Here I’m documenting the methods and software I personally use to protect my Windows 7, 8.1, and 10 systems from malware, while also accomplishing good privacy and excellent system stability and performance. I’ll update this thread as I think of things to add to it. It’s a necessarily complex subject, because security in today’s world is just that way.
Update: I have applied this strategy to Windows 10 Creator’s Update and it works.
My uses for Windows are primarily for serious computing – content and software development – and business management (I run a small software engineering business). I don’t game. As a software engineer I have always had a strong interest in making Windows into all it can be since its first releases, and that includes improving on the out-of-box security landscape.
I balance the effort I’m willing to expend against what I do to keep secure. You may not choose the same balance. I do try to minimize the work I have to do to maintain a secure setup.
In overview:
- I try to be smart about what I do online.
- I’m careful about what software I run.
- I shun cloud integration, preferring local and more “traditional” desktop computing.
- I have a lot of layers of “watch-my-back” protection implemented, including the following. Some of these are beyond the typical, “traditional” layers:
- Connecting the systems on my LAN to the Internet through a router
- Blocking a big list of online servers from being contacted
- Reconfiguring my web browser to minimize exposure
- Running a deny-by-default 3rd party firewall package
- Running updated anti-malware software
- Doing good backups often
- I run high reliability hardware.
- I do daily backups and I could restore to bare metal if need be.
I’m not here to suggest you do what I do. If you read this and become a little more educated, and maybe do just some of these things if you aren’t already, I believe you may benefit.
I can assure you that what I do works – markedly better than an out-of-box Windows setup. And it protects even our non-Windows systems. It doesn’t unreasonably limit what I can do, and isn’t difficult to keep up.
I’ll go into some detail…
Think First
————————-
First and foremost, always just think about what you’re doing. Avoid doing risky things if the integrity of your computing environment and your data are important to you.
Treat software from every source with suspicion, and web sites with contempt. The authors all want something from you. In the simplest case they would like you to find value in their software and possibly pay them (donate, buy). In more complex cases they seek to deliver ads or even malware to your system, at your expense.
If a deal on a piece of software seems to be too good to be true, it probably is. Raise your suspicion even higher.
Check out the software you’re considering downloading and running. Look online for others’ comments about it. Look at reviews. Read forum posts, and ask on forums with people you respect. Use online services like virustotal.com to check the site or software before downloading or running it.
Set up a virtual machine (which can be easily discarded or reverted) for first testing software you don’t feel comfortable installing on your critical system. I use VMware Workstation Pro – a commercial product that’s well worth a few hundred bucks. However, there are less expensive alternatives, both from VMware and others.
Summary: Use common sense. Hoping you don’t get malware is not a strategy.
A Well-Configured NAT/Home Router
———————————————————————-
Having a well-setup “home” router at your connection to the Internet provides a tremendous security boost insofar as Network Address Translation-based routing – i.e., which isolates the systems on your LAN (Local Area Network) from the addressing of the WAN (Wide Area Network) – will block all incoming attempts to connect to your systems (note that this doesn’t account for IPv6 tunneling, which I cover below).
It’s a bit like putting a one-way valve between your system(s) and the world. Your computer or device on the LAN can connect out (and get responses back), but hackers, bots, etc. can’t connect in to your computer and try to break in. A really good example is that, unless configured to do so, such a router won’t allow an attempt to exploit bugs in the SMB interface (port 445), such as the current NSA-leaked DoublePulsar exploit might try to do.
I’ve made sure that the following router “features” are tweaked in my Cisco router:
- I changed the default network name and admin password!
- Remote administration is disabled – i.e., there is no ability to connect from the WAN and control the router.
- ICMP responses are blocked, meaning no one can discover my router is even there with ping.
- Features, such as Dynamic DNS, which I don’t need are disabled.
The idea is to ensure external systems cannot initiate connections with your systems, and that your presence on the Wide Area Network is as stealthy as possible. Go through every setting, and if you don’t understand what it does, do some research and/or ask questions. Those features are there for your benefit, and it’s not a given that you need every bell and whistle enabled to get the most secure experience out of your gear.
