Security → Please critique my advice to "typical end-users"

I’m thinking about putting a CD together for friends, family, and coworkers with many commonly recommended security programs on it.
I plan on using the following text as the CD cover:


Recipe for safe Win XP usage with broadband

Cost..Description
50....Hardware firewall (basic router (read the manual and lock it down))
00....Software firewall (ZA or Kerio)
00....AdAware
00....Spybot S&D
00....JavaCool SpywareBlaster
00....Antivirus (AVG and Avast come to mind)
00....Windows update
00....Update your AV, Firewall, and Spyware rules on a regular basis
00....Firefox web browser (make it your default)
00....** Turn off unnecessary services (blackviper.com)
00....Test your ports
........DSLReports.com ("Tests+Tools" >> "Port Scan")
........GRC.com (Shields up)
00....Thunderbird or any other email program that has common-sense enabled
00....Don't click on executables from un-trusted sources (this includes your mom)
00....Don't install warez (there are good and free alternatives)
00....** don’t run as admin (if possible)
00....Change Windows explorer to show hidden files and NOT to hide file extensions
00....* Don’t forward emails claiming that you’ll get money for forwarding emails
----
50

** Might be too difficult for some users
* Privacy related (email harvesting)


Any suggestions or corrections?

I'm also planning on making an html menu that will navigate the user to the appropriate directory or website to find the item in question, plus scripts for doing some of the above tasks automatically.

I’m already aware that the F.A.Q. here at DSLR covers most of these points, but I want to create a distributable and easy to use CD that includes the kitchen sink and doesn’t require the user to search the web for the desired file.

Does a CD like this already exist?

Should I include anything about hosts files?

Thanks in advance, and severe criticism is highly encouraged!

"Does a CD like this already exist?"

Sort of...

»Public AntiVirus CD - Updated Week of 2004-12-20

It does already exist, but there's no harm in putting together another one. Perhaps what is in NyQuil's will be of use as additions for wozster. More than one can certainly be combined or used in its entirety. The thought of doing something for family and friends like that is very nice and most helpful.

Very nice,

A great addition would be an html file showing this with click to install links.

Good, but seems more complicated and/or time consuming than a lot of people would go for.

A NAT box, antivirus, Windows Update, and Firefox (or IE and Adaware or something) should do it for most people. Turning off services seems like a waste of time if they're going to be on a private network. Port scanning seems unnecessary as well - especially with GRC! Newbies (the people you're targeting) might get scared by Steve Gibson's "stealth test FAILED!" crap, when it's really no big deal. And three anti-spyware programs could be overkill - one (AdAware) has always done it for me, even on horribly infected computers.

The tips are right-on though.

> 00....Software firewall (ZA or Kerio)

Not convinced this is entirely necessary. The WinXP firewall is okay (assuming it is properly configured, and not suffering from SP2-RTM's confusion about what a local network is).

An extra software firewall's real use it to allow egress filtering as well as ingress blocking. That's a useful extra layer of protection for someone who knows what they're doing, but a potential source of extra confusion for a newb.

> 00....** Turn off unnecessary services (blackviper.com)

Some are more ** than others. You can turn a fair bit off quite safely.

> 00....Thunderbird or any other email program that has common-sense enabled

Thunderbird does not have common-sense enabled by default, alas. Remember to set it to display mails as Plain Text or it will be subject to address-confirmation+cookie attacks. The 'block remote images' option is *not* sufficient to stop Thunderbird making HTTP requests from mails.

I'd add:

00....enable viewing of the My Computer Zone using the registry hack, and lock down its settings.

Even if IE is not in use, there are other ways the IE core can get launched with potentially dangerous consequences.

It's a bit ** in itself, but you could make a handy .reg file to do it and include it on the CD.

Nice list!

I would only change a few things. Kerio is way too complicated for the newbie/average user. Perhaps Sygate?

As for turning off unnecessary services, Elder Geek is more conservative than Black Viper. I think it is a more appropriate site for the newbie/average user for this reason.

»www.theeldergeek.com/ser ··· uide.htm

I also recommend Spywareguard. It is generally set it and forget it.

It can be easily installed but you have to manually add the shortcut (that it downloads to your desktop) to the documents and settings/ startmenu / programs / startup folder - to make it automatically start up in all user accounts.

For nontech savy users, I also usually just have them use the XP firewall. I also disable remote assistance and file and printer sharing in the XP firewall exceptions (unless they need file and printer sharing).

Kerio is probably too much for the average user. ZA Free is okay, but you would have to configure it for them to preserve privacy. Windows firewall behind NAT router is simplest best option for your target market.

Many believe Spybot plus Ad-Aware is best combination rather than either alone. And both are easy to use.

BlackViper would be a disaster for the average user. There are often posts in the MS-help forum from folks who have disabled too many services based on that site and who are seeking help to recover. Sometimes referred to as "yet another victum of the black viper." It's a good site for you, but do you really think it works for the average user?

Is a stand alone e-mail program better or worse than a web-based e-mail program for the average user?

Make Mozilla or Firefox a must and display how to set the options for privacy and security. (cookies, java, javascripts, images, popup blocker, history, cache)

Thank you all very much, your advice is greatly appreciated!

My advice for the typical end user is much simpler. Personally, I don't think most people would actually follow your advice simply because it's too much to them. They want quick and easy fixes, and just want it to work.

My list is:
- Let me clean it up, or reinstall Windows themselves (I have guides from BlackViper and Paul Thurrot with pictures).
- Make sure XP SP2 is installed.
- Install Mozilla Firefox and set it as the default web browser.
- Install an Anti Virus. I usually recomend Symantec Corporate Anti Virus.
- Install Ad-Aware, and I tell them to run it monthly or weekly.

This is the simplest guide I can come up with that Grandma can faithfully do, and keep her PC working for at least a year. So far, this has worked on about 5 family PCs, and 4 people through family connections.