[ale] PT1 - ale OT Need to lock down a Windows laptop / (OR Linux)

Ron Frazier atllinuxenthinfo at c3energy.com
Sun Jun 26 04:58:35 EDT 2011


To my friends reading this and running Linux.  It is no longer true that 
Linux users don't have to worry about security and viruses, if it was 
ever true.  Now, the risk level may not be as great as Windows, but it 
is there, and will increase as the usage numbers increase.  Here, I 
detail a number of steps to secure windows.  However, many of them are 
cross platform, and usable on Linux too.  I detail which ones can be 
done on Linux as well.  When I give instructions for Linux, I'm 
referring to Ubuntu 10.04, which is all I know.  Users of other versions 
will have to adapt.  Trey's original inquiry is copied at the bottom.

Trey,

I was browsing through some old threads and saw this.  I've been working 
with Windows since it was a baby (v 3.0).  While not a security expert, 
I've studied it a bit, and have learned a lot from the school of hard 
knocks.  I wanted to elaborate on some of the things mentioned in this 
thread and add a few.  The question you asked cannot be answered in one 
paragraph.  Locking down a Windows system is not easy, and there are 
many technical issues and many psychological issues.  You can take a 
paranoid or a lax approach.  I prefer the former.  I would use similar 
procedures on the Linux side of the fence.  There are starting to be 
more attacks focused on Linux and Mac.  Risks that relate to things like 
Java and Flash are cross platform sometimes.  Here are a number of items 
in no particular order.  I can help you with these issues, if desired.  
Contact me privately.  If there is an interest, I can post some more 
specific details on the list.

0.5) Lock down your home router.  Applies to Windows and Linux.
Disable remote administration (from the WAN), turn on its firewall and 
NAT functions, set up WPA / WPA2 encryption for the wifi with a long 
random password, and set up an administrative password which must be 
used to configure or alter the router.  Set the router to use OpenDNS 
(as mentioned below) name servers, which will, at a minimum, provide 
some phishing protection.  More on this later.  If you have other 
devices which need to connect besides your computers, like game consoles 
or your daughter's friends, and if the router supports it, set a guest 
WPA / WPA2 connection with a memorable but hard to guess pass phrase.  
Guests should have access to the internet only, and not anything on your 
LAN.  Do not use WEP encryption, it has been broken.  It's usually a 
good idea to update the router's firmware to the latest level and save 
the firmware file as well as the configuration settings.  Update the 
firmware before you set the settings, as it will sometimes erase the 
settings.

01) Set up a login on her laptop for her, which is a standard user.  
Applies to Windows and Linux.
Password protect it, give her the password, and set up a screen saver 
which locks the system after a timeout.  Set up a boot password in the 
BIOS and give it to her.  These things will encourage her to keep 
security issues in mind.  They will also provide some protection if the 
machine is sitting in public for any period of time, or if it's stolen.  
Make sure she uses her login for normal activities.

02) Set up a DIFFERENT administrative login for yourself and don't give 
her the password.  Applies to Windows and Linux.
Let her know she's not allowed to install software without permission or 
alter the configuration of the machine.  Most of the system 
configuration, you will have to do from your administrative account.  
Most of her user applications will have to be configured from her user 
account.

03) Applies to any child and any computer.  Lay down ground rules about 
what she can and cannot do with social networking, peer to peer file 
sharing, contacting strangers, etc.  Discuss the potential problems 
involved in downloading illegal music and movies, etc.  Advise her to 
avoid that at all costs, and if she needs music or movies or books, 
etc., to buy them legitimately.  If she's younger, you may wish to not 
give her the boot password, and to require that she do all her computer 
usage in a common family room where you can monitor it.  Your choice.  
Instruct her not to do configuration changes or installations without 
your prior approval.

04) Using Windows Updater, install all relevant patches on the machine.  
Applies to Windows and Linux, except use the Linux Updater for Linux.
Reboot, and check again.  Keep doing this until all recommended patches 
are installed.  If the machine is new, make sure you do this from behind 
a home router with a firewall, so the machine doesn't get infected the 
moment it's connected to the net.  Do not connect it directly to the 
cable or DSL modem.  (As mentioned below) set the update settings to 
notify you every time patches are needed.  Also, make sure it's set to 
get patches for all MS products.  Set it for automatic updates every 
night at 3 AM or whatever.  However, this doesn't work if the system is 
off.  At least every month, after MS releases patches on the 2nd 
Tuesday, check for and install new patches in case the auto update 
didn't happen.  Basically, ANYTHING that connects to the Internet needs 
to be updated at least monthly or whenever there is an urgent patch.

05) Make sure the Windows Firewall is on.  Applies to Windows and 
Linux.  Use Firestarter or something similar for Linux.
Every month, check its exception list and purge anything that's 
unnecessary as both legitimate and malicious programs can sometimes 
change it.

06) Find the settings for User Account Control.  Applies to Windows and 
sort of Linux.  This is pretty much the default behavior in Ubuntu.
Crank it up to the max and save the settings.  This will require the 
administrative password when programs try to install software or make 
changes to the computer or you change fundamental Windows settings.  
This will include routine software updates, so you'll have to do those.  
When your daughter is older, and you think she's mature enough to take 
over system maintenance, you could give her the password.  However, 
neither of you should ever enter this password unless you know that it's 
for a valid administrative purpose that you requested or that you know 
is automated.  Otherwise, you're probably under an attempted virus attack.

07) (As mentioned below) MS Security Essentials is a good option for 
Anti Virus.  Applies to Windows and Linux (in my opinion).  You can use 
ClamAV or similar for Linux.
It's free, and they update it.  If you want to pay for a package, Eset 
NOD32 (as someone else mentioned) is a good choice.  It's usually a bad 
idea to use multiple packages.  They fight with each other.  If the 
machine came with AV, you may have to uninstall it to use these.  Always 
check the settings of these types of programs.  The defaults, while 
adequate, may not match what you want the machine to do.

By the way, based on the current knowledge of numerous tech and security 
experts I listen to on podcasts, forget about cleaning out viruses.  
Modern viruses are very sophisticated.  Once they get their hooks into a 
system, they have a way of coming back and back, or hiding in such a way 
that you'll never know it.  Once a system is infected with a virus, you 
can never trust it with sensitive information, like your credit card 
number, again.  If it gets a confirmed virus, back up the data, wipe the 
hard drive, and reinstall everything.  I know this is a pain in the 
butt.  I just did it recently to my sister's machine.  However, it's the 
only way to know for sure that it's clean.

08) (As mentioned below) Firefox is a good alternative for a web 
browser.  Applies to Windows and Linux.
I would not use Internet Explorer, as it has historically had many 
security problems.  Many exploits take advantage of ActiveX, which is 
part of IE.  If you want to know more about locking down IE, contact 
me.  Noscript is a great plugin.  Configuration is a bit complex, and I 
can help with that.  The bottom line is that you don't want any active 
content to run, or any scripting, unless you have a credible reason to 
trust the website.  Scripting should be off by default.  Then, if you 
have to trust your bank for their site to work, then you turn it on.  
Advise your daughter not to trust sites just because they don't work.  
She needs some reason to believe they're credible.  Preventing scripting 
prevents many exploits.  The Firefox Sync plugin (mentioned below) backs 
up your bookmarks, and passwords if you want, and optionally lets you 
synchronize them to other computers or restore them if needed.  It 
crashed and corrupted my bookmarks once and lost many of them.  I read 
similar complaints from other users.  I recommend Xmarks instead, which 
seems to be more reliable.

08.5) There are a number of Firefox settings which I would change from 
the defaults.  Applies to Windows and Linux.
Some of these relate to security and some relate to privacy.  I could 
discuss these privately or post on the list if there is an interest.  
These relate to things like whether you clear history and cache data 
when exiting, whether you use a master password, whether you store 
passwords, etc.  Everyone probably has different preferences here.  For 
privacy protection purposes, consider the Better Privacy and Ghostery 
plugins.  Firefox should generally be updated when requested.  However, 
Firefox 4 broke a lot of my plugins which live in the status bar, so I'm 
still on 3.6.18.  You also have to separately update the plugins 
(addons) even though this sometimes happens automatically.  WARNING, the 
FIREFOX and PLUGINS settings have to be done in EACH user account on the 
machine, including the administrative account, and have to be updated in 
EACH user account every time they change.

09) Java applies to Windows and Linux.  See note after this paragraph.  
As JD wrote in his 05/10/11 post entitled "Should I keep Java on my PC", 
the top 4 attack vectors you can easily control are: Adobe PDFs, Java, 
Adobe Flash, and MS Office documents.  We'll address each of these 
separately.  The general security rule is don't run what you don't 
need.  Many sites don't need Java to run.  Many exploits do.  While I 
need it, I may delete it from my son's machine and my Dad's.  Java is 
different from JavaScript, which is widely used.  If you need it, get it 
from Oracle / Sun at http://www.java.com rather than using an 
alternative.  This is the most widely used and most updated Java 
system.  You must keep it updated whenever they issue a patch.  If you 
don't need it, don't install it or uninstall it from the control panel.

For Linux (Ubuntu), you need to add the PPA to the Synaptic repositories 
screen.  I cannot locate the procedure or link at the moment.  Then, 
reload the database.  Search for java6 and install java6-fonts, 
java6-bin, java6-jre, and java6-plugin from Sun.  Don't use a direct 
download from Sun / Oracle.  By using the PPA, you'll get auto updates, 
although they may be a bit older than the current Java release.  You 
should remove the open jdk and icedtea as well as old java -bin, -fonts, 
-jre, and -plugin as all these are out of date compared to Sun's Java; 
unless you have a specific reason to use these older items.  If you want 
to remove Java completely, you can do so from Synaptic.  Search for 
words like java6, open jdk (or maybe openjdk), icedtea, etc.  Make sure 
you're removing actual Java stuff, and not just something else that 
happens to end in -bin.

10) Your daughter will probably need the Adobe PDF Reader on her PC in a 
Windows environment.  Applies to Windows and MAY apply to Linux, if you 
run Adobe's reader in Linux.  With other readers, you should take 
similar steps to disable features which may be a security risk, 
including Java, JavaScript, embedded automation, etc.
PDFs are widely used, but can be malicious.  Make sure you have 
installed Adobe Reader X (ten) from http://www.adobe.com .  If the 
machine has Reader 9 on it, uninstall it and install X.  Version 9 has 
some significant security holes.  After installing, you must change some 
settings to maximize security.  You must do this in EACH user account, 
just as with Firefox, since this is a user application, not a system 
application.  You should check these settings after every update or new 
reader install, since sometimes they will get reset to defaults.  Start 
Reader X, then select Edit, Preferences and set the following:
      Click the JavaScript category, UNCHECK the "Enable Acrobat 
JavaScript" box.  There is almost never a need, outside of specific 
corporate usage, to need JavaScript in a PDF, and it is often used for 
attack.
      Click the Multimedia Trust (legacy) category, UNCHECK the "Allow 
multimedia operations" box.  This prevents multimedia files from being 
triggered by PDFs (I think).
      Click the Security (Enhanced) category, CHECK the "Enable Enhanced 
Security" box.  Don't know what it does, but I want it on.
      In the same Security (Enhanced) category, UNCHECK the 
"Automatically trust sites from my Win OS security zones" box.  I don't 
want any "automatic trusting" of anything.
      Click the Trust Manager category, UNCHECK the "Allow opening of 
non-PDF file attachments with external applications" box.  This prevents 
an XLS file, for example, from being attached to a PDF file, which could 
be a vector for attack.
      Click OK to save the changes.
      Then, go back into preferences and make sure these are all set as 
required.
      You may then click OK to exit the preferences and then exit the 
program.
      Do this same setup in EACH user login including the administrative 
one.

By the way, when you installed Adobe Reader X, you probably also got 
Adobe Air.  Go to control panel and uninstall it unless you know you 
need it.  Also, every time you run one of the installers, watch out for 
things like a check box (defaults to on) that says Install the Yahoo 
toolbar, etc.  (Actually, that might be the Java installer.)  Make sure 
you read everything on the screen before clicking any button.

11) She'll probably need Adobe Flash too.  Applies to Windows and Linux 
if you use Flash in Linux, as I do, and many others.
YouTube runs on it, as does Pandora, and many others.  Facebook probably 
uses it.  Flash, too, is a major attack vector.  You'll need the latest 
Flash.  As with the other things, you must update it whenever there's a 
patch.  All these things should be checked at least monthly.  As with 
the other USER apps, you have to configure flash in EACH user account.  
The default settings are NOT conducive to security and privacy, and the 
way to change them is not obvious.

WARNING, there have been exploits, sometimes using flash, sometimes not, 
which use the computer's web camera and microphone to spy on people and 
take pictures of them or record their conversations.  We will set these 
flash settings accordingly.  However, I would recommend disabling the 
built in microphone and web camera if you don't need them.  At the very 
least, I would place a piece of dark thick tape over the web camera when 
I'm not using it.  I intend to do just that with the new laptop.  If I 
want a mic, I'll plug in a headset.  If I want a camera, I'll either 
re-enable it or plug an external one in.

Go to this address to check if Flash is installed and what version it 
is.  (PS, I use the Flashblock plugin in Firefox to prevent Flash from 
running unless I want it to, even if the site is trusted by NoScript.)  
Once you visit this site, it will tell you if flash is installed, and 
what version it is.  If you need the new one, get the installer from here:
http://get.adobe.com/flashplayer/  For Linux, install the flash-plugin 
from the repository after enabling the various repositories.
It may try to install the Adobe Download Manager plugin into your 
Firefox.  Install it if you have to.  Then uninstall it later.
Once you've got Flash installed, for each user account, go to this 
address and make the changes outlined below:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html 
- This is where you set the settings from.  There is also a control 
panel applet, but it doesn't allow as much flexibility.

Click on Global Privacy Settings panel at the left.

The applet will appear which configures default settings for your camera 
and microphone.  Click Always Deny, then Confirm.  Do this 3 times.  
Then click on Global Privacy Settings panel again and do the same thing 
3 times again.  Sometimes, for whatever reason, the settings don't stick 
initially.

Click on Global Storage Settings panel at the left.

Check all three check boxes, then click on Global Storage Settings panel 
again and do the same thing again.  Click on Global Storage Settings 
panel again to make sure the settings were saved.  This disallows sites 
from storing Flash cookies on your computer by default, but will allow 
it if you specifically ask to per site.  Note that things like Pandora 
won't work this way, but you can enable them specifically.  Disabling 
Flash storage enhances privacy.

Click on Global Security Settings panel at the left.

Click on Always Deny.  This prevents sites from using an older security 
system.  Click on Global Security Settings panel again to see if the 
setting stuck.  If not, repeat and test again.

Click on Global Notifications Settings panel at left.

Set to notify you of updates and check every 7 days.  Repeat as 
necessary to make it stick.

Click on Website Privacy Settings panel at left.

Delete all the sites.  As sites are visited, they will appear here.  
After this point, any websites listed here show a deny symbol, a red circle 
with a line through it.  They will be denied access to the camera and 
mic.  If a site does need access to the camera and/or mic, you can click 
its specific line and authorize it.  Make sure you go back into the 
screen to make sure your changes stick.

Click on the Website Storage Settings panel at left.

When you deleted the sites from the previous list, they were deleted 
here.  As sites are visited, they will populate this list, and it will 
show how much flash storage is allocated.  They should all say nothing.  
No numbers shown.  If a site has requested storage, it may say never 
under the limit.  If you go to Pandora, for example, it will fail and 
complain about not having any Flash storage.  You can come to this 
screen, and select Pandora, which will now be in the list.  Uncheck the 
box that says never ask again, and slide the slider to set the limit of 
storage for that website, for say 100 KB of storage.  Then, you can go 
back into the screen to make sure it stuck.  Pandora should then work.

Click the Peer-Assisted Networking Panel at left.

Flash has some peer to peer features that can present security risks.  I 
just disable them.  There should be no websites here unless you've 
enabled them.  Any that are there should have a deny symbol, the red 
circle with a line through it.  Also, check the box that says Disable 
P2P Uplink for All.  Go out of the screen and come back to see if it 
stuck.  If not, do it again.

Well, that's ALL that's required to properly secure Flash.  Oh, just 
remember to do it for EACH user login.  And remember to check it after 
each update, which you should do every time the version changes.

12) Office Documents were the other item on JD's list.  Applies to 
Windows and Linux.  Linux users will probably have Open Office or Libre 
Office.  See below for that.
They can have macro viruses and Visual Basic applications embedded in 
them, which can be malicious.

I'm not an expert in the new MS Office package.  I don't own it or use 
it.  It costs too much $$$ when LibreOffice is free.  I did get my wife 
to boot her work computer long enough to print out the menu screens 
related to security and privacy.  I'll tell you how I'd set them for a 
son or daughter.  Remember, I take a paranoid philosophy.  Turn off all 
unneeded automation, and block all potentially malicious content unless 
there is a good reason not to.  You can do the following in Word 07.  
There should be similar menus in Excel, Powerpoint, and Access.  Do this 
in each one, as relevant, and in EACH user account.

Click the start button within the app (the big circle).
Click Word Options (or Excel or PowerPoint or Access).
Click Trust Center.
Click Trust Center Options.

Click the Trusted Publishers category.
    For a child's (non corporate) computer, I think this list should be 
empty.
Click the Trusted Locations category.
    I would think this should also be empty.
    UNCHECK "Allow Trusted Locations on my network (not recommended)"
    CHECK "Disable all Trusted Locations ..."
Click the Add-Ins category.
    CHECK "Require Application Add-Ins to be signed by Trusted Publisher"
    CHECK "Disable all Application Add-Ins (may impair functionality)"
Click the ActiveX Settings category
    SELECT "Disable all controls without notification" - You don't want 
to bother a child with lots of strange pop-ups.
    CHECK "Safe mode"
Click the Macro Settings category
    SELECT "Disable all macros without notification"
    UNSELECT "Trust access to the VBA project object model"
Click the Message Bar category.
    SELECT "Never show information about blocked content"
Click the Privacy Options category.
    Not sure what all these mean.  The ones that look important are:
       CHECK "Check Microsoft Office documents that are from or link to 
suspicious Web Sites"
       CHECK "Make hidden markup visible when opening or saving"

Click OK to save all this.  Then, go back in and see if it saved.

I prefer to use LibreOffice. http://www.libreoffice.org/  For Linux 
users, add their PPA to the repositories list in Synaptic and install 
from there.  This will allow for auto updates.  If OpenOffice is already 
on your system, you should uninstall it before installing LibreOffice.  
I had a hard time doing that in Ubuntu, but don't remember the exact 
procedure.  At the moment, these steps will probably work for OpenOffice 
too.
Here is how to set the options.
Start LibreOffice and open a blank text document.

Select the Tools, Options menu.
Open the LibreOffice category.

    Click the Security sub category.
       Click the Macro Security button.
          Click the Security Level tab.
          Select "Very High"
       Click the Trusted Sources tab.
          Both lists should be empty.
          Add things only if you know what you're doing and you know 
what you need.
       Click OK to save these settings.

    Click the Java sub category.
       UNCHECK the "Use a Java runtime environment" button.
       Click OK to save these settings.

Select the Tools, Options menu.
Open the Load / Save category.

    Click the VBA Properties sub category.
       Under the "Microsoft Word 97/2000/XP" section
          UNCHECK "Executable Code"
          UNCHECK "Load Basic Code"
          UNCHECK "Save original Basic code"
       Under the "Microsoft Excel 97/2000/XP" section
          UNCHECK "Executable Code"
          UNCHECK "Load Basic Code"
          UNCHECK "Save original Basic code"
       Under the "Microsoft PowerPoint 97/2000/XP" section
          UNCHECK "Load Basic Code"
          UNCHECK "Save original Basic code"
       Click OK to save these options.

Go back into the menus again under the Java, Security, and VBA 
properties sub categories and make sure that the settings are correct.

See part 2 for the rest of the message.


On 4/11/2011 6:36 PM, Preston Boyington wrote:
> Trey Sizemore wrote:
>> Hi all-
>>
>> Off-topic for the list, but I know there's tremendous knowledge and 
>> experience here when it comes to tightening a Windows machine.
>>
>> I've got my daughter's laptop dual-booting Windows 7 and Ubuntu.  
>> I've encouraged her to use Ubuntu as much as possible, but realize 
>> there are some programs that are not able to run on Linux at this 
>> point (tried Wine and others).
>>
>> So for the times she does log in to Windows, I want to have 
>> up-to-date anti-virus installed and am looking for some advice on 
>> what to use.  Also, any other software that would be good to install 
>> to help keep the nasties off.
>>
> Microsoft Security Essentials (for anti-virus)
> Mozilla Firefox with the following:
> *Adblock Plus (speeds up things by blocking ads, etc.)
> *NoScript (to block what Adblock doesn't)
> *Firefox Sync (bookmark & password sync)
> *Update Notifier (to keep add-ons updated)
>
> there are also proxy servers to route through to help protect from some
> nasties and optionally filter content you don't care about.  OpenDNS has
> a 'FamilyShield' that does this.
>
> those would get you started I think.
-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
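Related to the Website Storage Settings step in the message above, here is an added example (not part of Ron's post or any Adobe tool) that reports how much Flash storage each site holds in a Linux user account, so the per-site allowances can be checked outside the settings manager. It assumes the Linux Flash plugin's `~/.macromedia/Flash_Player/#SharedObjects/<random>/<domain>/...` layout and reuses the 100 KB per-site figure from the post as the warning threshold; the sample tree it builds for a stand-alone run is constructed data.

```python
"""Audit Flash Player local shared objects ("Flash cookies") per site.

Added example, not code from the original ALE post.  Assumed layout of
the Linux Flash plugin's storage (one .sol file per shared object):
  ~/.macromedia/Flash_Player/#SharedObjects/<random>/<domain>/<path>/<name>.sol
"""
import os
import tempfile
from collections import defaultdict

SHARED_OBJECTS = os.path.expanduser("~/.macromedia/Flash_Player/#SharedObjects")
DEFAULT_LIMIT = 100 * 1024  # 100 KB, the per-site allowance the post suggests for Pandora


def flash_storage_by_site(root=SHARED_OBJECTS):
    """Return {domain: bytes}, summing every .sol file under each site directory."""
    usage = defaultdict(int)
    if not os.path.isdir(root):
        return {}
    for bucket in os.listdir(root):  # the random per-profile directory
        bucket_path = os.path.join(root, bucket)
        if not os.path.isdir(bucket_path):
            continue
        for domain in os.listdir(bucket_path):
            domain_path = os.path.join(bucket_path, domain)
            if not os.path.isdir(domain_path):
                continue
            # Sites may nest .sol files several directories deep; walk them all.
            for dirpath, _dirs, files in os.walk(domain_path):
                for name in files:
                    if name.lower().endswith(".sol"):
                        usage[domain] += os.path.getsize(os.path.join(dirpath, name))
    return dict(usage)


def sites_over_limit(usage, limit=DEFAULT_LIMIT):
    """Return [(domain, bytes)] for sites above the limit, largest first."""
    over = [(domain, size) for domain, size in usage.items() if size > limit]
    return sorted(over, key=lambda item: -item[1])


def build_sample_tree(base):
    """Create a constructed #SharedObjects tree under base; returns its root path."""
    root = os.path.join(base, "#SharedObjects")
    samples = {  # constructed sample sites and .sol sizes, not real data
        "pandora.com": [("pandora/settings.sol", 150 * 1024)],  # above 100 KB
        "example.org": [("player/prefs.sol", 2048), ("player/state.sol", 1024)],
    }
    for domain, files in samples.items():
        for rel_path, size in files:
            path = os.path.join(root, "ABCD1234", domain, rel_path)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)  # only the size matters for the audit
    return root


def audit_sample():
    """Run the audit over the constructed tree; returns (usage, over_limit)."""
    with tempfile.TemporaryDirectory() as tmp:
        usage = flash_storage_by_site(build_sample_tree(tmp))
        return usage, sites_over_limit(usage)


if __name__ == "__main__":
    # Real run against the current account; falls back to {} if no Flash storage exists.
    live = flash_storage_by_site()
    for domain, size in sorted(live.items()):
        print(f"{domain:40s} {size:8d} bytes")
    for domain, size in sites_over_limit(live):
        print(f"OVER LIMIT: {domain} holds {size} bytes (> {DEFAULT_LIMIT})")
```

Run it as each user on the laptop, since Flash storage lives per account just like the settings themselves.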


