Secure setup for Win8

Discussion in 'other security issues & news' started by T-RHex, Mar 16, 2013.

Thread Status:
Not open for further replies.
  1. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    Hello. I'm looking at diving into the realm of Win8 with a new computer for my father, and am trying to determine what I should be doing in terms of security. Currently he's using WinXP with Outpost Pro, Avast (7), and MBAM Pro behind an ISP's gateway device (not a discrete router).

    I know opinions varied on whether 3rd party software firewalls were necessary for Win7 (as opposed to using Windows Firewall), and MSE versus 3rd party realtime virus scanners, but what about Win8? Is it secure enough with whatever is built-in, or is MSE still lacking? Is it still new enough that all the inherent holes are still being plugged on a regular basis? (I distrust any new major software versions, especially OSes, until it's been in regular use for a while.)

    Also, I've long ago made the choice to always use an Admin account. I knew the thoughts on using admin vs. regular accounts, but I figured that there is so much out there on how to get around the restrictions of an admin account (for malware), that I'd rather not have the headache of having to go through the regular-user-limitations learning process. What's the prevailing wisdom on Win8?

    Any opinions would be appreciated. (and if this is the wrong forum, please move to the appropriate one)

    Thanks!
     
  2. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    I've put together a defense-in-depth plan at http://www.mechbgon.com/security that I recently revised for the Win8 era. This is the approach I use at home and at work, and has proven effective.

    Regarding Admin accounts, I'd suggest reserving the Admin account for Admin duties, and maxing out UAC. There's real-world value to this, and unlike WinXP it's not that hard to be a Standard User on Win7/8.

    If you want to simplify elevation prompts, pick up a used Authentec fingerprint scanner off Ebay and grab a free Authentec software download from http://support.authentec.com/Downloads.aspx. Protector Suite is more deluxe, TrueSuite is more simplified. In the case of Protector Suite, the WBF (Windows Biometric Framework) version is the best pick for Win7/8. This also simplifies using stronger passwords at websites, and not re-using passwords between multiple sites.

    Regarding the built-in Win8 antivirus (MSE rebadged as Defender), if you have realistic expectations about what antivirus protection can and cannot do, then it's OK. I would add EMET for sure, even though it doesn't officially support Win8 yet.

    One other suggestion: since Win8 supports a new type of data execution prevention called SMEP, pick a new computer with a CPU that features SMEP. As of early 2013, this limits the field to Intel CPUs with an Ivy Bridge core. There are Ivy Bridge variants of Celeron, Pentium, and Core i3/i5/i7. SMEP blocks some types of kernel privilege escalation exploits, including one used by the infamous Stuxnet malware.

    Also, don't neglect the Backup aspect of security. If you have an external drive you can spare, setting up the Win8 File History feature is an easy start.
     
    Last edited: Mar 17, 2013
  3. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    Thanks for the informative reply and the link, mechBgon, that's exactly the kind of summary I was looking for.

    I think I have realistic expectations regarding antivirus software. I know no AV is bulletproof, and I long ago started with education about awareness while surfing etc., but I can't be there to monitor his actual behavior and protect him from all the junk he gets sent to him by friends. In the past I had decided on taking the AV route because I don't have the time (or confidence) to harden the system and make AV superfluous. That being said, is Defender "merely" OK or "really" OK? ie. is there any perceived benefit at going with something like Avast over Defender? I think much of what I read about AV software not being useful (as compared to the lightness of Defender) seems to always be discussing the latest threats -- not older ones that might still be lurking around; then again, maybe Defender is just fine against older "well known" threats, and that's good enough.

    As for the firewall, your link says that no firewall can protect against an infected system. However, I think the symptoms would be obvious, ie. the firewall shutting down or crashing (I had witnessed such symptoms years ago). Also, outbound firewalls would alert the user to spyware which isn't necessarily malicious but annoying. But I agree with the wisdom of using Windows Firewall, in that it's simple; I tire of having to understand/configure third-party firewalls and such, even though I still like to see what's dialing out. Of course my biggest concern is reliability. MS products not only have a history of containing exploits, but they're also the biggest target for exploiters -- I don't know if this makes 3rd party security any better (they're not as high profile) or any worse (not as well tested in the real world).

