goal is to
prevent our Windows 7 machines from being compromised. We
will harden the
system to eliminate lots of attack surface and impede hackers. Layers
security will be added to protect our system, private documents,
other applications. Then, continuing the security process, we will set
monitoring to notify us of insecure applications which require
we will set up event monitoring to monitor admin account uses and all
events. And we will setup baselines so that we can regularly compare
the current running system to ensure it has not been modified. And
want to monitor the current threat landscape and be able to react to
security threats in time. Security is all these steps that begins with,
end at, hardening the machine.
Know that viruses, trojan horses, botnets and worms are all created by hackers. They are just automated means to attack you. What the hacker has done is create a program that automates his method of attack and spread them. While you may not have an attacker actively pursueing you, all his creations are out there nevertheless, and is a well distributed way of getting possession of your PC.
Windows is a general purpose operating system, and as such, has many built in features designed to fit many uses. As more and more lines of code accumulate, there are bound to be bugs. And programmers talk about bugs per 1000 lines of code as a common simple measurement. It is unavoidable to have bugs in code, and Windows 7 is no different. In fact, in large projects such as Windows, it is common to ship out code while there are still low priority bugs that are unfixed. And these could number in the low thousands. Then, there are the not-yet-discovered bugs that only surface when certain features are used in combination.
A properly hardened PC will deny and deter attacker with layers of protection. Sometimes, depending on the vulnerability, it will be completely mitigated because that feature is turned off. Other times, a zero day vulnerability might enable an attacker to get in, but once inside, they will find a locked system, try to wreck something and leave. Their ultimate prize is to gain admin/system rights to your PC and totally control your system. With a hardened system, they won't reach their goal. And with security monitoring, even if they obtained admin rights, their victory will be short lived.
Importance of Testing
It is important to note, that after hardening a system, one has to test to see if the applications that you run still runs as expected. The ideal candidate of this project is a home user with no need for communications among PCs in the LAN and SMB organizations with one domain server. That is because the more network ports you open, the less secure you become.
Testing was done on Windows 7 Home Premium, Professional, Ultimate & Enterprise 64 bit machines and a Windows 2008 R2 Server. There are differences between the operating systems, Ultimate has 146 services while Enterprise has 150, Professional has 148 and Home Premium has 144.
Limited testing has been done after performing the hardening procedures below. For Windows Professional and above, I test the following
• the computer can join a domain
• a domain user can login to the computer.
• Folder Redirection works.
After hardening, all control panel items work, with the following exceptions:
• "Remote App and Desktop Connections" because I don't have a server setup to test this feature.
• Administrative Tools > iSCSI Initiator, because I don't have that kind of hardware.
• "Location and Other Sensors", because I don't have that kind of hardware
• "Speech Recognition" because I don't have a microphone to test with.
• "Sync Center" because I don't have test devices that need synchronizing.
• "Troubleshooting" because there are too many scenarios to run each troubleshooter
• Administrative Tools > Component Services is not tested, because it requires deep knowledge about DCOM.
• Administrative Tools > Performance Monitor, because I am not familiar with it, so I don't know what is normal, i.e. what should be showing and what shouldn't be.
• If you create a new standard user account after hardening, it defaults to the Windows Classic theme, you need to set the theme back to Windows 7 Aero theme manually.
About this Hardening Guide
Let there be no mistake, if your system has already been compromised, following the advice given here will not help you, because there is no telling what backdoors and botnets clients have been installed on your system. You cannot fight back at someone who already has administrator control of your system. You can implement something and they will just disable it. You best chance of survival is to re-install your legit copy of Windows and then hardening it to prevent further attacks from happening.
This guide is made for standalone Windows Home Premium systems. There is another version for Windows Professional, Windows Ultimate, Windows Enterprise and Domain joined systems.
There are 2 automated configuration files and a Restore file. Items covered are:
• hardening Windows Services
• applying Access Control Lists to Windows command line tools.
• What events to log
• Event Log size.
• UAC settings for admin and standard users.
• Accounts that are allowed remote network access (which we configure to none)
• Passwords complexity requirements and Account lockouts.
The automated configuration includes Access Control Lists (ACLs) for command line tools. It is made for 64 bit Windows only. 32 bit machines are not covered. There are many more executables in a 32bit machine.
There is also a series of Custom View xml files for Event Viewer.
There is also a firewall policy file which can be imported to establish firewall settings and rules.
What you will need pre-downloaded
Disable IPv6, from here: http://support.microsoft.com/kb/929852
There are several FixIt modules. use either "Disable IPv6" (entirely) or "Disable IPv6 tunnel interfaces" (disabling just the tunnels if you have an IPv6 router) The reason is given in the guide.
Critical Windows Updates
Since the release of Windows 7 SP1, there has been critical updates that could stop you from performing Windows Updates. If you have attackers on your tail, you may very well be stopped from obtaining critical updates. Or that you may be compromised when you go online to fetch updates.
There is a free tool called WSUS Offline Update, which can download updates for all Windows platforms and create a ISO image file. Just burn this image file to DVD and slip it into your PC and it will commence installing the updates. Note that it will only download KB's that are in MS Security Bulletins, which are all the critical and important downloads; so you will still have to do a Windows Update afterwards to fetch the ordinary non-critical updates. This tool eliminates a critical gap in Windows installation. That is when you only have services packs installed but are missing all post service pack updates. An attacker can attack you while you are updating online and vulnerable. The tool is available from here: http://www.wsusoffline.net/ . The site is in German and English.
So the plan is to run this tool on another PC to fetch the updates, and take the updates disc to the machine you are installing.
Once you have downloaded and extracted the zip file. Right click on 'UpdateGenerator.exe' and select Properties then Compatiblity tab. Checkmark 'Run this program is compatibility mode' and select Windows XP. Then run the program.
On the main screen, select the platforms which you want updates for, and checkmark Create ISO images 'per selected product and language', then click the Start button.
After it finishes, check the iso sub folder to locate the ISO image file. Note that this is a DVD image file. You need to right click on it and select 'Burn disc image'. Or you can use the free ImgBurn utility if you are not on Win 7 or Win 8.
Install Service Packs offline
You should download service pack 1 on a different computer and copy it to the computer being installed and run it. We don't want to connect the computer to the network without the minimal set of patches. Further down this document, when network configuration is complete, we will connect online and fetch security patches ASAP.. Do not surf the net while performing any step prior to Windows Update, because your browser is missing a lot of security patches.
Install Critical and Important Updates
Use the updates disc create by WSUS Offline Update and install the patches.
One of the main concepts underlying hardening is Least Privilege. It means to configure your system so that it is only capable of doing things you normally do, and nothing else. So, that means that if a feature in Windows is not used, it is to be turned off, or disabled.
The reason behind it, is that the more features you enable, the larger your attack surface is. It means you have more to defend. And one vulnerable spot is all it takes to get hacked. The more features you have, the more potential bugs (some security related) you have. Now attackers know a lot about the security bugs in the system – that’s how they attack. If you go live on the internet with all features turned on, the attacker would have a lot of choices. If you disable unused features, then he’d have less to play with.
One of the first things you should do in line with least privilege is to create a Standard user account, and use that account for your daily work. Only login to the administrative account to install programs, configure networking, or do system maintenance tasks. Because when you are working in a Standard account, any malware or hacker that makes it onto your system will inherit your privilege and not have admin privileges to make system wide modifications. And that’s a win for you.
Remember that an attacker will have all the access that you have at the that moment of attack. So if you have important documents stored in that account's Document folder, they will have the same access. (more on that later). So, if you have secret level data, it is best to store them in an account which you don't surf with.
From a different perspective, a Standard account is a barrier to other accounts, and is also a container for attacks. If you have your services set up correctly and don't allow the command RunAs, ( it is the Seondary Logon service ), then automated attacks and hackers cannot gain access to your other accounts. If you notice different behavior of your browser or something that looks like virus activity, you can rebuild your account and delete the old one as part of a recovery procedure.
Display all Control Panel settings
Control Panel, select 'View by: Small Icons'. This shows all the configurations choices available.
Turn UAC to the max
When MS released Vista, there were some complaints about UAC asking for confirmation to do this, that and the other. So MS made a compromise in Windows 7 and allow customers to choose what level of prompting they want. Know that turning off UAC also means turning off Protected Mode in Internet Explorer, and not too many people realize that a major piece of protection is now turned off. UAC pops up mostly during the setup phase, once you have finished setting up your computer, you will rarely encounter it.
Control Panel\All Control Panel Items\User Accounts\Change User Account Control Settings
Move slider to top
Specifying the gateway
We will perform hardening on networking components first, without connecting to the internet. This requires that the computer be connected to the gateway/router, in order to change the network/firewall profile between Private and Public. Temporarily specifying any live PC as the gateway will work. After hardening networking, you can set up the correct gateway, and we will then connect to the internet to get Windows Updates.
