Practical tips to improve computer security
Is it possible to drastically increase computer security in a few steps? Installing the anti-virus and updating the software are important but not the most important. In this guide, we explain how to drastically increase the chances of an effective and preventive defense against malware and exploits.
Some of the following recommendations will be familiar to advanced users, but even they will find interesting sets of software and tools in this guide. We guarantee that using our tips will increase the level of computer protection so high that the preventive defense against 0-day exploits or fileless viruses will be implemented in real-time.
Guide to start with the necessary basics, that is:
- The current operating system is the best protection against known exploits.
- A system without programs would be useless, so the installed software, for example, an office package or a PDF file viewer, should be kept up-to-date. This is the best form of defense against malware exploiting vulnerabilities.
- Virus databases of antivirus programs update automatically, but the antivirus files are not always updated. Do not suspend anti-virus updates to a newer version, because the manufacturer usually added new features or repaired the code, eliminating the chance for hackers to fool the security.
- Do not work on an account with administrator privileges. Create a normal user account for yourself, and enter the administrator password when elevating the privileges (as Linux users do).
- Set up automatic backups. You can synchronize important files with the Google Drive, Dropbox or Microsoft OneDrive cloud. Remember that the disk in the cloud has a system of restoring previous versions of files (in case of encryption of data by ransomware).
Adherence to the above-mentioned advice will drastically increase the chance of effective repulse. If we succumb to a clever social engineering attack, they will not always be enough, which is why we describe in detail the system functions and external tools that will help protect the computer better.
EMET / Windows Defender Exploit Protection
EMET (Enhanced Mitigation Experience Toolkit) is a free program from Microsoft that imposes "restrictions" on applications, including DEP or ASLR. In one sentence, EMET makes life difficult for exploits by preventing the exploitation of software vulnerabilities. Although technologies such as: blocking data execution by marking memory fragments (DEP), randomizing the address under which data is stored (ASLR) and blocking the header override (SEHOP) do not guarantee that the gaps will not be used, however, they hinder it to a maximum extent exploits to penetrate the system and programs.
EMET after July 31, 2018 will not be supported. After that day, users of systems older than Windows 10 will be left to themselves in accordance with the Windows 7 and Windows 8.1 blanking policy. This is the official position of Microsoft. This means that not only the EMET software will not be developed, but the vulnerabilities found in it will not be fixed. We recommend all victims to install alternative anti-exploit or whitelist software:
- SpyShelter Firewall or SpyShelter Premium (solid Polish product that you need to be interested in)
- VoodooShield Pro
- Zemana Anti-Logger
- Malwarebytes Anti-Exploit
EMET in Windows 10 has been replaced with the Windows Defender Exploit Protection module integrated with the antivirus. Users of the latest ten should include all available security. The module configuration can be found in the Update and Security -> Windows Security -> Open the Windows Defender Security Center -> Application and Browser Control -> Exploit Protection Settings.
Microsoft made sure that EMET would be available in Windows 10 as an integral part of the Windows Defender antivirus. Some of the security features previously available only for EMET have been built into the Windows 10 operating system, which now extends beyond the scope of what was previously allowed by EMET. Currently, EMET in Windows 10 is a relic of the past. It became completely unnecessary. And yes, it's true that Windows Defender guarantees better protection than it used to be - the antivirus is being systematically expanded. However, as the latest anti-virus protection test against exploits shows, native Microsoft system solutions have proved to be worse in securing the Windows environment than software created by third parties. For system security and those provided by third parties, it is always worth to approach with limited trust and check the correctness of the configured solution. The default settings are not always the best.
AppLocker by Microsoft limits the running of applications, scripts, installers or DLLs from the indicated locations by imposing restrictions on them. AppLocker is available in Windows 10, but to use it you need to have a version of Windows 10 Enterprise or Windows 10 Education.
To activate AppLocker, go to Local Security Policy -> Application Control Policy -> AppLocker.
After you've defined rules based, e.g., on the attributes of files from a digital signature, including the publisher, product name, file name, and version, you can, for example, create rules based on the publisher attribute that remains unchanged in all updates, or you can create rules for the specified version of the file. This is useful when the software automatically downloads updates from the Internet - it has a digital signature of the publisher, which is still the same developer.
AppLocker is a very powerful whitelisting tool that also enables you to:
- Assigning rules to a security group or an indicated user.
- Creating rule exceptions, for example, you can create a rule that allows running all processes in Windows except for powershell.exe.
- Creating rules in the denny-by-default protection model.
- Use the audit only mode to observe system behavior before implementing changes.
- Importing and exporting rules.