    Thanks for the tips on SMEP. I was looking at a new Ivy bridge system.

    Because I'm going for a lightweight notebook with no room for a backup drive, I knew I'd need some kind of external backup so I'll check out that File History feature as it may be just what I need (previously having used some combination of Terabyte's IFW, Karen's replicator and Genie backup).

    Thanks again.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    SMEP is OK but not really worthwhile right now. It will be when SMAP is supported - until then it's kinda a similar situation to DEP without ASLR, working around it isn't difficult.

    For Windows 8 I just use EMET 3.5 with a massive list of protect apps and DEP, SEHOP, ASLR all set to Always On.
     
  5. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    My thoughts regarding firewall protection are derived partly from reading a lot of malware analyses, and partly from my days as a malware-hunting hobbyist. If first-stage infection uses an approved app or service to fetch more stuff, then I don't know how much value there is. Chances are pretty good we've approved a browser and BITS for firewall clearance.

    After uploading tens of thousands of very fresh malware samples to VirusTotal and seeing how low the signature/heuristic detection rates really are, when it would actually be in time to prevent infection, I really have little confidence in conventional AV from any vendor. If they have good behavioral detection, then that would be an attraction, but look at how many years it took to nail Stuxnet, Duqu, Flame, and so on. By any vendor.

    I haven't studied up on current AVs enough to say which is best, but if I were going to pick something that I expected to beat Defender in practical ways, I'd consider Kaspersky Internet Security. Historically they've had relatively good conventional (heuristic/signature) detection, and I see they have some anti-exploit and anti-keylogger stuff thrown in, plus a 2-way firewall and password manager.

    Anyway, I have MSE or Defender on our systems at work, in the hands of average users, with the lockdown plan described in my previous post. They have no malware problems. The last time I remember the antivirus raising an alert, it was a search result poisoned with a Blackhole launcher. I uploaded the detected file to VirusTotal (html, if I remember correctly) and MSE was the only AV detecting that sample at that point in time, out of more than 40. So it's good to hear that you have realistic expectations of AV... it might work, it might not. So many people still think antivirus is a panacea and a bulletproof defense.
     
  6. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    Thanks for all the good info (I got waylaid for a bit here).

    I'm looking at an Asus with Win8 but not yet sure if it's Home or Pro (haven't physically checked it out yet). But it's only an HM76 chipset (versus the Thinkpad Edge which has the HM77 chipset but Win7) ... but I'm guessing that has no impact on security, as I think the only differences are the number of USB ports, RAID, and support for Smart Response Technology which wouldn't be useful without a SSD cache anyway. Either is an i5-3210M, and from what you said that's the important part: being Ivy bridge.

    Any recommendations on resources (links) to good sites on setting up Win8? And it looks like to get the Start Menu back (and be rid of Metro/Modern) requires a 3rd-party addon (ie. not a configuration from Microsoft)? o_O
     
  7. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    Here's a list of Start-menu replacements: http://forums.anandtech.com/showthread.php?t=2283053

    I currently use StartIsBack and Start8 myself. You can give them a free trial and see how you like the results. RetroUI is another to consider, since it can force even the full-screen Metro apps into a window so they don't take over your whole screen. I have a RetroUI license too, but didn't like its klunky-looking Start menu (which I believe they've now fixed).

    I haven't got a Win8 setup guide bookmarked yet, but here are a couple suggestions:

    1. decide if you want your log-on account to be a "Microsoft account" (cloud features) or a "Local account" (traditional). When you reach this screen, you'll see the local account option at the bottom in rather small print (hmmm!), I believe it says "Log in without a Microsoft Account". I've been choosing Local Account, so I don't have any experience to remark on the pros and cons of the Microsoft Account, I'm just pretty sure I don't want to sync stuff between home and work PCs in the first place.