Control Panel, Network and Sharing Center, Local Area Connection link, Properties, select Internet Protocol Version 4 (TCP/IPv4), Properties button, Default Gateway. Enter the ip address of any live PC on the network.
Set up Firewall Profile
Windows network has 4 network types, domain, work, home and public. Work and home are similar and are labeled as 'private' under it's firewall tool. The work and home settings are set to allow 'network discovery', so that Windows is allowed to talk to other PCs. The public setting is the most secure and is meant to be used at cafe hotspots, airports etc. If your network contains insecure PCs, then you should set the network profile to public. The domain setting cannot be chosen by the user, and is used after the PC has joined a domain. Since we are hardening the PC, we want the most secure setting, and only allow Windows to talk when it is called for. So for those that intend to join a domain, choose the work profile; and if not, choose the public profile.
Control Panel \ Network and Sharing Center
・ Change network location to Public.
Use only Bare Essential Network protocols
In order for a attacker to hack you remotely, he needs to interact with a network facing program running on your PC. Some networking components implement protocols. Networking protocols are grammar rules for bits and bytes to communicate with other PCs. And each has weaknesses. So unless your environment requires that a protocol must be used, we will want to disable all except the bare essentials. More protocols mean a larger attack surface.
The only protocol you really need is IPv4. And most networking equipment requires IPv4 in order to function. IPv6 will be increasingly necessary as we have run out of IPv4 addresses, but as of this writing, IPv6 is still not very popular.
If you have a IPv6 router, then you can skip over all configurations in this guide that mention v6. as it is turned on by default by Microsoft. Some routers do not understand IPv6, and some ISPs don't support it either. So MS made several tunnel components that tunnels IPv6 inside IPv4 to the outside. This in effect bypasses the security offered by your NAT-router and hardware firewall. Tunneled traffic can't be seen by IPv4 hardware firewalls and all such traffic will be allowed to pass unhindered.
NetBIOS over TCP/IP is not required because NetBIOS is already active without this option. Disabling NetBIOS over TCP/IP should limit NetBIOS traffic to the local subnet.
The Discovery protocols are used to provide a nice graphical map of your network. For home users, this is not needed, as there is only one router. You would only get to see a picture depicting your PCs connected to your router. For Domain users, this feature is automatically turned off once you join the domain.
File and Printer Sharing should only be enabled if you plan to share some of your folders on the network or if you want to share your locally connected printer over the network. If printer sharing is desired, it is better to get a printer that has networking built in, so that when attacked, they only gain access to a printer instead of your PC. Disable this feature unless absolutely required.
Control Panel\Network and Sharing Center
Local Area Connection\ Properties button
uncheckmark the following:
Select 'Internet Protocol version 4 (TCP IPv4), click Properties, click Advanced,
Disable IPV6 Totally
As mentioned previously, IPv6 tunneling bypasses the security of your IPv4 router and hardware firewall. If you have an IPv6 router, then skip this section.
See this page: http://support.microsoft.com/kb/929852
There are several FixIt modules. I would choose either "Disable IPv6" (entirely) or "Disable IPv6 tunnel interfaces" (disabling just the tunnels if you have an IPv6 router).
Disable unused tcpip6 Devices and NETBT
NetBT driver is NetBIOS. The TCP/IP NetBIOS Helper service depends on it. When you disable the NetBT driver, there will be no NetBIOS functionality whatsoever. If this is a standalone machine, this is what you want.
When disabling features, I like to disable their components too. So even though IPv6 is disabled above, I still disable the Wan Miniport IPv6 driver, Teredo driver, ISATAP driver and IPv6 ARP driver.
Control Panel / Device Manager, View menu / Show Hidden Devices
(To close port 445, one needs to additionally disable the Server service, see Services section below )
I have never seen this protocol used. When something is unused, least privilege says it should be disabled.
Start button\All Programs\Accessories\command prompt, right click, select "run as administrator"
paste in this command:
Netsh interface ipv4 set global mldlevel=none
Disable port 1900 UPnP
The intention of UPnP is ease of configuration, so such things as games can auto-configure the firewall to let other players from the internet join in. However, with users each poking holes into your firewall with UPnP, pretty soon it will be Swiss cheese and cease to function as a firewall. It is better to configure firewall rules manually so that each firewall rule is known and accounted for. If your hardware firewall or router has an option to disable UPnP, do so.
right click on right pane, new dword:32 bit,name it UPnPMode
Double click on that and set the value to 2.
Disabling Listening Ports
When you run the command 'netstat -abn', it will show you which ports are open and listening to the network. Normally, you would want to close those ports unless you really need them. Windows 7's listening processes and their port numbers are RPCss ( 135 ), Wininit.exe ( 49152 ), eventlog service ( 49153 ), Schedule service ( 49154 ), services.exe ( 49155 ), lsass.exe ( 49156 ). (The port numbers above 49152 can change between reboots), However, the default firewall policy for inbound traffic is to 'block' for all network profiles ( domain, private, public ). That means nobody can touch those listening ports unless the firewall is off, or you have made inbound 'allow' rules to pass traffic onto those processes. This has been verified by connecting to them with telnet and all attempts failed, unless one turns off the firewall or makes 'allow' rules. Also, as far as I can determine, all of those processes are essential to Windows, and they cannot be stopped without crippling the PC.
Router and Hardware Firewalls
Buy a router that has Stateful Packet Inspection ( SPI ) firewall. This kind of firewall will monitor outbound traffic and only allow matching return traffic. Like when you surf to a web site, your browser initiate a request to the site, and the site returns the web page. Buy one even if you have only 1 PC. And if you are using a cable modem which only has 1 Ethernet port, you definitely need one.
More expensive hardware firewall routers will have more tools, like configurable rules, sending logs to remote syslog servers, and fancier protection like spotting syntactical illegal ip packets. For an example of small/medium size business product, take a look at the www.sonicwall.com site. They have products which integrates a firewall, gateway antivirus and antispyware, and VPN
Windows Advanced Firewall, turn on outbound blocking and logging
The basic principle for configuring firewalls is 'default deny'. That means all traffic is to be blocked unless you have made a rule to allow it. Those rules are your 'whitelist' of known good applications and protocols.
Window's firewall's default policy is set to inbound deny and outbound allow all. 'Outbound allow all' eases configuration, doesn't follow the default deny principle, and is not ideal. We don’t want malware to be able to call back to their master servers.
Most people don't know that you have to turn outbound blocking on. When outbound blocking is turned on, it only allows the programs and services you specify to talk to the net. Malware will have a hard time reporting back to their servers. However, it is missing a feature that tells you what programs it has blocked outbound. So after installing a program that needs to connect to the net, like your antivirus program, you have test those exe files one by one to see which is responsible for talking and allow that exe to talk with a outbound rule.
If you have the Automated Configuration package, you can set the following instructions up in one step.
Control Panel / Administrative Tools / Windows Firewall with Advanced Security / Import Policy, select “Firewall Policy Win 7 Home Premium 64 Standalone.wfw”
Control Panel/Administrative Tools/Windows Firewall with Advanced Security
/"Windows Firewall Properties" link
Click on each Profile (Domain, Private, Public) tab
- change Outbound connection = Block
- Specify Logging settings for Troubleshooting > Customize
-- Size Limit = 32767 KB
-- Log Dropped packets = Yes
- Specify Settings that control Windows Firewall Behavior > Customize
--Allow Unicast Response: No
----- Firewall Rules ------
HowTo allow a windows service outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Custom', next to 'Services' click customize, select 'Apply to this service', scroll and find 'Windows Update', next, ports and protocol - (no change), next, IP addresses ( no change ), next, select 'Allow The Connection'. Checkmark those profiles as given in the rule.. Give the rule a name, eg "Allow service X".
HowTo Allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule', Select "Program", next, select "This program Path" and click on "Browse" button, Navigate to program folder and select the EXE, next, select "Allow the connection", Checkmark those profiles as given in the rule. Give the rule a name, eg "Allow Program X".
HowTo Allow communication to a destination port # and IP address: Click on Outbound rules on the left. Click on 'New Rule'. Select 'Custom'. next. Select 'All Programs'. next. For 'Protocol Type' select 'TCP' or 'UDP' as the case may be. For 'Remote Port', select 'Specific Ports'. Then type in the port number(s) below. next. For 'Remote address this rule applies to' select 'These ip addresses'. Click 'Add' button, and in the following dialog box, type in an ip address into 'This ip address or subnet'. ok. next. Select 'Allow the connection'. next. Checkmark those profiles as given in the rule. next. Give the rule a name, eg "Allow out to port ### on server YYY.
