It is important to note, that after hardening a system, one has to test to see if the applications that you run still runs as expected. The ideal candidate of this project is a home user with no need for communications among PCs in the LAN. That is because the more network ports you open, the less secure you become.
For details of the Automated Configuration files, see the Automated Configuration section near the bottom of this document. They will also be mentioned as when applicable in each section though out the document.
Things you need downloaded beforehand IMPORTANT: Check the SHA hash and the Digital Signatures of files you download, if provided. If you are under attack, the attacker can perform a man-in-the-middle and modify your downloading and send you installers bundled with Rootkits to maintain their presence. I use QuickHash.
SHA is an integrity verifier. If you use Hash Tool to generate a SHA256, and compare it against the one given at the official download site, you are assured that you have downloaded an unmodified copy.
To see the Digital Signatures of a file, right click on a file, choose Properties, then Digital Signature tab. This reveals the company that signed the file. Then click on the Name of Signer, then Details button. It should say "This digital signature is OK". If it does not say that, then the file has been modified - discard it. Check that the signature is signed by the correct company name.
The Edge browser has SmartScreen. It is a reputation checker. SmartScreen looks at many things and it revokes trust when a download has done bad things on a user's computer. So if the file has a signature, it can revoke trust of anything signed with that signature if the signature has a bad reputation.
Firefox and Chrome also has similar protection. But they don't have data that only MS can know, because Windows sends a lot of data back to MS.
Firefox's SHA256 file is located at: https://releases.mozilla.org/pub/firefox/ . You have to go down into the current version's directory to locate the SHA256SUMS file. Then you generate the SHA256 of the firefox file you downloaded with HashTool or QuickHash, highlight and copy that; then open the SHA256SUMS file and CTRL-F, CTRL-V and Find.
Chrome doesn't post their SHA's. The explanation I found is that a unique ID is embedded into each download, so SHA wouldn't work for them.
Guard your installers carefully. Because attackers will try to infect them to maintain a presence on your machine. They know that after re-installing Windows, you will use them to re-install your favorite programs. If you store your installers on a USB memory stick, take care not to insert it into a online machine. Or buy a usb stick with a write protect switch from Amazon. As an added precaution, before you use each installer, check to see if it's signature is valid.
Today's malware/hack tools are very powerful and can survive a plain reformat reinstall of Windows. It is now standard practice to wipe the HD or SSD entirely with zeros when performing recovery.
To do so, use Rufus to create a USB out of the Parted Magic iso file. Start Rufus, go to boot selection and Select the iso file. Click Start.
Bring that over to the PC being installed, insert the USB and press the key to enter the BIOS. Set the Boot Order to try the USB first.
Boot the USB and when the desktop comes up, select Erase Disk icon. If you have a SSD, then choose Smart Erase - it will only take a few minutes. If you have a spinning hard drive, then choose then other options to zero fill the drive.
Most recent machines within the last 8 years have Secure Boot. This checks the boot up sequence against known signature so that a malware infected machine can remediate (automatically, I think). However, this makes some older CD and USB memory sticks not bootable. To boot older media you have to go into BIOS and unselect Secure Boot, and select Legacy.
As per normal, to securely install an OS, one should install it disconnected from the network. If you are using an Ethernet cable, disconnect the cable. If you are on WiFi, go turn off WiFi in your router, or simply power off your router.
To perform an upgrade from Windows 7 or 8.1, boot that version of Windows and run 'setup' from the DVD drive/USB memory stickif you want to keep your data. If not boot the USB and key in your Win 7 or 8 product key.Right after you reach the Desktop after install, right click on the Network icon in the systray, select Open network & internet settings, click Change adapter options, right click in Ethernet and WiFi and disable them. Because WiFi supports peer to peer networking, which works without a router.
Before we go on to hardening, it would be wise to create a drive image using Macrium at this point to capture a clean virgin Windows install. That way, if you want to undo all the hardening in one swoop, you can re-image the machine using this image file
AutoPlay is a problem when it comes to removable devices like USB memory sticks and CDs. Because it will run whatever program it is set for whenever you insert it. Hackers are known to casually leave CDs around in public washrooms and label it something like 'layoff positions for next quarter', Once inserted, their hacking tools will run in the background and call back to its master server. AutoPlay is the successor to AutoRun, and can be disabled in Windows. Do this for every account.
NOTE: It is essential to disable AutoRun and AutoPlay as the very first thing, because attackers will infect your USB memory sticks in an effort to remain in control of your machine even after you re-install Windows and proceed to re-install software off a memory stick.
Go to Settings > Devices > AutoPlay, set AutoPlay to off.
Right click on the clock in Systray and set the time and time zone with Adjust Date/Time. This is important because all logging is recorded with the date and time, and if the proper time, date and time zone is not set, then Log Viewer will have the wrong time for all events.
You can use the Windows Defender Antivirus included with Windows 10, it is quite good. If you really want to use a 3rd party antivirus, you must remember to do program updates frequently, especially around the time of Windows new releases. To proceed, install your antivirus program now. You would also need to specify a outbound firewall rule to allow the antivirus to fetch signature updates. Google for "<YourAntiVirusName> offline installer' and use that version because you should not go online before hardening.
Install your drivers that comes with the motherboard, like your chipset drivers, sound drivers etc.
Order of installation:
One of the main concepts underlying hardening is least privilege. It means to configure your accounts so that it is only capable of doing tasks the user account normally does, and nothing else. So a banking Windows user account can only go to various financial sites and run accounting software; and the blogging Windows account only goes to the blog site; and the Windows admin account doesn't go online at all (more on that later. None of the above accounts surfs around aimlessly or run applications unrelated to it's designated role.
Create accounts not by user'a name, but by the tasks you have to do. For example, machine administration, general surfing, blogging, accounting and banking ... etc. (Role Based Access Control (RBAC)) This will make it easier to detect intrusions. For example if you one day notice that your banking Windows user account is using OneDrive, then clearly something is wrong; someone else is on your machine and is saving your data online for later retrieval
Another angle to approach this least privilege idea is to apply a concept called need-to-know. E.g. your gaming Windows account has no business knowing what you do to manage your finances. So you create separate Windows accounts for each, and you can restrict access to your financial accounting software to only the banking Windows account. You can do this by right clicking on the accounting application and choose Properties > Security; then remove the Users group (which is the group name for all non-admins), and add the banking Windows account giving it the right to read and execute.
If a certain piece of data is top secret, you should not risk having it exposed to the internet at all - install that program on an older standalone and non network connected machine; no Ethernet cable, no WiFi.
One of the first things you should do in line with least privilege is to create a Standard user account, and use that account for your daily work. Only login to the administrative account to install programs, configure networking, or do system maintenance tasks. Because when you are working in a Standard account, any malware or attacker that makes it onto your system will inherit your privilege and not have admin privileges to make system wide modifications. And that is a win for you.Hardening means to configure your system so that it is only capable of doing things you normally do, and nothing else. So, that means that if a feature in Windows is not used, it is to be turned off, or disabled. One part of hardening is minimization of capabilities.
The reason behind it, is that the more features you enable, the larger your attack surface is. It means you have more to defend. And one vulnerable spot is all it takes to get hacked. The more features you have, the more potential bugs ( some security related ) you have. Now attackers know a lot about the security bugs in the system - that's how they attack. If you go live on the internet with all features turned on, the attacker would have a lot of choices. If you disable unused and insecure features, then they would have less to play with. If you disable a feature today and some hacker finds a vulnerability in that feature in the future, you will have already dealt with the problem.Hardening also deals with tightening of firewall rules. Concepts like Default Deny ties into it. If you don't want to read the whole document, go find the "Windows Defender Firewall" section and at least read that. The firewall is the front gate defense mechanism that an attacker will encounter, and you should configure it carefully. It is also the last chance of stopping a malware from calling home.
Create all the user accounts now. It will be more difficult to create accounts later when everything is hardened. (You will need to run Restore Windows Services.bat and re-run Harden Services.bat again after finishing) Go to Settings > Accounts > Family & other users > Other users and click on 'Add someone else to this PC'. Then, switch to that account and sign in; letting Windows complete the account creation process.
Now that you have separate accounts, when you have to move things across accounts, you can use the \Users\Public\Documents or \Users\Public\Downloads or \Users\Public\Pictures etc folders as a temporary holding place. Because the Public folder is accessible to all accounts.
Control Panel, select 'View by: Small Icons'. This shows all the configurations choices available.
When MS released Vista, there were some complaints about UAC asking for confirmation to do this, that and the other. So MS made a compromise in Windows 7 and allow customers to choose what level of prompting they want. Know that turning completely off UAC also means turning off Protected Mode in Internet Explorer, and not too many people realize that a major piece of protection is now turned off. UAC pops up mostly during the setup phase, once you have finished setting up your computer, you will rarely encounter it.
Control Panel\All Control Panel Items\User Accounts\Change User Account Control Settings
Move slider to top
Windows network has 3 network types, domain, private and public. Work and home are similar and are labeled as 'private' under it's firewall tool. The private setting is set to allow 'network discovery', so that Windows is allowed to talk to other PCs. The public setting is the most secure and is meant to be used at cafe hotspots, airports etc. If your network contains insecure PCs, then you should set the network profile to public. The domain setting cannot be chosen by the user, and is used after the PC has joined a domain. Since we are hardening the PC, we want the most secure setting, and only allow Windows to talk when it is called for. So for those that intend to join a domain, choose the private profile; and if not, choose the public profile.
If you selected Private and later want to change it to Public or vice versa, here's how:In order for a attacker to hack you remotely, he needs to interact with a network facing program running on your PC. Some networking components implement protocols. Networking protocols are grammar rules for bits and bytes to communicate with other PCs. And each has weaknesses. So unless your environment requires that a protocol must be used, we will want to disable all except the bare essentials. More protocols mean a larger attack surface.
The only protocol you really need is IPv4. And most networking equipment requires IPv4 in order to function. IPv6 will be increasingly necessary as we have run out of IPv4 addresses. As of this section's writing ( Windows ver 1803; May 2018) big ISP's has begun shipping IPv6 capable router/modems.NetBIOS over TCP/IP is not required because NetBIOS is already active without this option. Disabling NetBIOS over TCP/IP should limit NetBIOS traffic to the local subnet.
The Discovery protocols are used to provide a nice graphical map of your network. For home users, this is not needed, as there is only one router. You would only get to see a picture depicting your PCs connected to your router. For Domain users, this feature is automatically turned off once you join the domain.
File and Printer Sharing should only be enabled if you plan to share some of your folders on the network or if you want to share your locally connected printer over the network. If printer sharing is desired, it is better to get a printer that has networking built in, so that when attacked, they only gain access to a printer instead of your PC. Disable this feature unless absolutely required.
Control Panel\Network and Sharing Center\Change Adapter SettingsSelect 'Internet Protocol version 4 (TCP IPv4), click Properties, click Advanced,
In line with layers of security, besides deactivating security protocols, we will be disabling services that serve these protocols. (see 'disabling vulnerable services' section below)
If you have the Automated Configuration Pack, you can open "No Netbios.reg". Then reboot the computer.
If you have the Automated Configuration Pack, you can double click on "NoTCPIP6 All.reg" to disable all TCP/IP6, or you can double click on "NoTCPIP6 Tunnels.reg" to disable all tunneling protocols.
TCP/IPv4 has a feature that allows an attacker to specify the exact path a packet will take to reach it's destination. It is seldom used and could allow an attacker to map out a network or reach machines which are normally off the internet. ( Ones which have a random gateway specified.) This is undesirable and can allow the attacker to reach your SIEM like Logalyze, for instance. Open regedit and go to this address: HKLM\System\CurrentControlSet\Services\TCPIP\Parameters and make a DWORD DisableSourceRouting and set it to 1.
If you have the Automated Configuration Pack, you can double click on the file "Disable Source Routing.reg"
The intention of UPnP is ease of configuration, so such things as games can auto-configure the firewall to let other players from the internet join in. However, with users each poking holes into your firewall with UPnP, pretty soon it will be Swiss cheese and cease to function as a firewall. It is better to configure firewall rules manually so that each firewall rule is known and accounted for. If your hardware firewall or router has an option to disable UPnP, do so.
