The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Just got a new hard drive, help me secure it?

    Discussion in 'Security and Anti-Virus Software' started by Hungry Man, Apr 16, 2011.

  1. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    Throw some ideas. I love unconventional security methods, especially ones that have little to no performance loss.

    I'm using a hosts file from MVPS combined with one from another site dedicated to malware (no duplicates, both on my router) and I use Spybot to modify my computer's hosts file.

    MSE. Fully patched/updated Windows.

    No office/ flash installed. Using chrome's flash + google docs.

    UAC is disabled, any way to make it enabled for specific folders? I think it would be cool if nothing could run from my temp/downloads folder without admin permissions.

    Other ideas?
     
  2. yuyi64

    yuyi64 Notebook Consultant

    Reputations:
    38
    Messages:
    260
    Likes Received:
    0
    Trophy Points:
    30
    Then why did you disable UAC?
     
  3. Hungry Man

    Hungry Man Notebook Virtuoso

    Because I don't need it globally. But restricting the two folders that things download to would be nice.
     
  4. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    Have you come across the 'Safe-Admin' team/project over at WildersSecurity.com?
    It's an idea of the WS members Sully and Kees1958 over there.
    It might just suit your needs; link
     
  5. Hungry Man

    Hungry Man Notebook Virtuoso

    Thanks I'll look into that.

    I basically want to keep things I download "frozen" or sandboxed until I decide whether to use them or not.
     
  6. Christoph.krn

    Christoph.krn Notebook Evangelist

    Reputations:
    263
    Messages:
    423
    Likes Received:
    0
    Trophy Points:
    30
    Did you disable all UAC notifications (i.e. no more interruptions by UAC) or did you completely disable all UAC mechanisms?


    What version of Windows are you using? In Windows 7 Ultimate, you can use AppLocker to achieve this. In Windows XP (but not with the Home edition), Windows Vista (but not with the Home and Starter editions) as well as Windows 7 (but not with the Home and Starter editions) you can also achieve this by using Software Restriction Policies ("Software Restriction Policies" on TechNet).


    In case you haven't done so already, have a look at "Security is not a solution, it's a concept", which contains good links to some sane security related information. In particular, you might want to look at how to use "integrity levels" for "sandboxing" as well as how to further secure them using user accounts:
    Source: http://forum.notebookreview.com/win...it-locker-expertise-needed-3.html#post5901411
     
  7. Hungry Man

    Hungry Man Notebook Virtuoso

    I have win7 ultimate. I'll look into bitlocker.

    Thank you for the links and info.

    edit: Those are some really interesting links/ articles.

    And UAC is disabled completely, not just the notifications.
     
  8. Christoph.krn

    Christoph.krn Notebook Evangelist

    "AppLocker", not "BitLocker"! BitLocker is Microsoft's low-level encryption, AppLocker is a mechanism to restrict the execution of software.

    Some security mechanisms (such as Internet Explorer's "Protected Mode") use UAC to increase security even if notifications are disabled. Setting UAC to "Notifications disabled" should be preferred over completely disabling it whenever possible. If possible, reinstall all applications that have access to the internet after re-enabling UAC (this has security-related reasons).

    Most people don't really bother reading that post and just say it's "stupid jabbering", so... thank you? :)
     
  9. Hungry Man

    Hungry Man Notebook Virtuoso

    Haha, sorry. I was reading an article on bitlocker while I posted that =p

    And I've read some of your other posts about security and they're always informative and interesting (to me at least)

    edit: The only apps to reinstall would be Chrome and Java. That's no problem at all, really.

    edit2: Question about UAC: If I have the notifications disabled how will I manage it?
     
  10. Christoph.krn

    Christoph.krn Notebook Evangelist

    Not at all. To you, it will be as if it was disabled. There's no need to interact with or manage UAC at all if you disable notifications (unless you're a developer or have other reasons to dig deep into Windows' inner workings).
     
  11. Hungry Man

    Hungry Man Notebook Virtuoso

    But then how will it work? From what I understood of UAC it basically just stopped programs from accessing certain parts of the computer without permission. If I don't get a prompt how do I give them permission in the case where they'd need it.
     
  12. Christoph.krn

    Christoph.krn Notebook Evangelist

    That's right, UAC asks you whether or not a process should be elevated (get administrative rights), which would give the process basically full access to the computer. If you set UAC to "No notification", no prompts will appear because processes that ask for elevation will be elevated automatically, so on the surface it's as if UAC was disabled.
     
  13. Hungry Man

    Hungry Man Notebook Virtuoso

    So what's the benefit?
     
  14. Hungry Man

    Hungry Man Notebook Virtuoso

    How do I enable UAC but disable notifications? I don't see it in the UAC settings.

    edit: I set some rules for my temp folder, program folders, and my downloads folder using applocker.

    I'm not sure if I did it properly though but I have it deny p much everything lol

    edit2: Ok... having an issue. I just downloaded a .exe (coretemp) into my downloads folder and I was able to run it. I have %OSDRIVE%\Users\myname\Downloads\*

    set to action "Deny" for User "Everyone"

    How come I can run it? Or is it just that it won't auto-run.
     
  15. Christoph.krn

    Christoph.krn Notebook Evangelist

    UAC will virtualize access to certain areas in the registry and file system in order to enable some applications that would normally require administrative rights to run with limited rights. Also, Internet Explorer will be able to run in "Protected Mode".

    There might be other security related benefits, however I don't know of any (and haven't looked for any in the first place).
     
  16. Hungry Man

    Hungry Man Notebook Virtuoso

    I think I just disabled notifications. IE9 is running in protected mode.

    Also, I got applocker to work. It was good but it's not what I need really.

    I don't want it to be a "yes" or "no" situation even with exceptions.

    I basically want it to prompt me before anything in my temp/downloads folder tries to run. I don't necessarily want everything in these folders to stop running altogether, I just don't want them running without permission.
     
  17. Hungry Man

    Hungry Man Notebook Virtuoso

    Put UAC to full. My problem with it is always because I have it on when I first install all of my programs. I haven't really run into anything yet that needs it.
     
  18. Pitabred

    Pitabred Linux geek con rat flail!

    Reputations:
    3,300
    Messages:
    7,115
    Likes Received:
    3
    Trophy Points:
    206
    You should very seldom see UAC prompts except when installing software or doing system-level tweaking. It's that way for a reason ;) Just deal with them when you're installing software, and once all that dies down you're in the clear. You can disable notifications, but I personally prefer not to. I want to know when something is asking for "root" permissions.
     
  19. Christoph.krn

    Christoph.krn Notebook Evangelist

    Yes, then you just disabled notifications.

    You can disallow everything (including your temp folder) and create a separate temp folder that is allowed in AppLocker. This way you can move anything from the temp folder that you want to allow to run into the "tempexecutable" folder. If you disallow anyone except for the group "administrators" to write anything into the "tempexecutable" folder (right-click -> click "Properties" -> "Security" tab), you will be prompted once you attempt to move anything from "temp" to "tempexecutable" via the Explorer. Once you execute something from the "tempexecutable" folder, there's no need to move it back since...
    • ...once you executed something, you already decided to trust it.
    • ...malicious software running with standard privileges will not be able to modify files inside the "tempexecutable" folder if you only allow "administrators" to do this.

    In some cases UAC can not guarantee that you will be informed (and doesn't want to, since that's not what it's there for).
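
The "tempexecutable" setup described in the post above, as an added PowerShell example that is not part of the original thread, to be run from an elevated prompt. The folder name `TempExecutable`, the policy file path, the audit-only mode and the three baseline allow rules (Windows folder, Program Files, administrators) are assumptions added so that the system itself keeps working.

```powershell
# Added example; folder name, file paths and baseline rules are assumptions.
$folder     = "$env:SystemDrive\TempExecutable"   # hypothetical "tempexecutable" folder
$policyFile = "$env:TEMP\applocker-tempexec.xml"  # hypothetical policy file
$mode       = 'AuditOnly'                         # logs only; 'Enabled' blocks

# 1. Create the folder and replace its inherited ACL: Administrators and SYSTEM
#    get full control, standard users can only read and execute.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
icacls $folder /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' `
    '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' | Out-Null

# 2. Allow rules for the Exe rule collection. For non-elevated users, any
#    executable that matches no rule (Downloads, the user's temp folder) is
#    denied by default, so no explicit Deny rule is needed.
$allow = @(
    @{ Name = 'Windows folder';     Sid = 'S-1-1-0';      Path = '%WINDIR%\*' }
    @{ Name = 'Program Files';      Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' }
    @{ Name = 'Administrators';     Sid = 'S-1-5-32-544'; Path = '*' }
    @{ Name = 'Reviewed downloads'; Sid = 'S-1-1-0';      Path = '%OSDRIVE%\TempExecutable\*' }
)
$fmt = '<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" ' +
       'Action="Allow"><Conditions><FilePathCondition Path="{3}" /></Conditions></FilePathRule>'
$rules = $allow | ForEach-Object { $fmt -f [guid]::NewGuid(), $_.Name, $_.Sid, $_.Path }
$xml = '<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="' +
       $mode + '">' + ($rules -join '') + '</RuleCollection></AppLockerPolicy>'
Set-Content -Path $policyFile -Value $xml -Encoding UTF8

# 3. Dry run: report what the policy would decide for executables that are
#    currently in Downloads and in the reviewed folder, without applying it.
Import-Module AppLocker
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe", "$folder\*.exe" |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone

# 4. After reviewing the dry-run output, merge the policy into the local one.
#    Rules are only enforced while the Application Identity service (AppIDSvc)
#    is running and the collection's EnforcementMode is 'Enabled'.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```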
     
  20. Hungry Man

    Hungry Man Notebook Virtuoso

    I might play around with that Christoph. UAC kind of fulfills what I was hoping for since I have it on globally.

    Any other ideas?