Steps to improve your digital security (Windows + Linux)

Windows Laptops/Desktops

  1. Configure UAC (User Account Control). UAC prompts you whenever a program asks for administrator rights, so an installer or updater cannot elevate silently: a standard user is asked for an administrator's password, and an administrator is asked to confirm. The prompt is drawn on a dimmed secure desktop that other programs cannot click for you. Here is how to raise the UAC level if it is still at the default.

To start, hit the Windows Key + R to open the Run box, type Control Panel and hit OK. Select “User Accounts”, select “User Accounts” again, then “Change User Account Control settings”. If you are prompted, select Yes to continue.

Move the slider all the way up to “Always notify”, then hit OK to save and exit. At this level you are also prompted when you change Windows settings yourself, not only when a program requests elevation, which is the point: nothing elevates without a prompt.

  2. Set a BIOS/UEFI administrator password. To start, shut down your computer. On boot, repeatedly press your machine's setup key (usually F2 or Delete, sometimes F1, F10 or Esc; the vendor's boot splash normally names it) to enter the firmware setup menu. The layout differs between vendors, but the options below exist on almost all of them.

Find an option that says “Set Administrator Password” (some vendors call it “Supervisor Password”; navigate the menu with the arrow keys) and hit Enter, then enter and confirm the password. This stops anyone with physical access from changing the boot settings below without the password. It does not protect the data on the disk: a removed drive can still be read unless it is encrypted.

  3. Switch to UEFI and enable Secure Boot. If you are still in the firmware setup, go to the Boot or Advanced tab. If you see something like “BIOS mode” or “CSM” set to Legacy, change it to UEFI, then set “Secure Boot” to Enabled so the firmware only loads signed boot loaders. Caution: an existing Windows installation on an MBR-partitioned disk will not boot in UEFI mode until the disk is converted to GPT (Windows ships the mbr2gpt tool for this), so check before you switch. Also look for the boot order and disable USB booting and network (PXE) booting so nobody can boot their own OS from a stick. Then go to the Exit tab and hit Save and Exit.

  4. Configure Windows Defender Firewall. Go to Control Panel, select “System and Security”, then “Windows Defender Firewall”. Choose “Turn Windows Defender Firewall on or off” and turn it on for the domain, private and public network profiles (it is on by default; this confirms nothing has switched it off).

When an application first tries to listen for incoming connections, you should now see a Windows Security Alert like the one shown,

asking on which network profiles the app may accept inbound connections. Tick Private (and Domain, if you are on one) only for programs that genuinely need to accept connections, and leave Public unticked so the program is not reachable on hotel or café Wi-Fi. Outbound connections are allowed by default and are not affected by this prompt. If you want more information about Windows Firewall, here are some sites that will further elaborate.

Microsoft - Windows Defender Firewall

How to Optimize Windows Firewall Security

  5. Disable the built-in Administrator account. It is disabled by default on Windows 10 and 11 client editions, but it is worth confirming. Open PowerShell as an administrator (the command needs elevation; a standard user gets “Access is denied”) and paste:

net user administrator /active:no

The account should then be disabled (the /active:yes form re-enables it if you ever need it). For more info, visit the page below.

Microsoft - Disable Admin Account

  6. Use strong passwords on every local account (this is what SSH checks). Windows has no separate “SSH password”: OpenSSH Server is an optional feature that is not installed by default, and when it is enabled it authenticates with your ordinary Windows account credentials. So the protection against someone logging in remotely and running malicious software is twofold: do not enable OpenSSH Server unless you need it, and give every enabled local account a strong password. To change a password, open PowerShell as an administrator and run:

net user [username or Administrator] *

The * makes net user prompt for the new password instead of leaving it in your command history; passing it as the last argument, as in net user [username] [new password], also works. If you want to learn more about OpenSSH on Windows and how to set it up, please see this website

Microsoft - Configure SSH

  7. Install a third-party antivirus. Windows Defender is good for basic tasks; however, a third-party antivirus such as Avast Free is, in my view, a better option for detection and securing your system.

To install Avast, go to Avast | Download Free Antivirus & VPN | 100% Free & Easy and download the setup .exe. Run it and go through the steps. Windows Defender's real-time protection switches itself off once another antivirus registers with Windows Security, so you will not be running two scanners at once.

When it is done, you should see a screen like the one shown. After installing, run a full scan and clean your PC.

ChromeOS (Linux development environment) and Debian/Ubuntu-based Linux Machines

  1. Change the root and normal user passwords. Open the terminal as the normal user and type

passwd

You will be prompted for your current password and then for the new one twice.

Enter your old or system-default password (look up your distro's default) and choose a new one. When you are done with your user account, type the following.

sudo -i

and enter your password. You are now in a root (superuser) shell. Run passwd again to set root's password, then exit. On Ubuntu the root account has no password and is locked by default; if you leave it that way, root is only reachable through sudo, which is fine.

  2. Install and configure UFW (Uncomplicated Firewall).

*Note: this firewall setup may break some applications, and you may have to write a custom rule for each program. If you do not want to do this, skip this part of the tutorial.

The commands below all use sudo, so stay logged in as your normal user. First refresh the package index so you get the current ufw package:

sudo apt-get update

If apt prompts you (for example about a changed configuration file), read the prompt; the default answer is usually right. Next install UFW:

sudo apt install ufw -y

After the install, use nano or vim to edit the config file:

sudo nano /etc/default/ufw

You should see a short list of KEY=value settings.

Arrow down to the IPV6 line and make sure it reads IPV6=yes; otherwise ufw does not filter IPv6 at all, and a deny-all policy would still let IPv6 traffic through. Then hit Ctrl+X; nano asks whether to save. Hit y and then Enter to save and exit. Then type:

sudo ufw disable && sudo ufw enable

Then type

sudo ufw default deny incoming

And

sudo ufw default deny outgoing

Your system now blocks all incoming connections and, until you add the rules below, all outgoing ones too, so run these straight away. To allow DNS and web browsing, type

sudo ufw allow out to any port 80

sudo ufw allow out to any port 443

sudo ufw allow out to any port 53

sudo ufw reload

sudo ufw status verbose

Port 53 with no protocol given covers both UDP and TCP, which DNS needs. Anything else that talks out (mail, SSH to other machines, NTP time sync on 123/udp, a VPN) needs its own allow out rule, and sudo ufw status verbose lists what is currently open. If this does not work, consult your programs' and distro's documentation.

  3. Uninstall outdated file-sharing and networking tools.

*Note: some users may have programs that rely on these tools. If so, skip this part of the tutorial.

Services like FTP, Telnet, TFTP, rsh/rlogin and NIS are obsolete: they send logins and data in cleartext, so anyone on the path can sniff them or tamper with them (man-in-the-middle). Especially on Linux servers it is important to remove them if they are installed. To do so, run the following in your terminal. Note that apt-get reports a known-but-absent package as “not installed, so not removed” and carries on, but stops with “Unable to locate package” for a name your distro's repositories do not carry, so drop any such names from the list.

sudo apt-get --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server
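Before purging, find out what is actually installed and what is actually listening. This is an added example, not part of the original post: it reads dpkg-query and ss output on stdin (so it also works on saved output; the sample input used in testing is constructed), reports any legacy cleartext service that is listening, and builds the purge command from only the packages present. The port list for rexec/rlogin/rsh (512 to 514) is the classic assignment and my addition.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: check which legacy packages are
# installed and which cleartext services are listening before purging.
#   bash legacy-audit.sh audit     # live audit of this machine
# The parsing functions read stdin, so they also work on saved output.
set -u

# Package names from the post.
LEGACY_PKGS="xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server"
# Classic cleartext service ports: 21 ftp, 23 telnet, 69 tftp,
# 512 rexec, 513 rlogin, 514 rsh (my addition; extend as needed).
LEGACY_PORTS="21 23 69 512 513 514"

# Input: "<package> <status>" lines as printed by
#   dpkg-query -W -f='${Package} ${db:Status-Status}\n' $LEGACY_PKGS
# Output: the legacy packages whose status is exactly "installed".
installed_legacy() {
    while read -r pkg status; do
        [ "$status" = "installed" ] || continue
        for want in $LEGACY_PKGS; do
            [ "$pkg" = "$want" ] && { printf '%s\n' "$pkg"; break; }
        done
    done
    return 0
}

# Input: `ss -ltun` output (listening TCP and UDP sockets, numeric ports).
# Output: "<proto> <port> <local address:port>" for each legacy port found.
legacy_listeners() {
    awk -v ports="$LEGACY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $2 == "LISTEN" || $2 == "UNCONN" {
            addr = $5; port = addr; sub(/.*:/, "", port)
            if (port in want) print $1, port, addr
        }'
}

# Input: the same dpkg-query lines. Output: a purge command naming only the
# packages that are installed, so apt-get does not stop on names your
# distro does not carry.
purge_command() {
    pkgs=$(installed_legacy | tr '\n' ' ')
    pkgs=${pkgs% }
    [ -n "$pkgs" ] || { echo "nothing to remove"; return 0; }
    printf 'sudo apt-get --purge remove %s\n' "$pkgs"
}

if [ "${1:-}" = "audit" ]; then
    echo "# legacy listeners (proto, port, address):"
    ss -ltun | legacy_listeners
    echo "# suggested command:"
    dpkg-query -W -f='${Package} ${db:Status-Status}\n' $LEGACY_PKGS 2>/dev/null \
        | purge_command
fi
```

A listener on one of these ports that does not come from a package in the list (a telnet daemon started by a vendor script, say) still shows up in the first section, which is the case the package check alone would miss.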

  4. Set up Fail2ban. Fail2ban watches the authentication log and, when an address fails to log in too many times, blocks it in the firewall; that stops tools like xhydra from brute-forcing SSH passwords. To install and set it up, type the following in your terminal.

sudo apt-get install fail2ban

*Then configure it. Do not edit jail.conf itself (package upgrades overwrite it); put your overrides in jail.local, at minimum an [sshd] section with enabled = true:

sudo vim /etc/fail2ban/jail.local

sudo systemctl restart fail2ban.service

Fail2ban is now installed and configured; after a few failed logins from a test machine you should see its address in the banned list.
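A minimal jail.local for the SSH jail plus a check of what is enabled and who is banned, as an added example that is not part of the original post. The thresholds are my choices (a one-hour ban after 5 failures within 10 minutes, written in seconds so old and new fail2ban versions both accept them), and the sample fail2ban-client output used in testing is constructed in the layout that command prints.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: write a jail.local that enables
# the sshd jail, and parse fail2ban's own output to confirm it is working.
#   bash fail2ban-setup.sh print          # show the config that would be written
#   sudo bash fail2ban-setup.sh apply     # write it, restart, list current bans
set -u

# Thresholds are my choices; values are seconds so they are accepted by
# every fail2ban version (newer ones also take "1h", "10m").
: "${BANTIME:=3600}" "${FINDTIME:=600}" "${MAXRETRY:=5}"

# jail.local overrides jail.conf and survives package upgrades, which is why
# the "edit the config file" step should target it, not jail.conf.
jail_local() {
    cat <<EOF
[DEFAULT]
# ban for $BANTIME s after $MAXRETRY failures within $FINDTIME s
bantime  = $BANTIME
findtime = $FINDTIME
maxretry = $MAXRETRY
# never ban localhost; add your own trusted addresses here
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
EOF
}

# Read an ini-style jail file on stdin and print the names of sections that
# contain "enabled = true" (DEFAULT excluded): a sanity check of what you
# are about to activate.
enabled_jails() {
    awk '
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        $1 == "enabled" && $NF == "true" && sec != "DEFAULT" { print sec }
    '
}

# Read `fail2ban-client status <jail>` output on stdin and print the banned
# addresses one per line (nothing if none). The command lists them after
# the label "Banned IP list:".
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' \t' '\n\n' | grep -v '^$' || true
}

fail2ban_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    jail_local > /etc/fail2ban/jail.local
    systemctl restart fail2ban
    echo "enabled jails: $(jail_local | enabled_jails | tr '\n' ' ')"
    echo "currently banned by the sshd jail:"
    fail2ban-client status sshd | banned_ips
}

case "${1:-}" in
    print) jail_local ;;
    apply) fail2ban_apply ;;
    "")    ;;   # no argument: only define the functions
    *)     echo "usage: $0 print|apply" >&2; exit 2 ;;
esac
```

Put your own management addresses in ignoreip before you apply: a typo in your own password five times in ten minutes is otherwise enough to lock you out for an hour.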

  5. Install Lynis. Lynis is a security auditing tool: it checks your system for missing updates, vulnerable or unneeded packages, and additional ways to harden it. It is also in the Debian/Ubuntu repositories as the lynis package, but the git checkout is usually newer. To get it, open the terminal and type the following.
git clone https://github.com/CISOfy/lynis

cd lynis && sudo ./lynis audit system

Lynis does not install anything; it runs from the checkout (most checks need root, hence the sudo) and prints a report of warnings and suggestions, which it also writes to /var/log/lynis-report.dat. If you want to further secure your system or want extra tools, go to the site below.

40 ways to secure your linux system
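Summarising a Lynis run, as an added example that is not part of the original post. It parses the machine-readable report Lynis writes next to its log (/var/log/lynis-report.dat when run as root), whose warning[]= and suggestion[]= lines carry a test id and a message separated by |, and exits non-zero when any warning is present so it can gate a cron job. The sample report used in testing is constructed in that layout.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: run Lynis from the git checkout
# and turn its report into a short, greppable summary.
#   sudo bash lynis-summary.sh run   # audit (needs root), then summarise
#   bash lynis-summary.sh summary    # summarise the last report only
set -u

REPORT=${LYNIS_REPORT:-/var/log/lynis-report.dat}

# Report lines look like
#   warning[]=TEST-ID|message|details|solution|
#   suggestion[]=TEST-ID|message|details|solution|
#   hardening_index=65
# Print "KIND TEST-ID message" for every warning and suggestion on stdin.
lynis_findings() {
    awk -F'[|]' '
        /^warning\[\]=/    { sub(/^warning\[\]=/, "", $1);    print "WARNING", $1, $2 }
        /^suggestion\[\]=/ { sub(/^suggestion\[\]=/, "", $1); print "SUGGESTION", $1, $2 }
    '
}

# Print the hardening index (0-100) from a report on stdin, or "unknown".
lynis_index() {
    idx=$(sed -n 's/^hardening_index=//p' | head -n 1)
    printf '%s\n' "${idx:-unknown}"
}

# Count warnings in a report on stdin; return 1 if there are any, so the
# script can fail a cron job or a CI step until they are dealt with.
lynis_gate() {
    n=$(lynis_findings | grep -c '^WARNING' || true)
    echo "warnings: $n"
    [ "$n" -eq 0 ]
}

lynis_run() {
    [ "$(id -u)" -eq 0 ] || { echo "a full audit needs root" >&2; return 1; }
    [ -x ./lynis ] || { echo "run this from the cloned lynis directory" >&2; return 1; }
    ./lynis audit system --quiet
}

case "${1:-}" in
    run)     lynis_run && lynis_findings < "$REPORT" && lynis_gate < "$REPORT" ;;
    summary) lynis_findings < "$REPORT"
             echo "hardening index: $(lynis_index < "$REPORT")"
             lynis_gate < "$REPORT" ;;
    "")      ;;   # no argument: only define the functions
    *)       echo "usage: $0 run|summary" >&2; exit 2 ;;
esac
```

Warnings are the findings to act on first; suggestions are hardening ideas, and the index is only a rough progress number, so track it over time rather than chasing a particular value.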

Thank you for reading this guide on how to further secure Windows and Linux systems. If you have anything to add, please comment down below!

-CKJones


May I ask what the reasons are for setting UAC notification to max, why you think Windows Defender is not sufficient and need a third party application, and why Avast?


Hello DTM! UAC helps prevent malware from damaging your PC. You can also run apps in a better security context and can see what the program wants to do when it executes.
I do not like Windows Defender because it can significantly slow down your computer and has limited features for the people that security matters to.
I chose Avast because, personally, I think it is the best free antivirus for Windows, is good for scanning, and does not have a huge impact on your computer's performance.
I hope that you find this helpful!


Thanks for your quick response.

Do you have any further details about how UAC does this?

What is the better security context and how can I see what the program wants to do when it executes? Is that just the UAC prompt or is it something different?

Which limited features? Are they available in another version of the product?

Can you elaborate on why it’s good for scanning?


Hello @dtm, sorry for not responding sooner. On the topic of UAC, I found this article that might come in handy. How User Account Control Works | Microsoft Learn

On Windows Defender, I do not like how it has poor zero-day threat protection, as well as a lack of a password manager and VPN. However, it can also just come down to your usage. If you are a normal user that just browses the web and stays at home, Windows Defender is just fine. I just feel that for higher-risk or security requirements, Windows Defender just cannot cut it.

The reason that I recommended the Avast Free Antivirus is that it can also help protect your computer from ransomware and can scan your WiFi networks for vulnerabilities and threats.

I hope that you found this helpful!
-CKJones

Windows Defender was never designed to have mitigations against vulnerable code. The whole point of Windows Defender is to be a traditional anti-virus, scanning files on disk and checking files in memory. The biggest pain in the ass for offensive operations is when defender is paired with ATP through MDE using behavioral-detections. These obviously aren’t perfect but when it comes down to clicking that malicious OneNote document it helps when it works.

Defending against vulnerable code is a completely different function and classification. Mitigations that were spawned in Windows NT were subsequently named EMET and later Windows Exploit Guard, which has a collection of mitigations that address making the use of unpatched software or vulnerable software harder to exploit. The latest mitigations that Microsoft has pushed out and expounded upon from Windows 10 is increased security leveraged through Hyper-V called Virtualization Based Security (VBS). Though Core Isolation is not enabled by default, HVCI now is enabled by default in Windows 11 and has proven very difficult to get around.

In fact no vendor has 0-day protection, they have n-day protection through the use of patches, mitigations and good scanners. But it still can be bypassed if you know enough about your target and what they’ll do to view that resume.

Thanks for this, it was helpful.

Can you clarify what “zero day threat protection” is and how to assess its effectiveness for a product?

What does a high risk or security requirements environment look like? Does Defender not cut it because of its “zero day threat protection?”

I see a lot of AV products do this, how does Avast do it better?

What threats exist in WiFi networks and how does AV protect the threats and vulnerabilities?

Hello @dtm, thank you for your response. I suppose that “Zero Day Threat Protection” could be just keeping all programs up to date. Or just auto-optimizing programs for security. I am sorry for the misconception.

I guess what I was trying to say in a high risk security environment, was a big business or government network. Areas that more hackers would target. With that in mind, you would need a stronger antivirus like CrowdStrike or Avast. These platforms can be configured to stop downloads, or stop a program from running. It would also be easier to mass manage these platforms and push out patches for the computers.

While Avast is certainly not the best at protecting against ransomware, as a free solution it is definitely the most complete package. A lot of services like Mcafee have no, or limited, free antivirus capability.

Avast’s WiFi inspector can scan your network for vulnerable devices, and also checks your router for misconfiguration, weak or default WiFi passwords, firmware vulnerabilities, non-encrypted and unsecured networks, and open network ports. It can then inform you of these issues for you to fix.

I hope that you found this helpful, and I am sorry for the miscommunication.
-CKjones

Security matters to me and I just disable Windows Defender and have nothing on my system. Have never had an issue thus far.

Case-in-point would be if a new vulnerability in the tcpip.sys driver was found and was wormable what would avast or any anti-virus do to stop a wormable 0-day RCE running as SYSTEM through a Microsoft signed Windows driver?

Anti-virus products and Endpoint Detection Response products are fundamentally different solutions to the same problem.

Do you have a source that proves that?

Why would you want anyone scanning your network for you? Especially an Anti-Virus product doing “security” testing? Who’s to say that Avast doesn’t get a copy of your WiFi traffic since it has a network presence?

Hello, @c0z, I think that in theory Avast should scan everything, even Windows files through a 100 point checklist to determine if they are safe. If a file is unrecognized, Avast uses CyberCapture to copy and analyze that file. You can find more info here: How does Avast detect new malware?

As far as I can tell, Mcafee only has free trials, browser extensions, and disk cleaners. There is a malware detection tool from them called Mcafee Stinger, but it is no substitute for an antivirus.

Avast Network Inspector is an official tool from a trusted brand. I think that it is a secure and private tool for diagnosing network security issues. Again though, that is my opinion. If you do not feel safe, or feel that it is copying your WiFi traffic, just do not use it.

I hope you found this helpful!
-CKJones

Thanks! This helped a lot!

Very welcome, glad this helped!


  1. Open Avast Antivirus, go to Protection and then Network Scanner
  2. Click Scan Network
  3. If you are on a home network select Home; on a public one, select Public
  4. Wait while Network Scanner checks for security issues.

For More info go to: https://support.avast.com/en-us/article/use-network-inspector/#pc

For Windows I've been using OOSU10, pretty helpful for Windows.


@CKjones, thanks for the great post! I have really enjoyed the follow-up comments thread too (very healthy discussion :slight_smile:). It's been an eye opener for me in some contexts.

Thank you! I am glad this helped!
