If there can be Christmas in July then I guess another round of New Year’s resolutions in August isn’t too far off. For the past couple of weeks I’ve been trying to live by best practices in a few key areas: following the principle of least privilege, using strong passwords that aren’t reused across multiple sites, and using NoScript in my web browser to protect against malicious scripts.
Let’s say we’ve already got the low-hanging fruit covered, like regularly backing up our important files, running an antivirus program (Avast! recommended), and running our systems off a UPS (battery backup). So let’s try to mature and take our lifestyle to the next level of best practices.
The Principle of Least Privilege
I am frequently rallying on the side of the “No, you cannot be an administrator of your computer” argument here in my organization. It’s hard and hypocritical to make that argument when my own account has administrator rights across all machines. You can somewhat justify it by saying that I’m aware of and responsible for what happens on the computers I’m logged into. But do I really need to be an admin during my lunch-break web surfing? No, and I shouldn’t be!
To make the argument a little less tongue in cheek, I removed all administrator powers from my account. Now, I’m no longer logged in as an administrator all the time. My job duties, however, require me to be an administrator. For that, I set up another account and gave it admin privileges. Now, whenever I’ll solely be doing administrator tasks, I log in with that account. All other times, I log in with my standard user account and, through some RunAs magic, I’m able to do my job without needing to log off or handing unnecessary privileges to whatever threat might be waiting.
Possible? Yes
Manageable? Yes
Easy? Not quite. It makes for some hassle but it really teaches a lesson in ‘context’ of what domain you’re operating in and from what login.
Not Repeating Passwords
I was bad with passwords for all the different sites I’m registered with. I wasn’t ‘123456’ bad and I actually had a system, but it wasn’t a great system. I used different passwords for different rings of security. If something didn’t have any information or potential of being used incorrectly it got password A. If something was of more secure nature, it got password B, and so on. Sharing passwords between sites was bad and set me up for phishing, XSS, or worse.
Fortunately, I’ve wrangled that bad habit and it has really stuck. Going off of one of the principles from Time Management for System Administrators, I stopped using my brain for remembering passwords. Instead, I use KeePass. I recommended using KeePass over a year ago but it just now made its way into my regular workflow. Now, each site has a strong, randomly* generated password.
Whenever I sign up for a new site, I just open up KeePass, enter the information there, generate a password, and save it. The generator can collect additional entropy to seed its randomness, and the password can be set to the maximum number of characters the site allows, using only the character classes it permits: lowercase, uppercase, digits, special characters, slashes, and some others.
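An added example (my own code, not the post’s and not KeePass itself) showing what those generator options amount to: draw each character from the OS CSPRNG over only the allowed character classes, and compute the resulting entropy so you can see why a long password over all four classes beats a short reused “ring” password. The class names and function names are this example’s own.

```python
import math
import secrets
import string

# Character classes matching the options the post lists for the
# KeePass generator (names and grouping are this example's own).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,  # 32 ASCII symbols, slashes included
}
ALL = tuple(CLASSES)


def alphabet(classes=ALL) -> str:
    """Union of the selected character classes."""
    return "".join(CLASSES[c] for c in classes)


def entropy_bits(length: int, classes=ALL) -> float:
    """Entropy of `length` independent uniform draws from the alphabet."""
    return length * math.log2(len(alphabet(classes)))


def covers_all(pw: str, classes=ALL) -> bool:
    """True if the password contains at least one char of every class."""
    return all(any(ch in CLASSES[c] for ch in pw) for c in classes)


def generate(length: int = 20, classes=ALL) -> str:
    """Draw from the OS CSPRNG (secrets), never random.random(), and
    reject candidates that miss a class so site policies demanding
    'one of each' are satisfied. Rejection costs a small fraction of a
    bit of entropy at these lengths, which is negligible."""
    if length < len(classes):
        raise ValueError("length too short to include every selected class")
    chars = alphabet(classes)
    while True:
        pw = "".join(secrets.choice(chars) for _ in range(length))
        if covers_all(pw, classes):
            return pw


if __name__ == "__main__":
    pw = generate(20)
    print(pw, f"{entropy_bits(20):.1f} bits")  # 94^20, about 131.1 bits
    # A short lowercase+digit "ring" password for comparison.
    print(f"lower+digits, 8 chars: {entropy_bits(8, ('lower', 'digits')):.1f} bits")
```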
Upon returning to a site, I just open up KeePass and use it to log in by copying the password and pasting it into the field. KeePass automatically clears the clipboard after a set amount of time (12 seconds by default). You can also use the Auto-Type feature: select the user name field on the web form, then select the entry in KeePass and press Ctrl+V. It will automatically enter the user name, tab to the next field, enter the password, and hit Enter afterwards. You can edit the Auto-Type sequence for each entry in case a website is a little unusual.
KeePass can be portable on your USB drive and has an iPhone and Android app.
Possible? Yes.
Manageable? Yes, it actually makes the modern day password system more manageable and more secure.
Easy? Yes. I tore up the last password sheet people hand me at work for various accounts. Everything is in KeePass. With a back-up of the password database safely kept in another place or two, I feel more confident in knowing my passwords than before, and more secure.
*As random as you can get with a computer.
Running Only Approved Scripts
Using NoScript, a Firefox add-on, allows you to explicitly whitelist only certain domains, stating that you trust them and the scripts they’ll be using. Using NoScript makes for a much more cumbersome browsing experience, but it also makes for a much more secure one. The whitelist could include sites like YouTube and 404 Tech Support but exclude domains like Google Analytics or malicious domains.
NoScript can protect against cross-site scripting, clickjacking attacks, malicious PDFs, and malicious JavaScript. It can also speed up your browsing session, since you’re not waiting for a script to complete. Unfortunately, many times you need a script to be able to view the webpage properly, whether it’s used to display the CSS or validate a form before submission. When you enable a domain, the page is reloaded. Sometimes this means filling out a form’s fields more than once if you can’t figure out which domain you need to accept. You can also temporarily approve a domain if you only trust it for this session or you’re not sure it needs to be enabled.
NoScript also shows you how much some sites rely on JavaScript, with the picture to the left being a screenshot of how many different scripts TheChive wants to run. Fortunately, using NoScript gets easier over time after you approve the sites you frequent most often and trust.
Possible? Yes.
Manageable? Yes. There is a learning curve but it isn’t drastic.
Easy? Borderline yes. Browsing can feel more tedious at times and with broken pages I might visit them in another browser just to make sure it’s the site that is having issues and not the browser.
Trying to tackle all three issues at the same time made life a little complicated but now that I’m coming out of the learning curves, I think my computing habits are better for it. Any other practices you would recommend as being a best practice?