Regedit
HKLM\Software\Microsoft\DirectplayNATHelp\DPNHUPnP
right click on right pane, new dword:32 bit,named UPnPMode
Double click on that and set the value to 2.
If you have the Automated Configuration Pack, you can double click on the file "UPnP.reg"
When you run the command 'netstat -abn', it will show you which ports are open and listening to the network. Normally, you would want to close those ports unless you really need them. Windows 10's listening processes and their port numbers are RPCss ( 135 ), eventlog service ( 49409 ), Spoolsv ( 49410 ), schedule ( 49411 ), lsass.exe ( 49414 ). (The port numbers above 49152 can change between reboots), However, the default firewall policy for inbound traffic is to 'block' for all network profiles ( domain, private, public ). That means nobody can touch those listening ports unless the firewall is off, or you have made inbound 'allow' rules to pass traffic onto those processes. This has been verified by connecting to them with telnet and all attempts failed, unless one turns off the firewall or makes 'allow' rules. Also, as far as I can determine, all of those processes are essential to Windows, especially RPCss and lsass.
The basic principle for configuring firewalls is 'default deny'. That means all traffic is to be blocked unless you have made a rule to allow it. Those rules are your 'whitelist' of known good and currently used applications, services and protocols.
Window's firewall's default policy is set to inbound deny and outbound allow all. 'Outbound allow all' eases configuration, doesn't follow the default deny principle, and is not ideal. MS's policy of Outbound:Allow is what it is because they reason that they have an onboard antivirus program, so all programs on a PC are clean and uninfected. Thus, they reason, all programs can be allowed outbound. Now we know that their antivirus can fail to find malware - that's why there is a healthy choice of anti-malware programs on the market. So, we should set the firewall to Outbound:Block, to stop any malware calling back to their home base. Then we allow each program outbound privilege on a case by case basis. Like allowing MS Edge to call outbound to port 80 (http) and port 443 (https). It is best to be very specific and detail oriented when allowing outbound access. We do not want to allow blanket access to ports 80 or 443 without specifying the browser program because malware writers know these 2 ports are generally allowed, and they will try to tunnel thru these 2 ports to reach their malware servers. By also specifying the browser program, in addition to the ports, their malware can be stopped.Likewise, there are other ports that are generally open: like UDP port 53 (DNS). For this firewall rule, we can specify the destination ip address. For example Cloudflare's 1.1.1.1 and 2606:4700:4700::1111, or Quad9's 9.9.9.9 and 2620:fe::fe. This narrowly specified rule also helps stop malware from abusing this port to call malware servers.
Another is port that is generally left wide open is UDP port 68 (dhcp client). This is a default firewall rule because MS cannot know in advance where our DHCP server is. To find out, open a terminal and type "ipconfig /all" - it will give you the DHCP Server address. DHCPv6 talks to your ISP to get an address, so again this is unspecified in the default rule.
Most people don't know that you have to turn outbound blocking on. But when you turn on Outbound:Block, you will quickly run into a problem. it is missing a feature that tells you what programs it has blocked outbound. And because of MS's stance of Outbound:Allow, there is no such feature in Windows Defender Firewall to report a deny for an outbound program. There is a free add-on called BiniSoft Windows Firewall Control that can solve this problem. Without BiniSoft, after installing a program that needs to connect to the net, like your antivirus program, you have to test those exe files one by one to see which is responsible for talking and then allow that exe to talk with a outbound rule.
Important: Before you make any changes to the firewall rules, go to the right side menu and choose 'Export Policy' and name the policy file 'default'. That is because the Restore Default Policy option does not give you back the current defaults; it gives you the defaults from a much older version of Windows 10. MS has been notified.
Start > All apps > Windows Tools > Windows Defender FirewallHowTo allow a windows service outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Custom', next to 'Services' click customize, select 'Apply to this service', scroll and find 'Windows Update', next, ports and protocol - (no change), next, IP addresses ( no change ), next, select 'Allow The Connection'. Checkmark all profiles,next. Give the rule a name, eg "Allow service X".
HowTo Allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule', Select "Program", next, select "This program Path" and click on "Browse" button, Navigate to program folder and select the EXE, next, select "Allow the connection", Checkmark all profiles,next. Give the rule a name, eg "Allow Program X".
HowTo Allow communication to a destination port # and IP address: Click on Outbound rules on the left. Click on 'New Rule'. Select 'Custom'. next. Select 'All Programs'. next. For 'Protocol Type' select 'TCP' or 'UDP' as the case may be. For 'Remote Port', select 'Specific Ports'. Then type in the port number(s) below. next. For 'Remote address this rule applies to' select 'These ip addresses'. Click 'Add' button, and in the following dialog box, type in an ip address into 'This ip address or subnet'. ok. next. Select 'Allow the connection'. next. Checkmark all profiles,next. Give the rule a name, eg "Allow out to port ### on server YYY.
HowTo Allow or Block a Package: Click on Outbound rules on the left. Click on 'New Rule'. Select 'Custom'. Keep clicking Next button until you see "Allow the connection" and "Block the connection", select the one you want. Click next until you reach Finish, and name the rule. Then choose the rule just created and select Properties. Go to 'Program and Services' tab. Go to 'Application Packages' settings. Go to 'Apply to this application package' and select the package. OK. OK.
The following rules applies to all 3 profiles: Domain, Private and Public
Several rules needs to be customized
Core Networking DNS (UDP) out, go to the rule's Properties > Scope tab and Add the Remote IP Address to your Windows Server's ip (if you have one), and then 9.9.9.9 and 1.1.1.1 and 2620:fe::fe and 2606:4700:4700::1111 .
All routers has a DNS function but Quad9 DNS (9.9.9.9, 2620:fe::fe) checks and disables malware addresses. And the second choice CloudFlare DNS (1.1.1.1, 2606:4700:4700::1111) is super fast.
So, DNS queries will go first to your Windows Server (if you have one) and then Quad9 and ClouldFlare and only they can respond to it. Allways narrow down the firewall rules to ip's which are allowed, if possible. So one wouldn't be possible to add a remote ip scope for your browser because it goes all over the internet.
The outbound rule for C:\Program Files\Windows Defender/MsMpEng.exe has to be used because MS has stopped us from peering inside C:\programdata\microsoft\windows defender\platform to see the exact version number and exe's. This rule allows Windows Defender anti-malware to go online and consult their cloud based rules when scanning.
The last one is related to outbound Windows Time rule. By default, Windows Time service uses time.windows.com for it's time server. You have to go to Control Panel > Date and Time and update your time zone. Then go to the Internet Time tab > Change Settings button and change the server to your router's ip address - some routers have a time server. Then click Update Now twice to test it. If you get a failure then your router doesn't have a time server and you have to leave the destination address open. Because the domain windows.com has a lot of ip addresses; and you cannot predict which server resolves to time.windows.com. You need accurate time and date for a) Windows Activation, and b) when you need to access Event Viewer - it helps to see the real time when an event happened, so that you can correlate events between machines, especially during an intrusion investigation.
Side note, if you wish to receive a reply when you ping your machine, then enable ICMP in and ICMP out rules.
Whats left to be done is to disable any rules for apps that you don't use, inbound and outbound. For instance, if you don't use a MS Account to sign in, then mail, calendar and Windows Store you won't be able to use, and also you won't need the rule for AuthHost. If you don't have any IoT (Internet of Things) devices like Amazon Echo, then you don't need the AllJoinIn rules. If you don't want to send feedback messages to MS, then Feedback Hub rules can be disabled. If you don't use Groove Music, then Groove rule can be disabled. If you don't want to share photos, then that could be disabled. If you don't want Sticky Notes to go online and fetch related info, then you can disable that. If you don't use your computer to watch Movies and TV, then that can be disabled. If you don't plan on printing 3D objects with a 3D printer, then that can be disabled. XBox is another rule group where you can disable if you don't have one. Some of these rules have both inbound and outbound counter parts, when disabling, you need to do both. If you are not sure about a certain rule, Google for the term, and you will find out what the technology is for and if you have to use it. Remember the safest way is to follow the Default Deny principle, if it ain't going to be used then right click and disable the firewall rule. MS has chosen to enable rules for apps that maybe popular. But it should be the other way around, default deny and give explanations for the rules so that people can enable them themselves.
Side Note: You can disable several rules at once by clicking on the first line, and Shift-clicking on the bottom line, then right-click and choose Disable
Some Win apps (like those downloaded from the Store) install Inbound allow rules to itself. When you install an app, you should check the Inbound rules to see if any new rules have appeared, and disable those if you don't want inbound traffic to that app. Note that an inbound rule to an app essentially makes that application a server. That is, it will accept any transmission to itself all the time, and can be exploited
To preserve your firewall rules from MS modification, you will need to export the rules. And re-import them when they change. BiniSoft Windows Firewall Control has a solution for that, see below.
Do NOT enable FIPS in Local Security Policy > Local Policies > Security Options, or else you will not be able to Import Firewall Policy in Windows Defender Firewall with Advanced Security.
Local Security Policy > Local Policies > Security Options > System cryptography: Use FIPS compliant algorithms .."Windows Firewall doesn't notify you when an application calls outbound when outbound policy is block. BiniSoft Windows Firewall Control is an add on app that gives you that feature. It is also particularly useful also to have it create a 'temporary rule' for the times when you use web based program installers. You get this in their notification pop up.
Windows has a lot of programs that call outbound, and they are not just Windows' services (which we pruned further on down in the document). And since the default policy is outbound allow all, most people are not aware of them. We apply the default deny principle and set outbound policy to block which is BiniSoft's Medium Filtering Policy. Apart from the outbound rules set up above and allowing your browser, there is little else needed for Windows Activation and Windows Update and general web surfing. However, when outbound policy is set at Windows' default allow, those Windows programs go outbound, like SystemSettings, applicationFrameHost, taskhostw and tons more. Even though they each have a particular MS server to go to, an attacker will be able to spoof the MS server's ip and send malicious attacks to these poorly defended Windows applications. MS is relying on the firewall state that is set when those programs go outbound to protect and verify that any 'returning' traffic would be legit. But when attackers monitor traffic on compromised public routers, or otherwise spray their exploits, then all those Windows applications are ripe for attack. So, since the essential outbound rules are set as above, then you can ignore or block any notifications that BiniSoft displays. If you want to be cautious, then you can respond to the notification by blocking the program for X minutes
The second feature of BiniSoft is that it can create a temporary rule for a program installer. When you turn on notification and get BiniSoft's notification that your program installer wants to go outbound, on the right side of that notification, you get the choice to create a temporary rule, which should self-erase after the installer exits. If it doesn't, you can find the rule easily because it is in blue font. This eliminates the need to choose BiniSoft's Low Filtering Profile, which is an outbound allow all policy. To turn a Temporary Rule to a permanent one, right click the rule and select 'Add to Group' > 'Windows Firewall Control'.
The Notification setting is turned off. Nothing more needs to be allowed for Windows Activation, Windows Update or browsing, except adding an outbound rule for your preferred browser and antivirus. Do Not be tempted to allow executables to go outbound just because a popup prompt comes up, this guide has already filtered out the non-essentials.
You can turn on Notifications if you are installing new software and want to allow it onto the network. However, be careful to only click 'Allow this program' or 'Allow temporarily' ( one makes a rule and the other makes a temporary rule ) for the program you are installing. There will be numerous pop up's for Windows components like 'svchost', 'system' and others among the one software you just installed. Remember, this guide has already filtered out the non-essentials. Just allow the software you are installing only.
BiniSoft has a Secure Rules feature. It can stop unwanted changes to your rules. You define your rules and give it a Group Name. Then you put all the group names you want to keep intact in Main > Security > Authorized Groups. To change the Group of a particular rule, right click on the rule in Rules Panel and choose 'Add to Group'. By default, rules that belong to the built-in group "Windows Firewall Control" are always kept.
