New PC/Laptop Onboarding - Unboxing to Free Play
Last Updated: 2018-02-07
New Computer? Some Problems
Hello! Us nerds, we buy and build a lot of laptops and desktops. We obtain a lot of tablets, embeds, and mobile devices, too, but that's a subject of another article.
If you've looked out this guide you're probably technical. Feel free to print it off for family who are getting new devices or - if you, like me, get to be the family IT monkey - follow this guide pre-emptively if you're in the giving mood!
It cannot be overstated that for any device, security starts basically on unboxing. This guide isn't necessarily intended to provide you security against a targeted attacker, let alone prevent a thorough Mossading. If direct, targeted attacks are in your threat model, you need a much stricter security regimen. This is middling security, against casual or automated attack, meant to provide non-technical people with a good guide to setting up their system securely, and keeping it that way essentially automatically.
Why should I care?
Because banking trojans, password theft, identity theft, ransomware, and the like all suck. Chances are, if you have a computer, you run a fair amount of your life off it. Whether you think anyone would steal what you have on it is your own issue. I personally worry about that, but I also recognize it's a little concieted to worry about that sort of thing. That having been said, whether anything you have is of anything other than sentimental value is irrelevant. If my computer were ransomwared (or even just had the disk trashed by a less sophisticated issue), I would be out quite a bit of time, effort, and irreplacable photographs and save files and what not.
Or I would be, if I hadn't followed this guide more or less religiously since well before I wrote it.
What is the most secure computer/operating system?
The one that's kept up to date and used correctly. Seriously. Religious wars over OS of choice aren't part of the scope of this document. That having been said, every OS has its own pros and cons and you have to weigh them accordingly. For example, QubesOS is not going to be appropriate for the non-technical home user for at least the next several years. Ubuntu and other linux distros are very accessible, but have their own flaws. So do the perennial favourites of Windows and MacOS, though.
OS selection is, for the average user, a matter of preference rather than security.
Step I. Unboxing and First Boot
Whether you're dealing with a laptop or a desktop, step one is to make sure the seals on the box are intact, if the hardware was purchased new. There's some thought to suggest that only buying brand-new hardware is ideal, whether in terms of hardware longevity or threat surface reduction. I personally don't have a horse in that race. Most of my equipment is either old enough to be obsoleted entirely or at least purchased "lightly used". Intact seals mean that your hardware hasn't been tampered with since manufacture - if it's a used item don't bother disassembling it. The risk of hardware tampering pre-purchase is minimal as hell. I'm not aware of any reported case. Checking the seals provides another protection - it can be a condition of warranty. Which reminds me: keep your reciepts! File them away somewhere memorable but boring like a filing cabinet.
Set everything up and power the system on. When the UEFI/BIOS screen (usually the manufacturer's logo) appears, press the appropriate key to get dropped into the UEFI interface. On a lot of computers this is either F2 or delete, but it varies by manufacturer and model so don't be shocked if neither of those work and you have to look it up.
Once you're in the UEFI interface, find the security options menu and set the UEFI and Admin passwords. Make them as secure as you can considering on most systems they have to be alphanumeric (in my experience anyway). Throw them immediately into your password manager. These passwords prevent anyone else from making changes to your UEFI settings - including you, so don't forget them, because resetting them is a bit of an adventure, and on some models, beyond the scope of even an enthusiastic owner. Save and Exit the UEFI menu, and wait for the operating system to load.
Step II. Operating System First Boot
If this is brand new hardware, this step applies to you. Regardless of OS, follow any installation steps that appear and complete first-time configuration that way. Allow the OS to boot up fully, connect to your local network, and download any and all available updates.
If you bought this hardware second-hand, I highly recommend reinstalling the OS, which is also a great time for me to plug that linux distros have come a long way since the previous decade and that my personal experience with Ubuntu 16.04 LTS has been that it is HIGHLY useable. In a few months there's even a new LTS version coming out that you might also enjoy.
Regardless of the operating system you choose, you're going to want to make a few considerations:
- Hostnames/Comptuer Label: There are two schools of thought on hostnames, and ultimately no clear winner between them. If you are naming a device that will likely just sit on a home network (a desktop PC or laptop with which you rarely travel), go ahead and set a recongizable, specific hostname using whatever naming convention you like. If you're concerned about privacy, and spend a lot of time as a guest machine on remote networks, it won't necessarily hurt to use the default. That having been said, I would argue that in the latter case you are more likely to be tracked by MAC than by hostname. Avoiding that degree of tracking is beyond the scope of this document.
