Lockdown Security Configuration (2017)


509322

I tweak the OS - for example, disable IPv6\Teredo, block incoming network traffic, disable remote assistance including firewall rules, disable all the unneeded services, uninstall unneeded softs shipped with Windows, etc.

Generally, I don't use most of the often-targeted software such as Adobe products, Oracle Java, and Microsoft Office except for testing purposes. This reduces my attack surface and, by keeping browsers up-to-date, eliminates the need for an anti-exploit soft.

When I have a VPN installed on the system I use it 24\7. I use IVPN which provides always-on firewall and multi-hop options. I don't use a VPN for privacy or anonymity, but instead to ensure full-time encrypted network traffic.

I have multiple personal and test machines. The security configuration shown above is representative of what is typically installed on both my personal and test machines. Depending upon what and how I am testing, sometimes I will substitute SpyShelter Firewall for Windows Firewall Control. If I have need of an antivirus\internet security suite for a particular project or set of circumstances, generally I will install either Webroot or Emsisoft (depends upon system specs). For my most-used personal system, the above security configuration is its current one.

I test malware on a host PC using Rollback RX Pro in a malware test lab with its own dedicated networking. This is to eliminate any virtual machine introduced anomalies into the testing and results. Also, it isolates the test systems from production machines and the production network. While Rollback RX is a capable product, using it to test malware is not recommended for the home-tester; use a virtual machine instead.
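The OS tweaks listed in the first paragraph can be checked from PowerShell. This is an added example, not part of the original post: a read-only audit of the IPv6/Teredo, inbound firewall and Remote Assistance state, with the corrective cmdlet shown for each item. It assumes Windows 10 with the NetAdapter and NetSecurity modules and an elevated session.

```powershell
# Added example (not from the original post): report the hardening state the post describes.
# Read-only: each row shows the current status and the cmdlet that would apply the tweak.
# Assumes Windows 10 (NetAdapter / NetSecurity modules) and an elevated PowerShell.

function Get-LockdownStatus {
    $results = @()

    # 1. IPv6 binding per adapter (the post disables IPv6).
    foreach ($b in Get-NetAdapterBinding -ComponentID ms_tcpip6) {
        $results += [pscustomobject]@{
            Check  = "IPv6 binding on $($b.Name)"
            Status = if ($b.Enabled) { 'ENABLED' } else { 'disabled' }
            Fix    = "Disable-NetAdapterBinding -Name '$($b.Name)' -ComponentID ms_tcpip6"
        }
    }

    # 2. Teredo tunnelling state.
    $teredo = Get-NetTeredoConfiguration
    $results += [pscustomobject]@{
        Check  = 'Teredo'
        Status = $teredo.Type
        Fix    = 'Set-NetTeredoConfiguration -Type Disabled'
    }

    # 3. Default inbound action for each firewall profile (the post blocks incoming traffic).
    foreach ($p in Get-NetFirewallProfile) {
        $results += [pscustomobject]@{
            Check  = "Inbound default ($($p.Name))"
            Status = $p.DefaultInboundAction
            Fix    = "Set-NetFirewallProfile -Name $($p.Name) -DefaultInboundAction Block"
        }
    }

    # 4. Remote Assistance: the policy value and its firewall rule group.
    $raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    $ra    = Get-ItemProperty -Path $raKey -Name fAllowToGetHelp
    $results += [pscustomobject]@{
        Check  = 'Remote Assistance (fAllowToGetHelp)'
        Status = if ($ra.fAllowToGetHelp -eq 0) { 'disabled' } else { 'ENABLED' }
        Fix    = "Set-ItemProperty -Path '$raKey' -Name fAllowToGetHelp -Value 0"
    }
    $raRules = Get-NetFirewallRule -DisplayGroup 'Remote Assistance' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Remote Assistance firewall rules still enabled'
        Status = @($raRules | Where-Object Enabled -eq 'True').Count
        Fix    = "Get-NetFirewallRule -DisplayGroup 'Remote Assistance' | Disable-NetFirewallRule"
    }
    $results
}

Get-LockdownStatus | Format-Table -AutoSize
```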
 

DJ Panda

Just my personal opinion. Even the best of us can make mistakes; I find it a little unsafe to test malware on a host-pc. Possibly have a system optimizer like CCleaner. (Maybe one of your programs already does something like that. :p)

Really good config! I expected so from a knowledgeable user like yourself. :)
 

_CyberGhosT_

Am I the only one here that sees that even though he tests on a host, it is in a controlled environment? I see that given your job this is acceptable Jeff. I would not recommend this for the average tester, but seeing it's in a lab under a controlled environment it is more than fine given your skill level and job description.
Nice share Jeff, PeAcE
 

sudo -i

_CyberGhosT_ said:
Am I the only one here that sees that even though he tests on a host, it is in a controlled environment? I see that given your job this is acceptable Jeff. I would not recommend this for the average tester, but seeing it's in a lab under a controlled environment it is more than fine given your skill level and job description.
Nice share Jeff, PeAcE
I agree. I also think that a 'professional environment' is a 'controlled environment'. This is part of his occupation, he knows what he's doing, and he's bettering AppGuard with his efforts. While I can understand the "Caution" tag, I don't think people should necessarily worry, or even advise that Jeff does his JOB any other way.
 

Handsome Recluse

Indeed Jeff knows what he is doing, but the tag is (in that case) not for him but to warn "Copycat Joe" that they shouldn't do what he does.
We're all copycats eventually. It's called education. Some just do it with style.
People before were probably smarter than us. They just had less intellect to use that smarts with. Now we have internet.
 

509322

I am not concerned about the CAUTION! tag. As @Umbra points out, it is to get someone's attention, so that they read the configuration details instead of blindly copying it. There is limited info given, and anyone who decides to copy it for malware testing will probably get themselves into trouble without more in-depth configuration details.

The potential issue is that a user can still bork the system with Rollback RX without specific tweaks. With those tweaks a user's system would be safe for testing. Then there is the greater issue of router infections and that sort of thing. I advocate caution because there is a high potential for unexpected consequences.

Besides, the config is provided as a protection model. Of that I am supremely confident; it will protect the physical system.
 

509322

I agree with @Exterminator: this configuration is not for inexperienced users, but it can be an incentive for them to improve their skills and awareness, as in my case.
Thanks for sharing! ;)

Just about anyone can use the security configuration shown.

I run AppGuard on default settings and use Secure Rules in Windows Firewall Control. This is a very simple security configuration.

I just don't recommend malware testing without using a virtual machine to anyone else.
 

509322

Updated OS Build to 14393.953 in configuration details.

Removed:
  • Excubits cmdScanner (not capturing all command lines)
  • Rollback RX Pro (doing private beta build testing for HDS, but there is currently a BSOD INACCESSIBLE_BOOT_DEVICE issue on Windows 10 1607)
  • Windows Firewall Control
Added:
  • SpyShelter Firewall (for command line logging - sure beats setting up SysMon or Auditpol)
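The post contrasts SpyShelter's command-line logging with setting up Sysmon or Auditpol. As an added example (not from the original post), this is what the built-in Auditpol route looks like: enable process-creation auditing plus the policy that includes the command line in event 4688, then read the resulting events from the Security log. It assumes an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the original post): the built-in alternative the post mentions.
# Auditpol enables process-creation auditing (Security event 4688); a separate policy value
# is needed before the command line is included in those events. Elevated session assumed.

function Enable-CommandLineAuditing {
    # Success auditing for the Process Creation subcategory.
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
    # Policy that adds the full command line to each 4688 event.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

function Get-RecentProcessCreations {
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $Count |
        ForEach-Object {
            # Read the named fields from the event XML instead of parsing the message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $d['ParentProcessName']
                Process     = $d['NewProcessName']
                CommandLine = $d['CommandLine']   # empty for events logged before the policy was set
            }
        }
}

Enable-CommandLineAuditing
Get-RecentProcessCreations | Format-Table -Wrap -AutoSize
```

Events written before the policy change carry no command line, so only new process launches show the extra field.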
 