For example, to increase the security of employee computers, we block the launch of UNLIMITED applications and scripts from the desktop and from temporary locations:
%userprofile%\AppData\Local\Temp %userprofile%\AppData\Local\Temp\* %userprofile%\AppData\Local\Temp\*\* %userprofile%\Desktop\*
Following the denny-by-default principle, we create a special rule that allows running programs only from specific folders:
C:\Program Files (x86)\ C:\Program Files\
By controlling executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd and .bat), Windows Installer files (.msi and .msp) and DLL files (.dll and .ocx) we drastically increase the security of the organization. For free. There is no reason for a computer in the accounting department to have unlimited possibilities to run malicious code through macro viruses or fileless viruses. It is worth creating rules that define only those tools and software that are actually needed for the job.
HIDS for free
Intrusion prevention systems are most commonly found in security programs in the form of an integral or dedicated part of the firewall module. Organizations do not have to decide immediately on expensive to maintain the HIDS and SIEM system. Such a practical application of monitoring system logs, file system and network interfaces is available in the free OSSEC solution.
The OSSEC system is a client-server application. The server is available exclusively for Linux systems, while clients available on Windows, BSD, Solarix, VMware ESX, AIX, HP-UX, Linux and MacOS can monitor system events using heuristics and event signatures.
OSSEC is a powerful and easy-to-use help that only requires time to configure and react to incidents in real time. The financial outlays for security are zero in this case, because the software is free even for companies. The benefits of implementing OSSEC on the network are significant - the agent installed is able to check the integrity of files and registry, detect rootkits, monitor system logs and scan network traffic for known attacks. All events are sent to the central console. Notifications via e-mail are supported, as well as integration with any commercial SIEM solution. Thanks OSSEC administrators will know everything about what has happened so far in the network behind their backs.
VPN connections play an important role in security. VPNs are divided into those in the browser and in the operating system. We recommend installing the VPN client on the system because it encrypts all network traffic. An extension installed in the browser (or integrated with a browser, eg OperaVPN) will only encrypt traffic passing through the HTTP / S protocol on ports 80, 8080 and 443 - and depending on the VPN provider - the connection will use VPN's DNS servers or external provider who will find out which websites the user is visiting. This is another trap lurking on the imprudent who would like to hide from the world. VPNs were not created to protect privacy, but to increase the security of transmitted information.
If we were to recommend a supplier, then NordVPN is probably the best choice. In the most favorable 2-year plan, NordVPN offers more than 4,000 output servers from 62 countries around the world. So there is a lot to choose from. For those who would like to take advantage of the NordVPN offer, we recommend our affiliate link, which will give you a small percentage after each purchase.
NordVPN client applications are available for almost all operating systems: Windows, macOS, iOS, Apple, Linux and many more. NordVPN supports the P2P protocol (not all VPNs do), so you can download whatever you want and feel safe without any problems. In addition, NordVPN uses its own DNS server, so no other DNS communication node will log websites visited. And most importantly, the company NordVPN is registered in Panama and does not store any logs - there is no such obligation.
VPN protects the device owner from imprudence or imprudence when logging into Internet services, but also secures, among others, against the vulnerability of KRACK on Wi-Fi. But above all, it allows you to avoid restrictions on services or websites that have been imposed by government dictatorships (which is especially useful abroad).
Sysmon is another tool available for free to monitor system logs. Again organizations need to consider whether it is worth investing in expensive SIEM solutions, since Sysmon is available around the corner.
Sysmon is part of the SysInternals from Microsoft. Its installation and implementation is trivial. The network has a lot of tutorials and ready-made configurations containing sets of rules that we want to log in, i.e. changes in processes and files on the disk, network communication, loaded drivers and libraries, registry changes, comparison of file hashes, and the same change in the service status Sysmon (e.g. caused by malfunction or malware).
Installation of Sysmon boils down to issuing one command in CMD:
>Sysmon64.exe -i System Monitor v8.00 - System activity monitor Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier Sysinternals - www.sysinternals.com Sysmon64 installed. SysmonDrv installed. Starting SysmonDrv. SysmonDrv started. Starting Sysmon64.. Sysmon64 started.
To load or import the changed rules, once again run the file in the console and specify the configuration XML:
>Sysmon64.exe -c sysmonconfig-export.xml
The XML file contains an understandable configuration that we can create from scratch or edit the existing one. In the same configuration file, we can create rules with exceptions that exclude process, files, keys, etc. and exceptions containing items of interest to us. For example, to monitor the powershell.exe process, we add a rule :
In the same XML files for the absolute exclusion of the searchIndexer.exe process we add:
After configuring Syson, all changes in the Windows system are saved in the Windows Event in the Applications and Services tree -> Microsoft -> Windows -> Sysmon. Logs can be exported in real time to another tool, eg Splunk or Elk, where we actually get a free EDR platform.
