I got my DSL hooked up.

I have had dl speeds of 75 Kb/sec.

I have been using Windows Firewall.
Should I use another one?

Any other recommended items would be appreciated.

Andy
Posted on 2009-08-14 18:34:45 by skywalker
Kerios/Sunbelt Personal Firewall.

But still, nothing beats a router imho; hiding behind a NAT.
Posted on 2009-08-14 19:32:41 by Ultrano
I have been using Windows Firewall.
Should I use another one?
look'n'stop (not free)
Posted on 2009-08-14 19:36:25 by drizz
Create an unpriviledged user and log in as that user by default. Use administrative account only when needed which is -normally- rarely. 99% of malicious software can be filtered out this simple way.
Posted on 2009-08-14 20:40:11 by ti_mo_n

Create an unpriviledged user and log in as that user by default. Use administrative account only when needed which is -normally- rarely. 99% of malicious software can be filtered out this simple way.


Agreed. Triggering exploits as a privileged user can compromise any running software, including a software firewall.

Most "broadband" (consumer) routers provide a sufficient default firewall setup, in which should keep most inbound attacks at bay. You should be able to further configure it to a more paranoid setup, by limiting/controlling outbound traffic as well, if needed.

IMHO, don't waste your time/money on a software firewall for Windows. Stuff like Avast, Windows Defender and SpyBot S&D in conjunction with Windows firewall and a broadband router will be a greater (and cheaper) investment.

If you want still want a hardware firewall without the heavy cost burden, look into pfSense, it turns any 386+ PC into a proprietary-like router/firewall.
Posted on 2009-08-14 22:52:51 by SpooK

Create an unpriviledged user and log in as that user by default. Use administrative account only when needed which is -normally- rarely. 99% of malicious software can be filtered out this simple way.


Thanks.
I took your advice.

I am trying to figure out how I can save files to certain directories.
I would like to be able to edit and save batch files.

Giving myself full permission to those directories didn't work.

I am also wondering if disabling the LAN connection when I don't need access to the Internet
might be a good idea.


Posted on 2009-08-16 12:56:44 by skywalker
Preparations: make sure you have all security updates for your Windows or at least that the newest service pack is installed. Otherwise the whole effort is kinda pointless.

1. Turn off "simple file sharing" (control panel -> folder options -> view). This will give you full control over the file privilege system. It will make "security" tab appear in every folder's options.
2. Make sure you use NTFS on all your hard drives.
3. Give ownership of ALL files to the "administrators" group. And make sure your admin account belongs to this group or else funny things may happen ^^'
4. Start with drives: give the "administrators" group full control over every hard drive/partition. Do not give anything more to anyone.
5. Exception is the system drive: LOCAL_SERVICE, NETWORK_SERVICE and SYSTEM usually require full control over system drive.
6. start giving the unprivileged account access to stuff you want to access. It's usually sufficient if you give it "modify", "read & execute", "list folder contents", "read" and "write" to all drives EXCEPT system drive.
7. Make sure you give the unprivileged account proper access (including write) to user's profile folder "C:\Documents and Settings\unprivileged_user's_name"  _AND_ read (ONLY read) access to other users' profiles (read access to other users' profiles is not required, but many poorly written apps crash if they can't read data from those folders).
8. Enable DEP for ALL applications (control panel -> system -> advanced ->performance -> DEP tab). Allow exceptions only to known apps and only if you know that this particular app crashes when it has DEP enabled.
9. Run Local Security Policies (%SystemRoot%\system32\secpol.msc /s). Configure it wisely. Double-click on a setting and read "explain this setting" tab if unsure what it does.
10. And make sure that the unprivileged account belongs AT MOST to the "users" group (or none if you don't want to use groups).
11. Now you can give ownership of the files you want to to the unprivileged account. It will be any documents that account may work with/create/modify/write to  and/or your own applications. All other files should be owned by "Administrators" group. Proper ownership management makes it easier to apply proper security policies. You can allow owners full access over their files. This way if an app makes any "settings file" or anything like that it will be able to read/modify/write to it without the need of giving it any more access privileges.
12. Stop AND disable uPnP service if you don't really need it. This service, in short, enables any app to open any port on your router, which is bad. Additionally disable uPnP on your router.
13. Stop AND disable any services which are not Microsoft's and you don't know what they are. Double-click on a service to see the path to its executable code. It you suspect it's malicious - stop and disable.

