[stevebrot]

Yes for sure, but have to do something stupid to get attacked, social engineering thing.

Share your external IP and we will see how long you last


Steve

[beachgardener]

I have said enough, time to exit this thread.

[PDL]

Wow, you guys are a trip.

As for me, I have several versions of Windows running on my devices, (Server 2003 (XP kernel), Vista (32 bit for comparability), Windows 8.1 and 10) and I have one Linux machine that I am having issues with and will probably have to re-install or the hardware is broken. I do have a Windows 2000 box sitting on the floor that has not be turned on since 2001.

I started out with PC's on a TRS-80 Model I, switched to Microsoft MS-DOS at v2.0 and have moved on through the follow on OS versions to Windows 10. I was on the Windows 95, Window 3.0 and Windows NT beta teams. After I received my degree in CS (DEC PDP-11 and a Apple II (for UCSD Pascal - I had Turbo Pascal on my TI-Pro)) I worked on Big Iron (MVS, VM, I worked with Research people using the CDC and Cray) and various PC vendors (Compaq, HP, IBM, Dell and some no names that no longer exist).

I was my engineering groups PC coordinator that implemented all the desktop computers for the organization and brought one, if not the first, production Windows NT server into the company. I still have the Certificate of appreciation for assisting with writing up the first corporate wide Windows NT security guideline and implementation document. I introduced and wrote setup processes for Windows NT (v3.0, 3.51 and 4.0 - Workstation and Server). At the next corporation I worked for I introduced Windows 2000 (Workstation and Server) and XP to the Software Engineering group and the basic setup ended up being the basis for their corporations global roll-out of both OS's to well over 100,000 PCs across the planet (hence Global Network).

At the personal level, I have never had a significant virus infestation on any of my devices. (A Microsoft Word macro issue - but no real viruses)

While on the job the guidelines we used really did not allow for most viruses to get past our firewall. (Not a PC issue in itself, but our security officer locked the campus firewall down to where we had to get technical reasons to open a port to the (get this) Global Corporate Network). If the vendor or software engineer could not justify using a port, it was blocked by default. While I worked there, we missed Code Red and other misbehavior's of the era and had no breaches i.e. nothing, nada, zip for the 9 years I was there.

All that said, here are some basic rules:

1. Always do day-to-day work with a reduced privileged account.
2. When using a high privileged account (Administrator Group- Windows, root Linux/OSX) Never - ever - go to the internet unless you are absolutely sure that the target is not sending malware.
3. Turn on Adblocker, or your favorite blocker, in your browser of choice.
4. Never by default have your browser store passwords - EVER.
5. Use passphrases, not Words. i.e. Pentax1stheB#st-thing-going - Don't use this one as it is in the "public" arena (No, I do not use this anywhere).
6. Get a password vault and use it to keep your passphrases off of the Post It Notes®.
7. Run a full virus scan aka "deep scan" at least once a month.
8. Get security updates on a regular basis.
9. Buy a large (I have a 8TB drive) for full system backups.
10. Backup your DATA (yeah I am yelling) as you see fit on something that is not usually connected to your base device.
11. If you are running Windows - Rename the "Administrator" built in account to something else. Bob, John, Sue, Mustang - anything but Administrator. I do not believe that root can be renamed to something else on Linux or OSX.
12. If you are using Windows 10 - spend the money to upgrade to Pro where you can turn a great deal of the supposedly bad stuff off.

[stevebrot]

All that said, here are some basic rules:

Always do day-to-day work with a reduced privileged account.
When using a high privileged account (Administrator Group- Windows, root Linux/OSX) Never - ever - go to the internet unless you are absolutely sure that the target is not sending malware.
Turn on Adblocker, or your favorite blocker, in your browser of choice.
Never by default have your browser store passwords - EVER.
Use passphrases, not Words. i.e. Pentax1stheB#st-thing-going - Don't use this one as it is in the "public" arena (No, I do not use this anywhere).
Get a password vault and use it to keep your passphrases off of the Post It Notes®.
Run a full virus scan aka "deep scan" at least once a month.
Get security updates on a regular basis.
Buy a large (I have a 8TB drive) for full system backups.
Backup your DATA (yeah I am yelling) as you see fit on something that is not usually connected to your base device.
If you are running Windows - Rename the "Administrator" built in account to something else. Bob, John, Sue, Mustang - anything but Administrator. I do not believe that root can be renamed to something else on Linux or OSX.
If you are using Windows 10 - spend the money to upgrade to Pro where you can turn a great deal of the supposedly bad stuff off.

Dang! That looks a lot like my list. You forgot one point

13. Unless you have a very special reason, NAT your Internet gateway and configure for zero open ports.

I am guilty of laxity on this last point in that my CenturyLink approved DSL router is configured by them to both listen for instructions and call home. I so much need to configure it as DSL bridge only and host the gateway on a proper router with a proper firewall.


Steve

(...forgot as I am typing this that my other computer is turned off when it should be verifying its RAID and doing its weekly deep Av scan...)