Site and Domain Blacklisting
————————————————————-
Central to my philosophy of “an ounce of prevention is worth a pound of cure”, I have taken steps to prevent my systems from ever contacting online servers known to deliver bad things.
You might ask: Known how? You’d be surprised how much good information on that subject is available freely online.
Allowing online software to be brought into your system and run without your vetting it first is a risky thing. Blacklisting seeks to prevent your system from ever loading software from sites known to serve ads or malware, or which seek to track you – it’s as simple as that. And it’s very effective! Benefits include a faster browsing experience and protection against software other than a browser contacting a bad site.
I do blacklisting several ways:
- I use the system’s hosts file to resolve a list of sites to 0.0.0.0, which essentially aborts communications attempts with the blacklisted systems immediately, without your system ever going to the network.
- I run DNS proxy server software package called “Dual DHCP DNS Server” with a local database of sites that are not to be resolved. Only those DNS requests not resolved by the blacklist are sent on to an online OpenDNS server.
- I use a well-managed online DNS server (OpenDNS), which itself refuses to resolve bad site names into addresses. DNS server addresses: 208.67.222.222 and 208.67.220.220
- For general browsing, I’ve switched to a not-quite-mainstream browser, Pale Moon. I have installed only two (great) add-ons: uBlock Origin, which I have set to use a large set of online blacklists, and uMatrix, which by default disallows many web components (like scripts) from being run from sites other than the one actually being visited. It’s amazing how many things web designers try to get your browser to do that you don’t want it doing.
Key to items 1 and 2 above is that I run a scheduled process that every day gathers blacklist data from a number of very good online sources and compiles it into lists suitable for use as a hosts file and input to the DNS proxy server. The online sources I have chosen manage their blacklists very well, with goals that align well with mine, and get this: The lists are free for personal use. My blacklist strategy keeps itself up to date daily. New sites are added and sites that are no longer threatening are removed almost every day.
For item 1 I have a script that updates the local PC’s hosts file per the online sources called HostsCompiler.bat. It and all attendant command line filters it needs from the GnuWin32 toolkit can be found here.
For item 2 I use a software package called Dual DHCP DNS Server (just the DNS part) running on a Windows 7 system I have on my LAN, which is on 24/7. It’s an open source package, which I have modified to expand the wildcard list capacity and built for 64 bits. I have my router supply its LAN address to every system on the LAN via DHCP, so every system gets my blacklist’s protection. My PCs all avoid visiting sites that deliver ads and malware or seek to track, as do iPad, Apple TV, Android phone, etc. devices that connect to our wifi.
I wrote a script that updates two configuration files (individual servers and wildcarded specs) for the Dual Server package called DNSListCompiler.bat. It and all attendant command line filters can be found here.
Why have both a hosts file and DNS blacklisting? Each of the files has a section at the beginning that you can manage manually. It’s not hard to imagine wanting to block more specific things in a given hosts file than are blacklisted LAN-wide with the DNS proxy software. And it never hurts to have multiple layers of protection.
I can’t stress enough how well-managed the free online lists are, and yet they are resources fairly few folks know about.
Communications Blocking via Firewall
———————————————————————-
Beyond the blacklisting listed above, what if a program has a built-in IP address, or a program you don’t want communicating online tries to contact a known server (*cough* telemetry *cough* privacy invasion)?
This is where good firewall software comes into play. In my case I use the 3rd party Sphinx Windows Firewall Control package Network/Cloud Edition. Why not use the Windows Firewall? Beyond the user interface being poor for developing and managing a complex configuration, I avoid it because Microsoft inserts secret, hidden rules into it. No thanks. And the Sphinx firewall in particular has one extraordinary feature: It works by name in an ongoing way, meaning that if you want to block xyzzy.com you need not worry about what addresses that site resolves into now or in the future. The firewall software takes care of name to address management for you.
