Handsoff setup recommendations for my father

Virumo

Junior Member
Jul 21, 2013
19
0
0
I'm personally comfortable using stuff like NoScript where you actively need to work with it as you go about. My father, on the other hand, will either ignore or close any prompts that come up. For instance, I've already put Firefox and Chrome on his computer with AdblockPlus and Ghostery, because those are handsoff extensions. Other than that he's only got Windows defender right now. What additional antivirus, antiPUP, etc. things should I consider for him that would require no user input? Paid options are fine.
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
How much browsing does he honestly do?

Personally, I'd set up NoScript anyway and sit down with him to whitelist the handful of sites he most likely spends 99% of his time on. Anything else, if it doesn't work oh well.

Anything truly hands off is going to run into false positives eventually, and anything designed to be hands-on is either insecure or too restrictive if you treat it as hands-off. you just have to balance security vs usability for what he needs to use it for.
 

Virumo

Junior Member
Jul 21, 2013
19
0
0
He actually needs to do a fair bit of browsing to new sites on a regular basis for work, NoScript would be a nightmare for him.
 

MustISO

Lifer
Oct 9, 1999
11,927
12
81
I'd strongly consider getting him a subscription to Sandboxie and a different anti-virus.
Sandboxie creates a virtual environment for the applications you run in it so in theory an infection could never reach the rest of the system.

For AV, Bitdefender does very well in testing and can usually be found on sale several times a year. For a free solution, Avira is good.

Also make sure he's not set up with an Admin account.
 

KeithP

Diamond Member
Jun 15, 2000
5,664
201
106
So he needs to do web browsing but does he need to do it in Windows? What about a ChromeBook or ChromeBox?

-KeithP
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
Personally, I'd set up NoScript anyway and sit down with him to whitelist the handful of sites he most likely spends 99% of his time on. Anything else, if it doesn't work oh well.

Anything truly hands off is going to run into false positives eventually, and anything designed to be hands-on is either insecure or too restrictive if you treat it as hands-off. you just have to balance security vs usability for what he needs to use it for.

NoScript would definitly be too much. If you absolutely wanted some kind of blocking like that I would recommend uBlock in medium mode[1] as it would be far easier than maintaining NoScript. Otherwise just run uBlock, if you're super worried about false positives just use the default filter lists + the privacy ones. However you should be able to enable quite a lot without false positives even if the chances do increase.

I'd strongly consider getting him a subscription to Sandboxie and a different anti-virus.
Sandboxie creates a virtual environment for the applications you run in it so in theory an infection could never reach the rest of the system.

For AV, Bitdefender does very well in testing and can usually be found on sale several times a year. For a free solution, Avira is good.

Also make sure he's not set up with an Admin account.

I would forget about Sandboxie as that's also likely too hands on and adds needless complication into it. It's not going to offer much if you're already using Chrome which already has proper sandboxing. There's also nothing wrong with sticking with Defender if Windows has been set up properly (e.g. with a software restriction policy (SRP)) and as you've said it's not an admin account.

I'd also ditch Firefox and just use Chrome. You can disable the data reporting stuff if it bothers you just makes sure the protection from maleware (Safe Browsing) and optionally the DNT settings are enabled. Install HTTPS Everywhere[2] and uBlock Origin[3], enable whatever filter lists you want (you can enable a lot and see how it goes) and ensure it auto updates. Not sure if this hit the stable channel yet but in chrome://flags there are two options to enable AppContainer support and win32k lockdown support in plugins which you'll also want to enable. You can also block third party cookies in the content settings which is pretty safe to do without breaking anything.

That should give you a pretty damn secure hands off browser with proper sandboxing including plugins like Flash.

[1] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
[2] https://www.eff.org/https-everywhere
[3] https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
 
Last edited:

Virumo

Junior Member
Jul 21, 2013
19
0
0
So he needs to do web browsing but does he need to do it in Windows? What about a ChromeBook or ChromeBox?

-KeithP

Computer is already in his possession (XPS 15 9550), he's also got a contract with Dell for tech support, I'm not sure how changing the OS around would gel with that. Either way, I have no experience with Chrome OS, so I have no idea how MS Office, ACT!, and the other software he uses would work in it.

I would forget about Sandboxie as that's also likely too hands on and adds needless complication into it. It's not going to offer much if you're already using Chrome which already has proper sandboxing. There's also nothing wrong with sticking with Defender if Windows has been set up properly (e.g. with a software restriction policy (SRP)) and as you've said it's not an admin account.

I could probably make not using an admin account workable. Barring physical access to the computer or anything similar where they can view the screen (if that level of penetration is already achieved he's probably toast anyway), would leaving the admin account without a password introduce a security risk? Or using a password, but having the password hint be super obvious (his middle name)?

I've never set a SRP before, is there a good guide for it out there?

Enjoying all the suggestions from everyone so far, thanks for the great input.

Edit: in the past my father has been hit with things that change his home page to Google imitators like Conduit. Anything that would specifically prevent against that nuissance would be nice. Other than that, crypto-ransomware is my biggest fear, in case my father would panic and do something that would make his data unrecoverable.
 
