Securing your Windows machine and files

[crosswire]

DISCLAIMER: I am not responsible for any future, present or past hacks, vulnerabilities, etc. incurred by anyone. I am just trying to help out with the limited layman knowledge I have.


Step 1 : Download Ubuntu
Just kidding, Windows has some annoyances, but this is what I do to ease them.


Consider your files: Is it something that you do not want others to access any at all (Sensitive)? Is is something that you worked on and you do not want to loose (You don't mind sharing but do not want to do over)?

If in the first case consider Encrypting a folder on an NTFS partition. Ensure you have a back up of the encryption key.
The key can be password protected when created, and you can save the key to a thumb drive or a media (including CD/DVD/etc) that you can securely put up. You can also reuse the key and install it on another PC you admin and use it to encrypt more folders.

You may have both sensitive and backup issues, then try creating a backup of the encrypted folder on an external NTFS portable HD, or NTF thumb drive and secure the backup. (Have any tried this to disc media? I think I tried but it does not keep the encryption. Has anyone get it to keep encryption on DVD like file system?)

Also try to always back up off the machine, all files you need.

How to handle shared folders.
Delete the "Everyone" group from the Security tab properties on the root folder, that is, the folder to be shared
Do this anywhere you think it is unnecessary. (Unless it is on a portable NTFS HD that you move between windows machines. The everyone group is useful when moving it between machines)
Create a user with non-admin level for the share. Assign only tasks that are needed. Example, only allow read access when needed. Do this on both the share properties and folder security tab properties. You can remove the created user from all groups, including the "Users" group, if the user does not need then. Removing a windows user from the "Users" group in admin tools means that that user cannot log into that windows machine locally, but can still access the shared folder remotely.

You can create other users the same way in Admin Tools, and give them different level of access to the share. Example, write access to another user as needed on that shared folder, the permission would be done on both the shared folder properties and the folder security tab properties.
Other folder shares can be created and setup as desired, but start out by removing the Everyone group from the shared folder properties, as well as the folder security tab, and explicitly add the user that was created. Admin usually always have access, I think, leave that.

On the remote machine, that will access the share, use this batch file to connect. Windows has a way of making it difficult to change credentials to a shared folder.


save this code as a batch file (.bat)

Code:

net use \\servername\sharefoldername /del
net use \\servername\sharefoldername /USER:username *

pause

* means that you are asked for password when you run the batch

Create a batch for each user on the remote machine. You only need to run the batch when you are going to change user/credentials to the shared folder.


Please feel free to add anymore advise here on how to secure a Windows machine.

[owen]

For none technical users set them up as a separate guest user on thier machines so that they do not use the admin account on a daily bases. Alot of problems popup when regular users daily drive an admin account and install viruses by accident. if they need to install something just make sure they know how to access the admin account.

[khat17]

There's free and paid solutions to staying safe.

https://www.av-test.org/en/

Or more specifically....

https://www.av-test.org/en/antivirus/home-windows/

Checks can be done about the various available AV solutions to make a decision. Some people have personal preferences, so it's a matter of that as well.

https://edition.cnn.com/2021/06/23/t...ath/index.html

McAfee's creator died, but he had no more involvement in the company for a long time. It's bundled with a LOT of systems - with the two top (and oldest) bundled ones being McAfee and Norton. I believe both companies have million dollar compensations for certain types of infections - that's if you get those infections while their software was previously running on the system. Not sure about the others, but there are features in each that make them liked.

An example between BitDefender and Norton would be these - BitDefender shows the IP/MAC of the devices in the backend dashboard. Norton doesn't do that, but they give you free dark web monitoring.

AV solutions aside - the best way to stay safe is to not go online, not plug in external drives that's not yours, etc, etc... Most of this can't be done in the world today due to work and such. So what other solutions?

A locally deployed backup solution using things like FreeNAS, Synology or OwnCloud/NextCloud would work. These solutions have versioning which helps against viruses and deletion or ransomware. Most things target/infect Windows so these solutions using a non-Windows file system will help.

If you don't mind paying for storage then there are HUNDREDS if not THOUSANDS of online solutions available. Some with "unlimited" storage and others with good amounts. Degoo for example has been pushing their services - and they do have a lifetime option available. Caveat would be "copyright" material. I've used their service and had my account suspended for copyright content. This is done automatically through some algorithm they have - which means they trawl through your data. I got an email after to say the account is unlocked because it was a mistake, but I've not used their service since. There are alternatives as well - and finding services based in Europe would be better IMO.

Local encryption works. Encrypting an external drive for backup also works.

Using 2FA for everything or a security key like YubiKey is good. What I do is have 2 of those since the second is like a spare - and accounts that support it have both keys attached. If some accounts don't have that then 1 YubiKey and 2FA on my mobile.

Removal of the shared accounts as mentioned previously is good - sharing only over online storage or physical storage works. Most online storage companies will have some AV built in - and moving data by physical storage will allow your AV to automatically scan the device before usage. If that's not supported you can just manually do it each time it's plugged in.

[crosswire]

@owen
I agree 100%

The user will not cripple the system by the next week.

