XP (yes I know should be abandoned)

Not quite, I found out after I checked today so time for a correction. I deal with folders in Documents and Settings on a per user basis and I only had removed system from the active user account folders and not the folders that Windows supplies. I found that having system on the All Users folder with read/write permission is necessary for user pictures and to work right.

Otherwise, everything I've tested so far has been working including Windows update and MSE.

 

This is a list of .NET Framework 2.0/3.0/4.0 updates released after end of support for Windows XP:

http://download.microsoft.com/download/0/A/5/0A57F593-57B7-4B8B-8598-A3EBEAC3620D/NDP20SP2-KB2894843-x86.exe
http://download.microsoft.com/download/C/2/C/C2CBA674-3E4B-4BF0-9B75-6239E994C356/NDP20SP2-KB2972105-x86.exe
http://download.microsoft.com/download/F/1/4/F14595A2-A761-4368-9537-CB1347A5C31D/NDP20SP2-KB2972214-x86.exe
http://download.microsoft.com/download/4/A/E/4AEAB77C-6FF8-44C2-9679-1BAB52B93250/NDP20SP2-KB2978124-x86.exe
http://download.microsoft.com/download/E/0/5/E0501D1E-4046-484C-AB8D-00F82DE53651/NDP20SP2-KB2979574-v2-x86.exe
http://download.microsoft.com/download/5/2/C/52CDC545-676A-4BC8-BA7E-F7634A06205E/NDP20SP2-KB3023220-x86.exe
http://download.microsoft.com/download/2/9/B/29B473CB-63B7-4ED0-8A54-5F512AC2475F/NDP20SP2-KB3035488-x86.exe
http://download.microsoft.com/download/D/A/2/DA2E8293-1888-42EA-BA21-CB88EEC51177/NDP20SP2-KB3037577-x86.exe
http://download.windowsupdate.com/c/csa/csa/secu/2015/09/NDP20SP2-KB3074546-x86_B00E38544466254F6C7314127D2F658078C9D53A.exe

http://download.microsoft.com/download/2/B/2/2B23383E-72A3-4B45-A0B2-74F41674AB8D/NDP30SP2-KB2973115-x86.exe
http://download.microsoft.com/download/F/8/5/F859846E-37D4-422F-AA06-DA7F44EB3246/NDP30SP2-KB3048073-v2-x86.exe
http://download.windowsupdate.com/d/csa/csa/secu/2015/08/NDP30SP2-KB3072308-x86_DF948B25BC71432E5CADE81A55E0840A833B8BDC.exe

http://download.microsoft.com/download/5/D/8/5D8CAE6E-DD52-4654-A8A5-F783079CBD39/NDP40-KB2894842-v2-x86.exe
http://download.microsoft.com/download/A/1/C/A1CF7A32-DE4C-4801-9941-97968014D0CD/NDP40-KB2931365-x86.exe
http://download.microsoft.com/download/7/3/2/7326625B-CED1-4466-A3B2-9ACAE4891ED7/NDP40-KB2938780-x86.exe
http://download.microsoft.com/download/1/5/E/15E6F381-A764-457D-A9BF-D4DF22665F1D/NDP40-KB2972106-x86.exe
http://download.microsoft.com/download/7/7/7/777B7C3B-F6D7-4F2A-BAB9-3E79287009E9/NDP40-KB2972215-x86.exe
http://download.microsoft.com/download/C/C/A/CCA7CA55-9109-42B0-908C-FFA419E4792E/NDP40-KB2978125-x86.exe
http://download.microsoft.com/download/2/F/7/2F798ACF-EFDC-45EA-B76F-F0DE4E67882E/NDP40-KB2979575-v2-x86.exe
http://download.microsoft.com/download/2/0/8/208D1422-5B68-4BEB-BFD2-6B860DA4F978/NDP40-KB3023221-x86.exe
http://download.microsoft.com/download/A/A/3/AA3F6C4D-0DC2-4074-9DAC-88FA3A8AFDD4/NDP40-KB3032662-x86.exe
http://download.microsoft.com/download/B/F/9/BF95F11F-6552-437A-BD62-1666826A8EE5/NDP40-KB3037578-x86.exe
http://download.microsoft.com/download/9/2/1/921E5232-83F4-43CA-8B28-6B4F2A4484F7/NDP40-KB3048074-x86.exe
http://download.microsoft.com/download/9/4/1/941A479D-7370-42B3-BF1D-09DF887A05E7/NDP40-KB3072309-x86.exe
http://download.microsoft.com/download/7/6/D/76DAC6F7-223C-44FA-888A-803B51F7B67E/NDP40-KB3074547-x86.exe
http://download.microsoft.com/download/3/2/0/3204BE48-6715-42D5-B480-B94FF7FCC1F2/NDP40-KB3097994-x86.exe
http://download.microsoft.com/download/8/7/9/87937477-D099-4F19-B036-3D32C0BB28CE/NDP40-KB3098778-x86.exe
http://download.microsoft.com/download/0/E/6/0E68D65E-D070-4C3A-A227-130308B82278/NDP40-KB3099866-x86.exe

