#1
Maybe I'll make one if you guys would find it useful.
__________________
-dB
#2
Ok. After all, you're the software moderator.
#3
I am? You never responded to my PM.
__________________
-dB
#4
Working on a new one myself.

My current lineup and procedure goes something like this:

Hardware firewall
- advantages and typical configurations

Secure the OS
- partitioning the drive to separate the OS system partition and the data partition(s) from the recovery partition with the image of the secured OS
- download and burn service packs and hotfixes prior to the install, or employ Knoppix to do so from the fresh install
- set up automatic updates
- disable unnecessary services
- disable NetBIOS (implying there are also no insecure "legacy" OSs on your network)
- disable the Guest account
- set up a general user account
- rename the Administrator account
- create a fake Administrator account (disabled)
- enable network lockout of the true Administrator account
- limit the number of logon accounts
- remove the "Everyone" group and replace it with "Authenticated Users"
- shares: disable default hidden shares, administrative shares, IPC$ (depending on networking needs)
- unhide file extensions, protected files, all files and folders
- remove insecure subsystems (OS/2 and POSIX)
- optionally, how to protect, watch/log, remove and reinstall: arp.exe, at.exe, cacls.exe, cmd.exe, Command.com, cscript.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, ipconfig.exe, iissync.exe, nbtstat.exe, net.exe, Net1.exe, netstat.exe, netsh.exe, nslookup.exe, ping.exe, posix.exe, qbasic.exe, rcp.exe, regedit.exe, regedt32.exe, regini.exe, rexec.exe, rsh.exe, route.exe, Runas.exe, runonce.exe, telnet.exe, tftp.exe, tracert.exe, Tlntsvr.exe, wscript.exe, xcopy.exe
- how to remove and, as needed, replace the .reg file association for the registry editor (breaking any automated malware that requires the above)
- configure security policy control through GPedit and building your own MMC console (here you see where my tutorial is really aimed at W2K/XP Pro versions, with registry tweak alternatives for XP Home)
- enable auditing (logon, object, privilege, account management, policy, system)
- set permissions on the security event log
- set account lockout policy
- assign user rights
- set NTFS permissions

Install software
- disable HTML in e-mail (in both Internet Explorer & Thunderbird, with the option to use Allow HTML Temporary in TB)
- installing Firefox with the NoScript extension
- how to restrict IE with a noaccess.rat
- optionally, how to disable and restore ActiveX/WSH/VB/Java/JavaScript in the OS itself
- install, configure and log an AV (likely freeware, with a general discussion of the advantages and disadvantages of various paidware)
- install, configure and log a rule-based HIPS (my first example will employ ProcessGuard since I have a full license, but here is where additional alternatives are welcome)
- install, configure and log a rule-based firewall (again, recommendations; I'm still using Kerio PF2)
- install, configure, log and employ a sandbox (I'm going to use Sandboxie in my initial example, configured as a service protected by the HIPS from termination), with a step-by-step of how to get it to play nice with the HIPS, scan and save data out of it, where and why you'd want to use it, etc.
- install and configure checksum tripwires to watch the security .exe and .dll files (initially I'll be using Filechecker, with an additional baseline generated at startup and on demand with a .bat and fsum for additional verification)
- baselining the security with RootkitRevealer and HijackThis, and running down entries as you install additional software to maintain a current baseline (again, additional alternatives are welcome)
- configure applications to write to the data partition rather than their default locations; change the default locations of the OS to do the same (My Documents et al.)
- how to install the Recovery Console to the HDD/boot menu
- a .bat to automatically back up the registry at each boot (system32/config), enabling you to roll back to any previous boot, not just the Last Known Good (which gets overwritten), from the boot menu Recovery Console

>>> connect to the internet
- start configuring the software firewall
- installing and running Baseline Security Advisor; optionally NessusWX/Nessus 2.2.5, ATK
- installation of common apps with a good freeware list, the advantages of apps that aren't employing DRM and phoning home, and what these apps require to run correctly without overloading the event log with errors or failing to run altogether if you've chosen to be really paranoid and remove/restrict the files listed above
- some common OS tweaks and customizations (shell integrations, reg tweaks, etc.)
- how to install and secure TightVNC with OpenSSH so you can remotely admin your brother's/sister's/GF's/etc.'s box (if this is for them), with a tutorial on dynamic IP services
- optionally, how to employ XPLite to remove large chunks of the OS that aren't needed (potentially insecure), what that can mean for updating, and how to circumvent that manually (IE, OE, WMP, etc.)
- clean up HIPS and firewall rules, double-check logs, save up-to-date baselines and clear all log entries
- imaging the secured and tweaked install to the rescue partition, employing examples of both freeware and Ghost (a brief discussion of the importance of hard backups of the data partitions with checksum verifications, with a sad story of how a bad stick of RAM corrupted 200GB of a RAID 5 array as I moved data around)

The closing discussion leads the security wannabe to SANS, Snort, Bugtraq, Honeynet, etc. (and of course here) for further education or extracurricular activities. The really scary monsters that are both real and may soon be real (undetectable rootkits, virtualization exploits, port knocking, subversion of hardware EEPROM and flash memory), and the advantages of configuring Google News to include a few custom news sections like worm, virus, malware, exploit, hotfix and rootkit, which should at least be skimmed once or twice a week. And finally, how to conduct really risky behavior via a Live CD. Also how to employ a Live CD (or parallel install) to detect malware from outside the OS (Slax with F-Prot, ClamAV, Snort, etc. modules from a USB or live CD), and the alternative path: employ a Linux system to virtualize XP/W2K.
__________________
Two windigo are eating a clown, one turns to the other and says, does this taste funny to you?
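The checksum tripwire step in the lineup above (baseline the security .exe/.dll files, regenerate the baseline at startup or on demand, cross-check with fsum) in working form. This is an added example, not code from the original post and not Filechecker's or fsum's own code. Assumptions: it hashes with SHA-256 rather than the MD5 that fsum defaults to, writes the baseline in the `<hash> *<path>` layout that `sha256sum -b` and `fsum` produce and skips `;`-prefixed comment headers, and the sample tree, its file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large DLLs are not slurped into memory


def sha256_file(path):
    """SHA-256 of one file (chosen over fsum's default MD5, which is collision-prone)."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".exe", ".dll")):
    """Map each .exe/.dll under root (relative, forward-slash path) to its digest."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def write_baseline(baseline, out):
    # "<hash> *<path>" per line: the layout sha256sum -b / fsum emit (assumed
    # compatible), so either tool can cross-check this file independently of this script
    with Path(out).open("w", encoding="utf-8") as f:
        for rel, digest in sorted(baseline.items()):
            f.write(f"{digest} *{rel}\n")


def read_baseline(path):
    """Parse a baseline file back into {relative_path: digest}."""
    baseline = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank lines and ';' comment headers
            continue
        digest, _, name = line.partition(" ")
        baseline[name.strip().lstrip("*")] = digest.lower()
    return baseline


def verify(root, baseline):
    """Diff the live tree against the baseline: changed, deleted and unexpected binaries."""
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }


def demo():
    """Constructed sample tree standing in for the HIPS/firewall install directories."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hips").mkdir()
        (root / "hips" / "guard.exe").write_bytes(b"MZ original hips binary")
        (root / "hips" / "hook.dll").write_bytes(b"MZ original hook")
        (root / "fw.exe").write_bytes(b"MZ firewall")
        (root / "notes.txt").write_bytes(b"not a binary, ignored")
        baseline_file = root / "baseline.sha256"
        write_baseline(build_baseline(root), baseline_file)

        # simulate what the tripwire exists to catch: a patched DLL, a deleted
        # firewall binary and a dropped executable nobody installed
        (root / "hips" / "hook.dll").write_bytes(b"MZ patched hook")
        (root / "fw.exe").unlink()
        (root / "dropper.exe").write_bytes(b"MZ unexpected")

        return verify(root, read_baseline(baseline_file))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The baseline file is only as trustworthy as its storage: anything that can rewrite the protected binaries can rewrite a baseline sitting next to them, so keep it on read-only media or under the same HIPS rules that protect the tools it describes, and regenerate it deliberately after each intended update rather than letting a startup job silently re-baseline over a change.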
#5
Just some comments and suggestions.

Excellent for managing incoming packets, but not everyone is in a position to buy one, so it's more of a "recommended" suggestion.

* Make a backup of the HDD, using XXClone or DriveImage XML, so that if any change corrupts your system, you can load the same OS with all your files/folders/software, but working, back on.
* When on a fully functional and stable OS (Win), scan your system for any rogue products and when clean make a good System Restore point.
* Alternatively use Linux (any distro) for better protection and less hassle in terms of safety/security on all gates.

I can provide you links to video and picture tutorials on nLite if you need.

Use BigFix to scan your system and net for any MS updates and install them automatically (without manual download etc.). Gives more options than Windows Auto Update.

Use SNARE to analyse and monitor all your system logs. Get PRTG Traffic Grapher or Wireshark and keep note of your Internet port activity. Use Proxomitron or Cyberhawk for extra system protection. DriverMax: backup/check/delete system drivers. DriverGuideToolkit: similar to the above. DriverCleaner: delete waste drivers not needed.

Can also be done in Mozilla too, and also use Firefox and keep up with the latest updates for security, stability and better surfing.

Also the ones you'll know: SpywareGuard, SpywareBlaster, Spybot S&D (TeaTimer), Advanced WindowsCare v2 Personal, Ad-Aware SE, a-squared Free, a-squared HiJackFree, CCleaner (clean up the system regularly), etc. Avast! and AVG are my 2 pick AVs here (free).

Install Process Explorer and ShellExView to monitor and check up on software, handlers, BHOs, DLLs, processes, hosts, services.

Not using torrent software, thus open ports. Download from trusted places. Scan any file you download, and emails. Don't open exe emails.

How to use UBCD, UBCD4Win or BartPE will be very useful too.
#6
Make sure you have the old saying about unplugging the computer and throwing it in the ocean.
__________________
Condoleeza Rice is nice but I prefer A-Roni