For the long term, I would add to that: The admin should pass tru (once a month-ish) to ensure security updates are on the OS, and app/programs.

Certain programs/apps (even form Microsoft) needs updating sometimes to address some security issues. Sometimes the updates are not automatic and/or need Admin privileges to complete.
Even a non technical user can download a ex3l file and open it, but it has malicious content that an un-update program cannot handle, and somehow find itself under the system account, for a hypothetical example.

@khat17

AV solutions aside - the best way to stay safe is to not go online, not plug in external drives that's not yours, etc, etc... Most of this can't be done in the world today due to work and such. So what other solutions?

This is a major issue.

I have deleted a file to the recycle bin in windows 10 machine (with updated win virus defs) some time ago. Then when I went into the recycle bin, a prompt came up, don't remember what is was. But I think it was a security hole of the recycle bin itself that virus files (or malicious scripts) would try to take advantage of when you open the recycle bin.
(Cannot put too much faith in windows virus defs)

I am very meticulous with the files that I download. I only download what I consider trusted apps, from trusted sites only. Full stop. If by chance, a trusted site no longer host a older version of an app, and I find it somewhere else, then I would take the hash of that file that I found on the untrusted site, and research the hash until I see enough occurrences of the hash on the web associated with the trusted site. This means that the file is unlikely modified internally. (I have seen many time where files have been modified back in the day) I do not think everyone will be this meticulous. You should to be careful with older versions app. Careful with non-exe files from the internet. And careful with sites. And don't combine even 2 of the later 3.

For retro gaming I would recommend batocera iso, so you do not have to install programs.

A locally deployed backup solution using things like FreeNAS, Synology or OwnCloud/NextCloud would work. These solutions have versioning which helps against viruses and deletion or ransomware. Most things target/infect Windows so these solutions using a non-Windows file system will help.

Sound interesting.

Thanks khat17, you have provided a wide variety of options, and experience.

Backup is a must, and should be practiced in some form. Furthermore, there is always the risk of drive failure.

A lot there khat17 to look at.

In my original post, I talked on securing Windows. In this case it should be Windows 10/8. I don't personally trust XP being safely used in todays time.

And I should have stated that securing a windows machine involves many layers of security, such as IP, Software, OS etc.

As I am not expert with the networking IP security, I leave that out, but that should be the first line of defense. Anyways.

From a pc user point of view, the layers that I want to cover are the file system, the OS, the software.

I also wanted to emphasis that a shared folder must be secured on two layers: the file layer/file system in this case NTFS, and the net share layer. You may tend to secure one layer and forget to do the other, but to guard against any unforeseen 'holes', apply the security settings on both.

[owen]

Certain programs/apps (even form Microsoft) needs updating sometimes to address some security issues. Sometimes the updates are not automatic and/or need Admin privileges to complete.
Even a non technical user can download a ex3l file and open it, but it has malicious content that an un-update program cannot handle, and somehow find itself under the system account, for a hypothetical example.

Its debatable whether updating really improves security. I find over the years it has been come a chicken or egg situation where updating becomes "busy work" because systems become more and more unstable over time as updates roll in. updates assume that the system is never secure and if a system is never secure why use it at all? in a era where updates are frequent an attacker would need to be very deep into a system to determine which of the hundreds of issues any system could possibly be vulnerable to at any given time. reducing attack surface area is more important than updates. This is why ATMs still use XP - less attack area, less stuff.

[khat17]

Its debatable whether updating really improves security. I find over the years it has been come a chicken or egg situation where updating becomes "busy work" because systems become more and more unstable over time as updates roll in. updates assume that the system is never secure and if a system is never secure why use it at all? in a era where updates are frequent an attacker would need to be very deep into a system to determine which of the hundreds of issues any system could possibly be vulnerable to at any given time. reducing attack surface area is more important than updates. This is why ATMs still use XP - less attack area, less stuff.

Address some stuff here.

Hardware replacement to fix security issues may be required - but software updates can fix holes. With Windows however, I believe in having your patches selected. Unlike in the past where you'd have fixes and then Service Packs with GOOD versions of the fixes available - they now just roll out whatever crap they want. For the older ones in here you'd remember that some patches had all 2/3/4 versions and that's the one that made it into SP1/SP2/SP3.

For Windows 10 - I use something to completely disable updates and then manually update as needs be. Think there was some update recently that broke Chrome - or some update to Chrome that broke itself - don't remember. But Edge is basically Chrome and it may even be more secure....but that's another story.

On the ATMs using XP - while I agree with what you said partly, most vendors are updating so that the XP systems are running 7. Vendors are also moving to 10 NOW. This was a trend that I noticed where vendors usually take the leap to the next version when it's halfway or closer to the end of life. After it's "fixed" mostly. ATMs in the past were running on Unix or DOS. Current Windows versions are running firewalls with heavy rules to prevent outside access, but there are still ways in. Encryption is really just becoming more prevalent with vendors - and it's being done on 7/10. I'll note that vendors I'm aware of skipped Windows 8 entirely.

