Windows 7 Secure setup

[winguy]

Hello guys.
I started learning about security related stuff not long ago.
I really like to play games with windows, which is kind of hard to live with, if you want security.
So I decided to try to setup the best secure yet operatable setup for win7 that I could come up with.
I wanted to hear your suggestions before I implement it.
Here is what I thought about:

1) Clean install win 7 64 bit
2) Create a "Secure" folder for my internet downloads (only r &w not exec)
3) VM to test files that look suspicious
4) Antivirus Avast + malwarebytes (I want free tools)
5) Nod32 trail on the vm + trackwinstall + what chanhed + sysinternals
6) Secure boot (UEFI)
7) no shares enabled
8 ) NAT for fw
9) AUTO run disabled.

Any major problems? and suggestions for the set up?
Thanks in advance.

[proxx]

Thats not "secure"
I suggest you run a BSD/nix vbox with a real firewall and route the traffic through that.
Run snort, blacklisting etc.
Move homefolder to other partition.
Amongst a couple other things I cant name right now.

[Kulverstukas]

That does not sound secure and is completely unneeded. You will never be secure if you don't know what you are doing, no matter how much AV's and FW's you install.
Basically you only need malwarebytes to do a scan once a month or so, everything else is replaced by common sense.
Set downloads folder to only be written? no, that is not how windows attributes work.
Secure boot? that won't help if you get a rootkit.
No shares enabled? makes life harder. Just set a password, or only share stuff when you need stuff shared...
The VM for unknown crap and disabled autorun are the only wise decisions IMO.

What I can suggest is read more on social engineering, windows filesystems, learn a bit of coding and develop a common sense. Also you might want to look at ProcessHacker, it's awesome.
And 64bit? only if you have 4+GB of RAM, otherwise you don't need 64bit.
Might as well consider using online file scanners to check an executable, fuck virus makers, I hate malware actually, when the sole purpose of it is to mess the system up...

[Traitor4000]

I did not know secure and Windows could be used in the same sentence 

[winguy]

Thats not "secure"
I suggest you run a BSD/nix vbox with a real firewall and route the traffic through that.
Run snort, blacklisting etc.
Move homefolder to other partition.
Amongst a couple other things I cant name right now.

Move homefolder to other partition. - why does this help?
"blacklisting"? of what? ips?

-------------------------------

That does not sound secure and is completely unneeded. You will never be secure if you don't know what you are doing, no matter how much AV's and FW's you install.
Basically you only need malwarebytes to do a scan once a month or so, everything else is replaced by common sense.
Set downloads folder to only be written? no, that is not how windows attributes work.
Secure boot? that won't help if you get a rootkit.
No shares enabled? makes life harder. Just set a password, or only share stuff when you need stuff shared...
The VM for unknown crap and disabled autorun are the only wise decisions IMO.

What I can suggest is read more on social engineering, windows filesystems, learn a bit of coding and develop a common sense. Also you might want to look at ProcessHacker, it's awesome.
And 64bit? only if you have 4+GB of RAM, otherwise you don't need 64bit.
Might as well consider using online file scanners to check an executable, fuck virus makers, I hate malware actually, when the sole purpose of it is to mess the system up...

What about an AV? which one do you consider good? are there any good free ones?
About the dl folder when I tried to execute an exe from a folder with only r&w it didn't let me, so i considered it another step into a more secure zone.

What about dual boot - one secure partition and one for crap software?

[Kulverstukas]

No AV is "good" and I don't use any... only malwarebytes to scan stuff from time to time. Dual boot just to test weird executables would be an overkill... a VM is enough, but keep in mind modern malware usually have methods for breaking out of VM's and sandboxes and stuff. A Dual boot would be better for this.... but like I said, all that could be reduced to common sense... until that tho, this is good.

