Secure Desktop?
Jun 26, 2004 at 9:39 PM Thread Starter Post #1 of 33

Welly Wu

Does anyone here use a Windows XP based secure desktop utility program? If so, then do you have any recommendations? I want to use something more secure than the Windows XP screen saver program which I know is a joke when it comes to high grade security. I will use the program on my own PC only and I do not have any need for network secure desktop software. Obviously, I don't want to restrict my access to critical programs or components within Windows XP; I just want to be able to push a button and know that unauthorized access is virtually impossible. Thanks.
 
Jun 26, 2004 at 10:06 PM Post #3 of 33
Firstly, set a strong password for your personal account on your machine (a combination of at least two of the following: uppercase characters, lowercase characters, numbers, symbols; at least 8 characters long, and without any semantic value). For example, EhK)93P0l would be a strong password. And use a VERY strong password for the administrator account (12+ characters, and all 4 classes of character).

Next, disable the welcome screen, and then you're all set. Whenever you want to leave your machine just hold the Windows key and press L, that will lock the machine (logout).

This is more secure than most, and quite trouble free, but it can be circumvented using any number of programs that can read or alter the passwords for the WinXP accounts. (I use MicroSCOPE when I need to do that).
 
Jun 26, 2004 at 10:21 PM Post #4 of 33
The_MAC:

I did read the CERT and UPENN papers on desktop security and I am employing all of their recommendations thus far. Furthermore, I do have a very strong 30+ character alpha/numeric/symbolic password which I change at least twice every week without fail (this is my ingrained personal habit) and I have disabled the guest account in Windows XP Professional. All I need left to do is to get a top rated and award winning secure desktop software program. I'm doing some research on line and I'm getting confused. I want something that is award winning and sophisticated with one-click lock down of my LAN network, Internet connection, e-mail, and Windows XP Professional OS that utilizes a separate RSA encryption system / algorithm password apart from my Windows XP Professional administrator password. What do you recommend?
 
Jun 26, 2004 at 10:57 PM Post #5 of 33
Quote:

Originally Posted by Welly Wu
The_MAC:

I did read the CERT and UPENN papers on desktop security and I am employing all of their recommendations thus far. Furthermore, I do have a very strong 30+ character alpha/numeric/symbolic password which I change at least twice every week without fail (this is my ingrained personal habit) and I have disabled the guest account in Windows XP Professional. All I need left to do is to get a top rated and award winning secure desktop software program. I'm doing some research on line and I'm getting confused. I want something that is award winning and sophisticated with one-click lock down of my LAN network, Internet connection, e-mail, and Windows XP Professional OS that utilizes a separate RSA encryption system / algorithm password apart from my Windows XP Professional administrator password. What do you recommend?



Out of curiosity, why the paranoia? Is the machine in a location that is commonly wandered by strangers and frequently left unattended for extended periods? Is the machine physically secure? (all switches, accesses, etc locked or disabled?)

A little more background would really help me understand your goals here. (Most people never need anything more than a screensaver password and the vast majority of people can't get past that, which is why I'm curious).
 
Jun 26, 2004 at 11:04 PM Post #6 of 33
Yes and yes to both questions. My only goal is to get a secure desktop utility program and all indications are pointing to Spytech SpyLock 4.0. Do you know anything about this program?

I am both curious and fascinated by security -- financial, technology, personal -- and I only need this secure desktop utility program to complement my robust system of multi-layered computer security.
 
Jun 26, 2004 at 11:06 PM Post #7 of 33
This probably isn't what you're looking for, but a lot of USB flash drives (Sony Microvault is what I have) have software along with them that lets you use it as a dongle. Plug it in, run the program, unplug it, and it's locked down until you plug the drive back in. On mine, at least, Ctrl-Alt-Del is disabled when it's running. Of course, you can just reboot the computer and you're in... But that's the same with anything.

Also of note, if you're really paranoid, get a lock for your optical drives. Someone could pop a live Linux distro in (like Knoppix), reboot, crack your passwords, and be in. Or just steal your files without bothering to get passwords.

(-:Stephonovich:)
 
Jun 26, 2004 at 11:14 PM Post #8 of 33
Quote:

Originally Posted by Stephonovich
This probably isn't what you're looking for, but a lot of USB flash drives (Sony Microvault is what I have) have software along with them that lets you use it as a dongle. Plug it in, run the program, unplug it, and it's locked down until you plug the drive back in. On mine, at least, Ctrl-Alt-Del is disabled when it's running. Of course, you can just reboot the computer and you're in... But that's the same with anything.

Also of note, if you're really paranoid, get a lock for your optical drives. Someone could pop a live Linux distro in (like Knoppix), reboot, crack your passwords, and be in. Or just steal your files without bothering to get passwords.

(-:Stephonovich:)



Stephonovich:

Thanks for the USB dongle key suggestion but I do not want to rely on that type of physical security; I know what you're talking about but I just don't think it is the right match for me based on my goals and needs. My research is telling me that a secure desktop software program can restrict and disable floppy drives, optical drives, USB ports, and other security loopholes without relying upon an external physical device to initiate a lock-down sequence.
 
Jun 26, 2004 at 11:15 PM Post #9 of 33
It depends on how serious you are about it and how much you're able to spend. I use RSA's ACEServer with the SecurID fobs on my work-related computers which store client information. The startup cost of the ACEserver, fobs, etc (minus the server hardware you'll need) was about GBP£6,000. This is only the start of an 'airtight desktop', but I've found it's an effective first step.
 
Jun 26, 2004 at 11:15 PM Post #10 of 33
Spylock will work, but I'm just wondering if you'll be paying for more than you really need, that's all.

But then again, an ounce of prevention is worth a pound of cure, and the financial impact of even a minor security breach can be huge (depending on the function and information on the machine). I'd had the impression from your first post that this was for your personal machine at home, which is why I was wondering about your zealousness, but if it's for a business environment, then for sure Spylock is an excellent tool.

And Stephonovich, the machine is (I'm assuming) in a locked cabinet or in an otherwise secure location that's not user accessible, and it has no exposed USB ports. Even still, an intrepid hacker could cut the wire to a USB mouse or keyboard then splice in and get some degree of interaction that way, which is why Spylock shuts that down as well. Spylock can be set to automatically run at logon, and even the Windows logon screen would be enough to thwart most people who just try to reboot and go from there. But even after that, Spylock is a second layer.

Go for it Welly
 
Jun 27, 2004 at 12:28 AM Post #11 of 33
Ah; I was under the impression this was a personal machine. No, a dongle wouldn't be very good, then. Although, seriously, a dongle is (IMO) the most secure possible way to secure a machine, provided the software for it is well written. It's extremely difficult to copy, can't be bypassed, and is very easy to spot if it's missing.

Security is really just about layers. A software suite may be able to lock down your system, but someone could still load a Live CD and bypass everything. So you get physical locks for your drives. They could still plug in an external drive, so you get a locking case. A dongle is one possible piece of a security layer, as is a software suite.

(-:Stephonovich:)
 
Jun 27, 2004 at 12:43 AM Post #12 of 33
Welly, since this is a home PC you need to guard against three things:
1) someone across the network stealing your data
2) someone gaining physical access to your computer
3) someone stealing your hardware.

To guard against #1 you need to put your computer behind a firewall or NAT box. Software firewalls are not good enough. You should turn on the built-in Windows XP firewall, but that is not enough. You need a proper firewall box. Software firewalls like ZoneAlarm, etc. are okay but generally not worth the money because they do not provide comparable protection to a hardware firewall.

To guard against #2, a passworded Windows screensaver is fine. Seriously. It uses exactly the same login mechanism as Windows itself. Don't buy into the hype and buy unnecessary add-on products.

#3 is the most dangerous. If someone steals your hardware you risk them gaining access to all the data stored therein. To prevent this, turn on NTFS encryption for each of your hard drives and encrypt all the files. Once you do this, if someone gains physical access to your hard drive, they will not be able to read your files. Password-protected dongles/USB keyfobs are unnecessary (and often laughable) gimmicks. You can format a USB key drive to NTFS and turn on NTFS encryption on it just like you can on a regular hard drive. There is no need to buy or use proprietary software solutions. Don't fall for the advertising/gimmicks/hype. Microsoft's NTFS has been audited for C2-level security by the US Department of Defense. None of the commercial products priced at consumer levels have.
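
To check that the password-protected screen saver recommended above is actually in effect, the following added example (not part of the original post) reads the current user's screen-saver settings from the registry and lists what is missing; it also wraps the command-line equivalent of the Windows key + L lock mentioned earlier in the thread. It assumes Windows PowerShell, which did not ship with Windows XP; the function names and the 600-second threshold are hypothetical.

```powershell
# Added example: audit the idle-lock (screen saver password) settings of the current user.
# Assumption: Windows PowerShell is available; function names are illustrative only.

function Get-DesktopValue {
    param([string]$Name)
    # A Group Policy value, when present, overrides the per-user Control Panel value.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.PSObject.Properties[$Name].Value }
    }
    return $null
}

function Test-IdleLock {
    param([int]$MaxTimeoutSeconds = 600)   # threshold chosen for illustration
    $active  = Get-DesktopValue 'ScreenSaveActive'
    $secure  = Get-DesktopValue 'ScreenSaverIsSecure'
    $timeout = Get-DesktopValue 'ScreenSaveTimeOut'
    $saver   = Get-DesktopValue 'SCRNSAVE.EXE'

    $findings = @()
    if ($active -ne '1') { $findings += 'Screen saver is not enabled.' }
    if (-not $saver)     { $findings += 'No screen saver is selected, so it never starts.' }
    if ($secure -ne '1') { $findings += 'No password is required on resume.' }
    if (-not $timeout -or [int]$timeout -lt 1 -or [int]$timeout -gt $MaxTimeoutSeconds) {
        $findings += "Idle timeout is '$timeout' s; expected 1..$MaxTimeoutSeconds."
    }
    return ,$findings   # leading comma keeps an empty result as an array
}

function Lock-Workstation {
    # Same effect as pressing the Windows key + L.
    rundll32.exe user32.dll,LockWorkStation
}

$result = Test-IdleLock
if ($result.Count -eq 0) { 'Idle lock is configured.' } else { $result }
```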
 
Jun 27, 2004 at 1:06 AM Post #13 of 33
Quote:

Originally Posted by Stephonovich
Security is really just about layers. A software suite may be able to lock down your system, but someone could still load a Live CD and bypass everything. So you get physical locks for your drives. They could still plug in an external drive, so you get a locking case. A dongle is one possible piece of a security layer, as is a software suite.


You could set your machine to boot straight from the hard disk in the BIOS, and lock that down with a heavy duty password. But of course, if they had access to the actual machine they could pull the BIOS battery and reset it.

I find that a Windows password is enough for me and I lock my machine whenever I walk away from it. I'm much more into strengthening my wireless network with WPA encryption etc. than simply keeping people from using my desktop.
 
Jun 27, 2004 at 2:06 AM Post #14 of 33
LAN & Wi-Fi PROTOCOLS:
1. Enable DHCP Server and use the absolute minimum number of DHCP users
2. 802.11G or 54MB/S mode only
3. I change my SSID twice per week
4. I disabled SSID Broadcast
5. I change my Wireless Channel once per week
6. I use WPA Pre-Shared Key and WPA AES Algorithm with a 15+ character alpha/numeric/symbolic combining both UPPER and lower case WPA Shared Key (I change this key twice randomly each week)
7. Group Renewal Key is under 90 seconds
8. I enabled a Wi-Fi Wireless MAC Filter and permit only PCs with manually inputted MAC Addresses of each 802.11b/g Wi-Fi enabled device
9. I changed my RTS Threshold, Fragmentation Threshold, and Beacon Interval (I change this once per week)
10. I enabled HARDWARE FIREWALL PROTECTION and Block Anonymous WAN Requests
11. I enabled a MAC Filter for all of my computers connected via Category 5e / RJ45 cables and permit 24 hour access for only PCs with manually inputted MAC and corresponding IP addresses
12. I change my router's password twice randomly each week
13. I disabled Remote Management and I set up a KERIO Personal Firewall to block port 8080
14. I disabled UPnP
15. I check for firmware updates for my router each week and update frequently
16. I check my DHCP Clients Table once per week to ensure the validity of PCs using my LAN & Wi-Fi networks

INTERNET PROTOCOLS:
1. I use Mozilla FireFox 0.9 with TLS 1.0 and SSLs 2.0 / 3.0 and I use my own personal certificates with OCSP validation for all certificates
2. I use Mozilla ThunderBird 0.7 with personal certificates and verified security devices
3. I use FileZilla with 128bit SSH encryption to upload and download critical files to my Comcast FTP site
4. Internet Explorer: I don't use it

ENCRYPTION PROTOCOLS:
1. I enabled Windows XP Professional encryption for all of my fixed disks and removable disks
2. I use PGP Personal 8.0.3 with an RSA 4096bit signed key with a personal photo and a 30+ character alpha/numeric/symbolic with UPPER and lower case passphrase
3. I use PGP Disk using my PGP RSA 4096bit signed public key to secure my Iomega ZIP disks to store my most critical data
4. I use PKWARE SECUREZIP 8.0.x and BZIP2/Maximum compression along with an AES 256bit key with a separate 10+ character alpha/numeric/symbolic with UPPER and lower case password to compress and secure my most critical data that is DOUBLE ENCRYPTED with my PGP RSA 4096bit public key as well
5. I use the built in Iomega Read/Write password

MICROSOFT WINDOWS XP PROFESSIONAL SP-1a PROTOCOLS:
1. Disabled automatic updates, system restore, remote management
2. Disabled file & printer sharing
3. ENCRYPTED select directories on my HDD
4. Disabled guest account
5. Disabled fast user switching
6. Disabled Welcome Logon Screen
7. I change my password randomly twice per week and I use a 25+ character alpha/numeric/symbolic with UPPER and lower case password
8. I use X-SETUP PRO to close some more obscure security loopholes
9. I disabled Active Desktop
10. I disabled using a wallpaper
11. I do a Windows Update twice per week
12. I read Ars Technica
13. I read the Carnegie Mellon CERT bulletins, alerts, and website
14. I read Microsoft Windows Expert columnists
15. I read both PC Magazine and PC World
16. Windows XP Professional FIREWALL ENABLED on ALL COMPUTERS and both SERVER and MY PC have KERIO PERSONAL FIREWALL 4 installed and configured
17. Awaiting to install the Microsoft Windows XP Professional Service Pack 2 patch
18. Automatic deletion of system swapfile upon reboot / shutdown

MICROSOFT OFFICE XP PROFESSIONAL:
1. I uninstalled it
2. I don't use it

Spybot Search&Destroy PROTOCOLS:
1. I setup for automatic scanning for spyware, adware, and malware every 24 hours
2. I setup for automatic database updates every 24 hours

VCOM SYSTEMSUITE 5.0 PROTOCOLS:
1. Automatic weekly HDD, Registry checkups
2. Automatic weekly VCOM SystemSuite 5 updates
3. Automatic monthly HDD and registry defragments
4. Automatic weekly HDD S.M.A.R.T. checks
5. Automatic weekly disk cleanup
6. Automatic weekly full system diagnosis and checkup
7. Automatic anti-virus scans every 12 hours
8. ENABLED firewall

DANTZ RETROSPECT PROFESSIONAL 6.5.X PROTOCOLS:
1. Automated weekly master & differential backups
2. Setup a third separate DES encrypted password for my backup sets
3. Manual backup of Retrospect Snapshots onto DOUBLE ENCRYPTED ZIP disks
4. Automatic double backup Retrospect Catalog onto 1. DVD +RW and 2. DVD-R media combined

PERSONAL FINANCES PROTOCOLS:
1. I change my banking routing number, credit card numbers, debit card numbers, PINs once every quarter
2. I read financial newspapers, books, and watch tv programs
3. I just hired a certified financial planner to help me "cover my bases"
 
Jun 27, 2004 at 3:08 AM Post #15 of 33
Umm, ok...no hint of paranoia here.

Uh Uh...none at all!