- Use the latest ISO: If you are performing a fresh install of the OS it will behoove you to get the latest ISO from the developer for your use in the installation. This will cut down (but likely not eliminate) the amount of time you need to spend installing updates post-installation. It is strongly advisable to verify the signature of the ISO if at all possible as well. If you are unsure how to do this, it may be better to stick to the image the device came with.
- Default/First Account: All modern operating systems of which I am aware (at least, any you are likely to use) are based around the concept of allowing/including multiple users. This actually serves a function beyond setting up the computer to allow multiple people to use it; security, if used correctly. In this case, I'm advising you to use a slightly-watered-down version of the least necessary permissions model. So, this first account that the OS is prompting you to create, this administrative account, is not for any user's daily use. Feel free to give it a basic name (avoid system or root, but administrator is, frankly, fine), and absolutely give it a strong password, which you should store in a password manager.
Step III. Hardening
For a home user with an ordinary threat model, the OS is probably sufficient right out of the box - so says conventional wisdom! I respectfully disagree. The default state of most operating system instalations is one of maximized compatibility. People like to be able to plug and play. For your non-technical relatives (or even you yourself), at first glance, this appears desireable. And it is, to a limited extent.
However, the more plug-and-play you are, the more attack surface you present on your system - that is, the more ways an attacker can get access. WannaCry, 2017's big Ransomeware scare, was wormable (self-spreading) because it exercised a really weird vulnerability in a program meant to interface to a particular kind of print/file sharing service. Most home users - hell, most businesses - weren't even using it. Didn't matter, it was on by default.
The process of minimizing these exposed services is referred to as Hardening.
Step IIIa. Hardening on Windows
I'm not going to pretend to be the world leader on Windows security, mostly because I chiefly use Windows as insecurely as possible. For further reading on the web consult Decent Security. However, there are a few things you'll want to do:
- Enable Updates: I know the old saw about windows update mostly being there to interrupt you in the middle of your browsing and take up more and more of your hard drive. I'm not necessarily even going to argue the point. But those updates exist for a reason. No piece of software - especially not one with the size and complexity of an operating system - is going to ship in a perfect state. There will be bugs, and bugs are how attacks are possible. Keeping windows update active repairs a lot of those bugs. Running win 10? Good news, it's virtually impossible to turn those updates off in the first place. A lot of people were angry about that decision, and I seem to be in the minority.
- Uninstall Your Extra Antivirus: Commercial AV solutions provide no real security benefit over the windows default, and mostly exist to upload your files to their own servers (if they're detected as malicious), and nag you to buy annual subscriptions. Running multiple AVs on a system is also counterproductive. So Norton or McAffee or whatever can disappear. Kill it, and save your money.
- Enable Windows Defender: Shock and horror, I like microsoft's anti-malware program, Windows Defender. I like that it's installed natively, and that its free for the lifecycle of your device's current OS. What I don't like is that a lot of manufacturers, perversely, disable it by default so that they can ship some other AV with it. While you're in it, go ahead and turn on automatic scanning (Daily at 2AM works for most users, provided you leave your computer on overnight), and make sure "check for latest updates before running scan" is also selected. The default settings are otherwise just dandy for the average home user's defaults, so leave them.
- Set an administrator password: When you created the first account on this computer, it was by default an administrative account. That's fine, since you need one of those, but it needs a strong password. Go ahead and set one, either by generating a random string to use or using the CorrectHorseBatteryStaple method. This password also goes in your password manger.
- Create a Daily Use Account: You're not going to use the admin account again unless you want to install something. I mean it. When I'm setting up computers for my untechnical relatives, I don't even give them the password to the Admin account. Here's the threat: If you are logged in as admin, a token exists which tells the computer that the admin is authenticated. An attacker - human or software - can steal this token and use it to exercise badness. This isn't just a problem from computer to computer but this kind of attack is how big data breaches at large companies happen as well. So do yourself a favour in advance - make yourself a daily-use account that doesn't have admin privledges; several, if the computer is going to be shared. For the most part, you aren't going to notice any difference. Once this is done, for now, stay logged in as admin.
