Suggestions for setup on old laptop

Discussion in 'other anti-malware software' started by Kees1958, Feb 8, 2013.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

Long story, short recap: a Vista age laptop (Dell laptop with early 1.7 GHz AMD dual core processor, PassMark 1,030) given to an elderly person with loads of old office software on it needs a tweak (it runs very slow).

    I was thinking of doing a clean install with the following components

    Operating system
XP because I have one laying around and it is in Dutch (which is very important) and I do not want to lose a lot of time finding old drivers etc.

    Limited admin rights
Create a new Power User (enable the built-in Admin, keep it as my emergency entry with a new password, delete the user which installed the OS). Power Users are able to install programs, but can't change Windows settings (have access to the Program Files directory).

    Uninstall Windows Media Player, IE and Outlook Express.

    Use only portable 'threatgate' programs which install in Users directory, e.g.
Chrome (default web installer), portable versions of Mozilla Thunderbird, Classical Media Player, AbiWord, 7-ZIP and Foxit PDF reader.

    Install Sully's Pretty Good Security (adds Software Restriction Policy to XP Home) and run Chrome and Portable programs as Basic User. Since they are all located outside Windows and Program Files folder, they don't need Admin access and automatically run with reduced rights.

    Deny execute on Data Partition
    Create a data partition, move User Shell Folders to data partition (e.g. My documents), Install http://www.fajo.de/main/en/software/fajo-xp-fse. Set a deny execute for Everyone on D:\ with security tab (Deny execute file/traverse folder). Hide the security tab again.

    Simple security
Install Avast file shield only with sandbox on "auto". Install Browser Edition of ExploitShield, add Adblock Plus. Keep Chrome updated (giving Chrome updater unrestricted rights). Use the built-in inbound firewall.


    Risk assessment
So they still can install old games like patience, chess etc. (most of them are very old and can't handle DEP). By using portable programs and running them as basic user, with the deny execute on the data partition, the attack surface is reduced. Using a Dutch language AV (with auto sandbox) and website protection (Norton DNS, Google Safe-search, Adblock), I hope to keep them away from risky places.


Any ideas, like which hardening tool to use? Requirements: no questions to the users, either block or auto decide.
     
    Last edited: Feb 8, 2013
  2. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
I would install and use Xubuntu or another easy-going Linux distro.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, but then they can't play the windows games (in Dutch), like chess, bridge, patience etc.
     
  4. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    How about installing Sandboxie, giving direct access to my docs and other common areas of personal data. Tell them to save anything they download to these areas. There is no recovery, the applications ran (forced) in the sandbox cannot tamper with real system, but they don't really know what is going on because everything they download and save is in the real live locations.

Drive-bys and downloaded installers etc. would spawn within the sandbox, so the system is safe. Quick delete sandbox wipes all nasties from the sandbox, but doesn't affect what they saved.

    Force downloads directory into sandbox, or give it Basic User rights only. I would prefer to force into sandbox, so they can be happy installing new mahjong game without hassle, yet it is contained.

    If needed, you can restrict the sandbox to specific applications/directories without much issue.

    A quick and basic explanation to the user:

You browse etc. in a sandbox. Save downloads to my docs. If you have issues, or just want to be "more safe", delete the sandbox. If you install a new mahjong game, it will be in the sandbox but not your real system, so deleting the sandbox gets rid of mahjong. If you really trust the game, copy it to your desktop and then run the installer. This is about wrapping the programs that are most likely to cause you issues, and the things you download and run, into an area that is easily accessible to you, but kept separate from your system.

    The more I use sandboxie, the more I realize less can be better with such a tool. We here are always so focused on security that maybe we sometimes forget it doesn't have to be complicated.

    Oh, the applications run sandboxed can also have the Basic User applied, so if it escapes sandboxie, then the SRP would apply.

    Sul.
     
  6. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
You have similar ones and many others on GNU/Linux, in any language you want.
     
  7. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    516
    Location:
    United States
    @Sully
I am actually planning on helping a friend with their computer and was figuring out a decent security solution for "noobs." While the person does know a tiny bit more than average, I always imagined Sandboxie being difficult and frustrating for non-tech-savvy people to use daily. I wanted to develop a go-to configuration that I would apply to anyone needing help, so I was originally going to use Avast! and EMET because Avast! works on Mac as well. My friend is dual booting and claims she has a virus on her Mac partition. I don't know a whole lot about Macs, but I figured learning one program for everything is better than using a bunch of different programs. Your configuration however has got me interested in Sandboxie for this purpose; at least, on the Windows side. I would certainly like to promote Sandboxie as it is what I use and also because installing Sandboxie and telling the person "yea, this is what I use" is likely to at least make them feel secure. Of course, this could be a bad thing too.... Anyways, long story short, thanks for that post. I may do any combination of Sandboxie, Avast!, HitmanPro, EMET, or LUA + Parental Controls.
     
  8. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Actually a good idea, I am only going to do this with GeSWall free

1. Download Free and use the Pro database through the geswall.dat trick
    2. Give the sandboxed application full access to user folders and partition
    3. Add these user folders and partitions in the system resource section as "trusted". So GW won't sandbox downloaded files
    4. Disable GW protected icon/border in GeSWall GUI
    5. Remove autostart of GsWall GUI with sysinternals autostart
6. Remove GW shell/overlay icon DLLs with autoruns/regedit
7. Remove access of Power User to the registry entry which loads the GW service (and zip the GW uninstaller with a password into a 7-zip compressed file)

Result: Applications will be fully protected, downloads are on the real system, having no GW icon, and can install software (because all downloads are trusted now). Application GW is not visible on the system (only the GW service) and they have a hard time removing/disabling the service.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
That is the reason I got this question, I gave my DW license to my mother, she has no problem using it :D although becoming 80 this year. It is a neighbour of hers (so I don't want to start paying for licenses, it is an elderly complex and they meet every week for a social event and dinner).
     
  11. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
Why use an email client? Why not just use webmail and open it in Chrome?
Also, can IE be uninstalled from XP?
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Sorry, I should have explained it better.

They live in an independent living complex for the elderly (60 apartments). They meet every week and have dinner together. A few of them have joined SeniorNet in the Netherlands. They feed the rest of the digital community in that complex with free programs and games. When someone is on a different OS, that implies that I have to search for the Linux/Unix equivalent of the game of the week.

That would take too much time, installation effort etc. for me.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Well, disable access in Add/Remove Programs, and give the IE directory a "deny execute" SRP. You can't update XP manually after this, but considering the discontinued status of XP, it won't be much of a problem.

    Why not use a webmail? Have not considered this to be honest, thx. I will check out how easy it is to access webmail (they are using a TV cable net provider as ISP which also handles their e-mail, with spam and virus checker).
     
  14. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    @Kees1958
    I use only webmail. It's easier. ;)
     
  15. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    Kees1958:
    Understood ! Yes, women talk - sometimes about the most surprising things. ;)

    Amit:
    Yes, I also . Have changed my computer so many times, and now have multiple boxes and OS's......all mail still stored on my ISP as webmail which I can access anywhere , anytime.

    [Proviso: I don't get a lot of mail... :( .... so my storage is not huge]


    -cheers,
    feandur
     
  16. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    There is no need to flaunt your sexism here.
     
  17. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Yeah webmail is very convenient for me.

Don't worry. PM me your email address and you'll find your storage full in no time.:D
     
  18. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    Apologies Pinga, no offense meant - just an old man's experience. :-*

    Thanks Amit.....your gracious offer to relieve my carefully guarded solitude here in my man cave is most touching...I will ponder this matter most deeply... :ninja:

    PS: I so totally blame that 2nd glass of red I just had...no responsibility at all taken for any replies tonight. I shall be suitably shame faced in the morning.

    -apologies to all, and to all, a good night. :thumb:

    -cheers,
    feandur
     
  19. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    @Feandur
    No prob. Always here to help.:D
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
I will have a look at the new Microsoft on-line, I heard the neighbour was used to Outlook. I had a look at the webmail client of their ISP. I can assemble some filter rules to move them from ISP to MSN (delete SPAM, forward mail to MSN account and move to NewMailFolder, send a changed address mail when mail enters NewMailFolder plus delete the incoming message). The ISP uses a very decent SPAM filter and ClamWin AV, so nothing wrong using it as an off-line first malware filter.

This also solves a problem I have with the mailbox of my mother. The inbox is only 25MB large, she has two female friends who send her large 'funny/humorous' movies every day (often up to 5 MB large). When she does not use her laptop for three days, her mailbox becomes full and I have to send an e-mail to the ISP asking to purge her mailbox (it happened so often, I got a direct mail address of the help desk :D ).

    So I skip Thunderbird, will implement the same for my mother.

    Thanks :thumb: for the suggestion
     
    Last edited: Feb 10, 2013
  21. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    @Kees1958
    You're welcome my friend.:)
     
  22. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    @Kees1958
    The only security needed for that laptop is in my sig.;)
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thank you, but no thank you :D

Too complex. I will try the combo with Power User, SRP basic user on portable apps, deny execute on download directory and GeSWall free in the way Sully suggested SBIE, with your suggestion Outlook webmail.

    I will still add Avast file shield.

Still welcome a suggestion for hardening, like XPAntiSpy or similar.
     
  24. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Um that also looks strong setup. :)
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Final Setup

    1. Running as normal Admin, with block on non-signed drivers (registry tweak).

2. Installed Sully's Pretty Good Security and set all non-essential programs to run as basic user (AbiWord, 7-ZIP, Foxit, MovieMaker, DVDPlayer) and a deny execute on the data partition (all files and all users).

3. Installed GeSWall Free for Chrome, Outlook Express and Windows Media Player 11, with icon overlay disabled (no GW icon on downloaded files) and Data Partition and Documents & Settings as trusted (downloaded files/programs can run without being contained/sandboxed by GeSWall).

    4. Installed Avast with file shield only (and sandbox on auto).
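The SRP part of the first post and of this final setup (Basic User for the portable programs, nothing executing from the download area, the IE directory blocked as suggested in post 13, and the Chrome updater left unrestricted) can be written straight into the registry, which is how SRP is configured on XP Home without gpedit. This is an added example, not the thread's own instructions or Sully's PGS code; the portable-apps folder, the D:\Downloads folder and the Chrome updater location are assumed paths, and the rule GUIDs are arbitrary constants.

```batch
@echo off
rem Added example: writes Software Restriction Policy path rules for the setup
rem discussed in this thread. Run from an Administrator command prompt on XP;
rem log off or reboot afterwards so the new rules are picked up.
rem Paths are assumptions for this laptop, adjust them to your own layout.

set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
set PORTABLE=%USERPROFILE%\PortableApps
set CHROMEUPD=%USERPROFILE%\Local Settings\Application Data\Google\Update

rem Global settings: Unrestricted by default (262144), enforce for all users
rem (PolicyScope 0) and for all executables except DLLs (TransparentEnabled 1).
reg add "%SAFER%" /v DefaultLevel /t REG_DWORD /d 262144 /f
reg add "%SAFER%" /v TransparentEnabled /t REG_DWORD /d 1 /f
reg add "%SAFER%" /v PolicyScope /t REG_DWORD /d 0 /f

rem Level subkeys: 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted.
rem Each path rule is a GUID-named subkey under <level>\Paths.

rem Portable programs in the user profile run as Basic User (no admin token).
call :rule 131072 {11111111-0000-0000-0000-000000000001} "%PORTABLE%" "Portable apps: Basic User"

rem Download folder on the data partition: nothing executes from there
rem (complements the NTFS deny-execute set through the Security tab).
call :rule 0 {11111111-0000-0000-0000-000000000002} "D:\Downloads" "Downloads: Disallowed"

rem IE directory blocked instead of uninstalled, as suggested in post 13.
call :rule 0 {11111111-0000-0000-0000-000000000003} "%ProgramFiles%\Internet Explorer" "IE: Disallowed"

rem Chrome updater keeps full rights so browser updates still install.
call :rule 262144 {11111111-0000-0000-0000-000000000004} "%CHROMEUPD%" "Chrome updater: Unrestricted"

rem Dump the result so the rules can be checked before logging off.
reg query "%SAFER%" /s
goto :eof

:rule
rem Arguments: level, GUID, path, description.
reg add "%SAFER%\%~1\Paths\%~2" /v ItemData /t REG_EXPAND_SZ /d "%~3" /f >nul
reg add "%SAFER%\%~1\Paths\%~2" /v SaferFlags /t REG_DWORD /d 0 /f >nul
reg add "%SAFER%\%~1\Paths\%~2" /v Description /t REG_SZ /d "%~4" /f >nul
goto :eof
```

After logging back on, starting a program from the portable folder should show it running without administrative privileges, and starting one from D:\Downloads should be refused with the SRP "blocked by group policy" message.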
     