Replies

The idea is to narrow down or pinpoint known bad DNS servers. And, to insure when you change DNS on your computer that it really kicks in as the router may over-ride the DNS setting in your computer.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

1 user thanked author for this post.

admin

There is no need to guess about DNS. This page

https://routersecurity.org/testdns.php

links to a dozen different services that report on your current DNS servers. These services should work whether your DNS servers were assigned by the router, your computer or a VPN.

If you have this Windows Update problem, please check your DNS before and after rebooting your router, or, before and after configuring DNS on your computer.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

6 users thanked author for this post.

rc primak, Elly, SueW, Norio, admin, Microfix

You might want to try blocking CompatTelRunner with an outbound firewall rule which prevents it from phoning home. The procedure is documented here in the section on blocking programs

https://www.michaelhorowitz.com/KillingWindowsUpdate.php

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

1 user thanked author for this post.

Microfix

I would think this is a fluke, something went wrong with GWX removal way back when.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

2 users thanked author for this post.

Microfix, satrow

This PC is the exception, not the rule. As for updates, on Dec 3, 2018 Windows Update was run and all available patches were installed. That said, the computer did go long stretches without any Windows patches. The previous run of Windows Update was Feb. 2018

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

2 users thanked author for this post.

Steve, Microfix

Many routers can kick children offline on a schedule. However they normally key off MAC addresses which works most of the time, but not all the time as MAC addresses can change.  The router I prefer can block children by creating an SSID just for them. The availability of that SSID can be scheduled to turn on/off as desired. In addition, it can assign the children’s SSID to a VLAN to isolate their devices from other devices in the home. Using a VLAN also lets you assign child-friendly DNS servers to the SSID used by children. These DNS servers can block hate/porn/etc. While most routers can only create two SSIDs/networks, this one (Pepwave Surf SOHO) can create 16. You could do one SSID for each child if you want them to have a different schedule. The downside  is that its a single router, so not a match for anyone needing the wide coverage offered by a mesh system. For more on the router see
https://www.routersecurity.org/pepwavesurfsofo.php

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

1 user thanked author for this post.

Steve

Karlston wrote:

One important thing is to have created rescue media and tested it before it’s needed…

Of course, there is only so much restore testing that can be done. If you actually do a full restore and make a mistake, it may not be fixable… Best way to test restoring is with a new computer, if you have that luxury.

My experience with image backups is that it is often confusing. On the backup side, which partitions really need to be copied? Do you need to backup Track zero? Backup all sectors or just used sectors? Not to mention incremental backups which I avoid. On the restore side too, track zero has always confused me. Then too there are partition resizing issues when restoring.

So yes, any and all advice is great.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

anonymous wrote:

Addressing your first question, yes the connection will remain metered status while switching users. Also, Microsoft has demonstrated the ability to override metered status when it suits them.

Where did you read about Microsoft over-riding the metered status? And, in my testing, limited though it was, a restricted/standard user had the metering off, even though an Admin user on the same machine had it on.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Yes, a problem with this approach is the first time you connect to a new Wi-Fi network, it is not metered by default so Windows Update does its thing.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

1 user thanked author for this post.

Perq

Great links, thanks.

DNS blockages in a router have the advantage of working for all PCs on the LAN. But, any computer using a VPN bypasses the router for both DNS and firewalling. DNS blockages on one computer were, I thought, impractical because each subdomain has to be specified individually and this Microsoft doc does not do that.

For example, if you want to block *.hwcdn.net as per the Microsoft documentation, how would you? DNS, at least the hosts file, does not do generic. You would have to block a.hwcdn.net and b.hwcdn.net and c.hwcdn.et, etc etc. So, what specifically do block in DNS?

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

You didnt say what software you are using to backup or the type of backup. Some software can be told to ignore read errors. You can expect to find an option like this in a disk image backup program. That way you get the 99.9% of the your files/sectors backed up.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

For more on blocking Windows Update see

Killing Windows Update on Windows 10 – a cheat sheet

https://www.michaelhorowitz.com/KillingWindowsUpdate.php

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Zaphyrus wrote:

I use a combination with metered connection and Wushowhide …

If you switch Windows users, does the metered connection remain on? For Ethernet? For Wifi SSIDs?

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Maybe you could Ask Leo at http://www.askleo.com  or @askleo

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Woody is right. Windows, macOS and Linux are dead men walking. iOS and ChromeOS are the future. Some examples:

ChromeOS has a very secure Guest mode, something legacy desktop OSs do not. And, it self-updates in a far more sophisticated way than the ancient OSs. And, it requires no active care and feeding, something the legacy desktop systems don’t even have on their radar. And, the ChromeOS firewall, when using Guest mode, has no open ports. Another thing you do not see in legacy systems (Did not test non-Guest mode)

Not to mention, Chromebooks can run Android apps and, coming soon, Linux apps (to a few models). Plus, there is a beta version of software that runs some Windows apps too. Give me Notepad++ on a Chromebook and I’m happy.

 

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com