recommendations for a n00b security lineup

Discussion in 'other anti-malware software' started by Ice_Czar, Dec 17, 2006.

Thread Status:
Not open for further replies.
  1. Ice_Czar

    Ice_Czar Registered Member

    May 21, 2002
    Boulder Colorado
    We are all aware of the dismal level of security knowledge with the majority of computer users. From sheer ignorance to misplaced trust in a variety of applications that may well leave large holes to be exploited. Especially when risky behavior is added to the mix.

    While the majority will continue to heed the siren call of marketing spin, there is a segment willing to learn and forward that information via forums to others. Those recommendations go down far easier when the vast majority of a layered defense are comprised of freeware or affordable alternatives. Maybe with a key (but pricey) central application.

    The secondary point of these lineups is educational. Their ease of use shouldn't be so great as to totally eliminate the need to understand key concepts of security, vectors of attack and vulnerabilities to watch. Nor should they be so complex as to overwhelm the inexperienced.

    The overall objective is to provide several low cost but effective lineups that teach the one great truth. Security needs are always changing and if you want a secure box you need to learn and keep your ear to the ground.

    As a former admin for a forum, and for friends and clients when I build and setup their computers Ive developed my own lineup. But I'm interested in alternatives as I contemplate assembling several step by step (with pictures and arrows) install guides.

    Thanx ;)
  2. WSFuser

    WSFuser Registered Member

    Oct 7, 2004
    for a easy setup, id go with Firewall + AV + Prevx1 + Firefox or Opera.

    A choice for firewall could be the Windows Firewall, or if they have a router with firewall, the use it instead. If they want outbound control then ZoneAlarm and Comodo are two good free solutions.

    For AV, u can pick between AVG, Antivir, and avast. all free.

    I put Prevx1 in the setup because in ABC mode it will likely never prompt, and it will pick up anything missed by the AV.

    Then theres Firefox/Opera, just using an alternative browser can help in keeping users safe.
  3. screamer

    screamer Registered Member

    Apr 14, 2006
    Big Apple USA
    I maintain two different boxes for two "very different" daughters.

    Daughter #1: couldn't give a damn about "anything" and justs wants web access as fast as possible. Will shut down AV, or if FW give a pop-up will click the first button that closes it.

    For her box I use Antivir (free), Comodo PFW, Spyware Terminator (HIPS disabled) AV is set to update & scan during the early morning when she is asleep.She is on a limited account and can't install apps.

    Daughter #2: has kids and really doesn't have the time, nor the inclination to learn about security apps. She mostly uses e-mail, web, and D/L's lotsa free games for my grandson.

    For her box I also use Antivir (free), Comodo PFW, Spyware Terminator (HIPS disabled), CyberHawk, SuperAntiSpyware (on demand) & a Squared (on demand)
    Her AV is also set up to update & scan at off hours. SpyWare Terminator runs daily at 11:00am. If she sees something she is unsure of, I told her to "just block it". Just last night I was checking her machine and ran a few scans. She had 58 (bad files) whether it be a low priority or a tracking cookie and one trojan ( & installer).
    Ran JV16 to clean the registry and then defragged the box w/ Power Defragmenter and Contig (also free)

    When I left, it was humming along like the first day it was set up.


    edit: I gave daughter #2 a router (behind her BroadBand Modem) even though she has a FW, just to be on the safe side
    Last edited: Dec 17, 2006
  4. KDNeese

    KDNeese Registered Member

    Dec 16, 2005
    Going by my own experience when I know next to nothing about security, I know that my "suite" consisted of Zone Alarm free (which was simple to learn), Avtivir AV, and Winpatrol. I later added the usual free scanners (Ad-Aware, Spybot) that were easy to use, but I was also willing to do the scans and take some precautions. The daughters mentioned in screamer's post sound like my father-in-law, who never updates software, never runs scans and then calls on me to come get the crap off his computer. I have now installed software on his computer that updates automatically and runs scheduled scans, which has kept me from getting ticked off, due to the fact that he doesn't call me every other week to come fix his system. The apps I installed on his computer are Zone Alarm, Avast AV, Winpatrol (for startups, not for scans) & SuperAntyspyware. His computer has stayed clean for a long time now, even though he is pretty clueless when it comes to the dangers of the Internet.
  5. Kaupp

