  7. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    Probably because it's not needed anymore. Adblock Edge is gaining popularity, so he might have removed the other one.
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
    AdBlock Edge (ABE) loads a bit faster than Adblock Plus (ABP). Nevertheless, on some old systems it will take ages to load Firefox entirely.

    Crashing on Flash - Chrome Flash or some other installed? Note that Adobe offers some LTE version of Flash (11.7)
    ~ Link Removed - See Flash Player Policy - JRViejo ~
    The problem will re-occur after May 13 when LTE will get v13. (long term edition)

    Anyway, if Flash causes blue screens/crashes there will be more issues for sure. XP will stay outdated although it got some update in the last days (some told me), and if your hardware is pretty outdated too, you'd better investigate some newer hardware.

    Have you thought about Linux? For common users with internet, some office and other normal stuff it would be more practicable, and if you design -ix like Windows - it works ;)
     
    Last edited by a moderator: Apr 23, 2014
  10. Okay, new simplified setup

    1. Driver Radar Pro v1.5 (Freeware), whitelisted all current drivers

    2. Added Sully's PGS (Pretty Good Security)
    a) Deny execute for all basic user writeable folders in Windows
    b) Default deny in user folders, for all files, all users (allow install via TEMP)
    c) run Office 2003 + WMP as basic user (2003 also end of life)

    3. Set current user as Power User (allowed to install in program files folder and system 32 folder, not allowed to change windows settings)

    4. Chrome (loaded a lot faster than FF on XP) with BD Traffic Light and Adblock Plus.

    5. HitmanPro alert free (with free CryptoGuard)

    6. Bitdefender Free (cloud)
     
    Last edited by a moderator: Apr 28, 2014
  11. peterk62

    peterk62 Registered Member

    Joined:
    Feb 10, 2009
    Posts:
    51
    I have an old XP laptop which doesn't get much use any more and isn't worth upgrading to a newer version of Windows. I have always run it with Limited User Accounts and SuRun, and now have Panda Cloud AV Free installed on it. Would anyone care to comment on the merits of either (a) installing Toolwiz TimeFreeze or (b) installing Comodo IS and setting it up to auto-sandbox unknown applications fully-virtualized (sort of like BufferZone)? I also have Macrium Reflect images in case of disaster.

    About the only thing this is used for is if my kids are doing something with GameMaker, Lego Mindstorms, or some games from GOG (being a 15" 1024x768 display it actually isn't bad for those old games), but I can't rule out Internet access.
     
  12. With Toolwiz Time Freeze, you could make it a kiosk PC. After every reboot it would restore to its default state. I would exclude Panda directory from protection. So when you don't need to update a lot and can do updates yourself, it is a good choice IMO.

    Comodo really has become a Swiss pocket knife for virtualization (f.i. virtualizing internet-facing apps partially and new unknown ones fully). See https://www.wilderssecurity.com/threads/comodos-swiss-army-knife-sandboxing-virtualisation.339661/ . I have no idea how this would perform on an old CPU, but I think it requires less management than a Toolwiz Time Freeze kiosk or LUA + SURUN because you can control the whitelist.

    When you control the PC yourself, LUA + SURUN is also a good solution (Panda Free does well in tests), so why change when it fits the bill currently?
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
  14. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    The vulnerability mentioned in the article is IE related, not XP related.
     
  15. blasev2nd

    blasev2nd Registered Member

    Joined:
    Mar 27, 2014
    Posts:
    47
    Why is Linux not an option here? If you want a "Windows look-alike" you can use Linux Mint and feel at home immediately.
     
  16. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    At this point, I'd say the maintenance and care required to keep an XP system functioning is probably much greater than what is required for a typical Linux system. IOW not so much that Linux is easy, as that XP has become prohibitively hard for non-ultrageeks.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    If one's computer is as old as XP, then Mint might be a bit heavy. On my aging box the distros that work best are Linux Lite & Pinguy.

    On the other hand, I am firmly convinced that XP can safely be used for a long time to come, with adequate security apps in place PLUS frequent imaging. (Frequent imaging is THE essential XP security factor.)

    As to "adequate security apps" my present set-up is:
    • Realtime: AppGuard, Exe Radar Pro, Driver Radar Pro, MB Anti-Exploit, Router with firewall
    • On demand: Avast SafeZone (banking browser), Tiny Watcher (file integrity checker - works great on XP 32 bit), VirusTotal (scan all downloads), Avast AV (full system bootup scan - I let it run every few nights, while I'm sleeping), Keriver Imager (I routinely clone to external drive every 3-4 days & retain each clone 1-2 months. I also do an extra clone whenever I trial new software -- the best uninstall of a trial is to install the pre-trial image).

    XP forever!!! :isay: :sick:
     
  19. blasev2nd

    blasev2nd Registered Member

    Joined:
    Mar 27, 2014
    Posts:
    47
    With an old box I prefer Puppy Linux; the latest Slacko Puppy can run all internet-facing software as non-root, with an easy wizard.

    That being said,
    I'm still amazed by the security setups of both bellgamin and windows_security,
    and I'm quite sure you guys can make XP safer than most of us. :thumb:
     
  20. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
    My Win7 got an IE update today - after yesterday's announcement, MS will also feed XP with an update for this critical exploit. Maybe they will offer other patches if critical; nevertheless XP is out of date and won't get any other updates - I won't count on that one-time shot again.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Linux Lite. You took my suggestion. I knew you wouldn't be disappointed :thumb:
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yeth!!! Thanks for splendid advice. :)
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy

    Pay attention when using Trident-based applications:

    https://en.wikipedia.org/wiki/Trident_(layout_engine)#Trident-based_applications

    [Attached example image: Immagine.JPG]

    Script Off for I.E.8
    (+ trick1803)
     
    Last edited: May 8, 2014
  24. JohnMult

    JohnMult Registered Member

    Joined:
    Mar 26, 2012
    Posts:
    133
    Location:
    Greece
    Suggestion:
    1. Standard Account
    2. Crypto Prevent
    3. Toolwiz Time Freeze (with exceptions)
    4. Norton DNS
    5. MVPS Hosts File
    6. Tip 1806
    7. Google Chrome and Foxit Reader
     
    Last edited: May 8, 2014
  25. I have returned the PC, thanks for all suggestions :)

    Final setup
    1. Installed using TinyXP, run as Power User (able to install programs, not change windows settings)

    2. Use Keriver-1 for OS-restore, Free File Sync for data backup.

    3. Added Sully's PGS (Pretty Good Security)
    a) Deny execute for all basic user writeable folders in Windows
    b) Default deny in user folders, for all files, all users (allow install via TEMP)
    c) Run Office 2003 as basic user (2003 also end of life)
    d) Added Crypto Prevent double extension block rules manually for TEMP folder

    4. Panda Free 3.0 Cloud (without URL check, set to ask before clean)

    5. Chrome with AdGuard (using chrome's flash & pdf)

    6. Foxit-PDF (not using for browser, used as viewer and PDF-printer)

    7. Media Player Classic (because it is light and does the job well on XP)

    Explanation for choices
    1. Keep it Simple (stick to OS-they know, use OS-features)
    2. Reduce "Admin" attack surface (TinyXP, Power User, run 2003 as LUA, deny execute in user folders, Black Viper services advice)
    3. Using Dutch-language programs Keriver, Free File Sync and Panda Cloud Free for primary defense (backup/restore, antivirus)

    Weakness of choice
    I had to allow easy updates of vulnerable programs, so some sort of Admin rights and update was mandatory. Considered SUA (SuRun/Sudown) but that slowed down the system more than PGS+Power User and sort of defeated the purpose for which those programs were developed, because I had to provide maximum rights to the most vulnerable programs (browser, media player and PDF). Toolwiz Time Freeze worked well allowing browser/PDF/media player folders to update, but the registry is always virtualized, so this could potentially cripple the system.

    Finally opted for Power User+SRP deny execute with a deliberate hole in the deny-execute policy to allow execution/installation in the TEMP dir only. Disabled updates of other programs to keep it as simple as possible (only update browser, PDF reader, media player and AV). This worked well and passed a series of "good" update tests. Panda does well in real-world tests, so fingers crossed that the reduced attack surface, their safe browsing habits and Panda will keep them clean.
     
    Last edited by a moderator: May 10, 2014
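    The shape of the final policy above (point 3 of the setup and the "deliberate hole" in the weakness section), written out as a registry-driven Software Restriction Policy: default Unrestricted, execution denied in user-writable folders, an Unrestricted exception for the user's TEMP folder so installers can still run, and a double-extension block inside that exception. This is an added example, not the thread author's configuration and not Sully's PGS code; XP Home has no secpol.msc, but the SRP engine reads the Safer keys all the same, which is what registry-based tools on XP Home rely on. The GUIDs are constructed placeholders (each rule only needs a unique one), the two %WINDIR% folders are illustrative and the full list of writable folders under Windows has to be enumerated on the actual machine (Sysinternals AccessChk does this), and LNK is left out of the executable-type list so desktop shortcuts keep working.

```batch
@echo off
rem Added example (not from the thread or from PGS): registry-driven SRP for XP Home.
rem Run from an Administrator prompt; log off and on for the rules to apply.
set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

rem --- Global settings ---
rem DefaultLevel 262144 (0x40000) = Unrestricted; 0 = Disallowed.
rem PolicyScope 0 applies the rules to every account, including the Power User
rem the setup runs as (1 would exempt members of local Administrators).
rem TransparentEnabled 1 checks all software files except DLLs (2 includes DLLs).
reg add "%SAFER%" /v DefaultLevel       /t REG_DWORD /d 262144 /f
reg add "%SAFER%" /v PolicyScope        /t REG_DWORD /d 0 /f
reg add "%SAFER%" /v TransparentEnabled /t REG_DWORD /d 1 /f
rem Default designated file types minus LNK (shortcuts would otherwise be blocked).
reg add "%SAFER%" /v ExecutableTypes /t REG_MULTI_SZ /d "ADE\0ADP\0BAS\0BAT\0CHM\0CMD\0COM\0CPL\0CRT\0EXE\0HLP\0HTA\0INF\0INS\0ISP\0MDB\0MDE\0MSC\0MSI\0MSP\0MST\0OCX\0PCD\0PIF\0REG\0SCR\0SHS\0URL\0VB\0WSC" /f

rem --- Disallowed (level 0) path rules: where a limited user can write ---
rem "%%" in a batch file becomes a literal "%", so the rule stores %USERPROFILE%
rem as an expandable string and applies to whichever user logs on.
call :deny "{00000001-0000-0000-0000-000000000001}" "%%USERPROFILE%%"     "Deny execute in user profile"
call :deny "{00000001-0000-0000-0000-000000000002}" "%%ALLUSERSPROFILE%%" "Deny execute in All Users profile"
rem Two of the commonly cited writable folders under Windows (illustrative, see lead-in).
call :deny "{00000001-0000-0000-0000-000000000003}" "%%WINDIR%%\Temp"     "Deny execute in Windows Temp"
call :deny "{00000001-0000-0000-0000-000000000004}" "%%WINDIR%%\Tasks"    "Deny execute in Tasks"

rem --- The deliberate hole: Unrestricted (262144) for the user's TEMP folder ---
rem SRP gives the more specific path precedence, so this overrides the profile-wide deny.
call :allow "{00000002-0000-0000-0000-000000000001}" "%%USERPROFILE%%\Local Settings\Temp" "Allow installers to run from TEMP"

rem --- Close the hole for double-extension names (the CryptoPrevent-style rules) ---
rem A wildcard file rule is more specific than the folder rule, so it wins inside TEMP.
call :deny "{00000001-0000-0000-0000-000000000005}" "%%USERPROFILE%%\Local Settings\Temp\*.pdf.exe" "Block .pdf.exe in TEMP"
call :deny "{00000001-0000-0000-0000-000000000006}" "%%USERPROFILE%%\Local Settings\Temp\*.doc.exe" "Block .doc.exe in TEMP"

echo Log off and on. Then copy %WINDIR%\system32\calc.exe to the Desktop and to TEMP:
echo the Desktop copy must be refused, the TEMP copy must start, and a TEMP copy
echo renamed invoice.pdf.exe must be refused again.
goto :eof

:deny
reg add "%SAFER%\0\Paths\%~1" /v ItemData    /t REG_EXPAND_SZ /d "%~2" /f
reg add "%SAFER%\0\Paths\%~1" /v SaferFlags  /t REG_DWORD     /d 0    /f
reg add "%SAFER%\0\Paths\%~1" /v Description /t REG_SZ        /d "%~3" /f
goto :eof

:allow
reg add "%SAFER%\262144\Paths\%~1" /v ItemData    /t REG_EXPAND_SZ /d "%~2" /f
reg add "%SAFER%\262144\Paths\%~1" /v SaferFlags  /t REG_DWORD     /d 0    /f
reg add "%SAFER%\262144\Paths\%~1" /v Description /t REG_SZ        /d "%~3" /f
goto :eof
```

    The three-way test at the end is the check worth keeping: it proves the deny rule, the TEMP exception and the double-extension override all resolve the way the precedence rules say they should, which is exactly the "good update" behaviour the final post describes testing for.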