- Set up Backups: Windows provides a backup program of a sort through system restore, but I consider the windows backup utility kind of hard to use, and System Restore by default is only going to help you if the system itself isn't physically damaged (or god forbid, stolen or lost). As a developer of backup software I am admittedly biased and clearly unsatisfied by most current offerings. Since my software, Tapestry, isn't currently ready for windows use (or non-technical users, for that matter), I recommend using the Windows Backup tool. Make sure you back up to a seperate device from the computer itself. Set these backups to run automatically. For most home users, once a month is fine. The device needs to be connected during backup, however, so set yourself a reminder to do that.
- Enable Full-Disk Encryption: If you are fortunate enough to have Win10 Pro, Enterprise, or education, enable Bitlocker, especially if you are using this device for work, and especially if it's portable (a laptop or hybrid tablet). Full-Disk Encryption protects all the data on the computer at rest while the computer is powered off.
- Install Software/Hardware of Choice: While you're still admin, this is a good time to install anything you are going to use that didn't ship with your computer. Hook up your chromecast, printer, home NAS, or whatever. Install Office, your browser of choice, any games or other software you bought the computer for. Get that out of the way.
- Disable Windows Services: This could be an article in and of itself. For the most part, a non-technical home user doesn't need either version of SMB. They probably also don't need FTP, SSH, or (lawd)Telnet. Check with a skilled windows user to see what you can get away with turning off. A little google-fu goes a long way here, and the precise selection is left as an exercise to the reader.
- Log out as Admin: Log completely out as admin, then log in as yourself. Your computer is now ready to use.
IIIb: Hardening on MacOS
MacOS comes out the box pretty hardened already, and their aggressive (and mandatory) updates tend to keep things that way. For now, just make sure to do the following:
- Leave Root Disabled: This is the default, and keep it that way. In much the same way that most of the time the user doesn't need admin access on Windows, the user almost never needs root on a Mac. I had a MacMini that I used for three or four years in college, and in spite of using it pretty aggressively I never once needed Root.
- Set a Strong Password on the Default Account: Again, store it in your password manager. And again, we aren't going to use this for much.
- Set up a Standard Account for Daily Use: Like the difference between Admin and Non-Admin windows users, there are a whole class of attacks against MacOS that can be avoided if the primary user isn't Admin. Standard Users under MacOS can even install and remove apps without needing admin credentials, so go ahead and set one or more of those up for your daily use.
- Set up Time Machine: A lot of security-related tasks are handled transparently through MacOS's updates system, but one of the most important, and most neglected, things to do is set up data backups. Time Machine does this beautifully and efficiently. My wife has stored something like three years worth of backups on a 2TB USB Hard Disk and has never needed to intervene with it. Schedule your updates to happen automatically, too. The computer will prompt you when it wants you to connect the backup disk, and in my experience Time Machine is lightweight enough that even when its running the computer is still perfectly usable.
IIIc: Hardening Some Other OS
You have gone way out of scope my friend. Chances are, if you're technical enough to want another OS on your computer, you're technical enough that you've already researched the pros and cons of the OS in question and have found a relevant hardening guide.
IV: Use-After Free
Okay, so we're through the meat and potatoes of the guide now, but I do have a few pointers gleaned over the years. This section is mostly aimed at the reader who serves as the family IT guy, or the moderately technical user. I have just a few parting thoughts.
Try and limit the amount of software - of any type - you install. If you do have to install something, make sure that you actually have to install it. Don't go downloading every flash or java plugin you are prompted for. If you found a video you can't watch with VLC, I doubt very much you found a video. When selecting software for a less-technical user's PC, or even for your own, go for versitility, reputatability, and reliability. Microsoft Office is fine. LibreOffice is better because it makes Macro execution kind of... borky. And its free. Install VLC. If there's a video or audio file that VLC can't parse, the fault is usually in the file itself.
Oh, and if you have a less-technical relative who you provide tech support for, get comfortable with two ideas: they are going to look at porn on their machine, and that is going to mess with their security model. Security updates and AV are going to help, but only to a limited extent.
If your untechnical friends are also of the pirate nature, urge them to become technical, or stop. When I left for college and started making an actual income I also stopped using bitTorrent quite so regularly, and mysteriously, my issues with regular infection of my windows machine suddenly stopped! I have a rule with my friends and family that is quite well known: the first time you mess up your computer trying to steal Pirates of the Carribian 19 or Final Fantasy 287 or whatever, I will help you. The second time you do it, I'm giving you a copy of my diagnostics distro and telling you to figure it out yourself.
Most of them choose to start streaming instead of downloading after the second time.