Going through all the posts to date I see no mention of ROOTKIT prevention.

The worst kind of rootkit has the ability to take over a PC and place itself between the hardware and the operating system, with all the anti-virus and anti-spyware tools you have mentioned.

It runs the operating system as a virtual machine so it has absolute control of the operating system and its applications.

To learn more about this vicious threat visit
en.wikipedia.org/wiki/Rootkit or do a search on Google.

Warning do not visit rootkit.com. Bad, bad news!
I had 13,000 plus malware files loaded onto my PC by interacting with this site. The Windows API could not see any of these files; only one of 3 rootkit scanners could find them.

Wikipedia gives details about rootkit scanners for both Windows and Linux.

Visit http://www.av-comparatives.org/ then click on the menu selection "Comparatives". Down near the bottom of the page you will find a PDF document called "Comparative of various protection tools", October 2006. This document contains a list of tools that deal with the shortcomings of the anti-virus and anti-spyware products, i.e. trying to block stealth rootkit infection attacks.

Two products that help with safer surfing are SiteAdvisor and Scandoo. There are a few others.

The product I favour most for browsing is Opera. It is less vulnerable than IE and Firefox.

Have your choice of alternate browser, anti-rootkit tool etc. on CD or flashdrive to load before you go online.

A good idea is to run a check on a site like secunia.com to see if any of the software that is loaded on to the new PC - before it goes online - has any unpatched vulnerabilities.

Don't bother to check IE.
A really good list to follow, but I'd advise to add another simple but important step to the list: To really be able to count on the router, one should change the default admin passwords of each and every connected network device, especially the router's.
I'd also add the suggestion of enabling DEP (Data Execution Prevention) for "all programs and services." By default, XPsp2 and Vista are configured in opt-in mode, wherein only certain Windows progs/services are typically covered by DEP. Enabling it for all programs affords far greater protection (namely if the processor supports NX/XD; all new processors will have this capability now).
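The DEP check and switch described above, as an added PowerShell example (mine, not the commenter's), for Vista and later where the policy lives in the BCD store; the -Enforce switch name is my own:

```powershell
# Added example: report the active DEP policy and optionally switch it to
# AlwaysOn ("all programs and services"). -Enforce needs an elevated prompt
# and the new policy takes effect after a reboot. XP keeps this setting in
# boot.ini (/noexecute=alwayson) rather than the BCD, so bcdedit does not apply there.
param([switch]$Enforce)   # assumed switch name for this script, not a Windows flag

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Win32_OperatingSystem reports the support policy as an integer:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (the default the comment warns about), 3 = OptOut
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

[pscustomobject]@{
    HardwareNX      = $os.DataExecutionPrevention_Available      # CPU exposes NX/XD
    Policy          = $policyNames[$policy]
    Covers32BitApps = $os.DataExecutionPrevention_32BitApplications
    CoversDrivers   = $os.DataExecutionPrevention_Drivers
} | Format-List

if (-not $os.DataExecutionPrevention_Available) {
    Write-Warning 'No hardware NX/XD support detected; hardware DEP is unavailable on this CPU.'
}

if ($Enforce -and $policy -ne 1) {
    # Same change the comment recommends, applied to the current boot entry.
    bcdedit /set '{current}' nx AlwaysOn
    Write-Host 'DEP policy set to AlwaysOn; reboot to apply.'
} elseif ($policy -eq 1) {
    Write-Host 'DEP is already AlwaysOn.'
}
```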
I would rather format the machine, than uninstall unwanted crApps.

Ideally, after fully setting up the final gleaming PC, I would image it to another HD using the brilliant and free XXClone.

It would be great to know that down the line there's a dormant OS waiting to spring into life.
Drive Image
xrayman 3rd Oct 2005
I make certain all programs are on a separate partition with the OS. After doing the necessary things to the configurations (per the article and all other tweaks)-- I make an image of my "perfect state"....
I have used Disk Imaging software from Acronis and it is quite a speed-up when you have to recover the system state instead of a whole new lengthy installation.

Moreover, you can have multiple states backed-up.
These are my procedures for new PCs re: account protection:

1- Rename ADMINISTRATOR account and, of course, assign a complicated password ( like: uad%tr64T )
2- Deactivate accounts like: SUPPORT, HELPASSISTANT and GUEST
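The two account steps above as an added PowerShell example (mine, not the commenter's), for Windows 10 / Server 2016 and later where the LocalAccounts cmdlets exist; on XP the same is done with `net user`. Save it as a .ps1 and run it elevated; the new admin name is an assumed placeholder:

```powershell
# Added example: rename the built-in Administrator, set its password, and
# disable the helper accounts listed above. Run from an elevated prompt.
param([string]$NewAdminName = 'svc-maint')   # assumed name; pick your own

# Find the built-in Administrator by its well-known RID (500) rather than its
# display name, so this also works on a box where it was renamed earlier.
$admin = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }
if (-not $admin) { throw 'Built-in Administrator account not found.' }

if ($admin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $admin.Name -NewName $NewAdminName
    Write-Host "Renamed $($admin.Name) to $NewAdminName"
}

# Prompt for the password instead of embedding it, so it never sits in a
# script file or the shell history (the comment's sample password only
# illustrates complexity).
$pw = Read-Host -Prompt "New password for $NewAdminName" -AsSecureString
Set-LocalUser -Name $NewAdminName -Password $pw

# XP's support account is actually named SUPPORT_388945a0; HelpAssistant and
# Guest exist on most versions. Accounts that are absent are skipped.
foreach ($name in 'Guest', 'HelpAssistant', 'SUPPORT_388945a0') {
    $acct = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if ($acct -and $acct.Enabled) {
        Disable-LocalUser -Name $name
        Write-Host "Disabled $name"
    }
}
```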
In fact, I always run Belarc Advisor, which benchmarks XP or 2000 Pro versions according to CIS standards (http://www.cisecurity.org) and flags anything like this.

I also run Microsoft's free Baseline Security Analyzer, which will also flag SQL vulnerabilities. These are common when only the Desktop Engine is installed for something like Outlook 2000 with Business Contact Manager.
Stricter
pkr@... 31st Aug 2006
Remove 'everybody' everywhere, and change that to at least 'authenticated users'. Normally I put Domain Admins on top of the drives with full control, and domain users as 'change'. Individual folders are tailored by using GROUPS. Never ever assign rights to persons, or you will very quickly lose control ending in a complete mess.
Really though, Windows IS part of the problem. It would be quite nice if MS would actually make an attempt to secure it out of the box...jeez... wink

/puts on flamewear
over a week late
ITSecurityGuy Updated - 17th Oct 2005
Jaqui beat you by 8 days and properly numbered it .01
Foiled again! ;-)
jmgarvin 17th Oct 2005
Tin Foiled that is wink
nice hat
apotheon 18th Oct 2005
Steps to Secure a New Linux Box:

1. Install Debian (or another suitable "lean and mean" distribution) as a "minimal" install, with no software beyond the base system.

2. Install only the software you need.

3. Check your firewall configuration to ensure it's configured for your needs (since it's already running).

4. Ensure you use good passwords.

5. Set up tripwire, chkrootkit, and any logging/monitoring you want to use.

6. Connect to the Internet only through a separate router/firewall.

7. Use your package manager to keep up to date on security patches.

8. There really isn't anything past 7 for most Linux systems. You could run AV if you want to help prevent the spread of Windows viruses, I suppose.
Distro Rundown?
jbush@... 26th Oct 2005
I myself am a Fedora person (for home use anyway)

Perhaps a business oriented distro comparison could be useful to the uninitiated, as well as a look at wine and other crossover projects (I don't know about the rest of you, but as System Admin, I don't get much of a say in what productivity software we use, and most of ours is poorly written garbage that is windows specific).
Quicky
jmgarvin 26th Oct 2005
Gentoo - The other Slack meat

Slackware - A "roll your own" distro. Quite nice, but not for the faint of heart

Debian - Apo has sung its praises, but it is a good distro. With apt, the ease with which you can move from a minimal install to exactly what you need is nice.

Red Hat - A good "all around" distro. While not good at any one thing, it is a jack of all trades.

SuSe - The root of all evil. Perhaps Novell will fix it?
rundown -- the short version
apotheon Updated - 26th Oct 2005
Here's the short version of a rundown on some major Linux distributions (assuming that's what you were asking for), in alphabetical order:

Debian: My favorite Linux distro to date, it has the best CLI based software management available (which also means the most scriptable software management). This is a lean distribution: it allows for very minimal installs. Because of the excellent software management system (and the single largest repository of binary software packages available to any distribution), it is absurdly easy to configure exactly the way you want from an initial minimal install. Its stability is legendary, and an unfortunately well-kept secret of Debian is that you can also get more cutting-edge releases of it by using the Testing or Unstable versions, or even the Experimental versions, if you don't need the rock-solid unchanging workhorse stability of the Stable version. Of course, Testing and Unstable tend to be at least as stable as the "stable" releases of most other distributions, because Debian has the single largest community of any major distribution, and they test the livin' bejeebers outta the packages that go into its software repositories.

Fedora: This is the community-based spinoff of the Red Hat line. It's meant to be the cutting-edge testbed for Red Hat Linux technologies that, after sufficient testing, will end up in RHEL. It has a fairly strong community, and tends to be well supported (for a noncommercial distro) by commercial software vendors because they tend to default to Red Hat support first (the fools). It's a kitchen-sink distro, to the extent that the friggin' installer is a GUI system written in Python. Seriously.

Gentoo: This is a minimal distro that allows for very easy management of custom compilation. This makes for a very customizable system. It'd be awesome if it didn't take three friggin' days to upgrade KDE or GNOME because of all the recompilation that has to occur, and if it wasn't for the cloud of Ricers who hang out on the fringes of the Gentoo community giving it a bad name. (Of course, KDE and GNOME are huge bloated heaps of cruft that I tend to think should be avoided, but I know I'm in the minority on that one.)

Mandrake: The root of all Linux evil. No, that title doesn't belong to SuSE, no matter what jmgarvin says. At least SuSE has better manpages and a better software management system. This is a kitchen-sink distro with lots of clicky stuff. It includes a lot of distro-specific configuration utilities, which is typically a bad thing. It's RPM-based, with all that entails -- but the RPMs are not always compatible with the RPMs that work with the Red Hat distros.

OpenSUSE: This is the community version of SuSE, completely FLOSS-based. I don't know yet what it'll be like, but I tend to think it'll help to improve on the SLES base from which it is grown.

RHEL: Red Hat Enterprise Linux is sorta the canonical corporate Linux. It's a kitchen-sink distro with lots of clicky stuff. It's encumbered by expensive "mandatory" support licensing, which some businesses consider a good thing and others not.

Slackware: This is about as lean a distro as you can get. The only way you get leaner is with Linux From Scratch, which isn't a distro at all -- it's a set of instructions for building your own distro from nothing. Slackware's really meant to be managed with tarballs (compressed archives of source code) rather than with package management or source management, though it does have a binary package manager. Of course, the package manager sucks. If you're not interested in doing all your software management with only basic tools, you're probably better off using a different distro. Still, for those who find it to their liking, using Slackware can be very rewarding, and is about as "pure" a Linux experience as you'll get from a major distribution. It's also the oldest still existing distribution of Linux, older than Debian by about two months.

SLES: SuSE Linux Enterprise Server is to OpenSUSE as RHEL is to Fedora. Novell is taking some cues from Red Hat. Another kitchen-sink distro, this has one of the most comprehensive GUI software management tools available, and it works quite well. It's a little short on the ability to make it easy to find what you need when looking for something specific, but that's more a function of it being GUI based than any fault of Novell's/SuSE's. On the other hand, the fact that it lacks good CLI based software management is, indeed, Novell's/SuSE's fault.

Ubuntu: Here's an end-user kitchen sink distro based on Debian. It's not really compatible with Debian's software repositories any longer, and it has some very "protect the user from himself" configuration defaults about it, like the fact that it's impossible to actually log in as root under default configuration conditions (everything administrative is done by sudo). A lot of people like it quite a bit. I don't.

Okay, I thought this was going to be short. I skipped a bunch of distros that aren't quite as "major" as these for purposes of open source community impact, permanent install base (as opposed to LiveCD use), and so on. I hope I didn't forget something I should have included.
IM with you
AJ-Ubuntu-User 26th Jul 2006
gawd, M$ can't even get patches right though; you often get top-level patches to fix exploits in last month's Black Tuesday release.
Install Modded firefox W/flashblock, Adblock, and adblock update. Install Spywareblaster and spybot with updated definitions from Jumpdrive. Cripple IE, or remove shortcuts entirely. Install modded version of Hosts file from here:
http://www.mvps.org/winhelp2002/hosts.htm
Make Hosts file "read only". Make DNS Client a manual service. Rename admin account, pass protect. Create multiple user accounts, all restricted without passes. Install VMWare player and configure browser. Install ZoneAlarm, and AVG from preconfigured .bat file. Hand the customer a copy of knoppix on disk. Sit back and relax.
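The hosts-file steps above as an added PowerShell example (mine, not the poster's); it also audits the file for entries that point a name at something other than a loopback or null address, which is what a tampered hosts file looks like. Run it elevated; the Test-HostsFile function name is my own.

```powershell
# Added example: lock the hosts file as described, set the DNS Client service
# to manual, then list any hosts entry that does not sink a name to a
# loopback/null address. A blocklist only ever maps names to 0.0.0.0 or
# 127.0.0.1; anything else deserves a look (an update or AV vendor host
# redirected elsewhere is a classic tampering sign). Run from an elevated prompt.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# "Make Hosts file read only". A later reply points out the cost: a non-admin
# user then cannot refresh the blocklist, so updating it becomes an admin chore.
Set-ItemProperty -Path $hostsPath -Name IsReadOnly -Value $true

# "Make DNS Client a manual service": the resolver cache (service Dnscache)
# loads the whole hosts file, and a large blocklist makes it sluggish. This is
# XP-era advice; current Windows protects this service and may refuse the change.
Set-Service -Name Dnscache -StartupType Manual

function Test-HostsFile {
    param([string]$Path = $hostsPath)
    $sinkAddresses = '0.0.0.0', '127.0.0.1', '::1'
    Get-Content -Path $Path |
        Where-Object { $_ -match '^\s*[^#\s]' } |               # skip blank and comment lines
        ForEach-Object {
            $fields = (($_ -split '#')[0]).Trim() -split '\s+'  # drop any trailing comment
            $address = $fields[0]
            foreach ($name in ($fields | Select-Object -Skip 1)) {
                [pscustomobject]@{
                    Name       = $name
                    Address    = $address
                    Suspicious = ($sinkAddresses -notcontains $address)
                }
            }
        }
}

# Report only the entries that redirect rather than block.
Test-HostsFile | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```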
I could go along with most of this ... except ... If you cripple IE and the end users only have non-admin accounts, how do your clients keep patched via Windows/Microsoft Update?

Also, if you as an admin make the hosts file read only, hidden, and system, how is the non-admin user supposed to keep the host file updated?

I can appreciate your giving the user Knoppix on disk, but as you have just tightened down a Windows installation, what is the point?

I often use bootable Knoppix CDs to check out hardware that normally runs Windows. I don't think that anyone would argue that Knoppix does some of the best hardware detection of any Linux distro. And, Knoppix does come with Open Office for accessing MS files on the hard drive should the user choose to boot the Knoppix CD. But, by default Knoppix maps the hard drive partitions as Read Only. Any user who needs help tightening down Windows is going to be baffled by the procedure to remount a hard drive as Read Write in Knoppix. Without at least creating a swap partition on the hard drive and saving the user's Knoppix settings to disk, Knoppix would not be able to perform as well as Windows on the same hardware.

I think the point of this thread is to try to elucidate different strategies we as IT pros use to tighten down new Windows PC deployments.

I think we are in agreement that the current version of Windows cannot be made secure. One must choose between allowing the end user to be an Admin so that Windows and applications like Norton anti-virus can be kept up to date, or tightening the machine down as an admin then locking the end user out of updates by making users run as non-Admin.

From experience I know that if you give the end user an Admin account that is only supposed to be used for patches and updates, the user will end up running as Admin all the time.

When you deploy a new Windows XP machine you pick your poison: you tighten down the OS and deploy with the end user as Admin to allow updates but expose the Admin account to exploit, or tighten down the OS and deploy with end users as non-Admin, thereby preventing updates to keep your end users secure.
By crippling IE, I mean, quite simply, whitelist MS Updates and nothing else. Delete all shortcuts, make the .exe read only, and pass protect. I'm dealing with home users. In a corporate environment, updates may be disabled. Recently we've seen a rash of zero day exploits, and allowing auto-updates may be the lesser of 2 evils. At least these can be safely undone.

Our sysadmin told me he didn't like Firefox, because it could disable Flashmedia, at the user's discretion. I'm not seeing a problem with this. Plain old HTML isn't flashy enough for him, I'm happy to block the crap.
My customers, especially those limited to dial-up, are thrilled with the performance boost. Bout time to leave the factory, and concentrate on my corporation.
flashy crap
apotheon 22nd Feb 2006
It sounds like your sysadmin needs a reality check.
I wish removing or crippling IE was the answer. You come across a whole lot of web sites which will respond properly only in IE. How do you accommodate such sites except for blaming the web designers who used quick fix software like FrontPage? I have come across sites of even large multinationals which appear terribly bad under Firefox. Half of the links simply don't function.
simple answer
apotheon 31st Aug 2006
I deal with it by not using those websites. I have the luxury of doing so. I know there's a small percentage of people who really truly NEED to be able to access certain IE-only websites, and I feel for them. For my own purposes, however, it is perfectly acceptable to avoid IE-only websites for the express purpose of maintaining system security.
Let me start by saying that Firefox is a great product. IE comprises 89% of my visitors. Firefox - 7% and the rest goes to Safari and so on. While the web person should be checking compatibility, he has to be able to produce for the majority of his viewers. Until we get a true standard in browsers it will always be a problem. But then they will all be susceptible to the same attacks.
it's just that some browser designers haven't felt the need to follow it, coupled with the fact that doing so would break a very large percentage of sites.
Anyone who has dealt with viruses over the last 2 years will know NOT to enable system restore. Why? Because it is a nice B&B for that virus to hide in after you thought you had got rid of it. Then on the next reboot, it's BACK again. Back up your information and wipe the disk; that is the best thing to do.
Hi I am an IT expert
and the best way to safeguard a computer is -------------take it up to the 200th floor of your building and throw it down.
Voila! Now you can easily connect to the internet.

Inform me about your experiences with this SOLUTION
Go into IE and turn OFF all active scripting. Scriptlets are the cause of most viruses on Windows. Turning OFF active scripting eliminates the threat much better than Anti-Virus software.

Some have argued, that turning OFF all scripting in IE eliminates the need for Anti-Virus software.
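The Internet-zone scripting change above done in the registry for the current user, as an added PowerShell example (mine, not the commenter's), combined with the whitelist idea from an earlier reply: scripting stays enabled only for sites placed in the Trusted sites zone. The Add-TrustedSite helper and the update host it is given are my assumptions.

```powershell
# Added example: disable Active Scripting in IE's Internet zone and keep it
# available only for sites moved into the Trusted sites zone. Applies to the
# current user (HKCU); IE re-reads these keys the next time it starts.
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
# Action value 1400 = Active Scripting; data 0 = Enable, 1 = Prompt, 3 = Disable.
Set-ItemProperty -Path "$zones\3" -Name '1400' -Value 3 -Type DWord   # Internet: disable
Set-ItemProperty -Path "$zones\2" -Name '1400' -Value 0 -Type DWord   # Trusted: enable

function Add-TrustedSite {
    # Put one https host into the Trusted sites zone (zone 2) so scripts still
    # run there. Hypothetical helper, not a built-in cmdlet. IE stores the
    # mapping as ZoneMap\Domains\<domain>\<host prefix> with a DWORD named
    # after the scheme, which is what the Internet Options dialog writes.
    param([Parameter(Mandatory)][string]$HostName)
    $domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $labels = $HostName -split '\.'
    if ($labels.Count -lt 2) { throw "Need a fully qualified host name: $HostName" }
    $key = Join-Path $domains ($labels[-2..-1] -join '.')          # e.g. microsoft.com
    if ($labels.Count -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')   # e.g. update
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
}

# The earlier reply's whitelist: only the update site may run scripts.
# Assumed host; use whatever hosts your update client actually contacts.
Add-TrustedSite -HostName 'update.microsoft.com'

# Show the resulting policy per zone so the change can be verified.
foreach ($z in 1..4) {
    $v = (Get-ItemProperty -Path "$zones\$z" -Name '1400' -ErrorAction SilentlyContinue).'1400'
    "Zone $z Active Scripting = $v"
}
```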
Another To-Do
RayG314 31st Aug 2006
I like the idea of making sure you have all the protection tools you need before taking your old system off-line.

How about making an image/backup of the system? Maybe just BEFORE connecting to the Internet.

If you can't do this, make a bootable disk/CD, have a copy of your OS, and any patches, available to install
What's a "starter" CD-ROM? (I'm not an IT Techie, sorry.) It sounds like it's a handy way to "suck" the security applications, drivers and such from a presumably clean machine and swiftly get the machine set up after a reformat & OS reinstall.

How do I go about making one? I do have a concern though: is there not the risk of re-introducing whatever compromise the old load may have had?
for the software you want to put on and burn it to a cd /dvd on your old PC. That way you don't have to risk going on the web to download it.
According to research published by Sophos in July 2005, there is about a 50 percent chance that an unpatched PC will be infected with malicious software within 12 minutes of connecting to the Internet. Once infected, it is almost impossible to get a PC clean again.

BS- IF THIS IS TRUE NO PC WOULD WORK AT ALL CAUSE 100 per cent of them would be compromised. BESIDES when you get a pc and hook it to the internet to do updates Especially a fresh computer takes about a hour to download just the microsoft updates.

NOW WHAT NO ONE TALKS ABOUT IS THE INFECTED MACHINES SITTING IN STORES DIRECT FROM THE FACTORY THAT ALREADY HAVE VIRUSES ON THEM

MARK
Good informative article.
12 minutes until infection though seems a long infection time.
In 2004, I saw a fresh XP installation, minus firewall, infected in 4 minutes. It's likely to be much sooner than that now in many regions.
Don't mind to update your piece...
I also check for updates and create a restore point and move it to 100%. I love AVG anti-virus.