Seeking advice on overhauling and hadening my security setup

Hello,
I'm seeking your advice on overhauling and hardening my security setup.

A short introduction first: I am what could be called a "safe" user. I don't visit questionable websites, don't install stuff that I don't know, generally don't thinker with the system if I don't know what I'm doing, etc.
I don't like AVs, nothing personal, but I just don't like all those resident shields and the quite often performance hit that accompanies them, and because I'm most likely to get hit by a drive-by malware from allegedly legitimate sources, I seek to employ a more "passive" layered security setup that will prevent the malware from accessing my system and runing in it.

For a while I've been meaning to get to the subject of hardening my system more seriously, but (excuse here) had other priorities. I recently been hit by a drive-by in the form of a malware spreading through an Ad in a very legitimate website (and this is why I had AdBlock disabled on the domain), and although it turns out I managed to caught it up before it could do any damage - Windows Defender alerted me about a suspicious activity, I immediately closed the browser and cleared the cache and then ran some on demand scans that did not find anything; Upon revisiting the website, now with AdBlock enabled, no malware was detected by Windows Defender and later I learned that some users were seriously infected, probably by some blend of rootkit(s) with some more visible malware - I came to realize that I'm taking a very unnecessary risk.

• I'm currently using Windows 8 Pro, with Windows Defender that came with it and Windows Firewall.
• I'm behind a NAT router with the firewall enabled.
• I'm using Firefox with Adblock Edge (I tried NoScript but it is too much of an inconvenience for me), and although I know that Chrome is more secure because it runs in a low level integrity and even has its own sandbox, I prefer Firefox from a usability standpoint (unless it is too much of a securitu compromise).
• After the above-mentioned incident I start using Sandboxie as well, which I've been meaning to do for a while. Still learning how to use it properly.
• I don't store passwords in the browser, I use KeePass for that.

What I would like to get your opinion about is what should I add next?
I want the harden my permissions through Group Policy (until now I have only use it to disable Autorun). I did some research on the subject (mainly on this forum) and noticed that a lot of people are referring to it, but didn't find any description of best practices or specific details on what people are actually doing. I'm also considering adding AppGuard, but if I understand correctly I could achieve quite the same thing by hardening the system's permissions, and I'm intrigued by that because I like to first use the tools that I already have and avoid unnecessary duplications if there isn't a good reason for that.

And lastly, what I want to achieve is the best balance for me between security and convenience. I don't mind some inconvenience at first while adjusting to the new setup (for example, like learning how to use and setup SBIE), but in the long run I want a reasonably robust security setup that doesn't get in the way of the day to day use and don't put me at risk to lose data (like light virtualization solutions such as Shadow Defender, Deep Freeze, etc. which I'm sure great, but don't think are the right solution for me).

I don't expect to get a step-by-step instructions, but would appreciate if you could suggest some best practices and point to specific topics that I could research further in order to learn how to implement the relevant security measures.

 

I'm on XP so I really can't give you any real advice. However, I'll recommend you to search for the posts of Kees1958 (now he goes by Windows_Security), who, in my eyes is a guru of OS-internal hardening

Welcome to the forums, by the way.

 

you could disable unnecessary services, thats one good thing to do. makes the system run swifter in addition to the security benefits

 

In my opinion, I think your setup is fine. If you find that you like Sandboxie, then I would say use that as your "main" security program. Properly configured, it works great. I used it for a while and even bought a lifetime license but have since removed it as it was an inconvenience for how I wanted to use it. I would recommend adding EMET. It's Microsoft's anti-exploit program. It's light and shouldn't interfere with anything. I would also recommend you consider disabling defender and use Hitman Pro or another scanner to scan your downloads before recovering them as well as your system. Also, make sure you have a backup system in place. One last thing, if you're after convenience, I would look into execution control programs (Applocker, EXE Radar Pro, and HIPS like programs).

As for group policy stuff, I'd be interested in hearing what people had to say with this as well. This is a good thread to start with though.