The following rules applies to all 3 profiles: Domain, Private and Public
Outbound/ allow service 'Windows update'
Outbound/ allow service 'Windows Time'
Outbound/ allow program '\Windows\HelpPane.exe' (Windows Help, enables fetching online help )
Outbound/ allow program '\program files\windows defender\msacui.exe'
Outbound/ allow program <Firefox/Chrome/Opera, whichever browser you use>
Outbound/ allow program \program files\Internet explorer\iexplore.exe
Outbound/ allow program \program files x86\Internet explorer\iexplore.exe
Outbound/ allow program <your antivirus update program>
Outbound/ allow program “%ProgramFiles% (x86)\Secunia\PSI\psia.exe”
Outbound/ allow program “%ProgramFiles% (x86)\Secunia\PSI\psi.exe”
Outbound/ allow program <path to Live Messenger>
Outbound/ allow program '\windows\ehome\ehshell.exe' (Windows Media Centre)
Outbound/ allow program '\windows\ehome\mcupdate.exe' (Windows Media Centre)
Outbound/ allow program '\Program files\Windows Media Player\wmplayer.exe'
Outbound/ disable all Core Networking rules that mentions IPv6, Teredo, and ICMPv6
Outbound/ disable Core Networking IPHTTPS
Outbound/ disable Core Networking IGMP-out
Outbound. disable all Core Networking rules that mention Group policy
Outbound/ disable the 2 rules that mentions HomeGroup
Outbound/ disable all rules for Remote Assistance
Outbound/ disable all Network Discovery rules for private profile (NB-Datagram-out, NB Name out, LLMNR UDP Out, Pub-WSD-out, SSDP-out, UPnP-Host-Out, UPnP-Out, WSD-Events-Out, WSD-EventsSecure-Out and WSD-Out.)
Outbound/ allow <Adobe Flash Update service>
Outbound/ allow <Adobe Acrobat Update service>
Outbound/ allow Core Networking DHCP-out
InBound/ allow Core Networking ICMPv4 in
InBound/ allow Core Networking DHCP in
InBound/ disable Core Networking IPHTTPS in
InBound/ disable Core Networking IGMP in
InBound/ disable all Core Networking rules that mentions IPv6, Teredo, and ICMPv6
InBound/ disable the 2 rules that mentions HomeGroup
InBound/ disable all Network Discovery rules for private profile (NB Datagram in, NB Name in, LLMNR UDP In, Pub-WSD-In, SSDP-In, UPnP-In, WSD-Events-In, WSD-EventsSecure-In, WSD-In)
InBound/ disable all rules for Remote Assistance
The following rules applies to all 3 profiles: Domain, Private and Public
Inbound/ allow program <Mcafee Site Advisor dir>siteadv.exe
Inbound/ allow service '<SA Service>' ( Mcafee site advisor )
If you imported the given firewall policy, all of the rules above are setup for you, except for rules in angle brackets <>.
Installing a 3rd Party Firewall
If you want, you can install another software firewall, although the Windows 7 firewall is quite good. Note that installing a third party firewall will automatically disable the Windows 7 one, because having 2 firewalls will cause conflicts. For example, currently, the Comodo firewall is top rated, However, the part which I don't like is that it has an internal list of programs which it designates as "safe". I prefer my own white list, containing programs that I know and approve, like in the rules list above. It also has to do with Least Privilege, because one doesn't want rules to allow programs connecting out to the internet if one never uses them. If you do want to use Comodo, then set the firewall to use "Custom Policy". In this mode, the firewall will prompt and tell you about both "safe" and unknown applications that try to connect to the internet, giving you the authority to decide. The good thing about using a third party firewall like Comodo is that it tells you what applications are trying to connect outbound, whereas Windows Firewall doesn't. And it does make for easier operation. However, some native Windows features like Network Discovery are not supported out of the box. So if you want to enable that feature, you will have some configuring to do.
Install MalwareBytes Anti-Exploit
This is a very important part of safe guarding your PC from exploits..
This guide used to recomment EMET 5,2, but the download for this version has been removed by Microsoft now that EMET 5.5 is released. However, the new version requires the Secondary Logon service active. And by having access to Secondary Logon service, attackers can use the runas command line tool to invoke administrative rights. One of the core design goals of the guides's hardening approach is to deny attacks even if the attacker knows your admin password. This could be result of shoulder surfing - simply noting your password as you type it by looking over your shoulder. Or it can be that a keylogger has been installed on your system. The necessity of having the Secondary Logon service active is unacceptable, and that is why this guide now recommends MalwareBytes Anti-Exploit. Or if you have previously downloaded EMET 5.2, you can use that.
MalwareBytes Anti-Exploit Free has fewer protection mechanisms than EMET, but it protects browsers and java by default. The paid version protects MS Office and Adobe Reader plus some other apps also. Since browsers are a primary attack vector nowadays, this is a good tool to have.
The program needs no configuration.
Software Restriction Policy
When activated, Software Restriction Policy will prevent any program from running except if it is residing in \Program Files or \Windows. That means any downloaded malware in Temporary Internet Files or elsewhere will not be able to run. ( browsers and plug-ins sometimes have vulnerabilities to let infected web sites to force them to download ) Since you will be running as a standard user daily, that malware cannot install itself to the above 2 locations, because you need admin rights to do so. So you are covered against unwanted programs running. Plus, if you are sharing your computer with other people, you can now rest assured that they cannot install programs or modify your system in any way.
Feature not available in Windows Home Premium.
Simple Software Restriction Policy 1.2 by IWR Consultancy
SRP1.2 is a free tool that provides the majority of the functionality of Windows’ own SRP in a small program that sits in the systray. And it works on Windows 7 64bit Home Premium.
This program provides crucial protection to Windows 7 Home Premium. After installation, only programs in \Program Files and \Windows will execute. So in order to run the BAT files of this guide’s automated configuration, you need to choose the tool’s UnLock from the right click menu, which will give you 30mins of unlocked time.
The program installs into \Windows\SoftwarePolicy. Configuration is done via an .ini file that can be accessed and edited from its menu. There are some configuration items that needs modification. Right click on the program’s systray icon and choose Configure. Notepad will start.
Edit this following item and change the value from 0 to 2, like below::
Next, add the following lines underneath [Disallowed]
Lastly, if you use the Opera browser, find in the [LimitedApps] section the line 'Opera=...' and place a semicolon (;) in front of the line to exclude Opera from protection, because Opera v22 (the latest version as of this writing) will not function with this enabled.
Save the file, exit Notepad and apply the policy
The above configures the program to require a Windows admin account password. And it secures the mentioned paths under \Windows which can be modified by users to prevent malware from executing from in there.
Also, you can add a “;” in front of these lines to remove extra menu items, as they add clutter to the right click menu:
;Printers and Faxes=control printers
Disabling Vulnerable Services
Most people are aware that services can be security problems, and that some should be disabled. The culprits are partially network services that listen to the net. In order for a attacker to hack you remotely, he needs to interact with a network facing program running on your PC. Anything that takes input from the net is candidate for manipulation by attackers. When one looks at the list of services that are disabled below, one might say that there are no known exploits for such and such a service. But the principle again is least privilege. Only those services that are needed should be active. And we don't want to wait until an exploit becomes public knowledge and then take action. Least privilege is a pro-active, preventative concept.
There are various servers in the list of services which listens 24x7 to everybody sending them stuff.( which includes exploits ) Like the simply named 'Server' service that is responsible for File and Printer sharing. Another server is UPnP Device Host, which lets other PCs interact with devices on this PC. Components that allow remote management are also turned off - like Remote Registry, WMI Performance Adapter and Windows Remote Management. The first allow other PCs to change your registry; the second lets other PCs get performance data from this PC and the third allows remote shell access. The Secondary Logon service is turned off, because it let command line users run programs as admin. It requires the admin's password, but then attackers have all day to figure that out. DNS Client is turned off because it only caches previous DNS request results, and does not fetch results, and is the target of attacks which poisons the cache with fake DNS entries. HomeGroup is the new file sharing mechanism in Windows 7, and the whole network's shared stuff (all material from all PCs) is secured via 1 password. With the File and Printer Sharing way, at least you can have different logons for different PCs. I have left 3 services on Automatic start, which do react to inputs from the net, and they are Network Location Awareness, Network List Service and Network Connections. These services tell other windows programs about your network and allows you to choose your firewall profile (public or private).
If you do not use DHCP, don't disable the DHCP Client service. There is a hidden dependancy of Windows Firewall and it relies on DHCP Client on being Automatic start.
There is another angle to services that makes some more desirable targets, and that is the account that runs them. Services, just like any program, are run by an account. The System account is all powerful and is equal in power to administrators. A network facing service which use this account, like the WMI Performance Adapter, will be prized, A service running as System will also be targeted by attackers who gained entry into a Standard account, they will try to take over the service to gain System rights. (This is called "escalation of privilege").
There are some services which activate if you have the right equipment, like Adaptive Brightness, which works with computers that have a light sensor. Microsoft iSCSI initiator service, Bluetooth support service, Fax, SmartCard. SmartCard removal policy and WWAN autoconfig are all dependent on specific hardware. In my personal configuration, they are all disabled, because I don't have them.