In Main > Security, you get to choose if the unauthorized rules are deleted or disabled. Then you checkmark Secure Rules. If you choose to Disable unauthorized rules (safest way) then all the unauthorized rules will be renamed and disabled. You can still recognize a Windows built-in rule should you ever want to enabled it. However, BiniSoft currently (v6.8.2.0) has a problem in that some rules are shown as their windows package names. For example the rule for "Microsoft Store" is displayed as "Microsoft.WindowsStore_11805.1001.49.0" in the BiniSoft rule panel. I have contacted the developer and he says it is the name returned by Windows API. And he will look into it further. I have included a file "firewall rule app packages.txt" that list the Windows firewall rule name and the windows package name.
A note about firewall rules. The trick is to minimize the connections to the internet. This reduces your attack surface. The more programs you allow to connect, the higher the chance that one of them has a security vulnerability. AND ALL IT TAKES IS ONLY ONE, and the whole pyramid of cards will come tumbling down. The attackers have the advantage. Microsoft, in their infinite wisdom, have allowed 96 applications to have inbound allow rules. After each Windows Update, these 92 inbound allow rules will be re-enabled. They may have limited each app's rights, so that you only lose control of, lets say, your contacts list. They might have double checked the coding. But witness the long time SMB v1 protocol which has been around for 15+ years. Network admin veterans rely on it because it is "time tested". It turns out there IS a security flaw. And the WannaCry ransomware took full advantage of it and spread like crazy, causing untold millions of dollars of damage. Doing threat models, limiting application rights and secure coding are all great things, and security has improved. But you have to remember that an exploit is an attack that can do non-ordinary and unexpected things. If the security flaw is of the kind which that can 'run arbitrary code' ( MS's term, used in MS Security Bulletins ) then your limited application rights, threat models just don't count anymore. Because run arbitrary code just means the hacker can run anything - install a rootkit, destroy your documents, erase your photos, whatever is your sense of the worst disaster. The goal of a firewall is to close off any venues of attack, before they have a chance to touch vulnerable code, and only to allow known and necessary network traffic. Default Deny is the safest way of designing firewall rules.
Outbound connections are also SO important. Lets say the that some Windows system exe calls out to MS server XYZ. For example wermgr reports Windows system problems to MS, and expects to receive an acknowledgment. Well, attackers also know that MS XYZ server's ip address. A firewall will correctly remember that wermgr connected outbound to that ip, and correctly allow the acknowledgment from the same ip back in. The hacker can easily send an attack bearing the XYZ server's ip. AND it will pass right through the firewall, unhindered. So, security vulnerabilities that exist in mundane tasks, that run only once in a while, could be usable by attackers. Because the attacker can blast out attacks spanning a wide spectrum of destination addresses, non stop, and if a couple of PC has just sent out an error report to MS's XYZ server, he is inside instantly. His payload will begin downloading malware, and the takeover begins. If your router/hardware firewall has a logging feature, you can see evidence of this 24 hrs a day. Attackers banging on every door, checking to see if their exploit's target vulnerable code is running.
And if the outbound policy is set to disallow, then the allowed applications needs scrutiny. MS enables some 40+ applications outbound in Windows 10 v1809's firewall outbound rules. The writer has received attack(s), when those rules are active, but has not narrowed it down to a particular one. (the attacker has not attacked 40+ times) But smart attackers don't over expose their prized possessions - their attack exploits, lest some security researcher catches and analyses it.
After you have finalized your rules, go to Main > Security and enable Secure Profile and Secure Rules. This will disable all rules which don't have Group Names specified in Security > Authorized Groups. Note, this feature will then forbid you to import rules from within Windows Defender Firewall UI - you will have to import rule thru Windows Firewall Control > Rules > Import Windows Firewall Rules from a File. If you need to enable a rule after Secure Rules has been turned on, you can right click on the rule in the Rules Panel and choose "Add to Group" and choose the group named "Windows Firewall Control".
Delivery Optimization is designed to save bandwidth when performing Windows Update. It caches the update for a short period and sends them over to another PC in the LAN. You can stop update downloads from other PCs so that you trust only Windows Update. But you can't totally stop uploading updates to other PCs on the internet.
First go to Settings > Update and security > Delivery Optimization and turn off Allow download from other PCs. Then click on Advanced Settings and checkmark "Limit how much bandwidth is used for Uploading" and make them the minimum.
Windows will automatically search for a HTTP Proxy for each account by default. A HTTP Proxy is a server service that receives HTTP requests and forwards the request to the internet. Usually it is used to filter web site request to ban certain web sites. And companies use it to enforce policies like banning Facebook and other productivity draining activities. Most home environments do not have a HTTP Proxy server. If an attacker plants a HTTP Proxy service on your network, then she can monitor your web activities. Or even redirect your web requests to a malicious site. This should be turned off.
Go to Settings > Network and Internet > Proxy and turn off 'Automatically detect settings'
Windows Media Player can execute scripts embedded into a media file. For example, openining a song file can automatically open up a web page, which could be rigged to deliver malware.
If you have the Automated Configuration Pack, you can right click on "Disable Windows Media Player Scripting.reg" and choose Merge.
When activated, Software Restriction Policy will prevent any program from running except if it is residing in \Program Files or \Windows. That means any downloaded malware in Temporary Internet Files or elsewhere will not be able to run. ( browsers and plug-ins sometimes have vulnerabilities to let infected web sites to force them to download ) Since you will be running as a standard user daily, that malware cannot install itself to the above 2 locations, because you need admin rights to do so. So you are covered against unwanted Desktop programs running.
Feature not available in Windows 10 Home.
Simple SRP 2.1 is a free tool that provides the majority of the functionality of Windows\92 own SRP in a small program that sits in the systray. And it works on Windows 10 64bit.
This program provides crucial protection to Windows 10. After installation, only programs in \Program Files and \Windows will execute. So in order to run the BAT files of this guide\92s automated configuration, you need to choose the tool\92s UnLock from the right click menu, which will give you 30 mins of unlocked time.
The program installs into \Windows\SoftwarePolicy. Configuration is done via an .ini file that can be accessed and edited from its menu. There are some configuration items that need modification. Right click on the program\92s systray icon and choose Configure. Notepad will start.
Add the following extensions to the end of "File Extensions": VBS,JS,JSE,OTF,SCT,SHB,VBE,WSF,WSH,PS1. Then remove the ';' from the beginning of the line.
Locate "includeDLLs" and set it to 1.
Next, add the following lines underneath [Disallowed]
C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics=1
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files=1
C:\WINDOWS\Registration\CRMLog=1
C:\WINDOWS\Tasks=1
C:\Windows\Temp=1
c:\windows\tracing=1
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update=1
C:\Windows\System32\Tasks\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync=1
C:\Windows\System32\Tasks\Microsoft\Windows\Speech\HeadsetButtonPress=1
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam=1
c:\windows\System32\com\dmp=1
c:\windows\System32\FxsTmp=1
c:\windows\System32\spool\PRINTERS=1
c:\windows\System32\spool\drivers\color=1
C:\Windows\System32\spool\SERVERS=1
c:\windows\System32\Tasks=1
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter=1
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader=1
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem=1
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient=1
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\WCM=1
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System=1
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update=1
c:\windows\SysWOW64\com\dmp=1
c:\windows\SysWOW64\FxsTmp=1
c:\windows\SysWOW64\Tasks=1
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter=1
C:\Windows\Temp\DiagTrack_alternativeTrace=1
C:\Windows\Temp\DiagTrack_aot=1
C:\Windows\Temp\DiagTrack_diag=1
C:\Windows\Temp\DiagTrack_miniTrace=1
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam=1
C:\windows\temp\mptelemetrysubmit=1
psexec.exe=1
wscript.exe=1
cscript.exe=1
mshta.exe=1
cmd.exe=1
powershell.exe=1
powershell_ise.exe=1
wmic.exe=1
system.management.automation.dll=1
C:\Windows\System32\backgroundTaskHost.exe=1
ntvdm64.dll=1
lxssManager.dll=1
finger.exe
The above 'disallowed' rules are made because those folders inside \Windows are user account writable. Because the default allow rules allow any program inside \Windows to be executed, an attacker can place her programs in any user writable folder inside, for example, \windows\System32\FxsTmp and get it to run.
Note: To correctly install Windows Defender Platform Updates from Windows Update, you have to remove the line \Windows\Temp temporarily . Take care to remove the line temporarily and put it back in, if you notice a Windows Defender Platform Update is coming in.
You have to exclude OSArmors warning several times so that it remembers SoftwarePolicyStart and SoftwarePolicy's various startup methods.
In recent months (Apr 2017) there have been attacks that do not utilize malware but uses Windows' built-in scripting engines to execute script lines. As such, there are no files in the payload for antiviruses or anti-exe's to detect and block. (The anti-exe Voodoo Shield is an exception in that in it's locked mode it prompts the user if Powershell is run) Nevertheless, it is sound protection to use SRP to block the execution of script engines until you temporarily unlock to run a script.
Now extract the AccessChk.zip file that was downloaded. Then create a 'find SRP block paths.bat' with the following lines:
accesschk -w -s -q -u Users "C:\Program Files"
accesschk -w -s -q -u Users "C:\Program Files (x86)"
accesschk -w -s -q -u Users "C:\Windows"
accesschk -w -s -q -u Everyone "C:\Program Files"
accesschk -w -s -q -u Everyone "C:\Program Files (x86)"
accesschk -w -s -q -u Everyone "C:\Windows"
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files"
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"
accesschk -w -s -q -u "Authenticated Users" "C:\Windows"
accesschk -w -s -q -u Interactive "C:\Program Files"
accesschk -w -s -q -u Interactive "C:\Program Files (x86)"
accesschk -w -s -q -u Interactive "C:\Windows"
Place the bat file into the folder where you extracted Accesschk.exe, and run it file to find out which folders on your system you need to add to the Disallowed section.
Lastly, if you use the Opera browser, find in the [LimitedApps] section the line 'Opera=...' and place a semicolon (;) in front of the line to exclude Opera from protection, because Opera v30 (the latest version as of this section's writing) will not function with this enabled.
Save the file, exit Notepad and apply the policy.
The above configures the program to require a Windows admin account password. And it secures the mentioned paths under \Windows which can be modified by users to prevent malware from executing from in there.
Also, you can add a \93;\94 in front of these lines to remove extra menu items, as they add clutter to the right click menu:
;(C:\)=explorer.exe C:\
With Windows 10 Fall Creators Update v1709, Windows Defender gains anti-exploit features. It is MS EMET transcribed for Windows 10 with new additions. And it does not require the Secondary Logon service. You can add programs to be protected. Go to Windows Defender Security Center > App and Browser Control > Exploit Protection Settings to take a look. From there, click on Program Settings > Add program to customize. A good program to add would be your browser.
Windows has some minimal default anti-exploit settings for system files. I have chosen to augment them for svchost.exe and others because the custom settings have more protection features. Other programs added also included are the ones mentioned in the outbound and inbound 'default' firewall rules which MS re-enables after each Windows Update. To load those settings:
Windows Defender > Virus & Threat Protection > Ransomware Protection > Manage ransomware protection > Controlled Folder Access=On
Note that turning on Controlled Folder Access will forbid applications from creating files in documents folder. So for example, further down in this document, it tells you to create a baseline by using "driverquery > out.txt". This command will fail to create the out.txt because cmd.exe is not allowed to touch your Documents folder.
MS hides certain features of Windows Defender if you don't have the hardware for it. For example: Core Isolation. If you have this item you will find inside a switch to turn on Memory Integrity. This item is not compatible with some DLL's and may make certain apps like Oracle's VirtualBox not work. The thing to do is turn it on, and test your apps.
This is another item that MS hides if you don't have the hardware.(UEFI) To have this feature you have to disable "Legacy" option in BIOS and choose UEFI Secure Boot, and then install Windows. Installation from a DVD will be alright, but for USB, you will have to make sure the USB memory stick was created for UEFI in Rufus
DCOM is an ancient technology envisioned during the heyday of distributed computing. It is best disabled.