Sysmon is also a tool well-known to malware authors who know how to detect running services and how to recognize Syson running in the background. A more advanced configuration is to harden the settings and change the names of the installed services and the Sysmon driver, which the malware could easily detect or stop. Therefore, it is important that the logs are sent to the external console in real time (in case the service is stopped).
Sysmon is a good and free alternative to EDR solutions. However, you must remember that the software does not have any antivirus features - it can only save logs.
EDR for free
Endpoint Detection and Response (EDR) is a system to collect information about suspicious activity. The main task of this solution is to facilitate safety teams making decisions based on hazard indicators (IoC), managing large amounts of data and prioritizing activities. Simply put, EDR allows you to manage incidents in real time and find traces of intrusions and attacks (infection indicators) on each endpoint. EDR solutions avoid additional security costs, and these commercial counterparts have additional "cleaning" functions for compromised systems (not every EDR can do that).
The free EDR is "MIG" by Mozilla - yes, the one from the Firefox browser. MIG consists of agents installed on all infrastructure systems that are checked in real time to examine file systems, network status, memory or endpoint configurations. In addition, the vulnerability management system and detailed reporting are possible in the Linux system. An extensive description of the MIG system can be found on this page.
A good example of the practical use of MIG is quite a real situation: it is Saturday 6am, when someone made public a critical gap in the PHP application. Published IoC (checksums, filenames or IP addresses) can be helpful in identifying the threat. MIG allows you to quickly check systems for infection indicators:
The agents have been designed to be light, safe and easy to implement. The security of information exchange is enforced with PGP keys that are not stored on the platform, i.e. assuming a situation where the MIG server will be compromised, no one will take control of the agents.
Alternatively, you can use:
- GRR Rapid Response from Google.
- El Jefe from the Spanish company Immunity.
Powershell is a very powerful tool in the hands of an administrator and a hacker, but it is rarely used by an accountant or an ordinary user. It is Powershell that allows you to remotely manage machines in a larger organization, but also gives almost limitless possibilities to the attacker.
In standard situations, criminals use about 50 most common executable commands in Powrshell, including activating fileless malware, which is very difficult to detect. The detection of these scripts is all the more problematic if the malicious code is executed by the Powershell system interpreter. Thanks to this method, it is possible to infect your computer without raising the alarm by the security program.
In Windows 10, Powershell allows you to install Linux and run Linux commands. The WSL function (Windows Subsystem for Linux) makes the popular bash terminal available to Windows 10 users. The operation of malware in the hybrid concept can open a new door for cybercriminals. According to many experts, the bashware threat should be a serious warning, because it opens up new opportunities to bypass security features of third party and Microsoft security products. We have brought this to the attention of the producers and we have carried out such a test.
We recommend completely disabling Powershell in the archaic version 2.0. In Windows 10, open any folder and go to the address: control panel. A traditional panel will open, which is known to all users since Windows XP. Go to Programs -> Disable or enable the Windows function -> Windows PowerShell 2.0.
Thanks to this, in the system we will leave Windows PowerShell version 5, which has the function of anti-malware protection - it scans and prevents malicious scripts from running. PowerShell 2.0 will no longer allow an attack that reduces the version and bypassing the protection against malware. Disabling the "5" should not have any negative effects.
Another recommended security implementation is to enter one of the following commands with administrator privileges:
Restricted: We completely disable running any scripts, e.g. those digitally signed and those downloaded from the network without signature. At the same time we still retain the ability to issue individual commands. This is the recommended setting for most users.
AllSigned: We only run scripts that have a digital signature regardless of whether the script is run locally or downloaded from the network. We recommend this setting to most users.
RemoteSigned: Scripts must be signed by a trusted publisher before they run, but scripts run from the local computer do not have to be signed. In this setting, for example, the macro virus will be able to run any programmed script in PowerShell. We do not recommend this setting for users who do not use PowerShell for work.
Unrestricted and Undefined: By default the Undefined mode is on and its reset to Unrestricted also gives nothing. That's why most malware has the ability to infect the operating system or to download and run malicious scripts, as well as executable files.
So wherever it is not necessary, we activate the Restricted or AllSigned settings. Thanks to this one operation, we will significantly increase the preventive protection of the operating system.
For security reasons, Microsoft has disabled the automatic launch of macros in the Office suite from version 2010. Users of these programs do not have to do anything except realize that all suspicious attachments of Word or Excel documents may have malicious commands that will ignore malicious instructions after ignoring the warning, e.g. download the banking Trojan from the network via the powershell.exe process.