    2. part of prying loose as much Metro as possible, is associating your filetypes with non-Metro programs. Once you have a Start menu, type "default" in the Searchbox and you can assign default programs using "Set your default programs." The Windows Photo Viewer is the traditional one that isn't a full-screen Metro app, likewise for Windows Media Player or your preferred third-party player like VLC. In the interest of security, you might give the Win8 Reader (PDF/XPS reader) a chance before switching to a third-party one, since Reader is simple and gets sandboxed in an AppContainer.

    3. if you decide to use Windows Defender, you can schedule more frequent updates by creating a Scheduled Task. Click Start, type "Schedule" in the search box, and Task Scheduler will appear. Right-click it, choose "Run As Administrator," and then "Create task." Have the task run as SYSTEM, give it a schedule, and have it run "C:\Program Files\Windows Defender\MpCmdRun.exe" with the -signatureupdate switch. You can create other tasks for MpCmdRun to run quick or full scans on a schedule too. -scan -scantype [1 or 2] get you quick(1) or full(2) scans respectively. This is also applicable to Microsoft Security Essentials.

    4. once it's fully set up and updated, you might want to run Disk Cleanup and get rid of old update files, and do an Optomize on the drive (in Computer, click the drive, then the Drive Tools tab at the top of the window).

    5. enable Enhanced Protected Mode on the Desktop version of IE by opening the Internet Options panel and going to the Advanced tab, then scroll down to the Security section for the EPM checkbox. You might also want to go to the Privacy tab, set Privacy to at least Medium-High, then choose the Advanced button and set it to arbitrarily forbid third-party cookies. If you don't routinely use IE yourself, this is still not a bad practice in case something tries to co-opt it for malicious purposes.

    6. I suggest maxing out the User Account Control slider to "Always notify."

    7. go to Windows Update in the Control Panel and switch it from Windows Update to Microsoft Update using the "Get updates for more Microsoft products" link. I've seen a couple cases where I get put into an endless loop and can't install MU that way, in which case installing Silverlight will enable MU and then I can uninstall Silverlight. There's probably a more elegant way to do this, but whatever works.

    That's all I have time for this morning but if I think of more suggestions, I'll post them separately. Hope that helps :) Oh, and make sure the new system does in fact have 64-bit and not 32-bit Windows.
     

    Attached Files:

    Last edited: Mar 26, 2013
  8. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    Thanks, mechBgon, that's very much appreciated. :thumb:

    I have to agree with sentiment that I've read about Win8 in that I hate having to add-on something that should be fundamental to the OS. But I'll think about it.

    The new systems I'm looking at are all 64-bit, but, they're not Pro. Other than Software Restriction Policy and Bitlocker, is that any kind of real limitation, security-wise? I've used Truecrypt for years to protect sensitive data, and (by searching) it sounds like it runs fine on Win8 (non-system-partition encryption), so BitLocker isn't an issue for me.
     
  9. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    great stuff mechbgon, like your website too and recommend it often
     
  10. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    Software Restriction Policy is just one of the many things Pro can do using Local Group Policy, which regular Win8 lacks. Some of the tweaks could be done without a Group Policy, others cannot. I think it's worth having if at all possible. If you're interested, download and install Microsoft's free Security Configuration Manager, and check out the hundreds and hundreds of security settings it can customize for you using Group Policy.

    Thanks adrenaline7 :)
     
  11. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    If it's your dad's comp, I wouldn't pay extra dollar for the features Pro offers over Home.
    When you (or he) really want to use GPO settings on his computer, Pro is a must of course but otherwise I'd spend saved money on an extra 32/64GB mSATA SSD inside the Lenovo Edge to store the OS.
    If your father can work easy and safe with (/isn't bothered by) his current security software, money spent on a small SSD might give him more enjoyment than Pro features like GPO setting options.
    Perhaps other Pro features are usefull/needed for your dad but considering the speed/experience bump offered by an extra msata SSD, it's something to consider imo.
     
  12. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    Thanks for the replies.

    I've decided on the Asus over the Lenovo Edge; even though at the same price the Lenovo has the better features (support for mSata, fingerprint reader, faster HD), in the Thinkpad support forum there are a lot of users having had issues with a noisy/whiny/annoying fan in the Edge that are not getting fixed.