OSArmor (free) stops certain kinds of exploits and payloads. It isn't signature based, so it doesn't need to connect to the net. It can protect your browsers and office programs, and stops potential malware that execute off your USB memory stick. It also prompts you before you can run a script; like the bat and powershell scripts in this Configuration Pack. That is because it is common for attacks to exploit a program and then launch a script.
The way to use it is to first right click on the OSAmor systray icon, open Configurator, and check mark everything except Advanced tab > Block specific system processes > Block execution of NetSh. (NetSh is used by this guide to automatically take your admin account offline after sign in) Then carry on as usual. When it finds anything suspicious, it will prompt you. If you are performing an action like opening Event Viewer; which will issue a warning. You have 2 choices: a) Respond to the prompt by clicking on the Exclude button. This will populate the Exclusions Helper with what action you just performed. Then click on Add Exclusion button. If you don't plan to use this action often, then: b) Go to OSArmor > Protection > Disable Temporarily > 10 mins. After the application has opened, you can immediately set Protection back to Enabled. You don't have to have protection disabled while running the application. Be careful not to Disable OSArmor while online.
Finally, you can see what attacks or commands that were blocked in the Logs choice by right clicking the OSArmor systray icon.I have seen in the OSArmor Logs and popup Notifications that I have been attacked via an unknown firewall opening and the attacker was running 'NET1 USE ADMINISTRATOR' in an attempt to gain admin privileges. That the logs showed that those commands were executed, I know that the attackers were able to connect and get a command prompt, or something close to that. OSArmor is great at stopping these kinds of attacks. It stops unusual attempts to run system tools. And upon seeing them, I knew I had to take remedial action.
So I restored my drive image from a known good state (right after hardening). Then I tightened up my firewall rules - I removed IPv4 DHCP IN and DHCP out and assigned a static IP to my Ethernet. That removed 1 unused connection opening. Then I removed the AUTHOST and WWAHOST outbound rules - I don't use MS Accounts. Then I imaged the drive again with the new settings and saved it. So lets see if the same attacks happen again; then I would know that the vulnerability opening has not been closed and I need to harden further.
Most people are aware that services can be security problems, and that some should be disabled. The culprits are partially network services that listen to the net. Anything that takes input from the net is candidate for manipulation by attackers. When one looks at the list of services that are disabled below, one might say that there are no known exploits for such and such a service. But the principle again is least privilege. Only those services that are needed should be active. And we don't want to wait until an exploit hits the security news sites and then take action. Least privilege is a pro-active, preventative concept.
There are various servers in the list of services which listens 24x7 to everybody sending them stuff.( which includes exploits ) Like the simply named 'Server' service that is responsible for File and Printer sharing. Another server is UPnP Device Host, which lets other PCs interact with devices on this PC. Components that allow remote management are also turned off - like Remote Registry and Windows Remote Management. The first allow other PCs to change your registry; and the second allows remote shell access. The Secondary Logon service is turned off, because it let command line users run programs as admin. It requires the admin's password, but then attackers have all day to figure that out. DNS Client used to be not needed, but MS has changed that in v1809 so that it can't be disabled. I have left 6 services on Automatic/Manual start which do react to inputs from the net, These services tell other windows programs about your network and allows you to choose your firewall profile (public or private). One of them is related to Direct Access, which only can be used in an environment that has Windows Servers, but I found that disabling it causes networking to malfunction.
There is another angle to services that makes some more desirable targets, and that is the account that runs them. The System account is all powerful and is equal in power to administrators. A network facing service which use this account, like the WMI Performance Adapter (gone from v1809) or the Printer Extensions and Notifications, will be prized, A service running as System will also be targeted by attackers who gained entry into a Standard account, they will try to take over the service to gain System rights. (This is called "escalation of privilege").
There are some services which activate if you have the right equipment, like. Microsoft iSCSI initiator service, Bluetooth support service, Fax, SmartCard. SmartCard removal policy and WWAN autoconfig are all dependent on specific hardware. In my personal configuration, they are all disabled, because I don't have them. In particular, Bluetooth support service is one that ought to be disabled if one doesn't have any bluetooth peripherals; it is a networking component that can be abused by attackers, and there are free hacking tools available. It is not disabled in the default configuration file because I don't want someone to apply the config and suddenly find that their keyboard or mouse doesn't work.
When you configure services, clicking on each will display a description. If that is not enough for you, you can check out http://blackviper.com, sometimes they have additional information..
If you have the Automated Configuration Pack, you can set up the services by right clicking on "Harden Win 10 Home Services.bat" and choosing "Run as Administrator"
Items in <angle brackets> are optional and not setup in the Automated Configuration file.
Right click on Start button/Control Panel/Administrative Tools/Services
Right click on the following services, choose Properties and set Startup Type to Disable.
Name (Original Mode), what it does
---------------------------------------------------
WARNING: Geolocation service:(manual) used by cortana, If you disable this one, you won't be able to reset it back to normal again. Current Windows bug as of 2015-Aug-19 Update 2018-10-05 Fixed in v1809, so you can now disable it if you don't like Windows'location tracking
If you have the Automated Configuration Pack, my personal additional settings are in "My Personal Win 10 Home Disabled Services.BAT".
If you have the Automated Configuration Pack, you can additionally disable the non-configurable WinHTTP Proxy Auto Discovery Service. It provides an API that even Edge doesn't use. Right click on the reg file and choose Merge.
There should be limited logins available from the network. The 2 local security policies are set also in the Harden Win 10 Home Services BAT file if you have the Automated Configuration Pack.
However, if we stop user and admin accounts from login through the network, then Simple Software Restriction Policy will stop working. However we are still protected by Windows Firewall. So the accounts that are denied are: Guests, Anonymous Logon, NETWORK SERVICE, SERVICE, and LOCAL SERVICE.
Whenever you choose to install a new application, you need to consider it's security ramifications. For example an older app which needs admin rights and accesses the internet is bad. That's because one successful attack will give the attackers admin rights over your machine. Another thing is listening apps. Technically they are servers, like a FTP server. As revealed by doing 'netstat -abn' from an admin command prompt, and any such apps listens 24x7 to anyone who cares to connect. While you may sleep, servers do not, and you won't be around to monitor it's security. One may point out that FTP servers have username and password protection. But attackers don't usually attack the main entrance. If you are deploying a server, it would be a good idea to restrict connections to your friends' ip address in the firewall rules (bearing in mind that home ISP's change residential ip's frequently, and you'd have to update those ip addresses frequently)
It's a good idea to checkout www.exploit-db.com to look for existence of any attack exploits before installing any app. Some exploits only work in certain versions of the software. So if you find an old exploit, there is a chance it won't work against newer versions. But to be really sure, you would have to complile the exploit and test it, which if you aren't a programmer, can be difficult. Be aware of the risk and decide.
Allways try to find installers that do not require internet access. Google for the 'offline installer' of the program. Web based setup programs are hazardous. It requires connection to the net while running as admin. And also most setup installers require turning off your anti-exe, and other protection.
When Software Restriction Policy is set up, remember that programs will not run when they are located outside of \Windows or \Program Files. To enable your install program to run, lets say from your Downloads folder, you have to go to Local Security Policy > Software Restriction Policies > Security Level, and set Unrestricted as the default policy temporarily. Always remember to re-enable SRP before leaving your admin account.
Do not be tempted to add your Downloads folder as an exception to SRP, as attackers will find that out and place their wares in there and run them.
When installing security programs, some installers require default settings of services and ACLs. In the Automated Configuration Pack, there are 2 bat files: Restore Services bat and Restore ACLs bat. If your antivirus installer causes errors, you can run them and then install your new antivirus and redo Harden Services bat and Dual Admin bat. Kaspersky products (Total Security and Small Office Security) are known to require this step.
Always try to find if there are SHA256 signatures published by the vendor for the programs that you are trying to download. (SHA1 is deprecated) If there is one, save it to a txt file. After downloading both the setup and the SHA, use Hash Tool to generate the SHA signature, copy it to the SHA txt file opened in notepad. Line the signatures up, and you will be able to see quickly if they match. Discard the download if the SHA signature fail to match; it has either been tampered with or corrupted.
If you are currently under attack, the attackers may modify the download or feed you one with an infection by sending you a faked download page. Or they can make the downloaded setup unexecutable. Always be quick to close the browser after the download finishes. Because there is a pathway from the net to your download, and closing the browser should severe that connection.
You should uninstall all the Win Apps that you don't use. It removes attack surface from your attackers. Go to Settings >l Apps > Apps and Features. Clicking on an app will reveal an uninstall button. Remove all the things you don't need. Note that this is a per account setting. Removing an app from the admin account still leaves the app enabled/installed for other accounts.
There are certain apps you cannot remove:With the software that you want to install, allways choose Custom Installation if there is such an option in the setup program. For example, if you only want to use MS Word, and don't need Excel or Powerpoint, then uncheck those 2 options. Word and Excel can run macro's, which is a language and can be made to do useful or harmful things, depending who is wielding it. Attackers are Known to use macro's to infect machines.
If you use LibreOffice ( a free open source office suite competitive with MS Office ) there is a python language module. Languages like macro's can be harmful. Test if it is a core part of the program by renaming the exe to ex0; then run the program and see if it breaks. If it doesn't ( and it doesn't for me ) then leave it renamed that way.
It is very important to guard your sign on passphrases, espcially your admin account one. attackers will try to trick you into giving out the passphrase by installing a tojan that looks like the Windows sign on screen and upon seeing this most users will key in their passphrase without question. Microsoft has made a feature whereby you need to press CTRL-ALT-DEL in order to reach the sign on screen, because the special key sequence CTRL-ALT-DEL can only be trapped by the operating system. This feature is normally only active when a PC is domain joined to Windows Servers. However it can be enabled without Windows servers.
Another MS security feature is not displaying the account name in the sign on screen, even when the user is currently signed on and has locked the system by pressing WinKey-L. This means the attacker needs to get both the account name and the passphrase right and significantly enhances security.
If you have the Automated Configuration Pack, you can right click on Harden Win 10 Pro Security options.bat and choose Run as admin to enable these 2 features. Further down the document, all the settings in Security options are given.
You want to be able to see all files and folders in Windows. If you do not do this step, hackers can hide their installed tools from you. Although the attacker can also install a rootkit which also hides their files, they may not be able to get that far into your system to do so.
Windows Explorer/ View pull down menu / Options button / Change Folders and Search options / View tab
CHECKMARK items belowCopy this html file to \users\public\documents and login to each of your other accounts and perform the configurations per account. Search for "New Accounts to do"
Onedrive lets you keep your documents, pictures and PC settings on the net, ready for syncing to all of your PCs. However, your personal files are sitting there on the internet 24x7x365 waiting for someone to crack your password. This is not secure to say the least
Data Execution Prevention is a technology that foils some types of attacks when they are coded in a certain way. By default, this feature is enabled but protects only Windows executables. You want to enable it to protect all programs, like your Firefox, Opera, Acrobat Reader and others.
Settings / System / About / Advanced System Settings
/Performance Settings button/ Data Execution Prevention Tab
Select "Turn on DEP for all programs ..."
Dump files are memory dumps, and everything in memory are saved to a file. This is used for debugging problems when your system crashes. However, passwords and all confidential stuff that are running currently are also saved to this file. You should enable this feature only when you are experiencing problems and need to debug.
Settings > System > About > Advanced System Settings > Startup and Recovery Settings - settings button
Write debugging info: None.
Remote assistance allow a helper to control your PC with complete desktop, keyboard and mouse access. This is not a attacker favorite as there is built in protection that allow only the invited to take control. However, there are phone scams that lure users into giving them remote access, and you will want to protect your users and prevent them from compromising your computer.
Settings > System > About > Advanced System settings > Remote tab
Un-checkmark allow remote assistance
System Restore can be a life saver when you encounter system errors. Setting it to use more disk space and making more restore points is good policy
Settings > System > About > Advanced System settings > System Protection tab > Configure > create bigger system restore cache
.