When you configure services, clicking on each will display a description. If that is not enough for you, you can check out http://blackviper.com to see if they have any additional information.
If you have the Automated Configuration package, you can set up the services with one command
Right click on “Harden Win 7 Home Premium 64 Standalone A.bat” and choose “Run as admin”
Start button/Control Panel/Administrative Tools/Services
Right click on the following services, choose Properties and set Startup Type to Disable.
Name (Original Mode) (what it does)
Computer Browser (manual) (finds other PCs in the network)
Distributed Link Tracking Client (automatic) (maintain shortcuts if source file name has changed)
DNS client (automatic) (caches previously looked up domain names)
Function Discovery Provider Host (manual) (HomeGroup)
Function discovery resource publication (manual) (HomeGroup)
HomeGroup Listener (manual) (HomeGroup)
HomeGroup Provider (manual) (HomeGroup)
Internet Connection Sharing (disabled) (makes PC act as router)
IP Helper (automatic) (IPv6 tunneling)
Link Layer Topology discovery mapper (manual) (network discovery)
Media Center Extender service (disabled) (turns PC into media server)
Net. TCP port Sharing service (disabled)
Network Access Protection Agent (manual) (reports security configuration)
Parental controls (manual) (empty stub for compatibility with Vista)
Peer Name Resolution Protocol (manual)
Peer Networking Grouping (manual) (HomeGroup, remote assistance)
Peer Networking Identity Mgr (manual) (HomeGroup, remote assistance)
Performance Counter DLL Host (manual) (allows remote query to performance counters)
Performance Logs & Alerts (manual) (collects remote and local perf data)
PnP-X Ip Bus Enumerator (manual) (uses SSDP)
PNRP Machine Name Publication Service (manual) (server that responds with a machine name)
Quality Windows Audio Video Experience (manual) (multimedia server)
Remote Access Auto Connection Mgr (manual)
Remote Access Connection Manager (manual) (dialup, VPN)
Remote Desktop Configuration (manual)
Remote Desktop Service (manual) (server allowing remote control)
Remote Registry (manual)
Routing and Remote Access (disabled)
Secondary logon (manual)
Secure Socket Tunneling Protocol service (manual) (VPN)
Server (automatic) (HomeGroup, File and Printer Sharing)
SNMP Trap (manual)
SSDP Discovery (manual)
Tablet PC Input Service (manual)
TCP/IP NetBIOS Helper (automatic)
Telephony (manual) (affects Remote Access Connection mgr/ VPN)
UPnP Device host (manual)
Web Client (manual)
Windows Connect Now (manual) (Wireless Setup - simplified configuration)
Windows Error Reporting Service (manual) (reports system problems to MS and fetches solutions)
Windows Event Collector (manual) (allow remote subscription to log events)
Windows Media Player Network Sharing service (manual)
Windows Remote Management (manual) (Server, listens for remote requests )
WinHTTP Web Proxy auto discovery (manual) (proxy discovery and some kind of http api )
WMI Performance Adapter (manual) (provides performance data to other PC collecting it)
Workstation (automatic) (HomeGroup)
The last thing you need to do in preparation for connecting online to do Windows Update is to install your antivirus program. You would also need to specify a outbound firewall rule to allow the antivirus to fetch signature updates.
At this point, you have hardened networking components. Setup the correct gateway. Switch to your Standard account. Connect now to internet. Immediately do Windows Update. If you use MS Office or other MS software, enable Microsoft Update. DO NOT SURF the net while updates are going on, as Internet Explorer is still unpatched and vulnerable. Note also that you have to Check for Updates more than once, as MS prepares updates in batches, and another batch may follow the current one.
If you wish, you may want to defer Microsoft Update until we reach the end of this guide, when all attack venues are covered.
Disable Firewall temporarily to allow the following script to run.
Control Panel/Administrative Tools/Windows Firewall with Advanced Security
/"Windows Firewall Properties" link, Private or Public profile, Outbound : Allow
Then open an elevated command prompt and run the following:
Then set Outbound back to block.
Install All Software, update firewall rules
Install antispyware and antimalware Then install Secunia's PSI, Adobe PDF Reader, your browser, Flash , your Office suite, your printer driver and all other applications.
If you use MS Office, then go do Microsoft Update now.
Remember to update your firewall rules to allow the programs that need the internet, like Flash and Adobe Acrobat Reader which now have their own update service, so add allow outbound rules for those services. Also your browser needs to reach outbound to the internet.
Next, go back into EMET and add programs that take input from the internet to EMET’s protect apps list.(E.g. your browsers like Firefox and Chat program) This includes programs that take input from downloaded material. (E.g. Adobe Reader, media player, MS Word, Excel and PowerPoint)
One of the most important things to do is to update EVERYTHING on your computer, constantly, that means Windows Update and updating all programs and plug-ins. It is very important to know that security patches closes the holes that malware/hackers need to get onto your computer. Patching the security holes is the ultimate preventative measure that treats the source of the problem.
It is known that attackers reverse engineer MS patches to exploit the vulnerabilities. It only takes a few days for them to do so, so be sure to patch on time. MS's patch schedule is on the second Tuesday of each month.
Windows Update supplies security fixes to Windows and its programs like Internet Explorer. If you use a buggy IE, then hacked websites can install viruses/malware unbeknown to you.
If you use other MS products like MS Office, Windows Update has an option to supply patches for those too, you have to click on "Get update for other Microsoft products" on the Windows Update app.
Adobe Flash is another component that lots of people forget about. Go to Adobe.com and download the latest one. And if you use other browsers, use them to visit Adobe to install the latest Flash for them too, because there are separate Flash exe/plug-ins for each browser. Adobe Flash recently implemented an automatic update feature to Flash, if you install Flash, you must make an outbound allow firewall rule for the service.
Secunia offers a free program called PSI (http://secunia.com/vulnerability_scanning/personal/ ) that detects which of your installed programs are missing security patches. This is a lifesaver . After installing, it will scan your pc on a schedule. It will tell you about insecure programs, and link you to patch downloads. If a patch for a security hole does not yet exist, it will tell you, so that at least you can stop using that program for a while. This is a very important part of maintaining security of your machine.
Run Windows Media Center, go through the steps and let it initialize everything, then exit
Turn off AutoRun
Download and install the FixIT given in the above link. AutoRun is a problem when it comes to removable devices like USB memory sticks and CDs. Because it will run whatever program it is set for whenever you insert it. Hackers are known to casually leave CDs around in public washrooms and label it something like 'layoff positions for next quarter', Once inserted, their hacking tools will run in the background and call back to its master server.
Turn off Gadgets platform
Microsoft has issued an advisory stating that the sidebar/gadgets platform is very insecure. They have taken the gadgets store offline and issued a FixIt to disable Gadgets. The FixIt is located here:
Data Execution Prevention is a technology that foils some types of attacks when they are coded in a certain way. By default, this feature is enabled but protects only Windows executables. You want to enable it to protect all programs, like your Firefox, Opera, Acrobat Reader and others.
If you have already installed EMET as per above, then this feature will be disabled because EMET has taken over the handling of DEP.
Right Click Computer/ Properties/ Advanced System Settings
/Performance Settings button/ Data Execution Prevention Tab
Select "Turn on DEP for all programs ..."
Disable dump file creation
Dump files are memory dumps, and everything in memory are saved to a file. This is used for debugging problems with your system. However, passwords and all confidential stuff that are running currently are also saved to this file. You should enable this feature only when you are experiencing problems and need to debug.
Computer > Properties > Advanced System Settings > Startup and Recovery Settings - settings button
Write debugging info: None.
Disallow Remote Assistance
Remote assistance allow a helper to control your PC with complete desktop, keyboard and mouse access. This is not a attacker favorite as there is built in protection that allow only the invited to take control. However, there are fake Microsoft phone scams that lure users into giving them remote access, and you will want to protect your users.
Computer/Properties/Advanced System settings/Remote tab
Un-checkmark allow remote assistance
Let Windows make more Restore Points available
System Restore can be a life saver when you encounter system errors. Setting it to use more disk space and making more restore points is good policy
Right click Computer/Properties/Advanced Systems Settings/System Protection tab
Configure button/create bigger system restore cache
Enable Visibility into Windows hidden files
You want to be able to see all files and folders in Windows. If you do not do this step, attackers can hide their installed tools from you. Although the attacker can also install a rootkit which also hides their files, they may not be able to get that far into your system to do so.
Windows Explorer/ Organize/ Folder and search options / View tab
CHECKMARK items below
• Always show menus
• Display the full path in the title bar
• Show hidden files, folders and drives
UNCHECK items below
• hide empty drives in computer folder
• hide extensions for known file types
• hide protected operating system files
Configure Screen Saver
Unattended PCs are obvious security risks. But many people fail to take care of this via this simple setting. Most larger companies that are security aware have strict rules to enable this and not to leave PCs logged in and unattended.
