Do You Use Only Windows' Built-in Security Tools?

In rethinking my security setup I've been surprised to find Windows already comes with an array of powerful security tools:

• AppLocker - Permits only whitelisted software to run
• LUA/UAC - Limits any damage to only current user
• DEP - Prevents running code from a non-executable memory region
• Windows Firewall in default-deny both in and out-bound
• BitLocker and/or EFS - Drive and User-level Encryption

I'm trying using only these tools with no third party software. I've messed around on the "darker" side of the web, downloading whatever I can find and so far AppLocker has stopped everything. Even if something did get past, the damage done would be very limited between DEP, UAC and the firewall.

While no setup is bulletproof, this setup seems remarkably secure with the obvious advantage of using no system resources as well as costing $0 and not requiring updates or being signature based. Does anybody have a setup like this or similar? Please post with your thoughts, I'm curious how secure a setup like this is in the scary real world.

 

I use a similar setup, except I also have installed Microsoft Security Essentials. Not sure is MSE is necessary, but it free, and as long as it doesn't cause any issues or slow things down I will leave it. I also configure my Linux boxes similarly, with the exception of MSE, and I have locked down the network pretty tightly as well.

 

CyberCat&Spiral123:


Guys,what OS are you using?

respect,
rat

 

Yes. I'm running XP/2003 so I don't have AppLocker, but I use SRP, similar effect. I turn off the Windows firewall, I have an IPCop box as a firewall. I do however have on demand-scanners to check out files I download and scan the C partition every couple of weeks just to be certain. Been doing this for a long time and have never had any problems.

 

They guy you are looking for is elapsed. He relies on MSE along with security features built into Windows 7 64-bit.

 

Yes!

AppLocker - YES!
LUA/UAC -both YES!
DEP - YES!
Windows Firewall - Unfortunately no, as I have NIS 2010 installed.
BitLocker and/or EFS - No, I found Encryption unnecessary for normal user .

OS: windows 7 Ultimate 32-bit.

So, AppLocker under LUA with UAC at highest level and DEP enabled to all programs. And NIS 2010..

And maybe some programs to make sure on demand once a week or something like this. (Malwarebytes, Hitman Pro)

 

AppLocker - NO!
LUA/UAC -both NO!
DEP - NO!
Windows Firewall - YES - this is a great firewall once configured properly
BitLocker and/or EFS - NO

windows 7 ultimate x86

 

The only thing I use outside the OS is Sanboxie and Macrium Reflect. And yes, I do consider Macrium part of my security suite, lol, you might call it the last bastion of defense

Sul.

 

Great idea, IF you trust Microsoft enough....which I don't.

 

I haven't tried Applocker yet. Does Applocker prevent all types of executables from running? or is it just exe's?

If not what do you have to prevent things like malicous scripts and dll's from running?

 

It has option to prevent scripts and dll's aswell.

Unfortunately I don't use dll ones

 

Hi Sul I have a question for u and others in here.

what software do you use to control outbound connections for programs running outside of the sandbox?

Or does the windows 7 firewall allow you to control each application individually?

 

I used to be that way. But, I have a legal copy, have nothing saved on my machine which is worthy of stealing other than some serial keys for software. So, I don't really have a reason to worry. I turn auto-update and error reporting, stuff like that off. I basically figure if there is something I can turn off from phoning back to the M$ Borg, fine. If not, I have nothing they really want anyway.

I have been sleeping at night since I stopped caring, so it must be working

Sul.

 

Sully, I am a total novice in the world of computer security, and your attitude rocks! Despite your (and others)detailed knowledge, you don't seem to worry much.
I find your posts to be very informative and practical...and funny.

 

As you elude to, the Sandboxie settings are strict in my case, so that only the absolutely essential are allowed network access.

I used to use Outpost firewall. Then I went searching for something else. I tried all the firewalls you are familiar with, and every obscure one I could find. Some had promise but nothing really seemed to fit what I desired, which was simplicity. Next I used the XP firewall for some time, but my router was just as good really. After that I moved on to using IPSec as a firewall.

Now, on windows 7, it does have a proper firewall. Somewhat of a twisted interface, but this is M$ so I did not expect something as polished as OA or Outpost. And yes, w7 allows application control in and out.

But, honestly, I stopped caring about it. I monitored everything in my computer for years. You know, nothing is going to happen that I don't allow. The software and OS are evil, they always want to phone home with my habits or my data. But, after many years of monitoring, it just became evident that not much was really happening. If I were a pirate, I would use one to stop software from phoning home for license checks. But with freeware or paid versions, I have nothing to block.

I did have a firewall installed on XP so that I could fire it up to see what a program was doing if I was curious. Maybe to see what ports it was opening to go to which address, etc.

I guess I am just to the point in my computing life, that AV, Firewall, HIPS, etc etc just don't make sense to me anymore in normal usage. I use the same programs. I do the same thing. My browsers are confined. I have images for restoring easily. My critical data is properly managed for redundancy. New software is trialed in SBIE or vmWare prior to being accepted into the general hive of my borg. Most of what I do is break the OS and software anyway, so a restore is only hours/days/weeks away, then back to a known state.

So, I don't worry about viruses or malware or software that wants to phone home. I manage somehow to stay squeeky clean. Occassionaly if I have not restored my image for lets say a month or two, I will run MBAM and such tools, just to see. But it never finds anything other than a tracking cookie. Spybot and Adaware were the same way. On my machine, I never really got to use them because there was nothing there.

Call it luck or destiny or whatever, but since I have been running this way, I have been no more or no less infested with problems, and honestly other than not baby sitting security tools not much has changed.

Sul.

 

Thanks for the compliment.

Well, it is probably only because I want to understand lower level things that I feel comfortable not using much protection. I understand how to safeguard what needs it, and how to repair/recover if needed. It allows me great freedom.

If I were not so schooled in the fine arts of OS bowels, I would probably still be using security tools. I hope that when I speak, people understand that I am saying "you CAN" not "YOU should". But yes, my worrying days are done. Being a good soldier and standing guard at the door for years without seeing much action has led me to believe that for myself, something is working right so I don't have to be on guard so much. Maybe it is like having Obi Wan sitting at my gateway mind tricking the remnant into going the other way. Or maybe it is that I spray painted on the side of my gateway "for a good time call 192.168.1.199" LOL.

But, I know lots and lots of people who just use thier computer casually who always seem to get infected. I honestly don't understand how they can do this, but they do. So I have cleaned up many a mess, but usually wish I could reformat thier system and make it all shiny new again.

Sul.

 

you say that w7 does have application control and that you would also use another firewall if you were a pirate.

This indicates to me that the w7 firewall isn't very good at blocking outbound connections? I wonder how many microsoft programs that it would allow to phone home?

 

Not really. What it indicates is that M$ firewalls are rather spartan in thier UI. I don't believe there is anything wrong with XP firewall nor Vista/7 firewall. But they are not exactly "user friendly". 3rd party firewalls may use more resources, and include everything but the kitchen sink, but they are built to be firewalls and have much more thought in how a user interacts with them. M$ firewalls feel more like "we should put one in, but we have more important things to do than firewalls". See?

Sul.

 

I'm like Sully, I don't worry anymore.

Ever since I decided to practice "create, enable and configure" vs "download, install and update", I've become much more secure.