Harden XP system - how and with what

Discussion in 'other anti-malware software' started by db9, Sep 3, 2009.

Thread Status:
Not open for further replies.
  1. db9

    db9 Registered Member

    Joined:
    May 28, 2007
    Posts:
    14
    I used the word 'hardened' because I see it used on this forum and I think that this is what I wish to do.

    One of my systems got clobbered with MS Anti-virus etc. running AVAST & Super Anti Spyware. My son playing a game (WOW) accepted it and bingo... re-installed XP SP3 and want to harden it to basically lock down installations & mods without me reviewing first. The user needs to be an admin for the game to work so changing the user setting isn't an option.

    Open for suggestions.

    Thank you for taking the time.

    Stephen
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    There would be many ways to harden it.

    Perhaps consider that using LUA is alone a method to make it harder for problems to arise.

    Perhaps you can harden the OS by turning off services that are exploitable. Many services open ports to the outside world, so by controlling your services you can close certain ports that may be targeted.

    If you exist behind a router, you have been hardened already unless you port forward in the router.

    Hardening might be something so simple as using Sandboxie to do your surfing in. If you are running as admin, and cannot switch to LUA, perhaps you should consider using SRP and then starting network facing applications AS a user. This too can harden your system.

    There are many ways. I think the objective should be to make it 'HARD' for malware/virii to get installed in the first place. Short of a HIPS type approach, being a User aka LUA is probably the best bet.

    Sul.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I will say a HIPS program and/or anti-executable app ;)
     
  4. db9

    db9 Registered Member

    Joined:
    May 28, 2007
    Posts:
    14
    Currently behind router, no forwarding


    At this point I don't believe that LUA is an option - however SRP maybe - but forcing users to sandbox the browser may be the current alternative (correct?)
    Suggestions for sandbox programs? I have heard of but never used Sandboxie; are there others?

    thanks
     
  5. db9

    db9 Registered Member

    Joined:
    May 28, 2007
    Posts:
    14
    jmonge..

    any program in particular?
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Malware Defender, put this baby in silent mode and it blocks all the unknown in real time :thumb:
     
  7. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Hardening tools:
    Invincible Windows
    Harden-It
    Secure-It
    SafeXP
    XPantispy
    Security & Privacy Complete
    Seconfig XP
    Samurai
    Windows Worms Doors Cleaner
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Duh :D of course whitelist the safe applications (your faves) and then anything new that wants to be introduced to your system is blocked ;)
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    G1111's list is a good one, but some of those do require you to know exactly what will happen when you engage some of them.

    Think about your threats first. If you are primarily worried about browser and email issues, you can:

    A) use LUA, where browser/email cannot touch system areas without admins approval -- this is probably the best route

    B) use SRP to start browser/email AS user, essentially creating the same thing LUA does but you are still admin. Maybe not as secure because IF anything else happens, you are not as protected because Admin has root.

    C) use Sandboxie on browser/email. Purchase it and you can then force the browser/email to open in SBIE every time. Additionally you can state that in this sandbox, ONLY browser/email have access to internet or run at all.

    If you perceive other threats, such as games or another computer in the LAN, you will probably want to run as LUA. Employing SRP while in LUA to create a default-deny scenario is very restrictive. If you desire only what you permit to run, then the inclusion of SRP in LUA may well serve your needs.

    It may be that you don't desire much configuration or interaction with your security. Again, LUA would probably be best. If you are knowledgeable, wish to learn, or just plain want to know everything that is happening, some sort of HIPS would be your approach. You can definitely lock your system down if you so desire. It all depends on what you think your threats come from and how much energy you wish to devote to the process.

    Security itself is only an abstract as you can never achieve absolute. You must decide what you are willing to pay for it. Some pay much in clicking many options from their HIPS and are happy. Others pay little by using imaging. Some pay partially by using LUA with SRP and/or SuRun. It really does take digging a little into the differing philosophies and their ramifications to decide which scheme will best suit you.

    For myself, imaging alone would probably be enough. It is easy enough to do. But I feel I am knowledgeable enough to know when I am compromised without relying on too many other tools. But I have paid the price of years of learning. Not everyone wants to go that route. Although around here, I daresay many are happy to pay the price of learning HIPS and firewalls because it lets them eventually not have to use as much because of the knowledge gained.

    Good luck.

    Sul.
     
  10. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Defensewall would be another good option. Set it and forget it and virtually foolproof with very little learning curve. Alternatively, Malware Defender left in learning mode for a few days, then switched to silent mode....but there's a much steeper learning curve...though it is a great HIPS :)
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    agree with you buddy;)
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Absolutely.
     
  13. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Hi Sully,
    I have SRP's PolicyScope set at (0) running as Admin and really like it this way. I've noticed you mention adding browsers/email to 131072 for restriction. I've added IE and Firefox, checked with Process Explorer to see for sure if it was truly enabled and it was. IE and Firefox both work well being restricted so I guess my question is, how restricted are browsers/email when this is applied?
     
  14. db9

    db9 Registered Member

    Joined:
    May 28, 2007
    Posts:
    14
    Sully..

    Recommended links for LUA or SRP tutorials to understand setting up? Using either of these can I just open web & WOW? (just trying to get up and running quickly)
    I have thought about imaging but haven't found an open source image app yet or purchased Acronis yet
    OR
     
  15. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    You don't need to keep switching in and out of training mode. You can lock down apps and deny all unknown executables from running when in training mode by applying this setting.

    Quote
    "In learning mode if explicit "deny" rule is found, do not create permit rule and do not permit the action"

    So you can even stay in training mode forever, and have just as much protection as in normal mode.

    +1
    But I haven't heard of Invincible Windows; where do I find this app? Had no luck after a quick Google search.
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    https://www.wilderssecurity.com/showthread.php?t=137918
    This contains some good threads here by Tlu and Lucy. This should be more than enough to whet your appetite and provide you some answers as to whether this route will provide what you need.

    Everyone has their favorite flavor for imaging. Mine is using Macrium Reflect Free. I keep my C: free of any large programs and make the image in about 3-4 minutes. The image compresses the real 8GB down to about 3GB. I have in my C: a boot.ini option so that I can boot BartPE into a ramdisk. This lets me very quickly (about 30 sec) be in a BartPE environment, and within about 5 minutes put my nice clean image back in place. Some like other methods, but this is free and fast and has been working exceedingly well.

    Sul.
     
    Last edited: Sep 3, 2009
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    First thing to understand is what restrictions a user has versus an admin. A user can only read and execute in C:\Windows, C:\Program Files and C:\ . A user may only create/modify/delete in their user profile directory OR any custom made directories such as C:\MyStuff. There are no default permissions in place for other drives, so a user can modify at will anything on other drives.

    When SRP takes effect, it basically demotes the process created to a user level of rights instead of admin. So when you start IE as a user with SRP or with DMR, it effectively becomes a user. Anything in turn that IE starts INHERITS the same rights, those of a user. So in effect it is as restricted only as the user.

    Note that Tlu gives good guidance in his SuRun thread on how to lock out certain registry areas for the user, esp. autostart areas the user CAN modify. It is helpful, even as admin, to do what he suggests, so that when you start IE as a user, those few other things Tlu mentions are locked down.

    It is also of note that there are a few things that can compromise SRP. I cannot remember now, but somewhere in the last week or two someone mentioned using RunAs I believe to somehow negate the current restrictions and elevate to admin rights. There is also some POC things going on with SRP. So it is, like every other security feature in the world, in some way not fool-proof. However, until exploits against SRP/SAFER become more than just something to talk about, I am not going to worry about it and continue to use it.

    If you have not tried out my tool PGS yet, I suggest you do so. It makes it much easier to apply your SRP settings. You can find it here: www.mrwoojoo.com . You might also check out my tool called SaferZone, which is a DMR variation that I use when I don't want to make an SRP rule but still want to quickly and conveniently start something as a user.

    Sul.
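    The SRP settings Sully and Greg S are talking about (PolicyScope 0, path rules under level 131072 = Basic User) live in the registry, so an admin can audit which programs will be demoted before trusting the setup. The script below is an added example, not from this thread, PGS or any other tool mentioned; it parses a constructed .reg export of the Safer policy key (GUID rule names are placeholders) and reports the default level, whether the policy also applies to administrators, and the level a given executable would get under a simplified path-rule precedence (most specific path wins; hash and certificate rules are not modelled).

```python
import re

# Level ids that SRP (SAFER) stores in the registry.
LEVELS = {0: "Disallowed", 131072: "Basic User", 262144: "Unrestricted"}
SAFER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# Constructed .reg export (not from the thread). GUID names are placeholders and
# ItemData is written as REG_SZ for readability; real exports often use hex(2).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"PolicyScope"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{guid-1}]
"ItemData"="C:\\Program Files\\Internet Explorer\\iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{guid-2}]
"ItemData"="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
"""

def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg text (dword and string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := re.match(r'"([^"]+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', line, re.I)):
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys

def path_rules(keys):
    """Yield (path, level_name) for every path rule stored under the Safer key."""
    for key, values in keys.items():
        m = re.match(re.escape(SAFER_KEY) + r"\\(\d+)\\Paths\\", key, re.I)
        if m and "ItemData" in values:
            yield values["ItemData"], LEVELS.get(int(m.group(1)), "Unknown")

def summarize(keys):
    base = keys.get(SAFER_KEY, {})
    return {
        "default_level": LEVELS.get(base.get("DefaultLevel"), "Unknown"),
        "applies_to_admins": base.get("PolicyScope") == 0,  # 0 = all users, 1 = skip local admins
        "rules": sorted(path_rules(keys)),
    }

def effective_level(keys, exe_path):
    """Simplified precedence: the longest (most specific) matching path rule wins, else DefaultLevel."""
    best = None
    for path, level in path_rules(keys):
        if exe_path.lower().startswith(path.lower()) and (best is None or len(path) > len(best[0])):
            best = (path, level)
    return best[1] if best else summarize(keys)["default_level"]
```

Running `summarize(parse_reg(SAMPLE_REG))` on the sample shows an Unrestricted default that also binds administrators, with only the two browsers forced down to Basic User, which is the configuration Greg S describes.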
     
  18. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
  19. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I'd like to know what are some steps I could take to harden Vista? And G1111, which of those hardening tools applies to Vista as well?
     
  20. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    I am using XP. The ones I was using were Harden-It and Seconfig XP; both I believe are for XP only. My guess is that most are XP only.
     
  21. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Are there any hardening tools for Vista? Does Vista even need to be hardened?
     
  22. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    As someone else said, an Anti-Executable app would be ideal for this.
    One with a password will prevent installs you don't want.
     
  23. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Definitely LUA and SRP. I feel you should always configure, harden your OS before considering anything else.

    I use virtual machines (VMWare) which have snap-shots or can be frozen which are isolated from the host operating system - these are hardened also.
     
    Last edited: Sep 8, 2009
  24. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    Thanks, for a while there I was confused reading all these posts recommending the addition of security software, given the thread title.

    To my knowledge, hardening means removing vulnerabilities in the system itself, not adding software to improve it.

    If I were a kung-fu master and I said I wanted to harden my fist, surely I cannot do this by wearing a glove, as underneath, my fist would still be soft.
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    But what about if you add broken glasses with glue to your fists :D
    Will this be soft? :):)
     