The attack usually starts traditionally, that is:
After opening the document, nothing bad is happening. Only clicking on the "enable content" bar causes the entire avalanche of unwanted effects. But you can also prevent this by imposing restrictions on scripts run in PowerShell - a macro virus in this way runs dangerous code.
For users of Microsoft Office, Office 365, Libre Office, Open Office and other office programs, we recommend checking the settings and making sure that the macros are definitely turned off.
Encryption with BitLocker or VeraCrypt
To protect external media and partitions or entire disks, we can use BitLocker. We encrypt the media not to hide anything from law enforcement agencies, but that protected data will not fall into the wrong hands, eg when our laptop or company computer is stolen. Administrators can force the GPO to install "BitLocker to Go" on any portable USB device, thanks to which the organization will be assured that after losing the media, nobody from the outside will have access to the documents stored on it. BitLocker is available in Windows 10 Pro or higher.
Other users can use VeraCrypt as an open source tool used to encrypt data that has more capabilities than BitLocker. Its unique feature is to create a hidden operating system next to the one on which we work. This is especially useful in situations where we will be forced by someone to decrypt the computer. By default, VeraCrypt installs in English, but it is possible to change it to Polish. We change the language by selecting Settings -> Language from the menu.
We do not have to encrypt entire volumes at once. We can do it for selected files, directories, create an encrypted password-protected disk or store confidential data on an encrypted USB storage. In such a secured place, we securely store documents or files with personal data of clients. We are encrypting to secure data and files before opening, and by the way we meet the requirements of the RODO.
Other tips to computer security
Updating programs and system: Text editors, image file browsers and PDF files, especially office packages, should be updated whenever the license does not prohibit or does not cause any compatibility problems. Malware often uses not so much the vulnerability as the incorrectly implemented default configuration, which allows you to deceive the security mechanism and run malicious code anyway. By updating programs and system, we will increase drastically security without additional costs. Companies have an easier task because many antivirus products have modules to manage updates and automatically implement them.
Individual users to check for available program updates should use FileHippo App Manager. Secunia Personal Software Inspector, which has been popular so far, is no longer supported by the manufacturer.
Routers and NAS servers: This is also an important element of security. Non-updated software of the NAS router or NAS may expose the network to the installation of a dangerous script, and in extreme cases, it may threaten to change the device configuration and take over control by a third party.
If your router is not already updated, you can install the alternative OpenWRT software. A list of supported device models is available at this link.
Storing passwords: We are not advocating the storage of passwords in the cloud, but we do not prohibit anyone. Full synchronization between different systems can be achieved by synchronizing the database file with passwords using Dropbox or another disk in the cloud. To store the database of passwords and logins, we recommend KeePass or KeePassX.
Additions to browsers: Browser is a program on the Internet interface, which is most often subjected to attacks. It is also a tool that first gives us information about the security of the site. That's why we recommend extensions for browsers:
- Bitdefender Trafficllight as the perfect website scanner and search results.
- Windows Defender Broswer Protection is a new scanner of files and pages from Microsoft.
- HTTPS Everywhere forces the browser to connect to the encrypted channel with the site, if the site server allows it.
- uBlock Origin blocks advertising, malicious scripts and dangerous websites using external lists.
- NoCoin blocks the cryptocurrency excavator.
- The panopticlick.eff.org scanner will check if we care enough about your privacy based on browser settings and installed plugins.
Firewalls: System or antivirus firewall? Which is better? Both have their advantages and disadvantages. And these are explained in the article from 2012. Most of the information contained there is still valid.
We support the use of firewalls. It is not true that they are a relic of the past. Firewall, provided it is properly configured, can stop fileless malware, while the rest of the antivirus modules did not manage to detect the prepared virus. We have conducted an experience that shows the strengths of using firewalls in security. In addition, firewalls protect against many modern attacks, because they have more or less advanced systems to detect and block intruders.
In addition to firewalls that are integrated with antivirus, we recommend to monitor process connections:
- Comodo Firewall
- TCP Viewer as not a firewall, but a free tool for checking internet connections
Free anti-viruses: A list of the best free anti-viruses for 2018 has been prepared in a separate article. Recommended free anti-viruses securing small businesses and individual clients have been gathered in one place, granting each solution evaluation and appropriate recommendation of AVLab. A brief review of each of these programs was created thanks to many years of experience in conducting tests, market knowledge and the industry itself from the inside. We strongly encourage you to read our rating of anti-viruses.
Backup: When everything fails and all computer security will not work, we should have a backup of the most important files. It does not matter if this recommendation applies to a large or sole proprietorship. Sooner or later everyone will need to restore the data to the state before the hardware failure or encryption by the ransomware.
Do you, dear readers, have your own ways, tools and tips to protect your computer?
Add new comment
Learn more about our offer
We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.