Protect your friend computer

Returnil free or Shadowdefender + Sandboxie

Weekly ondemand scans with SAS or MBAM

Make for her exclusions in both Returnil/Shadowdefender and Sandboxie for e-mail, download folder and stuff.
Configure so that she stay in Shadowmode after reboot.

Basically a set and forget config. that i use myself and advice to others.

 

Limited User Account

If wanna pay:

Defensewall

free alternative: Geswall

Macrium reflect free or Comodo time machine ( schedule for example take a a snapshot at first boot of the day or on a interval of hours - you can control to delete snapshots more old than x days)

Install Avast and Avira as on demand-scanners (or put Avast in real time) and schedule updates and quick/full scans.

tell to before put some download as trusted (remove from geswall/Defensewall protection) scan the file with the 2 AVs. Put Virustotal in the favorites too.

 

I've had the best luck keeping it simple for the newbies. Only browser I'd have them use is IE8 since protected mode gives the browser low level rights and the built in smartscreen filter is noob friendly and pretty good, also IE8 will be patched along with other windows updates which should be set to automatic.

Newbies cannot be trusted with updating any applications, including Windows and especially other apps like adobe, firefox, itunes, etc. I'd just install all her apps she absolutely needs so she doesn't visit shoddy sites to download a cd burning program or something like that, install foxit reader instead of adobe, no itunes but windows media player as the only media player, keep UAC on default & show her what it is, install MSE, install MBAM and show her how to do a quick scan, tell her if she ever gets redirects or the 'the internet acts weird' to run a quick scan with it. Lastly

So far a normal windows install. Only things I would change from default would be change IE8 to block 3rd party cookies, change MSE weekly scan to a full scan, and enable sehop.

It would be ideal also to turn on DEP for all programs and services and to not allow exceptions through the windows firewall, it won't cause a problem unless she wants to install an app that interferes with those settings. So maybe skip that if you worry about her calling you with a potential issue from that.

 

On x32 I would go with s23 (defensewall paid)

On x64 I would go with captainron (auto update IE and MSE is a good argument), only with my download tweak

 

the download tweak is very strong

 

I guess that I will keep it simple then...

Something like this:

-Windows firewall locked down to a minimum
-MSE... or maybe NOD32
-Firefox as a browser
-May try to teach about Noscript (something like: if you go on a site that dosen't work, and you are SURE it is perfectly fine, then click on this button)
-Run Firefox as a Low Integrity application (kind of like protected mode IE)
-With the "maybe" of NoScript, ADBlock as the only extension to firefox... well... maybe flash even if I hate it...
-Auto windows updates
-Always run as standard user
-DEP set to AlwaysON
-Autorun COMPLETLY disabled with a registry tweak
-Maybe a weekly or monthly scan with MBAM of something like it
-Foxit as the pdf reader
-Block third party cookies with firefox

I probably forget something here... but it looks like that for now!

 

I have always thought of a set up for a normal PC users that will give reliable security. Unfortunately I could never think of any solid options.

A bit of education is most important IMO.

 

Hey if you are going to run Firefox with low integrity, I guess you know that you also have to set the three main storage folders that firefox uses to low integrity. Set them to low integrity with No Read Up rights, and then configure a folder for her to keep all of her sensitive data, eg credit card info, receipts, orders, etc. Now you can use the chml tool to make her sensitive data unreadable, unwritable, unexecutable to firefox, and IE in protected mode.

Also you can enable SEHOP (Structured Exception Handler Overwrite Protection) on her computer for protection against SEHO exploit techniques. This will add some protection. It may be enabled by default in Win 7, I am not sure but If you dont know how to do this here you go.

Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager\kernel\DisableExceptionChainValidation and a value of 0 will enable it. If you can not find the DisableExceptionChainValidation key you will have to create it by

a. Right-click kernel, point to New, and then click DWORD Value.
b. Type DisableExceptionChainValidation, and then press ENTER.
Double-click DisableExceptionChainValidation and set value to zero.

I thought that Microsoft had put out a Fix It package to enable it automatically on install but I could not find it. Anyway Good luck

 

I've had good luck so far with PC Tools Firewall Plus on a couple systems used by family members who are very inexperienced.

I've also had good luck with avast! 5 Free on those same systems as well as my own.

I would suggest PDF-XChange Viewer. No security reasons though, just personal preference.

 

I think you made an error there... Setting firefox and the three folders to low integrity with the NO-READ-UP flag is useless... The "no read up" is useless...

No read up will prevent a process with lower integrity to read the object with the no-read-up flag... since firefox is already low... it won't to anything...

No WRITE up is on by default on everything so that anything at a lower integrity won't be able to write to it. No read up and no execute up would be useful in the case of a medium or high integrity folder. In that case, a lower integrity won't even be able to read it...

Alex

 

I was only trying to help miss type I guess. But it wouldnt effect anything since they are all at low integrity. What I was trying to say was to configure the folder with her personal info with No Read Up rights. it came out jumbled somehow. My bad and Good Luck

 

Hey, I'm not mad at you

I sometimes do make errors too

Thanks for your help!

Alex