Right click on desktop and choose Personalize / Screensaver. Configure it to wait 10 minutes, and check mark "On resume, display Logon screen"
Turn off un-needed Windows Features
Control Panel/ Program and Features
Turn Windows Features on or off
turn off these:
- Tablet PC Components
- Windows Gadget platform
You don't want any programs to run automatically, because inserted media (like your friend's USB memory sticks) may contain viruses. It is better to open the program yourself and navigate to media.
Control Panel > AutoPlay. Choose 'Take No Action' for everything
Uncheck "Use AutoPlay for all media and devices"
Do this for all user accounts.
Control Panel/ Windows Defender
Tools menu, Microsoft SpyNet, select 'Join with Advanced Membership'. (or else you won't be prompted with spyware notifications)
If you use MS Security Essentials as your antivirus, it will disable Windows Defender, and you can skip this step.
Display Administrative Tools
Right click Start Button/ Properties / Start Menu, Customize/ Scroll to bottom
Find 'System Administrative Tools', set it to 'Display on All Programs Menu and Start Menu'
Least Privilege part 2
If you look at \Windows\System32 folder, you will see a lot of exe programs. Some of them are GUI components needed by the system. And the rest are command line programs used to administrate Windows. A Standard user account doing daily work has little use for these command line programs, as they are intended for IT administrators. In accordance with Least Privilege, these command line admin tools should be partitioned away from the User group. In the Automated Configuration part 1 section below, there is a configuration file that does this.
After configuration, the command line administrative tools can only be accessed from an admin account using an elevated command prompt.
Attackers aim to get use of three accounts, the admin account, the "Administrator" account, and the System account. The admin account is needed for configuring the system, so it needs full access to command line tools and we cannot avoid this. The 'Administrator' account is by default disabled. And the System account is used by some services. In testing, it is revealed that the System account cannot be constricted or else our Restore BAT wouldn't work. So in the provided configuration file, command line tools are set so that only members of the administrators group and 'TrustedInstaller' can invoke them. (The System account gets inherited rights)
As an example, few people are aware that there is a command line FTP program, as most people use their browsers to download. This program is used mainly by attackers who need to bring over their tools once they gained command prompt access.
Also, after using the automated configuration, all command line programs are set to no-execute from low integrity programs. Thus, a attacker gaining a foot hold by exploiting a security bug in Internet Explorer (which is low integrity) will find that she has no access to any command line tools.
Browsers and Security
Internet Explorer is still the most popular browser because it is installed by default. Because browsers are the primary interface to the web, and used by everyone, they are a PRIMARY vector of attack. attackers will attack a website and modify it to deliver malware, using security holes in the browser. Or they can send attacks forging the address of a web page you are on. ( If you have a tab of your favorite web site always open, they can forge that web site's address and send attacks).
Internet Explorer has an important defence mechanism, called Protected Mode. It is another name for Integrity Levels. Basically, the entire system is marked as Medium integrity. While frequently attacked programs like Internet Explorer is marked as Low integrity. Low integrity cannot modify Medium. So even if someone compromises IE and gains access to your PC, they cannot modify your system. You can set the integrity level of a program yourself, so you can make Firefox or other browsers use Protected Mode as well.
Popular alternatives to IE are Firefox, Opera and Chrome. There have been security holes discovered in them just like IE, but they are reputed to be more secure, primarily because they don’t use ActiveX. There are ActiveX code libraries strewn about in Windows, and many are not safe for web use. Attackers often make IE call to these ActiveX code modules as a means of attack.
Set IE to use Protected Mode Always
Control Panel/Internet Options/Security Tab
Checkmark Protected Mode for all zones
Login to EACH user account and repeat.
Set IE to use ActiveX Filtering
Open Internet Explorer, Gear icon / Safety / checkmark ActiveX Filtering
Login to EACH user account and repeat.
Set IE to use Enhanced Protected Mode
Control Panel/ Internet Options/ Advanced tab. Scroll to Security section. Checkmark 'Enable Enhanced Protected Mode'.
IE has this stupid distinction about the source of a web page. By default, if a web server is within your network (like a company web server), then Protected mode is disabled. Well, if a attacker wants to attack your network, they would just simply attack your web server first, and let his tools spread when internal visitors use the infected company web server.
Mozilla Firefox is open source software. Proponents of open source say because the code is open for all to inspect, it makes for a safer product. (as opposed to IE, which only a limited number of MS programmers work on). Mozilla has also once called on white hat hackers to help test attack Firefox. But whether or not this is an ongoing engagement is unclear.
To cover the angle of malicious ads, there is plug-in called AdBlock Plus. This plug-in removes all ads from sites. Its side benefit is that sites load faster without the ads.
There is another Firefox plug-in call WOT (web of trust). This plug-in marks search engine results with ratings. If a site is known to deliver malware, you will see a red danger icon next to it. And you can click on the icon to see detailed ratings by threat category. The ratings are driven by community help. WOT is now also available for Internet Explorer.
There is another free plug-in by Mcafee called SiteAdvisor. It also marks search engine results with a safety rating icon, and this product works with both IE and Firefox..
Low Integrity Firefox
As mentioned above, you can enhance Firefox's security by setting it to low integrity. Open an elevated command prompt and copy and paste in following commands, one line at a time, substituting <yourAccName> with your account name:
icacls "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" /setintegritylevel low
icacls "C:\Users\<yourAccName>\AppData\Local\Temp" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\<yourAccName>\AppData\Local\Mozilla" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\<yourAccName>\AppData\Roaming\Mozilla" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\<yourAccName>\Downloads" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\<nextAccName>\AppData\Local\Temp" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\<nextAccName>\AppData\Local\Mozilla" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\<nextAccName>\AppData\Roaming\Mozilla" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\<nextAccName>\Downloads" /setintegritylevel(oi)(ci) low /t
Note that in order for Firefox to run as low integrity, it required the setting of \AppData\Local\Temp folder also to low integrity, which was previously medium. This folder may contain sensitive temporary data from other applications. An intruder gaining access through Firefox may be locked into low integrity mode and can't change system settings, but he can glean data from this folder, which may be undesirable.
Opera is another alternative browser. The thing that is good about them is that they patch up publicly disclosed vulnerabilities quite quickly. There is also a WOT plugin for this browser.
Low integrity Opera
Run the following commands in an elevated command prompt:
icacls "C:\program files\opera x64\opera.exe" /setintegritylevel low
"C:\Users\sec web\AppData\Local\Opera Software"
/setintegritylevel(oi)(ci) low /t
icacls "C:\Users\sec web\AppData\Roaming\Opera Software" /setintegritylevel(oi)(ci) low /t
Note: every time you update Opera or Firefox, you have to re-run the command that makes the exe a low integrity program. ( ... setintegritylevel low )
Chrome has 2 versions, one is for ordinary users and one is for business. The ordinary one installs itself into \users\...\appdata, thus allowing users to install the product without IT dept's blessing. That is, if software restriction policy has not been turned on. The business edition installs into \Program Files (x86), like what normal 32 bit programs usually do. You should use the business edition.
Sandboxing your Browser
There is a program called Sandboxie ( http://www.sandboxie.com/ ) which applies the sandbox security concept to protect any browser. Basically, the protected browser is made to look within a small directory, but it thinks that that directory is drive C. Sandboxie, and any sandbox in general, does not aim to prevent an attack, but instead contains the attack, within that directory. If the attack creates folders and files, it will be created in that directory. If it installs hacking tools and malware, they will all be confined to that directory. All your downloads will also arrive into that directory first, and Sandboxie will help move it back to the outside world. And everything in that directory can be wiped away with one click. In the Unix world, the concept is called chroot, and is traditionally used to prevent compromised server services from affecting the rest of the system. This program is vital to securing your browser.
a sandbox for each user. this is assuming that you have different user
for different uses. Like one for online banking, and one for your writing/posting your blog.
This is so that anything that gets into one sandbox cannot lift data belonging to another sandbox.
Right click on the sandbox and choose Sandbox Settings.
Tip, if you have a favorite site that requires login, and you allow the site remember your login, you can start the browser outside of Sandboxie to quickly login and let the site save a cookie. Then restart the browser using Sandboxie. Sandboxie will copy the cookies from outside to the sandbox when initiating.
Block Low Integrity Programs from Accessing Your Documents
There is also an option where low integrity programs can be made so that they can't even read medium integrity locations. That’s what the commands below do. When you execute the commands, your desktop, document, pictures, videos and music folders will be unreadable to any programs marked as low integrity. The last command above makes the Downloads folder a low integrity folder. This is necessary because you need a place to save your downloads.( Low can't write to Medium) You will also want to create an Upload directory, and copy the file which you want to upload there. Because this Upload folder has not been processed by chml, the low integrity browser can read this folder.
