Approaches to security - do you have one to share?

Discussion in 'other security issues & news' started by Sully, Apr 14, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This thread has no real importance, it is just a place for me to put my thoughts onto digital paper ;)

    Recently my wife showed me a screen on a sandboxed firefox, on Vista Ultimate 32, with UAC on and using LUA not SUA - where the page being displayed was BestAntiVirus2011 scam. The page displayed the typical scan results, waiting for you to be duped into downloading and installing the thing. I believe this is the lizamoon thing, but am not sure. She stopped and I closed it and deleted the sandbox. This is the first time she has ever seen such a thing (I have warned her what to look for) and of course she clicked the first prompt that came up to get the ball rolling. She was looking for pictures on google for my daughter's homework.

    The next day when I came into work, a fellow worker bee told me he had a strange page that opened up, describing to me exactly what my wife's computer had (and oddly enough was also looking for some pictures on google). I opened the default browser (kmeleon) and sure enough, it loaded straight away to that same scam. This computer (xp pro) does have sandboxie, but due to some things he has to do I had taken that browser out of the sandbox. That box was running as Admin but I had used SRP to start kmeleon as a Basic User and further I had kmeleon downloading all files to a downloads directory that was both set to Basic User with SRP and forced into a sandbox that allowed no outbound network access. After deleting the cache and all the current items in the downloads directory, I went ahead and ran mbam on it, with no findings. That computer also runs Avira, but it found nothing either.

    Now in both these cases, nothing happened basically because of me telling both users over and over for the past few years what to do and not do, what to expect and not expect. They were both restricted in different manners, and since the payload was never brought to the machine and executed, I don't know what would have happened.

    But it did get me thinking about the different approaches I had implemented. Specifically, how the layers come into play in such a situation and how the user experiences the security in place.

    For my wife, who is not savvy at all, she dislikes sandboxie because she doesn't take the time to learn where her stuff is going. I really HATE how Vista lays out its directories. She is always losing where she put stuff, because the public directories are always popping up in places rather than her profile directories. I modified her directories to point to her shares on the NAS box, and set sandboxie up the best I could for her, but she somehow manages to lose things o_O

    The guy at work accepts sandboxie because he has to listen to me and follow my protocols. In 5 years of being online there everyday, there has never been an instance of issue. Actually all of the people there do pretty well at following directions in that regard.

    So I got to thinking, maybe I should modify how I have been approaching this. Not because what I have does not work, but because as time goes by, I see more and more the distinct line between those who know, and those who don't. Between those who take the time to know, and those who would rather spend time doing something else.

    So I ask for your personal flavors, your likes and dislikes. Not to follow them to the letter, but to see how your bents and twists work, so that I can maybe glean some new ideas.

    I have set it up in 2 ways now for initial testing.

    1. On the XP machine I modified the user account to user only, modified registry autostart and startup directories to be owned by admins, made sure to change all files not in user profile to being owned by admins, and modified the GPO object so that admins are the default owner of newly created items. I then installed Chrome and Opera, both being installed to user profile. I set sandboxie up so that there is only one large sandbox for all programs to run in, and set some recovery options. There is one lone sandbox devoted to the downloads directory as well. The thought is that by forcing all known programs into sandboxie, the user can install plugins and all that stuff and use them without an issue, yet it is all easily deleted.

    2. On my wife's machine I am going to install either win7 or XP. I have to come up with some compromise for her with saving/recovery. I think I will make this machine User or SUA (no admin tokens at all). This machine does do online transactions, so I will install 2 browsers as well, but one will be installed into program files.

    Neither machine will use SuRun or UAC without credentials, which will force them to input credentials and maybe know what is happening, although I am sure I will hear about that ;) Both machines will have browsers set to not ask on downloading, so all downloads go to one common location.

    The problem here is that while I can do things my way and be a happy little elf, it just does not work for others. They want to install things from time to time (for example iTunes), and I am really debating how I want to keep them protected without having to be called over to input an admin password to install something (or whatever might be needed that requires admin).

    So what of it? Yes, we know a limited user account is best, but it is not always the best solution without the aid of SuRun or similar technology, yet using SuRun and remembering the password accomplishes what exactly if they use it wrongly?

    Have any comments or ideas? Nothing is wrong, as this is only a brain storming thing. Even the most basic or most obscure idea can hold a gem in the rough, or can cause a line of thought that produces a gem. At least that's how I like to look at it :)

    It's one of those things that when you lock it down, it can cause you headache, and if you don't lock it down, the user's lack of infos can cause you headache.

    Sul.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Sul,

    Well, I keep things pretty simple, but I'll share...

    I'll start with the lizamoon exploit you've encountered:

    This is an SQL injection that redirects the user to a lizamoon domain.

    Lizamoon – Mass Injection
    http://blog.escanav.com/2011/03/31/lizamoon/
    Using Opera with scripting white listed per site, scripting will not be enabled when using Google, so I would not get the redirect.
    End of exploit.

    Continuing with Opera: I keep plugins disabled so that embedded PDF or SWF files will not automatically load.

    Let's look at a current exploit (link posted by siljaline in another thread):

    Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation
    http://blogs.technet.com/b/mmpc/arc...-flash-player-vulnerability-exploitation.aspx

    Well, with the plugin disabled, the Flash Player will not load the malicious SWF file.
    End of exploit.

    This also protects against the auto-loading of a malicious PDF file, in which case the browser will display a Prompt box. If I encounter that while surfing, I know that something is amiss, and I would close the browser window.
    End of exploit.

    Proper configuration of the browser stops many of today's exploits at the gate. My configuration includes prompting for download of *all* file types. Granted, the plugin makes it convenient to auto-load files into the browser window. But it's not really that much more involved to click "Open" from a Prompt window when wanting to read files on a web site.

    One thing to remember: you aren't really reading a file on a web site. The file is first cached to disk, then opened either in the browser window by means of a plugin, or in the default application when prompted.

    Continuing from the above Adobe exploit:

    Well, my own anti-execution protection will intercept the binary (executable file) once dumped onto disk.
    End of exploit.

    That security prevents any remote code execution exploit which uses an executable, whether triggered from a file, the internet, or USB.

    A firewall takes care of the stuff that attempts to exploit an open port (e.g. Conficker.A via ports 445, 139).

    The only other product I use is reboot-to-restore, which is more for maintenance than security. You know, I'm in the process of "retiring" my Win2K desktop system. My last re-install was in 2005 for a new motherboard. It's run clean all of that time because each reboot restores to a previous good session (removes all temp junk, Registry MRUs, etc)

    All of the above is really secondary in the "approach to security," the primary one being "policies and procedures," to borrow from Lucy's signature.

    For example, again from the Adobe exploit analysis:

    Need any more be said!

    Policies and procedures take care of the social engineering attack vector.

    Security products take care of the remote code execution attack vectors.

    There is not much else...

    Naturally, one keeps software patched. But that's not much help when there are exploits in the wild pending the arrival of a patch. Two examples:

    • The above Adobe vulnerability won't be patched until Friday/15th

      Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat
      http://www.adobe.com/support/security/advisories/apsa11-02.html
    • Prior to Patch Tuesday, numerous vulnerabilities against Internet Explorer were actively exploited in the Wild:


      April 2011 Microsoft Black Tuesday Summary
      http://isc.sans.edu/diary/April 2011 Microsoft Black Tuesday Summary/10693

    In conclusion: My approach to security is to watch the exploits. If I find one that can get by my security in place, then I'll take appropriate action.


    regards,

    -rich
     
    Last edited by a moderator: Apr 14, 2011
  3. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Hi Sul, thx for the sandboxie advice btw, it works like a charm :D

    Back to OP

    I don't have a deep knowledge of security,
    but I do have a little sister who likes to install everything she finds on the net.
    She tried 5 or 6 internet browsers, itunes, chat apps, etc etc....
    And never uninstalls them.
    She is not a safe surfer either (you won't believe how many cooking and baking tips and tricks websites are infected by malware)
    And sometimes online banking is used

    Sandboxie and SUA is out of the question

    So what I do is :
    1. Teach her to close any fake virus alert on any websites
    2. Install MSE and Malwarebytes real time with website filter on
    3. Firefox with ABP (malware domain list) and keyscrambler free
    4. EMET at max on win 7 32bit
    5. Spending time once or twice a year to restore backup or reinstall windows for her.

    It's a very prehistoric approach, but it works for me.
    I don't have time to always be her admin. And yet it's been 2 years since the last time she complained about anything. (I don't count a fake anti virus alert pop up on firefox, which she closed immediately)
     
    Last edited: Apr 14, 2011
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Being secure could mean installing 20 programs, or only 1, or none. The more geek you have flowing, the more you enjoy software, so 20 programs might be what turns the crank of some people. Regarding WSF, I wonder if people forget sometimes that most of those who frequent here are either enthusiasts (of whatever genre, there are many) who like to talk geek and experiment, or they are hoping to glean some infos from the said geeks. The internet is full of infos, and false infos. You can go to thousands of places to get either. I like it here because of the amount of infos available, the willingness of others to share their views (right or wrong) and in general a bunch of folks who are enjoyable to converse with. Maybe you don't see it the same, but that's cool, everyone has an opinion after all.

    Getting old school or back to basics isn't all that bad, but I don't believe most can do it. The world has changed and is not going to revert short of a cataclysmic meltdown. If you are one of those who can revert, I think that is great. Life certainly would be much more simple, but for me, I enjoy the technology.

    But the purpose of this thread is not to say what is too much or too little, what is right or what is wrong, what is stupid or what is smart. It is to simply share some ideas and approaches, specifically dealing with how one might provide ample security on both sides of the thin line, with the hopes that (specifically) I can devise a better strategy that is not too complicated but is secure for those who have a hard time speaking geek.

    Sul.
     
  5. wat0114

    wat0114 Guest

    My security setup is here for x64 machines and on one XP pro machine my son uses, the setup is lua+srp+Sandboxie paid, forcing Internet-facing apps sandboxed and restrictions to network for those ones only.

    My approach for some time now is to simply utilize as much as possible what is already built-in to the O/S. Sandboxie is one 3rd party app, however, that I utilize on the kid's machine to, so far, tremendous effect. RMUS mentions the effectiveness of browser configuration to minimize exploits, and I have done that with NS in FF, pretty much set up near perfect to my liking :) As for EMET, it is MS designed so it integrates seamlessly into the O/S anyway, not imposing the potential issues so many 3rd party security apps are apt to do.
     
  6. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Hello Sul,

    You always have good posts.

    It's a bigger headache not to lock it down.

    Since I've implemented LUA, SuRun, SRP and other policies, my infection calls from users have gone from several a day down to a flat zero.

    I'll gladly take a call from a user to install a printer or other authorized software.

    It looks like you've already got all the right tools in your black bag, but sometimes the tool has to fit the user I guess. ;)
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    How do you find, or handle, instances where your family (or novice user in general) needs/wants to do something that requires admin rights? That is the crux of the problem. I don't nor can I spend the time (at work) to come running when a user wants to install something - I don't want to be the admin god ;) How do you handle the balance of allowing them root when needed (SuRun or RunAs)?

    I wish there were a way for sandboxie to elevate to admin within its confines, that way you could run as user in the real environment, and an admin with the sandbox. Sadly though, it does not.

    I am trying to figure out the best way to compromise the best security without giving a novice user root. Since this is not a corporation, I have to give some flexibility to the users to update flash without me approving it or doing it for them. Of course in the case of my wife, at times she is the CEO so my rules get over-ridden ;)

    After playing with RunAs and SuRun, it leaves me with still disliking LUA only because the sandbox doesn't work like I want it to. I want to use sandboxie because it is so easy to clean up and start over. I don't like the prospect of a user having root and borking their profile. I don't worry that the system itself would stay protected with LUA, as it would, but only that user profile gets borked and I really don't have time nor desire to go cleaning it out, nor does the user relish the idea of having to configure a new user account if I deleted their old borked one.

    Now I know there is no perfect solution here, I must give something up somewhere. My latest thought was to use Shadow Defender in conjunction with Admin account and SRP/Basic User and Sandboxie. This would allow the user to be admin, thus start anything within the sandbox as normal, and also use SRP to start key programs restricted as an extra measure of insurance. The sandbox could be the playground then that the user could install flash into, and just keep using it indefinitely until there arose a problem, at which time the sandbox could be deleted and they start over. Shadow Defender could have exclusions for the desktop to keep icons etc, for the sandbox directory so the sandbox never changes, and for a few other choice directories that might need it. This would then provide the system with very good protection as a simple reboot would rid anything that the user (because they have root) might have done.

    The main thing here is not which is the most secure, but which is the most secure while at the same time allowing the user to do their thing without me having to manage things much. It is a whole different matter for what I do myself or what I set up for a knowledgeable user.

    Sul.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thanks for the compliment :)

    I agree with you, LUA is in general the way to fly for the novice. I have no issues with it really, if it fits the situation. For those who might be prone to get things borked, it is exactly as you say, and works well. I have set many people up like that.

    This issue is a little different, as the users actually do listen to most of what I tell them. They are capable of installing a new program, and generally ask me if they can and what one would be the best choice. So they are learned enough to make wise decisions, but not learned enough to avoid all the pitfalls. This latest one, BestAntiVirus2011 first puts up a prompt that looks like a system prompt, something like "you might have issues, click ok to fix them" or something like that. I would never fall for it, but they did because it looked legitimate. The next phase where the webpage shows them the fake scan results and tells them they are infected and need to fix it by downloading something, I had prepared them for such a scenario, so they left it for me to handle because they did not know what to do.

    So, I have begun to rethink how I have them setup. I trust them as much as their level of knowledge allows me to, and now I am seeking to take away what remains. Since they are capable of doing a lot of things themselves, I hate to clamp down on them with a very strict LUA. Yet I cannot trust them enough with root because they might make a bonehead mistake, not their fault but could happen.

    It is tricky to be sure. I wonder if it weren't better that they were true novices and knew nothing, then they would not feel the bite of being so restricted.

    Thanks everyone for the replies so far. I enjoy hearing the different perspectives.

    Sul.
     
  9. wat0114

    wat0114 Guest

    It's pretty rare when they do need admin rights, and my kids aren't computer-savvy enough to be using SuRun and installing stuff. Sometimes my son wants to play those on-line games, such as Battlefield Heroes, that need a plug-in to function properly. If I deem the game to be safe, then I'll log in as admin and install it for him. It's never been a problem yet.

    At your work I don't know what your policy is, but I would think most of the employees should not even be allowed to install things, such as is the case where I work, so running to people's aid on frequent occasion would not even factor in the equation if this was the case. Of course admin rights need to be authorized for at least those who are both capable technically, responsible with it, and of course authorized as part of their job description, so if the ratio of admin-authorized employees to non-admin employees fits the work load, then that should probably suffice, I would think, but I'm no expert at all in this field, so I'm only guessing :)
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes that is the case with most of them. A couple long term employees are trusted enough and just savvy enough that I do trust them to do things like flash updates (and other things that are just strange, but still productive), which is why those 2 computers are admin mode. The others use LUA, but do use SuRun, so if I give them root for any reason they may as well be admin.

    It is not the ideal situation from an admin's perspective, but it is how it exists. I must trust them to a degree or I have to do it for them, and with the economy the way it is I am already filling in more roles than normal, so I simply don't have the time I used to for simple situations which they should be able to handle.

    It just so happens that my issue at home with my wife is very similar. She likes to do things herself to learn, but only wants to learn just a wee bit, not enough for me to really teach her what is going on. A frustrating predicament, but at least she has a desire to learn and is not just clicking buttons and waiting for me to fix the issues. Still, I would like to turbo-charge the process if I could ;)

    Sul.
     
  11. wat0114

    wat0114 Guest

    My kids think that the admin stuff I do is "nerdy" so they aren't really interested in learning too much themselves :D They'd rather just watch their youtube or play games. Typical kid's stuff I guess. My daughter, being in junior high, is using the pc for a fair bit of homework assignments as well. She's already schooling me on how to use Power Point and other MS Office apps effectively :p
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Regarding the work, I think it's pretty simple: Unless some are people you can trust with a few decisions, grant no admin permissions. Period.

    Regarding your wife... you did mention she dislikes Sandboxie... Where have I heard that before o_O :rolleyes: ... Yeah, some relatives... so, I think the best solution would be to find a compromise between security, usability and convenience.

    I'm setting some security to a relative. The operating system is Windows 7 Ultimate x86.
    This machine will also be used for accessing the bank's account. That means two web browsers, being that IE9 will be used for accessing the bank's website. The other one will be Chromium (I find it very stable for nightly builds... and even the so-called software final version have bugs... so...).

    Chromium is set with a low integrity level and forced to save downloaded files to a folder w/o execution rights. Trick 1806 is in place as well, so it kills drive-by downloads.

    There's an additional Chromium profile to watch Youtube videos. This profile only allows Plugins (Flash Player) and JavaScript to youtube.com.

    Both profiles run with the command switch --safe-plugins and --enable-click-to-play.

    I've added Chromium under Microsoft EMET protection.

    Chromium is to be used in a standard user account dedicated only for general web browsing.

    Adobe Reader's plugin is disabled in Chromium. Whenever my relative needs to open a PDF file, from "within" the web browser, it first will be downloaded to the downloads folder w/o execution rights, and then it's possible to open the PDF file from within the browser itself.

    It's Adobe Reader X, so it already provides a sandbox of its own. It's also under EMET's protection.

    To protect against phishing/fraudulent websites, there's Google Safebrowsing and AVG LinkScanner Safe-Search Search-Shield (I don't know why AVG is calling it Safe-Search! :D). I'm waiting to see if BitDefender solves a conflict between LinkScanner and TrafficLight Chrome extension. If they do, then I'll also add it.

    Ads are also being blocked via HOSTS file. I considered adding AdBlock Plus, but it uses ~30,000 KB sometimes, and my relative doesn't have a machine on steroids, so the HOSTS file is the best alternative. Once BitDefender brings TrafficLight out of beta, I may try the full installer, which also blocks ads. Ads are a source for malware infections as well, so that's one less problem!

    Outside of web browsing, I've applied a low integrity level to VLC Media Player. Also added it under EMET's protection.

    Heck, for now that is all I can think of! :argh: ... Ah! I also switched DNS servers to ClearCloud DNS. There are no differences between that and the ISP's own DNS service, that I could notice for the last days, so... I'll keep an eye on it. It provides an additional layer, so most likely I will keep it.
     
    Last edited: Apr 14, 2011
  13. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    This is interesting because I face this situation everyday as well.

    Using admin user accounts, I have professional users, engineers, MBAs, who, believe it or not, are the most troublesome. And I think it boils down to their attitude regarding computers and the Internet. They're overly-confident when it comes to email and Internet security, it's almost like they're on a bicycle that's on a tightrope with a balance bar, only they're not very good at it, they just think they are. Sooner or later these users always fall off. Users like these need to develop a healthy fear of the Internet and any email they come across. They're intelligent, they just need to change their attitude and become more self-aware of their habits.

    I usually send out emails every few months reminding every user of the dangers of driving their car on thin ice. Usually there's no warning when you're about to fall through and once you've fallen through, the longer you're connected to the Internet, the more susceptible you are to hypothermia.
     
  14. wat0114

    wat0114 Guest

    Something interesting I've noticed in this thread is most of us are employing some security measures that are beyond the technical scope of the majority of typical everyday pc users, such as setting integrity levels, registry tweaks, EMET, configuring the browser, using AppLocker and SRP, for example. We seem to, not surprisingly, think a bit "outside the box" :)
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Precisely. If we deploy certain stuff we the geeks are aware of to other people's systems, who have no idea about them, but deploy it in a way that it will be set and forget, they won't struggle with it, and will actually be a lot safer.

    Take the integrity levels example. I know none of my relatives know about them, even less how to set them and what to set them with! :D But, if I do it myself, and it's set and forget... no issues.

    For example, VLC Media Player needs to create/access a folder that it creates in AppData folder, so it's needed to add a low integrity level to this folder as well. Once that's done, for people like my relatives, the experience will be the same - They're still able to play music and videos, without problems! End goal achieved. :cool:

    Regarding the 1806 trick, it's simple. One registry file to enable and one to disable, when needed. Properly named, no confusion. If we tell people the additional security they'll have with this trick in place, and how easy it actually is to operate with it, what confusion can it bring? :p

    If we apply this type of protection, in a set and forget way, then we only need to care for two types of threats - social engineering and fraudulent web sites.

    Regarding fraudulent web sites, the web browser's protection (SmartScreen Filtering, Google Safebrowsing) already provides a decent level of protection. 100% perfect? Not at all. So, why not couple that with something like AVG LinkScanner Search-Shield, BitDefender TrafficLight... perhaps also WOT. Whatever we personally prefer... :D

    Would there be something better than this approach/similar approach, that wouldn't freak out people just like some of my relatives, and perhaps some of yours? :shifty: If they can't handle this... what the heck can they handle? lol
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It seems like you guys get what I am contemplating. There is sometimes a much finer line between what can be used and what can't than I give credit to. I sympathize with less geekish users who just want to do what they want to do and move on, because the reality is if you want to have some "authority", you have to achieve a certain level to really stay safe. Being ignorant has its merits I suppose -- you do what you are told to and maybe don't even question why.

    I often have to remind myself that while I think Sandboxie is an extremely easy concept to understand, many barely grasp what a directory is, let alone a file type. But then I barely grasp how to glaze a ham :D while my wife can do that and 10 other things at the same time. Maybe if it had a transistor in it or a trigger.. :cautious:

    Sul.
     
  17. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I don't know if this setup would add security but..

    I have "Do not process the legacy run list" and "Do not process run once list" enabled in GPEDIT.msc


    right now I have this RPG icon in my taskbar so I call it RPG setup :)
    1. Returnil
    2. Privoxy
    3. Geswall

    they are the only apps I've tried so far that work properly with the gpo settings above. (aside from prevx)

    Even MSE failed to run on startup when I enabled the settings.
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    What exactly is the 1806 trick? And how do you accomplish it?

    TIA

    I searched the forum & found lots of hits, but couldn't find the answer :(
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It really isn't a trick. I will tell all ;)

    On NTFS systems, a file may have what is called an ADS or Alternate Data Stream. You can think of it as an attachment of sorts. The attachment could be a text object, something similar to an .ini file, or even it may have an executable.

    When IE or Windows Explorer copies something from somewhere else, it can (unless you disable it) attach to the file an ADS. This ADS indicates where the file came from, or what zone. Internet, Intranet, Trusted or NotTrusted. It is indicated in the ADS.

    The 1806 setting in the registry tells the OS what to do when you execute a file with an ADS. If the ADS says it is from the Internet, and the 1806 value is set in the Internet Zone (registry keys are per zone, so you have 1806 for Internet, Intranet, etc), then the OS will do one of 4 things, depending on what value 1806 is at.

    1. do nothing and allow execution
    2. tell user the file came from one of the zones (whichever it is) and that it could be bad - then the user has to say OK I want to do this
    3. deny the execution and tell the user it was denied
    4. silently deny the execution

    If you are using the 1806 setting to deny, then in order to execute the file (even if you move it) you have to right click on the file, go to its properties, and there is a place where you can "unblock" the execution. In reality all this does is to create a very complex registry key that points to that file and overrides the block setting. You can accomplish the same thing though by modifying the ADS, but I digress :)

    Explorer and Chromium seem to process them the same way, but Firefox and Opera handle the creation of the ADS a little differently, but the end result is still the same - more or less (not technically, but again, I digress).

    HTH.

    Sul.
     
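    Here is a small script that shows the mechanism Sully describes: it reads the Zone.Identifier stream off each file in Downloads, looks up the 1806 value in the matching per-zone key, and reports what the shell should do. This is an added example, not code from Sully or anyone else in the thread. It assumes PowerShell 3.0 or later (for -Stream), files on an NTFS volume, and the documented 1806 values 0 = enable, 1 = prompt, 3 = disable.

```powershell
# Added example, not part of Sully's post: read a file's Zone.Identifier stream
# and say what the 1806 value of the matching zone tells the shell to do.
# Assumes PowerShell 3.0 or later (for -Stream) and files on an NTFS volume.

# Zone IDs as written into the stream: [ZoneTransfer] / ZoneId=<n>
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Documented values of URL action 1806 (launching applications and unsafe files):
# 0 = enable, 1 = prompt, 3 = disable.
$ActionNames = @{ 0 = 'run without asking'; 1 = 'prompt the user'; 3 = 'block the launch' }

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no stream: created locally, copied from FAT, or already unblocked
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Get-Zone1806 {
    param([Parameter(Mandatory)][int]$ZoneId)
    # Per-user zone settings; each zone is its own subkey, so 1806 exists once per zone.
    $key  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
    $item = Get-ItemProperty -Path $key -Name 1806 -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'1806'
}

function Test-DownloadedFile {
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-ZoneId -Path $Path
    if ($null -eq $zone) {
        $value    = $null
        $zoneText = '-'
        $expected = 'no Zone.Identifier, treated like any local file'
    } else {
        $value    = Get-Zone1806 -ZoneId $zone
        $zoneText = "$zone ($($ZoneNames[$zone]))"
        if ($null -eq $value) {
            $expected = 'zone key has no 1806 value, built-in default applies'
        } elseif ($ActionNames.ContainsKey($value)) {
            $expected = $ActionNames[$value]
        } else {
            $expected = "unrecognised 1806 value $value"
        }
    }
    [pscustomobject]@{ File = Split-Path $Path -Leaf; Zone = $zoneText; Value1806 = $value; Expected = $expected }
}

# Usage: inspect everything in the Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Test-DownloadedFile -Path $_.FullName } |
    Format-Table -AutoSize

# Unblock-File is documented to remove the Zone.Identifier stream, after which
# the file runs regardless of 1806 (compare the Properties > Unblock button):
# Unblock-File -LiteralPath "$env:USERPROFILE\Downloads\setup.exe"
```

    Run it after downloading something with IE, Chrome and Firefox in turn and you can see for yourself which browsers write the stream. Note that the stream only survives on NTFS; copying the file to a FAT-formatted USB stick and back silently drops it.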
  20. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Lots of legitimate apps fail to run at startup when I enable "Do not process the legacy run list" and "Do not process the run once list" in GPEDIT.msc.

    Does that mean malware that requires a reboot to execute will break as well? :)

    Or is this setting useless? :D
     
  21. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I'm "PC support" for most of my family and some of my friends. For my help, they need to have the following simple, universal setup.

    1. Windows Vista or 7
    2. SUA (but they have the admin password)
    3. SRP (execution from Program Files / Windows directory only)
    4. MSE
    5. Windows firewall (no outbound restrictions)
    6. Sandboxed Browser (direct access to profile and download directory, auto delete on exit)
    7. Automatic Windows Updates
    8. Disabled Autorun
    9. NAT Router / WPA2 / Norton DNS
    Users are solely responsible for backing up their personal files. They can install any software they like, although they're advised to install the bare minimum. I use remote access where possible to investigate any problems.

    If something is badly wrong with the system, they all have an image of their system's starting position on DVD and some instructions. I will never try to fix a malware problem.

    My aim is to guard against the most common malware problems using a simple, universal setup that while not bullet proof, is "good enough" and suitable for all non-technical users.
     
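    To check that item 3 in a setup like this actually came out as intended (default Disallowed, with Unrestricted rules only for the Windows and Program Files directories), here is an audit script. It is an added example, not sbseven's own configuration, and it reads the registry layout that the Local Security Policy snap-in writes for Software Restriction Policies; the value and subkey names are the documented Safer ones. Run it from an elevated shell so HKLM is readable.

```powershell
# Added example, not sbseven's own configuration: audit the Software Restriction
# Policy written by the Local Security Policy snap-in and compare it with
# "default Disallowed, Unrestricted only under Program Files and Windows".
# Uses the documented Safer registry layout; run in an elevated shell.

$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# The default path rules the snap-in creates (registry-path form) plus the plain
# environment-variable forms people type in by hand.
$OsAndProgramDirs = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%',
    '%SystemRoot%', '%ProgramFiles%', '%ProgramFiles(x86)%'
)

function Get-SrpPolicy {
    if (-not (Test-Path $Safer)) { throw "No SRP policy defined ($Safer missing)" }
    $root  = Get-ItemProperty -Path $Safer
    $level = 'Unrestricted'      # what applies when DefaultLevel was never written
    if ($null -ne $root.DefaultLevel) { $level = $Levels[[int]$root.DefaultLevel] }
    [pscustomobject]@{
        DefaultLevel    = $level
        EnforceDlls     = ([int]$root.TransparentEnabled -eq 2)   # 1 = skip DLLs, 2 = all software files
        AppliesToAdmins = ([int]$root.PolicyScope -eq 0)           # 1 = local administrators exempt
    }
}

function Get-SrpPathRule {
    foreach ($code in $Levels.Keys) {
        $pathKey = Join-Path $Safer "$code\Paths"
        if (-not (Test-Path $pathKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $Levels[$code]; Path = $p.ItemData; Description = $p.Description }
        }
    }
}

function Test-SrpWhitelist {
    $policy   = Get-SrpPolicy
    $findings = @()
    if ($policy.DefaultLevel -ne 'Disallowed') { $findings += "Default level is $($policy.DefaultLevel), so anything not explicitly denied runs" }
    if (-not $policy.EnforceDlls)             { $findings += 'DLLs are not checked (TransparentEnabled is not 2)' }
    if (-not $policy.AppliesToAdmins)         { $findings += 'Local administrators are exempt (PolicyScope = 1)' }
    foreach ($r in (Get-SrpPathRule | Where-Object { $_.Level -ne 'Disallowed' })) {
        if ($OsAndProgramDirs -notcontains $r.Path) {
            $findings += "$($r.Level) rule outside the OS/program directories: $($r.Path)"
        }
    }
    return $findings
}

Get-SrpPolicy
Get-SrpPathRule | Format-Table -AutoSize
Test-SrpWhitelist
```

    One caveat worth keeping in mind with a whitelist of this shape: an Unrestricted rule on %SystemRoot% also covers the user-writable subdirectories under it (Windows\Temp and Windows\Tasks are the usual ones), so those want their own Disallowed path rules if the point is that a standard user cannot launch anything they dropped on the disk themselves.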
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Not sure about the first one, but do not enable the second one. It will mess up many installers and uninstallers that require reboots, as well as other programs that do similar things (e.g. deleting locked files, changing system settings, etc.).
     
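    Before flipping either of those policies it helps to see what they would actually switch off. The script below is an added example (not from Konata or J_L): it lists the current Run and RunOnce entries in both hives, which is exactly what the policies stop Explorer from processing at logon, and reports whether the Explorer policy values are set. The four value names under Policies\Explorer are the documented ones; which of them the two gpedit entries write is noted as an assumption in the comments.

```powershell
# Added example, not from the thread: show what the Run/RunOnce keys would start
# and whether the "Do not process ..." Explorer policies are in effect.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Documented Explorer policy values (1 = enabled). Assumption: "Do not process the
# legacy run list" writes DisableLocalMachineRun and "Do not process the run once
# list" writes DisableLocalMachineRunOnce; the CurrentUser pair covers HKCU.
$PolicyNames = 'DisableLocalMachineRun', 'DisableLocalMachineRunOnce',
               'DisableCurrentUserRun', 'DisableCurrentUserRunOnce'

function Get-RunListEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... added by the provider
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-RunListPolicy {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        foreach ($n in $PolicyNames) {
            $v = $null
            if (Test-Path $key) {
                $v = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
            }
            [pscustomobject]@{ Hive = $hive; Policy = $n; Enabled = ($v -eq 1) }
        }
    }
}

Get-RunListPolicy | Format-Table -AutoSize
Get-RunListEntry  | Format-Table -AutoSize -Wrap
```

    Anything pending in RunOnce when you run this is typically a half-finished install or uninstall, which is the breakage J_L is describing. Also keep in mind that the Run keys are only one of many autostart locations (services, scheduled tasks, Winlogon entries and so on), so disabling them is not a general answer to reboot-persistent malware; Autoruns, mentioned later in this thread, enumerates the rest.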
  23. wat0114

    wat0114 Guest

    Very nice in its user-friendly simplicity and effectiveness :thumb:

    Best approach in dealing with malware, imo. Eradicate everything then restore known good image.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very logical, simple, well-thought out plan.

    -rich
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    For me the simplest setup for friends is

    a) Split the hard drive into a programs partition and a data partition
    b) Add the 1806 registry trick with shortcuts to switch it ON and OFF from the Start menu (and auto-set to deny on startup through a script provided by Sully :)
    c) Set the data partition to deny execute via right click / Security tab for Users only, relocate the Windows libraries to D: (except Downloads)
    d) Install Avast Free with the sandbox on AUTO, file shield and script shield (it sanitises JavaScript) and the PrevX SOL Safebook freebie.
    e) Set UAC to elevate silently, disable installer detection
    f) Disable some remote support stuff of XP/Vista/Windows to reduce the attack surface (a mild and conservative disablement of known services, which has never caused a problem)
    g) Install Chrome as a backup (see note).
    h) Install Keriver 1-Click Restore and make a restore point
    i) Tell them to use IE9, despite what experts tell them, and show them how 1806 prevents executable downloads but allows Windows Update
    j) All routers advised by the cable company (which operates nearly nationwide) have built-in firewalls; I configure the router for them properly

    I have not yet experienced a case where the combined protection of IE9 SmartScreen, IE9 download reputation, the PrevX SOL Facebook phishing shield and the Avast Script Shield has let something through. I can't tell how effective the Avast sandbox is, because it has never kicked in. I set Avast to Auto for everything and explain the benefits of PrevX for social media and shopping online.

    The 1806 trick is mostly psychological: by showing them that executables can't download when it is on, they feel they are in control of their PC, so they are less likely to respond to fake fear-building AVs. Often (before installing Avast) I google for a fake AV, show them how real these fake AVs look, and ask them to say YES YES to all questions. They see that nothing happens with 1806 on DENY. They feel really comfortable knowing that they have to explicitly set 1806 to WARN when installing things.

    For support I install Microsoft Attack Surface Analyzer, Autoruns/Process Explorer and HitmanPro. I save the reference files of Autoruns and MASA in case anything should happen.

    Note:
    I have had telephone calls that the IE9 reputation download check has eaten the downloaded program, while Avast or PrevX did not beep. I think IE9's reputation download check has a lot of FPs, but they happen at the earliest stage so are not a problem. For these occasions I have installed Chrome (download with Chrome and install). I also tell them "use at your own risk" (this puts off most because they don't dare).

    Regards Kees
     
    Last edited: Apr 15, 2011
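    For anyone who wants to reproduce items b) and c) of Kees's setup, here is one way to script them. This is an added example and is not the script Sully gave him; it assumes the per-user zone keys under HKCU, the documented 1806 values (1 = prompt, 3 = disable), and a hypothetical install path of C:\Tools\Zone1806.ps1 for the Start menu shortcuts and the logon entry. Unlike the read-only inspection script earlier in the thread, this one changes the settings.

```powershell
# Added example built around Kees's items b) and c); not the script Sully provided.
# Assumes per-user zone keys under HKCU, the documented 1806 values
# (1 = prompt, 3 = disable) and a hypothetical path C:\Tools\Zone1806.ps1.
param([ValidateSet('Deny', 'Warn', 'Status')][string]$Action = 'Status')

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Targets  = 3, 4    # Internet and Restricted Sites; Intranet/Trusted files are left alone

function Set-Zone1806 {
    # 'Deny' blocks launching anything tagged with one of the target zones;
    # 'Warn' restores the prompt so the user can install something deliberately.
    param([Parameter(Mandatory)][ValidateSet('Deny', 'Warn')][string]$Mode)
    $value = 1
    if ($Mode -eq 'Deny') { $value = 3 }
    foreach ($z in $Targets) {
        $key = Join-Path $ZonesKey $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 1806 -Value $value -Type DWord
    }
}

function Get-Zone1806Status {
    foreach ($z in $Targets) {
        $v = (Get-ItemProperty -Path (Join-Path $ZonesKey $z) -Name 1806 -ErrorAction SilentlyContinue).'1806'
        $mode = 'Unset'
        switch ($v) { 0 { $mode = 'Allow' } 1 { $mode = 'Warn' } 3 { $mode = 'Deny' } }
        [pscustomobject]@{ Zone = $z; Value1806 = $v; Mode = $mode }
    }
}

function Register-Zone1806Startup {
    # Item b): back to Deny at every logon, whatever the user switched it to yesterday.
    # The script path is hypothetical.
    $cmd = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Tools\Zone1806.ps1" -Action Deny'
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Zone1806Deny' -Value $cmd
}

function Set-DataPartitionNoExecute {
    # Item c): the ACL equivalent of the Security tab "Deny Execute" for Users on the
    # data volume, inherited by every file and folder beneath it. Everyone in Users
    # (which normally includes the admin account) can no longer run anything stored
    # there; browsing folders still works because Users hold "Bypass traverse checking".
    # Undo with: icacls D:\ /remove:d Users
    param([Parameter(Mandatory)][string]$Root)
    & icacls $Root /deny 'Users:(OI)(CI)(X)'
}

switch ($Action) {
    'Deny'   { Set-Zone1806 -Mode Deny }
    'Warn'   { Set-Zone1806 -Mode Warn }
    'Status' { Get-Zone1806Status | Format-Table -AutoSize }
}
```

    The two Start menu shortcuts Kees mentions are then just `powershell.exe -ExecutionPolicy Bypass -File C:\Tools\Zone1806.ps1 -Action Warn` and the same with `-Action Deny`; run Register-Zone1806Startup once per user and Set-DataPartitionNoExecute once per machine from an elevated prompt. The deny ACE also hits scripts and installers the user has legitimately saved to D:, which is why Kees keeps Downloads off the data partition.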