[winguy]

No AV is "good" and I don't use any... only malwarebytes to scan stuff from time to time. Dual boot just to test weird executables would be an overkill... a VM is enough, but keep in mind modern malware usually have methods for breaking out of VM's and sandboxes and stuff. A Dual boot would be better for this.... but like I said, all that could be reduced to common sense... until that tho, this is good.

So after reading your takes on my set up here is the new version:
- VM (vbox)
- Autoplay disabled
- 2 Users (day to day will be a standard user)
- NAT
- No shares (i don't need them)
- Snort + Wireshark
- ProcessHacker
- Secunia
- Malwarebytes + Microsoft security essentials.
- EMET

Sounds better?
Thanks for the help!

[karsa]

Take a look at malwaretips, I think it's what you're looking for.

[Kulverstukas]

Take a look at malwaretips, I think it's what you're looking for.

Oh wow, that's a cookie worth material man!

@winguy: 2 users? snort? wireshark? yeah it's ok to begin with, but I guarantee you're gonna get so fed up with it later in life. The way I see it you don't need snort unless you have a huge network and servers on it...
All in all, I don't even know, I'm not such a huge security dude, but what I do works for me to not get infected yet... it seems to me you're just too paranoid.

[proxx]

Oh wow, that's a cookie worth material man!

@winguy: 2 users? snort? wireshark? yeah it's ok to begin with, but I guarantee you're gonna get so fed up with it later in life. The way I see it you don't need snort unless you have a huge network and servers on it...
All in all, I don't even know, I'm not such a huge security dude, but what I do works for me to not get infected yet... it seems to me you're just too paranoid.

All of this is pretty much default on linux
Silly windows users.

[karsa]

Oh wow, that's a cookie worth material man!

Not sure if sarcasm or not, but it seemed appropriate. I'm not saying it's some treasure trove of great info but it might help OP. That being said, consider switching to another operating system and learn as much as you can about it. Installing shitloads of programs doesn't really help if you don't know what you're doing. Changing the users habits and trading a bit of conveniency for more control goes a long way.

[Kulverstukas]

Not sure if sarcasm or not, but it seemed appropriate. I'm not saying it's some treasure trove of great info but it might help OP. That being said, consider switching to another operating system and learn as much as you can about it. Installing shitloads of programs doesn't really help if you don't know what you're doing. Changing the users habits and trading a bit of conveniency for more control goes a long way.

Oh no that was not sarcasm, sorry if it sounded like sarcasm. I totally bookmarked that site!

[noob]

This guy put a nice effort to describe how to harden windows 7 machine:

Code: [Select]

http://hardenwindows7forsecurity.com/Harden%20Windows%207%20Home%20Premium%2064bit%20-%20Standalone.html

[Darkvision]

This guy put a nice effort to describe how to harden windows 7 machine:

Code: [Select]

http://hardenwindows7forsecurity.com/Harden%20Windows%207%20Home%20Premium%2064bit%20-%20Standalone.html

never used EMET before, ill have to look at it. The rest of it is rather good. One point to stress along with this guide though, turn off EVERYTHING you dont use. Uninstall components you dont use(like IE). Unfortunatly for some of the best performance tweeking/security you will need to familiarize yourself with the registry. Unfortunatly(as far as i know) windows stopped releasing their dev developed tools after XP(these were amazing) so you really need registry knowledge to do everything(not that you could even with their tools, just that you could go a lot quicker for some of the reg only stuff). I would estimate that 95%(minimal) programs out their designed to tweek/secure you PC actually make your PC LESS secure than doing it yourself. For instance ive only ever found ONE "booster" that actually gave my performance a boost and they quit updating it after XP, and the only reason it gave me a boost was because it was a heavily modified windows kernel. Any other program ive ever seen gives "boosts" by applying a pre-approved set off off/on for services(mainly) and sometimes a few reg keys. The issue with that is that if you know what your doing it will end up turning on services/changing keys that you have already changed.(worsening performance and making you more vulnerable). So at the end of the day the best solution would be to learn fundamentals...then get into a book or two thats heavy into the internals of windows.