You want to be able to see all files and folders in Windows. If you do not do this step, hackers can hide their installed tools from you. Although the attacker can also install a rootkit which also hides their files, they may not be able to get that far into your system to do so.
Windows Explorer/ View pull down menu / Options button / Change Folders and Search options / View tab
CHECKMARK items belowUnattended PCs are obvious security risks. But many people fail to take care of this via this simple setting. Most larger companies that are security aware have strict rules to enable this and not to leave PCs logged in and unattended.
Go to Settings > Personalize > Lock Screen > Screen Time out settings, configure it to wait 10 minutes.
If you look at \Windows\System32 folder, you will see a lot of exe programs. Some of them are Windows' GUI components and needed by the system. And some are command line programs used to administrate Windows. A Standard user account doing daily work has little use for these command line programs, as they are intended for IT administrators. In accordance with Least Privilege, these command line admin tools should be partitioned away from the User group.
Attackers aim to get use of three accounts, the admin account, the "Administrator" account, and the System account. The admin account is needed for configuring the system, so it needs full access to command line tools and we cannot avoid this. The 'Administrator' account is by default disabled. And the System account is used by some services. In testing, it is revealed that the System account cannot be constricted or else our Restore BAT wouldn't work. So in the provided configuration file, command line tools are set so that only members of the administrators group and 'TrustedInstaller' can invoke them. (The System account gets inherited rights) Also, in line with layers of security, the command line admin programs are denied execution by low integrity processes.
As an example, few people are aware that there is a command line FTP program, as most people use their browsers to download. This program is used mainly by attackers who need to bring over their tools once they gained command prompt or powershell access.
Role Based Access Control means setting up accounts to do what it is only necessary for the job role. Hence an accountant would be set up so that he can run the accounting program, and not others like our hardening scripts. This is in accordance to the Least Privilege principle.
When we analyze our security posture, the weakest point of defense is when we are using our admin account. Sometimes, a program installer needs Software Restriction Policy turned off; because it writes to and then executes a temporary exe from within the temp folder. And we must use the admin account to install software. Sometimes the install program needs to download components online, and the downloading portion maybe vulnerable. And if the account houses our hardening scripts as well as other important documents, there is a lot to lose. Installing a new program usually takes time, may be a good half hour or more to configure, test and so on. So in this hour we are essentially running an insecure semi-hardened box. This calls for a role called the Installation Admin.
In the Configuration Pack, the Dual Admin BAT creates an installation admin (you choose the actual account name) and restricts it from running admin command line tools, and administration GUI apps. In addition, it removes ordinary user accounts from accessing admin command line tools. After configuration, the command line administrative tools ( plus regedit, regedt32 and tasksched ) can only be accessed from a full admin account using an elevated command prompt. Also, only the full admin account has take ownership right. Right click on the BAT file and choose Run as Admin.
Note: the dual admin BAT script does not assign a password to the Install Admin. Sign on into the Install Admin account and give it a passphrase.
In effect, the only special rights this installation admin account possess are the right to write anywhere in the hard drive, (like the Program Files folder, which only an admin can write to). and to write to any registry key. This seems very generous, but the fact is we are not able to restrict it further. This account would then be used when you install a program, which is a very common task for an admin role.Very often, an attacker will install a Remote Access Tool/Trojan (RAT) to monitor the victim. This program is just like an ordinary program that provides remote access like Window's own Remote Desktop or the commercial program TeamViewer. It can view our screens, see what we type and control the PC by running any program. They are very hard to detect, especially if the attacker does not make any changes to your system and just watches you. And anti-malware programs usually fail to identify them, because there are legit remote admin tools too. The goal is to hamper this RAT. The RAT will get all the permissions of the account that you sign into and require an online connection. So here is the second step; we will make our full privilege admin account go offline when used. This will buy us time to find and eliminate the RAT.
Now we create several scheduled tasks, one for the full admin, and the rest for non-admins. The first one is for the full admin sign in to disconnect the network adapter. Ensure that you are signed in as the full admin.
Note: Scheduled Tasks action line reference the network adapter name. In the majority of cases, they are called Ethernet and Wi-Fi. But if you have multiple network adapters, then the names will be different and the network adapter name needs to be changed, from 'Ethernet' and 'Wi-Fi' and replace them with what you have. The adapter names you currently have is shown at Control Panel > Network and Sharing Center > Change Adapter Settings.
The whole set of scheduled tasks is designed to disconnect the network adapter for the full admin, when he signs in. And we reconnect the network adapter when he signs in to a non-admin account.
To test the Install Admin account's ability to properly run install programs, the following programs were tested:
It is known that security programs requires additional rights to set themselves up, that is why security programs were tested among other programs. Avira, BitDefender, Voodoo Shield failed to install. And WSUS Offline fails to run. They require the usage of the full privilege admin account. Ordinary installation programs like VLC typically don't require as many rights. The aim is to reduce usage of the full admin account and lessen the risk. For normal programs, use the install admin account first, then if it fails, use the full admin account. To enable your full admin account's internet access, right click on the internet icon in the systray, select 'open network and sharing center', click on 'Change adapter settings'. Then right click on the adapter and choose Enable.
New to ver 4 of Dual Admin, it is now possible to run the following networking commands in the Install Admin account:
The Documents folder has 3 ACL rules allowing access for System, YOU, and the Administrators group. If you right click on the Documents folder and choose Properties > Security tab, you will see this.
The System account is present in almost all files and folders, but it doesn't need to be as far it can be determined. Attackers also can use escalation of privilege attacks to get to use the System account because it is as powerful as an admin. You can choose Edit and Remove to take the right away.
However, the Configuration Pack BAT files need System to work, that is, if you unzipped the Configuration Pack into Documents. To work around this, you can create a Security folder under your Users\<YourAccount>\ folder and extract the files there. Just remember to move the contents back to the Documents folder when you're done.
The Administrators group is present so that any admin can access your files in an emergency. This can be removed to ensure that the Install Admin can't get at your files. Because the Install Admin has internet access, a RAT (Remote Access Trojan) can use that account to get your files if access is granted for the Administrators group. Removing the ACL entry will ensure that your data stays private. The downside of this is when you need to remove this account using Start > Settings > Accounts > Family and Other People, the Documents folder can not be deleted and will be orphaned. If the account will never be removed, or if you can remember to re-instate the Administrators group, then this rule can be deleted.
The files you save in Documents, Pictures and Videos are private. In event of a hacker attack, she will explore those folders in depth. Again, don't put those files in an account you surf with. And encrypt your data. Use the downloaded VeraCrypt.
Here's how to use VeraCrypt.Look through your documents folder now. Decide which files need to be segregated into the separate encrypted volume or to an offline machine. You MUST categorize your data files. What you don't know is what you don't know. And without looking through your documents, you will be storing important files along side your trivial document files.
Passwords list for your web sites need to physically written down into a notebook, not stored in a Notepad text file. Hackers know to look for such files.
File History saves your documents, pictures, music, contacts and IE favorites every hour to a removable drive ( or USB key ). It does it every hour by default and keeps versions of the files as they change. This is a very convenient method of performing backups and should be used. Just remember to unplug the USB key when you shut down the computer and carry it with you, or else your attackers will gain access to all your files.
Go to Settings > Update & Security >Backup and click on "Add a drive"
There is a new version of Edge based on the open source Chromium browser. It looks a lot like Chrome. Plus, it still contains Edge features like SmartScreen and Application Guard (Application Guard is a hardware based protection and is only available to Windows Pro users). Windows 10 20H2 have it installed by default, or you can google for Chromium Edge and you will find the download. MS decided that it is too much work for programmers to maintain different web code for all the different browsers and decided to adopt the Chromium browser. Plus, Edge now has access to all the extensions made for Chrome.
Copy and paste the following into a filo named user.js and copy it to the C:\Users\<yourAccountName>\AppData\Roaming\Mozilla\Firefox\Profiles\91yzyij5.default-release\ folder.
You can type "about:config" into the address bar and set the following options if you want.
Next, go here:
If using Sandboxie: \Users\<yourSurfingAccount>\AppData\Local\Mozilla\Firefox\Profiles\
Do this for all accounts
If you have the Configuration Pack, you can copy the USER.JS file to C:\Users\<yourAccountName>\AppData\Roaming\Mozilla\Firefox\Profiles\91yzyij5.default-release\. First rename any existing user.js file. The file contains all the above settings and it will append or override the default settings. A lot of sites like gmail and financial sites require javascript = true and dom.storage.enabled = true. If you are under attack, set both to false. The settings above includes these 2 settings, and I keep a tab open to about:config to toggle them as when required.
In general, the less unecessary connections you make the better. Automatic connections that always happen can be used against you. An attacker can spoof that auto connect address and launch an attack if Firefox is vulnerable in it's receptors. The author has experienced denial of service attacks where a crafted packet was sent to some telemetry component and it always closes Firefox. The telemetry features are turned off for you above. You should set the following settings manually:
Opera, starting with version 56.0.3051.104 together with Windows 10 v1809b supports Windows Defender Exploit Protections.
Unfortunately, the Chrome settings cannot be copied from one PC to another, so the above will have be done manually. The version above seems to have preferences for Chrome Flags and will not import a Local Settings file from from another PC.
It's claim to security is that it has a cloud/server component and the client installed in your PC is lightweight. So all the processing of javascript and other things takes place in the server. However, it doesn't support extensions and plugins. And it doesn't even support the 'back' button of my mouse. And it doesn't support the Yubikey. And it costs $20 per year. However, when current versions of Chrome, Firefox and Edge has bugs, and you need a browser to use, this is a good one.
As of this sections writing (2021-05-25) The latest version of Sandboxie 5.49.5 is confirmed with work with Yubikey.
YubiKey is a hardware security token. It is supported by Google's Gmail and Google Drive to replace SMS 2nd factor authentication. Without spending anything extra, SMS 2nd factor authentication is an OK security measure. (a extra logon code is sent via text messaging when you attempt to sign in). However, cell phones can be easily hacked, (especially Androids) and that 2nd factor would be useless. The token is a small USB insert and can also be used with your cell phone if your cell phone has NFC (near field communications). So you either insert the USB end into your PC or tap the token on your cell phone when navigating to gmail.com. Many sites support it, including FaceBook, Outlook, OneDrive, DropBox, Salesforce, Github, Dashlane password manager ....
You have to buy 2 tokens to register with Google Advanced Protection Program. One for daily use, and another for backup in case you lose the first one. Currently, the cheapest model is the Security Key NFC ($49 for a pair). And it is currently the best 2nd Factor authentication security measure. Highly recommended.
HitmanPro Alert is an anti-exploit defense tool, and it primarily defends browsers. Notice that Sandboxie only protects attackers from writing to disk, thus gaining persistence. Sandboxie does not protect an attacker who uses RAM only attacks exploits. HitmanPro Alert detects many exploit coding techniques and is a good defense for your browser. It contains all the features of HitmanPro which is a good 2nd opinion AV and adds anti-exploit capability. It costs $49.97 for 1 PC and $82.50 for 3 PCs. Note that if you run it witout purchasing after the 30 day trial period, there are no anti-exploit capabilities.
You will have to add an Unrestricted Path rule to Software Restriction Policy to allow hitmanpro Alert to run it's malware detection module: C:\users\
Hitmanpro Alert displays a big dialog box when it detects an exploit and tries to close your browser. However, when used it conjunction with Sandboxie, it cannot close the browser - you have to manually close it upon seeing the notice. But the good thing is you know when you are hit, without it, you will be blissfully unaware that an exploit has been thrown at you. And then you can check the Sandboxie icon in the systray to see if there are still any red dots in the icon - that means that there are still processes left running in the sandbox. Then you need to right click on Sandboxie > your sandbox > Terminate Programs.
VPN services proclaim because they encrypt your internet browsing traffic, you are secured. But the thing is, what are you protected from? The only scenario where it was useful was when you are sitting in a cafe using a WiFi hotspot, it stopped` snoopers from seeing where you were surfing to. It does not protect you from everything else far more dangerous: hackers, malware, drive-by-downloads, javascript attacks, and everything else the internet can bring.
