A challenge: Secure a PC without any external application

Okay, so i know you guys run a shipload of programs to guard your computer, but how would you secure a computer if you were not allowed to use any external third party program that comes with a standard install of say Windows ME/XP/2000 whatever. The computer will be a stand alone connected directly to the NET 24/7 on a broadband connection.

Yes this means no antivirus,no firewalls, not even if it's a freeware product.

Allowed

Setting up Host files
Using IE spyad to put restricted sites into the restricted zone.
Using cookie managment function intergreted into browser.
Running patches
disenable services


Not allowed
Installing firewall
Paying for antivirus filtering in email.
Using Mozilla

I've being working under such constrains (long story) and I've found you can do a lot surprisingly ....and still keep functionality.

Anyone up to the challenge?

 

Yeah, very good points. I have done all of that, including disenabing WSH and Mediaplayer scripts.

BTW Why is it listening on TCP 135?

I've found a nice trick in Win2k which has a built in port filter via Ipsec settings (allowing inbound and outbound tcp/udp/icmp blocks by ip), altough following the instructions on one website, I managed to close down almost all listening ports by default.

I've also read about all the tips about secure passwords, renaming the admin account and creating a default admin account with no previlages etc, in your opinion is this even useful on a computer that will be used solely by one person?

I'm actually handing 2 "cases"

One is a fairly inexperienced user, who recently shut down the computer because of
messager spam warning about insecure computers

On the plus side he uses only webemail, so securing outlook isnt necessary. Other than that he does basic web browsing but nothing else fancy or particularly risky. (No Peer to peer, no Instant messaging,no irc).

The other user is a holy terror, running ICQ 24/7,irc, emule etc. Naturally his competency level is much higher, except that he thinks computer security is a joke.

I could probably get them to run a antivirus, but definitely not a firewall. The second user, would probably undo much of my changes anyway, if he found his stuff not working.

 

It can be done pretty easily. I have surfed the 'net for months on end with no third party apps in complete safety -- but that's me. There are things to learn and you have listed most of those. I will say that in today's environment if you have IE/OE simply *installed* on your machine and you operate without an effective and updated AV, you are just plain stupid. Still, you could operate without one if the mass of goo between the chair and keyboard was properly trained and controlled. A couple of comments:

Win9x -- kill netBIOS dead

W2k -- there are issues with services and open ports. Learn what those are and close/disable them plus use the built-in filtering

XP -- same as W2k except turn on the included firewall for added safety

I could sit here and type for an hour on all the little tweaks and tips that should be followed but it appears you have done your homework. So I will throw the challenge back at you -- make sure you have them all covered!

In *every* case, the hardest to configure is also the hardest to control -- that mass of goo. In that light, I will provide one link.

http://www.claymania.com/safe-hex.html

Phil

 

LWM and Phil,

Excellent posts!

I thought I would weigh in on the ability without third-party apps to maintain some privacy on the desktop....

One thing you can't do, obviously, is "wash" deleted items. But, there are some things you can do:

1. You can designate a sub, sub, sub folder for sensitive items. Just a holding place really. A place to put items to - rename.

2. Then, you go through that folder before shutdown and DivorcePlans.doc becomes FootballPicks.doc (or something related to your interest that wouldn't raise eyebrows). If it's really sensitive like Bank Robbery Plans.doc (just kidding - but you get the idea) change not only the name but change the extension so it becomes "blue5.gif" and drag it to the "Temporary Internet Files."

3. Then delete.

4. Again, depending on sensitivity level - maybe the info shouldn't be there in the document in first place. Before you delete the file, go in and empty the contents of the file - or better yet - make nonsense of it and then delete.

5. Remember, this is all hypothetical having no access to 3rd party apps.

6. A sensitive photo can be opened with notepad where you see nothing but gobbledygook. Scramble it. Mess around with the all the characters in the file - select all, empty the file, rename it - and then delete the file.

There are other things obviously, but if stuck with nothing - those are some simple things you can do to maintain some privacy with documents, pix, etc.

Kind of an interesting topic to think about JayK!

John
Luv2BSecure

 

Howdy all

I found this very interesting indeed...how to make surfing as secure as possible, without any extra apps...

Very good Phil, I would install NetBeui too....

Anyone knows regwizard, how to disable it on run field...:

disable: regsvr32.exe -u c:\windows\system\regwizc.dll
able: regsvr32.exe -c c:\windows\system\regwizc.dll

Except those browser configurations,disabling active x, java, java scripts, cookies etc etc, these might help little too. And ....one of you already mentioned that the less apps running the more secure your puter is.

*Ari*

 

And the best, not the last : Make registry and file backups to restore everytime you log off the net .

John, the mantra, hehee "Backups, backups.."

*Ari*

 

Most interesting topic......very nice comments...

can an os be harden.....sure....definitely ! I prefer the use of the registry.......w2k seems the best for securing ports...never tryed XP.......

on a win95 for a period of five years with a computer used solely by two youngsters....no firewall...no anti-anything =no problems. The one fault was in their use of cookies.....found 347 tracking/profiling cookies.....this could easily have been avoided. Otherwise...no viruses..no trogans...no Bots
it does not seem often spoke of but IE does have a sandbox.....an yes it does work....perhaps not as well as the more costly programs...but does work. that sandbox and Zones used together helps greatly.
A SCRIPT DETECTOR works wonders using the proper scripts.....the win95 mentioned did not even have that installed....no third party software was installed on it.
Today that same win95 has numerous third party programs....an is still working like the new was purchased.
Making as much of the os as possible "disappear" can't hurt either.
No I would not suggest not using a firewall....but its done by millions.....an while there is alot of hype about using anti-virus software......lets not forget that anti-virus programs are after-the-fact.....while a mere script detector is before-the-fact (bet I get comments on that)

just my six pence==P.S. I use firewall/anti-virus&trogan and tons of other such programs

 

HI!

I appreciated this topic. Those who can do a smart configuration of their system are blessed. They won't have to load all kind of softs . Knowing the register is also a good thing for you can disable keys that cause problems. Im not there yet! Uguel