
SANS ISC: Protecting Your Family's Computers - SANS Internet Storm Center SANS ISC InfoSec Forums


Protecting Your Family's Computers

If your family members are anything like mine, by default you wind up being the tech support for your entire family just because you are the “techie” guy (or gal) in the family.  A number of years ago I became frustrated by how often this role became a malware removal or rebuild role. Although there are no silver bullets to prevent a computer from being infected, I came up with a standard configuration that I apply to all of my family’s computers to substantially reduce the likelihood of a serious infection.  I have continually tweaked it over the years, but here is my current standard build:

Malware Protection

Antivirus is rapidly becoming irrelevant in the current malware world; however, I don’t think I am willing to go without it yet. There are several free antiviruses available, and I have tried most of them, but the last few years Microsoft Security Essentials is the one I usually install for family use. I don’t know if it is any more effective than the alternatives, but it seems to do the job, and it doesn’t expire regularly and leave the machine unprotected. Don’t forget to uninstall the antivirus trial software that comes on nearly every computer. Two antiviruses running on the same computer rarely get along.

Safe Browsing

I have long run out of patience with Internet Explorer.  For family computers I give them a choice between Firefox or Chrome.  My family are not technical people.  They don’t have the knowledge to judge a good link from a malicious one. I have looked at numerous extensions to reduce the likelihood they will get infected while surfing the Internet.  In the end I settled on only two:  Web of Trust (WOT) and Adblock Plus.  I install Web of Trust (WOT) so at least if they try to go to a bad site they will get a warning. I install Adblock Plus to reduce the likelihood of infection from a malicious ad. It also has the added advantage of speeding up the browser experience for some sites.

I used to install NoScript, but found it was too complicated for my average family member. I have also been experimenting with SSL Everywhere. I haven’t added it to the toolkit yet, but I probably will in the near future.

Up to date applications

The last tool in the box is Secunia Personal Software Inspector (PSI). PSI is the free, for non-commercial home use, version of Corporate Software Inspector (CSI). Its function is to scan the computer for what software is installed and to keep most of the software up to date. Although PSI will automatically keep most software up to date, some software will require manual intervention to stay up to date so you may need to train your family a bit to handle those instances.

So that is my toolkit.   I am always looking for improvements.  What is in yours?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

290 Posts
ISC Handler
I also use AdBlock Plus (which is now available for Chrome and IE as well), which has anti-malware and privacy subscriptions in addition to the traditional ad blocking subscription.

For up-to-date software I used to use Secunia PSI, but now I use Ninite. I have a Ninite Pro subscription, which can silently update programs and disable the annoying auto-updaters for other programs like Java (curse you Minecraft), but the free version can also work... just not silently. Create the installer, and put it in the Startup folder. Ninite also makes bundled toolbars etc. a non-issue.

Finally, I use OpenDNS FamilyShield or an OpenDNS registered account plus the OpenDNS Dynamic IP Updater Client for DNS-based filtering.
Anonymous
" Microsoft Security Essentials is the one I usually install for family use."

I have cleaned more PCs with this product than with any others; it constantly scores low on protection from independent organizations, sadly even Wiki gave :( . For those that do not want to pay cents a year for data protection: Avira, AVG, Comodo. Qualys to check the bad dogs, browser plugins, Java and yes.. No Script. Just my .02 worth.

More on MSE http://www.fixedbyvonnie.com/2013/10/microsoft-admits-security-essentials-will-always-be-on-the-bottom/
ICI2Eye

52 Posts
The thing that has saved the day more than anything else for me is automatic nightly backups to my local backup server. No off-site over-the-internet backups for us! Too much time, too much bandwidth, and lately, too much government snooping! I backup every night, every file on every machine connected to my network, to a local raid array. This has provided the easy means to nuke and reload whenever a windoze box has been compromised. Yes, I use Avira, and the local mail server uses clamav, and everything is firewalled by an external device, but nuke and restore is easy if you have ready access to a current backup on your local network. Restoration is fast and secure. With local copies of every filesystem every night, you can go back in time until you find an uncompromised copy if that is needed.
Moriah

133 Posts
I just have them install Linux Mint and problems are solved. No more viruses after that.
Moriah
6 Posts
I would suggest using either Parental Controls or Software Restriction Policy for application whitelisting. Blocking the execution of exploit payloads and user-launched malware by default is a game-changer. For those interested, I have a guide at mechbgon dot com/srp that covers setup.

IE is actually not bad these days; I'd certainly choose it or else Chrome over Firefox for mitigation tech. Enabling ActiveX filtering and adding some of its tracking-protection lists would also be worthwhile, although users will need a primer on how to enable ActiveX features on sites that legitimately require them.

Other than that, Secunia PSI is a must-have, and simply uninstalling all unnecessary software and particularly Java.
Moriah
12 Posts
I'd suggest installing NoScript plug in nevertheless and configure it to always allow JS but block all the other things (nearly default settings). So it is an additional protection w/o the hassle for non-technical users. Works well.
gebhard

7 Posts
Reading through these responses one thing seems to stand out.. NO SCRIPT since we know the Grand Canyon holes in Oracle/Java continues to deliver. What should be of concern to all of us, one of the "brain trusts" that have been summoned to Washington for fixing website everyone will eventually have to visit is Oracle, and since they make solid products like Java, I am sure we are all in "good open hands" :rolleyes: Like the author of this piece, I had WOT, Ghostery, ADP, HTTPS Everywhere but then it became user not friendly, patches then came.. DAD!?? And this is not the real problem facing us, but mobility! May the digi-gods shine on us all.
ICI2Eye

52 Posts
Hi,
For free URL filtering, I use the good K9 Bluecoat
and Immunet Sourcefire for antimalware protection.
Enabling more windows audit logs and using nxlog.
Best Regards
@Rmkml
Rmkml

11 Posts
EMET is also a good free underlying protection that I usually install.
I also tend to use non-persistent VMs for banking.
Rmkml
6 Posts
In addition to AV, I have my family set up with host based ad-blocking - someonewhocares.org and mvps/hosts. I also install heimdal agent, and privacywares private firewall. Using host based blocking has been a most effective measure to keep my family from badness after they have clicked a dodgy link.
Rmkml
1 Posts
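An added example, not part of the original comment: before third-party hosts lists like the ones named above are merged into the system hosts file, each entry can be checked to confirm that it blocks a name rather than pointing it at some other machine. The function names and the sample entries are constructed for illustration.

```python
import ipaddress

# Addresses a blocklist entry may point at (sinkholes), in canonical form.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# System names that belong in a hosts file but are not block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def audit_hosts(text):
    """Return (blocked, suspicious) for third-party hosts-file text.

    blocked: sorted hostnames mapped to a sink address.
    suspicious: (line_no, reason, raw_line) tuples needing manual review.
    """
    blocked, suspicious = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            suspicious.append((no, "not an IP address", raw))
            continue
        names = [n.lower().rstrip(".") for n in fields[1:]]
        names = [n for n in names if n not in LOCAL_NAMES]
        if not names:
            continue  # system entry such as "127.0.0.1 localhost"
        if str(ip) not in SINK_ADDRS:
            # The entry would resolve the name to another host, not block it.
            suspicious.append((no, "redirects to non-sink address", raw))
            continue
        blocked.update(names)
    return sorted(blocked), suspicious

def render(blocked):
    """Emit normalized, de-duplicated entries that all point at 0.0.0.0."""
    return "\n".join(f"0.0.0.0 {name}" for name in blocked)

# Constructed sample input (not taken from any real list).
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org  # inline comment
0.0.0.0 Ads.Example.net
203.0.113.7 login.bank.example
not-an-ip popup.example.com
"""

if __name__ == "__main__":
    ok, review = audit_hosts(SAMPLE)
    print(render(ok))
    print(review)
```

Only the output of `render()` should be appended to the hosts file; anything returned in the review list is left out until someone has looked at it.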
MSE is the current AV choice, looking into others though since MS seems to be letting it flounder. As much as I'd like to dump them; JAVA, Flash, and IE have to stay. There are still too many necessary sites requiring them. Secunia PSI is worth looking into again, maybe the previously mentioned Ninite.

I insist on setting up non-privileged accounts for regular use. Each person has their own account. For a shared home computer this eliminates complaints of changed backgrounds or other preferences. Additionally, the built-in parental controls rely on separate accounts. Unfortunately, each child's account is administered separately. Blacklisting NSFW or NSFchildren has to be done for each account.
G.Scott H.

48 Posts
My recipe:

- DNS: Reconfigure with OpenDNS on router and/or PCs.
- AV: When I may never touch the PC again, MSE; if it's a system I'll be seeing more regularly Avast! (yearly re-registration required)
- Second Opinion AV: install HitManPro and configure for startup scans
- Hardening: EMET 4.0 and import the "popular software" profile
- User Accounts: Different password protected profile for each user; limited users whenever possible, especially for kids.
- Windows Update: configure to run at a time the computer is likely to be powered-on, i.e. 8pm.
- FileHippo Updater: check 3rd party apps for updates
- LogMeIn Free / TeamViewer: pre-emptively install it for the next time they run into trouble...

Not perfect, but seems to work pretty well.
G.Scott H.
3 Posts
