How to - Windows Fast Edition

Disable Firewall (I'm happy with my NAT router security)

I really should add that disabling the firewall is not going to give you any real performance gain.

And NAT is *not* security and it's an awful idea to rely on it as such. If you have a real firewall further down the line that's fine, but otherwise you should keep your firewall enabled.

:)
 
Would be a good idea, but you'd have to create a list of 'trusted' devices as Windows doesn't have direct access to the electrical signals sent via physical peripherals.

Well for me, this method you speak of sounds a little like what MS might say on the matter if I'm honest. To possibly carry on down that route however, surely it would just be a case of properly securing the base API(s) for these devices!?

Simply put and to quote an often used cliché, surely it can't be rocket science to actually know what signals just came in to a system via the keyboard or mouse alone :confused:
 
You could have a dedicated chip to pass this information up the OSI layers to where it needs to be.

But as with anything, I am sure it could be exploited somehow!
 
I do the same as you

I don't need indexing service as I know how to find any single file on my drives as I know how to put things in folders lol. Can't actually remember ever using the search function in Windows tbh, closest I've come is dir *.something to find all files of a certain extension in the command prompt

Disable all the other crap as I don't need it and Windows has a habit of doing stuff when idle which I don't want. If I want to scan, defrag or prefetch I'll do it myself thanks. Ideally the 'custom' Windows installation (aimed at people who know what they're doing) would let you select exactly which services and functionality were installed, unfortunately we need to use third party tools for this...

Disable UAC as it's intrusive and pointless for me, I never messed up a win2k/xp install or got a virus so don't suddenly need linux style security policy on win7

Never used AV or software firewall and not had a virus in 10 years (which was me at 15 downloading a suspiciously small .exe file off Kazaa knowing full well it would probably be infected but wanting to play the game that desperately I didn't care lmao)

Yep Linux would tick all my boxes, but I like playing new videogames and having driver support for any hardware I buy so it hasn't got a chance I'm afraid

edit: On the other hand, my dad has a vista laptop with UAC, AV, auto-updates for windows and AV, software FW and NAT router and STILL managed to get malware on it several times that took me ages to sort out involving anti-virus programs off USB sticks etc

just goes to show, your brain is by far the best protection you can give your PC, if you know enough then you don't really need anything else
 
UAC is a lock which many average users unlock unquestioningly every time a program rings the doorbell, without first checking who's outside.

The elevation dialogs aren't there for security purposes, but are there merely as a convenience. User Account Control is really a tool which enables users to take advantage of a security feature, known as standard user accounts.

As a side note, I'm surprised that Microsoft seemingly haven't been able to differentiate between commands sent via the keyboard and mouse (electrical impulses) as opposed to any other means, thus negating the need for UAC? Unless I'm missing something obvious here...

In what way would that negate the need for User Account Control?
 
In what way would that negate the need for User Account Control?

Well, at some point in time, you, me and everyone else in here will move our mice over to a shortcut or application and double click it. This may bring up a UAC prompt. This for me begs the question - why isn't an OS in this day and age able to know that this was physically initiated by us moving the mouse and clicking with it in the first place. If it did it would surely not need to ask me if I was sure that I wanted to run it with elevated rights?
 
The issue is that the AV products don't achieve it. They claim automation of removal but in practice it rarely works except for the absolute simplest of malware. And this type of malware is a dying breed.

AV isn't a lock. Windows security policies and things like UAC are a lock. AV is more akin to a private security guard, with no legal powers and no gun. All he can do is attempt to chase away the thugs and tell the residents the problem is resolved, only for the residents to have to put up with the same thugs returning the next day.

Sorry but I can't help laughing to myself about this... You suggest that AVs are useless then suggest that UAC is better? Most basic viruses are written to bypass UAC as one of their first aims... UAC will stop some viruses getting onto the machine but in reality I'd still trust a piece of free AV software over it...
 
Sorry but I can't help laughing to myself about this... You suggest that AVs are useless then suggest that UAC is better? Most basic viruses are written to bypass UAC as one of their first aims... UAC will stop some viruses getting onto the machine but in reality I'd still trust a piece of free AV software over it...

If you really believe that then you're lacking basic understanding.
 
If you really believe that then you're lacking basic understanding.

As far back as November 2009, Sophos highlighted Windows 7 UAC's ineffectiveness...

"We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7."

Http://nakedsecurity.sophos.com/2009/11/03/windows-7-vulnerable-8-10-viruses/
 
The malware that "play well with UAC" are those that don't need admin permissions. And those are easy to remove using a tool like Sysinternals Autoruns.

All the articles I've read about UAC's supposed ineffectiveness against some malware relate to the fact that Windows 7's default UAC security level is one step shy of maximum (and where it was on Vista). Set W7's UAC to the maximum security level and this problem goes away.

On a well configured system, the only way some malware can infect you is via a privilege escalation vulnerability. These are fairly rare and are patched quickly.

As I said, Windows security policies together with UAC are stronger and more resilient to malware than any AV snake oil.
 
How do you know then?

no processes running i don't know what are, no strange activity over the network, no passwords or accounts ever compromised, and once every few years I've downloaded AVG or some other scanner, ran it once, found nothing and uninstalled it straight after
 
The malware that "play well with UAC" are those that don't need admin permissions. And those are easy to remove using a tool like Sysinternals Autoruns.

All the articles I've read about UAC's supposed ineffectiveness against some malware relate to the fact that Windows 7's default UAC security level is one step shy of maximum (and where it was on Vista). Set W7's UAC to the maximum security level and this problem goes away.

On a well configured system, the only way some malware can infect you is via a privilege escalation vulnerability. These are fairly rare and are patched quickly.

As I said, Windows security policies together with UAC are stronger and more resilient to malware than any AV snake oil.

Setting UAC to its highest level is simply too inconvenient for most people though. MS also state that UAC isn't a security application, but rather a means to get certain developers to finally make their applications LUA compliant. It helps prevent the spread of malware but it shouldn't be considered as a first line of defence.

Autoruns just offers a means to disable something from running on your system, but this is after the horse has bolted. Patching is of course a must, but you'd hope to be reasonably patched up prior to getting anything, not after the event.

Unfortunately there's a steadily growing number of malware that simply turn UAC off regardless of what level it's set to. If you don't have a decent antivirus running then you increase the chance of coming unstuck sooner rather than later it would seem.

Here's a growing list of UAC related malware (and this is from Microsoft so I'm sure there's plenty more besides) : http://www.microsoft.com/security/p...wall=False&CBF=False&sortby=date&sortdir=desc

They do however seem to say the following in regards to malware prevention...

Install antivirus and antispyware programs from a trusted source, update software regularly, use strong passwords and keep them secret, never turn off your firewall and use flash drives cautiously.
Source : http://www.microsoft.com/en-gb/security/pc-security/protect-pc.aspx

I think I'll be sticking to my layered snake oil approach for the foreseeable future ;)
 
What I do:
-Uninstall Windows features: Games, DVD Maker, XPS, Gadgets...
-Disable UAC
-Disable Firewall
-Disable Windows Update
-Disable System Restore
-Disable Recycle Bin
-Disable hibernation
-Disable services e.g. Print Spooler, Homegroup, Diagnostics, IP Helper, Workstation, Time, Search, Indexing, Server, NetBIOS, Computer Browser, Shell Hardware, Tablet, ...
-Set Windows appearance to "performance"
-Set desktop background to "solid colors"
-Set Windows sounds to "no sounds"

If there's a way to squeeze any more performance out I'll find it. You don't need anything more than DirectX and a functional UI.
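The list above switches off the very controls the rest of the thread argues about, and an earlier reply recommends setting Windows 7's UAC to its maximum level. As an added example, not code from any poster in this thread, the following read-only PowerShell audit reports where those controls currently stand on a machine: the UAC slider position decoded from the policy registry values (ConsentPromptBehaviorAdmin 2 with PromptOnSecureDesktop 1 is "Always notify", 5 with 1 is the Windows 7 default one step below it, EnableLUA 0 means UAC is off), the firewall state for each profile parsed from netsh, and the status and start mode of the Windows Update, Windows Firewall and Volume Shadow Copy services. The netsh regex assumes English-locale output; nothing here changes any setting.

```powershell
# Added example (not from the thread): audit UAC level, firewall profiles and a few security services.
# Read-only; the HKLM policy values can be read without elevation.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    # A missing value means Windows is using its default (EnableLUA=1, Admin=5, SecureDesktop=1).
    $enableLua  = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminMode  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    # Map the registry triple back onto the Windows 7 slider positions.
    $level = if ($enableLua -eq 0 -or $adminMode -eq 0) { 'Never notify (UAC effectively off)' }
             elseif ($adminMode -eq 2 -and $secureDesk -eq 1) { 'Always notify (maximum)' }
             elseif ($adminMode -eq 5 -and $secureDesk -eq 1) { 'Default: notify for non-Windows binaries, secure desktop' }
             elseif ($adminMode -eq 5 -and $secureDesk -eq 0) { 'Notify for non-Windows binaries, desktop not dimmed' }
             else { "Custom policy (ConsentPromptBehaviorAdmin=$adminMode, PromptOnSecureDesktop=$secureDesk)" }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminMode
        PromptOnSecureDesktop      = $secureDesk
        SliderLevel                = $level
        AtMaximum                  = ($enableLua -eq 1 -and $adminMode -eq 2 -and $secureDesk -eq 1)
    }
}

function Get-FirewallProfileState {
    # netsh exists on every Windows version discussed in the thread; Get-NetFirewallProfile
    # needs Windows 8 / Server 2012 or later. Output parsing assumes an English locale.
    $out = netsh advfirewall show allprofiles state
    $profile = $null
    foreach ($line in $out) {
        if ($line -match '^(\w+) Profile Settings:') { $profile = $Matches[1]; continue }
        if ($profile -and $line -match '^State\s+(ON|OFF)') {
            [pscustomobject]@{ Profile = $profile; State = $Matches[1] }
            $profile = $null
        }
    }
}

function Get-SecurityServiceState {
    # wuauserv = Windows Update, MpsSvc = Windows Firewall, VSS = shadow copies used by System Restore.
    # Get-WmiObject is used for StartMode because Get-Service only exposes StartType on PowerShell 5+.
    foreach ($name in 'wuauserv', 'MpsSvc', 'VSS') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) {
            $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
            [pscustomobject]@{ Service = $name; DisplayName = $svc.DisplayName; Status = $svc.Status; StartMode = $wmi.StartMode }
        }
    }
}

Get-UacPosture | Format-List
Get-FirewallProfileState | Format-Table -AutoSize
Get-SecurityServiceState | Format-Table -AutoSize
```

Run it from an ordinary PowerShell prompt; a result of `AtMaximum : False` with `SliderLevel` reading "Default" is the "one step shy of maximum" state the thread refers to, and any profile reporting `OFF` or `wuauserv` with `StartMode : Disabled` corresponds directly to items on the list above.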
 
Setting UAC to its highest level is simply too inconvenient for most people though. MS also state that UAC isn't a security application, but rather a means to get certain developers to finally make their applications LUA compliant. It helps prevent the spread of malware but it shouldn't be considered as a first line of defence.
Nobody said it was a first line of defense. Windows security policies are though. UAC is simply a UI tool that allows LUA as a security policy to be used on a daily basis.

Autoruns just offers a means to disable something from running on your system, but this is after the horse has bolted. Patching is of course a must, but you'd hope to be reasonably patched up prior to getting anything, not after the event.
Autoruns does a fine job at removing malware that has partially infected without admin rights. E.g. HKCU's Run and RunOnce.

Unfortunately there's a steadily growing number of malware that simply turn UAC off regardless of what level it's set to. If you don't have a decent antivirus running then you increase the chance of coming unstuck sooner rather than later it would seem.
No there isn't. Provide proof for your claims. Privilege escalation exploits on Windows are very rare and when they do occur Microsoft patches them quickly.

Here's a growing list of UAC related malware (and this is from Microsoft so I'm sure there's plenty more besides) : http://www.microsoft.com/security/p...wall=False&CBF=False&sortby=date&sortdir=desc
UAC related because every single one of them states a mitigation technique of ensuring UAC is enabled. :D Always check your background material supports your claims.

They do however seem to say the following in regards to malware prevention...

Install antivirus and antispyware programs from a trusted source, update software regularly, use strong passwords and keep them secret, never turn off your firewall and use flash drives cautiously.
Source : http://www.microsoft.com/en-gb/security/pc-security/protect-pc.aspx

I think I'll be sticking to my layered snake oil approach for the foreseeable future ;)
Terrible quality post.
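The reply above names the HKCU Run and RunOnce keys as the place malware ends up when it never obtained admin rights, and Autoruns as the tool for reviewing them. As an added example, not code from Autoruns or from anyone in this thread, the following PowerShell script enumerates the per-user and per-machine Run/RunOnce keys and flags entries whose executable sits in a user-writable directory or lacks a valid Authenticode signature, which is the triage an Autoruns user does by eye. The list of user-writable directories and the path-extraction heuristic are assumptions of this example; on 64-bit Windows the Wow6432Node Run key is a further location worth adding.

```powershell
# Added example (not from the thread): Autoruns-style review of the Logon registry keys.
# Read-only; HKLM keys are readable without elevation.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an unprivileged process can normally write to (assumption for this example).
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE,
                  "$env:SystemDrive\ProgramData", "$env:SystemRoot\Temp") | Where-Object { $_ }

function Get-ImagePath {
    param([string]$Command)
    # Recover the executable from a command line such as:  "C:\a b\x.exe" /flag   or   C:\a b\x.exe /flag
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.(exe|com|bat|cmd|vbs|js|ps1|scr|dll))(\s|$)') { return $Matches[1] }
    return ($Command -split '\s+')[0]   # heuristic fallback for anything else
}

function Test-UserWritable {
    param([string]$Path)
    foreach ($dir in $userWritable) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-LogonAutostarts {
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }   # RunOnce is frequently absent
        foreach ($name in $item.GetValueNames()) {
            $cmd    = [string]$item.GetValue($name)
            $exe    = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $cmd))
            $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            # Signature check only where the file is present; 'Valid' is the only clean status.
            $unsigned = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid' } else { $null }
            [pscustomobject]@{
                Key          = $key
                Name         = $name
                Command      = $cmd
                ImagePath    = $exe
                Exists       = $exists
                UserWritable = (Test-UserWritable $exe)
                Unsigned     = $unsigned
            }
        }
    }
}

# Suspicious entries first: user-writable image paths, then unsigned binaries.
Get-LogonAutostarts |
    Sort-Object @{Expression='UserWritable'; Descending=$true}, @{Expression='Unsigned'; Descending=$true} |
    Format-Table Name, ImagePath, UserWritable, Unsigned, Exists -AutoSize
```

An entry under HKCU whose image lives under AppData or Temp and has no valid signature is exactly the kind of persistence the reply describes; an entry whose image no longer exists is a leftover from a removal and can be cleaned up. Legitimate updaters also live in AppData, so the flags are a prompt for inspection rather than a verdict.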
 
No there isn't. Provide proof for your claims. Privilege escalation exploits on Windows are very rare and when they do occur Microsoft patches them quickly.

"While UAC avoidance continues as a tactic, the Microsoft Malware Protection Center has found more and more malware opening a new front and turning UAC off itself. Malware does this to prevent users from seeing UAC prompts on every reboot for their payloads. The Sality virus family, Alureon rootkits, Rogue antivirus like FakePAV, Autorun worms, and the Bancos banking Trojans all have variants turning UAC off. So many are doing this that Microsoft Security Essentials, Windows Intune, and Forefront Endpoint Protection now uses behaviour monitoring to find software that manipulates UAC settings, and the MMPC is finding brand new malware disabling UAC regularly."

Source : http://blogs.technet.com/themes/blo...=uac-plays-defense-against-malware&GroupKeys=

Other reading should include the variants of the Carberp trojan, the ZeuS toolkit and Metasploit to name but a few.
 
This debate about malware bypassing UAC is almost entirely academic. If I was writing malware, I wouldn't waste my time trying to find a short-lived exploit to bypass UAC. What's the point when a large proportion of users effectively bypass it themselves by clicking 'yes' to any UAC prompt which comes up, just to get rid of it? (I know UAC isn't supposed to be a security measure. But in the real world, that is exactly how it acts.)

Security, as much as anything else, is about protecting the user from himself. Security policies help in that respect, but are mostly of relevance to corporate and organisational environments rather than home ones. There needs to be something more. AV ain't perfect, but in this respect it's the best solution we have.
 
"While UAC avoidance continues as a tactic, the Microsoft Malware Protection Center has found more and more malware opening a new front and turning UAC off itself. Malware does this to prevent users from seeing UAC prompts on every reboot for their payloads. The Sality virus family, Alureon rootkits, Rogue antivirus like FakePAV, Autorun worms, and the Bancos banking Trojans all have variants turning UAC off. So many are doing this that Microsoft Security Essentials, Windows Intune, and Forefront Endpoint Protection now uses behaviour monitoring to find software that manipulates UAC settings, and the MMPC is finding brand new malware disabling UAC regularly."

Source : http://blogs.technet.com/themes/blo...=uac-plays-defense-against-malware&GroupKeys=

Other reading should include the variants of the Carberp trojan, the ZeuS toolkit and Metasploit to name but a few.

You really, no really, need to check your articles before referencing them as proof for your ridiculous claims.

The key factor here is that for malware to successfully turn UAC off, the malware must itself be elevated to run as administrator. This elevation either requires an exploit in a service with administrator access, UAC to already be turned off, or a user clicking "OK" on a UAC prompt to allow the malware to elevate. Unfortunately, many Windows users have disabled UAC. While malware was mostly avoiding UAC altogether, legitimate software was also being rewritten to not require elevation prompts, so there are fewer UAC prompts than ever to wrangle, which should make it easier to spot any suspicious activity.

It's below the very paragraph you quoted so how can you miss it? You've picked the wrong person to argue this point with really.
 