How would you improve my security setup?

Virumo

Junior Member
Jul 21, 2013
I've got myself a shiny new Lenovo Y410p, and being in the financial services industry, I need to be sure that I'm security conscious. So far I'm using the free versions of all of these: Windows 8, TrueCrypt, Firefox with NoScript, Ghostery, and Adblock+, Avast, Hotspot Shield, Comodo firewall, and Secunia PSI. I am willing to spend money on paid services; however, conceptually I feel like I've replicated all the features of a paid suite. I'm still learning how to use most of these. Comodo in particular is confusing as heck to me (I have no idea what to do for most alerts that are probably innocent), so if my setup appears good, recommended settings and guides for use of these programs would also help me greatly. Thanks!
 

lif_andi

Member
Apr 15, 2013
You might want to look at the encryption of local data, both for when sending sensitive information and also how you store it, and secure passwords, both on BIOS and everything else in case your computer were to be stolen. Don't know how safe you want to be and how sensitive your data is and is going to be, but depending on these there is a lot to think about.

BitLocker with Windows is very good and secure, but it does encrypt entire drives.

If your computer has a TPM then use it where applicable.
 

Virumo

Junior Member
Jul 21, 2013
You might want to look at the encryption of local data, both for when sending sensitive information and also how you store it, and secure passwords, both on BIOS and everything else in case your computer were to be stolen. Don't know how safe you want to be and how sensitive your data is and is going to be, but depending on these there is a lot to think about.

How would I go about doing this? I actually know very little about computers; the list of things I installed already comes from Googling around and picking stuff off of lists.
 

blankslate

Diamond Member
Jun 16, 2008
Go into Services: type services.msc in the search menu.

Turn off (set to Disabled) the Remote Registry and Remote Desktop services. They don't need to be on generally, and some consider them to be a possible security risk.

Be mindful of the physical security of your laptop. Don't let the bag it's in out of your sight; be wary of where you leave it.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Hopefully you're on 64-bit Win8? Confirm you have functioning SecureBoot by running a PowerShell command prompt as Administrator, and typing Confirm-SecureBootUEFI. You should get this:

[Screenshot: secureboot_check.PNG]


I have some additional suggestions listed here, including using EMET and SRP: http://www.mechbgon.com/security

The recent security breach here at AnandTech highlights a problem with relying on NoScript: the majority of malicious sites are normally safe! So scripts on your whitelisted sites are going to run, including on the day they get pwned. And then they've got a shot at a browser with no sandbox, and no extra-safe Low Integrity or AppContainer restrictions. Instead, I'd suggest using a browser with sandboxing tech, either Internet Explorer (preferably with Enhanced Protected Mode enabled, a toggle in Internet Options > Advanced tab) or Google Chrome.

Be sure not to use the same password for more than one site. If the bad guys crack your password to something unimportant, and it turns out to also be the password to something critical, then if they can deduce the connection, you're in trouble. Map out where your password-reset requests would go, and make that especially secure; a dedicated account for that role might be smart.

Lastly, and you probably know this already, don't assume something's safe just because your antivirus didn't detect it as malicious. Antivirus is a last-ditch defense that might or might not save us... use it, but don't put excessive faith in it.
 

Virumo

Junior Member
Jul 21, 2013
Regarding sandboxing, my understanding is that Comodo is capable of sandboxing specific applications? Is there a way to get it to sandbox Firefox so I can continue using it? I'm not opposed to switching browsers, but would prefer to avoid it if possible.

Go into Services: type services.msc in the search menu.

Turn off (set to Disabled) the Remote Registry and Remote Desktop services. They don't need to be on generally, and some consider them to be a possible security risk.

I see both remote desktop services and remote desktop services usermode port redirector. Disable one or both?

Also, I'm unable to find anything on my laptop about TPM.
 

blankslate

Diamond Member
Jun 16, 2008
I see both remote desktop services and remote desktop services usermode port redirector. Disable one or both? Also, I'm unable to find anything on my laptop about TPM.

Sorry for the late reply, but AFAIK the Remote Desktop Services UserMode Port Redirector is dependent on the Remote Desktop service, and if the Remote Desktop service is not enabled and the redirector service is, then the latter won't function in any case.

That service doesn't ship with Windows 7 Professional, but does with Ultimate, so I'm not familiar with it.

This site has good information on services:

http://www.blackviper.com/

I used this guide to tweak Windows XP services for better performance, but that really isn't as necessary now, since MS now sets a lot of services to manual (off but will start if a program or the OS needs it) instead of automatic (just starts with the OS), and the hardware available today of course offers much more performance than what was available back then.

I've looked through the guides on the services for Windows 8 and it looks like they ship the OS with Remote Registry set to disabled by default. Before, it was set to manual or automatic (circa WinXP).
 

Chiefcrowe

Diamond Member
Sep 15, 2008
You can use the program Sandboxie to run Firefox in a sandbox. Combine that with running as a limited user account on your PC, and then you will be more secure.


Regarding sandboxing, my understanding is that Comodo is capable of sandboxing specific applications? Is there a way to get it to sandbox Firefox so I can continue using it? I'm not opposed to switching browsers, but would prefer to avoid it if possible.



I see both remote desktop services and remote desktop services usermode port redirector. Disable one or both?

Also, I'm unable to find anything on my laptop about TPM.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
Yes, I also agree that encryption is a must for laptops. At work we are now forced to encrypt all mobile devices.



You might want to look at the encryption of local data, both for when sending sensitive information and also how you store it, and secure passwords, both on BIOS and everything else in case your computer were to be stolen. Don't know how safe you want to be and how sensitive your data is and is going to be, but depending on these there is a lot to think about.

BitLocker with Windows is very good and secure, but it does encrypt entire drives.

If your computer has a TPM then use it where applicable.
 

Savatar

Senior member
Apr 21, 2009
Disable the SSDP Discovery service as well; this will have the added bonus of closing a port on your system.

You may want to get a hosts file like MVPS (updated with HostsMan) for blocking some common ad/malware sites, since sometimes infections can spread by something as benign as viewing a malicious JPEG (usually hosted on a third-party ad site, though I heard NBCNews.com got infected a while back). Even with AdBlock+, security in layers might help. If you do this, disable the DNS Client service too; this will help the system boot faster if you're using a hosts file with a lot of entries, and also make it so you are less vulnerable to DNS cache poisoning attacks. Try setting your DNS servers manually so you don't pick up different DNS servers depending on which wifi you are connecting to. You can use Google Public DNS (8.8.8.8 and 8.8.8.4); this will also let you check these values from time to time to see if they've been tampered with. Disable IPv6 unless needed (some third-party VPN solutions will require it).

At work we use BitLocker, but that only really helps if you lose your laptop or something crazy like that, i.e. if they try to physically remove your HDD or boot from a live OS to inspect the contents. It doesn't help once you're logged in at all. Make sure you're using a BIOS password as well, as someone else suggested. To set a BIOS password at boot time you have to press a different hotkey depending on the make/model of your system (usually DEL or F1 or F12 at boot will bring up the BIOS screen), then from the BIOS set an administrator password and set the boot order of the HDD to primary so that people can't boot from a CD first (unless you manually enter the password and change that in the future).

The most important rules... don't visit lots of random websites, never open suspicious attachments or documents from untrusted sources, limit your attack surface by not installing too many third-party applications like Adobe, Flash or Java unless absolutely required (disable the browser plugins whenever they are not in use), keep everything up to date, scan frequently, and keep a watchful eye on your system's processes/network activity!
 
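A read-only audit of the settings discussed across this thread (Secure Boot, TPM presence, the Remote Registry, Remote Desktop and SSDP Discovery services, and manually set DNS servers), as an added PowerShell example that is not part of any post. The expected DNS list is an assumption; replace it with the servers you actually configured.

```powershell
# Added audit example. Run from an elevated PowerShell prompt (Windows 8 or later).
# Read-only: it reports settings and changes nothing.

# Services named in the thread, keyed by their internal service names.
$services = [ordered]@{
    RemoteRegistry = 'Remote Registry'
    TermService    = 'Remote Desktop Services'
    UmRdpService   = 'Remote Desktop Services UserMode Port Redirector'
    SSDPSRV        = 'SSDP Discovery'
}
# Assumption: the DNS servers you set by hand (here Google Public DNS).
$expectedDns = @('8.8.8.8', '8.8.4.4')
$report = @()

# Secure Boot: the cmdlet throws on legacy-BIOS boots rather than returning False.
try   { $sb = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' } }
catch { $sb = 'Unavailable (legacy BIOS boot, or prompt not elevated)' }
$report += [pscustomobject]@{ Check = 'Secure Boot'; State = $sb; OK = ($sb -eq 'Enabled') }

# TPM: report whether the machine has one that BitLocker could use.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $tpmState = if ($tpm.TpmPresent) { "Present (ready: $($tpm.TpmReady))" } else { 'Not present' }
} catch { $tpmState = 'Could not query (prompt not elevated?)' }
$report += [pscustomobject]@{ Check = 'TPM'; State = $tpmState; OK = ($tpmState -like 'Present*') }

# Services: 'Disabled' is the target state; a service that is absent also passes.
foreach ($name in $services.Keys) {
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    $mode = if ($svc) { $svc.StartMode } else { 'Not installed' }
    $report += [pscustomobject]@{ Check = $services[$name]; State = $mode
                                  OK = ($mode -in 'Disabled', 'Not installed') }
}

# DNS: flag any adapter whose IPv4 resolvers are not in the expected list.
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $nic.ServerAddresses) { continue }
    $unexpected = @($nic.ServerAddresses | Where-Object { $_ -notin $expectedDns })
    $report += [pscustomobject]@{ Check = "DNS on $($nic.InterfaceAlias)"
                                  State = ($nic.ServerAddresses -join ', ')
                                  OK = ($unexpected.Count -eq 0) }
}

$report | Format-Table -AutoSize
```

Rows with OK set to False are the ones to review; a DNS row can fail legitimately on a network where you have not yet set the servers by hand.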