Since you also have a Standard User account, run the commands below stating your Standard User account too. Note: this measure only protects you against attacks to your low integrity programs like Internet Explorer. (and Firefox or Opera, if you followed the above instructions) But since browsers are primary vectors of attack, this security measure is important. You can also experiment and set other internet facing programs to low integrity, like your chat program.
Visit http://www.minasi.com/apps/ to download chml.exe
Then right click on command prompt and choose 'run as administrator".
Then execute the following commands for Each user.
cd "\user\<yourAccName>\downloads\chml" ( or wherever you saved chml )
chml "c:\users\<yourAccName>\desktop" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourAccName>\documents" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourAccName>\pictures" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourAccName>\videos" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourAccName>\music" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourAccName>\downloads" -i:l
This feature is unfortunately unavailable to Domain clients who use Folder Redirection. Because the folders being redirected, like Documents, do not exist on the client machine.
AppLocker is new to Windows 7 Ultimate. It is more flexible than SRP. Configuration details omitted.
You should have strong passwords to safe guard your accounts, particularly the admin accounts. The first account created when you install Windows is an administrative account. So you need to protect that. There is also a hidden account called “Administrator” which you should also protect with a password, but it first has to be enabled, as it is disabled by default. So enable the Administrator account, set a password, then disable it again.
Your passwords should be long ( 15+ characters ) and also use upper and lowercase, numbers and symbols. The best way is to create passphrases. For example, take the sentence “James T Kirk is the captain of the USS Enterprise 1701″. That would form the password “JTKitcotUSSE1701″. Throw in symbols and it becomes “JTK$itcot%USSE1701′. This password is now long and complex enough to foil attacks.
It is not secure to use the same password everywhere. Some people think it is OK to use the same password for email, banking, Facebook, windows login and so on. If your password is discovered, ( say by a keylogger ) the next logical thing is to try that on your email account. Once they get access to your email, they can use the ‘forgot my password’ feature of many web sites to have them email over your access password for that site. And very shortly everything will be compromised. Password attack programs either use a brute force approach or a dictionary approach. The brute force method tries every combination of numbers and letters. The dictionary approach tries out known words. These password attack programs are fast and can test thousands of passwords per minute. A short password is crackable in no time. A secure site would have safety features like locking your account after several failed tries or making you answer the security questions. But not every site is secure like that. And those weak sites are the primary target of password attack programs.
It is also prudent to password protect your BIOS, so that people cannot boot your PC. Also, you should change the boot order in the BIOS so that it boots the hard drive first, rather than the CD/DVD. If an attacker can insert a Linux Live CD and start up your PC, then they will be able to mount your hard drive and read all data from it, and all Windows security will be bypassed.
Physical security is very important and should not be overlooked. If someone has physical access to your PC, then they could bypass a lot of the hardening that was done.
For example, if a attacker could access your PC and boot up a Linux Live CD, he could then read and copy off all files from the Windows disk partition. Or he could remove your hard drive and put it into another PC as a secondary drive and get data off that way. Either way, Window's password security will be of no use, because Windows was never started.
BitLocker Drive Encyption
BitLocker is a full disk encryption feature of Windows 7 Ultimate and Enterprise. When that is active, the whole drive is encrypted and will not be readable with other copies of Windows or Linux. This eliminates the offline attacks as mentioned above.
Feature not available in Window Home Premium. Details omitted.
For those who don't have Windows Ultimate, you can use a different form of semi 2 factor authentication, but it doesn't protect you from offline attacks. Windows has a feature called syskey, which can store the decryption key to your login passwords on a USB key. The login passwords are not stored as plain text in Windows, they are encrypted. The key to decrypt those passwords can be stored onto drive A.
A lot of computers now don't come with a floppy drive, and the label drive A is unused. First you insert your USB memory key, then right click on Computer and choose Manage. Then go to Disk Management, right click on the USB memory stick, (which is probably label as drive F), choose Change Drive Letter and Path. Then click the Change button and make it drive A.
Now you run syskey. Click on the Update button; choose Store Startup Key on Floppy Disk. Then insert the USB memory key, and the decryption key will be stored on the memory stick.
Once that is done, when you boot Windows, it will prompt you to insert the 'floppy disk' in order to continue booting.
The syskey method of 2 factor authentication is good, now anyone booting the computer will need the USB memory stick; as well as know your login password.
Intrusion Detection – part 1
Good security partly consists of deter, deny and delay. That is what hardening does. Good security is also about detection: Detection of unwanted changes like unauthorized account creations, chains of password guessing etc. Fortunately, a lot of things are tracked in the event logs. Windows’ Event Viewer holds a lot of information about your system (Control Panel > Administrative Tools > Event Viewer). One cannot claim to know what is going on in a system without examining the logs periodically.
Microsoft created a Security Monitoring and Attack Detection Planning Guide.
In the guide, it examines what security monitoring one should do and provides the relevant Event IDs. In the section below, those Event IDs are placed into Custom filters, which allows you to monitor for signs of intrusion.
Note that the guide gives Event ID's for Windows XP. With Vista and Windows 7, you need to take the given Event ID and add 4096 to get the correct event under these 2 newer operating systems.
Make Event Log files Bigger
(also covered by automated configuration part 2)
You may not discover an intrusion right on the first day when they get in. Very often, the discovery comes several weeks to months later. You will need to retain log entries, and the default log sizes allow for too short a period.
Control Panel/Administrative Tools /Event Viewer
Expand 'Windows Logs'. Right click on Application, Properties and set log size to 1000000. Do the same for 'Security' and 'System'.
Security Events to Monitor for
Create Custom Views to monitor for the following Event IDs;
If you have the Automated Configuration package, you can import the settings one by one from the folder “Event Viewer Custom Views”.
HOWTO: click 'Create Custom View'. Select 'By Log', pull down 'Event Logs', Checkmark 'Windows Logs', Move to the field <All Event IDs> and copy and paste in the event id numbers, click OK and name the view.
4723,4724 - Change Password
4720,4726,4738,4781 - Delete, Change Accounts
4608,4609 - Startup, Shutdown
4613 - Clear Security Log
4616 - Change System Time
4617 - Unable to Log
4714,4705 - Privilege assigned or removed
4708,4714 - Change audit policy
4717,4718 - System access granted or removed
4739 - Change domain policy
16390 - Administrator account lockout
4727-4730,4731-4734,4735,4737,4784,4755-4758 - Group changes
4624,4636,4803,4801 - Account logons
4625,4626,4627,4628,4630,4635,4649,4740,4771,4772,4777 - Logon failures ( KEYWORD: Audit Failure )
4672 - Admin account logons
4698 - Schedule new job
4656 - Access refused to object
3004,3005 - Windows defender finds something
4664 - Create hard link to audited file
865 - Software restriction triggered
1000 - Application Error ( Event Level: CHECKMARK "Error" )
1002 - Application Hang ( Event Level: CHECKMARK "Error" )
1037 - Protected Mode violation
7031 - Service terminated unexpectedly
4697 - Install a Service
4663 - Access audited file
CHECKMARK: Critical, Warning and Error. Event Sources:EMET. – EMET incidents
The above 'custom view' filters are in the folder "Event Viewer Custom Views". Simply choose 'Import Custom View' to import each xml file one by one.
The above items are important to review. For example, too many login failures may mean that someone is try to guess passwords to login to your account. Another important one is Application Hang; if you see Internet Explorer hang, you should run anti-virus and anti-malware scans promptly.
Intrusion Detection – part 2: Baselines
Intrusion detection also has to do with seeing that things aren't different from what is normal. Your PC was running perfectly on day 1 after hardening, is it doing anything different today? To answer that question, we need baselines.
What we want to know is what programs are normally running when we first login. If we know that, then we can be sure that we aren’t contaminated with spyware or other hacking tools. There are 2 programs we want to get, all free. The first one is AutoRuns, available from here: http://technet.microsoft.com/en-us/sysinternals/bb963902
It doesn’t have a setup program, just download, unzip, create a folder under \Program Files and copy the files there.
AutoRuns lists all of the places in the registry where programs are set to auto launch. Right click on it, and choose Run as admin, and use File/Save to take a snapshot of your PC’s current settings. Later on during your regular system checkups, you can use the File/Compare feature to see if anything is different. New entries show up in green. If all green entries are good, then save the file again with todays date, and do the comparison with the new file in the next scheduled check. Note that each user account has separate autoruns. You have to right click on Autoruns and choose 'Run as admin' and there will be a Users menu. You need to do compares using each account. Name the files you save with Autoruns like "autoruns - <username> - <date>.arn"
The second program is Process Explorer, available here:
This program is like Task Manager, but it shows more info. Many malware name themselves with familiar Windows program names, trying to hide themselves. Login to your admin account, then right click on Process Manager and choose 'run as admin', go to View/Select Columns and checkmark ‘command line’. Then do a File/Save. The resulting text file is now a snapshot of what normally runs when you first login.
