- Enable DEP for all processes: Go to Control Panel->System->Advanced System Settings->Advanced->Settings->Data Execution Prevention, select "Turn on DEP for all processes and services except those I select."
- Enable SEHOP for all processes: http://blogs.technet.com/srd/archive/2009/11/20/sehop-per-process-opt-in-support-in-windows-7.aspx
- I found a new tool called EMET, which lets you turn on various exploit protections system wide, and additional ones on a per-file basis. One of the major ones is 'mandatory ASLR', which has the added benefit of making every .dll loaded by a process ASLR'ed. In the past, various IE8 hacks were done (such as at pwn2own) because not all .dlls that IE8 uses opt into ASLR; EMET, with iexplore.exe protected, will enable ASLR (and other protections) for all those .dlls, which should prevent most every exploit that we have seen and will see. EMET can be downloaded from: http://www.microsoft.com/download/en/details.aspx?id=1677. In EMET, set DEP to "always on", SEHOP to "opt out" and ASLR to "opt in" system wide (those are the most secure settings), then click 'configure apps' and add Internet Explorer, any other browsers you have, and apps that handle external data (Adobe Reader/Acrobat, media players, Office programs, Explorer, and so on). In my testing this fully works with IE, Adobe Reader X and Explorer, but it may not work for everything, so test it thoroughly before adding it to a production environment.
- In Windows 7, either maximize UAC (Control Panel->User Accounts->Change User Account Control settings, then move the slider to the top so it's at "Always Notify"), or run as a standard user: in Control Panel->User Accounts->Change Your Account Type, select "Standard User" and apply the settings. You may need to make a separate admin account if you don't have any other admin accounts on your system (or enable the built-in Administrator account as described here: http://www.hardforum.com/showpost.php?p=1034950404&postcount=4 ). Running as Standard User is more secure than running as Admin with UAC, because programs you elevate with UAC use the same profile as the unelevated Admin, which means infected libraries, etc. might be referenced in elevated mode. When running as a Standard User and elevating, programs get their own profile.
- Require Ctrl-Alt-Del for elevation to Admin: execute gpedit.msc as admin, navigate to Computer Configuration\Administrative Templates\Windows Components\Credential User Interface, and enable "Require trusted path for credential entry" (the underlying registry value is set to DWORD 1).
- Require Ctrl-Alt-Del for log in: only the OS can receive a Ctrl-Alt-Del sequence, so if you require Ctrl-Alt-Del for log in and elevation, you can be sure no malware intercepted the log in or elevation sequence in order to steal your password. To require Ctrl-Alt-Del for log in, hit Windows key+R, type "control userpasswords2", go to Advanced and check the box at the bottom that says "Require users to press Ctrl-Alt-Delete."
- If you use Internet Explorer, disable ActiveX in the Internet Zone: Internet Options->Security->Internet Zone->Custom Level, set "Run ActiveX controls and plug-ins" to Disable. You can then add sites that have ActiveX plug-ins you wish to use (e.g. youtube.com) to your Trusted Sites zone by clicking the blue and green globe at the bottom of the Internet Explorer window and selecting Trusted Sites->Sites->Add (uncheck "require https" if necessary).
- IE9 has a new feature called 'ActiveX Filtering', which is a much better way to run securely: enable ActiveX Filtering (gear icon->Safety->ActiveX Filtering), and for every website on which you want to run ActiveX controls, click the blue circle with the line through it in the address/search bar and select 'Turn off ActiveX Filtering'. You only have to do this once per site for the sites you want to run ActiveX controls on, vs. the old method, which could result in many dialogs per site, with new content generating new prompts.
- IE10 desktop version in Windows 8 has a new feature called 'Enhanced Protected Mode'. Enhanced Protected Mode runs IE10 as x64, in a special hardened sandbox that is better than the previous one: the new sandbox prevents read access to the file system and registry as well as write access, so it's better than the write-blocking sandbox previously available. When IE10 runs as x64 it uses HEASLR (a feature specific to Windows 8), which stands for 'high entropy address space layout randomization'. I won't turn this into a thesis, but knowing the addresses of code makes it easier for a malicious data file (like the .html you get from the web in your browser) to exploit the running process, so ASLR randomizes addresses to make them hard to guess. Typically, if you guess the wrong address and try to exploit, the browser will just crash and close. Previously you could fill up an entire 32-bit address space of 4GB with 'heap spraying' and probably infect the process anyway, but because of HEASLR it will be impossible to do so if you run with Enhanced Protected Mode enabled, as the process gets 1TB of virtual memory and filling it up will cause the machine to run out of memory long before an infection can occur. This is something people are ignorant of when they say x64 programs are unneeded; the security benefits actually make them greatly needed. Enhanced Protected Mode supports Flash but not many other plug-ins; you will be prompted to load the specific web site in the regular sandbox if it uses an unsupported plug-in, which is usually OK and the best available at this time.
- IE has Tracking Protection Lists; these lists can be used to block malware originators. You should add malwaredomains from http://www.jansal.net/TPL.shtml, and maybe some of the others if you choose.
- If you run Firefox: sandbox Firefox - http://www.victorc.org/2008/03/internet-explorer-7-protected-mode-vs.html explains how you can use chml.exe or icacls.exe to modify Firefox so it runs sandboxed from your user profile. You will also have to use those tools on your download directory, and you will get a prompt each time Firefox runs; just select OK. (To bypass this prompt, use psexec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and make a shortcut like:
or for 32-bit:
c:\-path to psexec.exe-\psexec.exe -d -l "c:\program files\mozilla firefox\firefox.exe"
filling in the path for psexec.exe, and if necessary for Firefox (and possibly drives).)
- Also for Firefox users: run the NoScript plug-in to block plug-ins and scripts except on trusted sites.
- Enable Auto-Updates: Control Panel->Windows Update->Change Settings, select "Install updates automatically" and install updates "every day." Enable Microsoft Update as well.
- Use chml.exe (get it from http://www.minasi.com/apps/ ) to mark your valuable data on your system as unreadable to sandboxed/protected mode Internet Explorer and Firefox. For example: chml c:\financial_data -i:m -nr -nx -nw
- Run Microsoft Security Essentials Anti-Malware: http://www.microsoft.com/Security_Essentials/
- Run Secunia's vulnerability scanner to detect vulnerable, out-of-date applications and update them: http://secunia.com/vulnerability_scanning/personal/ - if you do not score 100% in this vulnerability scanner, you need to fix it. Out-of-date apps are an easy way in for malware.
- Read and apply information from MS' Security Research and Defense blog: http://blogs.technet.com/srd/default.aspx
- Run 64-bit versions of Windows: 64-bit Windows has Kernel Patch Protection and requires driver signing, which together prevent rootkit-like activity. DEP on 64-bit also protects more kernel structures than on 32-bit.
- Windows 8 has a lot of new anti-exploit checks on kernel and user program structures, making it and the programs on it much more secure. If you're not one of the 'Metro yucky!' people, you should consider it for its security alone, especially at the $40 upgrade price.
- When you connect to a network, choose the "Public Network" profile; this is the most secure. Especially choose this when using coffee shop, hotel, airport, etc. wi-fi, and basically any time except when you absolutely know you need the services allowed by the other profiles.
- I did not include many things here that are security features of Windows, especially more corporate-oriented things like AppLocker, BitLocker, firewall settings, parental controls, and so on. You can do additional web research on those if you need to; I just wanted to mention them so people reading this know about them.
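The DEP, SEHOP, UAC and Ctrl-Alt-Del settings above can be read back from WMI and the registry, which is useful for confirming a machine actually ended up in the intended state. The script below is an added example, not from the original post; it only reports and never changes anything. The registry paths are the Group Policy locations behind the dialogs mentioned above, and the DEP policy value 3 is the "opt out" setting ("turn on DEP for all programs and services except those I select"). Run it from an elevated prompt on Windows 7 or 8.

```powershell
# Audit script (added example): reads back the hardening settings from the
# post and flags any that are not at the recommended value. Read-only.
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$credUI   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
$kernel   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$checks = @(
    # Win32_OperatingSystem DEP policy: 0=AlwaysOff 1=AlwaysOn 2=OptIn 3=OptOut
    @{ Name = 'DEP opt-out for all processes'
       Actual = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
       Expected = 3 },
    # SEHOP system-wide: on client SKUs it is off unless this value exists and is 0
    @{ Name = 'SEHOP enabled system-wide'
       Actual = Get-RegDword $kernel 'DisableExceptionChainValidation'
       Expected = 0 },
    # UAC "Always notify" = prompt for consent (2) on the secure desktop (1)
    @{ Name = 'UAC prompts for consent'
       Actual = Get-RegDword $policies 'ConsentPromptBehaviorAdmin'
       Expected = 2 },
    @{ Name = 'UAC prompt on secure desktop'
       Actual = Get-RegDword $policies 'PromptOnSecureDesktop'
       Expected = 1 },
    # "Require trusted path for credential entry" (Ctrl-Alt-Del before elevation)
    @{ Name = 'Ctrl-Alt-Del required for elevation'
       Actual = Get-RegDword $credUI 'EnableSecureCredentialPrompting'
       Expected = 1 },
    # DisableCAD = 0 means Ctrl-Alt-Del is required at the logon screen
    @{ Name = 'Ctrl-Alt-Del required for logon'
       Actual = Get-RegDword $policies 'DisableCAD'
       Expected = 0 }
)

foreach ($c in $checks) {
    $state = if ($c.Actual -eq $c.Expected) { 'OK ' } else { 'FIX' }
    $found = if ($null -eq $c.Actual) { '<not set>' } else { $c.Actual }
    '{0} {1} (found: {2}, want: {3})' -f $state, $c.Name, $found, $c.Expected
}
```

A line marked FIX with "<not set>" means the policy was never written, which for SEHOP and the Ctrl-Alt-Del settings is the insecure default on a client install.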
A word on being a smart user: be aware that the internet is full of thousands or maybe millions of people who will do anything, say anything, etc. to compromise your system and private information. Do not respond to emails, IMs, text messages, etc. requesting passwords, PINs, credit card numbers and so on. Financial institutions and internet sites (PayPal, eBay, and so on) do not do this. Do not click on links in emails; they may take you to bank.com.ru (a Russian hacker site, for example) instead of bank.com (your banking institution's website), and bank.com.ru may look exactly like bank.com in order to get you to give up a password or PIN or whatever. Also do not download executables and run them from porn and warez sites, or really any random site on the internet. A good tip is to use Google to search for the name of any particular utility or tool you find on the internet BEFORE running it; if it's legit there will be lots of people in forums discussing said program/game/whatever, and legit sites are more likely to be at the top of search results as well, giving you a good place to download from.
And for goodness' sake, do not believe web browser pop-ups that say you're infected and need to download an anti-virus to get rid of the virus, for the thing you download is actually the virus and you'll be sorry (and a nuisance to everyone else on the internet).
Hope this helps; as I find more, I will update.