From 2018 onwards, most web sites are almost obliged to provide https aka SSL encryption by popular demand - you see the padlock symbol to the right of the address bar of your browser. So your traffic to web sites are already encrypted without a VPN service. And the Firefox and Chrome browsers will stop transmissions whenever your traffic is being spied upon or manipulated by a man-in-the-middle attack and bring up a big warning notification.
VPN services were useful when offering https was expensive and only done by financial institutions and web stores. Now, everybody is using https, even web sites that only serve news; don't sell anything and don't have financial anything. VPN services are expensive, and your money is better left in your wallet or purse.
Microsoft has a security baseline consisting of dozens of group policy settings. It is also available to Windows Pro users using GPedit. The author has reviewed the settings, and most are good to go. The baseline cannot be used on Windows Home because it does not support gpedit.msc.
The best way to manage passwords is to use an address book. Yes, that's pen and paper. Keeping it in a file on the computer is just waiting for disaster to happen. Hackers know how lazy people get and rely on copy and paste from a password file, and they use a utility program to quickly search for a password file. Use an address book.
Many security experts recommend a password manager browser extension to keep track of online passwords. You just have to remember the master password, and the correct password will be inserted for you when you reach a login page. Some, like Lastpass can also generate a secure gibberish password for you. And some password managers support 2nd factor authentication like with Google's Authenticator cell phone app; so that you need to remember a master password and Google Authenticator will generate a 6 digit code for you to enter into LastPass, only then will it allow access to your password list. Don't use the 'remember your password' feature of the browser, that password list is not securely stored And don't forget the master password, Lastpass does not know your master password because they don't keep it; once you forget it all your passwords are lost. But then if you use your browser every day and hence the master password, there's is little chance of you forgetting it.
See Automated Configuration section.
It is also prudent to password protect your BIOS, so that people cannot boot your PC. Also, you should change the boot order in the BIOS so that it boots the hard drive first, rather than the CD/DVD. If an attacker can insert a Linux Live CD and start up your PC, then they will be able to mount your hard drive and read all data from it, and all Windows security will be bypassed.
Physical security is very important and should not be overlooked. If someone has physical access to your PC, then they could bypass a lot of the hardening that was done.
For example, if a attacker could access your PC and boot up a Linux Live CD, he could then read and copy off all files from the Windows disk partition. Or he could remove your hard drive and put it into another PC as a secondary drive and get data off that way. Either way, Window's password security will be of no use, because the hard drive's copy of Windows was never started.
Lock your office or study room or bedroom containing your PC. And if it is on the ground floor of a house, then lock the Windows too.
A door lock serves to buy time for discovery of intrusion. It cannot be counted upon to prevent an intrusion as all police departments know, because if a lock is too difficult to pick, they can always drill it or break down the door. But then you would know after the fact and then the stealth preferred by hackers will be gone.
BitLocker is a full disk encryption feature of Windows 10 Pro, When that is active, the whole drive is encrypted and will not be readable with other copies of Windows or Linux. This eliminates the offline attacks as mentioned above.
In the Configuration Pack, the above 'custom view' filters are in the folder "Event Viewer Custom Views". Simply choose 'Import Custom View' to import each xml file one by one. There are 54 custom views in the Configuration Pack
Now that Windows is hardened, most of the vulnerabilities you face will come from applications. The concepts that underlie protecting apps are the same as protecting the OS. Be careful of apps that have high privileges, and scrutinise network facing apps. Patching is really important and upgrade the app when new versions are posted. Monitor Event Viewer's "application hang" and "application error" and "service terminated unexpectedly" custom views - if something fishy is going on and it happened after an application hang/error then there is a chance that you have been attacked. Be aware of what is normal and what is not. Know the protection settings that have been applied and know when a change is made (by an attacker). For example, your full-admin's Documents folder has been set to only have 1 ACL which is full accesss by the full-admin; if you find that suddenly that another ACL has been added giving access to, for example, the administrators group then something is wrong.
You click on Start and type 'Reliability History' and it will display a overview of what critical events has happened in the last month or so. You want to pay attention to the red X's which mark critical events. In the bottom pane, after you click on a date column on top, it will show all the notable events for that day. It does not replace going through Event Viewer's list of custom views, it is a summary.
If you have several machines, you might consider setting up an event log collector machine or SIEM tool (Security Information and Event Management). The benefits are:
Logalyze install consists of 4 downloads:
To see the logs that Logalyze collected, go to the Search tab, set the time frame drop down, and click on the magnifying glass icon to the right of the search bar.
To search for several Event ID's, just type in each number separated by space and an upper case "OR".
To find logs of a particular Windows machine, type "loghostname:" followed by the Windows Computer name which you find in This PC > Properties; for example "loghostname:desktop-u3ehvod". To find logs of a device like your router, use for example "loghostname:192.168.0.1" where 192.168.0.1 is your gateway/router's ip address.
You can find event ID's on a particular machine, for example "loghostname:desktop-u3ehvod AND 4624".
To save a query/search, click on the floppy icon to the right of the search bar. To see your saved queries, go to the Admin tab, click on Definitions pull down and choose Query Definitions.
Routers and Linux generally expect the syslog server to run on UDP port 514.
Wazuh is a SIEM system (Security Information and Events Management). It offers a real time birds eye view of security events happening in a network of PC's. Wazuh is open source, which means as per open source rules it has a free version. It also has a cloud based version which is not free. Wazuh can ingest logs from Windows, Linux and other network systems like a hardware firewall. It then uses it's rules to generate alerts and events for you to follow up. Human intervention is necessary to discern which events are important. For example it can record that QuickHash has crashed and you will have to supply the brains to know that yes it crashes often and nothing needs to be done. However, if it tells you that your Windows web surfing standard account is signing on in restricted admin mode Y, then you will have to know that this is not normal and needs to be investigated. It's rules are quite clever however, for example if it detects a quick succcession of failed logins within 2 minutes, it will alert you that someone is trying to brute force your account and the event level reported is higher. It also reports the possible attacker tactic that an event may mean or is part of. It uses the Mitre Att&ck classification system. The Mitre Att&ck classification is drawn from tactic and metbods used by hacker groups and is quite thorough.
Wazuh itself runs on Linux, and you can use the user friendly Ubuntu distro as it's OS. Wazuh needs a 2 core (4 threads) cpu system with 4 Gb of RAM to run. You might have an older PC at home that works. Setup is relatively pain free, all you need is to run 2 commands on Ubuntu and 2 commands on each Windows system that needs to be monitored. We will additionally perform some simple hardening of Ubuntu along the way.
First lets download Ubuntu. Go to ubuntu.com and download the desktop version. The file is a iso file, which is a DVD image. If your system has a DVD drive, simply right click the file and choose Burn. If it doesn't have a DVD drive, then use Rufus to write it onto a USB memory stick. Select the dd method to write after you click Start.
Boot the media (USB/DVD). After choosing 'Install Ubuntu', choose the Minimum Install, then find your time zone and supply a username and password.
After booting into Ubuntu, right click on the desktop and choose Open in Terminal.
Now start Wazuh by opening Firefox and typing in 127.0.0.1 in the address bar. Then click the 3 bar icon on the top left and choose Wazuh
Next on the Ubuntu desktop, click on the left most icon on the top right corner. (it resembles a network) Then click on the gear icon in 'connected'. This will give you the current ip address of Ubuntu. Click on the gear button > ipv4 tab > select Manual button, and give it an ip address by changing the last 3 digits of the current address (it has to be less than 255). This is now the Wazuh machine's static ip.
In the same ipv4 tab, turn off Automatic DNS. Then type in '9.9.9.9,1.1.1.1,8.8.8.8'. And then click 'Apply'.
Click on the ipv6 tab and select disabled, and click 'Apply'.
Next you follow these steps to install the Wazuh agent on each Windows desktop:
Check that the 'Active Agent' count in the Wazuh server page now gives the correct count of agents you have installed.
Note that if you make a mistake with the ip address, you have to go to Control Panel > Programs and Features to uninstall the 'Wazuh agent' before trying again.
More agents for different OS's like MacOS, and how to install them, are available. See the 'Wazuh Documentation' site for details.
Most of the power of Wazuh lies in Security Events, click on the Security Events rectangle on the left hand side of Wazuh's main page. Then choose a date range to show the corresponding events. Pick an event, click the arrow on the left to reveal the message. Then click on JSON to see the verbose message. If you are wondering what you should be concentrating on with the massive amount of events, I personally do not review events lower than a level of 7. Here is the classification of the event levels: https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html
And here is what an real attack might look like: https://rioasmara.com/2022/01/16/defense-while-attacking-with-hackthebox-and-wazuh/
Wazuh needs to be protected by a firewall. Open a terminal and type 'sudo gedit /etc/network/if-up.d/iptablesload' Then paste these lines inside and save the file.
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
Then you type 'sudo chmod +x /etc/network/if-up.d/iptablesload'. to make the script file executable.
Then type 'sudo gedit /etc/iptables.rules', and paste in the following. Replacing 192.168.1.13 with the ip address of your Windows machine. So there are 2 lines in the INPUT section and 2 lines in the OUTPUT section that needs modification. For more Windows machines, you duplicate the pairs of rules in INPUT and OUTPUT, using the Windows machines' ip.
# Generated by iptables-save v1.8.7 on Sat Sep 24 20:42:28 2022
*filter
:INPUT DROP [20:1520]
:FORWARD DROP [0:0]
:OUTPUT DROP [1413:698633]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.2.1 --sport 67 --dport 68 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j DROP
-A INPUT -p tcp -m tcp --dport 6000 -j DROP
-A INPUT -p tcp -m tcp --dport 6001 -j DROP
-A INPUT -p tcp -m tcp --dport 6002 -j DROP
-A INPUT -p tcp -m tcp --dport 6003 -j DROP
-A INPUT -p tcp -m tcp --dport 6004 -j DROP
-A INPUT -p tcp -m tcp --dport 6005 -j DROP
-A INPUT -p tcp -m tcp --dport 6006 -j DROP
-A INPUT -p tcp -m tcp --dport 6007 -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -s 9.9.9.9/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 1.1.1.1/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.13 -p tcp -m tcp --dport 1514 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.13 -p tcp -m tcp --dport 1515 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 91.189.94.4/32 -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j DROP
-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -d 9.9.9.9/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 1.1.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 91.189.94.4/32 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 192.168.1.13 -p tcp -m tcp --sport 1514 -j ACCEPT
-A OUTPUT -d 192.168.1.13 -p tcp -m tcp --sport 1515 -j ACCEPT
-A OUTPUT -p icmp -j DROP
COMMIT
# Completed on Sat Sep 24 20:42:28 2022
Now you can toggle the networking off and on, and type in "sudo iptables -L -v" and you should see the iptables rules listed.
Intrusion detection also has to do with seeing that things aren\92t different from what is normal. Your PC was running perfectly on day 1 after hardening, is it doing anything different today? To answer that question, we need baselines.
What we want to know is what programs are normally running when we first login. If we know that, then we can be sure that we aren\92t contaminated with spyware or other hacking tools. There are 2 programs we want to get, all free. The first one is AutoRuns, available from here: http://technet.microsoft.com/en-us/sysinternals/bb963902
It doesn't have a setup program, just download, unzip, create a folder under \Program Files and copy the files there.AutoRuns lists all of the places in the registry where programs are set to auto launch. Right click on it, and choose Run as admin, and use File/Save to take a snapshot of each account's current settings. Later on during your regular system checkups, you can use the File/Compare feature to see if anything is different. New entries show up in green. If all green entries are good, then save the file again with todays date, and do the comparison with the new file in the next scheduled check.
The second program is Tasklist
This program is like Task Manager, but it can be outputted to a file, and then sorted. Many malware name themselves with familiar Windows program names, trying to hide themselves. Login to your admin account, then right click on Command prompt and choose 'run as admin'. Then type in "tasklist /V > tasklist-out.txt", and a second one "tasklist /v /app > tasklist2-out.txt". Now you have a snapshot of what normally runs when you first login. To sort the list type "sort tasklist-out.txt > tasklist-out-sorted.txt".