When you do a comparison using Process Explorer, note that you cannot use a file comparison tool like ‘fc’ (file compare) to check for differences, that is because the PID (process identifier) for each program/process would be different on different boot-ups. You would have to do a visual check of the command line.
Next, reboot your PC and open an elevated command prompt with 'run as admin', and type
“netstat -abn > netstat-baseline.txt
The netstat program shows you a list of programs that are listening and connecting to the net. If a attacker connects to your PC, his program would have to connect back from your PC to his PC, and his program would show up here in this list.
Driverquery is a command line tool in Windows, What it does is list all the drivers in use. Some virus and rootkits now come in the form of a driver. When you perform you routine checks, first run this:
driverquery > out.txt
If this is the first snapshot, then rename the out.txt to driverquery-out.txt.
Next time, run these 2 lines;
driverquery > out.txt
fc out.txt driverquery-out.txt
Fc will display the differences between out.txt and driverquery-out.txt. If there are lots of changes, fc will not be able to synchronize the sections in the files. Then you'll have to open up 2 notepads side by side and scroll through the files manually to see what has changed.
In most cases, new drivers are caused by Windows Update. You will have to go online and read that month's MS Security Bulletin to see if the new patches would have deployed new drivers. If that doesn't reveal anything, you'll have to check to see if the new drivers are also present in another machine.
Now we have 4 baselines, save them onto a USB memory stick for use in comparisons later. One should also save the Autoruns, and Process Explorer files onto the memory stick as well. Because, after an attack, programs may get altered or rendered unusable You Have to keep the baselines on a USB memory stick because attackers will modify your baselines to make you think nothing has changed.
Last thing when doing baseline comparisons is to run “sfc /scannow” to determine if any system files has been modified. SFC contains the correct windows files signatures and makes a comparison to the current setup. It will also fix the problem.
Intrusion Detection – part 3
You should definitely install antivirus and antispyware programs. However note, you can only have one realtime antivirus program. The realtime capability monitors file access and file modifications as they happen. And having more than one realtime antivirus will cause problems. Having more than one anti-spyware program usually doesn’t cause problems.
There are also a lot of fake antivirus programs floating around, so make sure you find the reviews before installing one. The fake ones report of non-existent infections and just ask you for your money and do nothing. Some will even stop you from going to legitimate antivirus program sites, stop your programs from working and make you think you are infected with a virus. If you happen to have installed a fake antivirus, there is one anti-malware program that can remove it. It’s called MalwareBytes.
Bear in mind that no antivirus/anti-spyware program will catch everything you encounter. There has been a study that was done that found that the best detection rate is around 60%. Vendors can’t hope to have captured and analyzed ALL the viruses out there, because lots of new ones are introduced every day.
Yes, you can’t fully trust your antivirus program to do a perfect job. To be on the safe side, use online scanners once in a while to do a double check. There are quite a few of them: TrendMicro Housecall, BitDefender, Kapersky, Panda and ESET.
If you download stuff from P2P and bittorents, beware. Lots of infected programs are floating around. And they would even work as expected, except that they will also get you infected. And those viruses tend to be new ones, so most likely your antivirus program will not even beep. You have been warned. The best that you could do is upload the file to virustotal.com and let them run your file against their 39 antivirus programs, and then decide if you want to keep the file or not. You have to remember that it is hackers who release pirated software, cracks and keygens, and they seed these files on P2P and bittorrent. And most likely, they also want to own your PC.
Security suites are very popular. For example, Norton 360 includes antivirus, anti-spyware, anti-rootkit, smart firewall, network monitoring, parental controls, anti-spam and more. They certainly seem to be value for your money. But when weighing effectiveness, many choose a best of breed, mix and match, solution. For example: one can use ESET antivirus and anti-spyware, Webroot anti-spyware, Windows 7 firewall, NetNanny parental control, Gmail’s anti-spam and Gmer anti-rootkit.
For your maintenance routine. You should do 2 things.
1. Check that your antivirus is still alive and active. Go to http://www.eicar.org/86-0-Intended-use.html . And copy that test virus line of text, paste it into notepad and try to save it, Your antivirus should detect it.
2. Do an antivirus scan.
Keyloggers and Screen Grabbers
This class of spyware deserves mentioning on their own. Unlike other hacker attacks, these do not aim to penetrate and gain admin rights, but they are deployed by criminal hackers. They function in a standard account. Their aim is to capture credentials to your web accounts like banking account numbers and passwords, email account and others. Antivirus programs do not detect them. To counter these, I know of 2 programs, Zemana AntiLogger. (http://www.zemana.com) which has anti-keylogger as well as anti-screen grabber functions. The other one is KeyScrambler (http://www.qfxsoftware.com) which is only a anti-keylogger. Zonealarm Extreme Security also incorporates an antikeylogger and antiscreengrabber too.
Security as a Process
Security is a process, that is ongoing after we perform hardening. Your hardened Windows Windows 7 is good and now has multiple layers of security, but new vulnerabilities will be discovered in various software that you use and weaken your stance. Take the case of the browser; attackers target browsers all the time, and new security holes will be revealed. One has to know when these holes are discovered, and take steps to mitigate.
The first step is to know about the new vulnerabilities. The following websites report on security matters :
You should visit them once a week to learn of new security vulnerabilities. The articles will tell you about new security holes in applications or OS, which version it applies to, and give a brief description of the weakness. Sometimes, the software vendor will inform us of some configuration change for you to apply for the time being, until they make a patch ready. Also, the articles may tell us if attacks using the vulnerability has been spotted in use.
This information are of great help for you to maintain security. To continue on our browser example, lets say the new vulnerability involves an ActiveX component that is called via Internet Explorer. Then you might mitigate that by using another browser for the time being, and monitor the vendor’s site for a new version release. Or Microsoft may issue an advisory informing us to how to disable an ActiveX through settings in the registry. Or you may decide that using that browser together with Sandboxie would contain the threat. Or you may decide to disable scripting features of the browser. (Secunia’s PSI program will also tell you when new security patches or program versions have been made, as mentioned previously). The main thing is that you get to know about potential problems from these web sites and takes steps to mitigate.
Next, as part of the security process, you have to monitor your system and detect attacks. You have to perform those log checks, baseline comparisons, and virus scans (as mentioned earlier) on a regular basis, like every 1 or 2 weeks. We are being lax here already, for in a secure environment, they use tools to monitor logs on a real time basis. Monitoring is crucial, as even the most hardened systems will have holes in its defenses. We cannot think that our hardened system is impervious.
After a few months of use, computer settings change invariably: new software installed, new devices added, etc. We now have to check that all security settings are still in place. For example, are the user accounts still standard accounts, or has one been changed to admin for temporary problem troubleshooting? Has the firewall been set to OutBound Allow during installation of a program and left forgotten? So, after you put those locks on the doors, are they still locked? Or has there been tampering? We have to revisit the hardening process and check everything. This is to ensure that the system is still as secure as day one
Automated Configuration 1
There are 3 inf files in the Home Premium package.
The other packages for other editions of Windows include an extra Domain.inf for machines that join a server Domain.
If you wish to revert the changes to out of box defaults, use the 'Restore’' inf file. Note that the restore file is only capable of restoring the changes that the Harden A inf file makes. All other manual configurations made in this document will need to be undone manually.
The “Harden Win 7 Home Premium 64 Standalone A” contains
The Restore A will restore these two to out of box configuration.
The “Harden Win 7 Home Premium 64 Standalone B” contains what is in “A” and these configuration items;
· Password age and length requirement settings: 13 characters and good for 90 days
· Account lockout condition : upon trying 50 bad passwords
· Account lockout duration: 15 minutes
· Deny network logon to certain accounts: Guests, Anonymous Logon, Administrator, NETWORK SERVICE, SERVICE, SYSTEM, LOCAL SERVICE
· System, Application and Security Event Log size: 1000000 kb
· Have Event Viewer show success and failure events for Account Logons, Account Management, Policy Change and System events.
· Limit local account use of blank passwords to console logon only: enabled
· Audit the access of global system objects: disabled
· Audit the use of Backup and Restore privilege: disabled
· Shut down system immediately if unable to log security audits: disabled
· Allow undock without having to log on: enabled
· Allow to format and eject removable media; Administrators and Interactive users
· Prevent users from installing printer drivers.
