CLASSE suggestions for home computers
This is going to be some suggestions on how you might set up and secure your home PCs. The first will be a baseline that we require for access to the LEPP Network. The second set(s) will be fully described setups various CLASSE computer group members use personally. We will try and expand on why we do some things we do so you can consider if that sort of setup is reasonable for you or not.
CLASSE Baseline Security
We recommend that you comply with the Cornell Security Instructions
- Use a password on your account. This can prevent unauthorized access on laptops when you're not around or if stolen.
- Run AV Software.
- Install Updates within 7 days of release. Sooner is better, but it's OK to wait a day or two to make sure there aren't problems with the updates.
James' 2 suggested setups
For either, it is critical to make sure your computer is clean before doing the setup. It's no good to lock the door after the burglary.
1. The "set it and forget it" method.
This is not necessarily the most secure method, but it is the least ongoing effort.
- Create a regular user account. Use this account whenever possible.
- Run "good" AV software. This is a bit of a misnomer, because the best AV software test to detect ~99.5% of passive AV samples, but still only stop ~45% of active malware during the infection process.
- Symantec is free from Cornell. This is an "average" AV, that detects ~ 30% of active malware. You will need to take additional precautions.
- Norton 360 is Symantec's consumer AV - a well rated commercial product that does better than the Cornell Symantec clients "stand alone".
- NOD32 is a well respected commercial stand alone AV.
- Kaspersky is a well respected commercial AV Suite.
- Antivir is a very good free standalone AV available from http://www.avira.com/en/avira-free-antivirus. However it does have a nag screen that encourages you to buy the premium version. You do not have to.
- Microsoft has released Microsoft Security Essentials which has some good reviews.
- Scan all installers with your AV before trying to install them.
- Use your administrator account via RunAs, or sudo depending on OS to elevate specific tasks. Only log in as administrator if this fails, and log out immediately after completing your task. DO NOT browse the web as administrator.
- Have a backup. Image based backups are best. We recommend either Acronis or Windows 7 Backup if you have Windows 7. This way, even if you get infected, you can restore your backup image in a matter of minutes (well, maybe 45 or so) rather than days.
- Run a full AV scan every week. Some products let you schedule this.
- Enable Windows Firewall or third party firewall. Many Suites come with one.
2. The slightly more complex but arguably more secure method (What James Does himeself)
- Run a "True" Host Intrusion Protection System (HIPS). It will pop up and ask you questions during the first couple days running it, after that it's pretty quiet.
- There are paid and free ones. The one I use is Comodo Internet Security free. This includes HIPS, AV and Firewall along with some sweet sandboxing and other heuristics to detect and block Viruses from being installed.
- You can buy service with CIS for $49 / year. They will remote in over broadband internet and configure CIS for you, and will clean up viruses if you get any. You can also hire local professionals to do the setup for you.
- Other respected HIPS are Outpost and Online Armor. On Linux you could use SELinux or AppArmor.
- Use the following rules of thumb with your HIPS:
- Do I recognize the program it's asking about?
- Yes - Do I expect that program to do what the HIPS is saying it's trying to do?
- Yes - Say OK and have it remember the settings. This will minimize unnecessary pop-ups about an application you use doing what you want it to.
- No - Say Block Once (or don't remember). - Do things break?
- Yes - restart program, then if it comes up again, allow it and have it remember the setting.
- No - if it comes up again, block and remember the setting.
- No - Were you trying to install a new program or make a change?
- Yes - Say OK. Remember to use installation mode if your HIPS supports it or you might get a LOT of prompts for an install of software.
- No - Say Block Once (or don't remember). Does it keep coming back? You might not understand what the program is trying to do, or something fishy may be going on. Better ask an expert.
- Turn off UAC. It doesn't help, and can confuse things. Your HIPS is like UAC, just much better.
- Scan everything before trying to run it.
- Occasionally run a task manager to look for out of pace things. Something like Comodo's KillSwitch is really good at this as it will examine every process that's running against an online database to see if they're viruses or not.
- Run a Weekly AV scan. This is good to pick up e-mail attachments that are viruses or just anything you've missed.
Why these restrictions are important
There are many ways for computers to become infected with malware. Web sites and thumbdrives are two common sources.
- Thumbdrives -- Modern malware copies itself to every writable device on your computer. When you plug an infected thumbdrive (or other USB disk) into a clean computer, the infection will write itself to the computer's other disks. This vector can be reduced by disabling the AutoRun feature. For information about how to do this, see Microsoft's page http://msdn.microsoft.com/en-us/library/windows/desktop/cc144204%28v=vs.85%29.aspx
Web Browser Configuration
- Run Firefox with some useful security / privacy extensions
- Ghostery - helps protect privacy
- Request Policy may be better than Ghostery - we are evaluating
- Ad Block Edge - fork of the famous Ad Block Plus that doesn't let companies opt out of ad blocking - you want to block the ads to prevent a common drive-by download vector, and to improve the internet experience.
- Advanced - No Script - additional protection at the cost of often breaking sites, and needing HIPS like input from the user.
- Install a privacy protecting search engine.
- Startpage - we provide this as an option on our Firefox installs