As I posted that I forgot about firewalls. There are LOTS of free ones. One I'd recommend would be....

https://www.thepcinsider.com/evorim-...eview-windows/

That works. It's free. And there are others too - but you can test that one out.

Having an AV, firewall and practicing safe browsing is a good idea. If you want to do dangerous things online then use a sandbox.

https://sandboxie-plus.com/

If you're not averse to either dual-booting or using an isolated environment - use that. For Linux users you have options. For Windows users you can create your own PE with the tools you want, then use that for your unsafe browsing. Can spoof your MAC and use free proxies or a VPN to mask your IP - etc -etc - etc.

Whatever you do, do it safely. Just don't get too paranoid with it.

[psilos]

Whether a user has regular user access or admin access once your OS has an exploitable hole the outcome is the same. Patching is just as much of a necessity as running endpoint security software. Its unlikely that a typical AV solution is enough nowadays.

Reducing the attack surface is a great idea but usually what happens is just one loose email clicked and the fox in the chicken coup. So the roof and cage well fortified but he sneaks in one day when one day under someone's foot when entering. He will stay there for months and months picking off the strays while no one notices and when he finally strikes its all over. The race is no longer for the swift, even the criminals are about long term goals now.

When ransomware strikes backups are your only hope. Educate your users whether they are home users or work users, install endpoint protection and most of all BACKUP your data. Syncing is not a backup as you can't usually go back more than a version or two if you are lucky. RAID is not a backup.

Excellent discussion, keeps the ideas and opinions flowing.

[owen]

I am not sure how regular access users are setup now but back in the day you could not run unsigned code or install anything as a regular user. In some cases I remember regular users cannot even save stuff on the root drive so I think its an effective solution to "on machine viruses". Getting an on machine virus from clicking a link in a email is that even possible? Google chrome has been blocking zip files from insecure websites to my great annoyance. Chrome is dead to me. Hackers can create secure websites too so I dont know what they on about.

Backups are complicated, what to backup, backups that are already corrupted, online backups that backup everything, etc. Personally I keep my backups offline and manually decide when to do a backup because you never know what can and will go bad.

The mysterious "exploitable hole" is like duppy or gunman; its always out there waiting and if you are afraid of it you might as well not use computers at all. Alot of people use android phones since 2.3 and once they reach version 3 they say 2.3 is full of holes. But the reality is every version of android is insecure, not just the older versions. Updates give some people comfort, for others its just shifting the holes around.

[khat17]

I am not sure how regular access users are setup now but back in the day you could not run unsigned code or install anything as a regular user. In some cases I remember regular users cannot even save stuff on the root drive so I think its an effective solution to "on machine viruses". Getting an on machine virus from clicking a link in a email is that even possible? Google chrome has been blocking zip files from insecure websites to my great annoyance. Chrome is dead to me. Hackers can create secure websites too so I dont know what they on about.

Backups are complicated, what to backup, backups that are already corrupted, online backups that backup everything, etc. Personally I keep my backups offline and manually decide when to do a backup because you never know what can and will go bad.

The mysterious "exploitable hole" is like duppy or gunman; its always out there waiting and if you are afraid of it you might as well not use computers at all. Alot of people use android phones since 2.3 and once they reach version 3 they say 2.3 is full of holes. But the reality is every version of android is insecure, not just the older versions. Updates give some people comfort, for others its just shifting the holes around.

Everything is secure until an exploit is found. The more development done - the more likely you'll have a hole. This is why FOSS is better since persons actively assist with plugging every hole they find - not just a closed group of persons that may not have the vision to look elsewhere. And funny enough, it may be someone with little to no experience that finds the hole.

As far as backups go - use something like the ones I suggested. OwnCloud/NextCloud uses methods to ensure the data integrity is there. SyncThing is another great tool - and I mean GREAT tool for syncing things to another storage platform. If you rather simplicity then AllWaySync is good.

There are LOTS of online backup options. If you used some of them from back in the day then you'd have gotten good space. If you want something cheap then check out up and coming companies like pCloud or Koofr. The latter one has a lifetime deal with....varying storage sizes.

https://stacksocial.com/sales/koofr-...bscription-1tb

There are options - but people usually don't want to pay. If you're paranoid about online storage then use a local deployment. But as said - backup is essential. Especially if you get ransomware. If you get one of the REALLY OLD ones then you may get lucky and have a removal tool available. But trust me. I've seen some of the largest companies in Jamaica get ransomware - and some small companies as well. It's no respecter of company. As said - all it takes is ONE clicked link in an email.

[owen]

This whole thing about email link clicking has got to be dispelled. Clicking the link cannot infect the computer (major browser or email client hole). A download then execution of the payload must occur. Its probably a 2 step process. An infected Word, PDF, Excel or ZIP might be easily downloaded then opened by a user but I remember seeing office showing so warnings on possible infected files - not sure what libre office does. If a user gets a exe directly in a email and is somehow convinced to run it for a prize then the fact that they are not an admin user should be enough of a hurdle. Unless of course its kids that want to install roblox (never give kids admin rights).