Sphinx is a fully rigorous and capable commercial firewall package that uses the underlying Windows Base Filtering Engine, and can be set up to match a philosophical goal of mine: Allow no communications that have not been previously approved. To this end, I’ve developed custom configurations that I would call deny-by-default, but with rich sets of exceptions to allow some things that one expects to communicate online, like web browsing and security certificate management.
It’s the first firewall package I’ve run across that can provide the sophisticated level of control over communications that I want (“deny by default”) without bringing on a monstrous maintenance headache. Once set up I’ve got it to be almost “set it and forget it”. Pretty much, changes are only needed when I install new software.
One key thing I do is to have the firewall normally set up to block communications with Windows Update servers. That way even if the Windows Update process gets started it cannot get data to update the system. I absolutely require that to be under my control, and to allow my system to get updates I have to reconfigure the zone I have assigned to the svchost.exe process to allow updates. Then when I’m done checking or installing updates I configure it back. In practice this doesn’t take very long.
The firewall comes with a reasonable default configuration. However, I did it over completely (call me a control aficionado). Some time ago I published my preferred configurations for Windows 7, 8.1, and 10 online. I haven’t changed them much since. These could serve as examples for others to build upon when customizing their own Sphinx firewall configurations.
Or you could start from scratch, as I did. There’s some trial and error, but if you’re not impatient you could learn a lot about what software is communicating with what servers.
I’ve published more here on AskWoody about my use of the Sphinx firewall here:
https://www.askwoody.com/2016/sphinx-windows-firewall-control/
Browser Reconfiguration to Make It More Restrictive
———————————————————————————————
In my opinion, Internet Explorer has one of the most configurable and powerful security models. Incredibly, it’s set up by Microsoft to be overly permissive! For that reason it has gotten a bad name, but actually can be well locked-down so that it won’t run dangerous active content from just any old site online in the Internet Zone.
This ability to lock it down is central to my browsing strategy.
And yes, I know IE is destined to be deprecated. However, it’ll be supported through the life of my chosen Win 8.1 OS, which should be good until 2023 or so.
I have specifically configured Internet Explorer to disallow almost everything active from the Internet Zone, which is where sites you haven’t chosen to be in another zone reside. This includes NOT allowing ActiveX controls to run, NOT allowing scripts to do fancy things (but it does allow minimal scripting), and disabling many of the dozens of other features. I’ve published a list of screen grabs showing my preferred settings here:
https://www.askwoody.com/forums/topic/secure-attention-sequence/#post-95567
I also run almost no Add-ons, and I even disable most of the ones set up by Microsoft out of the box.
All this blacklisting and browser de-configuration and you’d think my browsing experience would be stunted, right? But no, I can get to the content I want – just without the ads and malware. I am able to watch videos on YouTube, download software, read forums and articles, search for things with Google…
You may choose to use a different browser. That’s fine; most of the others can also be set up to avoid running software from sites online either by settings or plug-ins (e.g., that block Flash from running without specific approval).
What is the result of all of the above in combination on my browsing experience? No ads, no malware, no tracking, and faster loading of just the content from web pages I really want to see!
Leveraging the above-mentioned constantly-being-updated lists can be done several ways, and possibly the easiest is to use a browser add-on that simply blocks attempts to surf to servers and sites that serve ads, do tracking, and attempt to download malware. I prefer Pale Moon – a FireFox derivative that cares about your privacy – and the uBlock Origin add-on, which stops browsing to many, many sites. I don’t see ads, I don’t get malware, yet I DO virtually always see the site content.
If you don’t block ads, you really should.
Windows Networking Reconfiguration
——————————————————————–
I think I’ve mentioned that Windows comes configured in some ways not the most secure… The things I’ve done to reconfigure Windows Networking to improve my own security picture are:
- Remove “HomeGroup” networking.
- Deconfigure SMB1 support, needed only for compatibility with ancient operating systems, which I do not have on my network.
