Our goal is to prevent our Windows 8.1 machines from being compromised by hackers. We will harden the system to eliminate a lot of attack surface and impede hackers. Layers of security will be added to protect our system, private documents, browsers and other applications. Then, continuing the security process, we will set up patch monitoring to notify us of insecure applications which require patching. Then we will set up event monitoring to watch admin account use and all unusual events. We will set up baselines so that we can regularly compare them against the current running system to ensure it has not been modified. And finally we want to monitor the current threat landscape and be able to react to emerging security threats in time. Security is all of these steps: it begins with, but does not end at, hardening the machine.
Windows is a general purpose operating system, and as such has many built-in features designed to fit many uses. As more and more lines of code accumulate, there are bound to be bugs; programmers commonly use bugs per 1000 lines of code as a simple measurement. It is unavoidable to have bugs in code, and Windows 8.1 is no different. In fact, in large projects such as Windows, it is common to ship code while there are still low priority bugs that are unfixed, and these could number in the low thousands. Then there are the not-yet-discovered bugs that only surface when certain features are used in combination.
A properly hardened PC will deny and deter hackers with layers of protection. Sometimes, depending on the vulnerability, it will be completely mitigated because that feature is turned off. Other times, a zero day vulnerability might enable a hacker to get in, but once inside, they will find a locked system, try to wreck something and leave. Their ultimate prize is to gain admin/system rights to your PC and totally control your system. With a hardened system, they won't reach their goal. And with security monitoring, even if they obtained admin rights, their victory will be short lived.
You may not have any reason for a hacker to attack your systems other than being low hanging fruit (a system that is exposed and vulnerable). Then again, your personal data (for ID theft), work data (to sell to competitors), and credit card details (for sale on the black market) are tempting enough for criminal hackers. And hacking is not an elaborate thing: the attackers just get in, install their tools and leave, and those tools automatically report to their servers.
Importance of Testing
It is important to note that after hardening a system, you have to test whether the applications you run still run as expected. The intended audience of this project is a home user with no need for inter-PC communications.
Testing was done on Windows 8.1 Home. Limited testing has been done after performing the hardening procedures below. After hardening, all Control Panel items are tested working, with the following exceptions:
About this Hardening Guide
Let there be no mistake: if your system has already been compromised, following the advice given here will not help you, because there is no telling what backdoors and botnet clients have been installed on your system. You cannot fight back at someone who already has administrator control of your system. You can implement something and they will just disable it. Your best chance of survival is to re-install your legitimate copy of Windows and then harden it to prevent further attacks from happening.
There are several automated configuration files which set the following:
The Access Control Lists for command line tools are made for 64 bit Windows only. Note that 32 bit Windows is not covered by the ACL config file. There are many more executables on a 32 bit machine.
Let's Begin
Things you need downloaded beforehand.
Critical Windows Updates
Since the release of Windows 8.1 Preview, there have been critical updates that could stop you from performing Windows Check for Updates. If you have attackers on your tail, you may very well be stopped from obtaining critical updates, or you may be compromised when you go online to fetch updates.
There is a free tool called WSUS Offline Update, which can download updates for all Windows platforms and create an ISO image file. Just burn this image file to DVD and slip it into your PC and it will commence installing the updates. Note that it will only download KBs that are in MS Security Bulletins, which are all the critical and important downloads; so you will still have to do a Windows Update afterwards to fetch the ordinary non-critical updates. This tool eliminates a critical gap in Windows installation: the window when you only have service packs installed but are missing all post service pack updates. An attacker can attack you while you are updating online and vulnerable. The tool is available from here: http://www.wsusoffline.net/ . The site is in German and English.
As per normal, to securely install an OS, one should install it disconnected from the network. On the Settings screen, choose the Customize button:
· Do you want to find PCs, devices and content ...: choose "No, for networks in public spaces"
· Update PCs and apps: leave both of the choices ON
· Help protect your PC and your privacy: leave both of the choices ON
· Check online for solutions: leave both choices ON
· Help improve Microsoft products and services: leave both choices OFF
· Share info with Microsoft and other services: leave the top 5 of the choices OFF and set "Get better protection from malware ..." to ON
You should download service pack(s) on a different computer, copy them to the computer being installed and run them. We don't want to connect the computer to the network without the minimal set of patches. Further down this document, when network configuration is complete, we will connect online and fetch security patches ASAP. Do not surf the net while performing any step prior to completion of Check for Updates, because your browser is missing a lot of security patches.
One of the main concepts underlying hardening is least privilege. It means configuring your system so that it is only capable of doing the things you normally do, and nothing else. So, if a feature in Windows is not used, it is to be turned off, or disabled.
The reason behind it is that the more features you enable, the larger your attack surface is. It means you have more to defend, and one vulnerable spot is all it takes to get hacked. The more features you have, the more potential bugs (some security related) you have. Now hackers know a lot about the security bugs in the system – that's how they attack. If you go live on the internet with all features turned on, the hacker would have a lot of choices. If you disable unused features, then he'd have less to play with.
One of the first things you should do in line with least privilege is to create a Standard user account, and use that account for your daily work. Only log in to the administrative account to install programs, configure networking, or do system maintenance tasks. When you are working in a Standard account, any malware or hacker that makes it onto your system will inherit your privileges and will not have admin privileges to make system wide modifications. And that's a win for you.
Remember that an attacker will have all the access that you have at the moment of attack. So if you have important data stored in that account's Documents folder, they will have the same access (more on that later). So, if you have secret level data, it is best to store it in an account which you don't surf with.
From a different perspective, a Standard account is a barrier to other accounts, and is also a container for attacks. If you have your services set up correctly and don't allow the command RunAs (it is the Secondary Logon service), then automated attacks and hackers cannot gain access to your other accounts. If you notice different behavior of your browser or something that looks like virus activity, you can rebuild your account and delete the old one as part of a recovery procedure.
Display all Control Panel settings
In Control Panel, select 'View by: Small Icons'. This shows all the configuration choices available.
Turn UAC to the max
When MS released Vista, there were some complaints about UAC asking for confirmation to do this, that and the other. So MS made a compromise in Windows 7 and allowed customers to choose what level of prompting they want. Know that turning UAC completely off also means turning off Protected Mode in Internet Explorer, and not too many people realize that a major piece of protection is then turned off. UAC pops up mostly during the setup phase; once you have finished setting up your computer, you will rarely encounter it.
Control Panel\All Control Panel Items\User Accounts\Change User Account Control Settings
Move the slider to the top.
Specifying the gateway
We will perform hardening on networking components first, without connecting to the internet. This requires that the computer be connected to a gateway/router, in order to change the network/firewall profile between Private and Public.
Temporarily specifying any live PC as the gateway will work. After hardening networking, you can set up the correct gateway, and we will then connect to the internet to get Windows Updates.
Control Panel / Network and Sharing Center / Ethernet / Properties / select Internet Protocol Version 4 (TCP/IPv4) / Properties button, then select "Use the following IP address".
For the IP address, you need to manually specify one for the time being. I am assuming that your router automatically hands out IP addresses in the 192.168.x.x range. Your freshly installed PC will default to obtaining its IP address from the router. Open a command prompt and type in "ipconfig". Take note of the "IPv4 address" and the Gateway address. Type the IPv4 address into the Properties window and change the last 3 digits to any number less than 254. The Subnet mask will be filled in for you when you click on that space. Then for the Gateway, type in the IP address of any live PC on the network (you will have to go to that PC and type "ipconfig" to see its IP address).
Set up Firewall Profile
Windows networking has 3 network types: domain, private and public. Work and home are similar and are labeled as 'private' under its firewall tool. The private setting allows 'network discovery', so that Windows is allowed to talk to other PCs. The public setting is the most secure and is meant to be used at cafe hotspots, airports etc. If your network contains insecure PCs, then you should set the network profile to public. The domain setting cannot be chosen by the user, and is used after the PC has joined a domain. Since we are hardening the PC, we want the most secure setting, and only allow Windows to talk when it is called for. So for those that intend to join a domain, choose the private profile; and if not, choose the public profile.
Control Panel \ Network and Sharing Center
· When you plug in the ethernet cable, set the network to Public, which is the most restrictive and secure.
Note: if you selected Private and later want to change it to Public, the only method for Windows 8.1 that I am aware of involves using PowerShell. Right click on PowerShell and then click Run as Admin, then type in this:
Get-NetConnectionProfile
and you will get something similar to this:
Name             : Network
InterfaceAlias   : Ethernet
InterfaceIndex   : 3
NetworkCategory  : Public
IPv4Connectivity : Internet
IPv6Connectivity : Internet
Note the Name, and then type this, replacing the word Network with the name found above:
Set-NetConnectionProfile -Name "Network" -NetworkCategory Public
Use only Bare Essential Network protocols
In order for a hacker to hack you remotely, he needs to interact with a network facing program running on your PC. Some networking components implement protocols. Networking protocols are grammar rules for bits and bytes to communicate with other PCs, and each has weaknesses. So unless your environment requires that a protocol must be used, we will want to disable all except the bare essentials. More protocols mean a larger attack surface.
The only protocol you really need is IPv4, and most networking equipment requires IPv4 in order to function. IPv6 will be increasingly necessary as we have run out of IPv4 addresses, but as of this writing, IPv6 is still not very popular. If you have an IPv6 router, then you can skip over all configurations in this guide that mention v6.
IPv6 is turned on by default by Microsoft. Some routers do not understand IPv6, and some ISPs don't support it either. So MS made several tunnel components that tunnel IPv6 inside IPv4 to the outside. This in effect bypasses the security offered by your NAT router and hardware firewall. Tunneled traffic can't be seen by IPv4 hardware firewalls and all such traffic will be allowed to pass unhindered.
NetBIOS over TCP/IP is not required because NetBIOS is already active without this option. Disabling NetBIOS over TCP/IP should limit NetBIOS traffic to the local subnet.
The Discovery protocols are used to provide a nice graphical map of your network. For home users, this is not needed, as there is only one router. You would only get to see a picture depicting your PCs connected to your router. For Domain users, this feature is automatically turned off once you join the domain.
File and Printer Sharing should only be enabled if you plan to share some of your folders on the network or if you want to share your locally connected printer over the network. If printer sharing is desired, it is better to get a printer that has networking built in, so that when attacked, they only gain access to a printer instead of your PC. Disable this feature unless absolutely required.
Control Panel\Network and Sharing Center\Ethernet\Properties button, uncheck the following:
· Client for MS Networks
· File and Printer Sharing for Microsoft Networks
· QoS
· Microsoft Network Adapter Multiplexor Protocol
· Microsoft LLDP Protocol Driver
· Link Layer Topology Discovery Mapper I/O Driver
· Link Layer Topology Discovery Responder
· Internet Protocol Version 6
Select 'Internet Protocol Version 4 (TCP/IPv4)', click Properties, click Advanced:
· click the 'DNS' tab, uncheck 'Register this connection's addresses in DNS'
· click the 'WINS' tab, select 'Disable NetBIOS over TCP/IP'
Disable IPv6 Totally
As mentioned previously, IPv6 tunneling bypasses the security of your IPv4 router and hardware firewall. If you have an IPv6 router, then skip this section. See this page: http://support.microsoft.com/kb/929852 (note that the FixIts do not work on Windows 8). You want to do it manually:
Run 'Regedit'. Under the registry key "HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters", right click on the right pane, create a new entry of type DWORD (32-bit) called DisabledComponents, then double click on it and enter one of the following:
· FFFFFFFF to disable all IPv6 components, except the IPv6 loopback interface, which can't be deactivated.
· 0x01 to disable all IPv6 tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo. If you have an IPv6 router, then you want to choose this one.
Note that the value "0" is the default setting.
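The three steps above (network profile, adapter bindings, DisabledComponents) can be done from one elevated PowerShell session instead of the dialogs. This is an added example, not part of the guide; it assumes the adapter is named "Ethernet", uses the standard component IDs for the bindings listed above, and only reports what it would change until run with -Apply.

```powershell
# Added example: apply the network profile, adapter binding and IPv6 steps of this guide
# from an elevated PowerShell prompt. Assumes the adapter is named "Ethernet".
# Without -Apply the script only reports what it would change.
param(
    [string]$Adapter = 'Ethernet',
    [switch]$Apply,
    [switch]$DisableTunnelsOnly   # write 0x01 instead of FFFFFFFF (for IPv6 routers)
)

# Bindings the guide unchecks under Ethernet > Properties, keyed by the name shown there.
$bindings = [ordered]@{
    'Client for Microsoft Networks'                   = 'ms_msclient'
    'File and Printer Sharing for Microsoft Networks' = 'ms_server'
    'QoS Packet Scheduler'                            = 'ms_pacer'
    'Microsoft Network Adapter Multiplexor Protocol'  = 'ms_implat'
    'Microsoft LLDP Protocol Driver'                  = 'ms_lldp'
    'Link-Layer Topology Discovery Mapper I/O Driver' = 'ms_lltdio'
    'Link-Layer Topology Discovery Responder'         = 'ms_rspndr'
    'Internet Protocol Version 6 (TCP/IPv6)'          = 'ms_tcpip6'
}

function Set-HardenedNetwork {
    # 1. Set up Firewall Profile: every connection that is not Public becomes Public.
    foreach ($p in Get-NetConnectionProfile) {
        if ($p.NetworkCategory -ne 'Public') {
            Write-Host "Profile '$($p.Name)' on $($p.InterfaceAlias): $($p.NetworkCategory) -> Public"
            if ($Apply) { Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public }
        }
    }

    # 2. Bare essential protocols: unbind everything listed above, leaving IPv4 alone.
    foreach ($name in $bindings.Keys) {
        $id = $bindings[$name]
        $b  = Get-NetAdapterBinding -Name $Adapter -ComponentID $id -ErrorAction SilentlyContinue
        if ($b -and $b.Enabled) {
            Write-Host "Unbinding '$name' ($id) from $Adapter"
            if ($Apply) { Disable-NetAdapterBinding -Name $Adapter -ComponentID $id }
        }
    }

    # 3. Disable IPv6 totally: DisabledComponents = FFFFFFFF, or 0x01 for tunnels only.
    #    0xFFFFFFFF does not fit a signed DWORD in PowerShell, so it is written as [int32]-1.
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $wanted  = if ($DisableTunnelsOnly) { 0x01 } else { [int32]-1 }
    $current = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($current -ne $wanted) {
        Write-Host ('DisabledComponents: {0} -> 0x{1:X8}' -f $current, ($wanted -band 0xFFFFFFFF))
        if ($Apply) {
            New-ItemProperty -Path $key -Name DisabledComponents -PropertyType DWord -Value $wanted -Force | Out-Null
            Write-Host 'Reboot for the IPv6 change to take effect.'
        }
    }
}

Set-HardenedNetwork
```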
Disable unused tcpip6 Devices
When disabling features, I like to disable their components too. So even though IPv6 is disabled above, I still disable the WAN Miniport (IPv6) driver, Teredo driver, ISATAP and IPv6 ARP driver.
Control Panel / Device Manager, View menu / Show Hidden Devices:
· /System Devices\Remote Desktop Device Redirector Bus
· /Network, disable Microsoft ISATAP adapter (IPv6 tunnel)
· /Network, disable Microsoft Kernel Debug Network Adapter
Reboot.
Disable IGMP
I have never seen this protocol used. When something is unused, least privilege says it should be disabled.
Start button\All Programs\Accessories\Command Prompt, right click, click on "Run as administrator" at the bottom of the screen and paste in this command:
netsh interface ipv4 set global mldlevel=none
Disable port 1900 UPnP
The intention of UPnP is ease of configuration, so that such things as games can auto-configure the firewall to let other players from the internet join in. However, with users each poking holes into your firewall with UPnP, pretty soon it will be Swiss cheese and cease to function as a firewall. It is better to configure firewall rules manually so that each firewall rule is known and accounted for. If your hardware firewall or router has an option to disable UPnP, do so.
Regedit: HKLM\Software\Microsoft\DirectplayNATHelp\DPNHUPnP, right click on the right pane, new DWORD (32-bit) named UPnPMode. Double click on that and set the value to 2.
Disable SMB v1 protocol
SMB is the file sharing protocol used for File and Printer Sharing and inter-process communication. It has 3 versions. MS does not recommend disabling v2 or v3. Version 2 was released with Vista. Version 3 is new to Windows 8 and Server 2012 and has an encryption feature. There have been worms which attack SMB shares, and depending on the payload, could gain complete control of the machine. For further information on disabling all versions of SMB, read this: http://support.microsoft.com/kb/2696547
To disable SMB v1, open a PowerShell prompt with admin rights, and type in:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
To re-enable SMB v1, use this:
Set-SmbServerConfiguration -EnableSMB1Protocol $true
Disabling Listening Ports
When you run the command 'netstat -abn', it will show you which ports are open and listening to the network. Normally, you would want to close those ports unless you really need them. Windows 7's listening processes and their port numbers are RPCss (135), wininit.exe (49152), eventlog service (49153), Schedule service (49154), services.exe (49155), lsass.exe (49156). (The port numbers above 49152 can change between reboots.) However, the default firewall policy for inbound traffic is to 'block' for all network profiles (domain, private, public). That means nobody can touch those listening ports unless the firewall is off, or you have made inbound 'allow' rules to pass traffic on to those processes. This has been verified by connecting to them with telnet and all attempts failed, unless one turns off the firewall or makes 'allow' rules. Also, as far as I can determine, all of those processes are essential to Windows, and they cannot be stopped without crippling the PC.
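To repeat the author's telnet check without a second machine, cross-reference the listeners with the inbound firewall policy. This is an added example, not from the guide: it uses Get-NetTCPConnection and the NetSecurity cmdlets to report, for each listening TCP port, the owning process and whether any enabled inbound Allow rule names that program (or applies to all programs); the check ignores a rule's service and remote-address scoping, so treat a True as "look closer", not "open".

```powershell
# Added example: list listening TCP ports and whether an inbound Allow rule reaches them.
# Run as administrator so process paths are readable. Not part of the original guide.
function Get-ListenerExposure {
    # Programs named by enabled inbound Allow rules; 'any' means a rule is not tied to a program.
    $allowed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Get-NetFirewallApplicationFilter |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Program).ToLower() } |
        Sort-Object -Unique

    Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        # PID 4 (System) and protected processes expose no path; report an empty string.
        $path = if ($proc -and $proc.Path) { $proc.Path.ToLower() } else { '' }
        [pscustomobject]@{
            LocalAddress     = $_.LocalAddress
            LocalPort        = $_.LocalPort
            Process          = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            # True when a rule names this exe, or a rule applies to every program.
            InboundAllowRule = ($allowed -contains $path) -or ($allowed -contains 'any')
        }
    }
}

# The guide expects DefaultInboundAction = Block on Domain, Private and Public.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction -AutoSize
Get-ListenerExposure | Format-Table -AutoSize
```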
Router and Hardware Firewalls
Buy a router that has a Stateful Packet Inspection (SPI) firewall. This kind of firewall will monitor outbound traffic and only allow matching return traffic. Like when you surf to a web site: your browser initiates a request to the site, and the site returns the web page. Buy one even if you have only 1 PC. And if you are using a cable modem which only has 1 Ethernet port, you definitely need one.
More expensive hardware firewall routers will have more tools, like configurable rules, sending logs to remote syslog servers, and fancier protection like spotting syntactically illegal IP packets. For an example of a small/medium size business product, take a look at the www.sonicwall.com site. They have products which integrate a firewall, gateway antivirus and antispyware, and VPN.
Windows Advanced Firewall, turn on outbound blocking and logging
The basic principle for configuring firewalls is 'default deny'. That means all traffic is to be blocked unless you have made a rule to allow it. Those rules are your 'whitelist' of known good applications and protocols. Windows Firewall's default policy is set to inbound deny and outbound allow all. 'Outbound allow all' eases configuration, doesn't follow the default deny principle, and is not ideal. We don't want malware to be able to call back to their master servers.
Most people don't know that you have to turn outbound blocking on. When outbound blocking is turned on, it only allows the programs and services you specify to talk to the net. Malware will have a hard time reporting back to their servers. However, it is missing a feature that tells you what programs it has blocked outbound. So after installing a program that needs to connect to the net, like your antivirus program, you have to test those exe files one by one to see which is responsible for talking and allow that exe to talk with an outbound rule.
Control Panel/Administrative Tools/Windows Firewall with Advanced Security / "Windows Firewall Properties" link
Click on each Profile (Domain, Private, Public) tab:
· change Outbound connections = Block
· Specify Logging settings for Troubleshooting > Customize
· Size Limit = 32767 KB (which is the max size allowed)
· Log Dropped packets = Yes
· Specify Settings that control Windows Firewall Behavior > Customize
· Allow Unicast Response: No
The Windows 7 version of this document is accompanied by a policy file which can be imported. However, with Windows 8.1 this is not possible because there are rules which include a user account ID. Thus a policy from one PC cannot be imported by another because the account IDs in a policy will not be present on the new PC.
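Because the firewall does not say which program it blocked, the log enabled above (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log) is the only record: each dropped outbound packet is a DROP line whose last field is SEND. The following added example, not part of the guide, summarises those lines by destination so you can see what a newly installed program is trying to reach before writing its outbound rule; the log lines in it are constructed for illustration.

```powershell
# Added example: summarise outbound drops in a Windows Firewall log.
# Field order is taken from the '#Fields:' header the firewall writes at the top of the file.
function Get-OutboundDrops {
    param([string[]]$Lines)

    $fields = $null
    $drops  = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^\s*(#|$)' -or -not $fields) { continue }   # comment, blank, or no header yet

        $cols = $line -split '\s+'
        if ($cols.Count -ne $fields.Count) { continue }              # skip truncated lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }

        # Only blocked packets this PC tried to send (path = SEND) matter for outbound rules.
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'SEND') { $drops += $rec }
    }

    $drops | Group-Object { '{0} {1}:{2}' -f $_['protocol'], $_['dst-ip'], $_['dst-port'] } |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Destination = $_.Name
                Packets     = $_.Count
                FirstSeen   = @($_.Group | ForEach-Object { $_['date'] + ' ' + $_['time'] } | Sort-Object)[0]
                SourcePorts = ($_.Group | ForEach-Object { $_['src-port'] } | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample in the real pfirewall.log layout (not captured from a real machine).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-06-05 10:15:02 DROP TCP 192.168.1.50 203.0.113.10 49321 443 52 S 3817289123 0 8192 - - - SEND
2014-06-05 10:15:05 DROP TCP 192.168.1.50 203.0.113.10 49322 443 52 S 3817289999 0 8192 - - - SEND
2014-06-05 10:15:07 DROP UDP 192.168.1.50 192.168.1.1 53422 53 78 - - - - - - - SEND
2014-06-05 10:15:09 DROP TCP 198.51.100.7 192.168.1.50 40000 135 52 S 11223344 0 8192 - - - RECEIVE
2014-06-05 10:15:11 ALLOW TCP 192.168.1.50 203.0.113.20 49323 80 52 S 5566778 0 8192 - - - SEND
'@ -split "`r?`n"

# Expected: TCP 203.0.113.10:443 with 2 packets, UDP 192.168.1.1:53 with 1; the inbound drop and the ALLOW are ignored.
Get-OutboundDrops -Lines $sampleLog | Format-Table -AutoSize
# To analyse the live log, run as administrator:
# Get-OutboundDrops -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```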
Firewall Rules
HowTo allow a Windows service outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Custom', next to 'Services' click Customize, select 'Apply to this service', scroll and find 'Windows Update', Next, Protocol and Ports (no change), Next, IP addresses (no change), Next, select 'Allow the connection', Next. Checkmark all profiles, Next. Give the rule a name, eg "Allow service X".
HowTo allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule', select "Program", Next, select "This program path" and click on the "Browse" button, navigate to the program folder and select the EXE, Next, select "Allow the connection", Next. Checkmark all profiles, Next. Give the rule a name, eg "Allow Program X".
HowTo allow communication to a destination port number and IP address: Click on Outbound Rules on the left. Click on 'New Rule'. Select 'Custom'. Next. Select 'All Programs'. Next. For 'Protocol Type' select 'TCP' or 'UDP' as the case may be. For 'Remote Port', select 'Specific Ports'. Then type in the port number(s) below. Next. For 'Remote address this rule applies to' select 'These IP addresses'. Click the 'Add' button, and in the following dialog box, type an IP address into 'This IP address or subnet'. OK. Next. Select 'Allow the connection'. Next. Checkmark all profiles, Next. Give the rule a name, eg "Allow out to port ### on server YYY".
The following rules apply to all 3 profiles: Domain, Private and Public.
Outbound / allow service 'Windows Update'
Outbound / allow service 'Windows Time'
Outbound / allow program '\Windows\HelpPane.exe' (Windows Help, enables fetching online help)
Outbound / allow program '\Program Files\Windows Defender\MpCmdRun.exe'
Outbound / allow program <Firefox/Chrome/Opera, whichever browser you use>
Outbound / allow program '\Program Files\Internet Explorer\iexplore.exe'
Outbound / allow program '\Program Files (x86)\Internet Explorer\iexplore.exe'
Outbound / allow program '\Windows\ImmersiveControlPanel\SystemSettings.exe'
Outbound / allow program '\Windows\System32\UserAccountBroker.exe'
Outbound / allow program <your antivirus update program>
Outbound / allow program '\Program Files (x86)\Secunia\PSI\psia.exe'
Outbound / allow program '\Program Files (x86)\Secunia\PSI\psi.exe'
Outbound / allow program 'C:\Windows\explorer.exe'
Outbound / allow program '%SystemRoot%\System32\svchost.exe'
Outbound / allow program '\Windows\WinStore\WSHost.exe'
Outbound / allow program '\Windows\System32\wwahost.exe'
Outbound / allow program '\Windows\System32\AuthHost.exe'
Outbound / allow program '\Windows\System32\RuntimeBroker.exe'
Outbound / allow program '\Program Files\Windows Media Player\wmplayer.exe'
Outbound / allow program '\Program Files (x86)\Windows Media Player\wmplayer.exe'
Outbound / allow program <Adobe Flash Update service>
Outbound / allow program <Adobe Acrobat Update service>
Outbound / allow program '\Windows\System32\wermgr.exe'
Outbound / allow program '\Windows\System32\WindowsAnytimeUpgradeUI.exe'
Outbound / allow program '\Windows\System32\SkyDrive.exe' (if you choose to use SkyDrive)
Outbound / allow Core Networking DHCP-Out
Outbound / disable all Core Networking rules that mention IPv6, IPHTTPS, IGMP, Teredo, and ICMPv6
Outbound / disable the 2 rules that mention HomeGroup
Outbound / disable all rules for Remote Assistance
Outbound / disable Proximity Sharing over TCP
Outbound / disable all Network Discovery rules for the private profile (NB-Datagram-Out, NB-Name-Out, LLMNR-UDP-Out, Pub-WSD-Out, SSDP-Out, UPnP-Host-Out, UPnP-Out, WSD-Events-Out, WSD-EventsSecure-Out and WSD-Out)
Outbound / disable Play To functionality x 2
Outbound / disable Play To Streaming x 3
Outbound / disable <Mail, Calendar and People> (disable if you don't have MS accounts)
Inbound / allow Core Networking ICMPv4-In
Inbound / allow Core Networking DHCP-In
Inbound / allow program <McAfee SiteAdvisor dir>\siteadv.exe
Inbound / allow service <SA Service> (McAfee SiteAdvisor)
Inbound / disable Core Networking IPHTTPS-In
Inbound / disable Core Networking IGMP-In
Inbound / disable all Core Networking rules that mention IPv6, Teredo, and ICMPv6
Inbound / disable all Network Discovery rules for the private profile (NB-Datagram-In, NB-Name-In, LLMNR-UDP-In, Pub-WSD-In, SSDP-In, UPnP-In, WSD-Events-In, WSD-EventsSecure-In, WSD-In)
Inbound / disable the 2 rules that mention HomeGroup
Inbound / disable Play To functionality x 2
Inbound / disable Play To SSDP Discovery
Inbound / disable Play To Streaming Server x 9 (HTTP, RTCP, RTSP)
Inbound / disable Play To UPnP Events
Inbound / disable Proximity Sharing over TCP
Inbound / <disable Reader>
Inbound / disable all rules for Remote Assistance
Inbound / disable <Mail, Calendar and People> (disable if you don't use MS accounts)
Some apps install Inbound allow rules for themselves. When you install an app, you should check the Inbound rules to see if any new rules have appeared, and disable those if you don't want inbound traffic to that app. Note that an inbound rule to an app essentially makes that application a server. That is, it will accept any transmission to the PC and can be exploited.
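The profile settings and rule list above can also be applied with the NetSecurity cmdlets; this is an added example, not the guide's own policy file, and it creates only a few of the program rules as a pattern to extend. It assumes the service short names wuauserv (Windows Update) and W32Time (Windows Time), and matches the built-in rules to disable by display-name wildcard; run it with -WhatIf first to see which rules match.

```powershell
# Added example: apply the outbound-block policy and the rule list of this guide with the
# NetSecurity cmdlets. Run elevated; call with -WhatIf to preview. Not the guide's policy file.
function Set-HardenedFirewall {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Windows Firewall Properties, every profile tab: outbound Block, log drops at the
    # 32767 KB maximum, no unicast response to multicast/broadcast.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block `
        -LogBlocked True -LogMaxSizeKilobytes 32767 `
        -AllowUnicastResponseToMulticast False

    # Outbound allow rules for services. Short names are assumptions:
    # wuauserv = Windows Update, W32Time = Windows Time.
    $services = [ordered]@{ 'Allow service Windows Update' = 'wuauserv'
                            'Allow service Windows Time'   = 'W32Time' }
    foreach ($name in $services.Keys) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow -Profile Any `
                -Service $services[$name] | Out-Null
        }
    }

    # Outbound allow rules for programs; extend with your browser and antivirus updater.
    $programs = @(
        '%SystemRoot%\HelpPane.exe',
        '%ProgramFiles%\Windows Defender\MpCmdRun.exe',
        '%ProgramFiles%\Internet Explorer\iexplore.exe',
        '%SystemRoot%\System32\svchost.exe',
        '%SystemRoot%\System32\wermgr.exe'
    )
    foreach ($exe in $programs) {
        $name = 'Allow program ' + (Split-Path $exe -Leaf)
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow -Profile Any `
                -Program $exe | Out-Null
        }
    }

    # Built-in rules the guide disables, matched by display-name wildcard in both directions.
    $disablePatterns = @('*IPv6*', '*IPHTTPS*', '*IGMP*', '*Teredo*', '*ICMPv6*',
                         '*HomeGroup*', 'Remote Assistance*', '*Proximity Sharing*', '*Play To*')
    foreach ($pat in $disablePatterns) {
        Get-NetFirewallRule -DisplayName $pat -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    }

    # Network Discovery rules are disabled only for the Private profile, as in the list above.
    Get-NetFirewallRule -DisplayGroup 'Network Discovery' -ErrorAction SilentlyContinue |
        Where-Object { $_.Profile -match 'Private' } | Disable-NetFirewallRule

    # What remains allowed outbound is the whitelist; review it.
    Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
        Select-Object DisplayName, Profile | Sort-Object DisplayName
}

Set-HardenedFirewall
```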
Setting up a Microsoft Account
Setting up the system to use an MS Account for login is needed if you plan to do purchases through the Windows app Store.
However, it is not recommended that your admin account be an MS account, because it is exposed on the net on Outlook.com and allows hackers to crack your password before even touching your network or your computer.
You can use gmail or yahoo mail or outlook.com or hotmail.com addresses for this "MS Account". If you use a gmail or yahoo mail account, Windows will create a mirror account on outlook.com that uses the same name and password. It will also migrate your phone number over to this account. The phone number is used for 2nd factor authentication when you go do Billing things.
A workaround for this is to pay for the WinApps you want to install and immediately go to outlook.com to remove the credit card info from the account.
WARNING: an MS account is a semi-admin. She can install Win Apps from the Store even if she is not an admin account. And depending on the Win App, the installation could open inbound 'allow' firewall rules which will make your PC vulnerable. Modifying firewall rules used to require admin rights but MS has apparently decided to bypass this. So, create an MS account only for an admin person and never for a user, as a user cannot be trusted to treat security as important. All a user wants at the moment is to try out that new software.
If you have to use MS accounts for your users, you can put a ban on the Windows Store.
Open Regedit, and navigate to HKLM\Software\Policies\Microsoft\WindowsStore. Make a DWORD (32-bit) named RemoveWindowsStore and set the value to 1. Setting RemoveWindowsStore to 0 will reactivate the Store.
Installing a 3rd Party Firewall
If you want, you can install another software firewall, although the Windows 8 firewall is quite good. Note that installing a third party firewall will automatically disable the Windows 8 one, because having 2 firewalls will cause conflicts. For example, currently the Comodo firewall is top rated. However, the part which I don't like is that it has an internal list of programs which it designates as "safe". I prefer my own whitelist, containing programs that I know of and approve, like in the rules list above. It also has to do with least privilege, because one doesn't want rules to allow programs connecting out to the internet if one never uses them. If you do want to use Comodo, then set the Comodo firewall to use "Custom Policy". In this mode, the firewall will prompt and tell you about both "safe" and unknown applications that try to connect to the internet, giving you the authority to decide. The good thing about using a third party firewall like Comodo is that it tells you what applications are trying to connect outbound, whereas Windows Firewall doesn't. And it does make for easier operation.
Software Restriction Policy
When activated, Software Restriction Policy will prevent any program from running unless it resides in \Program Files or \Windows. That means any downloaded malware in Temporary Internet Files or elsewhere will not be able to run (browsers and plug-ins sometimes have vulnerabilities that let infected web sites force them to download). Since you will be running as a standard user daily, that malware cannot install itself to the above 2 locations, because you need admin rights to do so. So you are covered against unwanted Desktop programs running.
Feature not available in Windows 8.1 Home.
Simple Software Restriction Policy 1.2 by IWR Consultancy
Simple SRP 1.2 is a free tool that provides the majority of the functionality of Windows' own SRP in a small program that sits in the systray. And it works on Windows 8.1 64bit. This program provides crucial protection to Windows 8.1.
After installation, only programs in \Program Files and \Windows will execute. So in order to run the BAT files of this guide's automated configuration, you need to choose the tool's UnLock from the right click menu, which will give you 30 mins of unlocked time.
The program installs into \Windows\SoftwarePolicy. Configuration is done via an .ini file that can be accessed and edited from its menu. There are some configuration items that need modification. Right click on the program's systray icon and choose Configure. Notepad will start.
Edit the following item and change the value from 0 to 2, like below:
AdminMenuPasswordLevel=2
Next, add the following lines underneath [Disallowed]:
c:\windows\debug\WIA=1
c:\windows\Registration\CRMLog=1
c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}=1
c:\windows\System32\com\dmp=1
c:\windows\System32\FxsTmp=1
c:\windows\System32\spool\PRINTERS=1
c:\windows\System32\spool\drivers\color=1
c:\windows\System32\Tasks=1
c:\windows\SysWOW64\com\dmp=1
c:\windows\SysWOW64\FxsTmp=1
c:\windows\SysWOW64\Tasks=1
c:\windows\Tasks=1
c:\windows\Temp=1
c:\windows\tracing=1
Lastly, if you use the Opera browser, find in the [LimitedApps] section the line 'Opera=...' and place a semicolon (;) in front of the line to exclude Opera from protection, because Opera v22 (the latest version as of this writing) will not function with this enabled.
Save the file, exit Notepad and apply the policy.
The above configures the program to require a Windows admin account password. And it secures the mentioned paths under \Windows which can be modified by users, to prevent malware from executing from in there.
Also, you can add a ";" in front of these lines to remove extra menu items, as they add clutter to the right click menu:
;(C:\)=explorer.exe C:\
;Control Panel=control.exe
;Printers and Faxes=control printers
;Network Connections=ncpa.cpl
;Computer Management=compmgmt.msc
;Disk Management=diskmgmt.msc
;Registry Editor=regedit.exe
;Task Manager=taskmgr.exe
;Windows Firewall=firewall.cpl
;Command Prompt=cmd.exe
;Salamander=salamand.exe
Vulnerable Services
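Why those particular paths appear under [Disallowed]: they are directories under \Windows that ordinary users can write to, so a path-based policy that trusts \Windows has to exclude them. The PowerShell below, added here as an example and not part of the guide or of the tool, enumerates such directories on the actual machine so the list can be checked against it rather than copied blindly.

```powershell
# Added example, not part of the guide or of the restriction-policy tool: list the
# directories under %SystemRoot% that ordinary users can write to. These are the
# locations a path-based policy that trusts \Windows has to cover with a
# [Disallowed] entry. Run from an elevated PowerShell; directories whose ACL
# cannot be read are reported rather than silently skipped.

# Identities whose Allow entries matter for a Standard user.
$BroadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that let a principal drop or modify a file inside a directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-UserWritableAcl {
    # $true when any Allow entry for one of the broad groups carries a write right.
    param([Parameter(Mandatory)][System.Security.AccessControl.DirectorySecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-UserWritableWindowsDir {
    # Walk the tree once; return the writable directories and the ones whose
    # ACL could not be read from this security context.
    param([string]$Root = $env:SystemRoot)
    $writable   = New-Object System.Collections.Generic.List[string]
    $unreadable = New-Object System.Collections.Generic.List[string]
    $dirs = Get-ChildItem -Path $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            if (Test-UserWritableAcl -Acl $acl) { $writable.Add($dir.FullName) }
        } catch {
            $unreadable.Add($dir.FullName)   # ACL not readable; check by hand
        }
    }
    [pscustomobject]@{ Writable = $writable; Unreadable = $unreadable }
}

$result = Get-UserWritableWindowsDir
"User-writable directories under $env:SystemRoot, in the tool's [Disallowed] syntax:"
foreach ($d in $result.Writable) { "$d=1" }
if ($result.Unreadable.Count -gt 0) {
    "ACL not readable for $($result.Unreadable.Count) directories; check those by hand."
}
```

Compare the printed lines with the [Disallowed] list above: anything printed that is not in the list is a gap in the policy on that machine.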
Most people are aware that services can be security problems, and that some should be disabled. The culprits are partially network services that listen to the net. Anything that takes input from the net is a candidate for manipulation by hackers. When one looks at the list of services that are disabled below, one might say that there are no known exploits for such and such a service. But the principle again is least privilege. Only those services that are needed should be active. And we don't want to wait until an exploit becomes public knowledge and then take action. Least privilege is a pro-active, preventative concept.

There are various servers in the list of services which listen 24x7 to everybody sending them stuff (which includes exploits), like the simply named 'Server' service that is responsible for File and Printer Sharing. Another server is UPnP Device Host, which lets other PCs interact with devices on this PC. Yet another server is Remote Desktop Services. This allows outsiders to connect to and control the PC; to have a secure PC, there should be no remote-anything. Components that allow remote management are also turned off, like Remote Registry, WMI Performance Adapter and Windows Remote Management. The first allows other PCs to change your registry, the second lets other PCs get performance data from this PC, and the third allows remote shell access. The Secondary Logon service is turned off, because it lets command line users run programs as admin. It requires the admin's password, but then hackers have all day to figure that out. DNS Client is turned off because it only caches previous DNS request results, and does not fetch results, and is the target of attacks which poison the cache with fake DNS entries. HomeGroup is the new file sharing mechanism in Windows 7, and the whole network's shared stuff (all material from all PCs) is secured via one password. With the File and Printer Sharing way, at least you can have different logons for different PCs. I have left 4 services on Automatic start which do react to inputs from the net, and they are Network Location Awareness, Network List Service, Network Connections, and Network Store Interface Service. These services tell other Windows programs about your network and allow you to choose your firewall profile (public or private).

There is another angle to services that makes some more desirable targets, and that is the account that runs them. The System account is all powerful and is equal in power to administrators. A network facing service which uses this account, like the WMI Performance Adapter or the Printer Extensions and Notifications, will be prized. A service running as System will also be targeted by hackers who have gained entry into a Standard account; they will try to take over the service to gain System rights. (This is called "escalation of privilege".)

There are some services which activate if you have the right equipment, like Microsoft iSCSI Initiator Service, Bluetooth Support Service, Fax, Smart Card, Smart Card Removal Policy and WWAN AutoConfig; they are all dependent on specific hardware. In my personal configuration, they are all disabled, because I don't have them. In particular, Bluetooth Support Service is one that ought to be disabled if one doesn't have any Bluetooth peripherals; it is a networking component that can be abused by hackers, and there are free hacking tools available. It is not disabled in the configuration file because I don't want someone to apply the config and suddenly find that their keyboard or mouse doesn't work.
When you configure services, clicking on each will display a description. If that is not enough for you, you can check out http://blackviper.com, sometimes they have additional information.

If you have the Automated Configuration package, you can set up the services by right clicking on "Harden Win 8.1 Home 64 Services.bat" and choosing "Run as Administrator". Items in <angle brackets> are optional and not set up in the Automated Configuration file.

Start button/Control Panel/Administrative Tools/Services

Right click on the following services, choose Properties and set Startup Type to Disable.

Name (Original Mode) (what it does)
---------------------------------------------------
Computer Browser (manual) (finds other PCs in the network)
Distributed Link Tracking Client (automatic) (maintains shortcuts if the source file name has changed)
DNS Client (automatic) (caches previously looked up domain names)
Family Safety (manual) (compatibility stub for Vista apps)
Function Discovery Provider Host (manual) (HomeGroup)
Function Discovery Resource Publication (manual) (HomeGroup)
HomeGroup Listener (manual) (HomeGroup)
HomeGroup Provider (manual) (HomeGroup)
Internet Connection Sharing (disabled) (makes PC act as router)
IP Helper (automatic) (IPv6 tunneling)
KtmRm for Distributed Transaction Coordinator (manual) (MS recommends to stop this service if not needed)
Link-Layer Topology Discovery Mapper (manual) (network discovery)
Microsoft iSCSI Initiator Service (manual) (allows LAN or Internet based storage)
Net.Tcp Port Sharing Service (disabled)
Netlogon (manual) (logon to Windows Server)
Network Access Protection Agent (manual) (reports security configuration)
Network Connected Devices Auto-Setup (manual) (auto-setup of devices in the network)
Network Connectivity Assistant (manual) (works with DirectAccess to provide setup of network devices. Relies on DNS Client, IP Helper, Network Store Interface Service and Base Filtering Engine)
Peer Name Resolution Protocol (manual)
Peer Networking Grouping (manual) (HomeGroup, remote assistance)
Peer Networking Identity Manager (manual) (HomeGroup, remote assistance)
Performance Counter DLL Host (manual) (allows remote query of performance counters)
Performance Logs & Alerts (manual) (collects remote and local perf data)
PNRP Machine Name Publication Service (manual) (server that responds with a machine name)
<Printer Extensions and Notifications> (manual) (receives input from remote printers and runs printer custom dialog boxes. Runs as LocalSystem if exploited)
Quality Windows Audio Video Experience (manual) (multimedia server)
Remote Access Auto Connection Manager (manual)
Remote Access Connection Manager (manual) (dialup, VPN)
Remote Desktop Configuration (manual)
Remote Desktop Services (manual) (server allowing remote control)
Remote Desktop Services UserMode Port Redirector (manual)
Remote Registry (disabled) (allows remote PCs to modify your registry)
Routing and Remote Access (disabled)
Secondary Logon (manual) (allows the command line runas option to run programs as admin)
Secure Socket Tunneling Protocol Service (manual) (VPN)
<Sensor Monitoring Service> (manual) (disable if you don't have any light sensors etc.)
Server (automatic) (HomeGroup, File and Printer Sharing)
SNMP Trap (manual)
SSDP Discovery (manual)
TCP/IP NetBIOS Helper (automatic)
Telephony (manual) (affects Remote Access Connection Manager / VPN)
UPnP Device Host (manual)
WebClient (manual)
Windows Connect Now - Config Registrar (manual) (Wireless Setup - simplified configuration)
Windows Error Reporting Service (manual) (reports system problems to MS and fetches solutions)
Windows Event Collector (manual) (allows remote subscription to log events)
Windows Media Player Network Sharing Service (manual)
Windows Remote Management (manual) (server, listens for remote requests)
WMI Performance Adapter (manual) (provides performance data to other PCs collecting it)
Work Folders (manual) (sync folders with server)
Workstation (automatic) (HomeGroup, AD)
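Added here as an example, not the guide's own Services.bat: the following PowerShell takes the list above, saves a baseline of each service's startup mode, state and run-as account before disabling it, and reports any display name that does not match so a typo cannot leave a service running. The CSV it writes is the rollback and later-comparison point; the display names are the guide's, adjusted to the console's spelling.

```powershell
# Added example, not the guide's "Harden Win 8.1 Home 64 Services.bat": record
# each listed service's current startup mode, state and run-as account to a CSV
# baseline, then disable it. The CSV is what a later comparison or a rollback
# works from. Run from an elevated PowerShell (Windows 8.1, PowerShell 4).

# Display names as shown in the Services console (the guide's list, with the
# spelling the console uses). Names that match nothing are reported, not guessed.
# Optional <angle bracket> items from the list are intentionally left out.
$ServicesToDisable = @(
    'Computer Browser', 'Distributed Link Tracking Client', 'DNS Client', 'Family Safety',
    'Function Discovery Provider Host', 'Function Discovery Resource Publication',
    'HomeGroup Listener', 'HomeGroup Provider', 'Internet Connection Sharing (ICS)',
    'IP Helper', 'KtmRm for Distributed Transaction Coordinator',
    'Link-Layer Topology Discovery Mapper', 'Microsoft iSCSI Initiator Service',
    'Net.Tcp Port Sharing Service', 'Netlogon', 'Network Access Protection Agent',
    'Network Connected Devices Auto-Setup', 'Network Connectivity Assistant',
    'Peer Name Resolution Protocol', 'Peer Networking Grouping',
    'Peer Networking Identity Manager', 'Performance Counter DLL Host',
    'Performance Logs & Alerts', 'PNRP Machine Name Publication Service',
    'Quality Windows Audio Video Experience', 'Remote Access Auto Connection Manager',
    'Remote Access Connection Manager', 'Remote Desktop Configuration',
    'Remote Desktop Services', 'Remote Desktop Services UserMode Port Redirector',
    'Remote Registry', 'Routing and Remote Access', 'Secondary Logon',
    'Secure Socket Tunneling Protocol Service', 'Server', 'SNMP Trap', 'SSDP Discovery',
    'TCP/IP NetBIOS Helper', 'Telephony', 'UPnP Device Host', 'WebClient',
    'Windows Connect Now - Config Registrar', 'Windows Error Reporting Service',
    'Windows Event Collector', 'Windows Media Player Network Sharing Service',
    'Windows Remote Management (WS-Management)', 'WMI Performance Adapter',
    'Work Folders', 'Workstation'
)

function Get-ServiceBaseline {
    # One row per requested display name. Found = $false rows let you fix the
    # spelling instead of silently leaving a service running.
    param([Parameter(Mandatory)][string[]]$DisplayName)
    $all = Get-CimInstance -ClassName Win32_Service
    foreach ($name in $DisplayName) {
        $svc = $all | Where-Object { $_.DisplayName -eq $name } | Select-Object -First 1
        [pscustomobject]@{
            DisplayName = $name
            Found       = [bool]$svc
            Name        = $(if ($svc) { $svc.Name } else { $null })
            StartMode   = $(if ($svc) { $svc.StartMode } else { $null })  # Auto / Manual / Disabled
            State       = $(if ($svc) { $svc.State } else { $null })
            RunAs       = $(if ($svc) { $svc.StartName } else { $null }) # LocalSystem = prized target
        }
    }
}

function Disable-ListedService {
    # Stop (with dependents) and disable every found service not already disabled.
    param([Parameter(Mandatory)][object[]]$Baseline)
    foreach ($row in ($Baseline | Where-Object { $_.Found -and $_.StartMode -ne 'Disabled' })) {
        try {
            if ($row.State -eq 'Running') { Stop-Service -Name $row.Name -Force -ErrorAction Stop }
            Set-Service -Name $row.Name -StartupType Disabled -ErrorAction Stop
            "Disabled: $($row.DisplayName) (was $($row.StartMode), runs as $($row.RunAs))"
        } catch {
            Write-Warning "Could not disable $($row.DisplayName): $($_.Exception.Message)"
        }
    }
}

function Restore-ServiceBaseline {
    # Rollback: put every service back to the startup mode saved in the CSV.
    param([Parameter(Mandatory)][string]$Path)
    $modes = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }
    foreach ($row in (Import-Csv -Path $Path | Where-Object { $_.Found -eq 'True' })) {
        Set-Service -Name $row.Name -StartupType $modes[$row.StartMode]
    }
}

$baseline = Get-ServiceBaseline -DisplayName $ServicesToDisable
$csv = Join-Path -Path $env:USERPROFILE -ChildPath ("services-baseline-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
$baseline | Export-Csv -Path $csv -NoTypeInformation
$baseline | Where-Object { -not $_.Found } | ForEach-Object { "Not found, check the display name: $($_.DisplayName)" }
Disable-ListedService -Baseline $baseline
"Baseline saved to $csv; roll back with: Restore-ServiceBaseline -Path '$csv'"
```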
Stop Logins from the Network

There should be no logins available from the network. However, if we stop user and admin accounts from logging in through the network, then Simple Software Restriction Policy 1.0 will stop working. However, we are still protected by Windows Firewall. So the accounts that are denied are: Guests, Anonymous Logon, Administrator, NETWORK SERVICE, SERVICE, SYSTEM, and LOCAL SERVICE. The settings for "Deny access to this computer from the network" are included in the Services bat file above.

Install EMET (Enhanced Mitigation Experience Toolkit)

This is a very important part of safeguarding your PC from exploits. Install EMET. Run EMET, click on the Configure System button, and set the following:

DEP - always on
SEHOP - always on
ASLR - application opt in

The defaults are:

DEP: application Opt In
SEHOP: application Opt In
ASLR: application Opt In
Pinning: Enabled

Click the "Apps" button, then the "Add Application" button, and locate:

· \Windows\System32\wuauclt.exe
· \Windows\servicing\trustedinstaller.exe
· Your antivirus's service, if it has one.

Add all your browsers, chat programs and other Internet facing programs. This includes all programs that take input from downloaded material, like media players, Adobe Reader etc. Read the accompanying documentation to see what protection EMET offers.
Install Antivirus

The last thing you need to do in preparation for connecting online to do Check for Updates is to install your antivirus program. You will also need to specify an outbound firewall rule to allow the antivirus to fetch signature updates. Windows 8 comes with Windows Defender antivirus. If you want to use this default antivirus, then nothing needs to be done except allowing it outbound in the firewall (already listed in the above firewall rules configuration). Some antivirus products also require other files added to the firewall outbound rules, like ESET antivirus, which has a file called "ekrn.exe" that intercepts web browsing and inspects traffic.

Check for Updates

At this point, you have hardened the networking components. Set up the correct gateway. Switch to your Standard account. Connect now to the internet. Immediately do Check for Updates: Control Panel > Windows Update, then click on 'Check for Updates' on the left. DO NOT SURF the net while updates are going on, as Internet Explorer is still unpatched and vulnerable. Note also that you have to Check for Updates more than once, as MS prepares updates in batches, and another batch may follow the current one. If you wish, you may defer Microsoft Update until we reach the end of this guide, when all attack venues are covered.

Install All Software, Update Firewall Rules

Install antispyware and antimalware. Then install Secunia's PSI, Adobe PDF Reader, your browser, Flash, your Office suite, your printer driver and all other applications. If you use MS Office, then go do Microsoft Update now: Charms bar / Search / choose Settings / type in 'update' / choose "Install Optional Updates". Click on "Get updates for other Microsoft products - Find out more". Follow the instructions on the IE screen. Then do Check for Updates again.

Remember to update your firewall outbound rules to allow the programs that need the internet, like Flash and Adobe Reader, which now have their own update services, so add allow outbound rules for those services. Also your browser and Secunia PSI (see below) need to reach outbound to the internet.
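The outbound rules this section keeps mentioning, as an added PowerShell example rather than the guide's own firewall configuration: with the default outbound action left at Block, each updater gets one program-scoped Allow rule, and a rule is refused for a program path that does not exist. The three program paths are assumed placeholders for Windows Defender, the Adobe Reader updater and the Flash updater; substitute the real locations on your machine.

```powershell
# Added example, not part of the guide's firewall configuration: with the
# firewall's default outbound action set to Block, every updater that must reach
# the internet needs its own program-scoped Allow rule. The paths below are
# assumed placeholders for illustration; substitute the real paths on your machine.
# Run from an elevated PowerShell (NetSecurity module, Windows 8 / 8.1).

function Set-OutboundBlockDefault {
    # Keep the guide's posture: block everything outbound unless a rule allows it.
    Set-NetFirewallProfile -Name Domain, Private, Public -DefaultOutboundAction Block
}

function Add-OutboundAllowRule {
    # Create (or refresh) one Allow rule scoped to a single program. Refusing a
    # path that does not exist catches typos before they become a rule that
    # allows nothing, or the wrong thing.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Program
    )
    if (-not (Test-Path -LiteralPath $Program -PathType Leaf)) {
        throw "Program not found, rule '$Name' not created: $Program"
    }
    # Replace any earlier rule of the same name so re-running stays idempotent.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Allow `
        -Program $Program -Profile Private, Public -Enabled True | Out-Null
}

function Get-OutboundAllowRule {
    # Review view: every enabled outbound Allow rule and the program it covers.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Profile = $_.Profile }
        }
}

# Assumed placeholder paths: adjust to the actual install locations.
$Updaters = @{
    'Allow out - Windows Defender updates' = "$env:ProgramFiles\Windows Defender\MsMpEng.exe"
    'Allow out - Adobe Reader updater'     = "${env:ProgramFiles(x86)}\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    'Allow out - Flash updater'            = "$env:SystemRoot\SysWOW64\Macromed\Flash\FlashUtil32_ActiveX.exe"
}

Set-OutboundBlockDefault
foreach ($entry in $Updaters.GetEnumerator()) {
    try   { Add-OutboundAllowRule -Name $entry.Key -Program $entry.Value }
    catch { Write-Warning $_.Exception.Message }
}
Get-OutboundAllowRule | Format-Table -AutoSize
```

The final table is the review step: any outbound Allow rule whose Program column is empty applies to every program and deserves a second look.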
Patching

One of the most important things to do is to update EVERYTHING on your computer, constantly; that means Windows Update and updating all programs and plug-ins. It is very important to know that security patches close the holes that malware/hackers need to get onto your computer. Patching the security holes is the ultimate preventative measure that treats the source of the problem. It is known that hackers reverse engineer MS patches to exploit the vulnerabilities. It only takes a few days for them to do so, so be sure to patch on time. MS's patch schedule is the second Tuesday of each month. Calendar a repeating entry on your cellphone.

Windows Update supplies security fixes to Windows and its programs like Internet Explorer. If you use a buggy IE, then hacked websites can install viruses/malware unbeknown to you. Adobe Flash is another component that lots of people forget about. Luckily, two browsers, Internet Explorer and Google Chrome, will fetch Flash updates automatically, so you don't have to do a thing. If you use Firefox, Opera or another browser, then you need to download the Flash plugin for them. Adobe recently implemented an automatic update feature for Flash; if you install Flash, you must make an outbound allow firewall rule for the service.

Secunia offers a free program called PSI (http://secunia.com/vulnerability_scanning/personal/) that detects which of your installed programs are missing security patches. This is a lifesaver. After installing, it will scan your PC on a schedule. It will tell you about insecure programs, and link you to patch downloads. If a patch for a security hole does not yet exist, it will tell you, so that at least you can stop using that program for a while. This is a very important part of maintaining the security of your machine.
Turn off AutoRun, AutoPlay

AutoPlay is a problem when it comes to removable devices like USB memory sticks and CDs, because it will run whatever program it is set for whenever you insert one. Hackers are known to casually leave CDs around in public washrooms, labelled something like 'layoff positions for next quarter'. Once inserted, their hacking tools will run in the background and call back to their master server. AutoPlay is the successor to AutoRun, and can be disabled in Windows. Open the Charms bar, go to Search, click on Settings, and type in AutoPlay. Now click on AutoPlay in the search results. Then set "Use AutoPlay for all media and devices" to off.

SkyDrive

SkyDrive lets you keep your documents, pictures and PC settings on the net, ready for syncing to all of your PCs. However, your personal files are sitting there on the internet 24x7x365 waiting for someone to crack your password. This is not secure, to say the least. If you have set up your PC to use a Microsoft account, be sure to configure SkyDrive so that it doesn't sync your documents and other private folders. The settings are available from Charms bar > Search > search for "PC Settings" > SkyDrive. Then for File Storage > turn off 'Save documents to SkyDrive by default'. And Sync Settings > turn off 'Sync your settings on this PC'. And Camera roll > select 'Don't upload photos', plus turn off 'Automatically upload videos to SkyDrive'. This has to be done individually for all MS accounts.

Enable DEP

Data Execution Prevention is a technology that foils some types of attacks when they are coded in a certain way. By default, this feature is enabled but protects only Windows executables. You want to enable it to protect all programs, like your Firefox, Opera, Acrobat Reader and others. If you have already installed EMET as per above, then this setting will be disabled because EMET has taken over the handling of DEP.

Right click Computer / Properties / Advanced System Settings / Performance Settings button / Data Execution Prevention tab. Select "Turn on DEP for all programs ...".

Disable dump file creation

Dump files are memory dumps: everything in memory is saved to a file. This is used for debugging problems when your system crashes. However, passwords and all confidential material that is currently in memory are also saved to this file. You should enable this feature only when you are experiencing problems and need to debug.

Computer > Properties > Advanced System Settings > Startup and Recovery Settings button. Write debugging info: None.

Disallow Remote Assistance

Computer / Properties / Advanced System Settings / Remote tab. Uncheck 'Allow Remote Assistance'.

Let Windows make more Restore Points available

System Restore can be a life saver when you encounter system errors. Setting it to use more disk space and making more restore points is good policy.

Right click Computer / Properties / Advanced System Settings / System Protection tab / Configure button / create a bigger system restore cache.

Enable Visibility into Windows hidden files

You want to be able to see all files and folders in Windows. If you do not do this step, hackers can hide their installed tools from you. Although the attacker can also install a rootkit which also hides their files, they may not be able to get that far into your system to do so.

Windows Explorer / View pull down menu / Options button / Change Folders and Search options / View tab

CHECKMARK the items below:
・ Always show menus
・ Display the full path in the title bar
・ Show hidden files, folders and drives

UNCHECK the items below:
・ Hide empty drives in the Computer folder
・ Hide folder merge conflicts
・ Hide extensions for known file types
・ Hide protected operating system files

Windows Explorer / View pull down menu /
· checkmark File Name Extensions
· checkmark Hidden Files

Configure Screen Saver

Unattended PCs are obvious security risks. But many people fail to take care of this via this simple setting. Most larger companies that are security aware have strict rules to enable this and not to leave PCs logged in and unattended. Right click on the desktop and choose Personalize / Screensaver. Configure it to wait 10 minutes, and check mark "On resume, display Logon screen".
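The GUI steps from AutoPlay through the screen saver above all end up as registry values. The PowerShell below, an added example and not from the guide, states the intended values in one table so a machine can be audited for drift (the baseline comparison the introduction calls for) and brought into line. The value names are the ones Windows itself writes for those dialogs; treat the chosen values as this example's reading of the guide's settings, and run it in each user account for the HKCU entries.

```powershell
# Added example, not from the guide: the AutoPlay, dump file, Remote Assistance,
# Explorer visibility and screen saver steps are GUI steps that all end up as
# registry values. One table of desired values gives both an audit (drift
# report) and an apply step. HKCU values are per user, so run this in each
# account; the HKLM values need an elevated prompt. Explorer and the desktop
# re-read their values at next logon.

$DesiredSettings = @(
    # AutoPlay: "Use AutoPlay for all media and devices" = off
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'; Name='DisableAutoplay'; Value=1; Type='DWord' }
    # Startup and Recovery > Write debugging information: None
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'; Name='CrashDumpEnabled'; Value=0; Type='DWord' }
    # Remote tab > Allow Remote Assistance: unchecked
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'; Name='fAllowToGetHelp'; Value=0; Type='DWord' }
    # Folder Options > View: show hidden files, show extensions, show protected OS files
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden'; Value=1; Type='DWord' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt'; Value=0; Type='DWord' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden'; Value=1; Type='DWord' }
    # Screen saver: active, 10 minutes, logon screen on resume (stored as strings;
    # a saver must also be selected in the dialog for the timeout to take effect)
    @{ Path='HKCU:\Control Panel\Desktop'; Name='ScreenSaveActive'; Value='1'; Type='String' }
    @{ Path='HKCU:\Control Panel\Desktop'; Name='ScreenSaveTimeOut'; Value='600'; Type='String' }
    @{ Path='HKCU:\Control Panel\Desktop'; Name='ScreenSaverIsSecure'; Value='1'; Type='String' }
)

function Get-RegistryDrift {
    # Compare each desired value with the machine; Current is $null when the
    # value or its key is absent, which counts as non-compliant.
    param([Parameter(Mandatory)][hashtable[]]$Desired)
    foreach ($s in $Desired) {
        $current = $null
        if (Test-Path -Path $s.Path) {
            $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($s.Name) }
        }
        [pscustomobject]@{
            Path = $s.Path; Name = $s.Name; Desired = $s.Value; Current = $current
            Compliant = ($null -ne $current) -and ("$current" -eq "$($s.Value)")
        }
    }
}

function Set-DesiredRegistry {
    # Apply only the settings that drift, creating a missing key on the way.
    param([Parameter(Mandatory)][hashtable[]]$Desired)
    foreach ($row in (Get-RegistryDrift -Desired $Desired | Where-Object { -not $_.Compliant })) {
        $s = $Desired | Where-Object { $_.Path -eq $row.Path -and $_.Name -eq $row.Name }
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
        "Set $($s.Path)\$($s.Name) = $($s.Value)"
    }
}

# Audit first; uncomment the apply line once the drift report looks right.
Get-RegistryDrift -Desired $DesiredSettings | Format-Table Name, Desired, Current, Compliant -AutoSize
# Set-DesiredRegistry -Desired $DesiredSettings
```

Re-running the audit after the GUI steps, or after a suspected change, is the baseline comparison: every row should read Compliant = True.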
Least Privilege part 2

If you look at the \Windows\System32 folder, you will see a lot of exe programs. Some of them are Windows' GUI components and needed by the system. And some are command line programs used to administrate Windows. A Standard user account doing daily work has little use for these command line programs, as they are intended for IT administrators. In accordance with Least Privilege, these command line admin tools should be partitioned away from the User group.

If you have the automated configuration package, you can set up the file permissions by right clicking on "Harden Win 8 Home 64 ACLs.bat" and choosing "Run as Administrator". After configuration, the command line administrative tools can only be accessed from an admin account using an elevated command prompt.

Attackers aim to get use of three accounts: the admin account, the "Administrator" account, and the System account. The admin account is needed for configuring the system, so it needs full access to command line tools and we cannot avoid this. The 'Administrator' account is by default disabled. And the System account is used by some services. In testing, it was revealed that the System account cannot be constricted or else our Restore BAT wouldn't work. So in the provided configuration file, command line tools are set so that only members of the Administrators group and 'TrustedInstaller' can invoke them. (The System account gets inherited rights.)

As an example, few people are aware that there is a command line FTP program, as most people use their browsers to download. This program is used mainly by hackers who need to bring over their tools once they have gained command prompt access.

Turn on File History

File History saves your documents, pictures, music, contacts and IE favorites every hour to a removable drive (or USB key). It does it every hour by default and keeps versions of the files as they change. This is a very convenient method of performing backups and should be used. Just remember to unplug the USB key when you shut down the computer and carry it with you, or else your attackers will gain access to all your files.

On the Charms bar, go to Search and type in "history" and choose "File History Settings".
Browsers and Security

Internet Explorer is still the most popular browser because it is installed by default. Because browsers are the primary interface to the web, and used by everyone, they are a PRIMARY vector of attack. Hackers will attack a website and modify it to deliver malware, using security holes in the browser. Or they can send attacks forging the address of a web page you are on. (If you have a tab of your favorite web site always open, they can forge that web site's address and send attacks.)

Internet Explorer has an important defense mechanism, called Protected Mode. It is another name for Integrity Levels. Basically, the entire system is marked as Medium integrity, while frequently attacked programs like Internet Explorer are marked as Low integrity. Low integrity cannot modify Medium. So even if someone compromises IE and gains access to your PC, they cannot modify your system. You can set the integrity level of a program yourself, so you can make Firefox or other browsers use Protected Mode as well.

Popular alternatives to IE are Firefox, Opera and Chrome. There have been security holes discovered in them just like IE, but they are reputed to be more secure, primarily because they don't use ActiveX. There are ActiveX code libraries strewn about in Windows, and many are not safe for web use. Attackers often make IE call these ActiveX code modules as a means of attack.

Set IE to use Protected Mode Always

Control Panel / Internet Options / Security tab. Checkmark Protected Mode for all zones. Login to EACH user account and repeat.

Set IE to use ActiveX Filtering

Open Internet Explorer, Gear icon / Safety / checkmark ActiveX Filtering. Login to EACH user account and repeat.

IE has this stupid distinction about the source of a web page. By default, if a web server is within your network (like a company web server), then Protected Mode is disabled. Well, if a hacker wants to attack your network, they would just simply attack your web server first, and let their tools spread when internal visitors use the infected company web server.

Set IE11 to use Enhanced Protected Mode

Windows 8 has Enhanced Protected Mode that protects your private files and folders like the Documents folder. However, to remain compatible with plugins like 3rd party toolbars etc., Enhanced Protected Mode has to be manually enabled. Go to Control Panel > Internet Options > Advanced; scroll the Settings list to the Security section and checkmark "Enable 64 bit Processes for Enhanced Protected Mode". Note that by doing this, some plugins may not work.

Note: the above settings are per-user settings, so you have to enable them individually for EACH account. I will remind you of this at the end of this document.

——————————-
Mozilla Firefox is open source software. Proponents of open source say that because the code is open for all to inspect, it makes for a safer product (as opposed to IE, which only a limited number of MS programmers work on). Mozilla has also once called on white hat hackers to help test attack Firefox. But whether or not this is an ongoing engagement is unclear.

Firefox can be made more secure if you install certain plug-ins. The most popular one is NoScript, which blocks JavaScript from executing until you mark a site as trustworthy, or opt to temporarily allow scripting. IE can block JavaScript too, but the controls to do so are buried in the Internet Options menu and not as quickly accessible as NoScript, and it can't be automatically enabled per site. So security that is usable wins. JavaScript blocking is a feature because many browser security holes are activated by scripting, so again, when it is not needed, it should be disabled. Unfortunately some sites require JavaScript to operate correctly. However, there is a flaw in the thinking that a site can be marked as trustworthy forever, because 1) even popular and trusted sites can be attacked and modified, and 2) some sites subscribe to ad banners which they have no control over, and sometimes the banners are made maliciously.

To cover the angle of malicious ads, there is a plug-in called AdBlock Plus. This plug-in removes all ads from sites. Its side benefit is that sites load faster without the ads.

There is another Firefox plug-in called WOT (Web of Trust). This plug-in marks search engine results with ratings. If a site is known to deliver malware, you will see a red danger icon next to it. And you can click on the icon to see detailed ratings by threat category. The ratings are driven by community help. WOT is now also available for Internet Explorer.

There is another free plug-in by McAfee called SiteAdvisor. It also marks search engine results with a safety rating icon, and this product works with both IE and Firefox.

Low Integrity Firefox

As mentioned above, you can enhance Firefox's security by setting it to low integrity. Open an elevated command prompt and copy and paste in the following commands, one line at a time, substituting <yourAccName> with your account name:

icacls "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" /setintegritylevel low
icacls "C:\Users\<yourAccName>\AppData\Local\Temp" /setintegritylevel (oi)(ci)low /t
icacls "C:\Users\<yourAccName>\AppData\Local\Mozilla" /setintegritylevel (oi)(ci)low /t
icacls "C:\Users\<yourAccName>\AppData\Roaming\Mozilla" /setintegritylevel (oi)(ci)low /t
icacls "C:\Users\<yourAccName>\Downloads" /setintegritylevel (oi)(ci)low /t
icacls "C:\Users\<nextAccName>\AppData\Local\Temp" /setintegritylevel (oi)(ci)low /t
icacls "C:\Users\<nextAccName>\AppData\Local\Mozilla" /setintegritylevel (oi)(ci)low /t
icacls "C:\Users\<nextAccName>\AppData\Roaming\Mozilla" /setintegritylevel (oi)(ci)low /t
icacls "C:\Users\<nextAccName>\Downloads" /setintegritylevel (oi)(ci)low /t

Note that in order for Firefox to run as low integrity, it required the setting of the \AppData\Local\Temp folder also to low integrity, which was previously medium. This folder may contain sensitive temporary data from other applications. An intruder gaining access through Firefox may be locked into low integrity mode and can't change system settings, but he can glean data from this folder, which may be undesirable.

----------------------

Opera is another alternative browser. The thing that is good about them is that they patch up publicly disclosed vulnerabilities quite quickly. There is also a WOT plugin for this browser.

Low Integrity Opera

Run the following commands in an elevated command prompt:

icacls "C:\program files (x86)\opera\opera.exe" /setintegritylevel low
icacls "C:\Users\sec web\AppData\Local\Opera Software" /setintegritylevel (oi)(ci)low /t

Note: every time you update Opera or Firefox, you have to re-run the command that makes the exe a low integrity program (... /setintegritylevel low).

----------------
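Added example, not from the guide: the icacls steps for Firefox and Opera above, applied to every profile under C:\Users instead of one <yourAccName> at a time, with a check of the exe's current label first, which handles the note that a browser update silently resets it. The install paths are the guide's; adjust them if yours differ.

```powershell
# Added example, not from the guide: apply the low-integrity labels for Firefox
# and Opera to every local profile under C:\Users, and verify the exe label
# first, since a browser update replaces the exe and drops the label. Uses
# icacls, the same tool the guide uses. Run from an elevated PowerShell.

$Browsers = @(
    @{ Exe = "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"
       ProfileDirs = @('AppData\Local\Temp', 'AppData\Local\Mozilla', 'AppData\Roaming\Mozilla', 'Downloads') }
    @{ Exe = "${env:ProgramFiles(x86)}\Opera\opera.exe"
       ProfileDirs = @('AppData\Local\Opera Software', 'Downloads') }
)

function Get-IntegrityLabel {
    # Parse icacls output for the mandatory label; returns 'Low', 'Medium' or
    # 'High', or $null when no explicit label is set (the default, Medium).
    param([Parameter(Mandatory)][string]$Path)
    $text = & icacls.exe $Path 2>&1 | Out-String
    if ($text -match 'Mandatory Label\\(Low|Medium|High) Mandatory Level') { return $Matches[1] }
    return $null
}

function Set-LowIntegrity {
    # Label one file, or a directory tree (inheritable and recursive), as Low.
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)
    if ($Recurse) { & icacls.exe $Path /setintegritylevel '(OI)(CI)L' /t /q | Out-Null }
    else          { & icacls.exe $Path /setintegritylevel L | Out-Null }
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit $LASTEXITCODE)" }
}

function Update-BrowserIntegrity {
    # For each installed browser: relabel the exe if its label is not Low, then
    # label the per-profile directories for every real user profile present.
    $skip = @('Public', 'Default', 'Default User', 'All Users')
    $profiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory |
        Where-Object { $_.Name -notin $skip }
    foreach ($b in $Browsers) {
        if (-not (Test-Path -LiteralPath $b.Exe)) { "Not installed, skipped: $($b.Exe)"; continue }
        if ((Get-IntegrityLabel -Path $b.Exe) -ne 'Low') {
            Set-LowIntegrity -Path $b.Exe
            "Relabelled exe (an update had reset it, or first run): $($b.Exe)"
        }
        foreach ($p in $profiles) {
            foreach ($rel in $b.ProfileDirs) {
                $dir = Join-Path -Path $p.FullName -ChildPath $rel
                if (-not (Test-Path -LiteralPath $dir)) { continue }   # profile never ran this browser
                if ((Get-IntegrityLabel -Path $dir) -ne 'Low') {
                    Set-LowIntegrity -Path $dir -Recurse
                    "Labelled Low: $dir"
                }
            }
        }
    }
}

Update-BrowserIntegrity
```

Running this after every browser update is the re-run the note above asks for; when the exe already carries the Low label, nothing is touched.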
Chrome is Google's browser; it is also open source, mostly. Its architecture allocates high-risk components, such as the HTML parser, the JavaScript virtual machine, and the Document Object Model (DOM), to its sandboxed rendering engine. It prevents modifications to your Windows system. This sandbox is designed to protect one from unpatched security holes. It also uses IE's Protected Mode in Vista, Windows 7 and 8. Recently, Chrome has also added a sandbox around Adobe Flash, to prevent security bugs in Flash from compromising a system. Google also pays white hat hackers to test attack its product, and there have been numerous security flaws discovered this way. Google is doing this right. Chrome is also capable of automatically updating itself. And also, Google has a special deal with Adobe and gets Flash updates automatically. These two things save a lot of time.

Chrome has 2 versions, one for ordinary users and one for business. The ordinary one installs itself into \users\...\appdata, thus allowing users to install the product without the IT dept's blessing. That is, if software restriction policy has not been turned on. The business edition installs into \Program Files (x86), like what normal 32 bit programs usually do. You should use the business edition.

Sandboxing your Browser

There is a program called Sandboxie (http://www.sandboxie.com/) which applies the sandbox security concept to protect any browser. Basically, the protected browser is made to look within a small directory, but it thinks that that directory is drive C. Sandboxie, and any sandbox in general, does not aim to prevent an attack, but instead contains the attack within that directory. If the attack creates folders and files, they will be created in that directory. If it installs hacking tools and malware, they will all be confined to that directory. All your downloads will also arrive into that directory first, and Sandboxie will help move them back to the outside world. And everything in that directory can be wiped away with one click. This program is vital to securing your browser.

Create a sandbox for each user (this is assuming that you have different user accounts). Right click on the sandbox and choose Sandbox Settings.

Tip: if you have a favorite site that requires login, and you allow the site to remember your login, you can start the browser outside of Sandboxie to quickly login and let the site save a cookie. Then restart the browser using Sandboxie. Sandboxie will copy the cookies from outside to the sandbox when initiating.
Block Low Integrity Programs from Accessing Your Documents

There is also an option where low integrity programs can be made so that they can't even read medium integrity locations. That's what the commands below do. When you execute the commands, your desktop, documents, pictures, videos and music folders will be unreadable to any program marked as low integrity. The last command below makes the Downloads folder a low integrity folder. This is necessary because you need a place to save your downloads (Low can't write to Medium). You will also want to create an Upload directory, and copy the file which you want to upload there. Because this Upload folder has not been processed by chml, the low integrity browser can read this folder.

Since you also have a Standard User account, run the commands below stating your Standard User account too. Note: this measure only protects you against attacks on your low integrity programs like Internet Explorer (and Firefox or Opera, if you followed the above instructions). But since browsers are primary vectors of attack, this security measure is important. You can also experiment and set other internet facing programs to low integrity, like your chat program.

Visit http://www.minasi.com/apps/ to download chml.exe. Then right click on Command Prompt and choose 'Run as administrator'. Then execute the following commands for each user:

cd "\users\<yourAccName>\downloads\chml" (or wherever you saved chml)
chml "c:\users\<yourAccName>\desktop" -i:m -nr -nw -nx
chml "c:\users\<yourAccName>\documents" -i:m -nr -nw -nx
chml "c:\users\<yourAccName>\pictures" -i:m -nr -nw -nx
chml "c:\users\<yourAccName>\videos" -i:m -nr -nw -nx
chml "c:\users\<yourAccName>\music" -i:m -nr -nw -nx
chml "c:\users\<yourAccName>\downloads" -i:l

This feature is unfortunately unavailable to Domain clients who use Folder Redirection, because the folders being redirected, like Documents, do not exist on the client machine.

Run 'gpedit.msc': Computer Configuration / Administrative Templates /  Windows Components / App Compatibility / Prevent access to 16-bit applications = Enabled. Feature not available in Windows 8.1 Home.

AppLocker

AppLocker is new to Windows 7 Ultimate. It is more flexible than Software Restriction Policy (SRP). Feature not available in Windows 8.1 Home.
Passwords

You should have strong passwords to safeguard your accounts, particularly the admin accounts. The first account created when you install Windows is an administrative account. So you need to protect that. There is also a hidden account called "Administrator" which you should also protect with a password, but it first has to be enabled, as it is disabled by default. This is done with the following command at an elevated command prompt (/active:yes enables the account, and the password is set in the same step):

net user Administrator <password> /active:yes

Your passwords should be long (15+ characters) and also use upper and lower case, numbers and symbols. The best way is to create passphrases. For example, take the sentence "James T Kirk is the captain of the USS Enterprise 1701". That would form the password "JTKitcotUSSE1701". Throw in symbols and it becomes "JTK$itcot%USSE1701". This password is now long and complex enough to foil attacks.

It is not secure to use the same password everywhere. Some people think it is OK to use the same password for email, banking, Facebook, Windows login and so on. If your password is discovered (say by a keylogger), the next logical thing is to try that on your email account. Once they get access to your email, they can use the 'forgot my password' feature of many web sites to have them email over your access password for that site. And very shortly everything will be compromised. Password attack programs either use a brute force approach or a dictionary approach. The brute force method tries every combination of numbers and letters. The dictionary approach tries out known words. These password attack programs are fast and can test thousands of passwords per minute. A short password is crackable in no time. A secure site would have safety features like locking your account after several failed tries or making you answer security questions. But not every site is secure like that. And those weak sites are the primary target of password attack programs.

Enforce long password/passphrase

See Automated Configuration section.

—————————-

It is also prudent to password protect your BIOS, so that people cannot boot your PC. Also, you should change the boot order in the BIOS so that it boots the hard drive first, rather than the CD/DVD. If an attacker can insert a Linux Live CD and start up your PC, then they will be able to mount your hard drive and read all data from it, and all Windows security will be bypassed.
Activate Windows
Disable the outbound firewall block temporarily so that the following command can reach Microsoft's activation servers: Control Panel / Administrative Tools / Windows Firewall with Advanced Security / "Windows Firewall Properties" link, Private or Public profile (whichever is active), Outbound connections: Allow. Then open an elevated command prompt and run:

slmgr.vbs /ato

Then set Outbound back to Block.
Physical Security
Physical security is very important and should not be overlooked. If someone has physical access to your PC, they can bypass a lot of the hardening that was done. For example, if a hacker can get at your PC and boot a Linux Live CD, he can read and copy off all files from the Windows partition. Or he can remove your hard drive, put it into another PC as a secondary drive and get the data off that way. Either way, Windows' password security is of no use, because the hard drive's copy of Windows was never started.

BitLocker Drive Encryption
BitLocker is the full disk encryption feature of Windows 8.1 Pro and Enterprise (Windows 8.1 also enables a simplified Device Encryption on tablets and other devices that meet its hardware requirements). When it is active, the whole drive is encrypted and is not readable from another copy of Windows or from Linux. This eliminates the offline attacks mentioned above. Feature not available on Home, not elaborated.

Syskey
For those who don't have Windows Pro, you can use a different form of semi two-factor authentication, but it doesn't protect your files from offline attacks. Windows has a feature called syskey, which encrypts the stored login password hashes with a key and can keep that key on removable media instead of on the disk. The login passwords are not stored as plain text in Windows; they are stored as hashes, and syskey encrypts those. The key can be stored on drive A.

A lot of computers now don't come with a floppy drive, so the drive letter A is unused. First insert your USB memory key, then right-click on Computer and choose Manage. Go to Disk Management, right-click on the USB memory stick (which is probably labelled as drive F), choose Change Drive Letter and Paths, click the Change button and make it drive A.

Now run "syskey" from an elevated prompt. Click the Update button and choose Store Startup Key on Floppy Disk. Insert the USB memory key, and the key will be written to the memory stick.

Once that is done, when you boot Windows it will prompt you to insert the 'floppy disk' in order to continue booting.

The syskey method of two-factor authentication is good: anyone booting the computer will need the USB memory stick as well as your login password. Keep a second copy of the key on another stick, stored safely, because without it the machine will not boot at all. And remember that someone who takes the machine together with the stick, or who reads the disk from another operating system, can still read your unencrypted files.
Intrusion Detection – part 1
Good security partly consists of deter, deny and delay; that is what hardening does. Good security is also about detection: detection of unwanted changes like unauthorized account creations, running of malware and other unwanted apps, etc. Fortunately, a lot of things are tracked in the event logs. Windows' Event Viewer holds a lot of information about your system (Control Panel > Administrative Tools > Event Viewer). One cannot claim to know what is going on in a system without examining the logs periodically.

Microsoft created a Security Monitoring and Attack Detection Planning Guide: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21832
The guide examines what security monitoring one should do and provides the relevant Event IDs. In the section below, those Event IDs are placed into custom filters, which allow you to monitor for signs of intrusion. Note that the guide gives Event IDs for Windows XP. With Vista, Windows 7 and Windows 8 you take the given Event ID and add 4096 to get the corresponding event under these newer operating systems (XP's 528 successful logon becomes 4624, for example). A few XP events were not carried over one for one, so check each derived ID against what actually appears in your own Security log.

Make Event Log files bigger (also covered by Automated Configuration part 2)
You may not discover an intrusion on the first day they get in. Very often the discovery comes weeks to months later. You will need to retain log entries, and the default log sizes allow for too short a period. Control Panel / Administrative Tools / Event Viewer, expand 'Windows Logs', right-click on Application, choose Properties and set the maximum log size to 1000000 (the field is in KB, so roughly 1 GB). Do the same for 'Security' and 'System'.
Security Events to Monitor for
Create Custom Views for the following Event IDs (see also Automated Configuration part 1). HOWTO: click 'Create Custom View', select 'By Log', pull down 'Event Logs', checkmark 'Windows Logs', move to the field <All Event IDs>, paste in the Event ID numbers, click OK and name the view.

- 4723, 4724: change password
- 4720, 4726, 4738, 4781: create, delete, change, rename accounts
- 4608, 4609: startup, shutdown
- 4613: clear Security log (derived from XP's 517; on Vista and later the event actually written is 1102, "The audit log was cleared", so add that ID to the view)
- 4616: change system time
- 4617: unable to log (derived from XP's 521 and may never appear on Vista and later; 4612 is the event written when audit messages are lost)
- 4714, 4705: privilege assigned or removed (on Vista and later 4704 is "a user right was assigned" and 4705 "a user right was removed")
- 4708, 4714: change audit policy (4719, "system audit policy was changed", is the Vista-and-later event)
- 4717, 4718: system security access granted or removed
- 4739: change domain policy
- 16390: Administrator account lockout (derived from 12294; that ID, in the System log, is what you actually see for the built-in Administrator)
- 4727-4730, 4731-4734, 4735, 4737, 4784, 4755-4758: group changes
- 4624, 4636, 4803, 4801: account logons (4624 is the logon, 4801 workstation unlocked, 4803 screen saver dismissed; 4636 is derived from XP's 540 network logon, which on Vista and later is 4624 with logon type 3)
- 4625, 4626, 4627, 4628, 4630, 4635, 4649, 4740, 4771, 4772, 4777: logon failures (KEYWORD: Audit Failure; on Vista and later most failure reasons arrive as 4625 with a status code, and 4740 is the account lockout)
- 4672: admin account logons (special privileges assigned to a new logon)
- 4698: schedule new job
- 4656: access refused to object
- 3004, 3005: Windows Defender finds something
- 4664: create hard link to audited file
- 865: software restriction triggered
- 1000: Application Error (Event Level: CHECKMARK "Error")
- 1002: Application Hang (Event Level: CHECKMARK "Error")
- 1037: Protected Mode violation
- 7031: service terminated unexpectedly
- 4697: install a service
- 4663: access audited file
- CHECKMARK Critical, Warning and Error; Event Sources: EMET: EMET incidents

The above 'custom view' filters are in the folder "Event Viewer Custom Views". Simply choose 'Import Custom View' to import each xml file one by one.

The above items are important to review. For example, too many logon failures may mean that someone is trying to guess passwords to log in to your account. Another important one is Application Hang; if you see Internet Explorer hang, you should run anti-virus and anti-malware scans promptly.
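An added example, written for this page and not taken from the original or from its bat/xml package, that scripts this section in PowerShell on Windows 8.1: it enables the audit categories and log sizes that the Automated Configuration section describes, builds the same QueryList XPath that an Event Viewer custom view stores for a few of the ID groups above, counts matching events over a window, and tallies 4625 failures per account. The group names, the 14-day window, the 10-failure threshold and the use of the TargetUserName field are this example's choices. Run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's package. Run elevated on Windows 8.1.

# 1. Audit the categories the Audit.bat description lists, success and failure.
foreach ($category in 'Account Logon', 'Account Management', 'Policy Change', 'System') {
    auditpol /set /category:"$category" /success:enable /failure:enable | Out-Null
}

# 2. Log sizes: the page's 1000000 KB; wevtutil takes bytes.
$maxBytes = 1000000 * 1024
foreach ($log in 'Application', 'Security', 'System') {
    wevtutil sl $log "/ms:$maxBytes"
}

# 3. Build the XPath query an Event Viewer custom view stores, from an ID list.
function New-EventQueryXml {
    param([string]$LogName, [int[]]$EventId)
    $idTest = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    [xml]@"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[($idTest)]]</Select>
  </Query>
</QueryList>
"@
}

# 4. Count events per group over a window (example's groups, a subset of the list).
function Get-IntrusionSummary {
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    $groups = [ordered]@{
        'Account changes'      = 4720, 4723, 4724, 4726, 4738, 4781
        'Logon failures'       = 4625, 4740, 4771
        'Admin logons'         = 4672
        'New tasks/services'   = 4697, 4698
        'Security log cleared' = 1102
    }
    foreach ($name in $groups.Keys) {
        $query  = New-EventQueryXml -LogName 'Security' -EventId $groups[$name]
        $events = @(Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
                    Where-Object { $_.TimeCreated -ge $since })
        [pscustomobject]@{
            View  = $name
            Count = $events.Count
            ById  = ($events | Group-Object Id | ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ' '
        }
    }
}

# 5. Password guessing: 4625 events per target account. TargetUserName is an
#    EventData field, so it is read from the event's XML.
function Get-FailedLogonsByAccount {
    param([int]$Days = 14, [int]$Threshold = 10)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'TargetUserName' } |
                ForEach-Object { $_.'#text' }
        } |
        Group-Object | Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ Account = $_.Name; Failures = $_.Count } }
}

Get-IntrusionSummary | Format-Table -AutoSize
Get-FailedLogonsByAccount | Format-Table -AutoSize
```

The QueryList produced by New-EventQueryXml is what Event Viewer keeps inside an exported custom view, so the same XPath can be pasted into the XML tab of 'Create Custom View'. Reading the Security log requires elevation; without it Get-WinEvent returns nothing and the counts are silently zero.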
Intrusion Detection – part 2: Baselines
Intrusion detection also has to do with seeing that things aren't different from what is normal. Your PC was running perfectly on day 1 after hardening; is it doing anything different today? To answer that question we need baselines. What we want to know is what programs normally run when we first log in. If we know that, then we can check that we aren't contaminated with spyware or other hacking tools. There are two programs we want to get, both free.

The first one is Autoruns, available from here: http://technet.microsoft.com/en-us/sysinternals/bb963902
It doesn't have a setup program; just download, unzip, create a folder under \Program Files (x86) and copy the files there. Autoruns lists all of the places in the registry and file system where programs are set to auto-launch. Right-click on it, choose Run as administrator, and use File/Save to take a snapshot of your PC's current settings. Later, during your regular system checkups, you can use File/Compare to see if anything is different: new entries show up in green. If all green entries are good, save the file again with today's date and compare against that newer file at the next scheduled check.

The second program is Process Explorer, available here: http://technet.microsoft.com/en-us/sysinternals/bb896653
This program is like Task Manager, but it shows more information. Much malware names itself with familiar Windows program names to hide. Log in to your admin account, right-click on Process Explorer and choose 'Run as administrator', go to View/Select Columns and checkmark 'Command Line'. Then do a File/Save. The resulting text file is now a snapshot of what normally runs when you first log in.

When you do a comparison using Process Explorer, note that you cannot use a file comparison tool like 'fc' (file compare) to check for differences, because the PID (process identifier) of each process is different on each boot. You have to do a visual check of the image path and command line.

Next, reboot your PC, open an elevated command prompt with 'Run as administrator' and type:

netstat -abn > netstat-baseline.txt

netstat shows you the programs that are listening for connections and connecting to the net (-a lists all sockets, -b names the owning executable, -n prints numeric addresses). If a hacker has a foothold on your PC, his program has to either listen for him or connect back out to him, and either way it shows up in this list.

Driverquery is a command-line tool in Windows that lists all the drivers in use. Some viruses and rootkits now come in the form of a driver. When you perform your routine checks, first run this:

driverquery > out.txt

If this is the first snapshot, rename out.txt to driverquery-out.txt. Next time, run these two lines:

driverquery > out.txt
fc out.txt driverquery-out.txt

fc displays the differences between out.txt and driverquery-out.txt. If there are lots of changes, fc will not be able to synchronise the sections in the files; then you'll have to open two Notepad windows side by side and scroll through the files manually to see what has changed.

In most cases, new drivers are caused by Windows Update. You will have to go online and read that month's MS Security Bulletin to see if the new patches would have deployed new drivers. If that doesn't reveal anything, check whether the new drivers are also present on another machine.

Now we have four baselines; save them onto a USB memory stick for use in later comparisons. One should also save the Autoruns and Process Explorer programs onto the memory stick, because after an attack, programs may get altered or rendered unusable. You have to keep the baselines on a USB memory stick (unplugged except during the check), because an attacker who controls the machine can modify your baselines to make you think nothing has changed.

Last thing when doing baseline comparisons is to run "sfc /scannow" to determine if any system files have been modified. SFC compares the protected Windows files against the signed copies in the component store and replaces any that have been altered.
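An added example, not code from the original page, that records or compares the four baselines this section builds (autostart entries, running processes, listening sockets, drivers) as sorted text files on a removable drive, with the volatile fields stripped so that the comparison the page says fc cannot do on Process Explorer output becomes a plain line diff. It assumes the USB stick is E:, that the Sysinternals console tool autorunsc.exe sits in C:\Program Files (x86)\Sysinternals, and that it runs elevated; those paths are this example's choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's code: record or compare the four baselines.
param(
    [string]$BaselineDir = 'E:\baselines',   # the USB stick; example's path
    [string]$AutorunsC   = 'C:\Program Files (x86)\Sysinternals\autorunsc.exe',
    [switch]$Record                           # write new baselines instead of comparing
)

function Get-Snapshot {
    # Every list is sorted text with volatile fields (PIDs, timestamps) left out,
    # so it can be diffed line by line between boots.
    $snap = [ordered]@{}

    # Processes by image path and command line. PIDs are dropped on purpose; that
    # is why a saved Process Explorer listing cannot simply be run through fc.
    $snap.processes = Get-CimInstance Win32_Process |
        ForEach-Object { '{0}|{1}' -f $_.ExecutablePath, $_.CommandLine } |
        Sort-Object -Unique

    # Listening TCP sockets with the owning image (what netstat -abn reports).
    $snap.listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path
        '{0}:{1}|{2}' -f $_.LocalAddress, $_.LocalPort, $owner
    } | Sort-Object -Unique

    # Loaded drivers, as driverquery lists them.
    $snap.drivers = driverquery /fo csv | ConvertFrom-Csv |
        ForEach-Object { '{0}|{1}' -f $_.'Module Name', $_.'Driver Type' } |
        Sort-Object -Unique

    # Autostart entries with signer and hash, if autorunsc is present.
    if (Test-Path $AutorunsC) {
        $csv = Join-Path $env:TEMP 'autoruns.csv'
        # -a * all locations, -c CSV, -h hashes, -s verify signatures; autorunsc
        # writes to stdout, so redirect through cmd to keep its own file encoding.
        cmd /c "`"$AutorunsC`" -accepteula -nobanner -a * -c -h -s > `"$csv`"" | Out-Null
        $snap.autoruns = Get-Content $csv | ConvertFrom-Csv |
            ForEach-Object { '{0}|{1}|{2}|{3}' -f $_.Entry, $_.'Image Path', $_.Signer, $_.'SHA-256' } |
            Sort-Object -Unique
        Remove-Item $csv -ErrorAction SilentlyContinue
    }
    $snap
}

function Compare-Baseline {
    param([string]$Kind, [string[]]$Current, [string]$File)
    $diff = Compare-Object -ReferenceObject @(Get-Content $File) -DifferenceObject @($Current)
    [pscustomobject]@{
        Kind    = $Kind
        Added   = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.InputObject })
        Removed = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject })
    }
}

$current = Get-Snapshot
New-Item -ItemType Directory -Force -Path $BaselineDir | Out-Null

foreach ($kind in $current.Keys) {
    $file = Join-Path $BaselineDir "$kind.txt"
    if ($Record -or -not (Test-Path $file)) {
        $current[$kind] | Set-Content -Path $file
        "recorded baseline $file"
        continue
    }
    $result = Compare-Baseline -Kind $kind -Current $current[$kind] -File $file
    "{0}: {1} added, {2} removed" -f $kind, $result.Added.Count, $result.Removed.Count
    $result.Added   | ForEach-Object { "  + $_" }
    $result.Removed | ForEach-Object { "  - $_" }
}

# Finally, verify protected system files against the signed copies in the component store.
sfc /scannow
```

Run it once with -Record after hardening, then without the switch at each checkup; anything reported as added is a new autostart entry, process, listener or driver to explain. Because the lines carry the signer and SHA-256 of each autostart image, an entry whose hash changed but whose name did not shows up as one line removed and one added, which a name-only listing would miss.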
Intrusion Detection – part 3
You should definitely install antivirus and antispyware programs. However, note that you can only have one real-time antivirus program. The real-time capability monitors file access and file modifications as they happen, and having more than one real-time antivirus will cause problems. Having more than one anti-spyware program usually doesn't cause problems. Windows 8.1 has Windows Defender installed by default, which is an antivirus program. It also scans ActiveX components before use and does network behaviour monitoring.

For a list of antivirus programs to consider, go to http://www.av-comparatives.org or http://virusbtn.com. These two sites run tests on antivirus programs to see how effective they are.

There are also a lot of fake antivirus programs floating around, so make sure you find the reviews before installing one. The fake ones report non-existent infections, ask you for your money and do nothing. Some will even stop you from going to legitimate antivirus program sites, stop your programs from working and make you think you are infected with a virus. If you happen to have installed a fake antivirus, there is one anti-malware program that can remove it: Malwarebytes (https://www.malwarebytes.org). Malwarebytes has a free version, which doesn't include real-time detection and automatic signature updates. It is a very good tool to have; just remember to update the signatures before doing a scan.

Bear in mind that no antivirus/anti-spyware program will catch everything you encounter. One study found that the best detection rate is around 60%. Vendors can't hope to have captured and analysed ALL the viruses out there, because lots of new ones are introduced every day.

Yes, you can't fully trust your antivirus program to do a perfect job. To be on the safe side, use online scanners once in a while to double-check. There are quite a few of them: Trend Micro HouseCall, BitDefender, Kaspersky, Panda and ESET. Google for "online scan" and you will see them.

If you download stuff from P2P and BitTorrent, beware. Lots of infected programs are floating around. They may even work as expected, except that they also infect you. And those viruses tend to be new ones, so most likely your antivirus program will not even beep. You have been warned. The best you can do is upload the file to virustotal.com and let them run it against their 39 antivirus engines, then decide whether you want to keep the file or not. Remember that it is hackers who release pirated software, cracks and keygens, and they seed these files on P2P and BitTorrent. Most likely, they also want to own your PC.

Security suites are very popular. For example, Norton 360 includes antivirus, anti-spyware, anti-rootkit, smart firewall, network monitoring, parental controls, anti-spam and more. They certainly seem to be value for money. But when weighing effectiveness, many choose a best-of-breed, mix-and-match solution. For example: one can use ESET antivirus and anti-spyware, Webroot anti-spyware, Windows Firewall, NetNanny parental control, Gmail's anti-spam and GMER anti-rootkit.

For your maintenance routine you should do two more things:
1. Check that your antivirus is still alive and active. Go to http://www.eicar.org/86-0-Intended-use.html, copy the test virus line of text, paste it into Notepad, save it and try to open it again. Your antivirus should detect it.
2. Do an antivirus scan.
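An added example, not from the original page, that scripts the "is my antivirus still alive" check from the maintenance routine: it writes the public EICAR test string to a file and reports whether real-time protection blocked the write, removed the file, or blocked the read-back. The temp path and the 10-second wait are this example's choices. The point a practitioner trips over is the encoding: the file must contain the string as plain ASCII bytes, and Windows PowerShell's Out-File and > default to UTF-16, which would change the bytes and leave the file undetected.

```powershell
# Added example, not the page's code: scripted EICAR check of real-time antivirus.
function Test-AntivirusAlive {
    param(
        [string]$Path = (Join-Path $env:TEMP 'eicar-test.txt'),
        [int]$WaitSeconds = 10
    )
    # The public EICAR test string (single quotes: nothing here is expanded).
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    # Write the exact ASCII bytes; Out-File would produce UTF-16 and break detection.
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($eicar)

    try {
        [System.IO.File]::WriteAllBytes($Path, $bytes)
    } catch {
        # Many on-access scanners refuse the write itself.
        return [pscustomobject]@{ Detected = $true; How = "write blocked: $($_.Exception.Message)" }
    }

    Start-Sleep -Seconds $WaitSeconds
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Detected = $true; How = 'file quarantined after write' }
    }

    # The file is still there; reading it is the second chance for on-access scanning.
    try {
        $readBack = [System.IO.File]::ReadAllText($Path)
        Remove-Item $Path -Force -ErrorAction SilentlyContinue
        return [pscustomobject]@{ Detected = ($readBack -ne $eicar); How = 'file written and read back unhindered' }
    } catch {
        Remove-Item $Path -Force -ErrorAction SilentlyContinue
        return [pscustomobject]@{ Detected = $true; How = "read blocked: $($_.Exception.Message)" }
    }
}

$result = Test-AntivirusAlive
if ($result.Detected) { "OK: real-time antivirus reacted ({0})" -f $result.How }
else { "WARNING: {0}; check that real-time protection is switched on" -f $result.How }
```

A "WARNING" result means either that real-time protection is off or that the product only reacts at scan time, which is what step 2 of the routine covers.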
Keyloggers and Screen Grabbers
This class of spyware deserves a mention on its own. Unlike other hacker attacks, these do not aim to penetrate and gain admin rights, but they are deployed by criminal hackers and function happily in a standard account. Their aim is to capture credentials to your web accounts, like banking account numbers and passwords, email accounts and others. Antivirus programs often miss them, since a freshly built keylogger has no signature yet. To counter these, I know of 2 programs: Zemana AntiLogger (http://www.zemana.com), which has anti-keylogger as well as anti-screen-grabber functions, and KeyScrambler (http://www.qfxsoftware.com), which is only an anti-keylogger.
Security as a Process
Security is a process that continues after we perform hardening. Your hardened Windows 8.1 is good and now has multiple layers of security, but new vulnerabilities will be discovered in the various software you use and weaken your stance. Take the case of the browser: hackers target browsers all the time, and new security holes will be revealed. One has to know when these holes are discovered and take steps to mitigate.

The first step is to know about the new vulnerabilities. The following websites report on security matters:
http://www.theregister.co.uk/security/
http://www.sans.org/newsletters/risk/
http://www.microsoft.com/technet/security/advisory/default.mspx
You should visit them once a week to learn of new security vulnerabilities. The articles will tell you about new security holes in applications or the OS, which versions they apply to, and give a brief description of the weakness. Sometimes the software vendor will publish a configuration change for you to apply for the time being, until a patch is ready. The articles may also tell you whether attacks using the vulnerability have been spotted in the wild. This information is of great help in maintaining security. To continue our browser example, let's say the new vulnerability involves an ActiveX component that is called via Internet Explorer. Then you might mitigate it by using another browser for the time being, and monitor the vendor's site for a new version release. Or Microsoft may issue an advisory on how to disable that ActiveX control through a registry setting (a "kill bit"). Or you may decide that running that browser inside Sandboxie would contain the threat. Or you may decide to disable the scripting features of the browser. (Secunia's PSI program will also tell you when new security patches or program versions are available, as mentioned previously.) The main thing is that you learn about potential problems from these web sites and take steps to mitigate.
*******
Next, as part of the security process, you have to monitor your system and detect attacks. You have to perform those log checks, baseline comparisons and virus scans (as mentioned earlier) on a regular basis, like every 1 or 2 weeks. We are being lax here already, for in a secure environment they use tools to monitor logs in real time. Monitoring is crucial, as even the most hardened system will have holes in its defenses. We cannot think that our hardened system is impervious.
*******
After a few months of use, computer settings invariably change: new software installed, new devices added, etc. We now have to check that all security settings are still in place. For example, are the user accounts still standard accounts, or has one been changed to admin for some temporary troubleshooting? Has the firewall been set to Outbound Allow during installation of a program and left forgotten? So, after you put those locks on the doors, are they still locked? Or has there been tampering? We have to revisit the hardening process and check everything, to ensure that the system is still as secure as day one.
Automated Configuration
If you are hardening a standalone machine, use:
Harden Win 8.1 Home 64 Services.bat
Harden Win 8.1 Home 64 ACLs.bat
If you wish to revert the changes to out-of-box defaults, use:
Restore Home 64 Services.bat
Restore Home 64 ACLs.bat
To configure, right-click on the bat files and choose 'Run as administrator'. To configure manually, open an elevated command prompt (right-click on Command Prompt and choose 'Run as administrator') and type the following command:

SecEdit /configure /db <any_name>.sdb /cfg <template.inf>

The <any_name>.sdb will hold the configured results; you make up the filename, but the extension must be .sdb. The <template.inf> is one of the templates named above.

Also provided in the package are Event Viewer 'custom view' xml files. These xml files set up filters for select event IDs, so that you get to see, for example, all logon failures on one screen.

Use this bat file to set up what events to audit. It also sets the event log maximum file sizes for Application, Security and System.
Harden Win 8.1 Home 64 Audit.bat
It sets up the following:
- Have Event Viewer record success and failure events for Account Logon, Account Management, Policy Change and System events.
- System, Application and Security event log size: 1000000 KB

Use this bat file to set up the password and account lockout settings.
Harden Win 8.1 Password and Lockout.bat
Use of this file requires that you understand what the settings do. The numbers are:
- Enforce password history: 24 passwords
- Maximum password age: 60 days
- Minimum password age: 1 day
- Minimum password length: 14 characters
- Password must meet complexity requirements

Password history means that the system remembers your 24 previous passwords so that they cannot be reused; every new password must be unique. Password age means that the system will prompt you 14 days before the 60 days are up to change your password. Minimum password age of 1 day means you cannot change your password again until 1 day has passed; this is so that users cannot rotate 24 times rapidly and get back to an old password. Minimum password length is 14 characters; if you use a passphrase, this shouldn't be a problem. The complexity requirement means the password must contain characters from at least three of these four groups: upper case, lower case, numbers and symbols, and must not contain your account name.
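An added example, not from the original page, that re-implements the length and complexity rules just described as a local check, so a candidate passphrase (including the ones from the Passwords section) can be tested before it is set. Windows' own "Password must meet complexity requirements" rule is the model: at least three of its character categories (it counts a fifth category, other Unicode letters, which this check folds into the symbol class) and no run of three or more consecutive characters from the account name. The function is an approximation written for this page, not the operating system's code, and the sample passwords and account name are constructed.

```powershell
# Added example, not the page's code: local approximation of the Windows
# password length and complexity rules for checking a passphrase in advance.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName = '',
        [int]$MinimumLength = 14        # the page's "Minimum password length"
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }

    # Complexity: characters from at least three of the four classes.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }   # -cmatch: case-sensitive
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }   # symbols and other letters
    if ($classes -lt 3) { $reasons += "only $classes of 4 character classes" }

    # Complexity also rejects any three consecutive characters of the account
    # name appearing in the password, case-insensitively.
    if ($AccountName.Length -ge 3) {
        for ($i = 0; $i -le $AccountName.Length - 3; $i++) {
            $chunk = $AccountName.Substring($i, 3)
            if ($Password -imatch [regex]::Escape($chunk)) {
                $reasons += "contains '$chunk' from the account name"
                break
            }
        }
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed samples: the page's two passphrases, then two that should fail.
'JTKitcotUSSE1701', 'JTK$itcot%USSE1701', 'Password1', 'correcthorsebatterystaple' |
    ForEach-Object { Test-PasswordPolicy -Password $_ -AccountName 'kirk' } |
    Format-Table -AutoSize
```

Both of the page's passphrases pass; "Password1" fails on length and "correcthorsebatterystaple" on complexity, which is the case the 14-character rule alone would let through.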
The lockout settings are as follows:
- Account lockout threshold: 50 password attempts
- Account lockout duration: 15 minutes
- Reset lockout counter after: 15 minutes

What these numbers mean is that you are allowed 50 tries to get the right password. After that, the account is locked for 15 minutes. So, when you realize you have forgotten a password, write down the various passwords you want to try and try to find the right one within 50 attempts. After 50 failures the account will not respond until 15 minutes have passed.

Unfortunately this gives rise to a denial of service (DoS) attack, where the attacker deliberately tries 50 wrong passwords; her aim isn't to get in but to lock you out of the system. If we don't define a threshold for password attempts, then an attacker can use a program to brute-force or dictionary-attack the system, because they can try an unlimited number of times. If you realize that such a DoS attack is taking place, all you can do is unplug the ethernet cable and go for a 15-minute break.

Some of these settings default to 'undefined', and because SecEdit does not handle settings that specify 'undefined', no restore bat file is offered to reverse these password and lockout settings.
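An added example, not from the original page or its package, that applies the password and lockout values listed above with secedit from a template, but first exports the policy currently in force, because (as just noted) no restore bat file exists for these settings. The template is written by this example in secedit's own INF format; whether "Harden Win 8.1 Password and Lockout.bat" uses an identical one is an assumption. The working-folder paths are this example's choices. Run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's bat file: back up, then apply password/lockout policy.
$work     = Join-Path $env:TEMP 'secpol'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$backup   = Join-Path $work ('backup-{0:yyyyMMdd-HHmm}.inf' -f (Get-Date))
$template = Join-Path $work 'password-lockout.inf'
$db       = Join-Path $work 'password-lockout.sdb'
$log      = Join-Path $work 'apply.log'

# 1. Export what is in force now. This INF is the rollback.
secedit /export /cfg $backup /areas SECURITYPOLICY | Out-Null

# 2. The template, in secedit's INF format. Ages are in days, the lockout
#    duration and reset window in minutes; LockoutBadCount 0 would mean no lockout.
#    Single-quoted here-string, so $CHICAGO$ is not expanded.
$inf = @'
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 60
MinimumPasswordAge = 1
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 50
LockoutDuration = 15
ResetLockoutCount = 15
[Version]
signature="$CHICAGO$"
Revision=1
'@
# The [Unicode] header promises a UTF-16 file, so write it that way.
Set-Content -Path $template -Value $inf -Encoding Unicode

# 3. Check the template parses, then apply only the security-policy area.
secedit /validate $template
secedit /configure /db $db /cfg $template /areas SECURITYPOLICY /log $log

# 4. Confirm from the live policy, and print the rollback command.
net accounts
"rollback: secedit /configure /db $work\rollback.sdb /cfg $backup /areas SECURITYPOLICY"
```

Keep the exported backup INF with the other baselines on the USB stick; applying it with the printed rollback command puts every value in the [System Access] section back, which is the step the package's missing restore bat would have done.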
Lastly, there is a security options file:
Harden Win 8.1 Home 64 Security Options.bat
This file includes a group of security settings. The 'security options' settings, the audit settings and the 'password and lockout' settings are taken from the MS Security Compliance Manager tool, which is designed for Windows 8 Pro and Enterprise editions.
Last things to do
- Disable Flash in your admin account: Internet Explorer > Gear > Manage Add-ons > Toolbars and Extensions > Show All Add-ons > Shockwave Flash Object > Disable button.
- Disable AutoPlay for all user accounts: Control Panel > AutoPlay. Choose 'Take No Action' for everything and uncheck "Use AutoPlay for all media and devices".
- Set IE to turn on ActiveX Filtering for EACH account: Gear icon > Safety > ActiveX Filtering.
- Set IE to use Protected Mode for all zones: Gear icon > Internet Options > Security tab > click each icon (Internet, Local Intranet, Trusted sites, Restricted sites) and checkmark Enable Protected Mode for each. Do this for all user accounts.
- Set IE to use Enhanced Protected Mode for all users: Control Panel > Internet Options > Advanced; scroll the Settings list to the Security section and checkmark "Enable Enhanced Protected Mode" and "Enable 64-bit Processes for Enhanced Protected Mode" (the second setting has no effect unless the first is on).
- Run Acrobat Reader (if you have installed it) to set up security. Edit > Preferences:
  > JavaScript: uncheck "Enable Acrobat JavaScript".
  > Security (Enhanced): Protected View: All Files.
  > Security (Enhanced): Create Protected Mode Log File.
  > Security (Enhanced): uncheck "Automatically Trust Sites from my Win OS Security Zones".
  > Trust Manager: uncheck "Allow Opening of Non-PDF file attachments".
  > Trust Manager: Internet Access from PDF outside the web browser: Change Settings button, select "Block PDF file access to all web sites". This one is optional; sometimes you need to click on an internet link inside a PDF document.

Create a System Restore Point
This PC > Properties > Advanced System Settings > System Protection tab > Create button.

Do an image backup of the hard drive
This is important; your last line of defense is restoring from backup. This backup saves all of the settings you have done so far, so you don't have to repeat them when you need to reinstall Windows. There is a free image backup tool called Macrium Reflect, available from here: http://www.macrium.com/reflectfree.aspx. Use the tool to create a drive image and store it on an external USB hard drive. Don't forget to create the rescue CD.
Installation of New Software
When installing new software, sometimes the setup program needs to connect to the internet to download components. It may also create an exe inside a temp folder to do the downloading, and that exe is automatically removed when the install finishes. On such occasions it may not be possible to create an outbound allow rule for that exe. So the only solution is to go to Windows Firewall with Advanced Security and temporarily set Outbound to Allow for the Public profile. Just remember to set Outbound back to Block when you have finished setting up the new program.

Remember to add the application to EMET if it is an internet application or it takes input from files downloaded from the internet.
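An added example, not from the original page, for the "allow outbound temporarily, do the work, block again" procedure used both for activation (slmgr.vbs /ato, earlier) and for installing new software (above). The helper records the default outbound action of each profile before opening it and restores exactly that in a finally block, so the forgotten "Allow" that the Security as a Process section warns about cannot be left behind. It uses the NetSecurity cmdlets built into Windows 8.1 and must run elevated; the sample installer path is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's code: scoped outbound-allow for one task.
function Invoke-WithOutboundAllowed {
    param(
        [Parameter(Mandatory)][scriptblock]$Work,
        [string[]]$ProfileName = @('Public', 'Private')   # the page opens one or the other
    )
    # Remember what each profile had, so we restore that rather than assuming "Block".
    $before = Get-NetFirewallProfile -Name $ProfileName |
              Select-Object Name, DefaultOutboundAction
    try {
        Set-NetFirewallProfile -Name $ProfileName -DefaultOutboundAction Allow
        & $Work
    }
    finally {
        # Runs whether $Work succeeded, threw, or was interrupted with Ctrl-C.
        foreach ($p in $before) {
            Set-NetFirewallProfile -Name $p.Name -DefaultOutboundAction $p.DefaultOutboundAction
        }
        # Show the end state, so a reader can see Outbound is back to Block.
        Get-NetFirewallProfile |
            Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize
    }
}

# Activation, as in the "Activate Windows" section:
Invoke-WithOutboundAllowed -Work {
    cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /ato
}

# Installing a program whose setup downloads components from a temporary exe
# (placeholder path; the Public profile only, as the page suggests):
# Invoke-WithOutboundAllowed -ProfileName Public -Work {
#     Start-Process -FilePath 'C:\Users\<yourAccName>\Downloads\setup.exe' -Wait
# }
```

The same scoping can be checked afterwards with Get-NetFirewallProfile alone; if any profile shows DefaultOutboundAction Allow outside one of these calls, it was changed by hand and the periodic review from Security as a Process should catch it.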
So
the plan is to run this tool on another PC to fetch the updates, and
take the updates disc to the machine you are installing.
Once you have downloaded and extracted the zip file. Right click on
'UpdateGenerator.exe' and select Properties then Compatiblity tab.
Checkmark 'Run this program is compatibility mode' and select Windows
XP. Then run the program.
On the main screen, select the platforms which you want updates for,
and checkmark Create ISO images 'per selected product and language',
then click the Start button.
After it finishes, check the iso sub folder to locate the ISO image
file.
Note that this is a DVD image file. You need to right click on it and
select 'Burn disc image'. Or you can use the free ImgBurn utility if
you are not on Win 7 or Win 8.
Installation Settings
If you are disconnected from the network, you will get the "Your Account" screen instead of the "Sign in to your Microsoft Account" screen; create an admin account as usual. If you get the "Sign in to your Microsoft Account" screen, click the Back icon and disconnect from the network, then click Next again. You will then get to create an admin account as usual. It is not secure to create an admin account that is online and available to hackers for cracking your password.

Install Service Packs offline.
Install Critical and Important Updates: use the updates disc created by WSUS Offline Update and install the patches.

Least Privilege and Reducing Attack Surface
You should do everything possible to protect this MS account, because it is used to hold your credit card number. When you first use the Windows Store to purchase anything, Windows asks for your credit card number and stores it online in this MS account. Don't use it for email or instant messaging (so that the account name is not circulated), and don't enable SkyDrive. A compromised MS account gives the attacker access to all these things. Secure it with a long and complex passphrase (see the Passwords section on how to create one). Although MS uses second-factor authentication when you go to outlook.com and check your billing and credit card details, it does not use it when you use the credit card to buy things; it only asks for your passphrase. So once your passphrase is cracked, the hacker can go on a shopping spree, in addition to being able to log on to your PC.
Remote Assistance allows a helper to control your PC with complete desktop, keyboard and mouse access. This is not a hacker favourite, as there is built-in protection that allows only the invited person to take control. However, there are phone scams that lure users into granting remote access, and you will want to protect your users and prevent them from compromising your computer.
icacls "C:\Users\sec web\AppData\Roaming\Opera Software" /setintegritylevel (oi)(ci)low /t
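An added example, not from the original page, that does the integrity-label work of the chml section (user data folders to Medium with the No-Read-Up, No-Write-Up and No-Execute-Up policies, Downloads to Low) together with the icacls line above (a browser profile to Low) for one named user, and then reads every label back to verify. It assumes chml.exe is on the PATH, uses the page's Opera profile path, and must run elevated; the verification parses icacls output, which prints a "Mandatory Label" line only for folders carrying an explicit label.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's commands: label one user's folders and verify.
param([Parameter(Mandatory)][string]$UserName)

$profileRoot = Join-Path 'C:\Users' $UserName
if (-not (Test-Path $profileRoot)) {
    throw "no local profile at $profileRoot (redirected folders are not supported)"
}

function Get-IntegrityLabel {
    # icacls prints e.g. "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)" when a
    # label is set explicitly; no line at all means the default (Medium, inherited).
    param([string]$Path)
    $line = icacls $Path | Where-Object { $_ -like '*Mandatory Label*' } | Select-Object -First 1
    if (-not $line) { return 'none (defaults to Medium)' }
    if ($line -match 'Mandatory Label\\(\w+) Mandatory Level:(.*)$') {
        return "$($Matches[1]) $($Matches[2].Trim())"
    }
    $line
}

$dataFolders = 'Desktop', 'Documents', 'Pictures', 'Videos', 'Music'

# Data folders: Medium with all three "up" policies, the page's chml flags.
foreach ($folder in $dataFolders) {
    chml (Join-Path $profileRoot $folder) '-i:m' '-nr' '-nw' '-nx'
}

# Downloads: Low, so that Low-integrity (sandboxed) programs can still save there.
chml (Join-Path $profileRoot 'Downloads') '-i:l'

# Browser profile to Low, as the icacls line above does for Opera, so the browser
# can still write its own profile when it runs at Low integrity.
$operaProfile = Join-Path $profileRoot 'AppData\Roaming\Opera Software'
if (Test-Path $operaProfile) {
    icacls $operaProfile /setintegritylevel '(oi)(ci)low' /t | Out-Null
}

# Read every label back so a typo in a path does not go unnoticed.
foreach ($folder in $dataFolders + 'Downloads') {
    '{0,-10} {1}' -f $folder, (Get-IntegrityLabel (Join-Path $profileRoot $folder))
}
if (Test-Path $operaProfile) {
    '{0,-10} {1}' -f 'Opera', (Get-IntegrityLabel $operaProfile)
}
```

Run it once per local account (.\script.ps1 -UserName <yourAccName>). A Low-integrity process denied by these labels fails with "Access is denied" on the folder itself, which is the behaviour to test with the sandboxed browser before relying on it; note that icacls can set a label but not the No-Read-Up policy, which is why the page's chml is still used for the data folders.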
for different uses, like one for online banking and one for writing/posting your blog, so that anything that gets into one sandbox cannot lift data belonging to another sandbox.
- so that anything that gets into a sandbox does not persist on your system
- so that anything that gets into this sandbox gets terminated when Chrome exits
- so that anything that gets into this sandbox cannot access the web

Turn off 16-bit apps