Applications run as unprivileged users, additionally, can't write to critical registry entries, like HKEY_LOCAL_MACHINE. They also can't configure Windows Firewall settings which makes this firewall actually something useful and kinda secure. Go to Control Panel -> Windows Firewall -> Exceptions and delete any exception if you don't need it. Check the path to the executable if unsure.

The whole process may seem difficult and/or long at first (took me more than 3 hours the first time i did it) but it's well worth it. I haven't got any malicious code, whatsoever, running on my comp since I did it. If I accidentally download and run something malicious then it usually crashes immediately due to strict security and/or poorly/h@xX0Rishly written code.

In case you don't know: when you're logged in as an unprivileged user, you can easily, simply and quickly run an app as the administrator by right clicking -> "Run as...". This way you don't have to log in as admin if you just want to run 1 or 2 apps as admin. Kinda hard-not-to-know function but -believe- I know many people who re-log-in as admin just to start 1 app and and then re-log-in back ^^' Additionally, if there is an app which you routinely want start to run as admin while logged as unprivileged user, you can create a shortcut to it and under this shortcut's properties go to "shortcut" tab and then "advanced -> run with different credentials". This will make the "run as" function the default for this shortcut, instead of simple "open".

Hmm, I think that's all ^^ If you apply all this then your machine is like a fortress ;p

I am trying to figure out how I can save files to certain directories.

You need at least the "write" permission. The easiest way to have it is to give unprivileged user the generic write (named simply "write") access under folder's "security" tab. You need to disable "simple file sharing" if you want this tab to appear. Note that the generic write (and all generic privileges visible in the list under the "security" tab) give many different permissions. If you want to precisely control what you allow and what not, you have to press "advanced" and play there (but it's usually not necessary).

If you're pretty sure that you have configured it correctly and it still won't work then try looking at effective permissions for your unprivileged user. Go to Folder/drive properties -> security -> advanced -> effective permisions -> press "select" -> input fully qulified name of your unprivileged user OR just input the login name and press "check names". Confirm that you have the permissions you need for a given folder.

Feel free to ask if you have any specific questions.

PS: Here are some tips for people new to being unprivileged.

/edit
Corrected, like, 1000 typos. lol.
Posted on 2009-08-16 15:42:33 by ti_mo_n
I have a 2nd drive(FAT 32) with no OS that I use as a backup drive.

I can see the security advantages of it being a NTFS, but I have been thinking about putting Win 98 on it as a kind of backup in case my main drive went nite-nite.

Thanks for the run-as suggestions too.

Andy
Posted on 2009-08-17 06:51:50 by skywalker
Put XP on the backup drive and use NTFS ^^
Posted on 2009-08-17 17:01:13 by ti_mo_n
I might do that.

The 2nd drive is 6 GB and my primary is 18.6.

I have 5 GB free on the 2nd drive.

Andy
Posted on 2009-08-17 17:19:41 by skywalker
You can always use some linux as backup OS? Many of them don't even require any installation.
Posted on 2009-08-17 17:58:07 by ti_mo_n

You can always use some linux as backup OS? Many of them don't even require any installation.


Tiny Core Linux is ~10MB. It should act as a decent crutch until you get your Windows back up and running.
Posted on 2009-08-18 11:16:35 by SpooK
8. Enable DEP for ALL applications (control panel -> system -> advanced ->performance -> DEP tab). Allow exceptions only to known apps and only if you know that this particular app crashes when it has DEP enabled.
IMHO this is often too much bother to make it worthwhile, especially if you don't run internet-facing daemons.

12. Stop AND disable uPnP service if you don't really need it. This service, in short, enables any app to open any port on your router, which is bad. Additionally disable uPnP on your router.
Not really - it's only a problem if you get hit by malware, at which point you're already screwed. And malware can use upnp directly without going through the windows service anyway.

I agree with SpooK that there's no reason to use a software firewall beyond the Windows built-in one. Sure, that one doesn't offer outbound filtering, but outbound filtering is pretty useless... A NAT'ing router (without DMZ aka. "forward all traffic by default to this IP") combined with WF is really all you need.
Posted on 2009-08-20 04:46:14 by f0dder