    About restoring the start menu, I think I'll try without for now and see what my dad thinks about it (using an open mind here). If he finds it annoying, I'll look at adding back the start menu. I did find a tip on putting the desktop as the first app so that one keystroke (enter) would launch the desktop from the modern UI.

    And overall for security, I'm getting a little hesitant about going overboard in enabling all these security features. I wanted something easy to setup/maintain, and thought built-in features would simplify things over using third-party security software. But now it's getting a lot more complicated! I don't just mean the learning curve to set up everything (and I know it's mostly set up once and it's done) ... but also the ongoing usage of the computer. If something ever doesn't work because of EMET or SRP settings and I'm not around or available to walk him through it, then he won't be very happy. Until now, I've had success with Outpost FW (with Anti-leak protection disabled, the source of most prompts), Avast AV, and MBAM Pro ... though there are a few prompts, it generally hasn't been a problem and has not been a limitation (I don't get any panic calls). I'm not saying the combination hasn't been without issues (mostly due to annoying Kodak printer driver updates), but I fear replacing it with something that requires a higher level of technicality (which SRP definitely is). Is this where Parental controls comes in? ie. adding a level of protection where all it takes is entering Admin credentials to allow it to continue? I know he can manage that.

    I also like having a firewall that at least shows all outgoing rules that have been created; I like to review these once every few months just to make sure nothing has gotten out that doesn't need to. I know this is not a proactive tactic, because it's not designed to be -- mostly it's just a way to monitor what's going out and restricting things that really don't need access (usually monitoring or registration type stuff). Can the Windows firewall show everything that's been automatically allowed outbound access?
     
  13. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    I can understand where SRP might be baffling. You could try Parental Controls first.

    For a real-world example of how they would differ in handling stuff, I'll use the Adobe Reader updater. Once either SRP or Parental Controls are set up, they'll allow the Adobe Reader updater to run. SRP allows it because it's in an approved location. PC allows it because it's been specifically whitelisted by its hash.

    When the Adobe Reader updater *does* run, and finds an update, it asks the user to approve the update. It's running in the context of the user, so the file that gets downloaded from Adobe lands in the user's Temp directory, where SRP won't allow it to run. Your update fails with a mysterious error code in the Updater panel that does NOT cue the user "well duh, SRP blocked it. Elevate the parent process." To work around that, you launch the Adobe Update thingie using Run As Administrator, thereby bypassing SRP since you wouldn't have SRP apply to your local Admins.

    Parental Controls, by contrast, will prompt the user with "hey, we have a new .EXE here and it's not approved. Execution has been blocked," but the user can then override using the Admin credentials. So it's a little easier because the user has a cue that they need to take action, instead of an unexplained error code. But it also has a downside: the user is being trained to just approve any unexplained Yes/No prompt that appears on the screen. And we know how that can end up. "oh look, this thingie says it's a Flash Player update or a codec or whatever... I'm always clicking Yes to these to get stuff done." And it turns out to be a Trojan.


    Definitely do max out UAC; it doesn't present any greater of a challenge in maxed-out form, it just questions more types of actions.

    If you have a preferred third-party firewall, go for it. The native Windows Firewall can be set up to log stuff, but it's doubtful you'd find it useful.
     
  14. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    Thanks for that example, it really shows the operational difference between the two. I think he could live with Parental Controls and I'd be comfortable with that.

    I have the Asus (K55A) and am finally starting to play with Win8. Not as bad as I had feared (though still don't like Modern, since it's *gasp* not a tablet).

    Another question: Is there a hidden Admin account in Win8? Do I need to change the password for it?
     
  15. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    Sorry it took this long to reply, I've been working 12-hour days :blink: Yes, in typical Windows fashion, there's a built-in Admin account named Administrator (on English installations), as well as a built-in Guest account. Both are disabled by default, so they're not an inherent hazard. They both have blank passwords, which makes it impossible to use them for "secondary authentication," like using the RunAs command to run a program using the built-in Administrator account. This is why, ironically, a blank password can be stronger than a weak password in some scenarios.