When you do a comparison, note that you cannot use a file comparison tool like 'fc' (file compare) to check for differences, that is because the PID (process identifier) for each program/process would be different on different boot-ups. You would have to do a visual check of the command line.Now we have 4 baselines, save them onto a USB memory stick for use in comparisons later. One should also save the Autoruns, and Process Explorer files onto the memory stick as well. Because, after an attack, programs may get altered or rendered unusable You Have to keep the baselines on a USB memory stick because attackers will modify your baselines to make you think nothing has changed.
Last thing when doing baseline comparisons is to run 'sfc /scannow' to determine if any system files has been modified. SFC contains the correct windows files signatures and makes a comparison to the current setup. It will also fix the problem.Next we create a hash list of all executable files using QuickHash.
Run QuickHash, and select SHA256 from the algorithm panel. Then select "FileS" from the tabs on the top. Checkmark "Choose file types" and type in "*.exe;*.dll;*.js;" . Then checkmark "hidden folders too". Now click on "Select folders" button and select Drive C. Calculation will begin after you choose the folder. Wait a few minutes for the list to appear and click the "Clipboard" button. This will copy the list to the clipboard. Now open notepad and paste in the list and save it as hash-list.csv.
Now open your spreadsheet program and open the csv file. The separator is comma. Now select all text except column 1, which is the useless file number. And save the selected list as hash-list1.csv.
You have to repeat these 2 steps when you have a Windows Update or install new programs so that you have an up to date hash listing.
When you need to do a comparison, create a new hash-list#.csv file and use "fc filename1 filename2" and you will see the differences. If you spot any differences in the current list of files, locate the file and rename it to somefile.exe.bad. This way, you can identify and isolate any potential malware and hacking tools installed by the attacker.
Now we have 5 baselines, save them onto a USB memory stick for use in comparisons later. Because, after an attack, programs may get altered or rendered unusable. You Have to keep the baselines on a USB memory stick because attackers will modify your baselines to make you think nothing has changed.
Last thing when doing baseline comparisons is to run 'sfc /scannow' to determine if any system files has been modified. SFC contains the correct windows files signatures and makes a comparison to the current setup. It will also fix the problem.If you are considering security suites, then you should also Google for "<brand> end point protection". End Point Protection is the name used for antivirus suites for businesses. And like MS's way of adding more security feaures for Windows Enterprise, the business products of major antivirus brands offer more security features. Most will also offer a trial version, so you can test them before making the leap.
Antivirus online update components can be attacked. Attackers have studied the majority of antivirus programs to find ways to attack them. Because AV's are programs that almost everyone have. And there are only about a dozen of major vendors. So their goal is easily schievable.
One type of program you must have is an anti-executable. Unlike anti-malware programs, it is not signature based. This class of protection stops any program from running unless you have clicked on it or that it resides in a small whitelist. So if you clicked on it, then it runs; if you didn't, then it gets blocked. This stops drive by downloads where web sites get hacked to deliver malware. Also, many exploits download a malware of their choosing (mostly RATs) and executes it. Anti-executables is a great class of protection to have. There are several on the market, like Anti-Executable, AppGuard, No Virus Thanks EXE Radar Pro, and Voodoo Shield. The last one is free. Note: you have to allow VoodooShield,exe and VoodooShieldService.exe outbound in the firewall but only enable the firewall rules when it asks you to register and then immediately disable both the rules. This is because VoodooShield is primarily an anti-executable whoes job is to tell you something has run. The online portion enables it to verify signatures and test run an exe in a monitored sandbox. But this is not it's main job. You just want to be prompted when an unclicked upon program is run, which could be a normal background task or a program started by an intruder. Secondly, opening a connection to the net enables a spoofed attack on VoodooShield. Remember that the firewall design principle is default deny and minimization of connections.
Another reason you should have a good hardware firewall like ipFire, PFSense or Sonicwall is that it has logging. Most consumer routers do not log traffic at all. The thing to look for is Outbound traffic, not inbound. If an attacker succeeds in landing onto one of your machines, there will be outbound traffic back to him. And it would make things easier if he works at night when you don't use your PCs - the outbound traffic will really stand out.
The logs of your Windows firewall has been configured to log outbound traffic as well. The log file is located at \Windows\System32\logfiles\firewall\.
The real selling point of having an external hardware firewall log is that it is external. No amount of root kits and cleaning up the tracks will remove the logs on an external firewall. So even if logging is somehow disabled on your Windows box, you still have a trustworthy log of what transpired in the hardware firewall.
A Honey Pot is usually a unused dummy system set up just to lure attackers. Once you notice traffic on it, then it is guaranteed that you have an attacker. You can setup auditing for a 'honey folder' which you never click on to act as an intrusion detector.
First create a folder, called for example 'Plans for the New year', and then right click on it and choose Properties. Then go to Security tab > Advanced > Audit tab. First you set up which user account to watch for, then leave the settings for 'Read and Execute' which will generate an Event Viewer entry
If you have the Configuration Pack, the Event Viewer custom views xml files allow you to import the custom views. Click on 'Access audited file' view to see the entries generated by the intruder. Also, you have to run the Harden Audit BAT and the Harden Security Options BAT to enable the auditing.
Take care not to audit folders and files you normally use, because each access generates 6 or more entries. And could fill up the log and cause old entries to be emptied away.
Windows events can capture what programs you run. This option is not turned on for you because it generates a lot of entries and scrolls the logs. But when you are threat hunting, this is good to look through.
Disable OSArmor protection for 10 minutes and go to Start > Windows administrative tools > Local Security Policy. Then go to Local Policy > Audit Policy. Click on Audit Process Tracking and audit for Success. This will create Event ID 4688 entries for every program that a user runs, either in the foreground or background. (This custom view is already in the list of Custom Views that came with the Configuration Pack, which you have imported in Intrusion Detection Part 1.)
Things you can look for:
This would prove that the admin account has been compromised. Then I would look for program error or program hung for possible clues as to which progam may have a vulnerability. Next I would backup data and restore from backup drive image and then restore data. If the vulnerable program is non-essential, I may bar it from running using Software Restriction Policy. Or look for patches and updates for that program.
Good security relies in part on using patched and updated software. So you must check for new releases and update your software. After you have done that, you have to find out if your software has newly discovered security vulnerabilities. For which there may be no patches yet, so you should stop using or use with caution. Thus you need a vulnerability scanner. Nessus is a long time player in this field and has a Nessus Essentials for non-commercial use.
First thing to do, start a Incident Response Log and record everything you do.
If you find that the system is behaving as if more obstacles are being thrown up as you try different investigations or remediation. Then the chance is high that the attacker has installed a remote admin tool observing your every move.
Then: Containment. Immediately disconnect ethernet and WiFi. Infections can be fast and spread to other computers and NAS. Plug the ethernet into a switch that goes nowhere. Then the malware will think it is online. Then we can observe where the malware wants to go via tcpdump. (If the laptop doesn't have ethernet, go buy a $20 USB ethernet adapter and a 100ft ethernet cable) OR if there is only one computer, then you can disconnect router from modem.
Lets try to verify if it is a compromise. Run Event Viewer and look through your Event Viewer custom views.
Each custom view in Event Viewer may give you some more info. Attack methods vary, it is impossible to list them all here.
Now given you have evidence of an intrusion, backup data, wipe your hard drive with Parted Magic, and restore a disk image before that date, and then restore data.
Now you check the other PCs within the same network. Sometimes you immediately know you have been attacked because you made a mistake, like running an unsigned program. But in most cases you only get to realize you've been attacked after some time and the attacker had time to do lateral movement. So go thru the above steps for each PC.
After you have re-imaged the rest of the affected PCs, run your vulnerability scanner like Nessus on each. It might find security holes which you don't know about. Then you can either:
The attacker may still be monitoring you with an man-in-the-middle attack. For that, go to your router and change its MAC address if possible, which would cause your ISP to give you a new external ip address. Or you go to whatsmyip.com and note the current ip address, unplug your modem and wait 15 mins. Then go to whatsmyip.com again to see if the ip has changed.
For completeness, change your online passwords where there is no 2nd factor authentication like Yubikey or Google Authenticator.
End of story. Proceed to Post Incident Response Review
But if you don't have a good backup disk image, then you would have to continue on.
By changing your router's MAC address and thus your ip address, the attacker will not be able to:
The next thing to do is to run security programs like antivirus and antimalware. Hopefully they identify something and quarantine it. Hackers don't use viruses and malware most of the time, they are too easily identified and removed by common security programs. For example, most av and antimalware are useless at detecting remote access tools. The reason is that remote access tools may be legitimately used by the computer user to give access to their friends or service technicians, or themselves when they are in a remote location like a coffee shop. Hackers also know to test their ware against the well known brands of antimalware before deploying it. If this is a targeted attack, then the hacker will already know which brand of antimalware you use.
Since you are now offline. use your cellphone (data plan, not WiFi) to google for "<your antivirus name> + "offline update". Most antivirus companies publish their virus signatures for offline use for updating non-internet connected PCs. (E.g. network isolated corporate PCs) Download the file, transfer it to the affected PC using USB cable, and right click, Properties, Digital Signatures tab, click the Digital Signature's Details button. It should say 'The digital signature is OK'. If it doesn't then discard it and try the download again.
MS Defender provides their updates via a program named "mpam-fe.exe" from "www.microsoft.com/en-us/ wdsi/defenderupdates." .Download and then check the digital signature and file properties > details' date is today's and run it.
Then try some bootable antimalware tools, these downloads are usually ISO files which you have to right click on and choose Burn to Disk. Antimalware on a boot up CD bypasses starting up Windows, and also bypasses any self-protection that the malware has. Google for "bootable antimalware" on your cell phone.
In the end, everything above may not locate the attacker's tools. Remember, remote access tools are generally not detected. Or the attack tool is simply too new.
Do a backup of your data files now. Documents, photos etc; anything you can't risk to lose or get modified.
The next step is to cut off the attacker. This requires you to put the infected machine back online again. If your antimalware could not find the attacker's tools and the offline scanners failed also, you have nothing else to do but try this.
Close all browsers and networking apps, so that the connection traffic dies down. Then open an administrative command prompt and do "netstat -anbo". This will show all the connections to the machine. The program which makes the connection can sometimes be listed too. If it can't be listed by netstat, use the PID in the PID column and look up that PID up in Task Manager > Details tab. The attacker's program is often disguised by naming it with a familiar Windows exe name. Right click on the column titles bar and choose Select Columns, then checkmark 'Command Line'. This will show you the true location of that seemingly Windows program, maybe it is actually located in \Windows\Temp (which shouldn't be) Netstat's or tcpdump's connection listing while the machine is quiet gives you the connections' ip addresses. Open the browser and google for "ip to domain". This will list several sites which let you see what domains an ip address belongs to. Go thru the connections ip address listing individually, and see what organizations they belong to. If the domain belongs to Microsoft, then ignore that one. If it belongs to a residential internet service provider or belong to companies that may offer public hotspots like Star Bucks Coffee or it is from another country that you don't do business with then you may have identified your attacker. Google the organization's name to find out if it is a residential ISP or a business oriented network provider.
Another method of finding the ip address of the attacker is to look through your Windows Defender Firewall logs, located at "\Windows\System32\Logfiles\Firewall\pfirewall.log . Search for SEND's during your PC's inactive times like during your regular sleeping time or work or school time
The ip to domain web site will also give you the attacker's ip network address range. Lets say the network's ip is 206.248.168.128/26. Now create a firewall inbound rule that blocks that address range.
The reason to block the network range instead of a single ip address is that the attacker maybe able to move to another connection within her network. like a university's network. And blocking the entire network of a residential ISP couldn't hurt, or maybe you are blocking the entire Russian militia.
One may choose to block the network ip range at the Windows firewall or router firewall, if the router has a firewall rules feature. Most Linux based Firewall distros have that. A easy-to-use one is SmoothWall.
