Basic security
Philo Offline yiff yap

Posts: 17,098
15th August 2016 03:22 PM
Post: #1
I was inspired to make this by a conversation I had with Irenarch a week or so ago. It's a guide to having a reasonably secure general-purpose configuration, currently on Windows, with macOS and Linux coming. It is important to note what this is not; it is not a "privacy" guide (the two concepts have only some overlap), is not for highly technical people (whose quite reasonable reaction to some of this may be "ah ha but you can do that securely with such-and-such configuration if you know..."), and is not for those with much higher security requirements than a typical user (this does not conform to NSA/DISA hardening standards, for example).

v. 0.0.3

Added footnote(s)

v. 0.0.2

Added note on Windows 10 login settings (PIN and 2FA)

v. 0.0.1

Posted.

Windows
  • Be on Windows 8+, ideally Windows 10. These have a lot of under-the-hood security improvements compared to 7, which I'd be happy to talk about if anyone is curious. If you think Windows 10 is more of a security risk than 7 because "it spies on you" then I have a bridge in Brooklyn I'd like to sell you. And for the love of fuck use at least Pro, not Home (for encryption among other things).
  • Make sure your UEFI/BIOS is up to date. Find your computer's/motherboard's firmware downloads (or some such phrase) page and do this.
  • Set a "setup password" for your UEFI/BIOS, which will help prevent malicious modification of boot settings and the like.
  • Enable TPM if you have one. If not and you are using a desktop, where the motherboard can be easily reached, it is worth seeing if you can buy one (I did for my ASUS X99-A mobo in my desktop). This is basically a special cryptographic microcontroller with a cryptographic key burned into the hardware.
  • Enable Secure Boot. This is a big deal. While it is not quite as secure as we thought and as some have tried to spin it (see this vulnerability, which seems to have been substantially mitigated as of August 9th, 2016) this is still a very useful hurdle with which to confront an attacker as one layer of defense-in-depth, and it stops a lot of run-of-the-mill rootkits in their tracks. Note that some Linux distros, if you dual-boot, do not play nicely with Secure Boot (the major mainstream commercial-backed distros like Ubuntu and Fedora are fine as companies like Canonical and Red Hat have cooperated with Microsoft), but be aware of the tradeoff being made.
  • [Optional] You may opt to disable various bits of hardware, such as FireWire, in UEFI/BIOS. If you don't use it there is no reason to present another attack surface. I highly recommend at least disabling FireWire (1394) and ExpressCard if you have them unless you really need them. I personally also have Bluetooth, the webcam, and mic disabled on my laptop.
  • Windows now gives you the option to log in via a Microsoft account. If you choose not to do this, then just make sure you have a strong local password. But if you do opt to log in via a Microsoft account, as I do, you'll want to use a PIN to log in. The PIN uses locally-generated asymmetric key pairs which sign authentication requests, and is specific to the device. This way, while it would be very bad indeed if your Microsoft account was compromised, they still couldn't log in to the device, and if someone compromises your PIN it is useless for compromising your account unless they have physical access to your device. I also use two-factor authentication (2FA) on my Microsoft account via the iOS app. Don't use SMS 2FA if at all possible, SMS is very insecure, although it is better than no 2FA at all. I do not have it so that I need to use 2FA every time I log in to my machine, however, only for sign-ins on a new device.
  • Set UAC to the highest option ("always notify").[1]
  • [Optional] In Windows Update settings > Advanced > Choose how updates are delivered, turn off "updates from more than one place" unless the machine lives only on a network you can trust. I leave this on on my desktop as it lives permanently on a LAN that I admin, but I have it off on my laptop. This one is somewhat controversial and I'm not sure it's necessary, but it does reduce the attack surface.
  • Don't turn off telemetry, especially not by editing the registry. "But muh NSA." No. It does important things.
  • Always update as soon as is reasonably possible. I don't care if you don't like rebooting, do it at least semi-regularly.
  • Turn on BitLocker encryption if you don't want your data from that install just laid bare. This is part of why I highly recommend you have at least the Pro version of Windows. If you don't have a TPM, here's a guide on how to use BitLocker without one. Although I recommend having one if at all possible.
  • In terms of browser choice, I recommend Chrome for most purposes. In particular, you want 64 bit Chrome, it has a lot of security features the 32 bit version does not. I usually use enterprise Chrome/"Chrome for work", found here, which has a convenient system-wide msi installer. Chrome has arguably the best balance of sandboxing, other security features, and extension support. Edge is a very promising browser security-wise but is not quite there yet. Firefox can be great if you tweak a lot but the sandboxing is not as good as Chrome and a default install is bad. I assume that if you use a browser besides one of these you know what you're doing.
  • In Chrome, set Flash to click-to-play.
  • Use the following extensions: uBlock Origin, HTTPS Everywhere. Adblocking is very important for security, not because "arrgh I hate ads" but because ads are sadly an extremely common attack vector. Until ad networks clean up their act, many of them are getting blocked, sorry site owners. HTTPS Everywhere forces https if the site supports it. You can also install an anti-tracker like Privacy Badger or Ghostery if you want, but this is optional as the security benefit is relatively small on the margin relative to the interference with functionality on certain sites. I use Privacy Badger.
  • Use a password manager. This will make it much easier to have more secure and varied passwords, which is one of the most important things you can do for your security. The two major approaches here are cloud-based and local. For cloud-based solutions, where you basically just log in to an online service, I recommend either LastPass or 1Password. LastPass is probably the most well-known and really does excellent work, and the free tier is actually quite good features-wise. If you can afford it I recommend the premium tier; it runs $12 a year (in the US) and has much more extensive syncing capabilities across devices and platforms. 1Password was originally a Mac exclusive, but the Windows version is currently in beta and is doing well. It's pricier at $36 a year, but they do make an excellent product. Alternatively to all this, you can choose to manage your own password database, in which case I recommend KeePass, which is completely free. This is what I do, but you must be careful to manage your own database's security, and it can get a bit annoying to use on mobile if you use iOS like I do.
  • Install anti-exploit of some kind. Microsoft's EMET is an excellent free solution, although do not have it enforce on Chrome, stuff will likely break (Chrome can take care of itself). Malwarebytes Anti-exploit is superb and easier to manage for non-technical users, but the free version only protects the browser, so you will need to fork over $25 if you want more out of it than this.
  • [Optional] Install GlassWire firewall. Gives you a wonderful overview and alerts of network activity, so it is very obvious when something is doing something it shouldn't.

[1] For an example of why this is important from...today, see this. Warning: Technical

[Coming soon]
  • Antivirus
  • VPNs
  • Other assorted stuff

macOS

[Coming soon]

Linux

[Coming soon]

"Some of you may have had occasion to run into mathematicians and to wonder therefore how they got that way"
-Tom Lehrer
(This post was last modified: 15th August 2016 04:05 PM by Philo.)
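A read-only way to verify four items from the checklist in the post above (Secure Boot, TPM, UAC at "always notify", BitLocker on the system drive), as an added example that is not part of the original post. It assumes an elevated PowerShell session on Windows 8 or later; the helper name `Test-Check` and the result property names are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Read-only audit: nothing here changes a setting.
# Test-Check and the Check/Pass/Detail property names are hypothetical helpers for this example.

function Test-Check {
    param([string]$Name, [scriptblock]$Probe)
    try {
        $r = & $Probe
        [pscustomobject]@{ Check = $Name; Pass = [bool]$r.Pass; Detail = $r.Detail }
    } catch {
        # A probe that throws (e.g. Confirm-SecureBootUEFI on a legacy-BIOS install,
        # Get-Tpm without elevation) is reported as a failure, not silently skipped.
        [pscustomobject]@{ Check = $Name; Pass = $false; Detail = "not verifiable: $($_.Exception.Message)" }
    }
}

$results = @(
    Test-Check 'Secure Boot enabled' {
        $on = Confirm-SecureBootUEFI -ErrorAction Stop
        @{ Pass = $on; Detail = "Confirm-SecureBootUEFI = $on" }
    }
    Test-Check 'TPM present and ready' {
        $t = Get-Tpm -ErrorAction Stop
        @{ Pass = ($t.TpmPresent -and $t.TpmReady)
           Detail = "Present=$($t.TpmPresent) Ready=$($t.TpmReady)" }
    }
    Test-Check 'UAC at "Always notify"' {
        $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction Stop
        # "Always notify" = UAC on, consent prompt for every elevation, shown on the secure desktop.
        $ok = ($k.EnableLUA -eq 1) -and ($k.ConsentPromptBehaviorAdmin -eq 2) -and ($k.PromptOnSecureDesktop -eq 1)
        @{ Pass = $ok
           Detail = "EnableLUA=$($k.EnableLUA) ConsentPromptBehaviorAdmin=$($k.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($k.PromptOnSecureDesktop)" }
    }
    Test-Check 'BitLocker protecting system drive' {
        $v = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $kp = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        # ProtectionStatus is Off while encryption is suspended, even on a fully encrypted volume.
        @{ Pass = ($v.ProtectionStatus -eq 'On')
           Detail = "Protection=$($v.ProtectionStatus) Volume=$($v.VolumeStatus) Protectors=$kp" }
    }
)

$results | Format-Table -AutoSize -Wrap
```

A "not verifiable" row means the probe itself failed, for example on a Home edition without the BitLocker cmdlets or a machine booted in legacy BIOS mode.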
Robospector Offline Filly

Posts: 10
13th September 2016 05:35 PM
Post: #2
Great post! Might I add this to Linux?:
  • When logging into a Linux machine via SSH, it is a good idea to use a private key, instead of a clear password to log in, alongside disabling clear password logins. This private key is in the form of an encrypted file that can be generated with tools such as PuTTYGen.