Crystal AEP requires .Net Framework 2.0.
At least uninstall .NET 1.0 and 1.1.

Silverlight also would not be a good choice:

http://malware.dontneedcoffee.com/2015/07/cve-2015-1671.html

Update at least the latest version (5.1.41212.0):

http://download.windowsupdate.com/d/msdownload/update/software/ftpk/2016/01/silverlight_22b0beaaaf181fcaf0166ddcde8cbdc96d38de52.exe


Modern Silverlight needs Windows Installer 4.5 KB94228 on Windows XP to work properly:

https://www.microsoft.com/en-us/download/details.aspx?id=8483

Check this update.

 

Change of plans, had a closer look at QupZilla. Security through obscurity is applicable for QupZilla since it has a near zero market share and uses the Qt application framework, which is a cross platform C++ platform which uses its own precompiler and a signal and slots for GUI and asynchronous communcation between objects. It has a Opera like speed dial, a build in adblocker, password manager with encryprion and sufficient privacy settings.

I will ditch local email and learn her how to use the webmail of her ISP (accessed via speeddial and password manager). Webmail of ISP is very straight forward and in Dutch. Because of Qt programming language I "only" have to worry about Silverlight, Flash and Webkit exploits.

I can't find how QupZilla updates itself, so anyone knowing how QupZilla auto updates on Windows please post how the update proces works (separate updater? downloads updates to specific folder?).

This certainly looks promising

 

@Windows_Security

My advice re QupZilla is currently "Don't."

https://www.wilderssecurity.com/threads/the-mess-that-is-webkit.383710/

 

Thanks for the link, but that is on Linux. Can't find info on the latest Webkit version. Qupzilla uses 538.1 as I recall from the version documentation for Windows.

 

@Windows_Security,

your original plan looks really good. I suppose you could virtually bullet-proof it by forcing the browser into a lightly restrictive Sandboxie environment, so as not to cause headaches for your relatives, balancing convenience with security, maybe running Firefox with uBlockO configured with enhanced easy mode blocking (easy mode with additional blocking of frames).

 

Thanks for the suggestion. I am testing it with Firefox and free GesWall sandbox right now (using redirect for everything except Firefox profile and Download folder), having some trouble with GeSwall allowing Silverlight and Flash updates. Since the relative does not do any on line banking or shopping, so I might use uBlock and block third party scripts and iframes. A pitty that there is no equivalent of Script Blocker for Chrome (which also blocks plug-ins from third party) available in Firefox.

 

The additional blocking of 3rd-party scripts will probably break too many sites, resulting in frustration for your relatives, unless they know what to unblock when it happens. Just my 2 cents based on my experience with uBlockO.

Even gorhill implies blocking only iframes will prevent many exploits from happening. And of course this approach will cause very little grief for users.

 

Because IE (remember nozzle etc), Edge and Chrome apply script sanitizing, the method of infecting websites has become iframes. Firefox is sort of victim of its advantage (having NoScript), so Firefox does not have the same script sanatizing features as far as I know, so it needs a scriptblocker for that. Also I know the user only visit two news websites, I will make sure nos.nl and nu.nl will work with uBlock.

 

Okay, this is how I did it

1. Installed al applications
2. Locked Windows with ACL like Mister B suggested (disabling write as much as possible)
3. Software Restriction Policy default deny (excluding Firefox download folder) and run all steady applications as BASIC USER
4. Kept Outlook Express, but emails are read in plain text
5. Crystal AEP blocking OE to start other programs, allowing Firefox to start updater only
6. Secure Folders with read only on Firefox installation folder and Firefox Appdata folder (includes download) allowing Firefox, updater and explorer full access
7. Firefox with no plug-ins (learned her how to look TV missed through set top box), pining the six websites she only visits, with uBlock origin blocking third party and tweaked to have full functionality on thise six websites.

Thanks for all your suggestions.