Merge pull request #90 from matkoniecz/patch-7

floating unneded are
This commit is contained in:
Alicia Sykes 2021-11-17 16:43:34 +00:00 committed by GitHub
commit c410aa9e39
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -342,7 +342,7 @@ Although Windows and OS X are easy to use and convenient, they both are far from
**Use a Security-Focused Operating System** | Advanced | Microsoft, Apple and Google all have practices that violate users privacy, switching to Linux will mitigate most of these issues. For more advanced users, consider a security-focused distro- such as [QubeOS](https://www.qubes-os.org/), which allows for compartmentalization of applications and data, and has strong encryption and Tor networking build in. For some actions, [Tails](https://tails.boum.org/) a live operating system with no memory persistence is as close as you can get to not leaving a data trail on your system. BSD is also great for security, see [FreeBSD](https://www.freebsd.org/) and [OpenBSD](https://www.openbsd.org/). Even a general purpose distro, will be much better for privacy compared to a propriety counterpart: [Fedora](https://getfedora.org/), [Debian](https://www.debian.org/), [Arch](https://www.archlinux.org/) / [Manjaro](https://manjaro.org/), [see more](/5_Privacy_Respecting_Software.md#pc-operating-systems)
**Make Use of VMs** | Advanced | If your job, or any of your activity could endanger your system, or put you at risk, then virtual machines are a great tool to isolate this from your primary system. They allow you to test suspicious software, and analyse potentially dangerous files, while keeping your host system safe. They also provide a host of other features, from quick recovery using snapshots, to the ability to replicate configurations easily, and have multiple VMs running simultaneously. Taking this a step further, VMs can be use for compartmentalization, with a host system performing the single task of spawning VMs (systems like [ProxMox](https://www.proxmox.com/en/), is designed for exactly this). Be aware that virtual machines do not grantee security, and vulnerabilities, named [VM-Escapes](https://en.wikipedia.org/wiki/Virtual_machine_escape), may allow for data in memory to leak into the host system
**Compartmentalize** | Advanced | Security by [Compartmentalization](https://en.wikipedia.org/wiki/Compartmentalization_(information_security)) is a strategy, where you isolate different programs and data sources from one another as much as possible. That way, attackers who gain access to one part of the system are not able to compromise all of the users privacy, and corporate tracking or government surveillance shouldn't be able to link together different compartments. At the simplest level, you could use separate browsers or [multi-account containers](https://support.mozilla.org/en-US/kb/containers) for different activities, but taking it further you could have a virtual machine for each category (such as work, shopping, social etc). Alternativley, consider [Qubes OS](https://www.qubes-os.org), which is designed for exactly this, and sandboxes each app in it's own Xen Hypervisor VM, while still providing great user experience
**Disable Undesired Features (Windows)** | Advanced | Microsoft Windows 10 is far from lean, and comes with many bundles "features" that run in the background, collecting data and using resources. Consider disabling are: Windows Script Host, AutoRun + AutoPlay, powershell.exe and cmd.exe execution via Windows Explorer, and the execution of commonly abused file extensions. In MS Office, consider disabling Office Macros, OLE object execution, ActiveX, DDE and Excel Links. There are tools that may make these fixes, and more easier, such as [HardenTools](https://github.com/securitywithoutborders/hardentools), or [ShutUp10](https://www.oo-software.com/en/shutup10). Note: This should only be done if you are competent Windows user, as modifying the registry can cause issues
**Disable Undesired Features (Windows)** | Advanced | Microsoft Windows 10 is far from lean, and comes with many bundles "features" that run in the background, collecting data and using resources. Consider disabling: Windows Script Host, AutoRun + AutoPlay, powershell.exe and cmd.exe execution via Windows Explorer, and the execution of commonly abused file extensions. In MS Office, consider disabling Office Macros, OLE object execution, ActiveX, DDE and Excel Links. There are tools that may make these fixes, and more easier, such as [HardenTools](https://github.com/securitywithoutborders/hardentools), or [ShutUp10](https://www.oo-software.com/en/shutup10). Note: This should only be done if you are competent Windows user, as modifying the registry can cause issues
**Secure Boot** | Advanced | For Windows users, ensure that [Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) is enabled. This security standard, ensures that your device boots only to trusted software when the PC starts. It prevents malware, such as a rootkit from maliciously replacing your boot loader, which could have serious consequences. Some Linux distros also work with secure boot (if they've applied to have their boot loaders signed by Microsoft), while others are incompatible (in which case, secure boot will need to be disabled)
**Secure SSH Access** | Advanced | If you access your system remotely, via SSH you should take steps to protect it from automated and targeted attacks. Change the port away from 22, use SSH keys to authenticate, disallow root login with a password and consider using a firewall, and only allow certain IPs to gain SSH access, consider using a Virtual Private Cloud as a gateway. Carry out regular service audits, to discover the services running on your system. For more info, see [this guide, on OpenSSH security tweeks](https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html)
**Close Un-used Open Ports** | Advanced | Some daemons listen on external ports, if they are not needed, then they are [exposed to exploits](https://www.acunetix.com/blog/articles/danger-open-ports-trojan-trojan/). Turning off these listening services will protect against some remote exploits, and may also improve boot time. To check for listening services, just run `netstat -lt`