Now you have to decide what to do with the resident evil code on your machine. Since you have read this far, you probably do not have a backup drive image. You will need to try to remove it
Removing an infection requires someone who investigates malware, every day, as they are released. You may have an embedded remote access tool and not malware, but there are similarities between the two. There are malware researchers who do this for a living. They are the people who work for the likes of Norton, Kaspersky or Snort. Thankfully, some also donate their time in free forums to help the public. Here's two. Google for 'malware removal forum' to see more.
Ask the forum malware specialist to explain what she found, what the malware tools do, how the attacker gained persistence (so that the tool restarts after every reboot) , and ask if there are signs of lateral movement. Most malware forum clients are noobs and the specialist usually does not explain.
Note that the removal process might take a day or two. The forums' helpers will ask you to download detection tools, and ask you to paste the tool's output report back to the forum. If one tool does not reveal anything, they would ask you to download another tool and repeat. Finally they will offer a removal tool together with a custom script, which removes your particular infection. This is the only route to go if you don't have a clean backup image.
If two days is too long, and you need to resume work quickly, then backup your data, wipe the hard disk with Parted Magic and re-install Windows; harden it and make a golden drive image. This will take 3-4 hours in addition to the time spent on offline malware scanning and time spent looking for the attacker's ip. And if you have a lot of applications to configure, it will take longer.
You will then need to take care of your other PCs. If you opt not to wait for a malware removal forum, you can now use Parted Magic to wipe the drive and use the golden drive image produced above.
After all the machines are clean, go online to all your important accounts and change the password, if there is no 2nd factor authentication like YubiKey or Gooogle Authenticator; and setup 2nd factor authentication this time.
Run your vulnerability scanner like Nessus. It might find security holes which you don't know about. Then you can either:
Post Incident Resonse Review
Follow Up after Attack
Install Wazuh SIEM on a spare computer. And check for high level events every 2 hrs passing by while you go to the washroom. It is important that you monitor for signs after an attack to ensure that the attacker has not returned, or that the threat removal stage has not missed something.
Contents:
Note that 32 bit Windows is not covered by the Dual Admin (which is a set of ACL configs) file. There are many more executables on a 32bit machine
If you wish to revert the changes to out of box defaults, use::
To configure, right click on the bat files and choose 'Run as Administrator'..
To configure manually, open a elevated command prompt ( right click on Command Prompt and choose 'run as admin' ) Type in the following command::
SecEdit /configure /db <any_name>.sdb /cfg <template.inf>>
The <any_name>.sdb will hold the configured results, you make up the filename, but the file extension must be .sdb. The <template,inf> is either one of the templates named above..
Also provided in the package are Event Viewer 'custom view' xml files. These xml files setup filters for select event IDs, so that you get to see, for example, all login failures, in one screen,,
Use this bat file to setup what events to audit. It also sets up the event log file maximum file sizes for Application, Security and System..
It sets up the following::
Use this bat file to setup the password and account lockout settings..
Use of this file requires that you understand what the settings do. The numbers are:
Password history means that the system will remember 24 previous passwords so that they cannot be reused so that they are unique..
Password age means that the system will prompt you 14 days before 60 days is up to change your password. Minimum password age of 1 day means you cannot change your password again until 1 day have passed. This is so that users cannot rotate 24 times rapidly and reuse an old password..
Minimum password length is 14 characters. If you use a passphrase, then this shouldn't be a problem. Complexity requirement means that the passphrase must include upper and lower case, numbers and symbols.
The lockout settings are as follows:
What these numbers mean is that you are allowed 50 tries to get the right password. After that, the system locks up for 15 minutes. So, when you realize you have forgotten a password, write down the various passwords that you want to try and try to find the right one within 50 tries. After 50 tries, the system will not respond until 15 minutes have passed..
Unfortunately this can give rise to a denial of service (DoS) attack, where the attacker randomly tries out 50 passwords and her aim isn't to get in but to lock you out of the system. If we don't define a threshold number for password attempts, then an attacker can use a program to brute force or dictionary attack the system because they can do so an infinite number of times. If you realize that such a DoS attack is taking place, all you can do is unplug the Ethernet cable and go for a 15 minute break..
Use the 'Dual Admin.bat' to remove the standard users accounts from accessing command line admin tools. This script also sets up a heavily restricted admin account for installing non-security software. Together with this, you should set up the included login scripts that takes the full admin account offline automatically upon login. This aids in combating attacks where the attacker has remote access to your machine.
Some of these settings default to 'undefined'. And due to the fact that SecEdit does not handle settings that specify 'undefined', no restore bat file is offered to reverse these password and lockout settings..
Lastly, there is a security options file:
This file includes a group of security settings, as follows::
The 'security options' settings, audit, and 'password and lockout' settings are taken from MS Security Compliance Manager tool.
This PC > Properties > Advanced System Settings > System Protection tab > Create button.
This is important, your last line of defense is restoring from backup. This backup saves all of the settings you have done so far so you don't have to repeat them when you need to reinstall Windows. There is a free image backup tool called Macrium Reflect, available from here: http://www.macrium.com/reflectfree.aspx. Use the tool to create a trusted drive image and store it in an external USB hard drive.
NOTE: you have to maintain an up to date version of your trusted disk image once in a while. This is so that your drive image has up to date versions of programs and current antivirus signatures. I would recommend creating an up to date trusted disk image whenever you have made 2 major changes to your system.
Keep versions of the trusted disk images; do not delete old versions until you run out of space. The average time for big corporations to detect an intrusion is 3-6 months. That means intrusions usually stay undetected for several months. If you only have 1 disk image and the malware/hack tool is onboard already, you will have no images to reverse back to.
When you are finished with hardening, move the hardening scripts folder to a USB memory stick or a USB drive. Don't leave it for the attacker to discover.
When connecting online for the first time, Windows will ask you whether you want to be discoverable. This in turn sets the firewall profile behind the scenes to either Public or Private. What you want is No - Dont be discoverable. This will in turn set the firewall profile to be "Public", which is the most secure.
After hardening Windows and creating a Trusted Drive Image, you can now switch to your Standard account..Connect now to internet. There are 3 things you need to check before you can perform activation.
Open Start > All apps > Windows Administrative Tools > Services. And right click to start these 2 services:Then Right click on This PC, choose Properties, click on Activate. If it results in an error, click the Trouble Shoot button.
Or, you can open an elevated command prompt and run the following:NOTE: If you installed a device driver obtained from a vendor's web site, Windows Update will not update it because MS does not use or know their version numbers. You have to go to Device Manager >
It is also important that you update your Win Apps; to do so, Set OSArmor's protection to disable temporarily for 10 minutes and run Services.msc. Then go and set MS Store Install Service to Manual and Start the service.
Now set Windows Firewall Control to use Low Filtering Profile.
Now start MS Store. From the 3 dot menu, go to Downloads and Update and let it update everything. You will need to create a MS account. This means you would now have another account to keep tabs on. Do not use this admin account for anything else other and Windows Store Update.
Remember to set Windows Firewall Control to Medium Filtering Profile when done.
Now that you are online, you can run Nessus Vulnerability Scanner. It will retrieve the latest scanning module and vulnerability list, and scan your installed software for any new vulnerabilities. You may have downloaded the latest version from the vendor, but new vulnerabilities may already have been discovered.
WiFi enables beyond the perimeter attacks. If you live in an apartment bullding or crowded street, your WiFi signal can reach your neighbors. If you don't want to risk WiFi touching your PCs but have WiFi devices like Amazon Echo, Google Home, smart switches etc, then set those devices to use the Guest WiFi Network. Most modern WiFi routers has this feature. A Guest WiFi network is usually not allowed to contact your main network. Thus you will have isolated your vulnerable IoT devices from your PCs.
If your router also allows you to set the transmission strength, then set it to the lowest setting.
Since most WiFi routers only have 2 transmitter radios (2.4Ghz and 5Ghz), once the Guest WiFi Network is enabled, you will have also enabled WiFi for the internal network. If you don't plan to use this internal network WiFi, you can set it's WPA2 password to some long random gibberish typing. So then nobody could brute force guess that password. Also, you can disable the 5Ghz transmitter radio.
New routers offer previously expensive features at very affordable prices now. For example, this model:
CISCO RV-110WThe VLAN feature allows you to create isolated segmented networks for security. Home routers technically provide 2 segments only. But for the scenario where you have 2 teenage kids who download a lot, and you want to be segmented away from both, plus you have an Alexa smart speaker; then you need 4 segments. The CiSCO router above provide 4 VLANs. VLAN equiptment used to cost $300 and up. This one costs around $70. Also CISCO keeps track of security vulnerabilities as they become known and always provide patches. That cannot be said of other router manufacturers. The latest patch for this model was made on 2019-12-05.
Buy 2 YubiKeys and setup Google Advanced Security to use them.
Facebook has 2 factor authentication available. First go to Settings > Security and Login and setup 2 factor authentication. You have 2 choices between using the cellphone Google Authenticator app or receiving a cellphone SMS text message. Once that is done. You will see the option to register your YubiKey.
Sensitive data must be protected when being transferred. Just attaching a sensitive document to email is a no no. Use the 7zip compresion program to encrypt the document first, then attach it to the email. 7zip supports AES-256 encryptionn. Then use a second medium to tell the receiving party the password. (eg phone)
You should list out all the essential connections that you rely on or use regularly online and figure ways to protect them. That includes:
If this is a workplace email and calendar or internal web app, then check that a VPN is implemented to connect to your workplace. Sometimes this will involve a company issued VPN capable router. If neither is done, then you should start a conversation with your IT people arguing that a VPN to the workplace is necessary.
Many sites and applications support YubiKey so that would be the easiest thing to do.
If they don't support YubiKey as a hardware 2nd factor token, you should fall back to using the Google Authenticator cell phone app. Typically, the setup involves using the app to take a picture of the 'barcode' with it's built in camera. Once that is done, it will display new login codes every 30 sec that you copy onto the web site's sign on page.
If the web site does not support Google Authenticator, then it should support SMS text messaging. To set up that, you give your cell phone number to the web site, and the site will text message you a code everytime you sign in, and you copy that code onto the sign on page.
Bear in mind that Android phones are extremely hackable and if your cell phone is hacked then the attacker has access to the sign in codes (whether Google Authenticator or SMS). That is why Google is heavily emphasizing that their Pixel phones comes with at least 3 years of Regular Monthly security updates. Other famous cell phone brands like Samsung are notoriously tardy in providing security patches. Hardware 2nd factor tokens were created because there is a real need for them. And Google played a key part in its development together with the Swiss firm Yubico. Google has a vested interest in security because they want to harvest user internet usage, which feeds their advertising arm of the business. If the user is cautious then they won't do things online. It is a bit ironical that a firm that relies on tapping into users' private surfing wants to secure it as well. But that's the way it stands.
Another security thing not related to hardening is safe surfing practices.
The Calendar app is one of the few bundled Windows app that does not mandate an MS Account - you can use it with a Local Account. And it does not require connection to the internet. To use it:
Mozilla Thunderbird email client has more security features than the Mail app. It doesn't open embedded graphics which could be used to attack you. It has 2 phishing protections, one detects a potential phish, and the second warns you when you click on a link which takes you to a different site than what the link label says. Lastly, it has auto-updates.
If you intend to use the Windows Mail app, you need to do the following:Talk with your family members to see if they spot additional risks. You may not use that thing and spot it's importance. This will enable you to go look for secure versions of that kind of application.
There are layers of protection enabled in this document. For the most part, you will experience problems when installing new software. Disabling protection is a risky thing to do. Ensure that the software you are installing have SHA256 hashes or digital signatures. And use the main admin account which has the network adapter disabled. Then you can go about disabling each piece of protection to make the software install work. Remember to re-enable them once you are finished.
There are of course unlisted protections that you have hardened when you followed this document. But they are seldom encountered when installing software. Example of these are the disabled network protocols and UPnP.
It is understood that attackers read this document too. But true security is not security through obscurity. And if your main admin account is compromised, and they can get there to do all these steps, then you have to notify me and consider adding another layer of security.
REMEMBER to RE-ENABLE your PROTECTIONS when FINISHED