Recommendations for a 1d 10t proof security setup.

I am currently re-building my dads machine for the nth time.

He just cannot stop clicking on things.

Short of breaking his fingers, could you comment on the following idea I have for his setup or suggest something else.

Please bear in mind, that while we may prefer seperates, to him this has to be simple, and much as I try, he feels he is better with some sort of suite.

I have succeded in persuading him to use Opera. That was a struggle. I will be removing all shortcuts to iexplore, and if I can, prevent the process from loading (like the kill in ZASS).

Having now played with BufferZone (and liking it a lot). For someone who is click happy, I think I will siggest it. The question is free or not .

I also plan to couple it with Kaspersky IS. Up until now I kept him on ZA Free and AVG freem because he does not want to spend money. But it is his birthday soon, so I was thinking of treating him

Even though he has some knowlegde of ZA, I am not sure that ZASS would be the way to go for him. I like it, and think it is simple enough to use, but I am not sure of the Checkpoint takeover, and do note a hint of disdain creeping across the forums for it. Also, ZA's AV is not the best. It is good, but NOD and KAV do the preverbial all over it.

So in summary, once I have "cleaned" his machine, I am planning to load it with Opera, Kaspersky Internet Security and BufferZone.

RE: BufferZone, I cannot decide whether just the Browser protection would be enough, or for someone as click happy as he, the Pro version.

Is this a good setup?
Would it be easy for him to understand?
Would it be light enough on resources (not really an issue, but every little helps)?
Would it be secure (as secure as things can be with "user" at the helm anyway)?

Answers on a postcard please

Many thanks.

 

The software base is stable over time?

 

does he use outlook or outlook express?
if so i think you will need to get all the messages to display in plain text so he trigger fingers dont open a dangerous email by mistake.
also superantispyware pro might be worth a look for realtime antispyware because he might click on random free downloads and it will stop the dangerous stuff from installing.
bufferzone is good.
i would still favour online armour or prevx or even both.
or nod32+bufferzone.
light but protective
or if he is as trigger happy as you say then kav do a custom install and dont install PDM and use bufferzone to do the
job of pdm.
lodore

 

thank you - could you explain what pdm is please?

he only uses web mail, but if he were to use pop, I would set up Opera to handle that.

No Outlook or O. Express is being installed.

 

BufferZone should be fine for him to use. You probably do want emails & maybe even IM's covered as well, so the Pro version may be better for his needs. It shouldn't let anything out. Just remember, BZ's philosophy isn't to stop malware downloading - it's to prevent any untrusted file <and it's children> from doing harm. Also, BZ won't allow anything requiring a driver to run as untrusted. And it doesn't work well with other virtualisation software. Within those limits, it's probably exactly what your dad needs.

With KIS, doesn't it give a few too many popups? (I remember playing with KAV 2006 once, with it's proactive defense). Just thinking that he will click yes to everything.

By the way, don't use BZ with Prevx1 - last I knew it causes a BSOD (though that was about a year back - it may be fixed now).

Another option is to use something like FDISR, ShadowUser, or DeepFreeze (if you want to freeze your dad out of making permanent changes to the computer OS...though he will still be able to download stuff if you set them up right).

 

Is it XP Pro?

If so, then activate the default rules for the software restriction policy and set him up as a limited user. He will not be able to install anything either deliberately or by accident. It's very light, secure, free and he wouldn't need to understand anything.

 

No its XP home.

 

the following should suffice:

KIS
a sandbox (bufferzone, geswall, or defencewall)
a limited account

 

PDM (Proactive Defense Module) = Kaspersky´s behaviour blocker.
If the system is a static one, the best setup is:
-Router.
-Hardened system.
-XP firewall.
-Light AV.
-A limited user account or DropMyRights.
-A whitelisting HIPS such as AntiExecutable.
That´s a system that would give almost zero prompts (except real malware and/or policy violations). You could add an on-demand malware scanner (AVG AS or SAS)

 

Just use KIS and if you dont want many pop ups of PDM just choose basic mode at the time you are installing it, and remeber to have Anti-Hacker in training mode.

 

Hello,
How about Linux?
Mrk

 

I suggest imaging or cloning software. I use both of the following. But imo only 1 would work well. Your choice of which 1 if either at all.

A cloned HDD or image(s) DVD.

I use Acronis MigrateEasy for cloning & Paragon for images.

 

I forgot to mention he is behind a NAT Firewall (Netgear, not sure what model though). I will look into locking that down a bit harder to help. Mums machine has been fine, but she is more wary about things (Well actually she is paranoid that the establishment is spying on her). So she downloads very little.

I will look into DropMyRights with interest.

Excuse my ignorance but isn't a whitelisting HIPS, a bit like the Proactive Defence Module - or is that suggested because the PDM is a little too vocal?

I have given that some thought, however, as I pointed out in my original post, it was enough of a struggle getting him to use Opera. Not only that, he plays a lot of games that are windows only.

One my Bro-in-laws friends is also very click happy, but a little easier to "train". He still needed windows, but for him we dual booted with a Debian based Linux and made sure that XP A: had a limited account, and B had all network adapters disabled, so he could only use the net under Linux. Unfortunately, the hassle of switching between thee 2 would e 2 great for someone more stubborn than a heard of mule and oxen.

I will be making disk images this time, as I have just got Acronis for myself. So I will make a safe back up on a portable drive I have kicking about.

========================================================

I have just downloaded KIS onto my laptop to see what it is all about.

 

Fine
Don´t forget to change the default password and disable remote connections.

Services tweaks
Harden-It
Secure-It
SafeXP
BugOff
Windows Worms Doors Cleaner
SpywareBlaster and IE-SPYAD
Script Defender or Script Sentry

Very good. A stable machine is a good candidate for a whitelist HIPS.

Use DRM in the browser and the mail client.

Kaspersky´s PDM is a behaviour blocker like Cyberhawk. Behaviour blockers prompt you when suspicious activities (for example, installing a hook, injecting a DLL, etc) are detected. You must decide if those behaviours belong to legitimate apps or malware.
A whitelisting HIPS scans your system for installed apps and gives them full permissions. Anything else which is installed/download later is denied access. A good article about AntiExecutable.

 

thank you - lots to digest

But where do we stand if he wants to download something that is legit, or install a new game from thw shop - will a whitelis block that too?

 

Yes
-Disable AntiExecutable protection.
-Install the game/app.
-Reenable AntiExecutable.

 

I swear you're talking about my father-in-law... I think I'd go with the breaking the fingers option.

You did better than me. I did the same thing, making sure he could not open IE in any way. But he hated Opera, said he couldn't work it, so ended up installing Firefox.

If he's like my father-in-law, several things to take into consideration: Is it simple so it will work without requiring a lot of interaction on his part? I tried to pick apps that automatically updated when he went online, because if it required a manual update - then forget it! Not gonna happen with him. So I installed Avast AV that updates every time he goes online. I also installed ZA free and set permissions for all his apps. I don't think the pro version would be a good option for your dad - too many decisions to make, etc. It would be a disaster if I put it on my father-in-law's machine. Also, if he can't keep from clicking on the wrong things, he's going to hose his machine no matter what you put on there. Also, I would just use the browser protection for Bufferzone, and create the desktop link to where he has to open his browser through Bufferzone. I will say that as click-happy as my FIA is, his machine has stayed squeaky clean just by having a good AV, ZA and using Firefox. If all else fails, there's still the finger thing...