    Kaupp Registered Member

    May 17, 2005
    It would be helpful to provide an alternative and also interesting if we had some more info about your lineup. Can you provide any details please? :)

    kind regards

  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    May 9, 2005
    Indeed, providing with an alternative can be tricky if we don't know the primary.

    TECHWG Guest

    Comodo Firewall
    Antivir or AVAST antivirus

    im not up on anti spyware software so i cant comment and i think for a n00b as you put it, they probably cant handle a HIPS software of a high calibre but something that has execution protection would be handy though and i think some anti spyware has this but i am not sure
  8. Ice_Czar

    Ice_Czar Registered Member

    May 21, 2002
    Boulder Colorado

    well, what Im aiming to do is document from a fresh install (which I have several to do) a complete step by step screen capture of how I secure & tweak a box. But since I have several to do I thought I could select a few alternative lineups as well.

    This would include securing the OS and not exposing it prematurely to the big bad internet, discussing vectors of attack and how to limit them, the dangers of potentially vulnerable protocols. And exactly how to configure and use the various security applications & common applications (browser, email, IM) as well as benchmarking the security, testing it and finally imaging the whole shooting match to a recovery partition.

    Its primarily focused on the user creating whitelists and locking everything else down. Its not aimed at the clueless, but rather at the aspiring geek (read gamers and wannabe power users). But the brighter clueless might also benefit if they stick to the "simple" track of the series.

    the central security aps are a rule based firewall & HIPS, a sandbox and free AV with a network of logs and checksums on the security aps for tripwires that should defeat an automated tool's ability to subvert without detection. The Benchmarks are RootkitRevealer and HijackThis (alternately IceSword)

    my current lineup & proceedure goes something like this:

    Hardware Firewall
    advantages and typical configurations

    Secure the OS
    partitioning the drive to separate the OS system partition and the data partition(s) from the recovery partition with the image of the secured OS.
    download and burn service packs and hotfixes previous to the install
    or employ Knoppix to do so from the fresh install
    setup automatic updates
    disable unecessary services
    disable NetBIOS (implying there are also no insecure "legacy" OS's on your network)
    disable Guest account
    setup a general user account
    rename Administrator account
    create fake Administrator account (disabled)
    enable network lockout of the true Administrator account
    Limit the number of logon accounts

    remove the "Everyone" group and replace with "Authenticated Users" shares
    disable default hidden shares, administrative shares, IPC$ (depending on networking needs)

    Unhide File extensions, protected files, all files and folders
    remove insecure subsystems (OS/2 and POSIX)

    optionally how to protect, watch\log, remove and reinstall: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ \ cscript.exe \ debug.exe \ \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
    how to remove and as needed replace the .reg file association from the registry editor (breaking any automated malware that requires the above)

    configure security policy control through GPedit and building your own MMC console
    (here you see where my tutorial is really aimed at W2K\XP Pro versions with registry tweak alternatives for XP Home)
    enable auditing (logon, object, privilege, account management, policy, system)
    set permissions on the security event log
    set account lockout policy
    assign user rights set NTFS permissions

    Install Software
    disable HTML in e-mail
    (in both Internet Explorer & Thunderbird with the option to use Allow HTML temporary in TB)
    Installing Firefox with the noscript extension
    how to restrict IE with a noaccess.rat
    optionally how to disable and restore ActiveX\WHS\VB\Java\Java Scripts in the OS itself

    Install, configure and log an AV (likely freeware with a general discussion of advantages and disadvantages of various paidware)

    Install, configure and log a rule based HIPS (my first example will employ ProcessGuard since I have a full license but here is where additional alternatives are welcome)

    Install, configure and log a rule based firewall (again recommendations Im still using Kerio PF2)

    Install, configure, log and employ a sandbox (Im going to use sandboxie in my initial example configured as a service protected by the HIPS from termination) a step by step of how to get it to play nice with the HIPS, scan and save data out of it, where and why youd want to use it, ect.

