Windows 10
Harden Windows 10 - A Security Guide gives detailed instructions on how to secure Windows 10
machines and prevent them from being compromised. We will harden the system to eliminate much
of the attack surface and impede attackers. Vulnerable services and unnecessary networking
protocols will be disabled. Layers of security will be added to protect the system, private
documents, browsers and other applications. Firewall rules, ACLs and Software Restriction
Policy are some of the settings we will set up. Then, continuing the security process, we will
set up patch monitoring to notify us of insecure applications which require patching. Then we
will set up event monitoring to watch admin account use and all unusual events. We will also
set up baselines so that we can regularly compare the running system against a known-good
state and confirm it has not been modified. And finally we want to monitor the current threat
landscape and be able to react to emerging security threats in time. Good security consists
of deter, deny, delay and detect. Hardening covers the first three; this guide covers all four.
In today's environment, criminals attack vulnerable PCs to gain access to personal data for
identity theft, to steal credit card data and to conduct business espionage. So any PC is fair
game for intrusion, and it is not an elaborate undertaking: attacking a PC only takes a few minutes.
The Windows 10 Hardening Guide is below, and all of the hardening steps are contained in this
document. There is an optional Configuration Pack which automates some of the configuration
steps and also provides the ACLs to partition away hacker-friendly admin command line tools.
Some settings can only be reached with the Configuration Pack. Performing all the steps
manually takes 3-4 hours; the Configuration Pack saves time by letting you import certain
configs.
Due to technical difficulties, we are not able to offer instant download for the Configuration
Packs; orders will be emailed out every day after 5am EST.
Importance of Testing
It is important to note that after hardening a system, you have to test whether the applications
you run still work as expected. The ideal candidate for this project is a user with no need for
communication among PCs on the LAN, because the more network ports you open, the less secure
you become.
Testing was done on Windows 10 Pro 64 bit and Windows 10 64 bit machines.
After hardening, all Control Panel items were tested and work, with the following exceptions:
Settings > System > Notifications & actions. Can't generate notifications at will.
Settings > System > Notifications & actions > Show alarms ... on Lock screen - does not
work on CTRL-ALT-DEL lock screen - Normal behavior
Settings > System > Apps & features > Manage optional features > Add a feature. I don't
know another language
Settings > System > Offline maps > Maps update > automatically update maps - can't test
this
Settings > System > Default Apps > Choose default app by protocol - don't know how this
works
Settings > Devices > Printers & scanners - process highly dependent on the specific printer
driver involved
Settings > Devices > Connected devices - have no new devices to install
Settings > Devices > Mouse & touchpad > Additional mouse options. ClickLock. - don't
understand how it works
Settings > Devices > Typing > Spelling autocorrect and highlight - has no effect in
Notepad, don't understand how it works
Settings > Devices > AutoPlay - not enabled for security reasons
Settings > Network & Internet > VPN - I have no VPN service
Settings > Network & Internet > Dial-up - I am not using dial-up
Settings > Network & Internet > HomeGroup - this guide deems it insecure to share
everything to everyone using a single password
Settings > Network & Internet > Proxy - don't have a proxy server
Settings > Accounts > Your account > Add a work or school account - don't have those
Settings > Accounts > Sign-in options > Add Pin - Pins cannot be used on CTRL-ALT-
DEL login screens
Settings > Accounts > Work access - do not have infrastructure
Settings > Accounts > Sync your settings - Need a MS Account and another PC to test
sync with. Not tested.
Settings > Time & Language > Region & language - don't know another language
Settings > Ease of Access > Closed caption > Caption effects - does not seem to have
effect on Preview
Settings > Ease of Access > Closed caption > Background and window > Window color -
does not seem to have effect on Preview
Settings > Ease of Access > Keyboard > Other settings - don't understand how it is
supposed to work
Settings > Privacy - I don't have any 3rd party apps to test privacy settings with
Settings > Update & Security > Recovery > For Developers - not tested
Control Panel > Administrative Tools > Component Services - it requires deep knowledge
of COM and DCOM
Control Panel > Administrative Tools > iSCSI Initiator - I don't have this equipment
Control Panel > Administrative Tools > Performance Monitor - I am not familiar with it,
so I don't know what is normal, ie what should be showing and what shouldn't be.
Control Panel > Credentials Manager - I don't have any servers nor saved web passwords
Control Panel > Ease of Access Center > make touch and tablets easier to use - I am not
on a tablet.
Control Panel > Home Group - this guide deems it insecure to share everything to
everyone using a single password
Control Panel > Recovery > Create a Recovery Drive - I don't have the equipment
Control Panel > Region > Administrative > Change System Locale - not tested
Control Panel > RemoteApp and Desktop Connections - I don't have such resources
Control Panel > Security and Maintenance > Change Windows SmartScreen settings - not
changed, because default is secure
Control Panel > Speech Recognition - I don't have a microphone to test with
Control Panel > Troubleshooting - there are too many scenarios to run each
troubleshooter
For details of the Automated Configuration files, see the Automated Configuration section near
the bottom of this document. They will also be mentioned where applicable in each section
throughout the document.
Let's Begin
Service Packs (at the time of this writing, there are no Service Packs for Windows 10)
Your downloadable applications, and the latest versions of Adobe Flash and Adobe Reader
(most people use Flash and Reader)
There is a free tool called WSUS Offline Update, which can download updates for all Windows
platforms and create an ISO image file. Burn this image to DVD, insert it into your PC and
it will commence installing the updates.
Note that it only downloads KBs that appear in MS Security Bulletins, which are all the critical
and important updates; so you will still have to run Windows Update afterwards to fetch the
ordinary non-critical updates. This tool closes a critical gap in Windows installation: the
window when you have only the service packs installed but are missing all post-service-pack
updates, and an attacker can attack you while you are updating online and still vulnerable.
The tool is available from http://www.wsusoffline.net/. The site is in German and English.
So the plan is to run this tool on another PC to fetch the updates, and take the updates disc to
the machine you are installing.
On the main screen, select the platforms you want updates for, checkmark 'Create ISO images
per selected product and language', then click the Start button.
After it finishes, check the iso subfolder to locate the ISO image file. Note that this is a DVD
image file. Right click on it and select 'Burn disc image', or use the free ImgBurn utility if
you are not on Win 7 or Win 8 (which have the built-in burner).
Installation Settings
As usual, to securely install an OS, you should install it disconnected from the network. If
you are using an Ethernet cable, disconnect the cable. If you are on WiFi, right click on the
Start button > Control Panel > Network and Sharing Center > Change Adapter Settings and
right click to disable the WiFi interface.
To perform an upgrade from a previous version of Windows, boot that version of Windows and
run 'setup' from the DVD drive/USB memory stick. Do not boot from the ISO and do a clean
install, as you won't be able to activate your Windows 10 afterwards.
After you have done one upgrade and activated it, you can boot the DVD created with the MS
Media Creation Tool and perform a 'clean install'. MS will remember your PC from your last
activation.
During the install of Windows 10, there are options that you have to choose from.
At the beginning screen, it will offer to download updates as part of the install. Select 'Not
right now'. The installation process is not hardened and cannot withstand attacks. Unplug
from the network or disable WiFi.
Then after a few reboots, it will ask you about personalization; click on "Customized
settings" at the bottom of the screen.
Personalize your speech, typing ... Off
Let Skype (if installed) help you connect ... The choice is up to you, if you want to use Skype
Location: Turn on Find my Device and let Windows and apps request your location ... Off
Use SmartScreen online services to help protect ... It is safer to have Windows check whether
downloads are trustworthy, but you are giving MS knowledge of what you download; you decide.
Get updates and send updates to other PCs on the internet ... Updates download faster if you
share them with other PCs, but you are then downloading from an unknown PC on the internet;
you decide.
The reasoning is that the more features you enable, the larger your attack surface is. It
means you have more to defend, and one vulnerable spot is all it takes to get hacked. The
more features you have, the more potential bugs (some security related) you have. Attackers
know a lot about the security bugs in the system; that is how they attack. If you go live on
the internet with all features turned on, the attacker has a lot of choices. If you disable
unused features, he has less to play with.
One of the first things you should do, in line with least privilege, is to create a Standard
user account and use that account for your daily work. Only log in to the administrative
account to install programs, configure networking, or do system maintenance tasks.
When you are working in a Standard account, any malware or hacker that makes it onto your
system inherits your privileges and does not have admin rights to make system-wide
modifications. That is a win for you.
Remember that an attacker will have all the access that you have at the moment of attack. So
if you have important data stored in that account's Documents folder, they will have the same
access (more on that later). So, if you have secret-level data, it is best to store it in an
account which you don't surf with.
From a different perspective, a Standard account is a barrier to other accounts and is also a
container for attacks. If you have your services set up correctly and don't allow the RunAs
command (it depends on the Secondary Logon service), then automated attacks and hackers
cannot gain access to your other accounts from it. If you notice different behaviour of your
browser or something that looks like virus activity, you can rebuild your account and delete
the old one as part of a recovery procedure.
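The procedure above, done from an elevated PowerShell session, as an added example that is not part of the guide or its Configuration Pack. It creates the daily Standard account, proves it is not a member of Administrators, and switches off the Secondary Logon service that RunAs depends on. The account name $User is an assumption; choose your own.

```powershell
# Added example, not part of the guide: create the day-to-day Standard account,
# confirm it is not an administrator, and turn off Secondary Logon (seclogon),
# the service behind the RunAs command. Run in an elevated PowerShell session.
$User = 'daily'   # assumption: pick your own account name

function New-StandardAccount {
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $Name"
        # New-LocalUser does not put the account into any group by itself
        New-LocalUser -Name $Name -Password $pw -AccountNeverExpires | Out-Null
    }
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
}

function Test-IsStandardAccount {
    param([Parameter(Mandatory)][string]$Name)
    # Direct membership only: the account must not appear in Administrators
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    return ($admins -notcontains "$env:COMPUTERNAME\$Name")
}

New-StandardAccount -Name $User
if (-not (Test-IsStandardAccount -Name $User)) { throw "$User is a member of Administrators" }

# With seclogon disabled, runas cannot start anything under another account, so a
# shoulder-surfed or keylogged admin password is not enough from this account.
Stop-Service -Name seclogon -ErrorAction SilentlyContinue
Set-Service -Name seclogon -StartupType Disabled
Get-Service -Name seclogon | Select-Object Name, Status, StartType
```

Log on as the new account for everyday work and keep the admin account for installs and maintenance, as the text describes. Note that UAC elevation prompts still work with seclogon disabled; only RunAs and tools built on it stop working.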
When you plug in the Ethernet cable after hardening, set the network to Public, which is the
most restrictive and secure.
Note: if you selected Private and later want to change it to Public, the only method for
Windows 10 that I am aware of involves using PowerShell.
Right click on PowerShell and then click Run as Admin, then type in this:

```powershell
Get-NetConnectionProfile
```

which prints something like:

```
Name             : Network
InterfaceAlias   : Ethernet
InterfaceIndex   : 3
NetworkCategory  : Public
IPv4Connectivity : Internet
IPv6Connectivity : Internet
```

Note the Name, and then type this, replacing the word Network with the name found
above:
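The profile change as a complete, checkable script, added here as an example that is not part of the guide. It reads every connection profile, switches each Private one to Public, and re-reads the result so you can see that it took. Run it in an elevated PowerShell session. Domain-authenticated profiles are left alone, since they cannot be made Public.

```powershell
# Added example, not part of the guide: switch every Private connection profile
# to Public and verify. Elevated PowerShell session required.

function Set-ProfilesPublic {
    $changed = foreach ($p in Get-NetConnectionProfile) {
        if ($p.NetworkCategory -eq 'Private') {
            # Same effect as the guide's one-liner with the Name filled in:
            #   Set-NetConnectionProfile -Name "<Name>" -NetworkCategory Public
            # Keyed on InterfaceIndex here because two profiles can share a Name.
            Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public
            $p.InterfaceAlias
        }
    }
    # Re-read and fail loudly if anything is still Private
    $still = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Private'
    if ($still) { throw ('still Private: ' + ($still.InterfaceAlias -join ', ')) }
    [pscustomobject]@{
        Changed  = @($changed)
        Profiles = Get-NetConnectionProfile |
                   Select-Object Name, InterfaceAlias, InterfaceIndex, NetworkCategory
    }
}

$result = Set-ProfilesPublic
$result.Profiles | Format-Table -AutoSize
```

The Public category is what makes the firewall apply its most restrictive profile and what turns off network discovery on that interface, so check this first whenever a new adapter or VPN appears.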
The only protocol you really need is IPv4, and most networking equipment requires IPv4 in
order to function. IPv6 will be increasingly necessary as we have run out of IPv4 addresses,
but as of this writing IPv6 is still not widely deployed.
If you have an IPv6 router, then you can skip over all configurations in this guide that
mention v6, as it is turned on by default by Microsoft. Some routers do not understand IPv6,
and some ISPs don't support it either. So MS made several tunnel components that carry IPv6
inside IPv4 to the outside. This in effect bypasses the protection offered by your NAT router
and hardware firewall: an IPv4-only firewall cannot inspect tunnelled IPv6 traffic, so all
such traffic passes unhindered.
Disabling NetBIOS over TCP/IP turns off the NetBIOS name, datagram and session services
(UDP 137/138 and TCP 139) on that interface. File sharing, if you keep it, continues to
work directly over TCP 445, so nothing you need is lost.
The Discovery protocols are used to provide a nice graphical map of your network. For
home users, this is not needed, as there is only one router; you would only get to see a
picture of your PCs connected to your router. For domain users, this feature is
automatically turned off once you join the domain.
File and Printer Sharing should only be enabled if you plan to share some of your folders
on the network or if you want to share your locally connected printer over the network. If
printer sharing is desired, it is better to get a printer that has networking built in, so that
when it is attacked, the attacker only gains access to a printer instead of your PC. Disable
this feature unless absolutely required.
In the adapter's Properties dialog (Control Panel > Network and Sharing Center > Change
Adapter Settings > right click the adapter > Properties):
o QoS
o Select 'Internet Protocol Version 4 (TCP/IPv4)', click Properties, click Advanced,
Run 'Regedit', right click on the right pane, and create a new entry of type DWORD (32-bit)
called DisabledComponents, with one of the following values:
o FF to disable all IPv6 components except the IPv6 loopback interface, which
can't be deactivated.
o 0x01 to disable all IPv6 tunnel interfaces. These include Intra-Site Automatic
Tunnel Addressing Protocol (ISATAP), 6to4 and Teredo. If you have an IPv6
router, this is the one to choose.
Reboot.
Disable IGMP
I have never seen this protocol used on a home network. When something is unused, least
privilege says it should be disabled.
Regedit
HKLM\Software\Microsoft\DirectplayNATHelp\DPNHUPnP
Go to Control Panel > Programs and Features > Turn Windows Features on or off, and
uncheck SMB 1.0/CIFS File Sharing Support.
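The adapter and protocol changes described in this section, collected into one script as an added example; it is not the guide's Configuration Pack and not code from the guide. It unbinds the adapter components the dialog would have you uncheck, writes the DisabledComponents value (the registry location is the one Microsoft documents for it), turns off NetBIOS over TCP/IP on every IP-enabled interface, and removes SMB1. The adapter name $Adapter and the $KeepIPv6 choice are assumptions; list your adapters with Get-NetAdapter first and run elevated.

```powershell
# Added example, not the guide's Configuration Pack: adapter and protocol
# hardening from an elevated PowerShell session. Reboot afterwards, as the text says.
$Adapter  = 'Ethernet'   # assumption: check with Get-NetAdapter
$KeepIPv6 = $false       # $true if you have an IPv6 router: keep IPv6, drop only the tunnels

# 1. Adapter bindings, i.e. the checkboxes in the adapter's Properties dialog
$bindings = @{
    ms_pacer  = 'QoS Packet Scheduler'
    ms_lltdio = 'Link-Layer Topology Discovery Mapper I/O Driver'   # the network map
    ms_rspndr = 'Link-Layer Topology Discovery Responder'
    ms_server = 'File and Printer Sharing for Microsoft Networks'
}
if (-not $KeepIPv6) { $bindings['ms_tcpip6'] = 'Internet Protocol Version 6 (TCP/IPv6)' }
foreach ($id in $bindings.Keys) {
    Disable-NetAdapterBinding -Name $Adapter -ComponentID $id -ErrorAction SilentlyContinue
    Write-Host ('unbound {0,-10} {1}' -f $id, $bindings[$id])
}

# 2. DisabledComponents: the DWORD the text has you create in Regedit. Location as
#    documented by Microsoft (KB 929852). 0xFF = all IPv6 except loopback,
#    0x01 = only the tunnel interfaces (ISATAP, 6to4, Teredo).
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$value  = if ($KeepIPv6) { 0x01 } else { 0xFF }
New-ItemProperty -Path $tcpip6 -Name DisabledComponents -PropertyType DWord -Value $value -Force | Out-Null

# 3. NetBIOS over TCP/IP off on every IP-enabled interface
#    (WINS tab -> "Disable NetBIOS over TCP/IP"; TcpipNetbiosOptions 2 = disable)
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
    Write-Host ('NetBT off on {0}: return {1}' -f $_.Description, $r.ReturnValue)   # 0 = ok, 1 = reboot needed
}

# 4. SMB 1.0/CIFS File Sharing Support (the Windows Features checkbox)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 5. What is still bound to the adapter, to review before the reboot
Get-NetAdapterBinding -Name $Adapter | Where-Object Enabled | Select-Object DisplayName, ComponentID
```

After the reboot, ipconfig /all should show no IPv6 addresses other than ::1 (or only non-tunnel ones if you kept IPv6), and "NetBIOS over Tcpip" should read Disabled for the adapter.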
Disabling Listening Ports
When you run the command 'netstat -abn' from an elevated prompt, it shows which ports are
open and listening on the network and which process owns each one. Normally you would want to
close those ports unless you really need them. Windows 10's listening processes and their port
numbers are RPCss (135), the eventlog service (49409), Spoolsv (49410), schedule (49411) and
lsass.exe (49414); the port numbers above 49152 are dynamic RPC ports and can change between
reboots. However, the default firewall policy for inbound traffic is 'block' for all network
profiles (domain, private, public). That means nobody can reach those listening ports unless
the firewall is off, or you have made inbound 'allow' rules that pass traffic to those
processes. This was verified by connecting to them with telnet: all attempts failed unless the
firewall was turned off or 'allow' rules were made. Also, as far as I can determine, all of
those processes are essential to Windows and cannot be stopped without crippling the PC, with
the exception of the Print Spooler, which can be disabled if you never print (see the service
settings below).
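An added example, not from the guide, that turns the verification above into a repeatable check: it lists every TCP and UDP listener with its owning process (what 'netstat -abn' shows), confirms that each profile is on and blocks inbound by default, and then resolves which enabled inbound 'allow' rules actually cover each listening port. Run it elevated so process IDs resolve to names. The rule-by-rule port lookup is slow (one query per rule), which is normal.

```powershell
# Added example, not part of the guide: listeners joined with firewall exposure.

function New-ListenerRow([string]$proto, $endpoint) {
    $proc = Get-Process -Id $endpoint.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto   = $proto
        Port    = [int]$endpoint.LocalPort
        Local   = '{0}:{1}' -f $endpoint.LocalAddress, $endpoint.LocalPort
        PID     = $endpoint.OwningProcess
        Process = if ($proc) { $proc.ProcessName } else { '?' }
        # RPC hands out ports from 49152 upward, so these move between reboots
        Dynamic = [int]$endpoint.LocalPort -ge 49152
    }
}

function Get-Listeners {
    $rows  = @(foreach ($e in (Get-NetTCPConnection -State Listen)) { New-ListenerRow 'TCP' $e })
    $rows += @(foreach ($e in (Get-NetUDPEndpoint)) { New-ListenerRow 'UDP' $e })
    $rows | Sort-Object Proto, Port
}

# Does a rule's LocalPort specification cover this port? Handles the forms used by
# the built-in rules: Any, a number, a range, and the RPC keywords.
function Test-PortCovered([string]$spec, [int]$port) {
    switch -Regex ($spec) {
        '^Any$'         { return $true }
        '^RPC-EPMap$'   { return $port -eq 135 }
        '^RPC$'         { return $port -ge 49152 }
        '^\d+$'         { return ([int]$spec -eq $port) }
        '^(\d+)-(\d+)$' { return ($port -ge [int]$Matches[1] -and $port -le [int]$Matches[2]) }
        default         { return $false }   # other keywords (IPHTTPSIn, PlayToDiscovery, ...) not resolved here
    }
}

function Get-InboundExposure {
    # The baseline the text relies on: every profile enabled and blocking inbound by default
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled -or $p.DefaultInboundAction -ne 'Block') {
            Write-Warning ('Profile {0}: Enabled={1} DefaultInboundAction={2}' -f $p.Name, $p.Enabled, $p.DefaultInboundAction)
        }
    }
    # Enabled inbound allow rules with their port filters
    $allow = foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $pf = $r | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $r.DisplayName; Protocol = $pf.Protocol; LocalPort = @($pf.LocalPort) }
    }
    foreach ($l in Get-Listeners) {
        $hits = $allow | Where-Object {
            ($_.Protocol -eq 'Any' -or $_.Protocol -eq $l.Proto) -and
            ($_.LocalPort | Where-Object { Test-PortCovered $_ $l.Port })
        }
        [pscustomobject]@{
            Proto   = $l.Proto
            Port    = $l.Port
            Process = $l.Process
            Dynamic = $l.Dynamic
            Exposed = [bool]$hits
            Rules   = (@($hits.Rule) | Select-Object -Unique) -join '; '
        }
    }
}

Get-InboundExposure | Format-Table -AutoSize
```

A listener with Exposed = False is the situation the text describes: the process is listening but the firewall's default block stands between it and the network. Anything with Exposed = True names the rule responsible, which is the list to review after every application install.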
More expensive hardware firewall routers have more tools, like configurable rules, sending
logs to remote syslog servers, and fancier protection like spotting syntactically illegal IP
packets. For an example of a small/medium-size business product, take a look at the
www.sonicwall.com site. They have products which integrate a firewall, gateway antivirus and
antispyware, and VPN. These usually cost $400 and up.
As an alternative, there are free firewall distributions that offer almost the same features,
like IPFire and pfSense. See the section Intrusion Detection part 4 below.
Most people don't know that outbound blocking has to be turned on explicitly. When outbound
blocking is on, only the programs and services you specify can talk to the net, so malware
has a hard time reporting back to its servers. However, the firewall console has no view that
tells you which programs it has blocked outbound. So after installing a program that needs to
connect to the net, like your antivirus, you have to test its EXE files one by one to see
which one is responsible for talking, and allow that EXE with an outbound rule. (The Security
event log can tell you: once the 'Filtering Platform Connection' failure audit is enabled with
auditpol, every blocked connection is recorded as event 5157 together with the application path.)
If you have the Automated Configuration Pack, you can right click on "netsh-advfirewall - if
using TCPIPV6.bat" or "netsh-advfirewall - if not using TCPIPV6.bat" and choose Run as admin.
This will set up all firewall rules and profile settings.
HowTo allow a Windows service outbound: Click on Outbound Rules on the left, click on 'New
Rule', select 'Custom'; next to 'Services' click Customize, select 'Apply to this service',
scroll and find 'Windows Update', Next; Protocol and Ports (no change), Next; IP addresses
(no change), Next; select 'Allow the connection'; checkmark all profiles, Next. Give the rule
a name, e.g. "Allow service X".
HowTo allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule',
select "Program", Next; select "This program path" and click on the "Browse" button, navigate
to the program folder and select the EXE, Next; select "Allow the connection"; checkmark all
profiles, Next. Give the rule a name, e.g. "Allow Program X".
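The outbound-blocking setup and both how-tos above as one script, added here as an example; it is neither the guide's netsh batch files nor code from the guide. It sets default-deny outbound on all three profiles, creates a service rule and a program rule, and then addresses the missing-feature problem by enabling the Filtering Platform audit and summarising which executables were blocked. The rule names and $Program are assumptions; run elevated.

```powershell
# Added example, not the guide's netsh batch files: default-deny outbound, the
# two allow-rule types, and a view of what got blocked. Elevated session.
$Program = 'C:\Program Files\Example\example.exe'   # assumption: the EXE you want to allow

# 1. Firewall on, default-deny both directions, for Domain, Private and Public
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. "Allow a Windows service outbound": bound to the service, so the other
#    services sharing the same svchost.exe are not allowed along with it
$svcRule = 'Allow service Windows Update'   # assumption: rule name
if (-not (Get-NetFirewallRule -DisplayName $svcRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $svcRule -Direction Outbound -Service wuauserv `
        -Action Allow -Profile Any | Out-Null
}

# 3. "Allow a program outbound"
if (Test-Path -LiteralPath $Program) {
    $progRule = 'Allow program ' + (Split-Path -Leaf $Program)
    if (-not (Get-NetFirewallRule -DisplayName $progRule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $progRule -Direction Outbound -Program $Program `
            -Action Allow -Profile Any | Out-Null
    }
}

# 4. The console never says which program was dropped; the Filtering Platform
#    audit does. Each blocked connection becomes Security event 5157 with the
#    application path. (Subcategory name is locale-specific; this is the English one.)
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

function Get-BlockedOutbound {
    # Summarise outbound 5157 events from the last $Minutes: which EXE tried to reach where
    param([int]$Minutes = 60)
    $filter = @{ LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $m = $e.Message
        if ($m -notmatch 'Direction:\s+Outbound') { continue }
        $app  = if ($m -match 'Application Name:\s+(.+)')     { $Matches[1].Trim() } else { '?' }
        $dst  = if ($m -match 'Destination Address:\s+(\S+)') { $Matches[1] }        else { '?' }
        $port = if ($m -match 'Destination Port:\s+(\d+)')    { $Matches[1] }        else { '?' }
        [pscustomobject]@{ Time = $e.TimeCreated; Application = $app; Destination = "${dst}:${port}" }
    }
}

# After installing something that needs the net: let it try, then see who was blocked
Get-BlockedOutbound -Minutes 15 | Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The application path in event 5157 is in device form (\device\harddiskvolumeN\...), which is enough to identify the EXE to allow. The failure audit can be noisy on a busy machine; turn it off again with /failure:disable once the rules are settled.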
The following rules apply to all 3 profiles: Domain, Private and Public
\Windows\ImmersiveControlPanel\SystemSettings.exe
o Outbound/ disable all Core Networking rules that mention IPv6, IPHTTPS,
IGMP, Teredo, and ICMPv6
o Inbound/ allow <Core Networking ICMPv4 in> (enable this rule if you want to
be able to ping your machine)
o Inbound/ disable all Core Networking rules that mention IPv6, Teredo, and
ICMPv6
o Inbound/ disable all Network Discovery rules for the private profile (NB Datagram
in, NB Name in, LLMNR UDP In, Pub-WSD-In, SSDP-In, UPnP-In, WSD-
Events-In, WSD-EventsSecure-In, WSD-In)
o Inbound/ disable Search (don't know why Search needs an inbound rule; Search
reaches outbound)
o Inbound/ disable <Mail and Calendar> (disable if you don't use MS accounts)
Firewall rules that need manual disabling even if you have the Automated
Configuration Pack and ran 'netsh-advfirewall.bat':
---------------------------
My Personal Rules
---------------------------
If you have the Automated Configuration Pack, you can right click on
"netsh advfirewall - my personal rules.bat" and choose Run as Admin.
The following rules are set on my machine because I don't have the equipment
mentioned, like WiFi or Xbox. Also I don't intend to get MS Office because I use the
open source LibreOffice (free).
Some apps install inbound allow rules for themselves. When you install an app, you should
check the Inbound rules to see if any new rules have appeared, and disable those if you
don't want inbound traffic to that app. Note that an inbound rule for an app essentially
makes that application a server: it will accept any transmission to the PC and can be
exploited.
-----------------------------------------------------
FIPS and Windows Advanced Firewall
-----------------------------------------------------
Do NOT enable FIPS in Local Security Policy > Local Policies > Security Options, or
else you will not be able to import a firewall policy. The setting is:
Local Security Policy > Local Policies > Security Options > "System cryptography: Use
FIPS compliant algorithms for encryption, hashing, and signing"
You can use gmail, yahoo mail, outlook.com or hotmail.com addresses for this "MS
Account". If you use a gmail or yahoo mail address, Windows will create a mirror account
on outlook.com that uses the same name and password. It will also migrate your phone
number over to this account. The phone number is used for second-factor authentication
when you do billing tasks.
You should do everything possible to protect this MS account, because it is used to hold
your credit card number. When you first use the Windows Store to purchase anything,
Windows asks you for your credit card number and stores it online in this MS account.
Cortana also uses your MS account to store notes about your past queries and other
personal information. So don't use it for email or instant messaging (so that the account
name is not circulated), and don't enable OneDrive. A compromised MS account gives the
attacker access to all these things. Secure it with a long, complex passphrase (see how to
create a strong passphrase below). Although MS uses second-factor authentication when you
go to outlook.com and check your billing and credit card details, it does not use a second
factor when you use the card to buy things; it only asks for your passphrase. So once your
passphrase is cracked, the attacker can go on a shopping spree, in addition to being able
to log on to your PC.
A workaround is to pay for the Windows apps you want to install and immediately go to
outlook.com to remove the credit card information from the account.
WARNING: an MS account is a semi-admin. It can install Windows apps from the Store even if
it is not an admin account, and depending on the app, the installation can open inbound
'allow' firewall rules which make your PC more exposed. Modifying firewall rules used to
require admin rights, but for Store apps MS has apparently decided to bypass this. So create
an MS account only for an admin person and never for a user, as a user cannot be trusted to
treat security as important; all a user wants at that moment is to try out the new software.
If you have to use MS accounts for your users, you can put a ban on the Windows Store via
the policy key:
HKLM\Software\Policies\Microsoft\WindowsStore
The program installs into \Windows\SoftwarePolicy. Configuration is done via an .ini file
that can be accessed and edited from its menu. Some configuration items need modification.
Right click on the program's systray icon and choose Configure; Notepad will start.
Edit the following item and change the value from 0 to 2, like below:
AdminMenuPasswordLevel=2
Locate [CustomPolicies] and add the following line:
"C:\ProgramData\Microsoft\Windows Defender\Definition Updates"=1
Now extract the AccessChk.zip file that was downloaded. Then create a 'find SRP block
paths.bat' with the following lines (-w lists only objects the account can write to, -s
recurses, -q omits the banner and -u suppresses errors):

```bat
accesschk -w -s -q -u Users "C:\Program Files"
accesschk -w -s -q -u Users "C:\Program Files (x86)"
accesschk -w -s -q -u Users "C:\Windows"
accesschk -w -s -q -u Everyone "C:\Program Files"
accesschk -w -s -q -u Everyone "C:\Program Files (x86)"
accesschk -w -s -q -u Everyone "C:\Windows"
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files"
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"
accesschk -w -s -q -u "Authenticated Users" "C:\Windows"
accesschk -w -s -q -u Interactive "C:\Program Files"
accesschk -w -s -q -u Interactive "C:\Program Files (x86)"
accesschk -w -s -q -u Interactive "C:\Windows"
```

Place the bat file into the folder where you extracted accesschk.exe, and run it to find
out which folders on your system you need to add to the Disallowed section.
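The same audit without accesschk, as an added example that is not part of the guide: a PowerShell script that walks the three trusted roots and reports every directory in which one of the four low-privilege identities holds a right that lets it plant or replace a file. Those directories are the ones to add to the Disallowed section, because SRP trusts C:\Program Files and C:\Windows by path and a user-writable folder under them is a hole in that trust. Run it elevated; on a stock install expect entries such as Windows\Temp and Windows\Tasks.

```powershell
# Added example, not part of the guide: find user-writable directories under the
# SRP-trusted roots. The identity names and roots mirror the accesschk batch file.
$Roots      = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$Identities = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# Specific rights that allow writing; Write/Modify/FullControl contain these bits, and the
# two generic bits (GENERIC_WRITE, GENERIC_ALL) cover ACEs that are stored in generic form
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Find-WritableDirectories {
    param([string[]]$Paths = $Roots)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            try { $acl = Get-Acl -LiteralPath $d.FullName } catch { continue }
            # Allow ACEs only. An explicit Deny for the same identity would override,
            # but such entries are rare in these trees and deserve a manual look anyway.
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $d.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-WritableDirectories | Sort-Object Path, Identity | Format-Table -AutoSize
```

Rerun it after installing software: installers that grant Users write access to their own folder under Program Files are common, and each such folder needs a Disallowed entry of its own.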
Lastly, if you use the Opera browser, find in the [LimitedApps] section the line 'Opera=...'
and place a semicolon (;) in front of the line to exclude Opera from protection, because
Opera v30 (the latest version as of this writing) will not function with this enabled.
Also, you can add a ; in front of these lines to remove extra menu items, as they add
clutter to the right-click menu:

```ini
;(C:\)=explorer.exe C:\
;Control Panel=control.exe
;Printers and Faxes=control printers
;Network Connections=ncpa.cpl
;Computer Management=compmgmt.msc
;Disk Management=diskmgmt.msc
;Registry Editor=regedit.exe
;Task Manager=taskmgr.exe
;Windows Firewall=firewall.cpl
;Command Prompt=cmd.exe
;Salamander=salamand.exe
```
There are various servers in the list of services which listen 24x7 to everybody sending
them stuff (which includes exploits), like the simply named 'Server' service that is
responsible for File and Printer Sharing. Another server is UPnP Device Host, which lets
other PCs interact with devices on this PC. Components that allow remote management are
also turned off, like Remote Registry and Windows Remote Management: the first lets other
PCs change your registry, and the second allows remote shell access. The Secondary Logon
service is turned off because it lets command line users run programs as admin. It requires
the admin's password, but attackers have all day to figure that out. DNS Client is turned off
because it only caches DNS results and registers the machine's name; with it stopped,
applications still resolve names by querying the configured DNS servers directly, but there
is no local cache for an attacker to poison with fake entries. (Note that later Windows 10
builds no longer let you change this service's startup type from the Services console.)
HomeGroup is a file sharing mechanism in which the whole network's shared material (from all
PCs) is secured by a single password; with File and Printer Sharing at least you can have
different logons for different PCs. I have left 6 services on Automatic/Manual start which do
react to input from the net. These services tell other Windows programs about your network
and allow you to choose your firewall profile (public or private). One of them is related to
DirectAccess, which can only be used in an environment that has Windows Servers, but I found
that disabling it causes networking to malfunction.
There is another angle to services that makes some of them more desirable targets, and that
is the account that runs them. The System account is all-powerful and at least equal in
power to administrators. A network-facing service which uses this account, like the WMI
Performance Adapter or Printer Extensions and Notifications, is a prized target. A service
running as System will also be targeted by attackers who have gained entry into a Standard
account; they will try to take over the service to gain System rights (this is called
"escalation of privilege").
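A way to see the two properties this paragraph combines, as an added example that is not part of the guide: the script lists running services by the account they run under, marks those that host a network listener, and flags the textbook escalation foothold, a service whose image path contains spaces but is not quoted (the service control manager then tries C:\Program.exe before C:\Program Files\...). Run it elevated so process IDs resolve.

```powershell
# Added example, not part of the guide: service account, network exposure and
# unquoted image paths in one view.

function Get-ServiceExposure {
    $listenPids = @((Get-NetTCPConnection -State Listen).OwningProcess) +
                  @((Get-NetUDPEndpoint).OwningProcess) | Select-Object -Unique
    foreach ($s in (Get-CimInstance Win32_Service | Where-Object State -eq 'Running')) {
        $path = [string]$s.PathName
        # Executable part = everything up to the first ".exe". Unquoted and containing
        # a space means the SCM has to guess where the binary is.
        $exe = if ($path -match '^(?<exe>[^"]*?\.exe)') { $Matches.exe } else { $path }
        $unquoted = ($path -notmatch '^"') -and ($exe -match '\s')
        [pscustomobject]@{
            Name          = $s.Name
            Account       = $s.StartName
            NetworkFacing = $listenPids -contains $s.ProcessId   # shared svchost: every service in it is marked
            UnquotedPath  = $unquoted
            Path          = $path
        }
    }
}

$svc = Get-ServiceExposure

# 1. Who runs what: LocalSystem is the prize; LocalService/NetworkService are restricted
$svc | Group-Object Account | Sort-Object Count -Descending | Select-Object Count, Name

# 2. The combination the text warns about: all-powerful account AND reachable from the net
$svc | Where-Object { $_.Account -eq 'LocalSystem' -and $_.NetworkFacing } |
    Select-Object Name, Account, Path | Format-Table -AutoSize

# 3. Unquoted image paths; fix with: sc.exe config <name> binPath= "\"C:\path with space\sv.exe\""
$svc | Where-Object UnquotedPath | Select-Object Name, Account, Path
```

Cross-check the second list against the listening-port inventory earlier in this guide: every entry in it is a service that is both listening and running as System, which is exactly the pairing that makes disabling unneeded services worth the effort.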
There are some services which activate only if you have the right equipment: the Microsoft
iSCSI Initiator service, Bluetooth Support Service, Fax, Smart Card, Smart Card Removal
Policy and WWAN AutoConfig are all dependent on specific hardware. In my personal
configuration they are all disabled, because I don't have them. In particular, Bluetooth
Support Service ought to be disabled if you have no Bluetooth peripherals; it is a networking
component that can be abused by attackers, and free hacking tools are available. It is not
disabled in the default configuration file because I don't want someone to apply the config
and suddenly find that their keyboard or mouse doesn't work.
When you configure services, clicking on each one displays a description. If that is not
enough for you, you can check out http://www.blackviper.com; sometimes they have additional
information.
If you have the Automated Configuration Pack, you can set up the services by right clicking
on "Harden Win 10 Services.bat" and choosing "Run as Administrator".
Items in <angle brackets> are optional and not set up in the Automated Configuration file.
Right click on each of the following services, choose Properties and set Startup Type to Disabled.
---------------------------------------------------
Interactive Services Detection: (manual) only old services interact with the desktop, a
practice not encouraged by MS
Infrared Monitor Service: (manual) starts a file transfer automatically when a device connects
IP Helper: (automatic) enables IPv6 tunnels over IPv4. We don't want tunnels; they are not
inspectable by firewalls.
KtmRm for Distributed Transaction Coordinator: (manual) disabled because it is not used.
Link-Layer Topology Discovery Mapper: (manual) draws a map of your network. Not needed.
Network Connected Devices Auto-Setup: (manual) devices can still be set up manually
Remote Desktop Services UserMode Port Redirector: (manual) remote desktop. Not used.
SNMP Trap: (manual) disabled because SNMP responds to queries over the network
UPnP Device Host: (manual) disabled because no hosting of devices for other PCs is allowed
Windows Camera Frame Server: (manual) enables sending camera video to multiple apps
simultaneously; what if, for example, a spyware app is running in the background?
WARNING: Geolocation Service: (manual) used by Cortana. If you disable this one, you won't be
able to reset it back to normal again. Current Windows bug as of 2015-Aug-19.
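The list above applied from PowerShell, as an added example that is not the guide's "Harden Win 10 Services.bat" nor code from the guide. Because of the Geolocation warning, it first snapshots every service's startup type to a CSV so that any change can be reverted to the recorded value, then disables the listed services by their service names. $Snapshot is an assumption; run elevated.

```powershell
# Added example, not the guide's batch file: snapshot, then disable the listed services.
$Snapshot  = "$env:ProgramData\service-startup-before-hardening.csv"   # assumption
# Service names behind the display names in the list above
$ToDisable = @{
    UI0Detect    = 'Interactive Services Detection'
    irmon        = 'Infrared Monitor Service'
    iphlpsvc     = 'IP Helper'
    KtmRm        = 'KtmRm for Distributed Transaction Coordinator'
    lltdsvc      = 'Link-Layer Topology Discovery Mapper'
    NcdAutoSetup = 'Network Connected Devices Auto-Setup'
    UmRdpService = 'Remote Desktop Services UserMode Port Redirector'
    SNMPTRAP     = 'SNMP Trap'
    upnphost     = 'UPnP Device Host'
    FrameServer  = 'Windows Camera Frame Server'
}

function Save-ServiceSnapshot {
    # Written once and never overwritten, so it always holds the pre-hardening state
    if (Test-Path -LiteralPath $Snapshot) { return }
    Get-CimInstance Win32_Service | Select-Object Name, DisplayName, StartMode, State |
        Export-Csv -Path $Snapshot -NoTypeInformation
}

function Disable-ListedServices {
    Save-ServiceSnapshot
    foreach ($name in $ToDisable.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Host ('absent   {0,-13} ({1})' -f $name, $ToDisable[$name]); continue }
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
        Set-Service -Name $name -StartupType Disabled
        Write-Host ('disabled {0,-13} {1}' -f $name, $svc.DisplayName)
    }
}

function Restore-ServiceStartup {
    # Undo for one service from the snapshot, e.g. Restore-ServiceStartup lfsvc (Geolocation)
    param([Parameter(Mandatory)][string]$Name)
    $row = Import-Csv -Path $Snapshot | Where-Object Name -eq $Name
    if (-not $row) { throw "no snapshot entry for $Name" }
    # Win32_Service reports Auto/Manual/Disabled; Set-Service wants Automatic/Manual/Disabled
    $type = if ($row.StartMode -eq 'Auto') { 'Automatic' } else { $row.StartMode }
    Set-Service -Name $Name -StartupType $type
    Get-Service -Name $Name | Select-Object Name, Status, StartType
}

Disable-ListedServices
```

Services absent on your hardware (Infrared Monitor on a PC without IrDA, for instance) are reported and skipped rather than treated as errors. The snapshot file is also a useful baseline for the comparison step later in this guide.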
----------------------------
My Service Settings
----------------------------
Below are additional service settings that I use on my machine. They are not suitable for
everyone; most of the services listed are disabled because I don't have the equipment for
that service to function, like a smart card reader, iSCSI or Bluetooth. Also I rarely print
anything, so printing is disabled.
If you have the Automated Configuration Pack, my personal additional settings are in "My
Personal Win 10 Disabled Services.BAT".
Internet Explorer ETW Collector Service: (manual) could be disabled if you don't use IE.
Microsoft Account Sign-in Assistant: (manual) MS Accounts not used by me; you decide.
Sensor Monitoring Service: (manual) not used by me; I don't have screen brightness control.
Smart Card Removal Policy: (manual) I don't have a smart card device; if hacked it will lock the PC.
Touch Keyboard and Handwriting Panel Service: (manual) I don't have such a device.
Distributed COM (DCOM) was invented by MS to answer the perceived need for distributed
computing. At one time this was all the rage, but it did not turn out to be popular. Imagine
running code from some source on the internet on your PC. We want to disable this.
Start button > All apps > Windows Administrative Tools > Component Services. Component
Services > Computers > right click on My Computer; choose Properties. Go to the Default
Protocols tab. Under DCOM Protocols, remove Connection-oriented TCP/IP.
However, if we stop user and admin accounts from logging in through the network, then Simple
Software Restriction Policy 1.2 stops working. We are still protected by Windows Firewall. So
the accounts that are denied are: Guests, ANONYMOUS LOGON, NETWORK SERVICE, SERVICE and
LOCAL SERVICE.
This guide used to recommend EMET 5.2 for other versions of Windows, but MS has stated that
it is not compatible with Windows 10. EMET 5.5 has been released; however, the new version
requires the Secondary Logon service to be active, and with access to the Secondary Logon
service, attackers can use the runas command line tool to invoke administrative rights. One
of the core design goals of this guide's hardening approach is to deny attacks even if the
attacker knows your admin password. This could be the result of shoulder surfing (simply
noting your password as you type it by looking over your shoulder), or of a keylogger
installed on your system. The necessity of having the Secondary Logon service active is
unacceptable, and that is why this guide now recommends Malwarebytes Anti-Exploit.
Malwarebytes Anti-Exploit Free has fewer protection mechanisms than EMET, but it protects
most browsers and Java by default. The paid version also protects MS Office and Adobe Reader
plus some other apps. Since browsers are a primary attack vector nowadays, this is a good
tool to have. The program needs no configuration.
Install Antivirus
The last thing you need to do in preparation for connecting online to Check for Updates is to
install your antivirus program. You also need an outbound firewall rule to allow the antivirus
to fetch signature updates. Windows 10 comes with Windows Defender antivirus. If you want to
use this default antivirus, nothing needs to be done except allowing it outbound in the
firewall (already listed in the firewall rules configuration above). Some antivirus products
also require other files to be added to the firewall outbound rules, like ESET antivirus,
which has a file called "ekrn.exe" that intercepts web browsing and inspects traffic.
Activate Windows
At this point, you have hardened the networking components. Switch to your Standard account and connect to the internet now. There are 3 things you need to check before you can perform activation.
1. Open Start > All apps > Windows Administrative Tools > Services. And start these 2
services:
Microsoft Sign-in assistant
Windows Update
If they are not running, then set them to Manual start, and Start the service.
2. Check that your Date & Time and your Time Zone are correct. You may have to disable automatic time zone.
Or, you can open an elevated command prompt and run the following:
slmgr.vbs /ato
DO NOT SURF the net while updates are going on, as Edge and Internet Explorer are still
unpatched and vulnerable.
Note also that you have to check for updates more than once, as MS prepares updates in batches,
and another batch may follow the current one.
If you wish, you may defer Windows Update until we reach the end of this guide, when all attack venues are covered.
Settings > Update & Security > Windows Update > Advanced Options > checkmark Give me updates for additional Microsoft Products.
Remember to update your firewall outbound rules to allow the programs that need the internet. Adobe Reader, for example, now has its own update service, so add allow outbound rules for such services. Your browser, antivirus and Secunia PSI (see below) also need to reach out to the internet.
Patching
One of the most important things to do is to update EVERYTHING on your computer, constantly; that means Windows Update and updating all programs and plug-ins. It is very important to know that security patches close the holes that malware/hackers need to get onto your computer. Patching the security holes is the ultimate preventative measure, as it treats the source of the problem.
It is known that attackers reverse engineer MS patches to exploit the vulnerabilities they fix. It only takes them a few days to do so, so be sure to patch on time. MS's patch schedule is the second Tuesday of each month. Set a repeating calendar entry on your cellphone.
Windows Update supplies security fixes to Windows and its programs, like Edge and Internet Explorer. If you use a buggy Edge, then hacked websites can install viruses/malware unbeknownst to you.
Adobe Flash is another component that lots of people forget about. Luckily, two browsers, Internet Explorer and Google Chrome, fetch Flash updates automatically, so you don't have to do a thing. If you use Firefox, Opera or another browser, then you need to download the Flash plugin for them. Adobe Flash has an automatic update feature; if you install Flash, you must make an outbound allow firewall rule for the update service. An alternative to Flash is HTML 5. Many sites support this now, and you may find that you don't need Flash anymore.
Sign on Security
It is very important to guard your sign on passphrases, especially your admin account's. Attackers will try to trick you into giving out the passphrase by installing a trojan that looks like the Windows sign on screen; upon seeing this, most users will key in their passphrase without question. Microsoft has made a feature whereby you need to press CTRL-ALT-DEL in order to reach the sign on screen, because the special key sequence CTRL-ALT-DEL can only be trapped by the operating system. This feature is normally only active when a PC is part of a corporate network that has Windows Servers. However, it can be enabled without Windows servers. To do so, go to Start, type in 'netplwiz' and go to the Advanced tab. There you will see the option to turn on the CTRL-ALT-DEL sign in screen.
Another MS security feature is not displaying the account name in the sign on screen, even when
the user is currently signed on and has locked the system by pressing WinKey-L. This means the
attacker needs to get both the account name and the passphrase right and significantly enhances
security.
If you have the Automated Configuration Pack, you can right click on Harden Win 10 Security options.bat and choose Run as admin to enable the do not display last user feature. Further down the document, all the settings in Security options are given.
Privacy
Under Start > Settings > Privacy is a whole lot of apps that use your private info. Some of them are used by Cortana, the new artificial intelligence personal assistant, like Speech, inking & typing, and Location. The privacy settings are per account, except Location, which is a system wide setting that can only be enabled by admins. So you can use a particular MS account to experiment with Cortana. (Cortana needs an MS account.)
OneDrive
OneDrive lets you keep your documents, pictures and PC settings on the net, ready for syncing to all of your PCs. However, your personal files are sitting there on the internet 24x7x365 waiting for someone to crack your password. This is not secure, to say the least.
Another issue is that OneDrive currently breaks Software Restriction Policy (including SSRP). The executable is located in \Users\<yourAccountName>\AppData\Local\Microsoft\OneDrive\, and the folder is user writable. The problem is that if we extend SRP to allow programs to execute from this folder, then an attacker can place his tools in this folder and they will get the same permissions, all because the folder is under \Users\ and is user writable. If we make the SRP rule mention the executable, the attacker can overwrite the exe with his own program. So, do NOT create a rule in SSRP to allow OneDrive to execute. Sign in to those MS accounts and run Task Manager, go to the Startup tab, and disable OneDrive from starting up upon sign-in.
Enable DEP
Data Execution Prevention is a technology that foils some types of attacks when they are coded
in a certain way. By default, this feature is enabled but protects only Windows executables. You
want to enable it to protect all programs, like your Firefox, Opera, Acrobat Reader and others.
Right Click Computer/ Properties/ Advanced System Settings /Performance Settings button/ Data
Execution Prevention Tab
Computer > Properties > Advanced System Settings > Startup and Recovery Settings - settings
button
Windows Explorer/ View pull down menu / Options button / Change Folders and Search
options / View tab
Go to Settings > Personalize > Lock Screen > Screen Saver settings, configure it to wait 10
minutes, and check mark "On resume, display Logon screen"
Attackers aim to get use of three accounts: the admin account, the "Administrator" account, and the System account. The admin account is needed for configuring the system, so it needs full access to command line tools and we cannot avoid this. The 'Administrator' account is disabled by default. And the System account is used by some services. In testing, it was revealed that the System account cannot be constricted, or else our Restore BAT wouldn't work. So in the provided configuration file, command line tools are set so that only members of the Administrators group and 'TrustedInstaller' can invoke them. (The System account gets inherited rights.) Also, in line with layers of security, the command line admin programs are denied execution by low integrity processes.
As an example, few people are aware that there is a command line FTP program, as most people use their browsers to download. This program is used mainly by attackers who need to bring over their tools once they have gained command prompt access.
In the Configuration Pack, the Dual Admin BAT creates an installation admin (you choose the actual account name) and restricts it from running admin command line tools and administration GUI apps. In addition, it removes ordinary user accounts' access to admin command line tools. After configuration, the command line administrative tools (plus regedit, regedt32 and tasksched) can only be accessed from a full admin account using an elevated command prompt. Also, only the full admin account has the take ownership right. Right click on the BAT file and choose Run as Admin.
Note: the Dual Admin BAT script does not assign a password to the Install Admin. Sign on to the Install Admin account and give it a passphrase.
In effect, the only special rights this installation admin account possesses are the right to write anywhere on the hard drive (like the Program Files folder, which only an admin can write to) and the right to write to any registry key. This seems very generous, but the fact is we are not able to restrict it further. This account would then be used when you install a program, which is a very common task for an admin role.
Very often, an attacker will install a Remote Access Tool/Trojan (RAT) to monitor the victim. This program is just like an ordinary program that provides remote access, like Windows' own Remote Desktop or the commercial program TeamViewer. It can view our screens, see what we type and control the PC by running any program. RATs are very hard to detect, especially if the attacker does not make any changes to your system and just watches you. The goal is to hamper this RAT. The RAT will get all the permissions of the account that you sign into, and it requires an online connection. So here is the second step: we will make our full privilege admin account go offline when used. This will buy us time to find and eliminate the RAT.
Run 'gpedit.msc'
navigate to Local Computer Policy > User Configuration > Windows Settings > Scripts (Logon/Logoff).
You can verify this when you sign on to the full admin account by looking at the Internet icon in
the systray - it will have the red X when you logon to the account.
Note: the BAT files reference the network adapter name. In the majority of cases, the adapters are called Ethernet and Wi-Fi. But if you have multiple network adapters, then the names will be different and need to be changed: edit the BAT files, look for the words 'Ethernet' and 'Wi-Fi' and replace them. The adapter names you currently have are shown at Control Panel > Network and Sharing Center > Change Adapter Settings.
To test the Install Admin account's ability to properly run install programs, the following
programs were tested:
Libre Office
FireFox
It is known that security programs require additional rights to set themselves up; that is why security programs were tested among other programs. Avira, BitDefender and Voodoo Shield failed to install, and WSUS Offline fails to run. They require the use of the full privilege admin account. Ordinary installation programs like VLC typically don't require as many rights. The aim is to reduce usage of the full admin account and lessen the risk. For normal programs, use the Install Admin account first, then if it fails, use the full admin account. To enable your full admin account's internet access, right click on the internet icon in the systray, select 'Open Network and Sharing Center', click on 'Change adapter settings', then right click on the adapter and choose Enable.
For Windows Home version users, there is no gpedit.msc. And Task Scheduler doesn't have a
logoff trigger. But there is another method. Task Scheduler has a login trigger, so we use that to
disconnect the network when the full admin signs in. Task Scheduler can also use an Event ID as
a trigger, and the logoff event is Security 4647. However, the event fires for all accounts, and the
event doesn't tell us who signed out. So we create a sign in text file to mark the full admin
signing in and check for that file when signing off. If the marker file exists, then we reconnect
the network and delete the marker file. There are complications when we use Fast User
Switching to switch from one account to another. The thing to do is to delete the marker file and
reconnect the network when we switch from the full admin to another account. And we
disconnect the network and re-create the marker text file when switching back to the full admin.
Create a 'Sign in Scripts' folder within 'Program Files'. Go to file Properties > Security >
Advanced. Change owner to the main admin. Then remove inherited rights. Then give main
admin account Full rights. And give the Users group Read and Execute, List folder contents, and
Read rights (the default).
Then create a 'Sign in Log' folder within 'Program Files'. Go to file Properties > Security > Advanced. Change owner to the main admin. Then remove inherited rights. Then give the main admin account Full rights. And give the Users group special rights: click on 'Show advanced permissions' and checkmark the following:
Read attributes,
Write attributes,
Read permissions,
AdminSignIn.bat
AdminSwitchesOut.bat
AdminSwitchesIn.bat
AdminSignOut.bat
Now we create 5 scheduled tasks. The first one is for the full admin sign in, to disconnect the network adapter and create a marker file. Ensure that you are signed in as the full admin.
Checkmark Open properties dialog for this task when I click finish
Click Finish
Click OK
Next, we make a scheduled task for full admin switch out, re-enables the network and deletes the
marker file.
Right click on Task Scheduler Library,
Triggers tab
New button
OK
Actions tab
New button
Settings tab
OK
OK
Next, we make a scheduled task for switching to the full admin (Fast User Switching), which again creates the marker file and disconnects the network adapter.
Triggers tab
New button
OK
Actions tab
New button
Settings tab
OK
OK
Next we create a scheduled task for the full admin signing out. This checks whether the marker file exists, then reconnects the network adapter, and deletes the marker file after checking.
When running the task, use the following user account: full admin account
select 'Basic'
Log: Security
OK
Action tab
Browse to 'AdminSignOut.bat'
Settings tab
OK
Lastly we create a scheduled task for system startup, in case you restart the system while signed on as the full admin. We want the system to always start up in a connected state, without a marker file lingering from the last session.
When running the task, use the following user account: System account
Triggers tab
Browse to 'AdminSignOut.bat'
OK
The whole set of scheduled tasks is designed to disconnect the network adapter for the full admin when he signs in or when his account is switched to, and to reconnect the network adapter when he switches to another account or signs out.
One of the methods of disconnecting from the network is to use:
netsh interface set interface name="Ethernet" admin=disabled
or
netsh interface set interface name="Wi-Fi" admin=disabled
To check if the file exists and do something, use:
if exist c:\log\AdminSignIn.txt ( do something )
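As an added example (not the guide's own BAT files), here is one PowerShell script that implements all five of the actions the scheduled tasks above perform, using the marker file logic the guide describes. The marker path, adapter names and script file name are assumptions, and it uses the Enable-NetAdapter/Disable-NetAdapter cmdlets in place of the netsh command.

```powershell
# Added example, not the guide's own BAT files. Save as AdminNetToggle.ps1 (assumed name) and
# call it from each scheduled task as:
#   powershell.exe -ExecutionPolicy Bypass -File AdminNetToggle.ps1 -Action <Action>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('SignIn', 'SwitchIn', 'SwitchOut', 'SignOut', 'Startup')]
    [string]$Action,

    # Assumed marker location; the guide's 'Sign in Log' folder under Program Files works too.
    [string]$MarkerFile = 'C:\log\AdminSignIn.txt',

    # Assumed adapter names; compare with Control Panel > Network and Sharing Center >
    # Change Adapter Settings and edit to match your PC.
    [string[]]$Adapters = @('Ethernet', 'Wi-Fi')
)

function Set-AdapterState {
    param([string[]]$Names, [bool]$Enable)
    foreach ($name in $Names) {
        # Skip names that do not exist on this PC instead of failing the whole task.
        if (-not (Get-NetAdapter -Name $name -ErrorAction SilentlyContinue)) { continue }
        # Equivalent to the guide's: netsh interface set interface name="<name>" admin=enabled|disabled
        if ($Enable) { Enable-NetAdapter -Name $name -Confirm:$false }
        else         { Disable-NetAdapter -Name $name -Confirm:$false }
    }
}

function Write-Marker {
    # Record who triggered the disconnect and when; useful when reviewing the 'Sign in Log'.
    $dir = Split-Path -Parent $MarkerFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    "$env:USERNAME signed in at $(Get-Date -Format o)" | Set-Content -Path $MarkerFile
}

function Remove-Marker {
    if (Test-Path $MarkerFile) { Remove-Item -Path $MarkerFile -Force }
}

switch ($Action) {
    # Full admin signs in, or is switched to with Fast User Switching: go offline, leave the marker.
    { $_ -in 'SignIn', 'SwitchIn' } {
        Write-Marker
        Set-AdapterState -Names $Adapters -Enable $false
    }
    # Full admin switches away to another account: back online, marker removed.
    'SwitchOut' {
        Set-AdapterState -Names $Adapters -Enable $true
        Remove-Marker
    }
    # Security event 4647 fires for every account, so only act when the marker shows the full admin was in.
    'SignOut' {
        if (Test-Path $MarkerFile) {
            Set-AdapterState -Names $Adapters -Enable $true
            Remove-Marker
        }
    }
    # System startup (task runs as System): always start connected, never with a stale marker.
    'Startup' {
        Set-AdapterState -Names $Adapters -Enable $true
        Remove-Marker
    }
}
```

Point each of the five scheduled tasks at this script with the matching -Action value (SignIn for the logon trigger, SignOut for the Security 4647 event trigger, Startup for the task that runs as the System account).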
New to ver 4 of Dual Admin, it is now possible to run the following networking commands in
the Install Admin account:
netstat
nslookup
ipconfig
ping
tracert
pathping
This in essence makes the Install Admin also the Network Admin. The commands allow one to do some network diagnosis and have only one security feature: netstat's '-b' command option. The '-b' option allows one to see which program is making each network connection. To an attacker who is already on your PC, this offers little value, as they can already see what networking programs you have in the Program Files folder. This netstat option also allows you to see if there are any foreign programs connecting out, and maybe you might be able to catch the attacker's tool in action. Note that the firewall rules for these commands have not been created yet, and the commands will still fail initially in the Network Admin account. You have to create the allow rules for these programs to make outbound connections, AND you also have to allow the ICMPv4 protocol outbound in order for ping, tracert and pathping to work.
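As an added example (not from the guide), the outbound allow rules for those six commands plus the ICMPv4 rule can be created from an elevated PowerShell prompt with the NetSecurity cmdlets. The rule names are assumptions, and nslookup is further restricted to DNS port 53, which the guide does not require.

```powershell
# Added example, not from the guide. Run from an elevated PowerShell prompt. Rule names are
# assumptions; the program paths are the standard Windows locations of these tools.
$DiagnosticTools = @('netstat.exe', 'nslookup.exe', 'ipconfig.exe', 'ping.exe', 'tracert.exe', 'pathping.exe')

function Add-DiagnosticToolRules {
    param(
        [string[]]$Programs = $DiagnosticTools,
        [string]$Prefix = 'Hardening - Allow out'   # assumed naming convention
    )
    foreach ($exe in $Programs) {
        $path = Join-Path $env:SystemRoot "System32\$exe"
        $name = "$Prefix $exe"
        # Idempotent: do not create a duplicate rule on a second run.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        if ($exe -eq 'nslookup.exe') {
            # Tighter than the guide requires: nslookup only needs DNS, so limit it to port 53.
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
                -Program $path -Protocol UDP -RemotePort 53 | Out-Null
            New-NetFirewallRule -DisplayName "$name (TCP)" -Direction Outbound -Action Allow `
                -Program $path -Protocol TCP -RemotePort 53 | Out-Null
        } else {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
                -Program $path | Out-Null
        }
    }
    # ping, tracert and pathping send ICMPv4 echo requests (type 8); the guide notes that the
    # per-program rules alone are not enough and ICMPv4 must be allowed outbound as well.
    $icmpName = "$Prefix ICMPv4 echo request"
    if (-not (Get-NetFirewallRule -DisplayName $icmpName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $icmpName -Direction Outbound -Action Allow `
            -Protocol ICMPv4 -IcmpType 8 | Out-Null
    }
}

function Get-DiagnosticToolRules {
    param([string]$Prefix = 'Hardening - Allow out')
    # Review what was created: rule name, enabled state and the program each rule is bound to.
    Get-NetFirewallRule -DisplayName "$Prefix*" |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{ Name = $_.DisplayName; Enabled = $_.Enabled; Program = $filter.Program }
        }
}

Add-DiagnosticToolRules
Get-DiagnosticToolRules
```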
The System account is present in almost all files and folders, but as far as can be determined, it doesn't need to be. Attackers can also use escalation of privilege attacks to get to use the System account, because it is as powerful as an admin. You can choose Edit and Remove to take the right away.
However, the Configuration Pack BAT files need System to work, that is, if you
unzipped the Configuration Pack into Documents. To work around this, you can
create a Security folder under your Users\<YourAccount>\ folder and extract the
files there. Just remember to move the contents back to the Documents folder when
you're done.
The Administrators group is present so that any admin can access your files in an emergency. This can be removed to ensure that the Install Admin can't get at your files. Because the Install Admin has internet access, a RAT (Remote Access Trojan) can use that account to get your files if access is granted to the Administrators group. Removing the ACL entry will ensure that your data stays private. The downside is that when you need to remove this account using Start > Settings > Accounts > Family and Other People, the Documents folder cannot be deleted and will be orphaned. If the account will never be removed, or if you can remember to reinstate the Administrators group, then this ACL entry can be deleted.
Since you also have a Standard User account, run the commands below naming your Standard User account too. Note: this measure only protects you against attacks on your low integrity programs like Internet Explorer (and Firefox or Opera, if you followed the instructions above). But since browsers are primary vectors of attack, this security measure is important. You can also experiment and set other internet facing programs to low integrity, like your chat program.
Go to Settings > Update & Security >Backup and click on "Add a drive"
Open Edge, click on the "..." button, click on Settings, then 'View advanced settings'.
.Turn off 'Use Adobe Flash'. Many sites now use HTML 5, which also does video, so you no longer need Flash to view videos. Flash has had many security vulnerabilities discovered and currently (2015-08-07) has a few vulnerabilities unpatched, and you need to constantly babysit it and update it.
.Turn on 'Help protect me from malicious sites and downloads with SmartScreen Filter'
Because browsers are the primary interface to the web, and are used by everyone, they are a PRIMARY vector of attack. Attackers will attack a website and modify it to deliver malware using security holes in the browser. Or they can send attacks forging the address of a web page you are on. (If you have a tab of your favorite web site always open, they can forge that web site's address and send attacks.)
Internet Explorer was the most popular browser because it is installed by default. Edge may
soon surpass it in popularity because it is pinned to the task bar.
Internet Explorer has an important defense mechanism called Protected Mode. It is another name for Integrity Levels. Basically, the entire system is marked as Medium integrity, while frequently attacked programs like Internet Explorer are marked as Low integrity. Low integrity cannot modify Medium. So even if someone compromises IE and gains access to your PC, they cannot modify your system. You can set the integrity level of a program yourself, so you can make Firefox or other browsers use Protected Mode as well.
Popular alternatives to IE are Firefox, Opera and Chrome. There have been security holes discovered in them just like IE, but they are reputed to be more secure, primarily because they don't use ActiveX. There are ActiveX code libraries strewn about in Windows, and many are not safe for web use. Attackers often make IE call these ActiveX code modules as a means of attack.
IE has this stupid distinction about the source of a web page. By default, if a web server is within your network (like a company internal web server), then Protected Mode is disabled. Well, if an attacker wants to attack your network, they would simply attack your web server first, and let their tools spread when internal visitors use the infected company web server.
Windows 8 has Enhanced Protected Mode, which protects your private files and folders like the Documents folder. However, to remain compatible with plugins like 3rd party toolbars etc., Enhanced Protected Mode has to be manually enabled. Go to Control Panel > Internet Options > Advanced; scroll the Settings list to the Security section.
Note: the above settings are per user, so you have to enable this individually for EACH account. I will remind you of this at the end of this document.
Mozilla Firefox is open source software. Proponents of open source say that because the code is open for all to inspect, it makes for a safer product (as opposed to IE, which only a limited number of MS programmers work on). Mozilla has also once called on white hat hackers to help test attack Firefox. But whether or not this is an ongoing engagement is unclear.
Firefox can be made more secure if you install certain plug-ins. The most popular one is NoScript, which blocks JavaScript from executing until you mark a site as trustworthy or opt to temporarily allow scripting. IE can block JavaScript too, but the controls to do so are buried in the Internet Options menu, not as quickly accessible as NoScript, and it can't be automatically enabled per site. So security that is usable wins. JavaScript blocking is a security feature because many browser security holes are triggered by scripting, so again, when it is not needed, it should be disabled. Unfortunately some sites require JavaScript to operate correctly. However, there is a flaw in the thinking that a site can be marked as trustworthy forever, because 1) even popular and trusted sites can be attacked and modified, and 2) some sites subscribe to ad banners which they have no control over, and sometimes the banners are made maliciously.
To cover the angle of malicious ads, there is plug-in called AdBlock Plus. This plug-in removes
all ads from sites. Its side benefit is that sites load faster without the ads.
There is another Firefox plug-in call WOT (web of trust). This plug-in marks search engine
results with ratings. If a site is known to deliver malware, you will see a red danger icon next to
it. And you can click on the icon to see detailed ratings by threat category. The ratings are driven
by community help. WOT is now also available for Internet Explorer.
There is another free plug-in by McAfee called SiteAdvisor. It also marks search engine results with a safety rating icon, and this product works with both IE and Firefox.
As mentioned above, you can enhance Firefox's security by setting it to low integrity. Open an
elevated command prompt and copy and paste in following commands, one line at a time,
substituting <yourAccName> with your account name:
Note that in order for Firefox to run as low integrity, the \AppData\Local\Temp folder also had to be set to low integrity, where previously it was medium. This folder may contain sensitive temporary data from other applications. An intruder gaining access through Firefox may be locked into low integrity mode and unable to change system settings, but he can glean data from this folder, which may be undesirable.
Note: every time you update Firefox, you have to re-run the command that makes the exe a low
integrity program. ( ... setintegritylevel low )
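As an added example (not the guide's own commands), the following PowerShell wraps the icacls setintegritylevel step for firefox.exe and the account's Temp folder and checks the result, so it can be re-run after each Firefox update. The install path and the account name are assumptions.

```powershell
# Added example, not the guide's own commands. Run from an elevated PowerShell prompt.
# Install path and account name are assumptions; adjust to your system.
function Test-LowIntegrity {
    param([Parameter(Mandatory)][string]$Path)
    # icacls shows 'Mandatory Label\Low Mandatory Level' on objects carrying a low label.
    $output = icacls $Path 2>&1
    [bool]($output | Select-String -SimpleMatch 'Low Mandatory Level')
}

function Set-LowIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse   # folders: make the label inherit to files and subfolders
    )
    if (-not (Test-Path $Path)) { throw "Not found: $Path" }
    # (OI)(CI) = object inherit + container inherit, so new files in Temp also get the label.
    $level = if ($Recurse) { '(OI)(CI)low' } else { 'low' }
    icacls $Path /setintegritylevel $level | Out-Null
    # Return $true only if the label is actually present afterwards.
    Test-LowIntegrity -Path $Path
}

function Set-FirefoxLowIntegrity {
    param(
        [Parameter(Mandatory)][string]$AccountName,                           # replaces <yourAccName>
        [string]$FirefoxExe = 'C:\Program Files\Mozilla Firefox\firefox.exe'  # assumed install path
    )
    $temp = "C:\Users\$AccountName\AppData\Local\Temp"
    # The Temp folder caveat from the guide applies: other apps' temporary data becomes readable
    # at low integrity once this label is set.
    [pscustomobject]@{
        Firefox = Set-LowIntegrity -Path $FirefoxExe
        Temp    = Set-LowIntegrity -Path $temp -Recurse
    }
}

# Re-run after every Firefox update, as the guide notes the label must be reapplied.
# Set-FirefoxLowIntegrity -AccountName 'alice'   # assumed account name
```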
Opera is another alternative browser. The good thing about Opera is that they patch publicly disclosed vulnerabilities quite quickly. There is also a WOT plugin for this browser.
If you run Opera using the desktop icon for launcher.exe, Opera is launched at integrity level Untrusted, so there is no need to set the integrity level with icacls.
Chrome is Google's browser; it is also open source, mostly. Its architecture allocates high-risk components, such as the HTML parser, the JavaScript virtual machine and the Document Object Model (DOM), to its sandboxed rendering engine. It prevents modifications to your Windows system. This sandbox is designed to protect you from unpatched security holes. It also uses IE's Protected Mode in Vista, Windows 7, 8 and 10. Recently, Chrome has also added a sandbox around Adobe Flash, to prevent security bugs in Flash from compromising a system. Google also pays white hat hackers to test attack its product, and numerous security flaws have been discovered this way. Google is doing this right. Chrome is also capable of automatically updating itself. And also, Google has a special deal with Adobe and gets Flash updates automatically. These two things save a lot of time.
Chrome has 2 versions, one is for ordinary users and one is for business. The ordinary one
installs itself into \users\...\appdata, thus allowing users to install the product without IT dept's
blessing. That is, if software restriction policy has not been turned on. The business edition
installs into \Program Files (x86), like what normal 32 bit programs usually do. You should use
the business edition.
Create a sandbox for each user. This assumes that you have different user accounts for different uses, like one for online banking and one for writing/posting your blog. This is so that anything that gets into one sandbox cannot lift data belonging to another sandbox.
Right click on the sandbox and choose Sandbox Settings.
Tip, if you have a favorite site that requires login, and you allow the site to remember your login,
you can start the browser outside of Sandboxie to quickly login and let the site save a cookie.
Then restart the browser using Sandboxie. Sandboxie will copy the cookies from outside to the
sandbox when initiating.
Passwords
You should have strong passwords to safeguard your accounts, particularly the admin accounts. The first account created when you install Windows is an administrative account, so you need to protect that. There is also a hidden account called Administrator which you should also protect with a password, but it first has to be enabled, as it is disabled by default. This is done with the following command at an elevated command prompt:
Your passwords should be long ( 15+ characters ) and also use upper and lower case, numbers
and symbols. The best way is to create passphrases. For example, take the sentence James T
Kirk is the captain of the USS Enterprise 1701. That would form the password
JTKitcotUSSE1701. Throw in symbols and it becomes JTK$itcot%USSE1701. This
password is now long and complex enough to foil attacks.
It is not secure to use the same password everywhere. Some people think it is OK to use the same password for email, banking, Facebook, Windows login and so on. If your password is discovered (say by a keylogger), the next logical thing is to try that on your email account. Once they get access to your email, they can use the forgot my password feature of many web sites to have them email over your access password for that site. And very shortly everything will be compromised. Password attack programs use either a brute force approach or a dictionary approach. The brute force method tries every combination of numbers and letters. The dictionary approach tries out known words. These password attack programs are fast and can test thousands of passwords per minute. A short password is crackable in no time. A secure site would have safety features like locking your account after several failed tries or making you answer the security questions. But not every site is secure like that. And those weak sites are the primary target of password attack programs.
BIOS Password
It is also prudent to password protect your BIOS, so that people cannot boot your PC. Also, you
should change the boot order in the BIOS so that it boots the hard drive first, rather than the
CD/DVD. If an attacker can insert a Linux Live CD and start up your PC, then they will be able
to mount your hard drive and read all data from it, and all Windows security will be bypassed.
Physical Security
Physical security is very important and should not be overlooked. If someone has physical access
to your PC, then they could bypass a lot of the hardening that was done.
For example, if an attacker could access your PC and boot up a Linux Live CD, he could then read and copy off all files from the Windows disk partition. Or he could remove your hard drive, put it into another PC as a secondary drive and get the data off that way. Either way, Windows' password security will be of no use, because the hard drive's copy of Windows was never started. Therefore, you should keep your office/study room under lock and key.
Syskey
For those who don't have Windows Pro, you can use a different form of semi two-factor authentication, but it doesn't protect you from offline attacks. Windows has a feature called syskey, which can store the decryption key to your login passwords on a USB key. The login passwords are not stored as plain text in Windows; they are encrypted. The key to decrypt those passwords can be stored on drive A.
A lot of computers now don't come with a floppy drive, and the drive letter A is unused. First insert your USB memory key, then right click on Computer and choose Manage. Then go to Disk Management, right click on the USB memory stick (which is probably labelled as drive F), and choose Change Drive Letter and Path. Then click the Change button and make it drive A.
Now you run "syskey". Click on the Update button; choose Store Startup Key on Floppy Disk.
Then insert the USB memory key, and the decryption key will be stored on the memory stick.
Once that is done, when you boot Windows, it will prompt you to insert the 'floppy disk' in order
to continue booting.
The syskey method of 2 factor authentication is good: now anyone booting the computer will need the USB memory stick as well as knowing your login password.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=218322
The guide examines what security monitoring one should do and provides the relevant Event IDs. In the section below, those Event IDs are placed into Custom filters, which allow you to monitor for signs of intrusion.
Note that the guide gives Event IDs for Windows XP. With Vista, Windows 7, Windows 8 and Windows 10, you need to take the given Event ID and add 4096 to get the correct event under these newer operating systems.
You may not discover an intrusion right on the first day when they get in. Very often, the
discovery comes several weeks to months later. You will need to retain log entries, and the
default log sizes allow for too short a period.
If you have the Automated Configuration Pack, the 'custom view' filters are in the
folder "Event Viewer Custom Views". Simply choose 'Import Custom View' to
import each xml file one by one.
HOWTO: click 'Create Custom View'. Select 'By Log', pull down 'Event Logs', Checkmark
'Windows Logs', Move to the field <All Event IDs> and copy and paste in the event id numbers,
click OK and name the view.
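As an added example (not from the guide), this PowerShell converts XP-era Event IDs with the +4096 rule, builds the QueryList XML that the Custom View's XML tab and Get-WinEvent accept, and pulls matching Security events. The XP IDs 528, 529 and 551 are assumed for illustration (551 + 4096 = 4647, the logoff event used earlier in this guide).

```powershell
# Added example, not from the guide. The XP IDs below are chosen for illustration:
# 528 successful logon, 529 failed logon, 551 user-initiated logoff (becomes 4647).
function ConvertTo-ModernEventId {
    param([Parameter(Mandatory)][int[]]$XpEventId)
    # Vista and later renumbered the security audit events: new ID = XP ID + 4096.
    foreach ($id in $XpEventId) { $id + 4096 }
}

function New-CustomViewQuery {
    param(
        [Parameter(Mandatory)][int[]]$EventId,
        [string]$LogName = 'Security'
    )
    # Same XPath that Event Viewer writes when you fill in the <All Event IDs> field,
    # e.g. *[System[(EventID=4624 or EventID=4625)]]
    $idFilter = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[($idFilter)]]</Select>
  </Query>
</QueryList>
"@
}

function Get-MonitoredEvents {
    param(
        [int[]]$XpEventId = @(528, 529, 551),
        [string]$LogName = 'Security',
        [int]$MaxEvents = 50
    )
    $ids   = ConvertTo-ModernEventId -XpEventId $XpEventId
    $query = New-CustomViewQuery -EventId $ids -LogName $LogName
    # Reading the Security log needs an elevated prompt; newest events come first.
    Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Paste this output into Create Custom View > XML tab (Edit query manually), or keep it
# alongside the other custom view files for the next import.
New-CustomViewQuery -EventId (ConvertTo-ModernEventId -XpEventId 528, 529, 551)
# Get-MonitoredEvents | Format-Table -AutoSize
```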
Now that Windows is hardened, most of the vulnerabilities you face will come from applications. The concepts that underlie protecting apps are the same as protecting the OS. Be careful of apps that have high privileges, and scrutinise network facing apps. Patching is really important, so upgrade the app when new versions are posted. Monitor Event Viewer's "application hang" and "application error" custom views: if something fishy is going on and it happened after an application hang/error, then there is a chance that you have been attacked. Be aware of what is normal and what is not. Know the protection settings that have been applied and know when a change is made (by an attacker). For example, your full-admin's Documents folder has been set to have only 1 ACL entry, which is full access for the full-admin; if you find that suddenly another ACL entry has been added giving access to, for example, the Administrators group, then something is wrong.
What we want to know is what programs are normally running when we first login. If we know that, then we can be sure that we aren't contaminated with spyware or other hacking tools. There are 2 programs we want to get, both free. The first one is AutoRuns, available from here:
http://technet.microsoft.com/en-us/sysinternals/bb9639022
It doesn't have a setup program; just download, unzip, create a folder under \Program Files (x86) and copy the files there.
AutoRuns lists all of the places in the registry where programs are set to auto launch. Right click
on it, and choose Run as admin, and use File/Save to take a snapshot of each account's current
settings. Later on during your regular system checkups, you can use the File/Compare feature to
see if anything is different. New entries show up in green. If all green entries are good, then save
the file again with today's date, and do the comparison with the new file in the next scheduled
check.
The second program is Process Explorer, available here: http://technet.microsoft.com/en-us/sysinternals/bb896653
This program is like Task Manager, but it shows more info. Much malware names itself
with familiar Windows program names, trying to hide. Log in to your admin account,
then right click on Process Explorer and choose 'run as admin', go to View/Select Columns and
checkmark Command Line. Then do a File/Save. The resulting text file is now a snapshot of
what normally runs when you first log in.
When you do a comparison using Process Explorer, note that you cannot use a file comparison
tool like fc (file compare) to check for differences, that is because the PID (process identifier)
for each program/process would be different on different boot-ups. You would have to do a
visual check of the command line.
Next, reboot your PC and open an elevated command prompt with 'run as admin', and type
The netstat program shows you a list of programs that are listening and connecting to the net. If
an attacker connects to your PC, his program would have to connect back from your PC to his PC,
and his program would show up in this list.
Driverquery is a command line tool built into Windows; it lists all the drivers in use. Some
viruses and rootkits now come in the form of a driver. When you perform your routine checks, first
run this:
Fc will display the differences between out.txt and driverquery-out.txt. If there are lots of
changes, fc will not be able to synchronize the sections in the files. Then you'll have to open up 2
notepads side by side and scroll through the files manually to see what has changed.
In most cases, new drivers are caused by Windows Update. You will have to go online and read
that month's MS Security Bulletin to see if the new patches would have deployed new drivers. If
that doesn't reveal anything, you'll have to check to see if the new drivers are also present in
another machine.
replacing the date portion of the file name with your current date.
Now we have 5 baselines; save them onto a USB memory stick for use in comparisons later. One
should also save the Autoruns and Process Explorer files onto the memory stick as well,
because after an attack programs may get altered or rendered unusable. You have to keep the
baselines on a USB memory stick because attackers will modify your baselines to make you
think nothing has changed.
The last thing to do when doing baseline comparisons is to run sfc /scannow to determine if any
system files have been modified. SFC holds the correct Windows file signatures and compares
them against the current setup. It will also repair any files it finds modified.
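An added example, not from the guide: a PowerShell script that writes the driver, network, process and service baselines with today's date in the file name and compares each with the previous run, the way the fc step above does for driverquery. PIDs are left out of the snapshots so the process and netstat lists compare cleanly across reboots (the problem noted for Process Explorer output above). $BaselineDir, a folder on the USB stick, is an assumption:

```powershell
# Added example (not part of the guide): capture dated baseline snapshots and
# compare them with the previous run. Run from an elevated PowerShell prompt.
# $BaselineDir is an assumption; point it at the USB stick the guide recommends.
param(
    [string]$BaselineDir = 'E:\baselines'
)

$today = Get-Date -Format 'yyyyMMdd'
New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null

# Each snapshot is a sorted list of lines; PIDs are left out so that two
# snapshots of a clean machine compare equal across reboots.
$snapshots = @{
    # loaded drivers (the guide's driverquery check); /fo csv /nh gives a parseable list
    'drivers'   = { driverquery /fo csv /nh | ConvertFrom-Csv -Header Module,Name,Type,LinkDate |
                    ForEach-Object { "$($_.Module) $($_.Name) $($_.Type) $($_.LinkDate)" } }
    # listening ports and established connections with the owning process name
    # (the guide's netstat check); the PID itself is not recorded
    'network'   = { Get-NetTCPConnection -State Listen,Established | ForEach-Object {
                        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                        "$($_.State) $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) [$($p.ProcessName)]"
                    } }
    # running processes by full command line (the Process Explorer check, minus PIDs)
    'processes' = { Get-CimInstance Win32_Process | ForEach-Object { $_.CommandLine } |
                    Where-Object { $_ } }
    # services, their start mode and the binary they run
    'services'  = { Get-CimInstance Win32_Service |
                    ForEach-Object { "$($_.Name) $($_.StartMode) $($_.State) $($_.PathName)" } }
}

foreach ($name in $snapshots.Keys) {
    $snap     = $snapshots[$name]
    $current  = & $snap | Sort-Object -Unique
    $file     = Join-Path $BaselineDir "$name-$today.txt"
    # newest earlier file of the same kind, e.g. drivers-20151108.txt
    $previous = Get-ChildItem $BaselineDir -Filter "$name-*.txt" |
                Where-Object { $_.Name -ne "$name-$today.txt" } |
                Sort-Object Name | Select-Object -Last 1

    $current | Set-Content -Path $file

    if ($previous) {
        # Compare-Object does not care about line order, so it is not thrown off
        # by large blocks of changes the way fc is
        $diff = Compare-Object -ReferenceObject (Get-Content $previous.FullName) -DifferenceObject $current
        Write-Host "== $name : compared with $($previous.Name) =="
        if ($diff) {
            # '=>' lines are new since the last baseline, '<=' lines have disappeared
            $diff | ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
        } else { "no change" }
    } else {
        Write-Host "== $name : first baseline written to $file =="
    }
}

# Record a SHA-256 of every baseline file, so tampering with the stick's
# contents can itself be spotted at the next check.
Get-ChildItem $BaselineDir -Filter '*.txt' | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $BaselineDir "hashes-$today.csv") -NoTypeInformation
```

Review every '=>' line the same way the guide describes for new drivers: a new listener, a new service binary or a new command line that you cannot tie to an update or to software you installed yourself is what you are looking for.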
There is a little known program called WinDiff. It is a good file and directory compare tool. It is
provided in Windows XP Professional > Support Tools. If you run the Setup program in Support
Tools folder, it will be installed. The files that you want are:
gutils.dll
windiff.exe
windiff.hlp
You can use WinDiff to compare 2 versions of baseline.bat output, and it will not be confused
when it encounters big sections of differences, unlike the command line program 'fc'.
There are also a lot of fake antivirus programs floating around, so make sure you read the
reviews before installing one. The fake ones report non-existent infections, just ask you for
your money and do nothing. Some will even stop you from going to legitimate antivirus program
sites, stop your programs from working and make you think you are infected with a virus. If you
happen to have installed a fake antivirus, there is one anti-malware program that can remove it.
It's called MalwareBytes (https://www.malwarebytes.org). MalwareBytes has a free version,
which doesn't include real time detection and automatic signature updates. It is a very good tool
to have; just remember to update the signatures before doing a scan.
Bear in mind that no antivirus/anti-spyware program will catch everything you encounter. One
study found that the best detection rate is around 60%. Vendors can't hope to have captured
and analysed ALL the viruses out there, because lots of new ones are introduced every day.
Yes, you can't fully trust your antivirus program to do a perfect job. To be on the safe side, use
online scanners once in a while to do a double check. There are quite a few of them: TrendMicro
Housecall, BitDefender, Kaspersky, Panda and ESET. Google for "online scan" and you will see
them.
If you download stuff from P2P and BitTorrent, beware. Lots of infected programs are floating
around. They would even work as expected, except that they will also get you infected. And
those viruses tend to be new ones, so most likely your antivirus program will not even beep. You
have been warned. The best that you could do is upload the file to virustotal.com and let them
run your file against their 39 antivirus programs, and then decide if you want to keep the file or
not. You have to remember that it is hackers who release pirated software, cracks and keygens,
and they seed these files on P2P and BitTorrent. And most likely, they also want to own your PC.
Security suites are very popular. For example, Norton 360 includes antivirus, anti-spyware, anti-
rootkit, smart firewall, network monitoring, parental controls, anti-spam and more. They
certainly seem to be value for your money. But when weighing effectiveness, many choose a
best-of-breed, mix-and-match solution. For example: one can use ESET antivirus and anti-spyware,
Webroot anti-spyware, Windows firewall, NetNanny parental control, Gmail's anti-spam and
Gmer anti-rootkit.
Another program you must have is an anti-executable. This class of protection stops any
program from running unless you have clicked on it or it resides in a small whitelist. So if
you clicked on it, then it runs; if you didn't, then it gets blocked. This stops drive-by downloads,
where web sites get hacked to deliver malware. Also, many exploits download malware of their
choosing (mostly RATs) and execute it. Anti-executables are a great class of protection to have.
There are several on the market, like Anti-Executable, AppGuard, No Virus Thanks, and Voodoo
Shield. The last one is free. Note: you have to allow Voodoo Shield outbound in the firewall.
Many people rely on their antivirus and antimalware to detect intrusions. Both are necessary, but
when you are dealing with hackers, they will not identify everything. That is because a careful
hacker tries to avoid detection and will not use tools that can be picked up by common security
protection.
One thing you can do is to employ a hardware firewall that has a network intrusion detection
system and network intrusion prevention system. Commercial tools cost $400 and up. But there
are several Linux distributions that play the role of a firewall and IDS/IPS. All you need is an
older computer and an extra network card to deploy them. The ones I prefer are IPFire and
pfSense. Both are straightforward to install and do not require Linux experience. You simply
download the ISO file and burn the image to a disc, then boot with it and follow the prompts.
IPFire calls the external internet connection RED, and the internal network GREEN. And if you
use 3 ethernet cards, a DMZ can be created labeled ORANGE. You have to assign a network
card to each RED, ORANGE and GREEN zone. You can make the lights on the card light up and
find out which card is which. After install, go to the web ip address you assigned during install
and start configuration, just like configuring a router.
In IPFire the built-in intrusion detection is called snort and the intrusion prevention is an add-on
called Guardian. Guardian takes the IP addresses found by snort and blocks them. Add-ons are
available for install from the PakFire pull down menu. Once installed, go to Services > Intrusion
detection and download the free signatures from EmergingThreats. Then review the rulesets
and disable those rule groups that give alerts for services that you don't have in your LAN. Then
checkmark Guardian and save. The ET rules update approximately once a month; the update is
not automatic, so create a recurring appointment in your smartphone to remind you.
Note: only enable Guardian intrusion prevention if you are using IPFire as the main router. If
IPFire is behind another router, then it will only see that router as the source of intrusion and
block that.
tcpdump is a command line program that is included in many Linux distros. To use this program you
need an ethernet switch which has a mirror port. These managed switches used to cost a bit more,
but have come down in price. One example is the TrendNet Solo TL-SG105E 5-port smart
switch which costs $40. Simply designate a port as a mirror port and plug the Linux machine into
it. Then you can start capturing packets from the network with this command:
sudo tcpdump -A -i eth0 -tttt -w <anyFileName>
The command will run and you won't see the command prompt again until you press CTRL-C to
stop the program.
Open a new Tab, and you can then read in the capture file with this command:
sudo tcpdump -A -tttt -r <yourFileName> | less
Explanation: the 'sudo' part runs the command as admin, and the 'A' parameter specifies showing
packets in ASCII. The 'i' parameter is the interface, and eth0 is the default ethernet port on a Linux
machine. The 'tttt' parameter shows the full date. The 'w' parameter is for writing to a file, and
the 'r' parameter is for reading from a file. The '| less' part "pipes" the output to 'less', a program
that lets you scroll through any long document (or else everything will just quickly scroll past and
disappear). When you are finished viewing the output in 'less', typing 'q' will exit 'less'.
You can see the source and destination of each packet, the ports used, and the packet
contents in ASCII. Start tcpdump and then boot up the Windows machine without logging on. This
will allow you to see what network traffic occurs at Windows boot time. Then log in to
Windows and run the read command again.
There would be quite a lot of packets to go through. Open Firefox and go to any web site that can do
'IP to domain' conversion, and type in an IP from the tcpdump output. This will tell you the domain
name that the packet is going to. Along with the domain name, it usually states the company
which is managing that network/site. You can then look up that company's web site. Then identify
the harmless ones that belong to Microsoft and Akamai (which I think is a server ISP that caters
to corporate clients like MS) and sites like your antivirus update site. Anything else would be
suspicious, especially if the domain is a home user ISP, or the IP belongs to some company that
is from another country which you don't go to, like 'ru' (Russia) and 'cn' (China).
The beauty of tcpdump is that it can see ALL network packets from the outside of your Windows
machine. So even if you have a rootkit infection, and Windows' netstat tells you nothing is
wrong, tcpdump will reveal the rootkitted admin tool's traffic.
Security as a Process
Security is a process that is ongoing after we perform hardening. Your hardened Windows 10
is good and now has multiple layers of security, but new vulnerabilities will be
discovered in various software that you use and weaken your stance. Take the case of the
browser; attackers target browsers all the time, and new security holes will be revealed. One has
to know when these holes are discovered, and take steps to mitigate.
The first step is to know about the new vulnerabilities. The following websites report on security
matters:
http://threatpost.com
http://www.theregister.co.uk/security/
http://www.sans.org/newsletters/risk/
http://www.microsoft.com/technet/security/advisory/default.mspx
http://www.exploit-db.com
You should visit them once a week to learn of new security vulnerabilities. The articles will tell
you about new security holes in applications or the OS, which version it applies to, and give a brief
description of the weakness. Sometimes, the software vendor will inform us of some
configuration change to apply for the time being, until a patch is ready. Also, the
articles may tell us if attacks using the vulnerability have been spotted in use.
This information is of great help for you to maintain security. To continue our browser
example, let's say the new vulnerability involves an ActiveX component that is called via Internet
Explorer. Then you might mitigate that by using another browser for the time being, and monitor
the vendor's site for a new version release. Or Microsoft may issue an advisory informing us
how to disable an ActiveX control through settings in the registry. Or you may decide that using that
browser together with Sandboxie would contain the threat. Or you may decide to disable
scripting features of the browser. (Secunia's PSI program will also tell you when new security
patches or program versions have been made, as mentioned previously.) The main thing is that
you get to know about potential problems from these web sites and take steps to mitigate.
********
Next, as part of the security process, you have to monitor your system and detect attacks. You
have to perform those log checks, baseline comparisons, and virus scans (as mentioned earlier)
on a regular basis, like every 1 or 2 weeks. We are being lax here already, for in a secure
environment, they use tools to monitor logs in real time. Monitoring is crucial, as even
the most hardened systems will have holes in their defenses. We cannot think that our hardened
system is impervious.
********
After a few months of use, computer settings invariably change: new software installed, new
devices added, etc. We now have to check that all security settings are still in place. For example,
are the user accounts still standard accounts, or has one been changed to admin for temporary
troubleshooting? Has the firewall been set to Outbound Allow during installation of a
program and left forgotten? So, after you put those locks on the doors, are they still locked? Or
has there been tampering? We have to revisit the hardening process and check everything. This is
to ensure that the system is still as secure as day one.
Automated Configuration
Contents:
Note that 32-bit Windows is not covered by the ACL config file. There are many more
executables on a 32-bit machine.
To configure, right click on the bat files and choose 'Run as Administrator'.
To configure manually, open an elevated command prompt (right click on Command Prompt and
choose 'run as admin') and type in the following command:
The <any_name>.sdb will hold the configured results; you make up the filename, but the file
extension must be .sdb. The <template.inf> is one of the templates named above.
Also provided in the package are Event Viewer 'custom view' xml files. These xml files set up
filters for select event IDs, so that you get to see, for example, all login failures in one screen.
Use this bat file to set up what events to audit. It also sets up the event log maximum file
sizes for Application, Security and System.
Have Event Viewer show success and failure events for Account Logons, Account
Management, Policy Change and System events.
Use this bat file to set up the password and account lockout settings.
Use of this file requires that you understand what the settings do. The numbers are:
Password history means that the system will remember 24 previous passwords so that they
cannot be reused; each new password must be unique.
Password age means that the system will prompt you 14 days before the 60 days are up to change
your password. Minimum password age of 1 day means you cannot change your password again
until 1 day has passed. This is so that users cannot rotate 24 times rapidly and reuse an old
password.
Minimum password length is 14 characters. If you use a passphrase, then this shouldn't be a
problem. Complexity requirement means that the passphrase must include upper and lower case,
numbers and symbols.
What these numbers mean is that you are allowed 50 tries to get the right password. After that,
the system locks up for 15 minutes. So, when you realize you have forgotten a password, write
down the various passwords that you want to try and try to find the right one within 50 tries.
After 50 tries, the system will not respond until 15 minutes have passed.
Unfortunately this can give rise to a denial of service (DoS) attack, where the attacker randomly
tries out 50 passwords and her aim isn't to get in but to lock you out of the system. If we don't
define a threshold number for password attempts, then an attacker can use a program to
bruteforce or dictionary attack the system because they can do so an infinite number of times. If
you realize that such a DoS attack is taking place, all you can do is unplug the ethernet cable and
go for a 15 minute break.
Use the 'Dual Admin 3.bat' to remove the standard user accounts from accessing command line
admin tools. This script also sets up a heavily restricted admin account for installing software.
Some of these settings default to 'undefined'. Because SecEdit does not handle
settings that specify 'undefined', no restore bat file is offered to reverse these password and
lockout settings.
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
policy category settings: enabled
DCOM: Machine launch restrictions: no remote launch and remote activation for all
accounts
Devices: Allowed to format and eject removable media: administrators and interactive
users
Domain member: Digitally encrypt or sign secure channel data (always): enabled
Domain member: Digitally encrypt secure channel data (when possible): enabled
Domain member: Digitally sign secure channel data (when possible): enabled
Domain member: Require strong (Windows 2000 or later) session key: enabled
Interactive logon: Display user information when session is locked: do not display user
information
Interactive logon: Number of previous logons to cache (in case domain controller is not
available): 4 logons
MS network server: Amount of idle time required before suspending session: 15 minutes
MS network server: Server SPN target name validation level: Required from client
Network access: Do not allow anonymous enumeration of SAM accounts and shares:
enabled
Network access: Do not allow storage of passwords and credentials for network
authentication: disabled
Network access: Restrict anonymous access to Named Pipes and Shares: enabled
Network access: Sharing and security model for local accounts: Classic - local users
authenticate as themselves
Network security: Allow Local System to use computer identity for NTLM: enabled
Network security: Allow PKU2U authentication requests to this computer to use online
identities: disabled
Network security: Do not store LAN Manager hash value on next password change:
enabled
Network security: LAN Manager authentication level: Send NTLMv2 response only,
Refuse LM & NTLM
Network security: Minimum session security for NTLM SSP based (including secure
RPC) clients: Require NTLMv2 session security, Require 128 bit encryption
Network security: Minimum session security for NTLM SSP based (including secure
RPC) servers: Require NTLMv2 session security, Require 128 bit encryption
Network security: Restrict NTLM: Incoming NTLM traffic: Deny all accounts
Network security: Restrict NTLM: NTLM authentication in this domain: Deny all
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: Deny all
System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing:
disabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic
links): enabled
System settings: Use Certificate Rules on Windows Executables for Software Restriction
Policies: disabled
UAC: Allow UIAccess applications to prompt for elevation without using the secure
desktop: disabled
UAC: Behavior of elevation prompt for administrators in Admin Approval Mode: Prompt
for consent on the secure desktop
UAC: Behavior of the elevation prompt for standard users: Automatically deny elevation
requests
UAC: Only elevate executables that are signed and validated: disabled
UAC: Only elevate UIAccess applications that are installed in secure locations: enabled
UAC: Switch to the secure desktop when prompting for elevation: enabled
UAC: Virtualize file and registry write failures to per-user locations: enabled
The 'security options' settings, audit, and 'password and lockout' settings are taken from MS
Security Compliance Manager tool. The tool is designed to be used on Windows 8 Pro and
Enterprise editions.
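Added example, not the Configuration Pack's own file: a security template (.inf) carrying the password and lockout numbers described above and a few of the listed 'Security options', applied with secedit (the same <any_name>.sdb / <template.inf> mechanism as the manual step) and then read back to verify. The file names and the choice of which options to include are my own; the registry paths are the standard ones behind those policy names:

```powershell
# Added example (not from the Configuration Pack). Run from an elevated PowerShell prompt.
# File names are assumptions.
$Template = "$env:TEMP\hardening.inf"
$Database = "$env:TEMP\hardening.sdb"
$Exported = "$env:TEMP\current.inf"

# [System Access] holds the password/lockout policy from the guide:
#   24 remembered passwords, max age 60 days, min age 1 day, 14 characters,
#   complexity on, 50 bad attempts, 15 minute lockout, counter reset after 15 minutes.
# [Registry Values] entries are '<path>=<type>,<value>' where 4 = REG_DWORD:
#   NoLMHash=1                 Do not store LAN Manager hash value: enabled
#   LmCompatibilityLevel=5     Send NTLMv2 response only, refuse LM & NTLM
#   RestrictAnonymous=1        Do not allow anonymous enumeration of SAM accounts and shares
#   ConsentPromptBehaviorUser=0  Elevation prompt for standard users: automatically deny
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 60
MinimumPasswordAge = 1
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 50
LockoutDuration = 15
ResetLockoutCount = 15
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,0
'@ | Set-Content -Path $Template -Encoding Unicode

# /areas SECURITYPOLICY limits the import to account policy and security options
secedit /configure /db $Database /cfg $Template /areas SECURITYPOLICY /quiet

# Verify: export the effective local policy and show the lines we just set
secedit /export /cfg $Exported /areas SECURITYPOLICY /quiet
Get-Content $Exported |
    Select-String -Pattern 'PasswordHistorySize|MaximumPasswordAge|MinimumPasswordLength|LockoutBadCount|NoLMHash|LmCompatibilityLevel|RestrictAnonymous|ConsentPromptBehaviorUser'
```

The export step is also the easy way to do the "are the locks still locked" check later in the guide: export again at your next checkup and compare the two .inf files with WinDiff or Compare-Object.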
Last things to do
Disable Flash in your admin account. Internet Explorer > Gear > Manage Addons > Toolbars and
Extensions > Show All Addons > Shockwave Flash Object > Disable button.
Disable Autoplay for all user accounts: Control Panel > AutoPlay. Choose 'Take No Action' for
everything.
Set IE to turn on ActiveX Filtering for each account. Gear icon > Safety > ActiveX Filtering.
Set IE to use Protected Mode for all zones. Gear icon > Internet options > Security tab >
click each icon (Internet, Local Intranet, Trusted sites, Restricted sites), checkmark Enable
Protected Mode for each. Do this for all user accounts.
Set IE to use Enhanced Protected Mode for all users. Control Panel > Internet Options >
Advanced; scroll the Settings list to the Security section, checkmark "Enable 64 bit Processes for
Enhanced Protected Mode" and 'Enable Enhanced Protected Mode'.
Run Acrobat Reader (if you have installed it) to set up security for each account:
> Security Enhanced: uncheck 'Automatically Trust Sites from my Win OS Security Zones'.
It's a good idea to check out www.exploit-db.com to look for the existence of any attack exploits
before installing any app. Some exploits only work in certain versions of the software, so if you
find an old exploit, there is a chance it won't work against newer versions. But to be really sure,
you would have to compile the exploit and test it, which, if you aren't a programmer, can be
difficult. Be aware of the risk and decide.
Installation of New Software
When installing new software, sometimes the setup program needs to connect to the internet to
download components. It may also create an exe inside a temp folder to do the downloading,
and that exe is automatically removed when the install finishes. On such occasions, it may not be
possible to create an outbound allow rule for that exe. So the only solution would be to go to
Windows Firewall with Advanced Security and temporarily set Outbound to Allow for the Public
profile. Just remember to set Outbound back to Block when you have finished setting up that new
program.
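An added example, not from the guide: instead of flipping the Public profile to Outbound Allow by hand and trying to remember to flip it back, a small PowerShell script can run the installer with the allow in place and restore the previous setting in a finally block, so the open setting can't be "left forgotten". The $Installer path is whatever setup exe you are running:

```powershell
# Added example (not from the guide): run an installer with outbound traffic
# temporarily allowed on one firewall profile, and put the previous setting
# back whether or not the installer succeeds. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory = $true)]
    [string]$Installer,            # path to the setup exe (assumption)
    [string]$FwProfile = 'Public'  # profile the guide tells you to open: Public
)

# Remember the current default so we restore exactly what was there
$before = (Get-NetFirewallProfile -Name $FwProfile).DefaultOutboundAction
Write-Host "Outbound default on the $FwProfile profile is currently: $before"

try {
    Set-NetFirewallProfile -Name $FwProfile -DefaultOutboundAction Allow
    Write-Host "Outbound temporarily allowed; running $Installer"
    # -Wait keeps the allow in place only as long as the installer is running
    Start-Process -FilePath $Installer -Wait
}
finally {
    # finally runs even if the installer fails or you press Ctrl-C,
    # so the 'Allow' setting cannot be left behind by mistake
    Set-NetFirewallProfile -Name $FwProfile -DefaultOutboundAction $before
    $after = (Get-NetFirewallProfile -Name $FwProfile).DefaultOutboundAction
    Write-Host "Outbound default restored to: $after"
}

# Afterwards, confirm that no profile was left open
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

The last line is worth running on its own at every checkup: all three profiles should still show DefaultOutboundAction = Block once the install is done.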
Also, when Simple Software Restriction Policy is installed, remember that programs will not run
when they are located outside of \Windows or \Program Files. To enable your install program to
run, let's say from your Downloads folder, you have to right click on SSRP in the systray and
choose Unlock.
Ensure that Local Security Policy > Security Options > Accounts: Block Microsoft
Accounts is disabled or 'not configured'. It is set to 'not configured' in the Configuration
Pack, which is the default.
Ensure that Control Panel > Administrative Tools > Services > Microsoft Account Sign-in
Assistant is set to manual. Note, this service is set to disabled in 'My Personal
Win 10 Disabled Services' in the Automated Configuration Pack; you can reverse this
setting to manual to allow Cortana to work.
Ensure that Settings > Privacy > Location > Location is set to ON (can only be done by
an admin account).
Settings > Privacy > Speech, inking, & typing > 'Get to know me' is turned on (for each
account that wants Cortana).
Then when you click on the Cortana search bar at the bottom left of the screen, Cortana will
proceed to ask you to configure things to get started.