    To see the user accounts that don't necessarily show up in Control Panel's User Accounts GUI, run compmgmt.msc using Run As Administrator, and you can view your system's accounts there. Or you can use the command line, with the net users command.
     

    Attached Files:

  16. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    Thanks for the excellent answers! No problem on the delay; it's been a week and I'm still stumbling my way around Win8 and its config. I just tested imaging software (not builtin) and am now doing a system restore from the factory partition -- figure I may as well clean out all the stuff I've messed around with, test recovery at the same time, and start fresh. Booting from CD and UEFI are driving me nuts, though.

    12 hour days, eh? Yechh, my sympathies. You must either be a sysadmin or a developer.
     
  17. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    :D Former sysadmin, but now a bicycle mechanic. The springtime rush has begun. And I guess I'm still a sysadmin in a small way, since I maintain the computers at the bike shop.

    On that tangent, one of the reasons I did push to upgrade most of our Win7 systems to Win8 Pro at work, was the lower cost of maintenance... with a built-in PDF reader and integrated Flash Player, both of those now update automatically via Windows Update, which means I can get off the Adobe update merry-go-round and spend that time doing my real job. Those $40 Win8 Pro Upgrade licenses were a bargain, too bad that deal ended.
     
  18. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    :thumb: Good move.

    I had a look at the modern PDF reader and didn't really like it. Is there a desktop equivalent? And I presume it integrates into web browsers? I've long used PDF-XChange Viewer and have quite liked it; it doesn't update as frequently as Adobe but "apparently" doesn't have the same level of vulnerabilities (or so claims the company).
     
  19. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    I wish there were a Desktop version of the built-in PDF reader, but there isn't. If I had to use something else, I'd use Adobe Reader. It does have some serious mitigations to offer, they're on their second-generation sandbox now. And although it does have excessive features to abuse, they can be turned off. So if you do that, what you're left with is a functional but well-restricted PDF reader in an advanced sandbox. I'd add it to EMET's list of protected apps for further exploit resistance.
     
  20. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    Thanks for all the tips.

    A stupid question: is it recommended to set a password on a LUA?
     
  21. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    If you want to prevent an unauthorized person from using the computer, such as a visitor, then a password has value there. If that's a common scenario, then you can set up a separate LUA for visitors, so they're allowed to use the computer but won't have access to your dad's account and its contents.

    If you want to encrypt files using Windows' built-in capabilities, so they can't be retrieved if the computer's actually stolen, then that's a stronger reason for a password. If I steal his computer and forcibly reset or remove his account's password, his encrypted files are safe forever, since the encryption certificates go *POOF*. Obviously this is a double-edged sword... make sure to create a password-reset USB key and store it somewhere safe.

    Beyond those reasons, the only reason I can think of for giving the LUA a password is if you want to do secondary authentication, which is where you run a program as an alternate user. At work, I want to monitor two Gmail accounts at the same time in web browsers, so my computer has a second LUA account and I run a browser under that second LUA's credentials to view the second Gmail account. Well, this doesn't work with blank passwords, Windows arbitrarily forbids it.

    If anyone else has thoughts on when a password is useful on an LUA, chime in :thumb:
     
  22. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    Well, it's been in his hands for a week. No real issues so far, other than having to learn a new interface (was previously using XP).

    I chose not to set a password for the LUA, to save him the hassle of the extra steps (pointing out to him that a password doesn't protect anything if the computer's actually stolen (his concern) and unauthorized use by others in the house isn't an issue, as there's only my mom. ;)) Sensitive data is encrypted with Truecrypt.

    Heh, when I had said about PDF-XChange '"apparently" doesn't have the same level of vulnerabilities (or so claims the company).' ... reading that now sounds very naive, but I had meant that we can never trust what a company says about their product, because they'll always say it's secure.

    I still haven't set up EMET yet -- I haven't yet had time to learn enough about it and I wanted to get the computer into his hands. Too little time, so much to learn, eh?

    mechBgon -- thanks for all the info provided and for your time.
     
Loading...
Thread Status:
Not open for further replies.