Securing Vista 64 H/Premium

I made the change to 64 bit Vista Home Premium from the 32 bit version , and decided to see if securing it was possible without using any vendor AV ,HIPS,Sandox ect.

After lots of research on wilders and other sites , i put it all into practice .
First off 64 bit vista has "kernal patch protection" , not really a saving grace as vista shuts down if the kernal is hooked. Next turn on hardware DEP (Data Execution Prevention) for all programs. turn on UAC (User Account Control). and set up a LUA (Limited User Account) account and use it .

Using Lucy's great post www.wilderssecurity.com/showpost.php?p=1402246&postcount=1 with an addition to an unrestricted path for "Program Files (x86)", i now have SRP set up (not sure if any more paths are needed, mabey "Program Data" DiR ?).

Having a NAT router with firewall i dont feel i need vistas firewall running.
so what have i got ... Windows defender , DEP, UAC , LUA ,SRP , Firefox with noscript . I would be interested in hearing your opinions/views downsides ect.

 

Hi,

Get rid of Windows Defender.

 

Windows Firewall would only be inbound protection and provides an extra hurdle for anyone wanting to gain access to your computer- a very good idea to put those extra hurdles into place and help them to make the decision to go elsewhere, but what do you have to protect the outbound side if perchance you become a high-valued target (if they are determined enough, they can break into your computer) from calling home, i.e. outbound communication filters that only by your approval (unless they get root or admin access when they break into your computer) can anything go outbound.

Think about it - at least ZoneAlarm Free can handle it for you to protect your back.

BTW, only get onto the Internet with a regular users account - surfing with root or admin permissions makes it far too easy for someone unauthorized that gets into your computer to have root or admin permissions, and then your computer becomes owned by them.

-- Tom

 

Hello

First, you need the Vista firewall on, if you have more than one computer on your local network or if you have some friend's comming by with laptop's.

Here is my advice to a simple secure setup.

1. Enable automatic updates (Windows + Adobe + Java, etc.).
2. Enable windows firewall.
3 Use a limited user account (LUA).
4 Install a AV program, that uses minimum system resourcess.
(ex. Microsoft Security Essentials - Avira AntiVir - avast)
5. Setup Software Restriction policy/Parental Controls.
6. Implement system and online data backup.
(ex. Carbonite - Live Mesh (5 GB) - Macrium Reflect - Easeus Todo Backup)
7. Think (Mail, Web, Software)

No need for anything else.
Also In Windows 7, you will have a built-in image backup, nice and easy.

/Jesper

 

Hi Tom

For the average home user, outbound filtering is false security.
If malware is activated on your system with admin rights , it's "game over".
It can manipulate with your security software (firewall, services, system files)

In my view all "internet security suites" and 3 part firewall's are the worst junk and should be forbidden by law. They give the users endless problem's.

/Jesper

 

Windows firewall
Eset- Suite or AV
Keyscrambler
Malwarebytes on demand

that is my setup on my 64 bit and it is working.

 

Try this https://www.wilderssecurity.com/showthread.php?t=250748

When you install x64 MSE anti virus, it automatically shuts off windows defender.

 

Thankyou for all your comments,

Lucy and Kees1958 .. i took your advice and installed MSE .. as you say defender is put on hold.

I really dont see the need for an inbound Firewall as i am behind a NAT router with SPI firewall, but i take on board your comments about an outbound firewall.

The whole point of this setup though, is that nothing without my consent can actually run (read my folders yes), but ring home and download more crap no.

Update: i got fed up with programs only running from %program Files% %WinDir% ect, that i went back to admin account and run win7 in a VM when i need to surf unsafe sites , Online banking i now run from a Linux (Knoppix) CD.

i'm weak i know *grin*.

 

Hi Ickk,

Not weak, just getting smarter about security!

-- Tom

 

Ickk i absolutely dont think you are weak!

Together with brain1.0 you should be very well protected! Better then with unnecessary security software!

One question just because i am thinking of that at the moment.
Is LUA nessecary while UAC is active?
I thought UAC will lend the LUA token to the administrator token if nessecary. So it should be as safe as a LUA. Am i wrong?

 

As far as i know the default setting in Vista when you install and create your account is an administrator account, which is run as a LUA if UAC is enabled as you say.
What the difference is between the admin/LUA and a normal LUA account is i couldnt say ... I do get UAC prompts when running this account.

When running another created LUA account i dont seem to get any UAC prompts even when i right click and run programs as admin.

Whether or not the admin under UAC is the same as a normal LUA account i couldnt say. Perhaps someone can enlighten me.

 

Maybe you will find your answer here.

http://windowsvistablog.com/blogs/w...7/01/23/security-features-vs-convenience.aspx

http://www.dslreports.com/forum/r23005707-Confused-about-limited-account

 

Thankyou for those links Jdd58.

Habakuck you are not wrong , it seems there is little difference running an Admin account under UAC than a Standard user account.
The Admin under UAC seems to share/use on the surface anyway the Standard user Token.

 

Ok. So i should be no security problem to log in with admin rights as long as uac ist active.