[Digitalis]

The list @PDL provided is very thorough and certainly a good place to start with securing any system.

One thing that is important to know about network security, is that if you have a hardware firewall and set it up properly there is absolutely no need to use a software one. If you have to deal with less than secure connections or websites of questionable legitimacy I will use a Virtual machine connected to a Virtual network - the VM is itself sandboxed in such a way if malware/trojans/exploits are used against me any damage caused is contained and largely inconsequential.

Two step authentication is very good for securing websites that contain personal information, if it is offered - use it.

Always do day-to-day work with a reduced privileged account.

I'm guilty of this sin, I'll admit I'm a bit of a control freak when it comes to my Pc's so I prefer to use higher privileged accounts than I probably should. My non-Admin NAS accounts on the other hand are heavily restricted, some folders on my backup devices are read only while several others are flat out access denied.

Use passphrases, not Words

+1 I certainly agree with this, and I use a nonsense phrase rather than any references to literature.

Get a password vault and use it to keep your passphrases off of the Post It Notes®.

Again, I have Sinned here. I do store some of my passphrases in hard copy, but they are only readable under a difficult to produce and specific frequency of light, and even then they are still in code.

Buy a large (I have a 8TB drive) for full system backups.

+1 I have hundreds of terabytes of on site backup and off site. Plus a copy of data that I keep stored at work on servers I helped build and maintain.

f you are running Windows - Rename the "Administrator" built in account to something else. Bob, John, Sue, Mustang - anything but Administrator. I do not believe that root can be renamed to something else on Linux or OSX.

+1 I do this by default, Unfortunately for Linux Root cannot be renamed - it is one of the few things in Linux that is set in stone. But for windows, only use Admin accounts when you really have to.

[stevebrot]

+1 I do this by default, Unfortunately for Linux Root cannot be renamed - it is one of the few things in Linux that is set in stone.

Don't forget the evil minion...sudo...


Steve

[WorksAsIntended]

Backup on a single hdd is a very bad idea.

[Serkevan]

Again, I have Sinned here. I do store some of my passphrases in hard copy, but they are only readable under a difficult to produce and specific frequency of light, and even then they are still in code.

And here I am committing most everything to memory...

[Digitalis]

And here I am committing most everything to memory

if you knew what I know about cryptography, you would know how futile that would be right now.

[Serkevan]

The passwords are generally pretty long strings of words in different languages with special characters, numbers and caps thrown in between (or l33t sp34k at random), so they are pretty easy to remember and pretty hard to decipher, but yeah, I know I should probably be a bit more thorough.
Playing videogames means I'm in a constant minefield and I'm about to give up on a couple games that will force Easy Anticheat (kernel "totally not spyware" level) in the coming months. Bummer, but I'm not installing that. At this rate I will probably have to give up on online multiplayer altogether.

[fs999]

Always do day-to-day work with a reduced privileged account.
When using a high privileged account (Administrator Group- Windows, root Linux/OSX) Never - ever - go to the internet unless you are absolutely sure that the target is not sending malware.
Turn on Adblocker, or your favorite blocker, in your browser of choice.
Never by default have your browser store passwords - EVER.
Use passphrases, not Words. i.e. Pentax1stheB#st-thing-going - Don't use this one as it is in the "public" arena (No, I do not use this anywhere).
Get a password vault and use it to keep your passphrases off of the Post It Notes®.
Run a full virus scan aka "deep scan" at least once a month.
Get security updates on a regular basis.
Buy a large (I have a 8TB drive) for full system backups.
Backup your DATA (yeah I am yelling) as you see fit on something that is not usually connected to your base device.
If you are running Windows - Rename the "Administrator" built in account to something else. Bob, John, Sue, Mustang - anything but Administrator. I do not believe that root can be renamed to something else on Linux or OSX.
If you are using Windows 10 - spend the money to upgrade to Pro where you can turn a great deal of the supposedly bad stuff off.

3b. Install NoScript

[WorksAsIntended]

It is right, you cannot rename root on linux, but you can alter pam in a way that root login is only possible in specific ways.
In addition: For ssh the PermitRootLogin is set to no as default on most distros now.

[Digitalis]

ssh the PermitRootLogin is set to no as default on most distros now.

Really? I'm amazed it took that long to do that.

[WorksAsIntended]

Well, there are a lot of debatable things on Gnu/Linux systems too.

[carlb]

Well, as someone who is not very computer literate, I reluctantly "upgraded" to W10 via a new laptop over the weekend, and the best thing I can say is that I'm underwhelmed. Apart from ending up with my personal email account in the Windows 10 email programme (which works like rubbish) rather than Outlook with my business account, the screen resolutions are all over the place. I've got some programmes where some of the text is the right size but other parts are so small I can barely read it.

As a novice I don't know how to fix this (even if it's possible) but from a working point of view it's a mess. I guess I'll just have to do plenty of googling. And if anyone can tell me how to delete my personal email from W10 email and get it back into Outlook then I'd be very grateful.

I should have stayed with W7. So should Microsoft - it just worked well.