ON SECURITY By Susan Bradley Several years ago, it was considered a best practice to protect business computer systems by “hardening” them. You would
[See the full post at: Hardening your operating system]
Susan Bradley Patch Lady/Prudent patcher
Tags: Windows 11
(Tip: I had to remind my 95-year-old dad to turn the lights on in the room so that FaceID would work!)
FaceID uses an infrared camera, so it should work even in total darkness.
Good post. I am glad you were successfully able to “uninstall” it. However, I will always advise people to do an image backup (TeraByte, Macrium, etc.) of your SSD or disk before you
1) tell Windows Update to check for updates, or
2) tell WuMgr to apply selected updates.
Going back is then child’s play.
Do not rely on that uninstall feature. An update touches many things that cannot be “un-touched”. imho!
I no longer use WuMgr as, after using it for years, I ran into a situation where I, correctly or not, perceived that WuMgr had rendered normal Windows Update completely non-workable and had to completely regen/rebuild/reinstall Win 11. YMMV! I know that some here use it and trust it.
My Firefox browser is currently configured to use DNS over HTTPS (DoH) with maximum protection at Settings | Privacy & Security | DNS over HTTPS. I live in Canada and the default provider is CIRA Canadian Shield from the Canadian Internet Registration Authority but I can choose an alternate provider like Cloudflare (which I believe is the default provider in the U.S.) or specify a custom provider. See the Firefox support article Configure DNS over HTTPS Protection Levels in Firefox for more information.
If I added a free service like Cisco’s OpenDNS that Susan mentioned in her article and enter their DNS server IPs (Primary DNS: 208.67.222.222 / Secondary DNS: 208.67.220.220) in my router settings I assume that would simultaneously protect all devices that connect to my router, but are there any other advantages? I took a quick look at the OpenDNS Home service at https://signup.opendns.com/homefree/ and gather you can use software to apply pre-defined web content filters to specific devices (e.g., to block inappropriate content on a computer used by a child) but I doubt that’s something I need.
Also, does it matter if I use different DNS providers in my default Firefox browser (e.g., CIRA Canadian Shield) vs my router (e.g. OpenDNS), and would one take precedence over the other?
————
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3693 * Firefox v120.0.1 * Microsoft Defender v4.18.23100.2009-1.1.23100.2009 * Malwarebytes Premium v4.6.6.294-1.0.2201 * Macrium Reflect Free v8.0.7690
lmacri wrote:
does it matter if I use different DNS providers in my default Firefox browser (e.g., CIRA Canadian Shield) vs my router (e.g. OpenDNS), and would one take precedence over the other?
A useful way to think about this might be to recognize that on most small networks you’re usually dealing with two – and possibly three – levels of DNS: (1) router/DHCP server (“network” level, in home settings likely defaults to ISP DNS unless manually configured otherwise), (2) device (“system” level, likely defaults to network DNS unless manually configured otherwise), and possibly (3) application (if available likely defaults to system DNS unless manually configured otherwise). And if all are behaving properly, then the lowest applicable level DNS setting *should* be used.
So if pc on home network is using default setup and pulling system DNS from router/DHCP server, then network DNS will be used as system DNS by pc. Or, as mentioned, system DNS on pc instead may be manually configured to use alternate DNS.
Firefox application, at lowest level, allows multiple settings to configure browser-specific DNS behavior:
– “Increased Protection” setting allows configuration of custom secure DNS provider, with auto-fallback to system DNS
– “Max Protection” setting allows configuration of custom secure DNS provider, without auto-fallback to system DNS
– “Off” setting bypasses secure DNS option entirely – system DNS is used
Short answer: for Firefox browser, configured Firefox DNS settings should override higher-level DNS settings.
Hope this helps.
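As an added example (not part of the original posts and not Firefox code), this Python model works through the precedence described in the reply above: it reads `prefs.js`-style lines and reports which resolver a Firefox lookup ends up using, including the fallback difference between "Increased Protection" and "Max Protection". It assumes Firefox's `about:config` preference names `network.trr.mode` (2, 3 and 5 for the three settings) and `network.trr.uri`, treats mode 0 as system DNS, and uses a constructed placeholder DoH URL; the function names are hypothetical.

```python
import re

# network.trr.mode values mapped to the Settings labels used in the post.
# Mode 0 (region-dependent default) is treated here as "use system DNS".
TRR_MODES = {0: "Default", 2: "Increased Protection", 3: "Max Protection", 5: "Off"}

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample profile lines; the DoH URL is a placeholder.
SAMPLE_PREFS = '''
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("browser.startup.page", 3);
'''

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"'):
            prefs[name] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs

def effective_resolver(prefs, router_dns, system_dns=None, doh_reachable=True):
    """Return (source, resolver) for a Firefox lookup, or ("blocked", None)."""
    system = system_dns or router_dns      # device inherits DHCP-supplied DNS
    mode = prefs.get("network.trr.mode", 0)
    uri = prefs.get("network.trr.uri")
    if mode in (2, 3) and uri:
        if doh_reachable:
            return ("firefox-doh", uri)    # browser setting wins over router
        if mode == 3:
            return ("blocked", None)       # Max Protection: no fallback
    return ("system", system)              # Off, or Increased with fallback

def bypasses_router_dns(prefs, router_dns):
    """True when Firefox lookups never reach the router's DNS filter."""
    return effective_resolver(prefs, router_dns)[0] == "firefox-doh"
```

With OpenDNS set on the router and DoH active in Firefox, `bypasses_router_dns` returns `True`: the router-level service still covers other devices and applications, but not lookups made by that browser.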
It seems to me with all the software available to create a video of any person saying anything, that any energy spent on using image or voice to protect anything is pointless. I don’t get it. Use something else!!!!!!
As to browsing, using something like uBlock plus doing everything through a robust router can help keep you away from a lot, but simply not being stupid is the key… You should be bullet-proof per GRC (Gibson)(Shields up – free – common ports and UPnP). Since (Commodore and RS and DOS-)3.11 I have yet to get a virus.
It seems to me with all the software available to create a video of any person saying anything, that any energy spent on using image or voice to protect anything is pointless. I don’t get it. Use something else!!!!!!
Voice perhaps, but if you think Face ID is insecure you should probably read about the technology it uses: Face ID — Wikipedia
Which “something else” would you consider more secure (since Apple claims Face ID is twice as secure as a fingerprint)?
Voice perhaps, but if you think Face ID is insecure you should…
I was just wondering about voice biometrics. I’d be concerned if my voice (or image) was widely available in public, but it isn’t. I have no illusions about my personal information, too many hacks for that to have been kept private. But my voice……..?????
I don’t have any doubt that AI can duplicate voice biometrics – if not today, then very soon. However, I thought Voice Biometrics was still a good option. I can’t imagine how someone would be able to clone my voice…am I being naive? How would criminals clone someone’s voice if that voice is not available in public???
Schwab used voice biometrics for ID over the telephone by saying a certain phrase, but it was well before AI. I don’t know if they have stopped now.
How would criminals clone someone’s voice if that voice is not available in public?
Don’t know the answer, but between YouTube, TikTok, etc. millions have public exposure. A real smorgasbord.
Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.
Don’t know the answer, but between YouTube, TikTok, etc. millions have public exposure. A real smorgasbord.
Smorgasbord, that’s so true! I don’t have any exposure there, but millions do, as you say……probably enough to keep the baddies busy for a while ; D
Schwab’s implementation doesn’t rely on the sound of your voice, it’s more like a verbal password – which seems better to me than voice biometrics.
I don’t know a lot about AI but I think it is both exciting and frightening…..maybe a little more frightening than exciting : o Mostly due to my ignorance. I need to educate myself and get a basic understanding.
Schwab’s implementation doesn’t rely on the sound of your voice
Well, it seems as though they did. See what you think. It was only used when calling on the phone to speak to a Rep, and was an early filter in the verification sequence. Schwab is no longer using it, but here’s how it worked:
The initial automated set up entailed repeating “At Schwab my voice is my password” three times. Then, when calling to speak to a rep, one of the voice prompts would ask you to speak the pass phrase. If accepted, the voice prompts continued. When a live Rep came on the line, they would further ask for answers to your verification questions, etc.
Once I had my wife speak the phrase, and it was, thankfully, rejected.
Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.
It seems to me with all the software available to create a video of any person saying anything, that any energy spent on using image or voice to protect anything is pointless. I don’t get it. Use something else!!!!!!
Voice perhaps, but if you think Face ID is insecure you should probably read about the technology it uses: Face ID — Wikipedia
Which “something else” would you consider more secure (since Apple claims Face ID is twice as secure as a fingerprint)?
“which something else” – EXCELLENT question. I have absolutely no idea since fingerprints can be easily duplicated I assume and I suspect as soon as genetic ID is created, it will become easily duplicated. “Gut feel” will not be useful at present for ID. Telepathy does not work well over twisted pair (though it can certainly work perfectly in parallel).
EDIT: Tech verification relies on a fixed set of data which will always be mimic-able. A soul-print is constantly varying. Good luck using that with physical reality technology. It will happen, though. IBM has an early prototype of a quantum computer that they are hyping (useful in ’33). 🙂
EDIT2: “Face ID” – if I were a betting person I would bet a few months to a year and the present version will be useless.
Note of interest to some: OpenDNS cannot work with a router supplied by AT&T for their “Uverse” internet access. AT&T specifically blocks this in the firmware in the router. My router is a NOKIA brand.
OpenDNS can be set up on individual computers, however.
Yes. ISPs are too often guilty of requiring their router to activate their service. I tend to consider any ISP’s router to be suspect in some way – favors the ISP but not necessarily my security. I was lucky in that Starry agreed to use my router if they were able to successfully set my MAC, and they were indeed able. It happens to be an ASUS RT-AC65 (AC1750 capable), but there are many suitable routers out there. Log into it and understand the settings!
So I appreciate what you are doing, but why aren’t there more people complaining about their Windows 11 passwords showing up on another user’s PC? This is a desktop set up with Windows 11 and a different Microsoft Account! What if their desktop gets stolen with more than 100 of my passwords, which are also on their tablet?
That other computer also has all my browser history in their Edge history. This must be really hated by some people, or they didn’t make a huge mistake and update their desktops to Windows 11.
Another issue is that I provided feedback about 6 months ago that fake files were being created in my desktop website files. Probably by OneDrive? So, if I “save all” when I update my very large website (~5,000 photos and 130+ videos) will the fake files also be transferred to my website host?
These are just a few of the everyday Windows 11 problems I have. Seems like no one else is using Windows 11? I know other engineers, marketing managers, and consultants that are totally avoiding Windows 11 because professionals working together on million-dollar projects have to share a lot of files with many other users, so Windows 10 is the only acceptable operating system at this time.
Large companies are currently blocked from Windows 11, except for their IT departments? Microsoft has been “taking” copies of my photos since before 2012. Many of them were deleted since I only get about 50% publishable images, but they are all in OneDrive. I don’t have time to look thru 37,000+ images to clean up the mess.
why aren’t there more people complaining about their Windows 11 passwords showing up on another user’s PC?
Because they don’t. It’s something you’re doing.
The same with your photos.
cheers, Paul
You probably spend as much time surfing on a phone as you do surfing on a computer. Today’s big picture is that there are more and more people who use tablets or phones, touching traditional PCs only at the office. The result? Attackers are targeting business users through email, and home users through browsing.
No, very rarely do I surf on my phone. My phone is first and foremost a phone and phonebook; that’s its primary use. I no longer have a landline. The secondary use for my phone is a Bluetooth music source when I’m driving; I have hundreds of .flac files stored. I also use its GPS capability as an exercise tracker with an app.
On the very rare occasions when I do surf on my phone, I use Firefox as my default, not the Samsung browser, and since I’m signed into my Firefox profile, all my extensions work for me.
I do use Samsung Wallet, which is available under my fingerprint, and I’m comfortable using that with NFC. I’m more comfortable using NFC on my phone than on my credit card; it’s an added layer of protection.
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.