Lockdown Security Configuration (2017)

[509322]

I tweak the OS - for example, disable IPv6\Teredo, block incoming network traffic, disable remote assistance including firewall rules, disable all the unneeded services, uninstall unneeded softs shipped with Windows, etc.

Generally, I don't use most of the often-targeted software such as Adobe products, Oracle Java, and Microsoft Office except for testing purposes. This reduces my attack surface and, by keeping browsers up-to-date, eliminates the need for an anti-exploit soft.

When I have a VPN installed on the system I use it 24\7. I use IVPN which provides always-on firewall and multi-hop options. I don't use a VPN for privacy or anonymity, but instead to ensure full-time encrypted network traffic.

I have multiple personal and test machines. The security configuration shown above is representative of what is typically installed on both my personal and test machines. Depending upon what and how I am testing, sometimes I will substitute SpyShelter Firewall for Windows Firewall Control. If I have need of an antivirus\internet security suite for a particular project or set of circumstances, generally I will install either Webroot or Emsisoft (depends upon system specs). For my most-used personal system, the above security configuration is its current one.

I test malware on a host PC using Rollback RX Pro in a malware test lab with its own dedicated networking. This is to eliminate any virtual machine introduced anomalies into the testing and results. Also, it isolates the test systems from production machines and the production network. While Rollback RX is a capable product, using it to test malware is not recommended for the home-tester; use a virtual machine instead.

 

[DracusNarcrym]

You really hate malware, don't you?

I bet malware really hates you.

Superb config, mate.

 

[509322]

You really hate malware, don't you ?

It's not a problem for me so I am resentment-free.

 

[DJ Panda]

Just my personal opinion. Even the best of us can make mistakes, I find it a little unsafe to test malware on a host-pc. Possibly have a system optimizer like CCleaner. (Maybe one of your programs already does something like that. )

Really good config! I expected so from a knowledgeable user like yourself.

 

[_CyberGhosT_]

Am I the only one here that sees that even though he tests on a host, it is in
a controlled environment ? I see that given your job this is acceptable Jeff, I would
not recommend this for the average tester, but seeing it's in a lab under a controlled
environment it is more than fine given your skill level and job description.
Nice share Jeff, PeAcE

 

[509322]

Even the best of us can make mistakes, I find it a little unsafe to test malware on a host-pc.

For highest confidence of results, testing on a Host PC is a requirement. I can always clean install the OS if something goes wrong. It's more important to have fully-isolated malware test networking.

 

[sudo -i]

Am I the only one here that sees that even though he tests on a host, it is in
a controlled environment ? I see that given your job this is acceptable Jeff, I would
not recommend this for the average tester, but seeing it's in a lab under a controlled
environment it is more than fine given your skill level and job description.
Nice share Jeff, PeAcE

I agree. I also think that a 'professional environment' is a 'controlled environment'. This is part of his occupation, he knows what he's doing, and he's bettering AppGuard with his efforts. While I can understand the "Caution" tag, I don't think people should necessarily worry, or even advise that Jeff does his JOB any other way.

 

[Deleted member 178]

Indeed Jeff knows what he is doing , but the tag is (in that case) not for him but to warn "Copycat Joe" that they shouldn't do what he does.

 

[ForgottenSeer 55474]

Nice Configuration,real nice

 

[_CyberGhosT_]

Indeed Jeff knows what he is doing , but the tag is (in that case) not for him but to warn "Copycat Joe" that they shouldn't do what he does.

I know brother, my reply was more aimed at Gamez065 and his feedback, than it was at Jeff's config warning.

 

[Handsome Recluse]

Indeed Jeff knows what he is doing , but the tag is (in that case) not for him but to warn "Copycat Joe" that they shouldn't do what he does.

We're all copycats eventually. It's called education. Some just do it with style.
People before were probably smarter than us. They just had less intellect to use that smarts with. Now we have internet.

 

[aragornnnn]

That's a high quality and very professional setup you got there.
Thanks for sharing it with us

 

[509322]

I am not concerned about the CAUTION! tag. As @Umbra points out it is to get someone's attention - so that they read the configuration details instead of blindly copying it. There is limited infos given and anyone who decides to copy it for malware testing will probably get themselves into trouble without more in-depth configuration details.

The potential issue is that a user can still bork the system with Rollback RX without specific tweaks. With those tweaks a user's system would be safe for testing. Then there is the greater issue of router infections and that sort of thing. I advocate caution because there is a high potential for unexpected consequences.

Besides, the config is provided as a protection model. Of that I am supremely confident; it will protect the physical system.

 

[In2an3_PpG]

Very nice Config. Believe this is the first developer config iv seen.

Thanks for sharing your setup.

 

[509322]

Very nice Config. Believe this is the first developer config iv seen.

Thanks for sharing your setup.

It is to demonstrate that any user can craft a comparatively simple security configuration that reliably provides high system protection. It's one option out of many. Each user must decide for themselves what works best for them personally on their specific system.

 

[Deleted member 2913]

I expect this from you Mr. Lockdown...Simple, Strong & No Nonsense...COOL config

 

[Exterminator]

Very experienced and very knowledgeable.
I have to agree that this is not for the inexperienced but I cannot think of better member to ask if you want to know something.
Thanks for sharing your config

 

[Winter Soldier]

I agree with @Exterminator, this configuration is not for inexperienced users, but it can be an incentive for them to improve their skills and awareness, such as in my case.
Thanks for sharing!

 

[509322]

I agree with @Exterminator, this configuration is not for inexperienced users, but it can be an incentive for them to improve their skills and awareness, such as in my case.
Thanks for sharing!

Just about anyone can use the security configuration shown.

I run AppGuard on default settings and use Secure Rules in Windows Firewall Control. This is a very simple security configuration.

I just don't recommend malware testing without using a virtual machine to anyone else.

 

[509322]

Updated OS Build to 14393.953 in configuration details.

Removed:

• Excubits cmdScanner (not capturing all command lines)
• Rollback RX Pro (doing private beta build testing for HDS, but there is currently a BSOD INACCESSIBLE_BOOT_DEVICE issue on Windows 10 1607)
• Windows Firewall Control

Added:

• SpyShelter Firewall (for command line logging - sure beats setting up SysMon or Auditpol)