- Deconfigure IPv6 tunneling: Teredo, ISATAP, and 6to4 via these commands:
-
netsh interface teredo set state disabled
netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state state=disabled undoonstop=disabled
Executable blocking
——————————————————-
There are some executables I simply don’t allow to run.
It’s often possible to identify executables whose sole job is to send telemetry or otherwise make unwanted online contacts.
I always, for example, remove OneDrive system integration. I also remove executable permissions from such executables as LogTransport.exe, SkypeBrowserHost.exe, VSHub.exe, and others that I’ve identified don’t offer me any direct value but are responsible for sending data abroad. And I’ve disabled a number of scheduled jobs and services. In some cases I’ve even had to tweak registry entries to keep the system from even trying to start unwanted programs.
I tend to use the facilities that Windows provides to prevent executables from running, but there are good software packages out there that can help less technical users accomplish the desired effects. Some good ones that come to mind to help you know why programs are running are Autoruns by SysInternals, and ShellExView by Nir Sofer.
Above all, know what’s running on your computer, and try to understand whether it really needs to be there.
Anti-Malware Software and Scans
———————————————————-
With all of the above in place, an active anti-malware scanner isn’t really particularly necessary. Incredible as it may seem, I don’t ever see Windows Defender block anything and MalwareBytes scans are always clean.
However, that doesn’t mean you should do without an active line of defense. I recommend Microsoft Security Essentials for Windows 7, and the default Windows Defender for Windows 8 and 10. I’ve found that even if you block Windows Updates, the MpCmdRun.exe component goes out and gets updates on its own. That’s a separate executable from the Windows Update service, so it’s easy to allow it to do its thing through the firewall while maintaining protection against unwanted system updates.
One good aspect of using Microsoft’s in-built protection is that it virtually never spits out false positives.
Even with Windows Defender on duty, I also choose to regularly scan my systems for malware that might have gotten through using MalwareBytes AntiMalware free edition. It never hurts to check for malware against a second well-managed database. I have a script scheduled to pop the MalwareBytes UI up first thing in the morning and I just initiate a scan and move the window off to the side. I have terabytes of data yet it updates itself and finishes in under 10 minutes. With SSD storage, the scan isn’t terribly intrusive so I can get on with my work.
Physical Security and Backup
—————————————————————–
It goes without saying that you want to keep your system secure, you need physical security. In my home office, I am “Secured by Beretta”. But beyond that for my critical data I have chosen high reliability hardware (e.g., workstation class machines with ECC RAM, high MTBF disks). I have a high quality HVAC system, good UPS power backup, and high quality wiring.
Even with all that, I have multiple backups that run regularly, some every 3 hours, some nightly.
I’m particularly fond of Western Digital MyBook external USB drives for backup. Each computer has several of them attached, and I have several I swap in occasionally, do full system image backups, and remove to a secure location.
With Win 8.1 there’s not an easy way to schedule a System Image backup like there was with Windows 7, so I schedule the following command:
wbadmin start backup -allCritical -vssFull -quiet -backupTarget:G:
That is, by the use of the -vssFull switch, integrated with the Volume Snapshot Subsystem, which means that the nightly backup is actually incremental, and with a large 8 TB MyBook I actually accumulate enough snapshots that I could restore my system from any of a month’s or more prior night’s backups.
I can also access individual files from those snapshots through 3rd party Z-VSScopy software.
Even with that capability, I’ve scheduled a number of other file backups based on Robocopy with a ton of switches to make them either mirror the source or accumulate files from the source without deletion (e.g., for protection against my deleting files accidentally).
Also, I make sure the System Protection feature is enabled. This affords the opportunity to do a System Restore operation if needed, and this usually works if invoked from the bootup WinREcovery environment. Possibly not well-known is that the VSS-integrated wbadmin backups show up as Restore Points, so I not only have the ability to do a full restoral if I have a hardware failure, but I can also choose from all the accumulated incremental snapshot backups to do a System Restore if I were to need to do so.
I’ll update this post as I think of other things, and I welcome your comments and questions.
-Noel
