Author Topic: Microsoft Windows and Security Considerations  (Read 10585 times)

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: Microsoft Windows and Security Considerations
« Reply #30 on: June 26, 2021, 12:34:35 AM »

Having a gaming PC you honestly have to throw caution to the wind.

When Ubisoft's launcher updates, it asks THREE TIMES for Administrator privileges. God only knows what it's doing, and that's just one example.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

NEXUS2345

  • Reg Member
  • ***
  • Posts: 235
Re: Microsoft Windows and Security Considerations
« Reply #31 on: July 06, 2021, 11:27:19 AM »

In my experience, if a user wants to secure their PC more than standard, they can purchase a Pro license for Windows and stick the Microsoft security baselines on it, then create separate admin and standard users for admin and daily use respectively. This should provide more than enough security against the average threat of today. In truth, consumers and even businesses are vastly more exposed to things like phishing emails and malicious websites than they are to malicious executables in this day and age.

Especially in terms of businesses, the most common thing I see working as a security professional is attackers exploiting exposed RDP instances with no 2FA. I think that is probably 50-60% of the jobs we see coming in. For some context, I work for a very large cyber security consultancy based in the UK as a security improvement and remediation consultant.

I would urge people to have a read of this article from Kevin Beaumont (https://doublepulsar.com/the-hard-truth-about-ransomware-we-arent-prepared-it-s-a-battle-with-new-rules-and-it-hasn-t-a93ad3030a54) as it by far and away explains why security still isn't improving over time.

But anyway, in terms of security on Windows 10, the base installation is still significantly more secure than a base installation of Windows 7 thanks to a number of features introduced with Windows 10. The security baselines from Microsoft shore this up significantly and make it much harder for network-based attacks to be used. The final pillar is protection against malicious executables and similar attacks, which I will say that Microsoft Defender tends to do an extremely good job at these days, as do most of the anti-malware products available from other vendors. I also recommend that the extremely security-conscious who are worried about zero-day vulnerabilities look at a solution called 0patch, which provides micro-patches to quickly fix major vulnerabilities, including the recently disclosed "PrintNightmare" vulnerability.
Security improvement and remediation consultant with infrastructure specialisation

IDNet Openreach FTTP 1000/115 + Asus RT-AX92U | Virgin Media 200 + SuperHub 3 + Synology MR2200ac mesh | Sky 80/20 with WiFi Guarantee on Huawei 288 cabinet
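An added example (editor's code, not from NEXUS2345's post or any Microsoft baseline) of the account split described above on a standalone Windows 10/11 machine, followed by a read-only check of the exposed-RDP condition the post describes. The account names are placeholders; the firewall check assumes the default RDP listener on TCP 3389 and uses only the built-in LocalAccounts and NetSecurity cmdlets.

```powershell
# Added example, not code from the post. Run in an elevated PowerShell on the machine
# being set up. $DailyUser and $AdminUser are placeholder names.
#Requires -RunAsAdministrator

$DailyUser = 'alice'         # assumed: the account used for everyday work (standard user)
$AdminUser = 'alice-admin'   # assumed: the account used only when elevation is needed

function New-SplitAccounts {
    param([string]$Daily, [string]$Admin)

    # Passwords are read interactively so nothing sensitive is stored in the script.
    $dailyPw = Read-Host -AsSecureString "Password for $Daily (daily use)"
    $adminPw = Read-Host -AsSecureString "Password for $Admin (administration only)"

    if (-not (Get-LocalUser -Name $Daily -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Daily -Password $dailyPw -FullName 'Daily account' `
            -Description 'Standard user for everyday work' | Out-Null
        # New-LocalUser does not put the account in Users; add it so it can log on.
        Add-LocalGroupMember -Group 'Users' -Member $Daily
    }
    if (-not (Get-LocalUser -Name $Admin -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Admin -Password $adminPw -FullName 'Admin account' `
            -Description 'Used only for UAC elevation and system changes' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $Admin
    }

    # The first account created by Windows Setup is an administrator. If the daily
    # account was converted from it, drop it from Administrators so UAC asks for the
    # admin account's credentials instead of a bare "Yes".
    $stillAdmin = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -like "*\$Daily" }
    if ($stillAdmin) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Daily
    }
}

function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is enabled;
    # UserAuthentication = 1 means NLA is required before a session is created.
    $rdpOn = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla   = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1

    # Enabled inbound allow rules for the default RDP port that accept any remote address.
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            (($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389') -and
            (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
        } | ForEach-Object { $_.DisplayName }

    # Windows has no built-in second factor for RDP. If it must stay on, restrict the
    # rule's RemoteAddress to a VPN or management range and keep NLA on.
    $advice = if ($rdpOn -and @($rules).Count -gt 0) {
        'RDP reachable from any address: restrict RemoteAddress or disable RDP'
    } else {
        'No open RDP allow rule found'
    }

    [pscustomobject]@{
        RdpEnabled       = $rdpOn
        NlaRequired      = $nla
        OpenRdpRuleNames = @($rules)
        Advice           = $advice
    }
}

New-SplitAccounts -Daily $DailyUser -Admin $AdminUser
Get-RdpExposure | Format-List
```

After running this, log on as the daily account for everyday use; anything that needs elevation will prompt for the admin account's credentials through UAC rather than a one-click "Yes".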

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Microsoft Windows and Security Considerations
« Reply #32 on: July 06, 2021, 10:52:43 PM »

Ultimately it comes down to a few things.

Most people have the mindset that as long as you keep Windows patched and have some form of anti-malware on your PC, then you are golden.

But the reality is the most dangerous malware is the kind that spreads before a patch is published, otherwise known as 0day malware. Many anti-virus solutions likewise struggle with 0day: they may be good at finding older malware, but struggle with malware that is fresh out of the door.

The better way is to have the OS in a more secure configuration out of the box. One big step towards that is to stop using admin accounts by default; this was originally Microsoft's plan when UAC got introduced, but for whatever reason it never came to fruition, and here we are many years later still not using LUAs by default.

The Windows firewall allows applications that don't even have elevated permissions to add rules to it, as well as being by default in a fairly open configuration.

PowerShell ships in an open configuration.

Windows still uses the insecure-by-nature svchost and rundll.

AppLocker is still not activated on consumer versions of Windows.

Defender's protected folder feature has an internal whitelist which cannot be disabled; likewise UAC by default has an internal whitelist, however it can be disabled.

Most of these flaws exist because Windows is still built for end-user convenience, and also market segmentation, as some features are deemed enterprise-only. One of the new features that will be enabled by default in Windows 11 was originally enterprise-only, but Microsoft have been gradually moving it over to consumer.

Chrome has me concerned as well; what the browser is capable of is scary. If you look into its permissions system, it allows websites to hook directly into cameras, microphones, USB devices, the filesystem, a virtual filesystem, the Windows Installer API and more. All exploits waiting to happen. Essentially Google have built an OS into Chrome, as a substitute for taking over the PC OS market.
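An added, read-only audit (editor's example, not code from Chrysalis or from Microsoft) that checks the default-configuration points listed in the post above on a Windows 10/11 machine: whether the session is an administrator, the firewall's per-profile defaults and how many inbound allow rules accept any remote address, the effective PowerShell execution policy and script block logging, whether any AppLocker rule collection is actually enforced, the Controlled Folder Access state, and the UAC registry values (including the "Always notify" level at which auto-elevation of allow-listed Windows binaries is off). The thresholds it reports against are the editor's assumptions, stricter than the shipped defaults, not baseline values from any vendor document.

```powershell
# Added example, not code from the post. Read-only; run elevated so every query works.
function Test-WindowsDefaults {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. LUA: everyday work should not happen in an administrator session.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($isAdmin) { $findings.Add('Session is an administrator; daily use should run as a standard user') }

    # 2. Firewall defaults per profile. Windows ships inbound Block / outbound Allow.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -eq 'False') { $findings.Add("Firewall profile $($p.Name) is disabled") }
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings.Add("Profile $($p.Name): inbound default is $($p.DefaultInboundAction), expected Block")
        }
        if ($p.DefaultOutboundAction -ne 'Block') {
            $findings.Add("Profile $($p.Name): all outbound allowed by default (tighten only if you can maintain an allow list)")
        }
    }
    # The "fairly open" part: enabled inbound allow rules reachable from any address.
    $openRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    $findings.Add("Info: $(@($openRules).Count) enabled inbound allow rules accept any remote address; review them with Get-NetFirewallRule")

    # 3. PowerShell. Execution policy is a speed bump, not a security boundary
    #    (-ExecutionPolicy Bypass defeats it), so also check script block logging for visibility.
    $policy = Get-ExecutionPolicy
    if ($policy -in @('Unrestricted', 'Bypass')) { $findings.Add("Effective execution policy is $policy") }
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
        -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) { $findings.Add('PowerShell script block logging is not enabled') }

    # 4. AppLocker. Consumer editions have no enforced policy and may lack the cmdlet
    #    entirely, so a failure here is treated as "nothing enforced".
    $enforced = @()
    try {
        $enforced = (Get-AppLockerPolicy -Effective -ErrorAction Stop).RuleCollections |
            Where-Object { $_.EnforcementMode -eq 'Enabled' } |
            ForEach-Object { $_.RuleCollectionType }
    } catch { }
    if (@($enforced).Count -eq 0) { $findings.Add('No AppLocker rule collection is in enforce mode') }

    # 5. Controlled Folder Access (Defender): 0 = off, 1 = block, 2 = audit only.
    $cfa = (Get-MpPreference).EnableControlledFolderAccess
    if ($cfa -ne 1) { $findings.Add("Controlled Folder Access is not in block mode (value $cfa)") }

    # 6. UAC. ConsentPromptBehaviorAdmin = 2 is "Always notify", the only level at which
    #    auto-elevation of allow-listed Windows binaries is switched off.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1) { $findings.Add('UAC (EnableLUA) is disabled') }
    if ($uac.ConsentPromptBehaviorAdmin -ne 2) {
        $findings.Add("UAC level $($uac.ConsentPromptBehaviorAdmin): auto-elevation still allowed; set ConsentPromptBehaviorAdmin=2 for Always notify")
    }
    if ($uac.PromptOnSecureDesktop -ne 1) { $findings.Add('UAC prompts are not shown on the secure desktop') }

    [pscustomobject]@{ FindingCount = $findings.Count; Findings = $findings.ToArray() }
}

Test-WindowsDefaults | Format-List
```

The script changes nothing; each finding names the setting to adjust. The outbound-default and open-rule items are informational, since blocking outbound by default or pruning inbound rules breaks software unless someone maintains the allow list.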

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Microsoft Windows and Security Considerations
« Reply #33 on: July 10, 2021, 08:40:25 AM »

To put my earlier posts in context: what you do with hardening your own machine is one thing; hardening a machine that will be abused by possibly witless employees of your customer is another. I worked as a sysadmin and security consultant for about eight years, and developed hardened configurations and installation tools for customers. I also used a very similar hardened configuration myself, and I never logged into my own machines as an administrator unless absolutely necessary, e.g. for making system changes.

Some horrible apps had to be tweaked to make them run under a standard user account with no admin privileges. Where such horrid apps had to be used but really wouldn’t run under a standard user account despite my best app-hacking efforts, I set them up to be run inside a VM, thus making the customer happy that using the essential app was possible and no security compromise was made.

I really do recommend this tip. Any apps that you don’t trust or which won’t run under a standard user account, use them in a VM.

A lot of my earlier post should have been qualified as being from a context that is now very out of date, because I have been retired due to ill health for ten years, and of course so much has changed since then that it might as well be the stone age, but the core best practices are still very much worth adopting, while in some cases more modern techniques may have supplanted the old advice given earlier.