Last edited:

lxskllr

No Lifer
Nov 30, 2004
59,401
9,926
126
NoScript in allow all mode will still protect against some xss attacks. I always include it on computers I setup. Getting away from Windows is the best security for non savvy users. If his stuff could be made to work and/or replaced by something else, that's what I would do.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
Computer is already in his possession (XPS 15 9550), he's also got a contract with Dell for tech support, I'm not sure how changing the OS around would gel with that. Either way, I have no experience with Chrome OS, so I have no idea how MS Office, ACT!, and the other software he uses would work in it.

If he uses other software other than a web browser than ChromeOS wouldn't work. It's just a glorified web browser (so you'd be stuck with stuff like Google Docs, etc).

I could probably make not using an admin account workable. Barring physical access to the computer or anything similar where they can view the screen (if that level of penetration is already achieved he's probably toast anyway), would leaving the admin account without a password introduce a security risk? Or using a password, but having the password hint be super obvious (his middle name)?

So long as they're separate and both have passwords that's all that matters. It being super obvious shouldn't matter for what we're trying to protect against.

Edit: in the past my father has been hit with things that change his home page to Google imitators like Conduit. Anything that would specifically prevent against that nuissance would be nice. Other than that, crypto-ransomware is my biggest fear, in case my father would panic and do something that would make his data unrecoverable.

If his computer supports UEFI (secure boot) use bitlocker (disk encryption). IIRC it will prevent the ransomware from being able to cause any damage.
 
Last edited:

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Can you cite a source that says Bitlocker and secure boot mitigates ransomware?

It doesn't; any files that are write-accessible will be targets, once booted into the OS, the encrypted system volume is transparent to everything but seemingly Dell firmware upgrades :D When attached bitlocker volumes are mounted, those are vulnerable as well. This means the ransomware will encrypt files that are then encrypted by bitlocker. It would be dangerous to assume bitlocker will keep data safe.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Thought so.
No doubt! Mostly directed at those who think Bitlocker or any FDE somehow protects from damaging malware. The only true contingency is a solid backup. Daily, hourly, even monthly, it all needs to be tucked away from this nasty threat. Frankly I'm surprised ransomware hasn't hit this stage until recently. In most modern systems, the user may not even feel the effects of the encryption while it's happening because of AES-NI. Stay safe guys.
 

Virumo

Junior Member
Jul 21, 2013
19
0
0
Is Bitlocker practical for my father's purposes? If someone steals his laptop and he's not logged in then the data would be safe from theft, but anyone taking that step could also probably just look over his shoulder in some fashion while he enters the password at some point. Does it protect against anything else?
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
Don't have any experience with Bitlocker. I use Truecrypt myself. Bitlocker would be the easiest, but if things mess up you lose everything. I'm not really sue if Bitlocker has a recovery option. I'm sure they have something you write to external media I suppose. With Truecrypt you write the loader on disk in case it gets corrupted.

Like was mentioned. Have a backup strategy. I clone my computers to external media using AOMEI Backuper. Other stuff like bookmarks gets encrypted periodically in a SFX archive and sent to my FTP server and a cloud provider.

As far as someone looking over your shoulder. http://solutions.3m.com/wps/portal/3M/en_US/3MScreens_NA/Protectors/
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,055
198
116
Bitlocker does have a recovery option - one of them is that you can write it to a USB in case you get locked out.

Don't have any experience with Bitlocker. I use Truecrypt myself. Bitlocker would be the easiest, but if things mess up you lose everything. I'm not really sue if Bitlocker has a recovery option. I'm sure they have something you write to external media I suppose. With Truecrypt you write the loader on disk in case it gets corrupted.

Like was mentioned. Have a backup strategy. I clone my computers to external media using AOMEI Backuper. Other stuff like bookmarks gets encrypted periodically in a SFX archive and sent to my FTP server and a cloud provider.

As far as someone looking over your shoulder. http://solutions.3m.com/wps/portal/3M/en_US/3MScreens_NA/Protectors/
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
Thought that's what they used. Kinda like how you could save your password to USB or whatever in XP. I did that and kept the USB stick behind a Tiki head I had hanging up in my room. LOL
 

Entropism

Senior member
Sep 2, 2002
236
0
76
If you want handsoff? Webroot along with Malwarebytes anti-malware, then toss in an ad blocker like uBlock. Maybe Adblock+, since it tends to need less interaction.
 

Virumo

Junior Member
Jul 21, 2013
19
0
0
Does anyone have any experience with WinPatrol/WinPrivacy/WinAntiRansom? The lifetime license is appealing.
 

KeithP

Diamond Member
Jun 15, 2000
5,664
201
106
Does anyone have any experience with WinPatrol/WinPrivacy/WinAntiRansom? The lifetime license is appealing.

I have used WinPatrol (free version) in the past and have always been happy with it. However, when I have suggested it to less sophisticated users they seem to always end up approving everything so it doesn't provide much help.

-KeithP