Back to the drawing board....

Discussion in 'other security issues & news' started by JustFixIt, Feb 22, 2009.

Thread Status:
Not open for further replies.
  1. JustFixIt

    JustFixIt Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    10
    Hello WSF - I have been a lurker off and on for a while and now have decided to join so I could hopefully benefit from your expertise. I am an XP3 user but I have a store bought copy of Vista I haven't used yet (builder gave me a downgrade.) Mainly because I am still undecided about whether or not I should use it and I am more familiar with the XP environment. I am probably between a Novice and Intermediate.

    To make a long post short, I am going to do a clean install of XP PRO SP3. But this time around I want to run it even safer if possible. I sandbox, surf safe, have paid versions of my malware, SAS and AV scanners, don't use P2P pgms, followed the MG forum advice on malware protection but I just "have a feeling" from recent events ( i.e. Online Armor asking if cmd.exe could run after Sandboxie logs down, etc. when it never has before) something is not right. So if I could get some forum advice on the following I am very grateful:


    • Securing XP - I have the Kelly XP checklist on what services/policies to change, albeit it was a 2006 list. If there is another good recent checklist on how to secure XP SP3 please share. Also any clean install tips?

    • Can I get rid of the hidden user groups and are there consequences to doing so? (i.e. SYSTEM. Local Account, Power User etc.)

    • MOST IMPORTANT - How can I protect the registry? I know most security forums don't recommend cleaners esp. for the novice but how can you protect it from hidden processes & software bloat?

    • What is the best way to set up the file sharing system between the limited acct. and the admin acct. for safety but also access? I notice if I allow read & execute for one thing it may not necessarily run or the thumbnails don't show correctly.

    • Any firewall (router) tips or tweaks?

    • And last but not least, should I just give up on XP and try Vista? If so why?

    Thanks for all of your help to these important questions as I will be "hunting and gathering" and doing the clean install very soon.

    *Admins if this is in the wrong area, my apologies.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Doesn't your Sandbox protect the Registry?

    If not, any reboot-to-restore program like Returnil should do this.

    Vista vs XP? You find arguments both ways. You'll never know until you try them both!

    ----
    rich
     
  3. JustFixIt

    JustFixIt Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    10
    I guess not totally since I ended up with a temp system file found by my malware scanner (system32\1.tmp) hence the desire to just start over even though logs are coming out clean.

    So installing Returnil at fresh install will help protect the registry?

    What about the hidden security groups? Do those pose a security threat?

    And what is the safest but easiest way to set up file access between Limited acct & the Admin acct?

    Thks.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You will get expert help with this in the Returnil forums

    Post this question in one of the LUA threads where those who use Limited Acct can give a thorough answer.

    ----
    rich
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    My advice would be to learn how to operate in a LUA environment. If you can. Use SuRun or some other tool to help manage those times when you have to be an admin. If you can live in this way, you will be steps ahead.

    If you find like so many that you cannot live as a user but must live as admin, just decide how many things you do that will touch the dirty old internet. Perhaps you only browse a little and watch movies. In that case using Sandbox as your primary defense would make sense. But suppose you do many many other things online, p2p, iTunes, photo sharing, etc etc. Perhaps Sandbox is just not working. You now have to rely on your security tools. DefenseWall, Online Armor, etc.

    As so many have said better than I, you must examine how many surfaces you expose yourself to attack on, and build defense accordingly.

    I think limiting one's actions with a user environment rather than admin is the way to go, supplementing with other tools. HTH.

    Sul.
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If you have a desktop why not get another drive to give Vista a run.

    Have several here that I plug/unplug as to what I feel like using.

    I don't mind using Vista or XP even though XP is a tad faster on this quad.

    I always use an admin account and deliberately download/run malware using the apps in my siggy and haven't had a breach as yet.
     
  7. JustFixIt

    JustFixIt Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    10
    So many questions

    @ Franklin - I always thought of dual boot, just been too chicken to try it out.

    @ Sully - What is your setup that allows you to not get "bugs"? I have Sbxie, SAS, Avast, all updated regularly but still end up being breached somehow. I've decided for my next go round of fresh install that I want to still use an LUA but I can see how difficult at times it is to work around things including wondering how safe it is to use RUNAS, plus software is so picky.
    =====================================================
    So when I start all over again what can I add to beef up my defense? I took note of SuRun, a paid version of Sbxie for the forced programs command, and installing Returnil first before anything else.

    Should/can you remove the hidden user groups? Will it provide more safety?

    A recommended tutorial for setting up Software Restriction Policies

    Have more questions but will stop at these for now.
     
    Last edited: Feb 27, 2009
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Re: So many questions

    Personally, I think most of the fight to stay free of 'bugs' is using your best weapon, your brain. I have over the years made efforts to learn as much as possible, at the expense of not knowing much about photo editing or music editing etc. But I do know a lot about how my OS works and what can break and how to fix it.

    For me, I have a pretty heavily customized version of xp sp2 on. Services are cut to only what I need. Ports are closed that I don't need. Startup apps are limited. I run behind a router, and use only windows firewall. I use Kmeleon browser about 95% of the time, and use Opera as 2nd choice. I have FF and IE to fall back on if I am desperate. I have used the Proxomitron for years now. I have flashblocker and css ad blocking enabled in Kmeleon. I don't have flash installed on OS, only sandbox. I use hotmail or gmail only, and I only get the headers, so I delete any junk before it comes into my machine. I don't open email from peeps I don't know, and I always view email as plain text, never rich text.

    I use Avira free, but in the past have used avast. I used to use fprot years ago. I do use Cyberhawk right now, but I have tried them all. I like my old version of PG too, but I tire of the popups. Same goes for firewall, I used to use Outpost. But, I don't need to answer those questions all the time anymore.

    That is about it for the standard stuff. I have been using modified ipsec rules and some tools I made to manage that. I also use different versions of SRP, where I run as an admin, but demote most every internet facing app to basic user. I have download folders that I tell browsers to download to that are also SRP'd as user only. I have a little tool I made with which I demote myself to user when I want to go online, or if I am just doing some quick stuff, I use Sandboxie. I have forced stuff enabled on that, but don't always use it.

    So, I don't know. I have a lot of little tools and methods. Nothing I could really say is the end-all method. I would think something is working, as I don't have issues. But then, I am just as apt to reformat or throw an image on as look at a bsod. I like to code and dig and poke around, and when I am not doing that, I like to shoot people online. I don't have time to futz with silly malware and figure how to remove it. Too many other interests.

    I think that Sandboxie really has been a great tool. It allows me to just start stuff and not really worry. If I get a tool that I know will need access to stuff that SB just won't do well, like a firewall, I start up vmWare. All comes down to what you trust. And for the most part I don't get too paranoid. I just watch it when I get things I don't know much about.

    That probably does not help, but it's all I got.

    Sul.
     
  9. JustFixIt

    JustFixIt Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    10
    Re: So many questions

    I appreciate what you mentioned especially about closing ports, limiting startup apps, and customizing SRP for software. Do you have any resources for this sort of information? I know there is no such thing as stealth for any PC but I would like to make my PC a little more "rubber and less glue" ;)
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Re: So many questions

    Of course. For ports the best tool is wwdc (windows worm door cleaner ? ), it will easily shut off common open ports. I pretty much close everything except netbios because I do have a network at home. I could type it all out, or better you could just look for a couple threads regarding open ports. mrkvonic is the author of one good one. I think most of them are in the general software forum.

    For limiting startup apps, I use startup cpl (mlin.net I think) and for services I use pserv. I used BlackVipers services list many moons ago to get a feel for what services were doing. Now I have a set in place and I just manage new ones. Many apps put them in place, such as Nero or CdBurnerXp, and many more. Customizing SRP is easy, depending on your choice. You either lock everything down by default as a user, then open certain ones up, or you leave everything open as admin, and choose to close certain ones down or just demote them to a basic user. Again, there are a few threads regarding this topic.

    I would be happy to send you my reg file that I merge with every xp install, but don't know if you are going the xp way or not.

    Unfortunately the website I used to have that had a lot of this on it has gone the way of the dodo bird, so I don't have a place for it. But let me know and I will hook you up the best I can.

    Oh, there is the whole sandboxie part or vmWare, which are great tools especially to play with new stuff before committing to a real install. And I can hook you up with a method to make an hdd image after a clean install with all your fave tweaks in place, which includes a boot.ini option to quickly boot into a ramdrive to restore your 'cluttered' hdd to a pristine freshly installed state. That does require a little more work, but I have done it many times and it is not too hard.

    Concerning firewalls, it will depend on your comfort level. Living behind a router is great for incoming protection. Even running a software firewall is ok most of the time. Most peeps start to worry about outbound apps, especially ones they don't know are wanting to get out. For me, I install softperfect firewall, but don't have it start. I do use xp firewall, it is sufficient for basic needs. I do have custom ipsec rules to only allow traffic on ports I deem appropriate, so yes, a rogue app could go out on port 80 to phone home I suppose. But I also limit dns outbound port 53 to only my dns servers, so sometimes this can help. Deciding to run with no real 'application detecting firewall' was probably one of the hardest choices I made. Not knowing is not always comfortable. But, with softperfect, I can check to see what is happening if I think something is going on. And it can run alongside xp firewall without problems. At least for me. I developed some tools awhile back to examine logs of softperfect and xp firewall. And to create rules for softperfect easier. It also used a couple programs to watch and see what apps were going out. More paranoia pacification than anything else. Now, I just use sandboxie for much, and may check out a new app thoroughly in vmWare with Outpost if I am worried. Then I have a pretty good peace of mind that if I install on my real system, what to expect.

    It is all about how much you know, how well you could handle problems and how well you sleep at night without the protections of best of class firewalls or hips. I apply a very heavy dose of common sense and it seems to fit the bill.

    Sul.
     
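The "leave everything open as admin, demote internet-facing apps to Basic User, and make the download folder non-executable" SRP layout described in the post above, written out as an added example with reg.exe; this is not Sully's reg file or any code from this thread, and the Firefox path, download folder and GUIDs are assumptions. Run from an administrator command prompt on XP; log off and on afterwards so the policy is re-read.

```batch
@echo off
rem Added example (not from this thread): Software Restriction Policy via reg.exe,
rem mirroring the "open by default, demote per-app" pattern. Paths are assumptions.
set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

rem DefaultLevel 262144 (0x40000) = Unrestricted: everything still runs as admin
rem unless a rule below says otherwise.
reg add "%SAFER%" /v DefaultLevel /t REG_DWORD /d 262144 /f
rem Levels 200704 (0x31000) makes the hidden "Basic User" level visible in
rem gpedit's SRP UI on XP, so the rules written here can be inspected there.
reg add "%SAFER%" /v Levels /t REG_DWORD /d 200704 /f
rem TransparentEnabled 1 = check executables only; 2 would include DLLs (slower).
reg add "%SAFER%" /v TransparentEnabled /t REG_DWORD /d 1 /f
rem PolicyScope 0 = apply to all users, local administrators included.
reg add "%SAFER%" /v PolicyScope /t REG_DWORD /d 0 /f

rem Path rules live under <level>\Paths\<any unique GUID>.
rem 131072 (0x20000) = Basic User: the browser starts from a restricted token with
rem the Administrators SID set deny-only and admin privileges stripped.
set BASIC=%SAFER%\131072\Paths\{11111111-2222-3333-4444-555555555555}
rem %%...%% leaves a literal %ProgramFiles% in the REG_EXPAND_SZ value.
reg add "%BASIC%" /v ItemData /t REG_EXPAND_SZ /d "%%ProgramFiles%%\Mozilla Firefox\firefox.exe" /f
reg add "%BASIC%" /v SaferFlags /t REG_DWORD /d 0 /f
reg add "%BASIC%" /v Description /t REG_SZ /d "Browser demoted to Basic User (assumed path)" /f

rem 0 = Disallowed: nothing saved under the download folder may be executed.
set DENY=%SAFER%\0\Paths\{66666666-7777-8888-9999-000000000000}
reg add "%DENY%" /v ItemData /t REG_EXPAND_SZ /d "D:\Downloads" /f
reg add "%DENY%" /v SaferFlags /t REG_DWORD /d 0 /f
reg add "%DENY%" /v Description /t REG_SZ /d "Download folder is non-executable (assumed path)" /f

rem Review what was written before logging off.
reg query "%SAFER%" /s
```

Checking the effect afterwards: start the browser and look at its token with a process viewer, or try to launch an executable from the download folder; the designated file types stay at the SRP defaults unless ExecutableTypes is set.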
  11. JustFixIt

    JustFixIt Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    10
    Sorry just now being able to come back to the site. Yes Sully please PM me with your reg file and other recommended thoughts I am happy to check them out.
     
  12. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    128
    Also, BeyondTrust @ http://www.beyondtrust.com/ has an application that is great for giving privileges to certain applications that require admin rights to run properly. It costs money for the AD policy environment but it is free for the local security policy. It works wonders....
     