 

If you feel your browser is the only real port of entry, you could just do some neutering in that realm using native mechanisms. It won't stop everything, but for the common stuff that you are most likely to run across, it can do a good job. It would fit what you want in terms of being unobtrusive. I do a lot of this, with no AV and such, without issues.

Sandboxie only reinforces this. As mentioned, Kees1958 posts have a lot of good ideas in that regard.

Sul.

EDIT: IMO you left out an important piece of data for anyone who might give you their insights -- do you run as admin or user day to day?

 

Go turn NoScript back on, but turn it to Globally Whitelisted. That'll get rid of the 'annoyance' for the most part, but still provide some critical protection.

Click to play plugins.

EMET 4.0b. Try turning DEP, SEHOP to Always On. Then try ASLR to Always On. Careful to make sure that you're running ATI drivers 12.7+ if you have an ATI GPU, and want ASLR Always On.

None of the above should have a significant hit on your usability. They should all provide a very large benefit to your security.

 

Pleas folks, ask SULLY, to adopt his PGS V1 to make it zero configuration setup version V2, adding simple SRP with freedom to install as admin.

Only thing PGS V2 does (no questions no options, just this)

a) Set DEFAULT LEVEL to BASIC USER
b) Apply DEFAULT SRP rules (run unrestricted in Windows and Program FIles of x86 and x32)
c) Apply those rules for ALL FILES (including DLL) and all users EXCEPT ADMINISTRATORS

d) Add the RUN MSI as ADMIN context tweak to PGS V2, see http://www.symantec.com/connect/downloads/msi-run-administrator-context-menu-vista

After install of PGS V2
1. A deny execute Software Restriction Policy to all Medium Level Integrity Processes outside Windows & Program FIles (both x32 and x86). This would protect against drive by attacks

2. Ability to install software (exe's) with right click RUN AS ADMINISTRATOR, ability to microsoft installation packages (msi's) with right click RUN MSI AS ADMINISTRATOR

Regards Kees

 

Thank you guys for welcoming me and all of your advices.
I deeply apologize for the late reply, life got a little bit in the way in the past few weeks, didn't mean to be rude.
I appreciate all the replies and am meaning to get to read them more deeply very soon.

I didn't create a separate user, I'm just using the user created by Windows at the end of installation. I presume that it is basically the usual Windows administrator account (with UAC turned on).

Edited to specifically address (and thank you) some of your advice:

Thank you atomomega.

@chrome_sturmen
Thank you. Since the days of Windows XP one of the first think that I do is to disable unnecessary services, especially those who could be exploited. I usually follow BlackViper's advice, and for some services I'm not too sure about or don't understand BV's advice, I try to research further. Usually I end up in pretty much full alignment with BV's settings.

@CrusherW9
Thank you for the advice about about EMET. I've heard quite a lot about it but never tried it for myself.
Applocker, unfortunately, doesn't work on Windows 8 Pro, just on the Enterprise (or whatever they call it now) version. I though that AppGuard could be an equivalent alternative (and will look into the other options that you mentioned as well), but I don't like redundancy and always prefer to first use the tools that I already have, unless there is a more efficient and/or effective solution.

@Sully

Thank you, it is a good advice, but I don't have a clue how to go about this in practice. I will search for this in general in in Kees/Windows_Security posts in particular.

@Hungry Man

I will first research the EMET thing a little more just to understand what you wrote here, but thanks for the advice. I'm sure that I will use it. I do have an AMD-ATI chip (on-board graphic. HD4200 if I recall correctly; don't know what version my current drives is though) so I will be careful with ASLR.

Done. Thank you.

 

In Win-7 you can check type of your account in "Control Panel\User Accounts and Family Safety\User Accounts". It must be something like that in Win-8. If it's Administrator then you can create other Admin acc. and change type of your acc. to "standard". The best safety practice is to use only Standard acc, not Admin.