· Domain member: Digitally encrypt or sign secure channel data (always): enabled
· Domain member: Digitally encrypt secure channel data (when possible): enabled
· Domain member: Digitally sign secure channel data (when possible): Enabled
· Domain member: Maximum machine account password age: 30 days
· Domain member: Require strong (Windows 2000 or later) session key: enabled
· Do not display last logon user name; enabled
· Do not require pressing CTRL-ALT-DEL: disabled
· Number of previous logons to cache: 2 logons
· Prompt user to change password before expiration: 14 days
· Require smart card: disabled
· Smart card removal behavior: Lock workstation
· MS network client: Digitally sign communications (always): enabled
· MS network client: Digitally sign communications (If server agrees); enabled
· MS network server: Amount of idle time required before suspending session: 15 minutes
· MS network server: Digitally sign communications (always): enabled
· MS network server: Digitally sign communications (if client agrees): enabled
· Network access: Allow anonymous SID/Name translation: disabled
· Network access: Do not allow anonymous enumberation of SAM accounts: enabled
· Network access: Do not allow anonymous enumberation of SAM accounts and shares: enabled
· Network access: Do not allow storage of passwords and credentials for network authentication: disabled
· Network access: Let Everyone permissions apply to anonymous users: disabled
o Network access: Remotely accessible registry paths: System\CurrentControlSet\Control\ProductOptions
o System\CurrentControlSet\Control\Server Applications
o Software\Microsoft\Windows NT\CurrentVersion
· Network access: Remotely accessible registry paths and sub-paths:
o Software\Microsoft\Windows NT\CurrentVersion\Print
o Software\Microsoft\Windows NT\CurrentVersion\Windows
o Software\Microsoft\OLAP Server
o System\CurrentControlSet\Control\Terminal Server
o System\CurrentControlSet\Control\Terminal Server\UserConfig
o System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
o Software\Microsoft\Windows NT\CurrentVersion\Perflib
o MS Security Compliance Manager explains that MS Baseline Security Analyzer uses Remote Registry to work. The Remote Registry service is disabled in our current configuration, but can be re-enabled for this if needed. So these 2 registry settings have no bearing until Remote Registry service is re-enabled. These 2 settings are left as is because Windows 7 Home Premium has no tool to modify the settings in case you want to use MS Baseline Security Analyzer.
· Network access: Restrict anonymous access to Named Pipes and Shares: enabled
· Network access: Shares that can be accessed anonymously: blank
· Network access: Sharing and security model for local accounts: Classic – local users authenticate as themselves
· Network security: Do not store LAN Manager hash value on next password change: enabled
· Network security: Force logoff when logon hours expire: disabled
· Network security: LAN Manager authentication level: Send NTLMv2 response only, Refuse LM and NTLM
· Network security: LDAP client signing requirements: Negotiate signing
· Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128 bit encryption
· Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128 bit encryption
· Recovery console: Allow automatic administrative logon: disabled
· Recovery console: Allow floppy copy and access to all drives and all folders: disabled
· Shutdown: Allow system to shut down without having to log on: enabled
· Shutdown: Clear virtual memory pagefile: disabled
· System cryptography; Use FIPS compliant algorithms for encryption, hasing and signing: disabled
· System objects: Require case insensitivity for non-Windows subsystems: enabled
· System objects: Strengthen default permissions of internal system objects (e.g. Symbolic links): enabled
· System settings: Optional subsystems: blank
· System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies: disabled
· User Account Control; Admin Approval Mode for Built-in Administrator account: enabled
· UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop: disabled
· UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for credentials
· UAC: Behavior of the elevation prompt for standard users: Automatically deny elevation requests
· UAC: Detect application installations and prompt for elevation: enabled
· UAC: Only elevate executables that are signed and validated: disabled
· UAC: Only elevate UIAccess applications that are installed in secure locations: enabled
· UAC: Run all administrators in Admin Approval Mode: enabled
· UAC: Switch to secure desktop when prompting for elevation: enabled
· UAC: Virtualize file and registry write failures to per-user locations: enabled
These UAC settings above can be reversed by visiting Control Panel > User Accounts if you find it too tedious to keep on keying in your password. They are included in the configuration because it is a MS recommended setting.
These additional settings are added to configuration B separately because their some of the original setting values are undefined. And the command line tool cannot set items to undefined. But Home Premium does have the command line tool to apply these MS recommended settings as set out in Security Compliance Manager. So there is no ‘Restore B’.
To configure, right click on “Harden Win 7 Home Premium 64 Standalone A.bat” or “Harden Win 7 Home Premium 64 Standalone B.bat” and choose “Run as Administrator”.
Also provided in the package are Event Viewer 'custom view' xml files. These xml files setup filters for select event IDs, so that you get to see, for example, all login failures, in one screen, In Control Panel,> Administrative Tools > Event Viewer, simply click on ‘Import Custom View’ to import them one by one.
Also provided in the package is the firewall policy. There are one for standalone workstations and another for domain workstations. Only the standalone version is provided in the Home Premium package, as Home Premium cannot join domains. In Control Panel > Administrative Tools > Windows Firewall with Advanced Security, simply click on ‘Import Policy’ to import all the firewall settings and rules.
I am charging $5 for the automated configuration package. The configuration pack is available at : http://hardenwindows7forsecurity.com . All settings found in the configuration files are given in this document except for the Local Security Policy settings and the Access Control Lists (ACL). The ACLs enforce Least Privilege and is your last line of defense, and a very strong one. An intruder that made it onto your system while you are using a Standard account will have no way to execute any commands and modify your system.
Doing the automated configurations by hand will take you 3 to 4 hours of tedious work, and $5 is a fair price to ask for.
Automated Configuration 2
Microsoft has a tool called 'Security Compliance Manager' It has several sets of configurable security settings which can be applied for many of their products. The settings deal with Local Security Policies and Group Policies. It is available from here: http://technet.microsoft.com/en-us/library/cc677002.aspx What is great about this tool is that it provides explanations to all settings, a vulnerability summary and a countermeasure section for each setting. The settings can be applied to a whole domain as well as individually to standalone PCs. The tool also includes a restore to defaults feature, which is a lifesaver when settings don’t work as desired.
Configuration section omitted in Home Premium version of this document, because SCM uses Group Policy, which is a feature that Home Premium doesn’t have.
Applying Security Compliance Manager GPO Backups to Server 2008R2
Configuration section omitted in Home Premium version of this document
Last things to do
Run Secunia PSI, If you haven't yet done so.
Disable flash in your admin account. Internet Explorer > Gear > Manage Addons > Toolbars and Extensions > Show All Addons > Shockwave Flash Object > Disable button.
Disable Autoplay for all user accounts: Control Panel > AutoPlay. Choose 'Take No Action' for everything
Uncheck "Use AutoPlay for all media and devices"
Set IE to turn on ActiveX Filtering for all accounts. Gear icon > Safety > ActiveX Filtering.
Set IE to use Protected Mode for all zones. Gear icon > Internet options >Security tab > click each icon ( Internet, Local Intranet, Trusted sites, Restricted sites ),check mark Enable Protected Mode for each. Do this for all user accounts.
Control Panel/ Internet Options/ Advanced tab. Scroll to Security section. Checkmark 'Enable Enhanced Protected Mode' for all accounts.
Run Acrobat Reader to setup security.
Edit > Preferences
> Security Enhanced. Protected View : All Files
> Security Enhanced: Create Protected Mode Log File.
> Security Enhanced: Uncheckmark Automatically Trust Sites from my Win OS Security Zones.
> Trust Manager: Uncheckmark Allow Opening of Non-PDF file attachments
> Trust Manager: Internet Access from PDF outside the web browser – Change Settings button, select Block PDF file access to all web sites.
cd "\user\<yourStandardAccName>\downloads\chml" ( or wherever you saved chml )
chml "c:\users\<yourStandardAccName>\desktop" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourStandardAccName>\documents" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourStandardAccName>\pictures" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourStandardAccName>\videos" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourStandardAccName>\music" -ws:s:(ml;cioi;nwnrnx;;;me)
chml "c:\users\<yourStandardAccName>\downloads" -i:l
chml "C:\Users\<yourStandardAccName>\AppData\Local\Opera" -i:l
chml "C:\Users\<yourStandardAccName>\AppData\Roaming\Opera" -i:l
Create a System Restore Point
Do an Image Backup of the Hard Drive
This is important, your last option of recovery from an attack is restoring from backup. This backup saves all of the settings you have done so far so you don't have to repeat them when you need to reinstall Windows. There is a free image backup tool called Macrium Reflect, available from here: http://www.macrium.com/reflectfree.aspx . Use the tool to create a drive image and store it in an external USB hard drive. Don't forget to create the rescue CD.
Installation of New Software
When installing new software, sometimes the setup program needs to connect to the internet to download components. And also, it may create a exe inside a temp folder to do the downloading, and the exe is automatically removed when install finishes. On such occasions, it may not be possible to create an outbound allow rule for that exe. So the only solution would be to go to Windows Firewall with Advanced Security and temporarily set Outbound to allow for the Public profile. Just remember to set Outbound back to block when you have finished setting up that new program.
Remember to add the application to EMET if it is a internet application or it takes input from files downloaded from the internet