StartSafe - Preparing a computer for the Internet
Advanced StartSafe Measures
The Minimal StartSafe steps described in the sections above are the absolute minimum steps required for all computers. These steps are equivalent to buckling a seat belt before driving in an area prone to wrecks. The following steps are more advanced, requiring additional computer knowledge and/or a willingness to trade some convenience, time, or functionality for additional risk reduction. These steps are oriented toward individuals more proficient with computers or as guidelines for support staff implementing organizational standards.
- Windows specific:
- Upgrade to Internet Explorer 11. It has many features and improvements to reduce risk over previous versions.
- Install and use the Microsoft Enhanced Mitigation Toolkit and enable it for all your installed applications.
- Tell your computer to store more information about what it is doing. This may help you troubleshoot or determine damage in the event of a breach.
- Log more information by enabling more audit options using Local Security Policy under Administrative tools. Example: process tracking.
- Set auditing on highly sensitive files. This will create event log entries when those highly sensitive files are accessed or changed. Doing so may tell you if a malware process or other user accessed your highly sensitive file. (Note: Mistakes in the set up of Local Policies, file permissions, or file auditing may result in severe operational difficulties)
The following steps are generally harder to accomplish and have more operational impact than the previous steps
Use Windows AppLocker or Software Restriction Policies which can prevent your computer from running unwanted programs. Antivirus sofware attempts to stop bad programs and is not very successful these days. Tools like AppLocker only let good programs run which is a lot easier to do right but may have more operational impact. A middle ground solution that doesn't involve identifying all possible good software is to configure it so it will only run programs from administrator controlled locations. A step by step example using Software Restriction Policies can be found at http://www.mechbgon.com/srp (external site). (Note: Mistakes in the set up of AppLocker or SRP configurations may result in severe operational difficulties)
Disable scripting and other browser functionality that increases risk. This can be done relatively easy in the Firefox browser using the NoScript add-on making it practical for everyday use. Not so much for other browsers. With Internet Explorer, you can disable scripting in the "Internet" zone by setting security to "High" and add sites needing scripting to the "Trusted Sites" zone as necessary but this isn't really practical or effective for a general use computer.