How to secure Windows XP after it Xpired?

Discussion in 'other anti-malware software' started by mattdocs12345, Nov 2, 2013.

Thread Status:
Not open for further replies.
  1. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    How to secure Windows XP April 2014?

    So two of my family members are still on XP. They will likely remain on XP after the March or April deadline. How would you guys suggest I secure their computers? Here are a few requirements:
    1) Has to be free or software that I already have
    2) Has to have ZERO interaction from the end user
    3) Low maintenance
    4) Must be secure for online banking

    I have one Shadow Defender license, one MBAM Pro license, one ERP and 3 Outpost Firewall licences. Both systems have about ~3GB RAM and Core 2 Duo. Some free software that comes to my mind is SBIE. But then neither SBIE nor SD will protect those systems if somebody finds a vulnerability in XP's firewall.

    Or is securing expired Operating System with the above software impossible and both systems should run VM with linux on it whenever doing online banking?

    So 4/14 is doomsday for XP. Will the following system get bypassed and my parents' banking data stolen?
    - Windows XP 32 bit Pro
    - LUA + SRP + EMET
    - Shadow Defender - Lockdown mode
    - Executable Radar Pro - Lockdown with default deny
    - Outpost FW block all incoming and outgoing traffic except the browser
    - SBIE + Chromium for everyday surfing
    - Bitdefender Safeplay for banking
     
    Last edited: Nov 3, 2013
  2. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    A limited user account and a software restriction policy would most likely take care of ~99% of the malware floating around at the moment (including CryptoLocker). If your family members have XP Home they won't have the Group Policies Editor, but Wilders member Sully wrote an excellent utility which enables SRP for the home version. Will have to look if he still has it available to download.

    To ease the pain of running XP as a limited user, install SuRun. This basically is sudo for Windows. Dedoimedo has a nice tutorial on it here.

    At any rate, I wouldn't bet on any security software as a sole solution.

    Edit: I see that Sully's website is no longer. I have a copy of it, however, if you are interested.
     
    Last edited: Nov 2, 2013
  3. gaslad

    gaslad Registered Member

    Joined:
    Feb 18, 2007
    Posts:
    116
    Location:
    Toronto, Ontario
    I can't imagine any security solution for XP after next April will be secure. Sooner or later the 3rd party security programs will drop support also, and I sure as heck wouldn't trust my online banking to XP.

    Particularly since your requirement for no end-user interaction implies your family members are not that security-savvy. The weakest link in any security solution these days is usually the end-user. I truly think their best bet is to upgrade to a supported Windows OS.
     
  4. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Upgrading those computers is not an option at this time.

    Thank you for pointing out to me about using LUA. Will for sure try to implement this. I got 6 weeks before I go to Europe and get a first hand look at their laptops. So I'm trying to see what my options are.
     
  5. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Agree with gaslad, concerning how you want no end user input, implying they're not very computer savvy. Because securing XP after it's EOL (or even now for that matter) really requires on-hand attention. Tweaking, hardening, sandboxing/virtualization, HIPS/policy restriction, limiting privileges, and definitely having clean images. The native FW and an AV set to shoot to kill won't cut it. And even if you set up all that stuff for them, if they're not "with it" your phone will be ringing off the hook with them asking you questions every time they see a prompt, wonder why their updates/downloads aren't sticking, etc...

    I'd strongly recommend they upgrade to Windows 7 32-bit. A Core 2 Duo CPU and 3-4 GB of RAM should suffice to run it. It's easier than doing all that other crap I just said to XP.
     
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Don't forget SRP. That's the part, together with LUA, that makes this configuration really strong. Something like CryptoLocker, which copies itself to the user profile, is dead in the water because the LUA can only execute files in the Windows and Program Files directories. This is especially good for non-nerd users since they don't have to make any decisions, the OS does it for them. Another advantage is practically no resource usage.
     
  7. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Still, I don't have much choice in here. Upgrading is not an option. There are no updates after April so I will simply turn off system update. They are very simple computer users. They use their laptops only for a printer, scanner, email and vsee/skype. They will not be installing any new stuff.
     
  8. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    547
    Location:
    USA Southwest
    Because of the ransomware CryptoLocker there is a little utility that protects against it called CryptoPrevent. CryptoPrevent will add SRPs to protect data files and, if checked, block certain .exe files from running. It occurred to me that it is also a great utility to be on an XP OS when support ends.
     
  9. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    836
    Location:
    Québec, Canada
    What about Linux then?
    Xubuntu or Mint XFCE should be easy for them to grasp quickly.
     
  10. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    I will not. I will probably need help implementing complete LUA with SRP. I will keep this in mind and when I'm in Europe in December I will post specific questions.

    So far I'm leaning towards this configuration:
    Laptop A:
    - SD
    - LUA with SRP

    Laptop B:
    - ERP Lock Down mode Silent
    - SBIE
    - LUA with SRP

    They don't want to use Linux. Also there is no Vsee on Linux and this is the only Skype alternative that works for me. Although Jitsi is gonna get tested soon, I doubt that it will work as well as Vsee over transatlantic internet calls that are often slowed down by either the NSA or other connection issues.
     
    Last edited: Nov 2, 2013
  11. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    I second the idea of installing Mint using Cinnamon (LTS if Mint has it...not a Mint fan). You could install Ubuntu 12.04.3 LTS, strip out the Unity stuff, add the Cinnamon PPA...like I did, and you've got a very usable OS. It's what I have setup for my wife (not a technical whiz...god love her ;)), and she's happy. And, I do online banking in Ubuntu all the time with no worries. The only problem that I can foresee is the brand of printer they use...hopefully HP.

    Later...

    Bob
     
  12. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Yeah they do use HP. However lack of Vsee support is a dealbreaker for us.
     
  13. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    It's actually very easy. If you read those guides I linked to, you won't have any trouble at all. The author of the LUA and SRP guides is btw also a Wilders member. Also don't forget to look into SuRun, it really makes a difference in usability in a LUA.
     
  14. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    CryptoPrevent is a step in the right direction, but SRP (set up in Group Policies) will keep junk from running in other places as well, like pictures, music, documents, etc. Of course the key to this is not using an admin account, since malware can then write to the Windows and Program Files directories and we don't want that.
     
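Added example (not part of the thread and not any poster's code): a simplified Python model of the LUA + default-deny SRP combination described in posts 6 and 14, showing why a file dropped into the user profile cannot run and why the same policy stops protecting an admin account. The account names, directories and write permissions are constructed assumptions, and the model considers executable files only.

```python
# Added illustration: simplified model of a default-deny SRP on a limited account.
# Directory names, accounts and write permissions below are constructed assumptions.
import ntpath

# Path rules marked "Unrestricted"; everything else falls to the default "Disallowed".
ALLOWED_DIRS = [r"C:\Windows", r"C:\Program Files"]

# Constructed model of where each account type may create files.
WRITABLE = {
    "limited": [r"C:\Documents and Settings\mum"],
    "admin": [r"C:\Documents and Settings\mum", r"C:\Windows", r"C:\Program Files"],
}

def _norm(path):
    # Collapse ".." segments and case so lookalike paths cannot slip past a rule.
    return ntpath.normcase(ntpath.normpath(path))

def _under(path, directory):
    p, d = _norm(path), _norm(directory)
    # Compare on a separator boundary: "C:\Program Files Evil" is not "C:\Program Files".
    return p == d or p.startswith(d + "\\")

def srp_allows(path):
    """True if an executable at `path` matches an Unrestricted path rule."""
    return any(_under(path, d) for d in ALLOWED_DIRS)

def can_write(account, path):
    return any(_under(path, d) for d in WRITABLE[account])

def can_drop_and_run(account, path):
    """A dropped executable runs only if the account can write it AND SRP allows it."""
    return can_write(account, path) and srp_allows(path)

def exposed_rules(account):
    """Audit: allowed directories the account can write to (each one defeats the policy)."""
    return [d for d in ALLOWED_DIRS if can_write(account, d)]

if __name__ == "__main__":
    samples = [
        r"C:\Documents and Settings\mum\Application Data\dropped.exe",
        r"C:\Program Files\Vendor\app.exe",
        r"C:\Program Files Evil\app.exe",
        r"C:\Windows\..\Documents and Settings\mum\dropped.exe",
    ]
    for account in WRITABLE:
        print(account, "writable allowed dirs:", exposed_rules(account))
        for s in samples:
            print(f"  run={can_drop_and_run(account, s)!s:5} srp={srp_allows(s)!s:5} {s}")
```

An empty result from `exposed_rules` for the everyday account is the property to check for when reviewing a real policy: no directory that is allowed to execute should also be writable by that account.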
  15. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,515
    Location:
    USA - Back in a real State in time for a real Pres
    I suggest installing TeamViewer so you can provide maintenance remotely. Should be able to add options to your XP dilemma.
     
  16. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Yup, I've been using Teamviewer for awhile now.

    I bookmarked those links for LUA and SRP. Seems pretty straight forward.
     
  17. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I said it in another thread about a totally different topic. But it applies here as well...

    Once XP is as hardened and secure as it can be after "the date that will live in infamy" and Microsoft withdraws support, a Boot-To-Restore program with a perfectly clean and hardened system will be your best friend. Install Deep Freeze or something similar. If something "gets by" XP (and they will), just reboot - it's gone.

    Seriously worth your consideration if you're not moving on to the next gen of operating systems. The last (and best, imo) line of defense (Boot-To-Restore) could become your only line of defense down the road. One big sandbox.

     
  18. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Do you mind me asking why it is that upgrading the OS isn't an option? If it's because of the exorbitant fees M$ charges... if the computer is a Dell I have a cheap solution for you. You can buy their "reinstallation" discs on EBay for like $15-20 for Windows 7. They're just like Windows OS discs, only you don't even have to enter any license key. And they're not bundled with a bunch of extra junk either, just some Dell drivers which makes the process easier.

    It's a great thing about owning a Dell PC. I bought one for Win7 Pro x32 awhile. And if I decide I wanna try x64 and/or Win8 on a whim I only have to plunk down $20 instead of like $200.
     
  19. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    The fact that they are simple users and don't install much software helps. LUA would help more.

    There are a lot of XP users who aren't going to upgrade. I'm related to a few. The common factor is negative experiences with Vista, 7, and 8 and they return to XP, a system that works for them. I think that there are enough of them out there that XP support will turn into a nice little cottage industry for quite a while after Microsoft stops supporting it. That such 3rd party still exists for Windows 98 says something. The user base for XP is huge compared to Windows 98.
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Is there any reason that you couldn't run a virtual XP system on the existing XP host? If not, strip and lock down the host system completely, making it as lightweight as possible. Equip it with VirtualBox or VPC. Make a couple of virtual XP systems. I'd make 2, one for everyday use and one for secure usage. Make backups of the 2 virtual systems. Set the "secure use" instance to not save changes and have them do their banking from that one only. If they infect or damage one of the virtual systems, they can delete it and use a copy of the backup without having to use anything but the system they know, XP.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Running a vm as a full time production environment, especially on dated hardware, is too much of an impact on resources. Johnny's recommendations are excellent. In addition to that, I would image the base installation, backing up to separate physical locations (external or internal h/drives).

    Since the requirements are simple, the linux recommendations are excellent as well, and imo better than continuing with XP. Chrome could be used as the browser, as the sandboxing on the linux environment is first-rate. Mint xfce or Lite might be nice choices. Heck, if the h/drive is even of reasonable size, you could set up a dual-boot scenario easily enough on the hardware to give them some flexibility.
     
  22. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Again Linux is not an option because 1) vsee doesn't run on linux 2) they don't want to try linux.
    Noone, I don't think running multiple VMs and resetting them is something that they could handle.
     
  23. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,062
    Location:
    Netherlands
    Well, here is a strange setup

    1. Run as Power user
    You are allowed to install programs, but not change system settings. Reduces a fair amount of the threats, but keeps sort of admin flexibility.

    SuRun and LUA is better, but when you set it to auto-elevate (to minimise user interaction) it kind of defeats the purpose, when you set it to ask, it won't meet your user interaction requirement.

    Advantage of running power user: no performance impact.

    2. Run Avast with deepscreen enabled and hardened mode set to moderate. Only install file shield, yep you lose webshield protection, but also lower impact on performance.

    3. Install BD SafePay for on-line banking

    4. Install Yandex browser (with Kaspersky AV) for daily browsing.

    Use SD license and Sandboxie license for the person with the highest risk profile.
     
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    +1

    hackers are capable to reverse resolved issues in win7/8 and use them on xp after 4'14. tools are ready and no chance to escape. no security suite can fill those gaps, either as LUA or admin!
     
  25. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    late entry.....

    @mattdocs12345 :
    Stretching the 'free' criteria out to include "no yearly update fee, or once-off fee" ...then...

    (1) Buy 2 licences for DEFENSE WALL, and live with whatever version performs best before the licence for updates runs out.

    (2) Include SD [have 1, buy 1];

    (3) Run EAM or MBAM free on demand.

    That's all you need....Defense wall + SD + AntiMalware on demand.

    Errr, except, ideally, take an image of your system, and test that it works/ restores fine, before the April deadline.


    -cheers,
    feandur.
     