    Install and configure checksum tripwires to watch the security .exe and .dll
    (intially I'll be using Filechecker with an additional baseline generated at startup and on demand with a .bat and fsum for additional verification)

    Baselining the security with Rootkitrevealer and HijackThis and running down entries as you install additional software to maintain a current baseline. (again additional alternatives are welcome)

    Configure applications to write to the data partition rather than their default locations, change the default locations of the OS to do the same (My Documents et al)

    how to install the recovery console to the HDD\boot menu
    a .bat to automatically backup the registry at each boot (system32/config) enabling you to roll back to any previous boot not just the last known good (which gets overwritten) from the boot menu recovery console

    >>> connect to the internet start configuring software firewall

    Installing and running Baseline Security Advisor
    optionally NessusWX\Nessus 2.2.5, ATK

    installation of common aps with a good freeware list, the advantages of aps that arent employing DRM and phoning home, and what these aps require to run correctly without overloading the event log with errors or failing to run altogether if youve chosen to be really paranoid and remove\restrict the files listed above.

    some common OS tweaks and customizations (shell integrations, reg tweaks ect)
    how to Install and secure TightVNC w\ openSSH so you can remotely admin your brother\sister\GF\ect's box (if this is for them) with a tutorial on dynamicIP services

    optionally how to employ XPLite to remove large chunks of the OS that arent needed (potentially insecure) and what that can mean for updating and how to circumvent that manually. (IE, OE, WMP ect)

    cleanup HIPS and firewall rules, double check logs, save up-to-date baselines and clear all log entries

    Imaging the secured and tweaked install to the rescue partition employing examples of both freeware and Ghost.

    (a brief discussion of the importance of hard backups of the data partitions with checksum verifications, with a sad story of how a bad stick of RAM corrupted 200GB of RAID 5 array as I moved data around :p )

    the closing discussion leads the security wannabe to SANS, Snort, Bugtrac, Honeynet ect (and of course here) for further education or extracurricular activities. The really scary monsters that are both real and may soon be real (undetectable rootkits, virtualization exploits, port knocking, subversion of hardware EEPROM and flash memory)
    and the advantages of configuring Google news to include a few custom news sections like worm, virus, malware, exploit, hotfix and rootkit which should at least be skimmed once or twice a week.

    and finally how to conduct really risky behavior via a Live CD :p
    also how to employ a LiveCD (or parallel install) to detect malware from outside the OS

    the beginning and the end are pretty set, but Id like to avoid making this a specific endorsement of security aps X Y Z and provide some alternatives for each class. In effect optional tracks with a different HIPS\Firewall\AV on each. Basically here is a whole lot of freeware with a core paid component that forms a decentralized and self checking layered defense which should defeat or at least detect any automated subversion attempt. Setting it up costs you just little more than time which would be well invested the first time you're successfully infiltrated with a quick restore. And you learn alot along the way.

    Ive got a few websites that would be happy to run this article\guide\series.
    And I'm willing to invest in a few new core aps for alternative examples.
    Last edited: Dec 18, 2006
  9. Kaupp

    Kaupp Registered Member

    May 17, 2005
    Well, that's quite comprehensive! Thanks for the quick and exhaustive > answer! :) > >

    I can't really add much to that other than for a firewall I prefer to use outpost,it's easy for beginners and it packs a lot of advanced features in aswell that can be explored as the user becomes more familiar with the firewall.
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.