
I run a standard laptop at home (dual-boot Fedora 20 and Windows 7; the Windows side is almost never used). Soon my other computer will be working again; it will have Windows 8.1 and some flavor of Linux.

What is the best way to lock down the system and make it harder to attack? I am interested in solutions that are practical for home use.

Things that come to mind (roughly in order of intrusiveness and security):

  • Run Windows in a separate VM, and various Linux applications in separate SELinux sandboxes.
  • Run each Linux application, as well as Windows, in a separate VM.
  • Switch to QubesOS or another security-focused Linux variant, and drop Windows altogether.

Also, I have noticed that I do a lot of software downloading (from legitimate sites like GitHub -- but even they are not perfect) for development purposes. Should I isolate that in a VM?

Demi
  • Do you have any specific reason to think you face a particularly high threat? In a workstation environment user behaviour is probably a more significant factor than system configuration assuming your system has a typical level of security controls in place. Also, what threats are you trying to mitigate? It's no good running your Windows installation in a VM if you use your banking credentials in that VM and it gets compromised. Isolation only makes sense if you intend to isolate roles (which is again more of a behavioural factor in the case of a workstation). – thexacre Oct 07 '14 at 09:42
  • Running each application in a separate VM is overkill. I think your machine might explode with so many VMs running locally. – RoraΖ Oct 07 '14 at 12:04
  • It depends. Do you use that computer for work (and/or studying, homework) and some private stuff? In that case, not running as Administrator and disabling SMB on a Windows 7 standard install, as well as installing security updates and **not** installing Adobe Flash and Java will be _perfectly_ safe. Standard install of Fedora, likewise, will keep you perfectly safe. If your work PC may hold a few million dollars of trade secrets, use full disk encryption. If you work for Al-Qaeda, you may need to rig your laptop's lid with C4 and be prepared for waterboarding to extort your password, though. – Damon Oct 07 '14 at 12:16
  • In other words, both Linux and Windows 7 are perfectly safe for the normal, average secrets that a normal, average person has. Unless you do stupid things like run them as root all the time, or install downloadable, web-embeddable exploits (like Flash). No normal person needs SELinux or isolating the operating system in a VM. The harshest thing that may happen to a normal person is the laptop getting stolen, so if personal/valuable data is on it, encryption sure doesn't hurt. – Damon Oct 07 '14 at 12:18
  • If you do plan on going full scale VM for *each* app, you'll be much better off on Qubes. Also consider MBox which should provide you roughly the same benefits as a VM with much less of a performance cost. Switch from X11 to Wayland ASAP as well. SELinux will do little for you, except if you're running Fedora where it can help along with Systemd in locking down services you run to the least privilege they need. – Steve Dodier-Lazaro Oct 07 '14 at 15:21
  • @Damon calling a default Linux desktop safe is incorrect. :-) Same for any non-WinRT Windows app or non-sandboxed OS X app. Any vuln in such apps can get all your data stolen and permanent backdoors installed. – Steve Dodier-Lazaro Oct 07 '14 at 15:22
  • @SteveDL: Theoretically, yes. Practically, no. You most probably want to run the web browser in a VM if you go browsing shady porn sites and hacking sites, but then again you shouldn't be doing that thing anyway. But for anyone (anyone who is at least half computer-savvy, and isn't the CEO of JP Morgan, or the head of a terrorist cell, or the keeper of a nation's nuclear weapon codes) doing "normal stuff" in a reasonable manner, not installing Java and Flash (and not clicking on `bigtits.gif.exe`) is pretty much enough. I've not been compromised once in over 30 years. – Damon Oct 08 '14 at 10:15
  • @Damon On the day there will be an economic incentive to defeat Linux, it will happen. People like Microsoft or Adobe who report hundreds of hours of testing on their codebase get attacked, so don't expect too much from FOSS apps which usually aren't tested. Try to fuzz evince if you won't take my word; it's too damn easy to find invalid writes. As for porn sites, they only account for a small fraction of infected sites, the main category being blogs by far. Got a security company's report sitting somewhere on my HDD with those numbers, but can't remember which. – Steve Dodier-Lazaro Oct 08 '14 at 12:43

1 Answer


I will assume that since it is a laptop, it will be exposed to external threats as you will take it with you, but you are interested in security and hardening of the system to prevent unauthorized access.

VMs are a great way to sandbox your activities without putting your entire machine at risk. You can take a snapshot of the VM's configuration at any time you like, and if you do something dumb or something happens, who cares! You can restore it. Downside, you have to do everything in your magic VM window.

Hard-Disk encryption. If your laptop gets stolen, full HD encryption is going to be your best line of defense against having your data compromised. There are a number of solutions available that you can find online.

I'm sure that would be sufficient to prevent most data loss in the event of a breach. Just do not store any mission-critical data in your VM and you should be good to go.

Desthro