Advanced Plus Security Windows_Security (Linux Lite :-) PC configuration for 2019

Last updated
Jan 4, 2019
Windows Edition
I am not running Windows
Security updates
Allow security updates and latest features
User Access Control
Real-time security
AppArmor - LibreOffice
Firejail - Chromium, Chrome (only for Netflix) and VLC media player
Firewall security
About custom security
See thread https://malwaretips.com/threads/my-linux-lite-setup-to-replace-old-windows-systems.89025/
with the difference that I removed Firefox and added Chrome (scripts blocked, allowed only for Netflix.com)

Chrome flag "Block unsafe downloads over insecure connections" prevents downloading executables over HTTP connections (effectively blocks 99.99% of the malware drive-by downloads listed in VX-Vault, Malc0de, etc.). Also using Chrome's content management to block scripts in HTTP domains.
Periodic malware scanners
Clam AV on demand
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chromium - incognito with Bruce's Blank New Tab, Smart AdBlocker and Privacy Possum
Chrome - ScriptDefender blocking scripts, iframes and plugins for all except netflix.com
Maintenance tools
TimeShift to create restore points.
Lite Tweaks to clean and optimize Linux Lite
File and Photo backup
NAS & disconnected USB drive
System recovery
USB drive
Risk factors
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
Computer specs
Linux Lite - Lenovo Thinkpad 15"0301 with Intel Celeron P4600 - 4 GB RAM and Seagate hybrid 250 GB HD
Windows 10 Pro - i720 with Intel i7 920 - 6 GB RAM and 250 GB SSD, with 1 TB data disk and 250 GB quick backup (WD protected folders + ACL on basic user)

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Long story :)

PC of an older family member died (it looked like a dust burn). Their son asked me whether I could arrange a PC for them temporarily, because he would give his son a new gaming PC. So I put their hard disk in my desktop (Dual Core Pentium G3240 with Samsung 850 SSD), removed my HDD data disk, created standard users for them and copied their Outlook PST files (they were used to Office 2007). Because I was prepping other PCs for Linux for older relatives (see my status changes), I put Linux Lite on my wife's old laptop (was not planning to work between Christmas and NYE anyway).

Nephew said his son would bring his old PC, put their hard disk in his old PC and bring back my desktop. Turned out an i7-920 with a normal hard disk feels much slower than a G3240 Pentium with SSD. So after my PC was returned I got a call from my older relatives that they had trouble with Windows 10 and asked if they could get back my old desktop :). So I removed my user on my old desktop and ordered a silent graphics card (730) and a Samsung 860 SSD. After upgrading from Windows 7 to Windows 10 and downgrading to Windows 7 after installation of the SSD, it seems that I will return to Windows 10 again (will most likely copy the setup of my wife's 2in1 Yoga).

In the meantime I am enjoying Linux more than I had expected. Probably my nephew buying me a bottle of Glenlivet for my old desktop helps :)

Happy new year everyone

Kees or tmfkaWS (the member formerly known as windows_security) :p
 

Windows_Security

@Jack

Could you explain why running everything in a Linux sandbox results in a basic configuration? Please help me understand by explaining the criteria?

Some explanation on my Linux security setup:
1. Linux Lite - only necessary software is installed to keep the attack surface as small as possible
2. Linux standard user is like running a Windows Basic user with UAC on max PLUS a default-deny Software Restriction Policy allowing ONLY admins to elevate after explicit SUDO/Run as Admin (password prompt)
3. AppArmor kernel-enforced access control of office documents, so it runs similar to Windows Untrusted User (only with write access to documents)
4. Firejail sandbox with --seccomp switch so mail, media player and browser run in a sandbox similar to Windows AppContainer with Windows system calls disabled AND an additional set of Access Control List settings (only allowing write access to the user's download folder)
5. Hiding in the smallest herd, meaning a commercially less attractive target group to exploit: Ubuntu distros' market share is just a fraction of that of other OSes (like Windows, Android and iOS).
6. I have no antivirus installed, but my home ISP (F-Secure) and the hosting company I use for business (Avast) check all my mail for viruses. I have set Chrome/Chromium to block unsafe HTTP downloads with a Chrome flag and the Emsisoft Browser Security extension.

EDIT: Thanks :)
 
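Points 3 and 4 of the setup above describe the effect (home read-only except Downloads, syscalls filtered) without showing the profile. The script below is an added example, not the poster's own configuration: it writes a local Firejail profile for Chromium that leaves the home directory read-only except ~/Downloads and the browser's own config directory, enables the seccomp filter, drops capabilities and forbids root inside the jail, then checks that the profile actually carries those directives before launching. The binary name `chromium`, the profile file name and the default profile directory `~/.config/firejail` are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own profile: Firejail profile for Chromium with
# a read-only home (writes allowed only in ~/Downloads and ~/.config/chromium),
# seccomp filtering, dropped capabilities and no root inside the sandbox.
# Assumed: the browser binary is "chromium" on PATH; user profiles live in
# ~/.config/firejail, which Firejail searches before /etc/firejail.

# Print the profile. Directives are standard Firejail profile syntax; the quoted
# heredoc keeps ${HOME} literal so Firejail expands it when the sandbox starts.
chromium_profile() {
    cat <<'EOF'
# Chromium: read the home directory, write only Downloads and the browser config dir
noblacklist ${HOME}/.config/chromium
include disable-common.inc
include disable-devel.inc
include disable-programs.inc

mkdir ${HOME}/Downloads
mkdir ${HOME}/.config/chromium
read-only ${HOME}
read-write ${HOME}/Downloads
read-write ${HOME}/.config/chromium
private-cache
private-dev
private-tmp

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
EOF
}

# Write the profile into DIR (default ~/.config/firejail) and print its path.
install_profile() {
    dir=${1:-$HOME/.config/firejail}
    mkdir -p "$dir"
    chromium_profile > "$dir/chromium-downloads.profile"
    echo "$dir/chromium-downloads.profile"
}

# Fail if a profile lacks the directives that carry the security claim:
# kernel-enforced syscall filter, no root in the jail, no capabilities, read-only home.
check_profile() {
    f=$1; rc=0
    for d in 'seccomp' 'noroot' 'caps.drop all' 'read-only ${HOME}'; do
        grep -qxF -- "$d" "$f" || { echo "$f lacks: $d" >&2; rc=1; }
    done
    return $rc
}

# Launch Chromium under the profile; never fall back to running it unsandboxed.
launch_chromium() {
    prof=$(install_profile) || return 1
    check_profile "$prof" || return 1
    command -v firejail >/dev/null 2>&1 || { echo "firejail not installed" >&2; return 1; }
    exec firejail --profile="$prof" chromium --incognito "$@"
}
```

`read-write` lines must come after `read-only ${HOME}`, since Firejail applies them in order, and the `mkdir` directives make sure the two writable paths exist before the bind mounts happen. If a site needs something outside Downloads (a certificate store, a download to another folder), add another `read-write` line rather than dropping `read-only ${HOME}`.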

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,655
The word "complete" is usually also applied when all areas/fields are covered: including a password manager and, for example, a VPN service (web privacy) and a system image backup solution...

What do you mean with System recovery -> USB drive? Are you using some specific solution?
 

Windows_Security

Daily backups to NAS, nightly from NAS to USB. I have two USB disks. One is at home in the utilities closet (where my NAS, the modem/router of the ISP and the second router are located) and one at my mother's home. I switch the USB drives every month.

At 02:00 (at night) the NAS schedule for user access on the NAS disconnects all PC users and backs up to the USB disk connected to a port on my router. When it works like I intended it to work, a ransomware infection on a PC can infect the NAS, but not the USB disk (nor other users). Luckily it has never been tested in practice.

I have two routers; the modem/router of my ISP broadcasts at 5 GHz and has 2.4 GHz disabled. The 5 GHz network is only for our PCs and the NAS. The second (older) router broadcasts at 2.4 GHz (and has 5 GHz disabled). The 2.4 GHz router facilitates our smartphones and the TV set-top boxes and also has a guest network enabled for friends.

With some tricks (DHCP reservation, MAC address and IP filter, parental control, short lease time on the 2.4 GHz network and long passphrases with network partitioning on 5 GHz) the network is fairly secure. I know no home network is watertight, but those hurdles should hopefully hinder hackers enough to turn their attention to easier targets (e.g. my neighbors) :)
 

Windows_Security

What tool do you use?
Came with the NAS (WD Cloud) and is called WD SmartWare Pro backup.

On my Windows desktop I have an additional "quick backup" option to an old laptop drive, for which I use SyncBack Free to copy My Documents and Mail (PST files). I run SyncBack as another user (called Backup_User). I removed access rights to this quick-backup drive for all users except Backup_User. You can set the Access Control List on NTFS by right-clicking a drive/folder and choosing the 'Security' tab. This way I have an online backup for business documents which can't be touched by ransomware (most ransomware tries to acquire system/admin rights, but only the standard user Backup_User has full access).
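The two posts above share one idea: the account that can write the backup store is not the account that gets infected, and the store goes read-only once written. The script below is an added example, not the poster's setup, and it is a Linux analogue rather than the NTFS ACL or WD SmartWare arrangement described: it takes dated snapshots of a share into a store that is meant to be owned by a dedicated backup account, strips write permission from each finished snapshot, records a checksum manifest so later tampering is detectable, and prunes old snapshots. The paths, the label format and the `backup` account are assumptions; the sample share contents in the usage are constructed.

```shell
#!/bin/sh
# Added example, not the poster's setup: Linux analogue of "only the backup account
# may write the backup". Assumptions:
#   SRC   the share the workstations write to (the NAS side)
#   ROOT  the snapshot store, owned by a dedicated backup account (chown backup:
#         backup ROOT; chmod 700 ROOT) and run from that account's cron; workstation
#         accounts have no rights on ROOT, so malware running as them cannot reach it
# Each snapshot is a full copy, stripped of write permission and paired with a
# cksum manifest, so files encrypted on the share later never overwrite an old copy.

snapshot() {   # snapshot SRC ROOT LABEL   (LABEL sorts by date, e.g. 20190104-0200)
    src=$1 root=$2 label=$3
    dest="$root/$label"
    if [ -e "$dest" ]; then
        echo "snapshot $label already exists" >&2
        return 1
    fi
    mkdir -p "$root"
    cp -a "$src" "$dest"
    # Manifest is computed from the copy, so verify() catches both a bad copy
    # and later tampering with the stored snapshot.
    ( cd "$dest" && find . -type f -exec cksum {} + | LC_ALL=C sort ) > "$root/$label.cksum"
    chmod -R a-w "$dest" "$root/$label.cksum"
}

verify() {     # verify ROOT LABEL   -> 0 if the snapshot still matches its manifest
    root=$1 label=$2
    ( cd "$root/$label" && find . -type f -exec cksum {} + | LC_ALL=C sort ) \
        | cmp -s - "$root/$label.cksum"
}

prune() {      # prune ROOT KEEP   -> delete all but the KEEP newest snapshots
    root=$1 keep=$2
    total=$(ls -1d "$root"/*/ 2>/dev/null | wc -l)
    drop=$((total - keep))
    [ "$drop" -gt 0 ] || return 0
    ls -1d "$root"/*/ | LC_ALL=C sort | head -n "$drop" | while IFS= read -r d; do
        label=$(basename "$d")
        chmod -R u+w "$d" && rm -rf "$d" "$root/$label.cksum"
    done
}

# Usage from the backup account's cron, e.g. nightly at 02:00:
#   snapshot /srv/share /backup/store "$(date +%Y%m%d-%H%M)" && prune /backup/store 30
```

The mode bits only bind non-root users, which is exactly the point: the snapshot store is never touched by the accounts the workstations run as, and the backup account itself only ever adds snapshots. Rotating the physical disk, as the poster does with the two USB drives, is still what protects against a compromise of the backup account or of the machine holding the store.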
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
I thought you were gonna use more rsync command line doodads.
Can't normal people alternatively use the built-in Windows 10 ransomware protection?
 

Windows_Security

I thought you were gonna use more rsync command line doodads.
Can't normal people alternatively use the built-in Windows 10 ransomware protection?

So to your definition I fall outside the 'normal people' population :oops: :ROFLMAO: :cool:

My old desktop was Windows 7 Enterprise, so I could not use the WD10 protected folders feature. I will have a Windows 10 desktop soon and I will enable ransomware protection when it is ready. The protected folders feature works without any issues on my wife's 2-in-1 Yoga. So WD ransomware protection should work for most 'normal' people.
 

Handsome Recluse

In this forum, non-default security, no antivirus, default-deny, automated data backups on a separate backup-only user on an Enterprise version, the lesser used Adguard user.
Only normal thing is you copy pasta.
You're beyond normal.
 

Windows_Security

The lesser used Adguard user has a simple reason: I run Chrome always incognito (with Bruce's New Tab Page, which also replaces the --incognito new tab with a blank). The only reason for using Adguard instead of uBlock is that uBlock Origin loads an instance for normal browsing and one for incognito browsing (so 2 in total). I also don't use advanced filtering. Being a minimalist I like to apply Occam's razor principle, so Adguard seems the simplest and easiest solution for me (I only enable optimized filters).
 

Windows_Security

EDIT: one minor change: replaced Chrome Safe Browsing with Emsisoft Browser Security (see post 880 in this thread: link)
 

Windows_Security

AdGuard Mobile Ads filter blocks some additional ads Base and Spyware don't.

Thanks: changed spyware filters back to Peter's Low only and the 80 most used ads and trackers on the web pages I regularly visit (user filter similar to my filter). Some news websites start to block content when they discover EasyList filters.

I compared uBlock Origin with Adguard on Linux Chromium 64-bit, but on my Linux Lite uBlock Origin's right-click context items did not work, nor would the picker start when trying to block cookie walls on the websites I usually visit.

So currently I am only using some 3000+ rules with Adguard. Adguard's memory usage is higher than uBlock Origin's, but I like Adguard's reporter and 'ad-picker' functionality over uBO's.

Few people mention that the reporter/monitor of Adguard has a very easy to use click-and-select filter/report option and its "Block Ads on this website" option works easier (and more accurately) than uBlock Origin's "picker". For Adguard to have a really easy to use reporter/picker makes sense since they maintain a lot of blocklists themselves. So it pays off (saves time) to program easy to use and accurate ad-picker and reporting functionality.
 

Handsome Recluse

Thanks: changed spyware filters back to Peter's Low only and the 80 most used ads and trackers on the web pages I regularly visit (user filter similar to my filter). Some news websites start to block content when they discover EasyList filters.
No more Adguard Base? :'(
 

Windows_Security

The English filter of Adguard and EasyList prevent watching some videos on NU.NL, one of the news websites I check daily: NOS.NL, NU.NL, BBC.COM, CNN.COM and FOXNEWS.COM, the latter not because I am a Trump fan, but to compensate for the news of CNN.

When I have to believe CNN/HuffPost, it seems that the moral compass of Trump is worse than the average dictator's and he has the intellect of a five-year-old. When I have to believe Fox News, Trump is the American crossover of the world's most famous political/economic/spiritual leaders. When someone knows a US news website which does not colour news with either pro- or con-Trump messages, please post suggestions.
 
