Harden Windows 10 - A Security Guide

Introduction

Harden Windows 10 - A Security Guide provides documentation on how to harden your Windows 10 1909 installation (Configuration Pack version 1909-c, 2019-12-12). It explains how to secure your Windows 10 computer. The knowledge contained stems from years of experience starting with Windows Vista. Hardening is performed using mostly native Windows tools and Microsoft tools.

Malware and hackers attack by exploiting security bugs and vulnerabilities. Even talented programmers make coding bugs; the last 50 years of computing show that this is guaranteed and unavoidable. The solution is to reduce the attack surface so that we expose fewer opportunities for exploitation. One core concept is Least Privilege: when you are using an admin account and you get successfully attacked, the attacker gains admin control over the whole PC. Least privilege says you don't run as admin for day-to-day tasks, and thus you lessen the chance of a complete takeover. Another core concept is minimization. You configure your system so that it is only able to do what you normally do, and nothing else. This minimizes the number of exploitable security bugs that can possibly run and lessens your exposure, which is called the attack surface. By removing services and programs that listen or respond to the internet 24/7, you take out the possibility of anybody sending them an exploit. If a new vulnerability is found months down the road, but the vulnerable component does not run on your system, it is already taken care of. We will reveal several other security principles, which allow you to adapt and evolve your defences as threats change with the times. There are many places in Windows where risk outweighs features, and this hardening guide goes through them one by one. Also, we will implement several layers of FREE security (antimalware is not the only thing that does security): if one layer gets broken through, you still have another, then another.

In today's environment, criminals attack vulnerable PCs to gain access to personal data for identity theft, to steal your credit card data, to install ransomware and to conduct business espionage. Regular hackers want to get their hands on anything and spread viruses. So any PC is game for intrusion, and it is not an elaborate thing: attacking a PC only requires a few minutes.

This guide will save you time and headache when dealing with intrusion. It is hacker tested.

Good security consists of deterrence, denial, delay, detection and remediation. Hardening historically covers the first 3. We will cover all 5 in this guide. A good admin periodically checks every machine in an organization for intrusions and errors, and she also performs recovery quickly to minimize disruption. We show you what to do.

This guide is frequently updated with new technologies, techniques and ideas to improve security. A version number is provided at the top.

If you followed this hardening guide and you still got hacked, I want to know about it. Security is an ongoing, evolving series of improvements. Use the email address below.

Email: fortified dot windows -at- gmail dot com



The Windows 10 Home Hardening Guide is below and all of the hardening steps are contained in this document. There is an optional Configuration Pack which automates some of the configuration steps and also provides the ACLs to partition away hacker friendly admin command line tools. Some settings can only be reached with the Configuration Pack. The Configuration Pack saves time by letting you import certain configurations.

Due to technical difficulties, we are not able to offer instant download after payment for the Configuration Packs. Orders will be shipped out when we receive email notification from PayPal. SHIPPING PROCESS IS MANUAL.





Importance of Testing

It is important to note that after hardening a system, you have to test whether the applications you run still run as expected. The ideal candidate for this project is a home user with no need for communications among PCs on the LAN. That is because the more network ports you open, the less secure you become.

Testing was done on Windows 10 Home 64 bit machines.

After hardening, all control panel items are tested working, with the following exceptions:



Before you begin

If you suspect that your system has already been compromised, the best course of action is to re-install Windows. Anything that happens without you doing something to cause it is a concern. Computers only do things because somebody tells them to, and that can only be either you or the attacker. There can be malfunctions, but those only happen after you have done something new and different, or after an automatically downloaded feature update. If you haven't done anything new and different, and the Windows Update history shows nothing, then there may be backdoors and botnet clients installed on your system. Yes, it could have been a software bug, but those are single events. A series of different things happening out of your control is an indication of an attack, especially if the events appear to react to your mitigations. If the system suddenly feels more sluggish, that is an additional sign. A very definite sign is that your antivirus is shut down (the Defender systray icon displays a red X); hackers do that as the very first thing.

You cannot fight back against someone who already has administrator-level control of your system. Whatever you implement, they will just disable it. Your best chance of survival is to re-install Windows and then harden it to prevent further attacks from happening.

The goal is not to unravel and undo what the attacker did to your system. Let's say there are 7000 features in Windows, and there are 17000 related registry items. A change to any of those 17000 registry items can cause a feature to stop working. It is pointless to try to find and fix what the attacker messed with. Plus, the attacker will have added some remote control functionality to your system so that she can control your PC. So instead, the goal is to create a fresh, trusted and hardened system, so that attacks cannot resume. We start offline from a fresh install, harden the system to minimize the attack surface, control which processes are allowed to run, and set up baseline measurements of the known and normal behavior of the system. We make a drive image while offline, and then we defend against attacks. Attackers have the advantage: they only have to find one security hole amidst all our defences to take over a system. For that eventuality, we have logs of what went wrong, and we have trusted backup disk images. We restore and build up new defences. If we have enough evidence, we can contact law enforcement.


For details of the Automated Configuration files, see the Automated Configuration section near the bottom of this document. They will also be mentioned where applicable in each section throughout the document.

Let's Begin


Things you need downloaded beforehand

IMPORTANT: Check the SHA hash and the Digital Signatures of files you download, if provided. If you are under attack, the attacker can perform a man-in-the-middle and modify your download, sending you installers bundled with rootkits to maintain their presence. I use Hash Tool.





SHA integrity checks, Digital Signatures and SmartScreen

SHA is an integrity verifier. If you use Hash Tool to generate the SHA256 hash of a download and compare it against the one given at the official download site, you are assured that you have downloaded an unmodified copy.

To see the Digital Signatures of a file, right click on the file, choose Properties, then the Digital Signatures tab. This reveals the company that signed the file. Then click on the Name of Signer, then the Details button. It should say "This digital signature is OK". If it does not say that, then the file has been modified: discard it. Check that the signature was made by the correct company name.

The Edge browser has SmartScreen, a reputation checker. SmartScreen looks at many things and revokes trust when a download has done bad things on a user's computer. So if the file has a signature, it can revoke trust of anything signed with that signature if the signature has a bad reputation.

Firefox and Chrome also have similar protection. But they don't have data that only MS can know, because Windows sends a lot of data back to MS.

Firefox's SHA256 file is located at: https://releases.mozilla.org/pub/firefox/ . You have to go down into the current version's directory to locate the SHA256SUMS file. Then you generate the SHA256 of the Firefox file you downloaded with Hash Tool or QuickHash, highlight and copy that; then open the SHA256SUMS file and press CTRL-F, CTRL-V and Find.

Chrome doesn't post their SHAs. The explanation I found is that a unique ID is embedded into each download, so SHA wouldn't work for them.
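As an added example (not from the guide, nor part of Hash Tool), here is a PowerShell version of the two checks above: matching a download's SHA256 against a SHA256SUMS file, and checking the Authenticode signature and signer name. The download folder, the Firefox version and the expected signer string are assumptions; substitute your own.

```powershell
# Added example, not part of the guide. Run in Windows PowerShell 5.1 on Windows 10.
# SHA256SUMS (Mozilla's format) has one entry per line: "<64 hex chars>  <relative path>".
# The same file name appears under several paths (win32/, win64/, each locale) with
# different hashes, so pass the relative path you downloaded to avoid ambiguity.

function Test-Sha256Sum {
    param(
        [Parameter(Mandatory)][string]$FilePath,   # the file you downloaded
        [Parameter(Mandatory)][string]$SumsPath,   # the SHA256SUMS file from the same directory
        [string]$RelativePath                      # e.g. 'win64/en-US/Firefox Setup 71.0.exe' (assumed version)
    )
    $actual = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash.ToLowerInvariant()
    $name   = [System.IO.Path]::GetFileName($FilePath)
    $hashes = @{}                                  # relative path -> expected hash
    foreach ($line in Get-Content -Path $SumsPath) {
        if ($line -match '^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$') {
            $path = $Matches[2]
            if ($RelativePath) { $hit = ($path -eq $RelativePath) }
            else               { $hit = ($path -like "*$name") }
            if ($hit) { $hashes[$path] = $Matches[1].ToLowerInvariant() }
        }
    }
    $distinct = @($hashes.Values | Sort-Object -Unique)
    $status = switch ($distinct.Count) {
        0       { 'NotListed' }                    # nothing matched: wrong file or wrong SHA256SUMS
        1       { if ($distinct[0] -eq $actual) { 'Match' } else { 'MISMATCH' } }
        default { 'Ambiguous' }                    # several builds share the name: give -RelativePath
    }
    [pscustomobject]@{ File = $name; Status = $status; Actual = $actual; Expected = ($distinct -join ',') }
}

function Test-Signer {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$ExpectedSigner   # substring of the certificate subject, e.g. 'Mozilla Corporation'
    )
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File     = [System.IO.Path]::GetFileName($FilePath)
        Status   = $sig.Status                      # 'Valid' is what the Properties dialog calls "This digital signature is OK"
        Subject  = $subject
        SignerOk = ($sig.Status -eq 'Valid' -and $subject -like "*$ExpectedSigner*")
    }
}

# Example invocation (download folder, file name and version are assumptions):
$dl = "$env:USERPROFILE\Downloads"
Test-Sha256Sum -FilePath "$dl\Firefox Setup 71.0.exe" -SumsPath "$dl\SHA256SUMS" -RelativePath 'win64/en-US/Firefox Setup 71.0.exe'
Test-Signer    -FilePath "$dl\Firefox Setup 71.0.exe" -ExpectedSigner 'Mozilla Corporation'
```

Treat anything other than Status 'Match' and SignerOk True as a reason to discard the download.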



Critical Windows Updates

Since the release of Windows 10 on Windows Insider, there have been critical updates that could stop you from performing Windows Check for Updates. If you have attackers on your tail, you may very well be stopped from obtaining critical updates, or you may be compromised when you go online to fetch updates.

There is a free tool called WSUS Offline Update, which can download updates for all Windows platforms and create an ISO image file.

This tool eliminates a critical gap in Windows installation: the window when you only have the latest version but are missing all updates. An attacker can attack you while you are updating online and vulnerable. The tool is available from here: http://www.wsusoffline.net/ . The site is in German and English.

So the plan is to run this tool on another PC to fetch the updates, and take the updates disc to the machine you are installing.

To fetch the updates, first run UpdateGenerator. On the main screen, select the platforms which you want updates for, and checkmark Create ISO images 'per selected product and language', then click the Start button.

After it finishes, check the iso sub folder to locate the ISO image file. Note that this is a DVD image file. Copy the ISO file to a USB memory stick and then copy it onto the system being installed. Once on the system, right click the file and choose Mount. This should result in a mounted drive. Go inside, and copy all the files and folders of the ISO into a new folder. Then start the UpdateInstaller program and click its Start button.




Windows Installation


As is normal for securely installing an OS, install it disconnected from the network. If you are using an Ethernet cable, disconnect the cable. If you are on WiFi, right click on the Start button > Windows System > Control Panel > Network and Sharing Center > Change Adapter Settings, and right click the WiFi interface to disable it.

To perform an upgrade from Windows 7 or 8.1, boot that version of Windows and run 'setup' from the DVD drive/USB memory stick. Do not boot with the ISO and do a clean install, as you won't be able to Activate your Windows 10 afterwards.

After you have done one custom install/upgrade and activated it, next time you can boot the DVD or USB memory stick created with a newly downloaded MS Media Creation Tool and perform a 'clean install'. MS will remember your PC's hardware from your last activation and activate.




Install Critical and Important Updates

Use the updates ISO created by WSUS Offline Update and install the patches.

Create a Virgin Windows Disk Image

Before we go on to hardening, it would be wise to create a drive image using Macrium at this point to capture a clean virgin Windows install. That way, if you want to undo all the hardening in one swoop, you can reimage the machine using this image file.




Turn off AutoPlay


AutoPlay is a problem when it comes to removable devices like USB memory sticks and CDs, because it will run whatever program it is set for whenever you insert one. Hackers are known to casually leave CDs around in public washrooms, labeled something like 'layoff positions for next quarter'. Once inserted, their hacking tools run in the background and call back to their master server. AutoPlay is the successor to AutoRun, and can be disabled in Windows. Do this for every account.

NOTE: It is essential to disable AutoRun and AutoPlay as the very first thing, because attackers will infect your USB memory sticks in an effort to remain in control of your machine even after you re-install Windows and proceed to re-install software off a memory stick.

Turn off AutoRun


AutoRun is the predecessor of AutoPlay, and is still active in Windows 10. Start the registry editor and go to this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Change the value of NoDriveTypeAutoRun to FF (hexadecimal).

Set Correct System Time and Time Zone

Right click on the clock in Systray and set the time and time zone with Adjust Date/Time.



Install Antivirus

Note regarding Windows 10 and 3rd party antivirus programs: Windows 10 has a semi-annual upgrade schedule and most 3rd party antivirus vendors have a hard time catching up, resulting in compatibility issues; strange Windows problems will occur. You should use the Windows Defender Antivirus included with Windows 10; it is quite good. If you really want to use a 3rd party antivirus, you must remember to do program updates frequently, especially around the time of new Windows releases. To proceed, install your antivirus program now. You will also need to specify an outbound firewall rule to allow the antivirus to fetch signature updates. Google for "<YourAntiVirusName> offline installer" and use that version, because you cannot go online before hardening.




Install Critical Applications

Order of installation:

  1. BiniSoft Windows Firewall Control
  2. Firefox
  3. Comodo Internet Security (It's a sandbox that works with YubiKey; I turn off its antivirus. See the Comodo section and YubiKey section)
  4. VoodooShield
  5. OS Armor
  6. Macrium Reflect free


Least Privilege and Reducing Attack Surface

One of the main concepts underlying hardening is least privilege. It means to configure your system so that it is only capable of doing things you normally do, and nothing else. So, that means that if a feature in Windows is not used, it is to be turned off, or disabled.

The reason behind it is that the more features you enable, the larger your attack surface is. It means you have more to defend, and one vulnerable spot is all it takes to get hacked. The more features you have, the more potential bugs (some security related) you have. Now, attackers know a lot about the security bugs in the system; that's how they attack. If you go live on the internet with all features turned on, the attacker has a lot of choices. If you disable unused features, then they have less to play with.

One of the first things you should do in line with least privilege is to create a Standard user account, and use that account for your daily work. Only log in to the administrative account to install programs, configure networking, or do system maintenance tasks. When you are working in a Standard account, any malware or hacker that makes it onto your system inherits your privilege and does not have admin privileges to make system-wide modifications. And that's a win for you.

Remember that an attacker will have all the access that you have at the moment of attack. So if you have important data stored in that account's Documents folder, he will have the same access (more on that later). So, if you have secret-level data, it is best to store it in an account which you don't surf with.

From a different perspective, a Standard account is a barrier to other accounts, and is also a container for attacks. If you have your services set up correctly and don't allow the RunAs command (it is the Secondary Logon service), then automated attacks and hackers cannot gain access to your other accounts. If you notice different behavior of your browser or something that looks like virus activity, you can rebuild your account and delete the old one as part of a recovery procedure. It may not contain the attacker if she attacks a service or an executable that is run by the System account. But that's why we disable services that are not necessary, further on down.


Create Accounts Now


Create all the user accounts now. It will be more difficult to create accounts later when everything is hardened. Go to Settings > Accounts > Family & other users > Other users and click on 'Add someone else to this PC'. Then switch to that account and sign in, letting Windows complete the account creation process.



Display all Control Panel settings

In Control Panel, select 'View by: Small icons'. This shows all the configuration choices available.



Turn UAC to the max


When MS released Vista, there were some complaints about UAC asking for confirmation to do this, that and the other. So MS made a compromise in Windows 7 and allowed customers to choose what level of prompting they want. Know that turning UAC completely off also means turning off Protected Mode in Internet Explorer, and not too many people realize that a major piece of protection is then turned off. UAC pops up mostly during the setup phase; once you have finished setting up your computer, you will rarely encounter it.

Control Panel\All Control Panel Items\User Accounts\Change User Account Control Settings

Move slider to top


Set up Firewall Profile

Windows networking has 3 network types: domain, private and public. Work and home are similar and are labeled as 'private' in its firewall tool. The private setting allows 'network discovery', so that Windows is allowed to talk to other PCs. The public setting is the most secure and is meant to be used at cafe hotspots, airports etc. If your network contains insecure PCs, then you should set the network profile to public. The domain setting cannot be chosen by the user, and is used after the PC has joined a domain. Since we are hardening the PC, we want the most secure setting, and only allow Windows to talk when it is called for. So for those that intend to join a domain, choose the private profile; if not, choose the public profile.

If you selected Private and later want to change it to Public or vice versa, here's how:

Systray network icon > open Network & Internet settings > change connection properties > select Public radio button.



Use only Bare Essential Network protocols

In order for an attacker to hack you remotely, he needs to interact with a network-facing program running on your PC. Some networking components implement protocols. Networking protocols are grammar rules for bits and bytes to communicate with other PCs, and each has weaknesses. So unless your environment requires that a protocol must be used, we will want to disable all except the bare essentials. More protocols mean a larger attack surface.

The only protocol you really need is IPv4, and most networking equipment requires IPv4 in order to function. IPv6 will be increasingly necessary as we have run out of IPv4 addresses. As of this section's writing (Windows ver 1803; May 2018), big ISPs have begun shipping IPv6-capable router/modems.

If you have an IPv6-capable ISP and router, then you can skip over all configurations in this guide that mention v6, as it is turned on by default by Microsoft. In the interim, MS had made several tunneling technologies: 6to4, ISATAP and Direct Tunnel, but they have all been disabled now, and MS recommends that we turn on IPv6 now. These interim tunnelling technologies are bad in that they cannot be inspected by the firewall rules of your IPv4 router's hardware firewall. If your ISP supports IPv6 then it is time to upgrade your router.

NetBIOS over TCP/IP is not required because NetBIOS is already active without this option. Disabling NetBIOS over TCP/IP should limit NetBIOS traffic to the local subnet.

The Discovery protocols are used to provide a nice graphical map of your network. For home users, this is not needed, as there is only one router. You would only get to see a picture depicting your PCs connected to your router. For Domain users, this feature is automatically turned off once you join the domain.

File and Printer Sharing should only be enabled if you plan to share some of your folders on the network or if you want to share your locally connected printer over the network. If printer sharing is desired, it is better to get a printer that has networking built in, so that when attacked, they only gain access to a printer instead of your PC. Disable this feature unless absolutely required.

Control Panel\Network and Sharing Center\Change Adapter Settings

Right click on Local Area Connection, choose Properties

Uncheckmark the following:

In line with layers of security, besides deactivating these protocols, we will be disabling the services that serve them (see the 'Disabling vulnerable services' section below).


Disable NETBIOS protocol


The NETBIOS protocol is an old protocol, and is used by Windows to locate Windows Domain Servers. It is also one of two methods to locate a network shared folder. However, in a standalone PC scenario, or with a few PCs that don't share folders, it is of no use. Unused protocols should be disabled.

If you have the Automated Configuration Pack, you can open "No Netbios.reg". Then reboot the computer.



Disable IPV6 Totally


As mentioned previously, IPv6 tunneling bypasses the security of your IPv4 router and hardware firewall. Run 'Regedit'.
Under the registry key HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters
right click on the right pane and create a new entry of type DWORD (32-bit) called DisabledComponents.
Then double click on it and enter one of the following:
  • FF to disable all IPv6 components, except the IPv6 loopback interface, which can't be deactivated.
  • 0x01 to disable all IPv6 tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4 and Teredo. If you have an IPv6 router, then you want to choose this one.
Note that the value "0" is the default setting.

If you have the Automated Configuration Pack, you can double click on "NoTCPIP6 All.reg" to disable all TCP/IP6, or you can double click on "NoTCPIP6 Tunnels.reg" to disable all tunneling protocols.



Disable unused Networking Devices


Control Panel / Device Manager, View menu / Show Hidden Devices

  • Disable: System Devices\Remote Desktop Device Redirector Bus

Reboot.


Disable IGMP


I have never seen this protocol used. When something is unused, least privilege says it should be disabled.

Start button\All Programs\Accessories\Command Prompt, right click, click on "Run as administrator" at the bottom of the screen and paste in this command:

      netsh interface ipv4 set global mldlevel=none

Disable port 1900 UPnP

The intention of UPnP is ease of configuration, so such things as games can auto-configure the firewall to let other players from the internet join in. However, with users each poking holes into your firewall with UPnP, pretty soon it will be Swiss cheese and cease to function as a firewall. It is better to configure firewall rules manually so that each firewall rule is known and accounted for. If your hardware firewall or router has an option to disable UPnP, do so.

Regedit

HKLM\Software\Microsoft\DirectplayNATHelp\DPNHUPnP

Right click on the right pane, New > DWORD (32-bit) Value, named UPnPMode.

Double click on that and set the value to 2.


If you have the Automated Configuration Pack, you can double click on the file "UPnP.reg"
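The three registry settings above (NoDriveTypeAutoRun from the AutoRun section, DisabledComponents from the IPv6 section, and UPnPMode from this section) can also be written and read back from PowerShell. This is an added example, not the guide's own steps nor a file from the Configuration Pack; the function names are mine, and the paths and values are exactly those given in the sections above.

```powershell
# Added example, not from the guide or its Configuration Pack.
# Writes and verifies the three registry values from the AutoRun, IPv6 and UPnP sections.
# HKLM values need an elevated PowerShell; the HKCU AutoRun value applies only to the
# signed-in account, so run that part once in every account. Reboot afterwards.

function Get-HardeningSettings {
    param([ValidateSet('All','Tunnels')][string]$IPv6Mode = 'All')   # 'All' = FF, 'Tunnels' = 0x01
    $ipv6Data = if ($IPv6Mode -eq 'All') { 0xFF } else { 0x01 }
    @(
        @{ Name = 'AutoRun (per account)';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Value = 'NoDriveTypeAutoRun';      Data = 0xFF }
        @{ Name = 'IPv6 DisabledComponents'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters'
           Value = 'DisabledComponents';      Data = $ipv6Data }
        @{ Name = 'UPnP (port 1900)';        Path = 'HKLM:\Software\Microsoft\DirectplayNATHelp\DPNHUPnP'
           Value = 'UPnPMode';               Data = 2 }
    )
}

function Set-HardeningValue {
    param([hashtable]$Setting)
    # Create the key if it is missing (the DPNHUPnP key usually does not exist), then write the DWORD
    if (-not (Test-Path -Path $Setting.Path)) { New-Item -Path $Setting.Path -Force | Out-Null }
    New-ItemProperty -Path $Setting.Path -Name $Setting.Value -PropertyType DWord `
                     -Value $Setting.Data -Force | Out-Null
}

function Test-HardeningValue {
    param([hashtable]$Setting)
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Value -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($Setting.Value) } else { $null }
    [pscustomobject]@{
        Setting  = $Setting.Name
        Value    = $Setting.Value
        Expected = '0x{0:X}' -f $Setting.Data
        Current  = $(if ($null -eq $current) { '(missing)' } else { '0x{0:X}' -f $current })
        Ok       = ($current -eq $Setting.Data)
    }
}

function Invoke-RegistryHardening {
    param([ValidateSet('All','Tunnels')][string]$IPv6Mode = 'All', [switch]$Apply)
    $settings = Get-HardeningSettings -IPv6Mode $IPv6Mode
    if ($Apply) { foreach ($s in $settings) { Set-HardeningValue -Setting $s } }
    $settings | ForEach-Object { Test-HardeningValue -Setting $_ }
}

Invoke-RegistryHardening -IPv6Mode All          # audit only: shows what is set right now
Invoke-RegistryHardening -IPv6Mode All -Apply   # write the values, then show them again
```

Use -IPv6Mode Tunnels instead of All if you have an IPv6 router, matching the 0x01 choice in the IPv6 section.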



Disable SMB protocol


SMB is the protocol used for File Sharing. There are 3 versions. Version 1 is the oldest one, and was abused by the WannaCry ransomware to encrypt your data and ask for a ransom. Versions 2 and 3 are combined, and deemed safe. However, unless used, it is recommended that you disable the protocols. Right click Start and click on PowerShell (Admin). Then type in the following:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Set-SmbServerConfiguration -EnableSMB2Protocol $false

(New in Windows v1803: SMB v1 is disabled by default.)

Disabling Listening Ports

When you run the command 'netstat -abn', it shows you which ports are open and listening on the network. Normally, you would want to close those ports unless you really need them. Windows 10's listening processes and their port numbers are RPCss (135), the eventlog service (49409), Spoolsv (49410), schedule (49411) and lsass.exe (49414). (The port numbers above 49152 can change between reboots.) However, the default firewall policy for inbound traffic is 'block' for all network profiles (domain, private, public). That means nobody can touch those listening ports unless the firewall is off, or you have made inbound 'allow' rules to pass traffic on to those processes. This has been verified by connecting to them with telnet: all attempts failed unless one turns off the firewall or makes 'allow' rules. Also, as far as I can determine, all of those processes are essential to Windows, especially RPCss and lsass.


Windows Advanced Firewall, turn on outbound blocking and logging


The basic principle for configuring firewalls is 'default deny'. That means all traffic is to be blocked unless you have made a rule to allow it. Those rules are your 'whitelist' of known good and currently used applications and protocols.

Windows Firewall's default policy is inbound deny and outbound allow all. 'Outbound allow all' eases configuration, but it doesn't follow the default deny principle and is not ideal. We don't want malware to be able to call back to its master servers.

Most people don't know that you have to turn outbound blocking on. When outbound blocking is turned on, only the programs and services you specify can talk to the net. Malware will have a hard time reporting back to its servers. However, Windows Firewall is missing a feature that tells you which programs it has blocked outbound. There is a free add-on called BiniSoft Windows Firewall Control that solves this problem. See the BiniSoft section below. Without BiniSoft, after installing a program that needs to connect to the net, like your antivirus program, you have to test its exe files one by one to see which is responsible for talking, and then allow that exe to talk with an outbound rule.

Start/Settings/Administrative Tools/Windows Firewall with Advanced Security

Click the "Windows Firewall Properties" link.
Click on each Profile (Domain, Private, Public) tab and set:
  • Outbound connections = Block
  • Specify logging settings for troubleshooting > Customize:
      • Size Limit = 32767 KB (which is the max size allowed)
      • Log Dropped packets = Yes
      • Log Successful connections = Yes
  • Specify settings that control Windows Firewall behavior > Customize:
      • Allow Unicast Response: No


Important: Before you make any changes to the firewall rules, go to the right side menu and choose 'Export Policy'. That is because the Restore Default Policy option does not give you back the current defaults; it gives you the defaults from a much older version of Windows 10. MS has been notified.
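The same profile settings, with the 'Export Policy' backup done first, as an added PowerShell example (not the guide's own steps; run it from an elevated PowerShell). The backup file path is an assumption.

```powershell
# Added example, not the guide's own steps. Run elevated.
# Exports the current policy first (the guide's 'Export Policy' step) and only then sets
# all three profiles to the values listed above, then reads them back for verification.

$BackupPath = "$env:USERPROFILE\Desktop\firewall-policy-before-hardening.wfw"   # assumed location

function Backup-FirewallPolicy {
    param([string]$Path = $BackupPath)
    netsh advfirewall export "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $Path)) {
        throw "Policy export failed; firewall left untouched."
    }
    Get-Item -Path $Path          # the .wfw file you can 'Import Policy' from later
}

function Set-HardenedProfiles {
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Block `
        -AllowUnicastResponseToMulticast False `
        -LogBlocked True `
        -LogAllowed True `
        -LogMaxSizeKilobytes 32767
}

function Test-HardenedProfiles {
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile  = $_.Name
            Inbound  = $_.DefaultInboundAction
            Outbound = $_.DefaultOutboundAction
            LogDrops = $_.LogBlocked
            LogAllow = $_.LogAllowed
            LogKB    = $_.LogMaxSizeKilobytes
            Unicast  = $_.AllowUnicastResponseToMulticast
            Ok       = ($_.DefaultOutboundAction -eq 'Block' -and $_.LogBlocked -eq 'True' -and
                        $_.LogAllowed -eq 'True' -and $_.AllowUnicastResponseToMulticast -eq 'False' -and
                        $_.LogMaxSizeKilobytes -eq 32767)
        }
    }
}

Backup-FirewallPolicy
Set-HardenedProfiles
Test-HardenedProfiles | Format-Table -AutoSize
```

Every row should show Ok = True for Domain, Private and Public before you move on to the rules.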



----- Firewall Rules ------

HowTo allow a Windows service outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Custom'. Next to 'Services' click Customize, select 'Apply to this service', scroll and find 'Windows Update'. Next: Protocol and Ports (no change). Next: IP addresses (no change). Next: select 'Allow the connection'. Checkmark all profiles, Next. Give the rule a name, e.g. "Allow service X".

HowTo allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Program'. Next: select 'This program path', click on the 'Browse' button, navigate to the program folder and select the EXE. Next: select 'Allow the connection'. Checkmark all profiles, Next. Give the rule a name, e.g. "Allow Program X".

HowTo allow communication to a destination port number and IP address: Click on Outbound Rules on the left. Click on 'New Rule'. Select 'Custom'. Next. Select 'All programs'. Next. For 'Protocol type' select 'TCP' or 'UDP' as the case may be. For 'Remote port', select 'Specific Ports', then type in the port number(s) below. Next. For 'Which remote IP addresses does this rule apply to?' select 'These IP addresses'. Click the 'Add' button, and in the following dialog box type an IP address into 'This IP address or subnet'. OK. Next. Select 'Allow the connection'. Next. Checkmark all profiles, Next. Give the rule a name, e.g. "Allow out to port ### on server YYY".

HowTo allow or block a package: Click on Outbound Rules on the left. Click on 'New Rule'. Select 'Custom'. Keep clicking the Next button until you see 'Block the connection', and select that. Click Next until you reach Finish, and name the rule. Then choose the rule just created and select Properties. Go to the 'Programs and Services' tab. Go to the 'Application Packages' settings. Go to 'Apply to this application package' and select the package. OK. OK.

The following rules apply to all 3 profiles: Domain, Private and Public.

  • Outbound/ allow \windows\system32\svchost.exe TCP (for system services)
  • Outbound/ allow \windows\system32\AuthHost.exe (for MS Account setup, Mail, Calendar)
  • Outbound/ allow \windows\system32\smartscreen.exe (so that it does a reputation check on downloaded files before running)
  • Outbound/ allow \windows\system32\WWAHost.exe (for MS Account sign in)
  • Outbound/ allow \ProgramData\Microsoft\Windows Defender\Platform\4.18.1910.4-0\MpCmdRun.exe
  • Outbound/ allow \ProgramData\Microsoft\Windows Defender\Platform\4.18.1910.4-0\msmpeng.exe
  • Outbound/ allow service "Windows Time" UDP to remote port 123; remote IP: <router's IP>
  • Outbound/ allow IP 127.0.0.1 to IP 127.0.0.1
  • Outbound/ allow program <Firefox/Chrome/Opera, whichever browser you use>
  • Outbound/ allow program \program files\Internet Explorer\iexplore.exe
  • Outbound/ allow MS Edge (package "Microsoft.MicrosoftEdge_8wekyb3d8bbwe")
  • Outbound/ allow program \PatchMyPC.exe
  • Outbound/ allow program \users\userAccountName\appdata\local\microsoft\onedrive\onedrive.exe (if you choose to use OneDrive, each account that uses OneDrive needs a rule)
  • Outbound/ allow Core Networking DNS (UDP-out): to <router's IP>
  • Outbound/ allow Windows Defender SmartScreen (package "Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy")
  • Outbound/ allow Core Networking - Dynamic Host Configuration Protocol (DHCP out) to <router's IP>
  • Outbound/ allow Core Networking - IPv6 (IPv6-Out)
  • Outbound/ disable all other rules with a green dot (which means they are active)

  • Inbound/ allow Core Networking - Dynamic Host Configuration Protocol (DHCP in), from <router's IP>
  • Inbound/ disable all other rules with a green dot (which means they are active)


Several rules need to be modified to match your environment.

One is Core Networking DNS: go to the rule's Properties > Scope tab and modify the Remote IP Address to your Windows Server's IP, and then your router's IP. You may wish to add another remote IP if you use a secondary DNS provider, like Google's DNS servers (8.8.8.8 and 8.8.4.4). The DNS server IPs are specified in Control Panel > Network and Sharing Center > Change Adapter Settings > Ethernet properties > Internet Protocol Version 4 > Properties button.

All routers have a DNS feature (which translates google.com to an IP address like 888.777.666.555 so you can surf to it).

So, DNS queries go to your router, and only your router's IP is allowed to respond to them. That is the Least Privilege principle: always narrow down the firewall rules to the IPs which are allowed, if possible. So it wouldn't be possible to add a remote IP scope for your browser, because it goes all over the internet.

The second one is Outbound Core Networking DHCP out. Modify the Remote IP to the router's ip just like above.

The third one is Inbound Core Networking DHCP in. Modify the Remote IP to the router's ip just like above.

The fourth one is Core Networking DNS (UDP-out). Modify the Remote IP just like above.

The fifth one is Windows Time. Some routers, like D-Link's, have an NTP (time) server. Go to the rule's Properties > Scope tab and modify the Remote IP Address to your router's ip.

The last one is related to the outbound Windows Time rule. By default, the Windows Time service uses time.windows.com as its time server. You have to go to Control Panel > Date and Time and change your time zone. Then go to the Internet Time tab > Change Settings button and change the server to your router's ip address. Then click Update Now twice to test it. Be sure to configure this setting, or Windows will try in vain to reach time.windows.com because the firewall rule blocks it. You need accurate time for a) Windows Activation, and b) when you need to access Event Viewer: it helps to see the real time when an event happened, so that you can correlate events between machines, especially during an intrusion investigation.
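The scope and time-server changes above can also be made from an elevated PowerShell, which is handy when repeating them on several machines. The following is an added example, not part of the guide's configuration pack; the router address 192.168.1.1 is a placeholder, and the rule display names are the built-in ones as they appear in Windows Defender Firewall with Advanced Security.

```powershell
# Added example: scope the Core Networking rules to the router and point the
# Windows Time service at the router's NTP server. Run in an elevated PowerShell.
# 192.168.1.1 is a placeholder; substitute your router's ip.
$RouterIp = '192.168.1.1'

# Built-in rule display names (assumed unchanged from the Windows 10 defaults).
$RulesToScope = @(
    'Core Networking - DNS (UDP-Out)',
    'Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)',
    'Core Networking - Dynamic Host Configuration Protocol (DHCP-In)'
)

foreach ($name in $RulesToScope) {
    # Set-NetFirewallRule rewrites the rule's Scope > Remote IP Address, which is
    # what the Properties dialog steps above do by hand, and enables the rule.
    Get-NetFirewallRule -DisplayName $name |
        Set-NetFirewallRule -RemoteAddress $RouterIp -Enabled True
}

# Verify: print each rule with the remote address now attached to it.
foreach ($name in $RulesToScope) {
    $rule = Get-NetFirewallRule -DisplayName $name
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    '{0,-70} remote={1}' -f $name, ($addr -join ',')
}

# Windows Time: replace time.windows.com with the router (the Internet Time tab
# equivalent), then force a sync so that the rule and the server are both tested.
w32tm /config /manualpeerlist:$RouterIp /syncfromflags:manual /update
Restart-Service w32time
w32tm /resync
w32tm /query /status
```

If the verification loop shows the old remote address, the rule exists once per profile and one copy was not matched; listing with Get-NetFirewallRule -DisplayName and piping all copies through Set-NetFirewallRule, as above, covers that.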

Side note, if you wish to receive a reply when you ping your machine, then enable ICMP in and ICMP out rules.

What's left to be done is to disable any rules for apps that you don't use, inbound and outbound. For instance:
  • If you don't use a MS Account to sign in, then you won't use Mail, Calendar and Windows Store, and you also won't need the rule for AuthHost.
  • If you don't have any IoT (Internet of Things) devices, then you don't need the AllJoyn rules.
  • If you don't want to send feedback messages to MS, then the Feedback Hub rules can be disabled.
  • If you don't use Groove Music, then the Groove, ZuneMusic and ZuneVideo rules can be disabled.
  • If you don't want to share photos, then that can be disabled.
  • If you don't want Sticky Notes to go online and fetch related info, then you can disable that.
  • If you don't use your computer to watch Movies and TV, then that can be disabled.
  • If you don't plan on printing 3D objects with a 3D printer, then that can be disabled.
  • Skype is popular, but if you don't use it then it should be disabled.
  • Xbox is another rule group you can disable if you don't have one.
Some of these rules have both inbound and outbound counterparts; when disabling, you need to do both. Remember the safest way is to follow the Default Deny principle: if it isn't going to be used, then right click and disable the firewall rule. MS has chosen to enable rules for apps that may be popular. But it should be the other way around: default deny, with explanations for the rules so that people can enable them themselves.

Side Note: You can disable several rules at once by clicking on the first line, Shift-clicking on the bottom line, then right-clicking and choosing Disable.

Some Win apps install Inbound allow rules for themselves. When you install an app, you should check the Inbound rules to see if any new rules have appeared, and disable them if you don't want inbound traffic to that app. Note that an inbound rule for an app essentially makes that application a server. That is, it will accept any transmission to the PC and can be exploited.

To preserve your firewall rules from MS modification, you will need to export the rules, and re-import them when they change. BiniSoft Windows Firewall Control has a solution for that, see below.
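The review-and-disable work from the last few paragraphs, plus the export the guide asks for, can be scripted. This is an added example and not the guide's own tooling: it lists the "green dot" inbound allow rules, disables rule groups by display-name pattern (the patterns are assumptions based on the rule names mentioned above; adjust them to what the listing shows), and backs up the rule set with netsh so it can be restored after Windows Update re-enables rules. The backup path is a placeholder.

```powershell
# Added example: audit enabled inbound allow rules, disable unused app rule groups,
# and back up the whole rule set. Run in an elevated PowerShell.
$BackupPath = "$env:USERPROFILE\Desktop\firewall-backup.wfw"   # placeholder path

function Get-EnabledInboundAllowRules {
    # The "green dot" rules in the console: enabled, inbound, action Allow.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Select-Object DisplayName, DisplayGroup, Profile
}

function Disable-UnusedAppRules {
    param([string[]]$NamePatterns)
    foreach ($pattern in $NamePatterns) {
        # Match on display name so inbound and outbound counterparts are both caught.
        $rules = Get-NetFirewallRule -Enabled True |
            Where-Object { $_.DisplayName -like $pattern }
        foreach ($r in $rules) {
            $r | Disable-NetFirewallRule
            'disabled: {0} ({1})' -f $r.DisplayName, $r.Direction
        }
    }
}

# 1. Back up first, as the guide recommends before any change.
netsh advfirewall export $BackupPath

# 2. Review what is currently accepting inbound connections.
Get-EnabledInboundAllowRules | Sort-Object DisplayGroup, DisplayName | Format-Table -AutoSize

# 3. Disable the groups from the list above that this machine does not use.
#    Patterns are assumptions; confirm them against the output of step 2.
Disable-UnusedAppRules -NamePatterns @('Skype*', 'Xbox*', 'Feedback Hub*', 'AllJoyn*', 'Groove*')

# Restore later with:  netsh advfirewall import $BackupPath
```

Running step 2 again after an update is a quick way to spot rules that have been re-enabled behind your back.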

EXPLOIT NOTICE: While testing, I have been successfully attacked with the Skype inbound rule enabled. It is part of a set of Default Inbound Allow Rules by MS. Attackers know these default inbound rules very well, and have thoroughly investigated them to work out exploits. In particular, you should avoid using Skype, even with only outbound rules enabled and inbound disabled. That is why I made the above set of Inbound Block Rules to counteract them. Block rules override Allow rules. Under no circumstance should you disable the inbound block rules.

-----------------------------------------------------
FIPS and Windows Advanced Firewall
-----------------------------------------------------
Do NOT enable FIPS in Local Security Policy > Local Policies > Security Options, or else you will not be able to Import Firewall Policy in Windows Defender Firewall with Advanced Security.
The setting is: Local Security Policy > Local Policies > Security Options > "System cryptography: Use FIPS compliant algorithms ..."


BiniSoft Windows Firewall Control


Windows Firewall doesn't notify you when an application calls outbound while the outbound policy is block. BiniSoft Windows Firewall Control is an add-on app that gives you that feature. It is also particularly useful to have it create a 'temporary rule' for the times when you use web-based program installers. You get this in their notification pop-up.

  • Install the BiniSoft WFC.
  • Turn on notifications: Systray icon > Main Panel > Notifications > Display Notifications.
  • Systray icon > Main Panel > Options > Start automatically at user logon
  • Systray icon > Main Panel > Security > checkmark Secure Boot. This will make Windows go offline when booting up, and you have to sign in and change the BiniSoft Profile back to Medium Filtering.

Windows has a lot of programs that call outbound, and they are not just Windows services (which we have pruned). Since the default policy is outbound allow all, most people are not aware of them. We apply the default deny principle and set the outbound policy to block, which is BiniSoft's Medium Filtering Policy. Apart from the outbound rules set up above and allowing your browser, little else is needed for Windows Activation, Windows Update and general web surfing. However, when the outbound policy is left at Windows' default allow, those Windows programs go outbound, like SystemSettings, ApplicationFrameHost, taskhostw and tons more. Even though each of them goes to a particular MS server, an attacker will be able to spoof the MS server's ip and send malicious traffic to these poorly defended Windows applications. MS is relying on the firewall state that is set when those programs go outbound to verify that any 'returning' traffic is legitimate. But when attackers monitor traffic on compromised public routers, or otherwise spray their exploits, all those Windows applications are ripe for attack. So, since the essential outbound rules are set as above, you can block any notifications that BiniSoft displays. If you want to be cautious, you can respond to the notification by blocking the program for X minutes.

The second feature of BiniSoft is that it can create a temporary rule for a program installer. When you get BiniSoft's notification that your program installer wants to go outbound, on the right side of that notification, you get the choice to create a temporary rule, which should self-erase after the installer exits. If it doesn't, you can find the rule easily because it is in blue font. This eliminates the need to choose BiniSoft's Low Filtering Profile, which is an outbound allow all policy.

To use the BiniSoft rules provided, you have to edit some of the rules. Right click on the BiniSoft icon in the Systray and select Rules Panel. On the right side panel, select 'Filter by Enabled'. Then click on the word 'Name' on the rules side to sort the rules by name. Locate the rules that have the word 'router' and/or 'server' and double click on each. Then go to the 'Remote Addresses' field and replace the addresses with your Windows Server's ip and/or router's ip, separated by a comma, no spaces.

The Notification setting is turned off. Nothing more needs to be allowed for activation, Windows Update or browsing, except adding an outbound rule for your preferred browser. Do Not be tempted to allow executables to go outbound just because a popup prompt comes up, this guide has already filtered out the non-essentials.

You can turn on Notifications if you are installing new software and want to allow it onto the network. However, be careful to only click 'Allow this program' or 'Allow temporarily' (one makes a rule and the other makes a temporary rule) for the program you are installing. There will be numerous pop-ups for Windows components like 'svchost', 'system' and others alongside the one piece of software you just installed. Remember, this guide has already filtered out the non-essentials. Allow only the software you are installing.

BiniSoft has a Secure Rules feature. It can stop unwanted changes to your rules. You define your rules and give it a Group Name. Then you put all the group names you want to keep intact in Main > Security > Authorized Groups. To change the Group of a particular rule, right click on the rule in Rules Panel and choose 'Add to Group'. Rules that belong to the built-in group "Windows Firewall Control" are always kept.

In Main > Security, you get to choose whether the unauthorized rules are deleted or disabled. Then you checkmark Secure Rules. If you choose to Disable unauthorized rules (the safest way) then all the unauthorized rules will be renamed and disabled. You can still recognize a Windows built-in rule should you ever want to enable it. However, BiniSoft currently (v6.0.2.0) has a problem in that some rules are shown by their Windows package names. For example the rule for "Microsoft Store" is displayed as "Microsoft.WindowsStore_11805.1001.49.0" in the BiniSoft rule panel. I have contacted the developer and he says it is the name returned by the Windows API, and he will look into it further. I have included a file "firewall rule app packages.txt" that lists the Windows firewall rule name and the Windows package name.

A note about firewall rules. The trick is to minimize the connections to the internet. This reduces your attack surface. The more programs you allow to connect, the higher the chance that one of them has a security vulnerability. AND ALL IT TAKES IS ONLY ONE, and the whole pyramid of cards will come tumbling down. The attackers have the advantage. Microsoft, in their infinite wisdom, have allowed 62 applications to have inbound allow rules. After each Windows Update, these 62 inbound allow rules will be re-enabled. They may have limited each app's rights, so that you only lose control of, let's say, your contacts list. They might have double checked the coding. But witness the long-lived SMB v1, which has been around for 15+ years. Network admin veterans rely on it because it is "time tested". It turns out there IS a security flaw, and the WannaCry ransomware took full advantage of it and spread like crazy, causing untold millions of dollars of damage. Doing threat models, limiting application rights and secure coding are all great things, and security has improved. But you have to remember that an exploit is an attack that can do non-ordinary and unexpected things. If the security flaw is of the kind that can 'run arbitrary code' (MS's term, used in MS Security Bulletins) then your limited application rights and threat models just don't count anymore, because "run arbitrary code" just means the hacker can run anything: destroy your documents, erase your photos, whatever is your sense of the worst disaster. The goal of a firewall is to close off any avenues of attack before they have a chance to touch vulnerable code, and only to allow known and necessary network traffic. Default Deny is the safest way of designing firewall rules.

Outbound connections are also SO important. Let's say that some Windows system exe calls out to MS server XYZ. For example, wermgr reports Windows system problems to MS and expects to receive an acknowledgment. Well, attackers also know that MS XYZ server's ip address. A firewall will correctly remember that wermgr connected outbound to that ip, and correctly allow the acknowledgment from the same ip back in. The hacker can easily send an attack bearing the XYZ server's ip, AND it will pass right through the firewall, unhindered. So security vulnerabilities that exist in mundane tasks, which run only once in a while, could be usable by attackers. Because the attacker can blast out attacks spanning a wide spectrum of destination addresses, non-stop, and if a couple of PCs have just sent out an error report to MS's XYZ server, he is inside instantly. His payload will begin downloading malware, and the takeover begins. If your router/hardware firewall has a logging feature, you can see evidence of this 24 hours a day: attackers banging on every door, checking to see if their exploit's target vulnerable code is running.

And if the outbound policy is set to disallow, then the allowed applications need scrutiny. MS enables some 40+ applications outbound in Windows 10 v1809's firewall outbound rules. The writer has received attack(s) when those rules are active, but has not narrowed it down to a particular one (the attacker has not attacked 40+ times). But smart attackers don't over-expose their prized possessions, their attack exploits, lest some security researcher catches and analyses them.

If you have the Automated Configuration Pack, go to Systray icon > Main Panel > Options and select 'Import User Settings from file'; locate the "BiniSoft User Settings ...XML".

Note: The User Settings enable Secure Rules. This will disable all rules which don't have Group Names specified in Security > Authorized Groups. If you need to enable a rule after Secure Rules has been turned on, you can right click on the rule in the Rules Panel and choose "Add to Group" and choose the group named "Windows Firewall Control".




If you have the Automated Configuration Pack, then go to Systray icon > Main Panel > Rules and select 'Import Windows Firewall Rules from file' and locate the "Binisoft Standalone Full Policy.WFW". IMPORTANT: use Windows Defender Firewall with Advanced Security to EXPORT/BACKUP your rules BEFORE you use this.

NOTE: The Ruleset only enables the very core of rules needed for daily use. One of the core missions of this web page is to help those currently under attack. And that means the firewall has minimal allowed applications. In particular, things like WWAHOST.exe, which is needed for Windows Activation, is Not enabled. You can use the Rules Panel's search to find and enable that rule when you want to do Windows Activation.

The ruleset also assumes you use a web based online email like outlook.com or gmail.com. So the Mail and Calendar rule was not enabled. If you really want to enable these 2 apps and enlarge your attack surface, you will need to use the instructions for 'How to Allow or Block a Package' above.

Windows Defender Firewall is designed so that individual Windows accounts CAN have their own rules, and they are shown in Windows Defender Firewall with Advanced Security's Local User Owner column (on the far right). Rules created via BiniSoft have the owner column specified as "any". Some MS-created rules like DHCP also have the "any" owner. BiniSoft does not have the capability to make rules that specify an owner. Certain MS-created rules like "Mail and Calendar", "MS People" and "Microsoft Store" etc. were created with a Windows machine name + account, and thus are not portable to your machine. Merely changing the rule to the Windows Firewall Control group does not make the rule work. You have to use the instructions in 'How to Allow or Block a Package' above to create a new rule. If you want to enlarge your attack surface and use a lot of the MS Apps, then it is best NOT to import this ruleset, but to modify the ones created by default by Windows, which have your account names.




Delivery Optimization

Delivery Optimization is designed to save bandwidth when performing Windows Update. It caches the updates for a short period and sends them to other PCs on the LAN. You can stop update downloads from other PCs so that you trust only Windows Update. But you can't totally stop uploading updates to other PCs on the internet.

First go to Settings > Update and security > Delivery Optimization and turn off Allow download from other PCs. Then click on Advanced Settings and checkmark "Limit how much bandwidth is used for Uploading" and make them the minimum.

Disable Automatic Proxy Search


By default, Windows will automatically search for an HTTP proxy for each account. An HTTP proxy is a server service that receives HTTP requests and forwards them to the internet. Usually it is used to filter web site requests to ban certain web sites, and companies use it to enforce policies like banning Facebook and other productivity-draining activities. Most home environments do not have an HTTP proxy server. If an attacker plants an HTTP proxy service on your network, then she can monitor your web activities, or even redirect your web requests to a malicious site. This should be turned off.

Go to Settings > Network and Internet > Proxy and turn off 'Automatically detect settings'.




Setting up a Microsoft Account


Setting up the system to use a MS Account for login is needed if you plan to do purchases through the Windows app Store.

However, it is not recommended that your admin account be an MS account, because it is exposed on the net on Outlook.com and allows attackers to crack your password before even touching your network or your computer.

You can use gmail or yahoo mail or outlook.com or hotmail.com addresses for this "MS Account". If you use a gmail or yahoo mail account, Windows will create a mirror account on outlook.com that uses the same name and password. It will also migrate your phone number over to this account. The phone number is used for 2nd factor authentication when you go do Billing things.

You should do everything possible to protect this MS account, because it is used to hold your credit card number. When you first use the Win Store to purchase anything, Windows asks you for your credit card number and stores it online in this MS account. Cortana also uses your MS account to store notes about your past queries and other personal information. So don't use it for email or instant messaging (so that the account name is not circulated), and don't enable OneDrive. A compromised MS account will give the attacker access to all these things. Secure it with a complex and long passphrase (see how to create a strong passphrase below). Although MS uses 2nd factor authentication when you go to outlook.com and check your Billing and credit card details, it does not use 2nd factor authentication when you use the credit card to buy stuff; it only asks for your passphrase. So once your passphrase is cracked, the hacker can go on a shopping spree, in addition to being able to log on to your PC.

WARNING: an MS account is a semi-admin. She can install Win Apps from the Store even if she is not an admin account. And depending on the Win App, the installation could open inbound 'allow' firewall rules which will make your PC vulnerable. Modifying firewall rules used to require admin rights but MS has apparently decided to bypass this. So, create an MS account only for an admin person and never for a user, as a user cannot be trusted to treat security as important. All a user wants at the moment is to try out that new software.

If you have to use MS accounts for your users, you can put a ban on the Windows Store.

Open Regedit and navigate to HKLM\Software\Policies\Microsoft\WindowsStore. Make a DWORD (32-bit) value named RemoveWindowsStore and set the value to 1.

Setting RemoveWindowsStore to 0 will reactivate the Store.
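The Store ban just described, and the Delivery Optimization setting from the section above it, are both policy values that can be set and read back from an elevated PowerShell. This is an added example, not one of the guide's .reg files. RemoveWindowsStore is the value the guide names; DODownloadMode is the Delivery Optimization policy value, where 0 means downloads come from Windows Update only with no peer-to-peer, the policy counterpart of the "Allow download from other PCs" toggle.

```powershell
# Added example: apply the two policy registry values from this part of the guide
# and read each back. Run in an elevated PowerShell.

function Set-PolicyDword {
    param([string]$Key, [string]$Name, [int]$Value)
    # Policy keys do not exist until a policy is set; -Force creates the path.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    # Return the stored value so the caller can confirm it took.
    (Get-ItemProperty -Path $Key -Name $Name).$Name
}

# Ban the Microsoft Store for all accounts (1 = banned, 0 = Store reactivated, as above).
$store = Set-PolicyDword -Key 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' `
                         -Name 'RemoveWindowsStore' -Value 1
"RemoveWindowsStore = $store"

# Delivery Optimization: 0 = HTTP only, download from Windows Update, no peers.
$do = Set-PolicyDword -Key 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' `
                      -Name 'DODownloadMode' -Value 0
"DODownloadMode = $do"

# To reverse the Store ban later, as the text above notes:
# Set-PolicyDword -Key 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' -Name 'RemoveWindowsStore' -Value 0
```

Policy values under HKLM\SOFTWARE\Policies take precedence over the per-user Settings page, which is why they are the right place for a ban you do not want a user to be able to flip back.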

Disable Windows Media Player Scripting

Windows Media Player can execute scripts embedded in a media file. For example, opening a song file can automatically open a web page, which could be rigged to deliver malware.

If you have the Automated Configuration Pack, you can right click on "Disable Windows Media Player Scripting.reg" and choose Merge.





Software Restriction Policy

When activated, Software Restriction Policy will prevent any program from running unless it resides in \Program Files or \Windows. That means any downloaded malware in Temporary Internet Files or elsewhere will not be able to run (browsers and plug-ins sometimes have vulnerabilities that let infected web sites force them to download). Since you will be running as a standard user daily, that malware cannot install itself into the above 2 locations, because you need admin rights to do so. So you are covered against unwanted Desktop programs running.

Feature not available in Windows 10 Home.


Simple Software Restriction Policy 2.1 by IWR Consultancy

Simple SRP 2.1 is a free tool that provides the majority of the functionality of Windows’ own SRP in a small program that sits in the systray. And it works on Windows 10 64bit.

This program provides crucial protection to Windows 10. After installation, only programs in \Program Files and \Windows will execute. So in order to run the BAT files of this guide’s automated configuration, you need to choose the tool’s UnLock from the right click menu, which will give you 30 mins of unlocked time.

The program installs into \Windows\SoftwarePolicy. Configuration is done via an .ini file that can be accessed and edited from its menu. There are some configuration items that need modification. Right click on the program’s systray icon and choose Configure. Notepad will start.


Locate [CustomPolicies] and add the following lines:
C:\ProgramData\Microsoft\Windows Defender=1
C:\ProgramData\Microsoft\Windows Defender\*\mpengine.dll=1

Add the following extensions to the end of "FileExtensions": VBS, JS, JSE, OTF, SCT, SHB, VBE, WSF, WSH, PS1. Then remove the ';' from the beginning of the line.


Change the item DisallowSpecificFolders to 1.

Locate "includeDLLs" and set it to 1.

Next, add the following lines underneath [Disallowed]
C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics=1
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files=1
C:\WINDOWS\Registration\CRMLog=1
C:\WINDOWS\Tasks=1
C:\Windows\Temp=1
c:\windows\tracing=1
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update=1
C:\Windows\System32\Tasks\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync=1
C:\Windows\System32\Tasks\Microsoft\Windows\Speech\HeadsetButtonPress=1
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam=1
c:\windows\System32\com\dmp=1
c:\windows\System32\FxsTmp=1
c:\windows\System32\spool\PRINTERS=1
c:\windows\System32\spool\drivers\color=1
C:\Windows\System32\spool\SERVERS=1
c:\windows\System32\Tasks=1
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter=1
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem\Calibration Loader=1
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystem=1
C:\Windows\System32\Tasks\Microsoft\Windows\Speech\HeadsetButtonPress=1
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient=1
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\WCM=1
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System=1
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update=1
c:\windows\SysWOW64\com\dmp=1
c:\windows\SysWOW64\FxsTmp=1
c:\windows\SysWOW64\Tasks=1
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter=1
C:\Windows\Temp\DiagTrack_alternativeTrace=1
C:\Windows\Temp\DiagTrack_aot=1
C:\Windows\Temp\DiagTrack_diag=1
C:\Windows\Temp\DiagTrack_miniTrace=1
C:\Windows\Temp\*=1
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask-Roam=1
C:\windows\temp\mptelemetrysubmit=1
c:\windows\system32\tasks\comodo=1
wscript.exe=1
cscript.exe=1
mshta.exe=1
cmd.exe=1
powershell.exe=1
powershell_ise.exe=1
wmic.exe=1
system.management.automation.dll=1
C:\Windows\System32\backgroundTaskHost.exe=1


The above 'disallowed' rules are made because those folders inside \Windows are writable by user accounts. Because the default allow rules allow any program inside \Windows to be executed, an attacker can place her programs in any user-writable folder inside it, for example \windows\System32\FxsTmp, and get them to run.

Note: To correctly install Windows Defender Platform Updates from Windows Update, you have to remove the line for \Windows\Temp temporarily. Take care to remove the line only temporarily and put it back in, if you notice a Windows Defender Platform Update is coming in.


In recent months (Apr 2017) there have been attacks that do not use malware files but use Windows' built-in scripting engines to execute script lines. As such, there are no files in the payload for antiviruses or anti-exe's to detect and block. (The anti-exe Voodoo Shield is an exception in that in its locked mode it prompts the user if PowerShell is run.) Nevertheless, it is sound protection to use SRP to block the execution of script engines until you temporarily unlock to run a script.

Now extract the AccessChk.zip file that was downloaded. Then create a file 'find SRP block paths.bat' with the following lines:
@echo off
:: Run from the folder that contains accesschk.exe. -accepteula suppresses the
:: Sysinternals licence dialog on first run; -w lists write access, -s recurses,
:: -q omits the banner, -u suppresses errors, and the account name is the principal checked.
accesschk -accepteula -w -s -q -u Users "C:\Program Files"
accesschk -accepteula -w -s -q -u Users "C:\Program Files (x86)"
accesschk -accepteula -w -s -q -u Users "C:\Windows"
accesschk -accepteula -w -s -q -u Everyone "C:\Program Files"
accesschk -accepteula -w -s -q -u Everyone "C:\Program Files (x86)"
accesschk -accepteula -w -s -q -u Everyone "C:\Windows"
accesschk -accepteula -w -s -q -u "Authenticated Users" "C:\Program Files"
accesschk -accepteula -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"
accesschk -accepteula -w -s -q -u "Authenticated Users" "C:\Windows"
accesschk -accepteula -w -s -q -u Interactive "C:\Program Files"
accesschk -accepteula -w -s -q -u Interactive "C:\Program Files (x86)"
accesschk -accepteula -w -s -q -u Interactive "C:\Windows"

Place the bat file into the folder where you extracted accesschk.exe, and run it to find out which folders on your system you need to add to the Disallowed section.
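If accesschk.exe is not to hand, the same search can be approximated in PowerShell with Get-Acl. The following is an added example and not part of Simple SRP or the guide's pack: it walks the default-allow folders, reports every directory whose ACL grants write or create rights to the same broad principals the batch file queries (Users, Everyone, Authenticated Users, INTERACTIVE), and prints the result in the "path=1" form used by the [Disallowed] section. It examines explicit Allow entries only and does not evaluate Deny entries or group nesting, so treat its output as a first pass and confirm with accesschk before pasting.

```powershell
# Added example: find directories under the SRP default-allow roots that a standard
# user can write to, and emit them as [Disallowed] lines. Run as admin so every ACL is readable.
$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
$Principals = @('BUILTIN\Users', 'Everyone',
                'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a user drop a file or folder: WriteData (CreateFiles),
# AppendData (CreateDirectories), or the composite Write right.
$WriteRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write'

function Test-BroadWriteAccess {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: ACEs carrying generic rights fall outside the named enum values.
        if (([int]$ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Find-SrpBlockPaths {
    param([string[]]$SearchRoots)
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            if (Test-BroadWriteAccess -Path $d.FullName) { $d.FullName }
        }
    }
}

# Lines ready to paste under [Disallowed]; review them before adding.
Find-SrpBlockPaths -SearchRoots $Roots | Sort-Object -Unique | ForEach-Object { "$_=1" }
```

Walking all of \Windows takes a few minutes; the list it produces should contain the Temp, Tasks, spool and FxsTmp folders named above, and anything extra is worth a look.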

Lastly, if you use the Opera browser, find in the [LimitedApps] section the line 'Opera=...' and place a semicolon (;) in front of the line to exclude Opera from protection, because Opera v30 (the latest version as of this writing) will not function with this enabled.

Save the file, exit Notepad and apply the policy.

The above configures the program to require a Windows admin account password. And it secures the mentioned paths under \Windows, which can be modified by users, to prevent malware from executing from there.

Also, you can add a “;” in front of these lines to remove extra menu items, as they add clutter to the right click menu:

;(C:\)=explorer.exe C:\
;Control Panel=control.exe
;Printers and Faxes=control printers
;Network Connections=ncpa.cpl
;Computer Management=compmgmt.msc
;Disk Management=diskmgmt.msc
;Registry Editor=regedit.exe
;Task Manager=taskmgr.exe
;Windows Firewall=firewall.cpl
;Command Prompt=cmd.exe
;Salamander=salamand.exe


Configure Anti-Exploit technology

With Windows 10 Fall Creators Update v1709, Windows Defender gains anti-exploit features. It is MS EMET transcribed for Windows 10, and it does not require the Secondary Logon service. You can add programs to be protected. Go to Windows Defender Security Center > App and Browser Control > Exploit Protection Settings to take a look. From there, click on Program Settings > Add program to customize. A good program to add would be your browser.

Settings for Chrome:
  • Arbitrary Code Guard: off
  • Block low integrity images: on
  • Block remote images: on
  • Block untrusted fonts: on
  • Code integrity guard: off
  • Control flow guard: on
  • Data execution prevention: on
  • Disable extension points: on
  • Disable Win32k system calls: off
  • Do not allow child processes: off
  • Export address filtering: on
  • Force randomization: on
  • Import address filtering: on
  • Randomize memory locations: on
  • Simulate execution: on
  • Validate API invocation: on
  • Validate exception chains: off
  • Validate handle usage: on
  • Validate heap integrity: on
  • Validate image dependency integrity: on
  • Validate stack integrity: on


Settings for Opera:
  • Arbitrary code guard: off
  • Block low integrity images: on
  • Block remote images: on
  • Block untrusted fonts: on
  • Code integrity guard: off
  • Control flow guard: on
  • Data execution prevention: on
  • Disable extension points: on
  • Disable Win32k system calls: off
  • Do not allow child processes: off
  • Export address filtering: on. Validate access for modules: unchecked
  • Force randomization for images: on. Do not allow stripped images: checkmarked
  • Import address filtering: on
  • Randomize memory allocation (bottom-up ASLR): on
  • Simulate execution (SimExec): on
  • Validate API invocation (CallerCheck): on
  • Validate exception chains (SEHOP): on
  • Validate handle usage: on
  • Validate heap integrity: on
  • Validate image dependency integrity: on
  • Validate stack integrity (StackPivot): on

Settings for Firefox 70.0.1:
  • Arbitrary Code Guard: off
  • Block low integrity images: on
  • Block remote images: on
  • Block untrusted fonts: on
  • Code integrity guard: off
  • Control flow guard: on
  • Data execution prevention: on
  • Disable extension points: off
  • Disable Win32k system calls: off
  • Do not allow child processes: off
  • Export address filtering: on. Validate access for modules: checked
  • Force randomization: on
  • Import address filtering: on
  • Randomize memory locations: on
  • Simulate execution: on
  • Validate API invocation: on
  • Validate exception chains: on
  • Validate handle usage: on
  • Validate heap integrity: on
  • Validate image dependency integrity: on
  • Validate stack integrity: on

Windows has some minimal default anti-exploit settings for system files. I have chosen to augment them for svchost.exe and others because the custom settings have more protection features. Other programs added are the ones mentioned in the outbound and inbound firewall rules which MS re-enables after each update. To load those settings:

  • Start an admin powershell
  • Type in 'set-processmitigation -PolicyFilePath <\FolderWhereYouStoreConfigPack>\EP.xml'
  • Reboot
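The per-program settings can also be applied without the dialog, using the same Set-ProcessMitigation cmdlet the loading steps above use. The following is an added example, not the guide's EP.xml: it applies the Chrome list from above to chrome.exe. The mitigation names are the cmdlet's own switch names; the mapping from the dialog labels to those names is an assumption made here (each is noted in a comment), so compare against Get-ProcessMitigation output after applying.

```powershell
# Added example: apply the Chrome exploit-protection list above with Set-ProcessMitigation.
# Run in an elevated PowerShell; settings take effect for newly started chrome.exe processes.
$Program = 'chrome.exe'

$Enable = @(
    'BlockLowLabelImageLoads',        # Block low integrity images
    'BlockRemoteImageLoads',          # Block remote images
    'DisableNonSystemFonts',          # Block untrusted fonts
    'CFG',                            # Control flow guard
    'DEP',                            # Data execution prevention
    'DisableExtensionPoints',         # Disable extension points
    'EnableExportAddressFilter',      # Export address filtering
    'ForceRelocateImages',            # Force randomization
    'EnableImportAddressFilter',      # Import address filtering
    'BottomUp',                       # Randomize memory locations (bottom-up ASLR)
    'EnableRopSimExec',               # Simulate execution
    'EnableRopCallerCheck',           # Validate API invocation
    'StrictHandle',                   # Validate handle usage
    'TerminateOnError',               # Validate heap integrity
    'EnforceModuleDependencySigning', # Validate image dependency integrity
    'EnableRopStackPivot'             # Validate stack integrity
)
$Disable = @(
    'BlockDynamicCode',               # Arbitrary code guard: off
    'MicrosoftSignedOnly',            # Code integrity guard: off
    'DisableWin32kSystemCalls',       # Disable Win32k system calls: off
    'DisallowChildProcessCreation',   # Do not allow child processes: off
    'SEHOP'                           # Validate exception chains: off (Chrome list)
)

Set-ProcessMitigation -Name $Program -Enable $Enable -Disable $Disable

# Read back what is now stored for this program and compare with the list above.
Get-ProcessMitigation -Name $Program

# Export the whole per-program policy so it can be re-applied with -PolicyFilePath,
# the same way the guide loads EP.xml. The path is a placeholder.
Get-ProcessMitigation -RegistryConfigFilePath "$env:USERPROFILE\Desktop\ep-export.xml"
```

For the Firefox and Opera lists, change $Program and move 'SEHOP' from $Disable to $Enable, since both of those lists have Validate exception chains on.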
There are about 40 apps in the set of default MS enabled firewall rules. All of them have been tested offline and they run. And I have tested the following most used apps online and verified that they run OK:
  • Calendar
  • Mail
  • Maps
  • Mix Reality Viewer
  • Microsoft Store (runs, can purchase movies, but can't install any games due to old PC not meeting requirements)
  • Tips
  • Get Help
  • Groove Music
  • Edge
  • Sticky Notes
  • One Note
  • Weather
  • People
  • Photo
  • Skype
  • Movies & TV
However, I would not run Skype; as noted in the firewall section, it was successfully attacked, and the exploit protection was not able to protect this app.

Configurations could not be made for the following apps:
  • Feedback Hub
  • Sticky Notes (it runs perfectly WITHOUT inbound or outbound firewall rules. You just don't get Cortana's integration)
  • Mobile Plans (not likely to be used except on Windows Mobile)
  • Calculator (it runs perfectly WITHOUT outbound firewall rule)
The above apps errored out after a few tests and refused to run anymore. I had to re-install Windows.

As a general rule, any application that takes video and audio input cannot be fully protected, as that input is a glob of data with no predictable structure except for a marker at the start and end. Anything could be transmitted to the program between the markers and the program would have no way of knowing or checking. With other kinds of data input, for example a data entry form, the program can check the data for validity: whether a month field has an allowed value, a year field is within an acceptable range, and so forth. That is not to say that Defender's Exploit Protection cannot be applied, but if the nature of the data is unpredictable and cannot be checked, then any protection on top of it is of limited use.

If the Anti-Exploit settings are not working for a program that you need to use, you can go to Windows Defender Security Center > App and Browser Control > Exploit Protection Settings > Program Settings, find that program name and remove the setting. Consult the 'firewall rules app packages.txt' file.




Turn on Ransomware Protection

Windows Defender > Virus & Threat Protection > Ransomware Protection > Manage ransomware protection > Controlled Folder Access=On

Note that turning on Controlled Folder Access will block any application that is not on its allow list from creating or modifying files in the protected folders (by default Documents, Pictures, Videos, Music, Desktop and Favorites). So, for example, further down in this document it tells you to create a baseline with "driverquery > out.txt". That command will fail to create out.txt in your Documents folder, because cmd.exe is not an allowed application; write the file somewhere else rather than allowing cmd.exe through.
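
The same switch from an elevated PowerShell, with an audit pass first so you can see what would be blocked before anything actually is. This is an added example, not part of the guide's Configuration Pack; the baseline file location is my own choice.

```powershell
# Added example (not from the Configuration Pack). Run in an elevated PowerShell.

# 1. Audit first: nothing is blocked, but every write that *would* be blocked is logged.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# ...use the PC normally for a day, then read back what CFA would have stopped.
# Event 1124 = audited (would have been blocked), 1123 = actually blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 2. Enforce.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify: 1 = Enabled, 2 = AuditMode, 0 = Disabled. Also list what is protected/allowed.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 3. The baseline command from later in this guide, written outside the protected
#    folders so it works without punching a hole for cmd.exe:
driverquery > "$env:TEMP\driverquery-baseline.txt"
```

If a legitimate program shows up repeatedly in the 1123/1124 events, add it with Add-MpPreference -ControlledFolderAccessAllowedApplications rather than disabling the feature; never allow-list cmd.exe, powershell.exe or other script hosts, since that is exactly what ransomware launches.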




Disable DCOM and Limit COM

DCOM (Distributed COM) lets COM objects on this PC be activated and called from other machines over RPC. It dates from the heyday of distributed computing, and on a standalone PC there is no legitimate remote caller, so it is best disabled. Local COM keeps working; what stops is remote activation, remote WMI and other DCOM-based remote management, which is the point.

  • Administrative Tools > Component Services.
  • Component Services > Computers > right click My Computer > Properties > Default Properties tab. Uncheck "Enable Distributed COM on this computer".
  • COM Security tab > Access Permissions. For the "SELF" and "Administrators" entries, uncheck "Remote Access".
  • COM Security tab > Launch and Activation Permissions. For the "SYSTEM", "Administrators" and "INTERACTIVE" entries, uncheck "Remote Launch" and "Remote Activation".
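
The checkbox in the first step is a single registry value, which is useful for checking that the setting survived an update. This is an added example, not part of the guide's Configuration Pack.

```powershell
# Added example (not from the Configuration Pack). Run in an elevated PowerShell.
# "Enable Distributed COM on this computer" is stored as a string: Y = on, N = off.
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
(Get-ItemProperty -Path $ole -Name EnableDCOM).EnableDCOM

# Disable it (takes effect after a reboot) and read it back.
Set-ItemProperty -Path $ole -Name EnableDCOM -Value 'N'
(Get-ItemProperty -Path $ole -Name EnableDCOM).EnableDCOM    # expect N

# The COM Security ACLs edited in the GUI live beside it as binary security
# descriptors. Inspect them (do not hand-edit binary ACLs; use the GUI for those).
Get-ItemProperty -Path $ole |
    Select-Object DefaultAccessPermission, DefaultLaunchPermission,
                  MachineAccessRestriction, MachineLaunchRestriction

# Caveat: disabling DCOM does not stop the RPC endpoint mapper, a separate service,
# from listening on TCP 135. Check what still listens there after the reboot and
# make sure the firewall blocks it from the network.
Get-NetTCPConnection -State Listen -LocalPort 135 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```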


Turn on Windows Defender Optional Protections

Windows Defender ships with some protections turned off by default. Here is how to turn them on.

Open an elevated (admin) PowerShell window, then type:
  • Set-MpPreference -PUAProtection Enabled
  • Set-MpPreference -EnableNetworkProtection Enabled
Then open Windows Defender, navigate to Device Security > Core isolation details > Memory integrity, and turn it on.
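
Turning a protection on is only half the job; you also want to confirm it is actually running. This added example (not part of the guide's Configuration Pack) applies the two Set-MpPreference settings above, sets the Memory integrity toggle the way the Settings page does, and then checks each one.

```powershell
# Added example (not from the Configuration Pack). Run in an elevated PowerShell.

# 1. Potentially Unwanted Application blocking and Network Protection.
Set-MpPreference -PUAProtection Enabled
Set-MpPreference -EnableNetworkProtection Enabled   # or AuditMode first if you fear breakage

# Verify: PUAProtection 1 = Enabled; EnableNetworkProtection 1 = Enabled, 2 = AuditMode.
Get-MpPreference | Select-Object PUAProtection, EnableNetworkProtection

# Network Protection only works while real-time protection is on, so check that too.
(Get-MpComputerStatus).RealTimeProtectionEnabled     # expect True

# 2. Memory integrity (HVCI). The Settings toggle writes this value; it needs a reboot,
#    and the CPU/firmware must support virtualization-based security. Drivers that are
#    not HVCI-compatible will stop it from turning on; the Settings page lists them.
$hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvci -Force | Out-Null
Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord

# 3. After the reboot, check that it is *running*, not merely configured.
#    SecurityServicesRunning contains 2 when HVCI is active (1 = Credential Guard).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$dg | Select-Object VirtualizationBasedSecurityStatus, SecurityServicesConfigured, SecurityServicesRunning
if ($dg.SecurityServicesRunning -contains 2) { 'Memory integrity: running' }
else { 'Memory integrity: NOT running (check VBS support and incompatible drivers)' }
```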



OSArmor


OSArmor (free) stops certain kinds of exploits and payloads. It is rule based rather than signature based, so it does not need to connect to the net. It can protect your browsers and office programs, and stops potential malware that executes off a USB memory stick. It also prompts you before you can run a script, like the .bat and PowerShell scripts in this Configuration Pack, because it is common for attacks to exploit a program and then launch a script.

To use it, first right click on the OSArmor systray icon, open Configurator, and check everything except Advanced tab > Block specific system processes > Block execution of NetSh. (NetSh is used by this guide to automatically take your admin account offline after sign-in.) Then carry on as usual. When it finds anything suspicious, it will prompt you. Some legitimate actions, like opening Event Viewer, will also trigger a warning. You then have two choices: a) Respond to the prompt by clicking the Exclude button. This populates the Exclusions Helper with the action you just performed; then click the Add Exclusion button. b) If you don't plan to perform this action often, go to OSArmor > Protection > Disable Temporarily > 10 mins. After the application has opened, you can immediately set Protection back to Enabled; you don't have to keep protection disabled while the application runs.

Finally, you can see which attacks or commands were blocked under Logs, by right clicking the OSArmor systray icon.




Accept Apps only from the Store

Windows defaults to allowing 'sideloaded' apps, i.e. app packages installed from a local file rather than from the Store. Normally apps come from the Store, where they are vetted by MS. Unless you are a developer you have no need for the sideload feature, and it is best disabled.

Go to Settings > Update & Security > For developers and select Microsoft Store apps.


Disabling Vulnerable Services

Most people are aware that services can be security problems and that some should be disabled. The main culprits are network services that listen for connections: anything that takes input from the net is a candidate for manipulation by attackers. Looking at the list of services disabled below, one might say there are no known exploits for such and such a service. But the principle, again, is least privilege. Only those services that are needed should be active, and we don't want to wait until an exploit hits the security news sites before taking action. Least privilege is a proactive, preventative concept.

There are various servers in the list of services which listen 24x7 to anybody who sends them something (which includes exploits). An example is the plainly named 'Server' service, which is responsible for File and Printer sharing. Another is UPnP Device Host, which lets other PCs interact with devices on this PC. Components that allow remote management are also turned off, like Remote Registry and Windows Remote Management: the first lets other PCs change your registry, and the second allows remote shell access. The Secondary Logon service is turned off because it lets a command line user run programs under another account, such as admin. It requires that account's password, but an attacker who already has a foothold has all day to obtain or guess it. DNS Client used to be unnecessary, but MS changed that in v1809 so that it can no longer be disabled. I have left 6 services on Automatic/Manual start which do react to inputs from the net. These services tell other Windows programs about your network and allow you to choose your firewall profile (public or private). One of them is related to DirectAccess, which can only be used in an environment that has Windows Servers, but I found that disabling it causes networking to malfunction.

There is another angle to services that makes some of them more desirable targets: the account that runs them. The SYSTEM account is all-powerful, at least the equal of an administrator. A network-facing service that runs under this account, like the WMI Performance Adapter (gone from v1809) or Printer Extensions and Notifications, is a prized target. A service running as SYSTEM will also be targeted by attackers who have gained entry into a Standard account; they will try to take over the service to gain SYSTEM rights. (This is called "escalation of privilege".)

There are some services which only matter if you have the right equipment, like Microsoft iSCSI Initiator Service, Bluetooth Support Service, Fax, Smart Card, Smart Card Removal Policy and WWAN AutoConfig; all are dependent on specific hardware. In my personal configuration they are all disabled, because I don't have that hardware. In particular, Bluetooth Support Service is one that ought to be disabled if one doesn't have any Bluetooth peripherals; it is a networking component that can be abused by attackers, and there are free hacking tools available for it. It is not disabled in the default configuration file because I don't want someone to apply the config and suddenly find that their keyboard or mouse doesn't work.

When you configure services, clicking on each will display a description. If that is not enough for you, you can check out http://blackviper.com, which sometimes has additional information.

 

If you have the Automated Configuration Pack, you can set up the services by right clicking on "Harden Win 10 Home Services.bat" and choosing "Run as Administrator"

 

Items in <angle brackets> are optional and not setup in the Automated Configuration file.

Right click on Start button/Control Panel/Administrative Tools/Services

Right click on each of the following services, choose Properties and set Startup type to Disabled.

Name (Original Mode),  what it does

---------------------------------------------------

  • Application Layer Gateway Service (manual) no plug-ins for Internet Connection Sharing allowed
  • Application Management (manual) disabled because this is for installation of software through domain Group Policy
  • Auto Time Zone Updater (disabled) no need unless this is a globe-trotting laptop
  • BranchCache (manual) only used in enterprise
  • Cellular Time (manual) this is not a phone
  • Computer Browser (manual) no need to explore the network
  • Connected User Experiences and Telemetry (automatic) disabling it stops some telemetry being sent to MS
  • Connected Devices Platform Service (automatic) has 2 listening ports, TCP 5040 and UDP 5050. Related to IoT (Internet of Things); see user reports online
  • Device Management Wireless Application Protocol (manual) WAP is a cell phone protocol
  • Distributed Link Tracking Client (automatic) maintains shortcuts to files on network shares if the source file is renamed
  • Distributed Transaction Coordinator (manual) no foreign network transactions allowed
  • Download Maps Manager (automatic) downloading maps may reveal your location
  • Function Discovery Provider Host (manual) no need to do network discovery on small LANs
  • Function Discovery Resource Publication (manual) no need to publish this computer's services
  • HomeGroup Listener (manual) don't use HomeGroup
  • HomeGroup Provider (manual)
  • Infrared Monitor Service (manual) starts a file transfer automatically when a device connects
  • Interactive Services Detection (manual) only old services interact with the desktop; a practice not encouraged by MS
  • Internet Connection Sharing (disabled by default)
  • IP Helper (automatic) provides IPv6 transition tunnels (6to4, ISATAP, Teredo) over IPv4. We don't want tunnels; the firewall cannot inspect what is inside them
  • IPsec Policy Agent (manual) requires a Kerberos server; may be necessary for VPN
  • KTMRM for Distributed Transaction Coordinator (manual) disabled because it is not used
  • Link-Layer Topology Discovery Mapper (manual) draws a map of your network; not needed
  • Microsoft App-V Client (disabled) requires a server
  • Microsoft Storage Spaces SMP (manual) requires a server
  • Net.Tcp Port Sharing Service (disabled by default)
  • Netlogon (manual) used by domain servers; disabled because no network logons allowed
  • Network Connected Devices Auto-Setup (manual) devices can still be set up manually
  • Offline Files (automatic) disabled because there is no server on the LAN
  • Peer Name Resolution Protocol (manual) disabled because there are no peers on the LAN
  • Peer Networking Grouping (manual) HomeGroup; not used
  • Peer Networking Identity Manager (manual) peer-to-peer networking; not used
  • Performance Counter DLL Host (manual) allows remote queries of performance data
  • Phone Service (manual) this is not a phone
  • PNRP Machine Name Publication Service (manual) publishes the peer name; disabled because there are no peers on the LAN
  • Quality Windows Audio Video Experience (manual) QoS; not used
  • Remote Access Auto Connection Manager (manual) remote access; not used
  • Remote Access Connection Manager (manual)
  • Remote Desktop Configuration (manual) not used
  • Remote Desktop Services (manual) remote desktop; not used
  • Remote Desktop Services UserMode Port Redirector (manual) remote desktop; not used
  • Remote Registry (disabled by default)
  • Retail Demo Service (manual) for demo mode; not used
  • Routing and Remote Access (disabled by default)
  • Secondary Logon (manual) the runas feature; not used
  • Secure Socket Tunneling Protocol Service (manual) disabled because no tunnels to remote points allowed (may be necessary for VPN)
  • Server (automatic) disabled because no file and printer sharing allowed
  • Shared PC Account Manager (disabled) requires central management tools
  • SNMP Trap (manual) disabled because it listens for SNMP messages from the network
  • SSDP Discovery (manual) disabled because SSDP not allowed
  • TCP/IP NetBIOS Helper (manual) disabled because NetBIOS not allowed
  • UPnP Device Host (manual) disabled because no hosting of devices for other PCs allowed
  • WebClient (manual) not used
  • User Experience Virtualization Service (disabled) requires a server
  • Windows Camera Frame Server (manual) lets several apps receive the camera video at the same time; consider what happens if one of them is spyware running in the background
  • Windows Management Service (manual) possibly requires a server
  • Windows Media Player Network Sharing Service (manual) disabled because no sharing allowed
  • Windows Mobile Hotspot Service (manual) disabled because no sharing allowed
  • Windows Process Activation Service (manual) was part of IIS, now a separate component; not used
  • Windows Push Notifications System Service (automatic) talks to an outside WNS server and allows third-party app developers to talk to their app
  • Windows Remote Management (WS-Management) (manual) disabled because this allows remote management
  • Work Folders (manual) disabled because there are no domain servers in a standalone config
  • Workstation (automatic) the SMB client; disabled because no access to network file and print shares is allowed
  • Xbox Accessory Management Service (manual) disabled because no connection to exterior devices allowed
  • Xbox Live Auth Manager (manual) disabled because no connection to exterior devices allowed
  • Xbox Live Game Save (manual) disabled because no connection to exterior devices allowed
  • Xbox Live Networking Service (manual) disabled because no connection to exterior devices allowed

WARNING: Geolocation Service (manual) is used by Cortana. As of 2015-Aug-19, a Windows bug meant that once disabled it could not be set back to normal again. Update 2018-10-05: fixed in v1809, so you can now disable it if you don't like Windows' location tracking.


----------------------------
My Service Settings
----------------------------
Below are additional service settings that I use on my machine. They are not suitable for everyone; most of the services listed are disabled because I don't have the equipment that service needs in order to function, like a smart card reader, iSCSI or Bluetooth. Also, I rarely print anything, so printing is disabled.

If you have the Automated Configuration Pack, my personal additional settings are in "My Personal Win 10 Home Disabled Services.BAT".

  • AllJoyn Router Service (manual) not used by me
  • AVCTP service (manual) related to Bluetooth audio and video; not used by me
  • Bluetooth Handsfree Service (manual) not used by me
  • Bluetooth Support Service (manual) not used by me
  • Certificate Propagation (manual) smart card related; not used by me
  • Data Usage (automatic) phone related
  • Enterprise App Management Service (manual) not used by me
  • Fax (manual) not used by me
  • HV Host Service (manual) virtualization; not used by me
  • Hyper-V ... all 8 services (manual) virtualization; not used by me
  • Microsoft Account Sign-in Assistant (manual) MS accounts not used by me; NEEDED only for activation
  • Microsoft iSCSI Initiator Service (manual) not used by me
  • Network Connection Broker (manual) used by the Windows Store; not used by me
  • Payments and NFC/SE Manager (manual) payment mechanism used by phones
  • Phone Service (manual) not a phone
  • Print Spooler (automatic) not used by me
  • Printer Extensions and Notifications (manual) not used by me
  • Radio Management Service (manual) phone related; not a phone
  • Sensor Data Service (manual) don't have sensors on my PC
  • Sensor Monitoring Service (manual) not used by me; don't have screen brightness control
  • Sensor Service (manual) no orientation device on my PC
  • Smart Card Device Enumeration Service (manual) don't have smart card devices
  • Smart Card Removal Policy (manual) don't have a smart card device; if hacked, it will lock the PC
  • Spatial Data Service (manual) no 3D equipment
  • Telephony (manual) don't have telephony devices
  • Touch Keyboard and Handwriting Panel Service (manual) don't have such a device
  • WalletService (manual) don't use MS Wallet to make payments
  • Wi-Fi Direct Services Connection Manager Service (manual) don't have a Wi-Fi enabled monitor
  • Windows Biometric Service (manual) don't have such a device
  • Windows Connect Now - Config Registrar (manual) don't have wireless on the PC
  • Windows Insider Service (manual) I don't run pre-public-release versions
  • Windows Perception Service (manual) don't have 3D components
  • Windows Perception Simulation Service (manual) don't have 3D components
  • Windows PushToInstall Service (manual) I don't download apps from the Store
  • WWAN AutoConfig (manual) don't have a GSM or CDMA device



If you have the Automated Configuration Pack, you can additionally disable the WinHTTP Web Proxy Auto-Discovery Service, whose startup type cannot be changed through the Services console (which is why the pack does it through the registry). It provides an API that even Edge doesn't use. Right click on the .reg file and choose Merge.
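
For those without the Configuration Pack, or who want to see what the .bat files do, the same changes can be made from an elevated PowerShell. This is an added example, not the pack's own scripts: it takes a handful of display names from the lists above to show the mechanism (including the dependency check you want before disabling anything), and ends with the registry route for the WinHTTP service, which refuses Set-Service.

```powershell
# Added example (not the pack's own .bat). Run in an elevated PowerShell.
# A few display names from the lists above; extend the array to taste.
$toDisable = @(
    'Server',                                       # LanmanServer: file and printer sharing
    'Remote Registry',
    'UPnP Device Host',
    'SSDP Discovery',
    'TCP/IP NetBIOS Helper',
    'Windows Remote Management (WS-Management)',
    'Secondary Logon'
)

foreach ($display in $toDisable) {
    $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if (-not $svc) { "skip: '$display' is not present on this build"; continue }

    # Anything that depends on this service stops with it; know that before you disable.
    $running = $svc.DependentServices | Where-Object Status -eq 'Running' |
               Select-Object -ExpandProperty DisplayName
    if ($running) { "note: stopping '$display' also stops: $($running -join ', ')" }

    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled
    $after = Get-Service -Name $svc.Name
    '{0,-45} {1,-8} start type {2}' -f $display, $after.Status, $after.StartType
}

# WinHTTP Web Proxy Auto-Discovery Service refuses Set-Service (access denied), which is
# why the pack ships a .reg file. The same change from PowerShell; Start 4 = Disabled.
$wpad = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
Set-ItemProperty -Path $wpad -Name Start -Value 4 -Type DWord
(Get-ItemProperty -Path $wpad).Start    # expect 4; takes effect at the next boot

# Review what is still set to start automatically, so nothing is left on by accident.
Get-Service | Where-Object StartType -eq 'Automatic' |
    Sort-Object DisplayName | Select-Object DisplayName, Status
```

Run the loop once with the Stop-Service and Set-Service lines commented out to see the dependency notes first; 'Server', for example, takes Computer Browser down with it, which is fine here but worth knowing.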




Stop Logins from the Network.

There should be limited logins available from the network. The 2 local security policies are also set in the Harden Win 10 Home Services BAT file, if you have the Automated Configuration Pack.

However, if we also stopped user and admin accounts from logging in through the network, then Simple Software Restriction Policy would stop working, so those accounts are left alone and we rely on Windows Firewall to protect them. The accounts that are denied (through the "Deny access to this computer from the network" user right) are: Guests, ANONYMOUS LOGON, NETWORK SERVICE, SERVICE and LOCAL SERVICE.
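
User rights are not exposed through Set-ItemProperty; the scriptable way is secedit, which exports the current policy to an .inf file, lets you edit one line, and imports it back. This is an added example, not the pack's own .bat: it sets exactly the five accounts listed above, by well-known SID so it does not depend on the display language, and leaves every other user right as it was.

```powershell
# Added example (not the pack's own .bat). Run in an elevated PowerShell.
$inf = "$env:TEMP\userrights.inf"
$db  = "$env:TEMP\userrights.sdb"

# Well-known SIDs: S-1-5-32-546 Guests, S-1-5-7 ANONYMOUS LOGON,
# S-1-5-20 NETWORK SERVICE, S-1-5-6 SERVICE, S-1-5-19 LOCAL SERVICE
$deny = '*S-1-5-32-546,*S-1-5-7,*S-1-5-20,*S-1-5-6,*S-1-5-19'

# Export only the user-rights area, so nothing else in the policy is touched.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$text = Get-Content $inf

# "Deny access to this computer from the network" = SeDenyNetworkLogonRight.
if ($text -match '^SeDenyNetworkLogonRight') {
    $text = $text -replace '^SeDenyNetworkLogonRight\s*=.*$', "SeDenyNetworkLogonRight = $deny"
} else {
    # Not set yet: add it at the top of the [Privilege Rights] section.
    $text = $text -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeDenyNetworkLogonRight = $deny"
}
Set-Content -Path $inf -Value $text -Encoding Unicode    # secedit expects a UTF-16 .inf

# Apply. The .sdb is a scratch database secedit needs; it is created if missing.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# Verify by exporting again and reading the line back.
secedit /export /cfg "$env:TEMP\verify.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$env:TEMP\verify.inf" -Pattern '^SeDenyNetworkLogonRight'
Remove-Item $inf, $db, "$env:TEMP\verify.inf" -ErrorAction SilentlyContinue
```

The same pattern (export, replace one Se*Right line, configure) works for any other user right, such as the remote desktop logon deny; the "*" prefix before each SID is required by the .inf format.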

 

 

Disable Live Tiles

A Live Tile on the Start menu accepts input from the internet. It has been said that if an attacker can make their way onto the desktop, then all is lost. To be safe, right click on each Live Tile and choose Turn Live Tile off. You can still click on a tile to run that app. If you are sure you never want to see a particular Live Tile, right click it and choose Unpin from Start.

 

Before Installing Applications

Whenever you choose to install a new application, you need to consider its security ramifications. For example, an older app which needs admin rights and accesses the internet is bad, because one successful attack gives the attacker admin rights over your machine. Another thing to watch for is listening apps. Technically they are servers, like an FTP server, and they are revealed by running 'netstat -abn' from an admin command prompt. Any such app listens 24x7 to anyone who cares to connect; while you sleep, servers do not, and you won't be around to monitor their security. One may point out that FTP servers have username and password protection, but attackers don't usually attack the main entrance. If you are deploying a server, it is a good idea to restrict connections to your friends' IP addresses in the firewall rules (bearing in mind that home ISPs change residential IPs frequently, so you would have to update those addresses frequently too).

It's a good idea to check www.exploit-db.com for any published exploits before installing an app. Some exploits only work against certain versions of the software, so if you find an old exploit there is a chance it won't work against newer versions. To be really sure, you would have to compile the exploit and test it, which can be difficult if you aren't a programmer. Be aware of the risk and decide.
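
'netstat -abn' tells you the process, but most Windows services share svchost.exe, so the process name alone does not say which service owns a port. This added example (not part of the guide) does the netstat job in PowerShell and maps each listening socket to its process and, for svchost, to the service(s) hosted in that process, which is what you need when deciding what to disable.

```powershell
# Added example (not part of the guide). Run in an elevated PowerShell; without
# elevation the owning process of other users' sockets is not visible.

# Process-id -> service names, built once from the service control manager.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}

function Get-ListenerOwner {
    param([int]$OwningProcess)
    $proc = Get-Process -Id $OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '?' }
    $svcs = $svcByPid[$OwningProcess]
    if ($svcs) { "$name [$($svcs -join ',')]" } else { $name }   # svchost [Dnscache,...]
}

$tcp = @(Get-NetTCPConnection -State Listen |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess)
$udp = @(Get-NetUDPEndpoint |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess)

$tcp + $udp |
    Sort-Object Proto, LocalPort -Unique |
    Select-Object Proto, LocalAddress, LocalPort,
        @{n='Owner'; e={ Get-ListenerOwner $_.OwningProcess }} |
    Format-Table -AutoSize

# Reading the output: 0.0.0.0 or :: means reachable from the network (firewall
# permitting); 127.0.0.1 or ::1 is local only. Run it before and after the services
# section and keep the two listings; the difference is your reduced attack surface.
```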



Installation of New Software


Always try to find installers that do not require internet access; search for the 'offline installer' of the program. Web-based setup programs are hazardous: they need a connection to the net while running as admin, and most setup installers also require turning off your anti-exe and other protection.

When Software Restriction Policy is set up, remember that programs will not run when they are located outside \Windows or \Program Files. To let your install program run, say from your Downloads folder, you have to go to Local Security Policy > Software Restriction Policies > Security Level and temporarily set Unrestricted as the default policy. Always remember to re-enable SRP before leaving your admin account.

Do not be tempted to add your Downloads folder as an exception to SRP; attackers will find that out and place their wares there to run them.

When installing security programs, some installers require the default settings of services and ACLs. The Automated Configuration Pack contains 2 bat files for this: Restore Services bat and Restore ACLs bat. If your antivirus installer produces errors, run them, install the new antivirus, and then redo Harden Services bat and Dual Admin bat. Kaspersky products (Total Security and Small Office Security) are known to require this step.

Always try to find whether the vendor publishes SHA-256 hashes (checksums) for the programs you download; SHA-1 is deprecated. If there is one, save it to a text file. After downloading both the setup file and the hash, use Hash Tool to compute the SHA-256 of the download and paste it into the text file opened in Notepad. Line the two values up and you will quickly see whether they match. Discard the download if the hashes fail to match; it has either been tampered with or corrupted. Bear in mind that a hash only proves the file is the one the vendor's page describes: an attacker who can alter the page as well as the download will make both agree, so fetch the hash over HTTPS from the vendor's own site, and prefer an installer that also carries the vendor's Authenticode signature.
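
The comparison can be done without Hash Tool, and without the eyeballing step that makes it easy to miss a single differing character. This added example (not part of the guide) wraps the check in a function, normalises the hash as copied from a web page, and demonstrates it on a constructed file so it runs offline; the Downloads path and hash at the end are placeholders for the real download.

```powershell
# Added example (not part of the guide). Works in any PowerShell 5.1+ session.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256    # pasted from the vendor's page
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "file not found: $Path" }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Normalise the pasted value: hex is case-insensitive, and some sites insert
    # spaces or dashes. Anything that is not 64 hex digits is a copy/paste error.
    $expected = ($ExpectedSha256 -replace '[\s-]', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') { throw 'expected value is not a SHA-256 hex digest' }

    [pscustomobject]@{
        File     = $Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Demonstration on a constructed file: the ASCII bytes "hello", whose SHA-256 is known.
$demo = Join-Path $env:TEMP 'hash-demo.bin'
[IO.File]::WriteAllText($demo, 'hello', [Text.Encoding]::ASCII)
$sha256OfHello = '2cf24dba 5fb0a30e 26e83b2a c5b9e29e 1b161e5c 1fa7425e 73043362 938b9824'
Test-DownloadHash -Path $demo -ExpectedSha256 $sha256OfHello      # Match: True
Test-DownloadHash -Path $demo -ExpectedSha256 ('0' * 64)          # Match: False

# Real use: the download and the hash copied from the vendor's HTTPS page.
$result = Test-DownloadHash -Path "$env:USERPROFILE\Downloads\setup.exe" `
                            -ExpectedSha256 'paste-the-vendor-hash-here'
if (-not $result.Match) { Write-Warning 'Hash mismatch: delete the download and fetch it again.' }

# A hash proves integrity against the page; a signature proves who published it.
Get-AuthenticodeSignature -FilePath $result.File |
    Select-Object Status, @{n='Signer'; e={ $_.SignerCertificate.Subject }}
```

The two demonstration calls run as-is; the last block throws on the placeholder hash until you replace it with a real one, which is deliberate, since a malformed expected value should never silently pass.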

If you are currently under attack, the attackers may modify the download, feed you an infected one by sending you a faked download page, or make the downloaded setup unexecutable. Close the browser promptly after the download finishes: while the browser is open there is a pathway from the net to your download, and closing it should sever that connection.



Minimizing Attack Surface (uninstalling all the apps that you don't run )

You should uninstall all the Windows apps that you don't use; it removes attack surface. Go to Settings > Apps > Apps & features. Clicking on an app reveals an Uninstall button. Remove everything you don't need. Note that this is a per-account setting: removing an app from the admin account still leaves it installed for the other accounts.

The Settings page offers no Uninstall button for the following apps:
  • Alarms & Clock
  • App Installer
  • Camera
  • Game Bar
  • Get Help
  • HEIF Image Extensions
  • Maps
  • Messaging
  • Microsoft Edge
  • Microsoft Store
  • People
  • Photos
  • Webp Image Extensions
  • Your Phone
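
PowerShell reaches further than the Settings page: it can remove an app from every existing account at once, and also remove the "provisioned" copy that Windows would otherwise install into each new account you create later. This is an added example, not part of the guide; Microsoft.MixedReality.Portal is a stand-in package name, and Get-AppxPackage shows the real one for whichever app you are removing.

```powershell
# Added example (not part of the guide). Run in an elevated PowerShell.

# Find the package name: the Name column is what the cmdlets below want.
Get-AppxPackage | Sort-Object Name | Select-Object Name, PackageFullName

$pkg = 'Microsoft.MixedReality.Portal'   # stand-in; substitute the Name from the list above

# 1. Remove for the current account only (equivalent to the Settings page).
Get-AppxPackage -Name $pkg | Remove-AppxPackage

# 2. Remove from every existing account on the PC.
Get-AppxPackage -AllUsers -Name $pkg | Remove-AppxPackage -AllUsers

# 3. Stop Windows re-installing it into new accounts (the provisioned copy).
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $pkg |
    Remove-AppxProvisionedPackage -Online

# Verify: nothing left for any user, nothing provisioned.
Get-AppxPackage -AllUsers -Name $pkg
Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $pkg
```

Some of the apps the Settings page refuses to uninstall can be removed this way, but leave Microsoft.WindowsStore, Microsoft Edge and the App Installer alone: removing them is unsupported and breaks updating of whatever apps you keep.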


With the software that you want to install, always choose Custom Installation if the setup program offers it. For example, if you only want to use MS Word and don't need Excel or PowerPoint, uncheck those two options. Word and Excel can run macros, which are a programming language and can be made to do useful or harmful things depending on who is wielding them. Attackers are known to use macros to infect machines.

If you use LibreOffice (a free, open-source office suite competitive with MS Office), it ships a Python runtime for Python macros. Languages like macros can be harmful. Test whether it is a core part of the program by renaming the exe to .ex0, then run the program and see if it breaks. If it doesn't (and it doesn't for me), leave it renamed that way. Bear in mind that a LibreOffice update will put the original back, so repeat the check after updating.



Sign on Security

It is very important to guard your sign-on passphrases, especially the one for your admin account. Attackers will try to trick you into giving out the passphrase by installing a trojan that looks like the Windows sign-on screen; upon seeing it, most users will key in their passphrase without question. Microsoft has a feature whereby you must press CTRL-ALT-DEL to reach the sign-on screen, because that key sequence (the Secure Attention Sequence) is intercepted by the kernel and cannot be trapped or faked by an ordinary program. This feature is normally only active when a PC is domain-joined to Windows Servers, but it can be enabled without them.

Another MS security feature is not displaying the account name on the sign-on screen, even when the user is currently signed on and has locked the system by pressing WinKey-L. This means an attacker needs to get both the account name and the passphrase right, which significantly enhances security.

If you have the Automated Configuration Pack, you can right click on Harden Win 10 Pro Security options.bat and choose Run as admin to enable these 2 features. Further down the document, all the settings in Security options are given.
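
Both features are Local Security Policy "Interactive logon" settings, and each one is a single registry value, so they can be set and checked without the Configuration Pack. This is an added example, not the pack's own .bat; the third value covers the locked-screen case mentioned above.

```powershell
# Added example (not the pack's own .bat). Run in an elevated PowerShell.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Interactive logon: Do not require CTRL+ALT+DEL" = Disabled   ->  DisableCAD = 0
Set-ItemProperty -Path $sys -Name DisableCAD -Value 0 -Type DWord

# "Interactive logon: Don't display last signed-in" = Enabled   ->  DontDisplayLastUserName = 1
Set-ItemProperty -Path $sys -Name DontDisplayLastUserName -Value 1 -Type DWord

# "Interactive logon: Display user information when the session is locked"
#   = Do not display user information                              ->  DontDisplayLockedUserId = 3
Set-ItemProperty -Path $sys -Name DontDisplayLockedUserId -Value 3 -Type DWord

# Verify (expect 0, 1, 3).
Get-ItemProperty -Path $sys |
    Select-Object DisableCAD, DontDisplayLastUserName, DontDisplayLockedUserId

# Then press WinKey-L: the lock screen should demand CTRL-ALT-DEL and show no account name.
```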



Privacy



Under Start > Settings > Privacy is a whole lot of settings for apps that use your private info. Some of them are used by Cortana, the new artificial-intelligence personal assistant, like Speech, Inking & typing, and Location. The privacy settings are per account, but most of them now also have a system-wide on/off switch which can only be changed by admins; Location in particular is a system-wide setting.


New Account To Do List


  • Remove all un-needed tiles on Start menu: Right click on tile > unpin from start.
  • Find the Sandboxie items on the Start menu, right click on 'Run Web Browser Sandboxed', Pin to Start
  • Settings > System > Shared experiences > Share across devices : off
  • Settings > Devices
    • AutoPlay > Off
  • Settings > Network and Internet > Proxy > Automatically detect settings > Off
  • Settings > Personalization
    • Start > Show suggestions occasionally in Start > Off
    • Lockscreen > change Windows Spotlight to Picture ( it connects to the internet and is an entry point; by setting this you won't get new pictures by MS on your lockscreen )
    • Themes > Desktop icon settings: checkmark the icons you want for desktop, Then right click on desktop > sort by name > twice
    • Taskbar > Notification area > Select which icons appear on the taskbar: Always show all icons in the notification area: ON
  • Settings > Apps
    • Apps & features. Remove all the apps you don't use
    • Default Apps > click on Web browser > select your favourite web browser
    • Offline Maps > Automatically update maps > Off
    • Apps for Websites:
      • Maps (2) > Off
  • Settings > Gaming > Game bar >
    • Record game ... : off
    • Captures ... : off
    • Broadcast ... : off
  • Ease of Access > Display > show notifications for 1 min
  • Settings > Privacy
    • General > Let website provide locally relevant ... > Off
    • General > Let Windows track app launches ... > Off
    • General > Show me suggest contents ... > Off
    • Speech > If you turn off online speech recognition ... > Off
    • Inking & typing personalization > When this is switched off ... > Off
    • Diagnostic & feedback > select Basic
    • Activity history > Un-checkmark: Store my activity history ...
    • Location > Change button > Off. Location for this device > Off
    • Camera > Change button > Off. Camera access for this device > Off
    • Microphone > Change button > Off. Microphone access for this device > Off
    • Notifications > Change button > Off. User notification for this device > Off
    • Account Info > Change button > Off. Account info access for this device > Off
    • Contacts > Change button > Off. Contacts access for this device > Off
    • Calendar > Change button > Off. Calendar access for this device > Off
    • Phone Call > Change button > Off.
    • Call History > Change button > Off.
    • Email > Change button > Off. Email access for this device > Off
    • Tasks > Change button > Off. Task access for this device > Off
    • Messaging > Change button > Off. Messaging access for this device > Off
    • Radio > Change button > Off. Acccess to control radios for this device > Off
    • Other Devices > Off
    • Background Apps > Let apps run in the background > Off
    • App diagnostics > Change button > Off. App diagnostic info for this device > Off
    • Automatic File Downloads > Off
    • Documents > Change button > Off. Document library access for this device > Off
    • Pictures > Change button > Off. Pictures library access for this device > Off
    • Videos > Change button > Off. Videos library access for this device > Off
    • File System > Change button > Off. File system access for this device > Off
  • Settings > Update & Security > For developers > select Microsoft Store apps
  • Right click on Taskbar > Taskbar settings:
    • set cortana icon to hidden
    • set Show People on taskbar to off
  • Right click on taskbar > Task Manager > Startup tab: Microsoft OneDrive setup: Disabled

    OneDrive

     

    OneDrive lets you keep your documents, pictures and PC settings in the cloud, ready for syncing to all of your PCs. However, your personal files then sit on the internet 24x7x365, waiting for someone to crack or phish your account password. This is not secure, to say the least.



    Enable DEP

    Data Execution Prevention (DEP) foils certain types of attack by refusing to execute code from memory pages that are marked as data, such as the stack and heap. By default it is enabled for essential Windows programs and services only (OptIn). You want to enable it for all programs (OptOut), so that it also covers Firefox, Opera, Acrobat Reader and the rest. 64-bit programs are always DEP-protected; the setting matters for 32-bit programs, and the rare old program that breaks can be excluded on the same tab.

    Right Click Computer/ Properties/ Advanced System Settings

    /Performance Settings button/ Data Execution Prevention Tab

      Select "Turn on DEP for all programs ..."

     

     

    Disable dump file creation

    Dump files are memory dumps: when the system crashes, what was in memory is saved to a file for debugging. However, passwords and any other confidential data that were in memory at the time are saved along with it. Enable this feature only when you are experiencing problems and need to debug.

    Computer > Properties > Advanced System Settings > Startup and Recovery Settings - settings button

    Write debugging info: None.



    Disallow Remote Assistance

    Remote Assistance allows a helper to control your PC with full desktop, keyboard and mouse access. It is not an attacker favourite, as there is built-in protection that lets only an invited person take control. However, there are phone scams that lure users into granting remote access, and you will want to protect your users from compromising the computer that way.

    Computer/Properties/Advanced System settings/Remote tab

    Un-checkmark allow remote assistance
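
The three System Properties settings above (DEP, dump files, Remote Assistance) from an elevated PowerShell, each followed by a check, so you can script them for every PC you harden. This is an added example, not part of the guide's Configuration Pack.

```powershell
# Added example (not from the Configuration Pack). Run in an elevated PowerShell.

# DEP. OptOut = "Turn on DEP for all programs and services except those I select";
# OptIn (the default) covers only Windows programs and services. Reboot to apply.
bcdedit /set "{current}" nx OptOut
# SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut (shows the *running* policy).
(Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy

# Crash dumps. CrashDumpEnabled: 0 none, 1 complete, 2 kernel, 3 small, 7 automatic.
$crash = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
Set-ItemProperty -Path $crash -Name CrashDumpEnabled -Value 0 -Type DWord
(Get-ItemProperty -Path $crash).CrashDumpEnabled        # expect 0

# Remote Assistance. fAllowToGetHelp 0 = "Allow Remote Assistance connections" unchecked.
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
Set-ItemProperty -Path $ra -Name fAllowToGetHelp -Value 0 -Type DWord
(Get-ItemProperty -Path $ra).fAllowToGetHelp            # expect 0

# Belt and braces: the Remote Assistance firewall rules should not be enabled either.
Get-NetFirewallRule -DisplayGroup 'Remote Assistance' |
    Select-Object DisplayName, Direction, Enabled
```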

     

     

    Let Windows make more Restore Points available

    System Restore can be a life saver when you encounter system errors. Setting it to use more disk space, so that more restore points are kept, is good policy. Note that restore points are not a backup and not a security boundary: ransomware routinely deletes shadow copies before encrypting, so keep a separate offline backup of your data as well.

    Right click Computer/Properties/Advanced Systems Settings/System Protection tab

    Configure button/create bigger system restore cache

     


    Enable Visibility into Windows hidden files

    You want to be able to see all files and folders in Windows. If you do not do this step, hackers can hide their installed tools from you simply by setting the hidden or system attribute. An attacker can also install a rootkit, which hides files regardless of this setting, but they may not get far enough into your system to do so. Showing extensions matters on its own: with extensions hidden, a file named "invoice.pdf.exe" displays as "invoice.pdf".

    Windows Explorer / View pull-down menu / Options button / Change folder and search options / View tab

    CHECK the items below
    • Always show menus
    • Display the full path in the title bar
    • Show hidden files, folders and drives
    UNCHECK the items below
    • Hide empty drives
    • Hide folder merge conflicts
    • Hide extensions for known file types
    • Hide protected operating system files

    Windows Explorer / View pull-down menu /
    • check File name extensions
    • check Hidden items
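
These are per-user Explorer settings, so they must be applied in each account, which is tedious by hand. This added example (not part of the guide) sets the three that matter for security from PowerShell and then uses the visible extensions to look for the double-extension trick described above; the Downloads folder is just where such files usually land.

```powershell
# Added example (not part of the guide). Per-user (HKCU): run it in every account.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord   # show hidden files, folders, drives
Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord   # show extensions for known types
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord   # show protected OS files

# Explorer reads these at start; restart it so open windows pick them up (Windows relaunches it).
Stop-Process -Name explorer -Force

# Verify (expect 1, 0, 1).
Get-ItemProperty -Path $adv | Select-Object Hidden, HideFileExt, ShowSuperHidden

# Now that the real extension is visible, flag files whose base name pret ends to be a
# document or image while the real extension is executable or a script.
$decoy  = '\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|gif|txt|zip)$'
$runner = '^\.(exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|ps1|hta|lnk|msi)$'
Get-ChildItem "$env:USERPROFILE\Downloads" -File -Force |
    Where-Object { $_.BaseName -match $decoy -and $_.Extension -match $runner } |
    Select-Object Name, Length, LastWriteTime
```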


    Configure Lock Screen

    Unattended PCs are an obvious security risk, but many people fail to take care of this via a simple setting. Most larger, security-aware companies have strict rules to enable it and not to leave PCs signed in and unattended.

    Go to Settings > Personalization > Lock screen > Screen timeout settings, and configure the screen to turn off after 10 minutes. Note that turning the screen off does not by itself lock the session: also set Settings > Accounts > Sign-in options > Require sign-in to "When PC wakes up from sleep", or enable a screen saver with "On resume, display logon screen" ticked, so that the lock actually engages. And get into the habit of pressing WinKey-L whenever you walk away.

     

     

    Least Privilege part 2

    If you look at \Windows\System32 folder, you will see a lot of exe programs. Some of them are Windows' GUI components and needed by the system. And some are command line programs used to administrate Windows. A Standard user account doing daily work has little use for these command line programs, as they are intended for IT administrators. In accordance with Least Privilege, these command line admin tools should be partitioned away from the User group. See the following RBAC section.

    Attackers aim to get use of three accounts, the admin account, the "Administrator" account, and the System account. The admin account is needed for configuring the system, so it needs full access to command line tools and we cannot avoid this. The 'Administrator' account is by default disabled. And the System account is used by some services. In testing, it is revealed that the System account cannot be constricted or else our Restore BAT wouldn't work. So in the provided configuration file, command line tools are set so that only members of the administrators group and 'TrustedInstaller' can invoke them. (The System acount gets inheritied rights)  Also, in line with layers of security, the command line admin programs are denied execution by low integrity processes. 

    As an example, few people are aware that there is a command line FTP program, as most people use their browsers to download. This program is used mainly by attackers who need to bring over their tools once they have gained command prompt or PowerShell access.

     

     

    Role Based Access Control (RBAC)

    Role Based Access Control means setting up accounts to do only what is necessary for the job role. Hence an accountant would be set up so that he can run the accounting program, and not other things like our hardening scripts. This is in accordance with the Least Privilege principle.

    When we analyse our security posture, the weakest point of defense is when we are using our admin account. Sometimes a program installer needs Software Restriction Policy turned off, because it writes to and then executes a temporary exe from within the temp folder. And we must use the admin account to install software. Sometimes the install program needs to download components online, and the downloading portion may be vulnerable. And if the account houses our hardening scripts as well as other important documents, there is a lot to lose. Installing a new program usually takes time, maybe a good half hour or more to configure, test and so on. So for this hour we are essentially running an insecure, semi-hardened box. This calls for a role called the Installation Admin.

    In the Configuration Pack, the Dual Admin BAT creates an installation admin (you choose the actual account name) and restricts it from running admin command line tools and administration GUI apps. In addition, it removes ordinary user accounts from accessing admin command line tools. After configuration, the command line administrative tools (plus regedit, regedt32 and tasksched) can only be accessed from a full admin account using an elevated command prompt. Also, only the full admin account has the take ownership right. Right click on the BAT file and choose Run as Admin.

    Note: the dual admin BAT script does not assign a password to the Install Admin. Sign on into the Install Admin account and give it a passphrase.

    In effect, the only special rights this installation admin account possesses are the right to write anywhere on the hard drive (like the Program Files folder, which only an admin can write to) and the right to write to any registry key. This seems very generous, but the fact is we are not able to restrict it further. This account would then be used when you install a program, which is a very common task for an admin role.

    Very often, an attacker will install a Remote Access Tool/Trojan (RAT) to monitor the victim. This program is just like an ordinary program that provides remote access, like Windows' own Remote Desktop or the commercial program TeamViewer. It can view our screens, see what we type and control the PC by running any program. They are very hard to detect, especially if the attacker does not make any changes to your system and just watches you. And anti-malware programs usually fail to identify them, because there are legit remote admin tools too. The goal is to hamper this RAT. The RAT will get all the permissions of the account that you sign into, and it requires an online connection. So here is the second step: we will make our full privilege admin account go offline when used. This will buy us time to find and eliminate the RAT.

    Now we create 5 scheduled tasks. The first one, for the full admin sign in, disconnects the network adapter. Ensure that you are signed in as the full admin.

    Note: the Scheduled Task action lines reference the network adapter name. In the majority of cases, the adapters are called Ethernet and Wi-Fi. But if you have multiple network adapters, the names will be different, and the adapter names in the commands need to be changed from 'Ethernet' and 'Wi-Fi' to what you have. The adapter names you currently have are shown at Control Panel > Network and Sharing Center > Change Adapter Settings.



    • Sign in to the account you want to make offline.
    • Go to Start > Windows Administrative Tools > Task Scheduler.
    • Right click on Task Scheduler Library, select Create Task
    • Name the task 'Full Admin logon no network', click Next
    • Checkmark Run with highest privileges
    • For Trigger tab, click New button, select Begin the Task 'At Logon', click Next
    • Settings: Specific User; Full Admin account
    • For Action, click New button
    • select 'Start a program', click Next
    • Paste in "netsh interface set interface name="Ethernet" admin=disabled" , click OK
    • Yes
    • click New button
    • select 'Start a program', click Next
    • Paste in "netsh interface set interface name="Wi-Fi" admin=disabled" , click OK
    • Yes
    • Click Finish
    • Click OK

    Next, we make a scheduled task for full admin switch out, which re-enables the network.

    • Right click on Task Scheduler Library,
    • Create New Task
    • Name the task: 'Full Admin SwitchOut'
    • Checkmark Run with highest privileges
    • Triggers tab
    • New button
    • Begin a task: On disconnect from user session
    • Settings: Specific user: full-admin
    • Select Connection from local computer
    • OK
    • Actions tab
    • New button
    • Paste in "Shutdown -L", click OK
    • Yes
    • New button
    • Paste in "netsh interface set interface name="Ethernet" admin=enabled" click OK
    • Yes
    • New button
    • Paste in "netsh interface set interface name="Wi-Fi" admin=enabled" click OK
    • Yes
    • Settings tab
    • If the task is already running: Queue a new instance
    • OK
    • OK

    Next, we make a scheduled task for switching to full admin (fast user switching).

    • Right click on Task Scheduler Library,
    • Create New Task
    • Name the task: 'Admin SwitchIn'
    • Checkmark Run with highest privileges
    • Triggers tab
    • New button
    • Begin a task: On connection to a user session
    • Settings: Specific user: full-admin
    • Select Connection from local computer
    • OK
    • Actions tab
    • New button
    • Paste in "netsh interface set interface name="Ethernet" admin=disabled" click OK
    • Yes
    • New button
    • Paste in "netsh interface set interface name="Wi-Fi" admin=disabled" click OK
    • Yes
    • Settings tab
    • If the task is already running: Queue a new instance
    • OK
    • OK

    Next, we create a task with 2 actions for your Limited Admin account sign in.

  • Right click on Task Scheduler Library,
  • Create New Task
  • Name the task: 'Limited Admin SignIn'
  • When running the task, use the following user account: System account
  • Checkmark Run with highest privileges
  • Triggers tab
  • New button
  • Begin a task: at logon
  • Settings: Specific user: Limited Admin
  • Select Connection from local computer
  • OK
  • Actions tab
  • New button
  • Paste in "netsh interface set interface name="Ethernet" admin=enabled" click OK
  • Yes
  • New button
  • Paste in "netsh interface set interface name="Wi-Fi" admin=enabled" click OK
  • Yes
  • Settings tab
  • If the task is already running: Queue a new instance
  • OK
  • OK

    And we create a task with 2 actions for Limited Admin switch to.

  • Right click on Task Scheduler Library,
  • Create New Task
  • Name the task: 'Limited Admin SwitchTo'
  • When running the task, use the following user account: System account
  • Checkmark Run with highest privileges
  • Triggers tab
  • New button
  • Begin a task: On connection to user session
  • Settings: Specific user: Limited Admin
  • Select Connection from local computer
  • OK
  • Actions tab
  • New button
  • Paste in "netsh interface set interface name="Ethernet" admin=enabled" click OK
  • Yes
  • New button
  • Paste in "netsh interface set interface name="Wi-Fi" admin=enabled" click OK
  • Yes
  • Settings tab
  • If the task is already running: Queue a new instance
  • OK
  • OK

    Repeat the above 2 tasks for any non-admin account.



    Lastly, we create a scheduled task for system startup, in case you restart the system while signed on as full admin. We want the system to always start up in a connected state.

    • Create New Task
    • Name the task 'Enable network on Startup'
    • When running the task, use the following user account: System account
    • Checkmark Run with highest privileges
    • Triggers tab
    • click New button
    • Begin the task 'At startup'
    • Action tab
    • New button
    • Paste in "netsh interface set interface name="Ethernet" admin=enabled" click OK
    • Yes
    • New button
    • Paste in "netsh interface set interface name="Wi-Fi" admin=enabled" click OK
    • Yes
    • OK

    The whole set of scheduled tasks is designed to disconnect the network adapter for the full admin when he signs in or when his account is switched to, and to reconnect the network adapter when he switches to another account or signs out. You can verify this when you sign on to the full admin account by looking at the Internet icon in the systray: it will show the red X when you log on to the account.
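    The same set of tasks can be registered from an elevated PowerShell prompt instead of clicking through Task Scheduler. The script below is an added example, not part of the guide's Configuration Pack or Dual Admin BAT. It assumes local account names 'FullAdmin' and 'InstallAdmin', a standard account 'User', and adapters named 'Ethernet' and 'Wi-Fi'; change the variables at the top to match your PC. It also creates the two "back online" tasks for every non-admin account in the list, which the steps above ask you to repeat by hand.

```powershell
# Added example: registers the scheduled tasks described in the steps above.
# Assumptions (edit to match your PC): account names and adapter names below.
# Run from an elevated PowerShell prompt while signed in as the full admin.
$FullAdmin      = "$env:COMPUTERNAME\FullAdmin"
$OnlineAccounts = @("$env:COMPUTERNAME\InstallAdmin", "$env:COMPUTERNAME\User")
$Adapters       = @('Ethernet', 'Wi-Fi')
$Netsh          = "$env:SystemRoot\System32\netsh.exe"
$Shutdown       = "$env:SystemRoot\System32\shutdown.exe"

# One 'Start a program' action per adapter, the same netsh command as in the steps.
function New-AdapterActions([ValidateSet('enabled', 'disabled')][string]$State) {
    foreach ($name in $Adapters) {
        New-ScheduledTaskAction -Execute $Netsh `
            -Argument "interface set interface name=`"$name`" admin=$State"
    }
}

# 'On connection to / disconnect from a user session' has no cmdlet switch, so the
# trigger is built from the Task Scheduler CIM class.
# StateChange 1 = console connect (connection from local computer), 2 = console disconnect.
function New-SessionTrigger([int]$StateChange, [string]$User) {
    $class = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
                          -ClassName 'MSFT_TaskSessionStateChangeTrigger'
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled     = $true
    $trigger.StateChange = $StateChange
    $trigger.UserId      = $User
    $trigger
}

# 'Run with highest privileges'; SYSTEM for the tasks the steps run as the System account.
$FullAdminPrincipal = New-ScheduledTaskPrincipal -UserId $FullAdmin -LogonType Interactive -RunLevel Highest
$SystemPrincipal    = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# 'If the task is already running: Queue a new instance'. The battery switches matter on a
# laptop: by default a task does not start on battery power, so Wi-Fi would stay disabled.
$Settings = New-ScheduledTaskSettingsSet -MultipleInstances Queue `
            -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

function Register-NetTask([string]$Name, $Trigger, $Action, $Principal) {
    Register-ScheduledTask -TaskName $Name -Trigger $Trigger -Action $Action `
        -Principal $Principal -Settings $Settings -Force | Out-Null
    Write-Host "registered: $Name"
}

# Full admin: offline at logon and at switch-in; log off and go back online at switch-out.
Register-NetTask 'Full Admin logon no network' (New-ScheduledTaskTrigger -AtLogOn -User $FullAdmin) `
    (New-AdapterActions 'disabled') $FullAdminPrincipal
Register-NetTask 'Admin SwitchIn' (New-SessionTrigger 1 $FullAdmin) `
    (New-AdapterActions 'disabled') $FullAdminPrincipal
Register-NetTask 'Full Admin SwitchOut' (New-SessionTrigger 2 $FullAdmin) `
    (@(New-ScheduledTaskAction -Execute $Shutdown -Argument '/l') + (New-AdapterActions 'enabled')) `
    $FullAdminPrincipal

# Install admin and every non-admin account: back online at logon and at switch-to.
foreach ($acct in $OnlineAccounts) {
    $short = $acct.Split('\')[-1]
    Register-NetTask "$short SignIn"   (New-ScheduledTaskTrigger -AtLogOn -User $acct) `
        (New-AdapterActions 'enabled') $SystemPrincipal
    Register-NetTask "$short SwitchTo" (New-SessionTrigger 1 $acct) `
        (New-AdapterActions 'enabled') $SystemPrincipal
}

# Startup always brings the network back, in case you rebooted while signed in as full admin.
Register-NetTask 'Enable network on Startup' (New-ScheduledTaskTrigger -AtStartup) `
    (New-AdapterActions 'enabled') $SystemPrincipal

# Check what was registered.
Get-ScheduledTask | Where-Object TaskName -match 'SignIn|SwitchTo|SwitchIn|SwitchOut|no network|on Startup' |
    Select-Object TaskName, State
```

    The session-state triggers use console connect/disconnect, which is what the "Connection from local computer" choice in the GUI maps to; a remote desktop connection would need the RemoteConnect and RemoteDisconnect values (3 and 4) instead.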

    To test the Install Admin account's ability to properly run install programs, the following programs were tested:

    • Avast antivirus free
    • AVG antivirus free
    • Avira antivirus free
    • BitDefender antivirus free
    • Voodoo Shield free
    • Zone Alarm free
    • Libre Office
    • VLC media player

    It is known that security programs require additional rights to set themselves up, which is why security programs were tested among other programs. Avira, BitDefender and Voodoo Shield failed to install, and WSUS Offline fails to run. They require the use of the full privilege admin account. Ordinary installation programs like VLC typically don't require as many rights. The aim is to reduce usage of the full admin account and lessen the risk. For normal programs, use the install admin account first; if it fails, use the full admin account. To enable your full admin account's internet access, right click on the internet icon in the systray, select 'Open Network and Sharing Center', and click on 'Change adapter settings'. Then right click on the adapter and choose Enable.



    New to ver 4 of Dual Admin, it is now possible to run the following networking commands in the Install Admin account:

    • netstat
    • nslookup
    • ipconfig
    • ping
    • tracert
    • pathping

    This in essence makes the Install Admin also the Network Admin. The commands allow one to do some network diagnosis and have only one security feature: netstat's '-b' command option. The '-b' option allows one to see which program is making each network connection. To an attacker who is already on your PC, this offers little value, as they can already see what networking programs you have in the Program Files folder. This netstat option also allows you to see if there are any foreign programs connecting out, and maybe you might be able to catch the attacker's tool in action. Note that the firewall rules for these commands have not been created yet, and the commands will still fail initially in the Network Admin account. You have to create the allow rules for these programs to make outbound connections. AND you also have to allow the ICMPv4 protocol outbound in order for ping, tracert, and pathping to work.
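    The outbound rules the paragraph above leaves for you to create can be added with the NetSecurity cmdlets. This is an added example, not part of the Dual Admin BAT; the rule names are my own, the programs are the built-in tools under System32, and it assumes the default-deny outbound setup the paragraph describes (otherwise the commands would not be failing).

```powershell
# Added example: outbound Windows Firewall allow rules for the network diagnosis
# commands. Run from an elevated prompt. Rule names (the $Prefix) are my own.
$Sys32  = Join-Path $env:SystemRoot 'System32'
$Prefix = 'Hardening NetAdmin'

# nslookup only talks DNS; scope it to port 53 instead of allowing any port.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "$Prefix nslookup DNS $proto out" `
        -Direction Outbound -Action Allow -Profile Any `
        -Program (Join-Path $Sys32 'nslookup.exe') -Protocol $proto -RemotePort 53 | Out-Null
}

# ping, tracert and pathping send ICMPv4 echo requests from their own exe,
# so they get a per-program rule restricted to ICMPv4...
foreach ($exe in 'ping.exe', 'tracert.exe', 'pathping.exe') {
    New-NetFirewallRule -DisplayName "$Prefix $exe out" `
        -Direction Outbound -Action Allow -Profile Any `
        -Program (Join-Path $Sys32 $exe) -Protocol ICMPv4 | Out-Null
}
# ...and, as the text says, the protocol itself must be allowed outbound (type 8 = echo request).
New-NetFirewallRule -DisplayName "$Prefix ICMPv4 echo out" `
    -Direction Outbound -Action Allow -Profile Any -Protocol ICMPv4 -IcmpType 8 | Out-Null

# netstat and ipconfig only read local state and need no firewall rule.

# Check: every rule present and enabled. The same filter with Remove-NetFirewallRule
# takes them all out again.
Get-NetFirewallRule -DisplayName "$Prefix*" |
    Select-Object DisplayName, Enabled, Direction, Action
```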



    Further Protecting your Data

    The Documents folder has 3 ACL rules allowing access for System, YOU, and the Administrators group. If you right click on the Documents folder and choose Properties > Security tab, you will see this.

    The System account is present in almost all files and folders, but as far as can be determined it doesn't need to be. Attackers can also use escalation of privilege attacks to get to use the System account, because it is as powerful as an admin. You can choose Edit and Remove to take the right away.

    However, the Configuration Pack BAT files need System to work, that is, if you unzipped the Configuration Pack into Documents. To work around this, you can create a Security folder under your Users\<YourAccount>\ folder and extract the files there. Just remember to move the contents back to the Documents folder when you're done.

    The Administrators group is present so that any admin can access your files in an emergency. This can be removed to ensure that the Install Admin can't get at your files. Because the Install Admin has internet access, a RAT (Remote Access Trojan) can use that account to get your files if access is granted for the Administrators group. Removing the ACL entry will ensure that your data stays private. The downside of this is that when you need to remove this account using Start > Settings > Accounts > Family and Other People, the Documents folder cannot be deleted and will be orphaned. If the account will never be removed, or if you can remember to re-instate the Administrators group, then this rule can be deleted.
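    The Explorer steps above (Properties > Security > Edit > Remove, and putting the entry back later) as a script, added here as an example that is not part of the Configuration Pack. It assumes the Documents folder of the account you are signed in to, so run it in that account; no elevation is needed because the account owns the folder. The identity names ('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') are the standard Windows names.

```powershell
# Added example: inspect, remove and restore ACL entries on your Documents folder.
$Icacls = Join-Path $env:SystemRoot 'System32\icacls.exe'

function Show-FolderAces([string]$Path = (Join-Path $env:USERPROFILE 'Documents')) {
    (Get-Acl -Path $Path).Access |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference } },
                      FileSystemRights, IsInherited, AccessControlType
}

# Remove every entry for one identity, e.g. 'NT AUTHORITY\SYSTEM' or 'BUILTIN\Administrators'.
function Remove-FolderAce {
    param([Parameter(Mandatory)][string]$Identity,
          [string]$Path = (Join-Path $env:USERPROFILE 'Documents'))
    # An inherited entry cannot be removed directly (Explorer greys out Remove for it).
    # /inheritance:d turns the inherited entries into explicit copies first.
    & $Icacls $Path /inheritance:d | Out-Null
    & $Icacls $Path /remove $Identity /t /c | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    Show-FolderAces -Path $Path
}

# Put the Administrators group back before deleting the account, so the folder is not
# orphaned (the downside described above).
function Restore-AdministratorsAce([string]$Path = (Join-Path $env:USERPROFILE 'Documents')) {
    & $Icacls $Path /grant 'BUILTIN\Administrators:(OI)(CI)F' /t /c | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    Show-FolderAces -Path $Path
}

# Usage:
#   Show-FolderAces                                     # what is there now
#   Remove-FolderAce -Identity 'BUILTIN\Administrators' # keep the Install Admin out
#   Restore-AdministratorsAce                           # before removing the account
```

    Keep in mind the note above: if the Configuration Pack was unzipped into Documents, remove the System entry only after moving those files to a separate folder.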




    Block Low Integrity Programs from Accessing Your Documents

    There is also an option where low integrity programs can be made unable to even read medium integrity locations. That's what the commands below do. When you execute the commands, your Desktop, Documents, Pictures, Videos and Music folders will be unreadable to any program marked as low integrity. The last command below makes the Downloads folder a low integrity folder. This is necessary because you need a place to save your downloads (Low can't write to Medium). You will also want to create an Upload directory, and copy the file which you want to upload there. Because this Upload folder has not been processed by chml, the low integrity browser can read it.

    Since you also have a Standard User account, run the commands below substituting your Standard User account name too. Note: this measure only protects you against attacks on your low integrity programs like Internet Explorer (and Firefox or Opera, if you followed the above instructions). But since browsers are primary vectors of attack, this security measure is important. You can also experiment and set other internet facing programs to low integrity, like your chat program.

    Visit http://www.minasi.com/apps// to download chml.exe

    Then right click on Command Prompt and choose 'Run as administrator'.

    Then execute the following commands for each user.

     

    cd "\users\<yourAccName>\downloads\chml"  ( or wherever you saved chml )
    chml "c:\users\<yourAccName>\desktop" -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\documents" -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\pictures" -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\videos" -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\music" -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\downloads" -i:l

     



    Turn on File History

    File History saves your documents, pictures, music, contacts and IE favorites to a removable drive (or USB key). It does so every hour by default and keeps versions of the files as they change. This is a very convenient method of performing backups and should be used. Just remember to unplug the USB key when you shut down the computer and carry it with you, or else an attacker will gain access to all your files.

    Go to Settings > Update & Security > Backup and click on "Add a drive".

     

     

    Browsers and Security


    Browsers are a major attack entry point: you connect out to the internet with them, and attackers know to use that same path to gain entry to your machine. Firewalls are useless against these kinds of attacks. Attackers modify common web sites to download malware. Even big sites like Yahoo.com have been modified in the past. And they can mount an attack on you if you usually have the same web apps open, like Gmail or others: they spoof the origin IP address and send over exploits for your browser. There are only a few major browsers, so they can try one attack after another. Also, JavaScript is the same across all browsers; it is a standard.

    JavaScript is a big problem. Many web sites use it, and they break if you turn JavaScript off. Think of it as a programming language used especially by attackers. I turn off JavaScript and try to avoid sites that require it as a general policy. The Chrome and Opera browsers (both based on Chromium) allow you to turn off JavaScript globally and make exceptions to allow individual sites. This is the best solution so far. You can set that exception from allow to block once the web page has loaded. In Chrome, you go to [Menu] Settings and type 'javascript' into the search box, then 'Site settings' to turn off JavaScript and allow or disallow specific sites.

    There is a flaw in the thinking that a site can be marked as trustworthy forever. Because 1) even popular and trusted sites can be attacked, or modified or spoofed. 2) Some sites subscribe to ad banners which they have no control over, and sometimes the banners are made maliciously.

    Another free plug-in is MalwareBytes. It blocks malware from downloading. But as with all signature based solutions, it is not an absolute guarantee. A miss simply means the malware is not detectable at that time; the malware may simply be too new.

    Another free extension is uBlock Origin. It aims to block ads and malware sites. The malware sites are identified by malware researchers as they appear. Malware distribution sites appear and disappear within a couple of hours, but this mitigation is still a good thing to have. Blocking ads has the side benefit of faster page loads.

    There are other browser based attacks, and some try to fool you into clicking inside their dialog box or a button created by the attacker. Once you click it, it's game over: the exploit runs because you authorized it. It doesn't matter if the button is labeled 'Close', 'Ok' or anything else; its goal is to get you to click it. When you receive a suspicious pop up, the correct way to close it is NOT to click its Close button or interact with it in any way. You either close the tab, or you exit the browser completely. If the browser's close button on the title bar is removed, you start Task Manager and End Task the browser program.

    You must keep your browsers updated. Chrome, for instance, updates every week or two. The longer you delay updating it, the longer a vulnerability is usable by an attacker. On most browsers, you navigate to [menu] Help > About and it will fetch the latest version. You don't even need to sign into an admin account.

    Not only do browsers need to be constantly updated, so do the extensions, plug-ins and add-ons, because they have security vulnerabilities too. Firefox allows you to set that extensions are automatically updated. In other browsers, you have to remove the extension and re-install it. Generally, I disable all extensions, plug-ins and add-ons; it saves me the headache of remembering to update them. Most of them are unnecessary.

    Flash is a plug-in, but it doesn't show up in Chrome's extensions nor in Firefox's extension area; it is built into the browser. It can be disabled in Firefox (see below), and it is not a necessary component any more. HTML5 can do video now and most sites use HTML5. It is better to disable it, especially since Flash has had vulnerability after vulnerability over the years.

    The best thing to do is to keep 2 browsers, at least Firefox and Chrome. If the hardened Firefox refuses to load a site properly, you can switch to Chrome, where only what Google considers "non-core" things are configurable.

    Edge is the default web browser of Windows 10, and is pinned to the task bar. Edge has some new security features, like removing support for ActiveX, VBScript, Browser Helper Objects (BHO) and VML. It is also a Windows app and lives within a sandbox, which contains attacks. It also has SmartScreen Filter, like IE. It supports the W3C standard 'Content Security Policy', and also has HTTP Strict Transport Security. It is also a 64 bit browser, and uses ASLR (address space layout randomization) fully. There is also a newer feature called 'Control Flow Guard', which controls code jumps in memory (in most attacks, the attacker injects code somewhere in memory and tries to make the browser's code execution jump to his own code). In accordance with good security practice, MS has also offered a handsome bounty to security bug reporters.

    Because Edge is included with Windows, and many people don't know better, it is widely used. And thus, it is widely attacked. It has sound security technology, but attackers also put a lot of effort into breaking that security. You want to choose your own battles. I avoid using it. Secondly, Edge cannot be sandboxed by Sandboxie or Comodo Internet Security, and that puts a big dent into your security.

    Open Edge, click on Settings (the "..." button), then click on Settings, then 'Advanced'.

    • Turn off 'Use Adobe Flash'.

    • Privacy and Security > Security > Turn on Windows Defender SmartScreen

    Internet Explorer was the most popular browser because it is installed by default. Edge may soon surpass it in popularity because it is pinned to the task bar. Internet Explorer has an important defense mechanism called Protected Mode. It is another name for Integrity Levels. Basically, the entire system is marked as Medium integrity, while frequently attacked programs like Internet Explorer are marked as Low integrity. Low integrity cannot modify Medium. So even if someone compromises IE and gains access to your PC, they cannot modify your system. You can set the integrity level of a program yourself, so you can make Firefox or other browsers use Protected Mode as well. IE should only be used to access legacy web sites that are not maintained, if you have no other choice; most sites support other browsers now. Popular alternatives to IE are Firefox, Opera and Chrome. There have been security holes discovered in them just like in IE, but they are reputed to be more secure, primarily because they don't use ActiveX. There are ActiveX code libraries strewn about in Windows, and many are not safe for web use. Attackers often make IE call these ActiveX code modules as a means of attack.

    Set IE to use Protected Mode Always

    Control Panel/Internet Options/Security Tab

    Checkmark Protected Mode for all zones

    Login to EACH user account and repeat.

    Set IE to use ActiveX Filtering

    Open Internet Explorer, Gear icon / Safety / checkmark ActiveX Filtering

    Login to EACH user account and repeat.

    IE has this stupid distinction about the source of a web page. By default, if a web server is within your network (like a company web server), then Protected Mode is disabled. Well, if attackers want to attack your network, they would simply attack your web server first, and let their tools spread when internal visitors use the infected company web server.

    Set IE11 to use Enhanced Protected Mode

    Windows 8 introduced Enhanced Protected Mode, which protects your private files and folders like the Documents folder. However, to remain compatible with plugins like 3rd party toolbars etc., Enhanced Protected Mode has to be manually enabled. Go to Control Panel > Internet Options > Advanced; scroll the Settings list to the Security section.

    checkmark "Enable 64 bit Processes for Enhanced Protected Mode".

    checkmark 'Enable Enhanced Protected Mode'

    Note that by doing this, some plugins may not work.

    Note: the above settings are per user settings, so you have to enable them individually for EACH account. I will remind you of this at the end of this document.

    Mozilla Firefox is open source software. Proponents of open source say that because the code is open for all to inspect, it makes for a safer product (as opposed to IE, which only a limited number of MS programmers work on). But the downside to that argument is that the source code is also available to hackers to find vulnerabilities. Mozilla has in the past called on white hat hackers to help test attack Firefox, but whether or not this is an ongoing engagement is unclear.

    Firefox can be made more secure if you install certain plug-ins. The most popular one is NoScript, which blocks JavaScript from executing until you mark a site as trustworthy, or opt to temporarily allow scripting. If you choose to block Javascript permanently, you can do that in about:config. (see below) There are lots of plug-ins and browser extensions that are named close to the real/original ones. Some have been discovered to host malware, so your protection is out the door once you install them. When in doubt, don't install.

    Firefox configurations for version 71.0:

    Copy and paste the following into a file named user.js and copy it to the C:\Users\<yourAccountName>\AppData\Roaming\Mozilla\Firefox\Profiles\91yzyij5.default-release\ folder.


    user_pref("browser.sessionstore.resume_from_crash", false);
    user_pref("accessibility.force_disabled", 1);
    user_pref("accessibility.typeaheadfind.flashBar", 0);
    user_pref("app.shield.optoutstudies.enabled", false);
    user_pref("beacon.enabled", false);
    user_pref("browser.cache.cache_isolation", true);
    user_pref("browser.contentblocking.category", "strict");
    user_pref("browser.download.useDownloadDir", false);
    user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
    user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
    user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
    user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
    user_pref("browser.newtabpage.activity-stream.telemetry", false);
    user_pref("browser.newtabpage.activity-stream.telemetry.structuredIngestion", false);
    user_pref("browser.ping-centre.telemetry", false);
    user_pref("browser.search.geoip.url", "");
    user_pref("browser.search.log", true);
    user_pref("browser.search.suggest.enabled", false);
    user_pref("datareporting.healthreport.uploadEnabled", false);
    user_pref("dom.disable_window_move_resize", true);
    user_pref("dom.disable_window_open_feature.close", true);
    user_pref("dom.disable_window_open_feature.titlebar", true);
    user_pref("dom.events.dataTransfer.protected.enabled", true);
    user_pref("dom.ipc.plugins.sandbox-level.default", 3);
    user_pref("dom.largeAllocationHeader.enabled", false);
    user_pref("dom.payments.defaults.saveAddress", false);
    user_pref("dom.popup_maximum", 1);
    user_pref("dom.security.featurePolicy.enabled", true);
    user_pref("dom.security.featurePolicy.header.enabled", true);
    user_pref("dom.security.featurePolicy.webidl.enabled", true);
    user_pref("dom.vr.enabled", false);
    user_pref("dom.webdriver.enabled", false);
    user_pref("geo.enabled", false);
    user_pref("javascript.options.discardSystemSource", true);
    user_pref("javascript.options.dynamicImport", false);
    user_pref("javascript.options.experimental.fields", false);
    user_pref("javascript.options.ion", false);
    user_pref("javascript.options.mem.log", true);
    user_pref("javascript.options.mem.max", 128);
    user_pref("javascript.options.mem.notify", true);
    user_pref("javascript.options.parallel_parsing", false);
    user_pref("javascript.options.strict", true);
    user_pref("javascript.options.throw_on_asmjs_validation_failure", true);
    user_pref("javascript.options.throw_on_debuggee_would_run", true);
    user_pref("jsloader.shareGlobal", false);
    user_pref("layers.mlgpu.sanity-test-failed", false);
    user_pref("media.autoplay.default", 5);
    user_pref("media.cubeb.sandbox", true);
    user_pref("media.peerconnection.enabled", false);
    user_pref("media.peerconnection.ice.obfuscate_host_addresses", true);
    user_pref("media.peerconnection.ice.tcp", false);
    user_pref("media.peerconnection.turn.disable", true);
    user_pref("media.wmf.deblacklisting-for-telemetry-in-gpu-process", false);
    user_pref("network.captive-portal-service.enabled", false);
    user_pref("network.cookie.thirdparty.sessionOnly", true);
    user_pref("network.disable.ipc.security", false);
    user_pref("network.dns.disablePrefetch", true);
    user_pref("network.http.speculative-parallel-limit", 0);
    user_pref("network.IDN.use_whitelist", true);
    user_pref("network.predictor.cleaned-up", true);
    user_pref("network.prefetch-next", false);
    user_pref("network.proxy.type", 0);
    user_pref("network.security.esni.enabled", true);
    user_pref("network.trr.mode", 2);
    user_pref("permissions.default.camera", 2);
    user_pref("permissions.default.desktop-notification", 2);
    user_pref("permissions.default.geo", 2);
    user_pref("permissions.default.microphone", 2);
    user_pref("plugin.state.flash", 0);
    user_pref("plugins.show_infobar", true);
    user_pref("pref.downloads.disable_button.edit_actions", false);
    user_pref("privacy.resistFingerprinting", true);
    user_pref("privacy.trackingprotection.enabled", true);
    user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
    user_pref("privacy.trackingprotection.socialtracking.enabled", true);
    user_pref("security.ask_for_password", 1);
    user_pref("security.dialog_enable_delay", 50);
    user_pref("security.disable_button.openCertManager", false);
    user_pref("security.identitypopup.recordEventTelemetry", false);
    user_pref("security.insecure_field_warning.ignore_local_ip_address", false);
    user_pref("security.mixed_content.block_object_subrequest", true);
    user_pref("security.OCSP.require", true);
    user_pref("security.pki.mitm_detected", true);
    user_pref("security.remote_settings.intermediates.checked", 1);
    user_pref("security.sandbox.logging.enabled", true);
    user_pref("security.sandbox.rdd.win32k-disable", false);
    user_pref("security.ssl.enable_false_start", false);
    user_pref("security.ssl.errorReporting.enabled", true);
    user_pref("security.ssl.require_safe_negotiation", true);
    user_pref("security.ssl3.rsa_des_ede3_sha", false);
    user_pref("security.strict_security_checks.enabled", true);
    user_pref("security.tls.enable_0rtt_data", false);
    user_pref("security.tls.hello_downgrade_check", true);
    user_pref("security.tls.version.min", 3);
    user_pref("signon.rememberSignons", false);
    user_pref("toolkit.asyncshutdown.log", true);
    user_pref("toolkit.osfile.log", true);
    user_pref("toolkit.telemetry.archive.enabled", false);
    user_pref("toolkit.telemetry.bhrPing.enabled", false);
    user_pref("toolkit.telemetry.firstShutdownPing.enabled", false);
    user_pref("toolkit.telemetry.hybridContent.enabled", false);
    user_pref("toolkit.telemetry.newProfilePing.enabled", false);
    user_pref("toolkit.telemetry.shutdownPingSender.enabled", false);
    user_pref("toolkit.telemetry.unified", false);
    user_pref("toolkit.telemetry.updatePing.enabled", false);

    You can type "about:config" into the address bar and set the following options if you want.

    Firefox Extreme Hardened settings
    • javascript.enabled: false
    • dom.script_loader.bytecode_cache.enabled: false
    • dom.events.async.clipboard: false
    • dom.event.clipboardevents.enabled: false
    • dom.storage.enabled: false


    If you have the Configuration Pack, you can copy the USER.JS.71.0.X file to C:\Users\<yourAccountName>\AppData\Roaming\Mozilla\Firefox\Profiles\91yzyij5.default-release\. Rename any existing user.js file, then rename USER.JS.71.0.X to user.js. The file contains all the above settings, and it will append to or override the default settings.

    A lot of sites like Gmail and financial sites require javascript.enabled = true and dom.storage.enabled = true. The user.js file does not set these 2 options. But if you are under attack, set both to false.
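    The profile folder name (91yzyij5.default-release above) is random per installation, so a helper that locates it is handy. The script below is an added example, my own and not part of the Configuration Pack: it finds the profile through profiles.ini, installs a user.js while keeping a backup of any existing one, and can set or replace a single pref, which is the quickest way to flip javascript.enabled and dom.storage.enabled to false when you are under attack. It assumes Firefox is closed while user.js is changed (Firefox reads user.js only at startup).

```powershell
# Added example: locate the Firefox profile, install user.js, set single prefs.
function Get-FirefoxProfilePath {
    $ini = Join-Path $env:APPDATA 'Mozilla\Firefox\profiles.ini'
    if (-not (Test-Path $ini)) { throw "profiles.ini not found at $ini" }
    $profiles = @(); $cur = $null
    foreach ($line in Get-Content $ini) {
        if ($line -match '^\[Profile\d+\]') { $cur = @{}; $profiles += $cur }
        elseif ($line -match '^\[') { $cur = $null }
        elseif ($null -ne $cur -and $line -match '^(\w+)=(.*)$') { $cur[$Matches[1]] = $Matches[2] }
    }
    # Firefox 67+ names the normal profile 'default-release'; fall back to Default=1.
    $p = $profiles | Where-Object { $_.Name -eq 'default-release' } | Select-Object -First 1
    if (-not $p) { $p = $profiles | Where-Object { $_.Default -eq '1' } | Select-Object -First 1 }
    if (-not $p) { throw 'no Firefox profile found in profiles.ini' }
    if ($p.IsRelative -eq '1') { return Join-Path (Split-Path $ini) ($p.Path -replace '/', '\') }
    return $p.Path
}

# Install a user.js (default: the one in the current folder), keeping the old one.
function Install-FirefoxUserJs([string]$Source = '.\user.js') {
    if (Get-Process -Name firefox -ErrorAction SilentlyContinue) { throw 'close Firefox first' }
    $dest = Join-Path (Get-FirefoxProfilePath) 'user.js'
    if (Test-Path $dest) {
        Rename-Item -Path $dest -NewName ('user.js.{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
    }
    Copy-Item -Path $Source -Destination $dest
    # Sanity check: anything that is not a user_pref() call, a // comment or a blank
    # line is a paste error that can make Firefox ignore the file.
    $bad = Get-Content $dest | Where-Object { $_.Trim() -and $_ -notmatch '^\s*(//|user_pref\()' }
    if ($bad) { Write-Warning ("unexpected lines in user.js:`n" + ($bad -join "`n")) }
    return $dest
}

# Set or replace one pref, e.g.  Set-FirefoxUserPref 'javascript.enabled' $false
function Set-FirefoxUserPref([string]$Name, $Value) {
    if (Get-Process -Name firefox -ErrorAction SilentlyContinue) { throw 'close Firefox first' }
    $path = Join-Path (Get-FirefoxProfilePath) 'user.js'
    $literal = switch ($Value.GetType().Name) {
        'Boolean' { $Value.ToString().ToLower() }   # true / false
        'String'  { '"' + $Value + '"' }            # quoted
        default   { "$Value" }                      # integers as-is
    }
    $pattern = '^\s*user_pref\("' + [regex]::Escape($Name) + '"'
    $kept = @()
    if (Test-Path $path) { $kept = @(Get-Content $path | Where-Object { $_ -notmatch $pattern }) }
    Set-Content -Path $path -Value ($kept + "user_pref(`"$Name`", $literal);")
}

# Usage, in the account whose Firefox you are hardening:
#   Install-FirefoxUserJs -Source '.\USER.JS.71.0.X'
#   Set-FirefoxUserPref 'javascript.enabled' $false
#   Set-FirefoxUserPref 'dom.storage.enabled' $false
```

    Because user.js is re-applied at every Firefox start, a pref set this way wins over anything changed in about:config, so to re-enable JavaScript for Gmail later you must remove or change the line in user.js rather than flip it in about:config.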





    In general, the fewer unnecessary connections you make the better. Automatic connections that always happen can be used against you. An attacker can spoof that auto connect address and launch an attack if Firefox is vulnerable in its receptors. The author has experienced denial of service attacks where a crafted packet was sent to some telemetry component and it always closed Firefox. The telemetry features are turned off for you above. You should set the following settings manually:

    • Options > Home > Home page: blank
    • Options > Home > New Tab page: blank
    • Add-ons > Plug-ins > Gear > Update addons automatically: UnCheck
    • Options > Sync : do not turn on


    Low Integrity Firefox

    As mentioned above, you can enhance Firefox's security by setting it to low integrity. Open an elevated command prompt and copy and paste in the following commands, one line at a time, substituting your account name for <yourAccountName>:

    icacls "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" /setintegritylevel low

    icacls "C:\Users\<yourAccountName>\AppData\Local\Temp" /setintegritylevel(oi)(ci) low /t
    icacls "C:\Users\<yourAccountName>\AppData\Local\Mozilla" /setintegritylevel(oi)(ci) low /t
    icacls "C:\Users\<yourAccountName>\AppData\Roaming\Mozilla" /setintegritylevel(oi)(ci) low /t
    icacls "C:\Users\<yourAccountName>\Downloads" /setintegritylevel(oi)(ci) low /t


    Note that in order for Firefox to run as low integrity, the \AppData\Local\Temp folder, which was previously medium integrity, also had to be set to low integrity. This folder may contain sensitive temporary data from other applications. An intruder gaining access through Firefox may be locked into low integrity and unable to change system settings, but he can still glean data from this folder, which may be undesirable.

    Note: every time you update Firefox, you have to re-run the command that makes the exe a low integrity program (the "... /setintegritylevel low" line above).

    Opera is another alternative browser.

    Opera, starting with version 56.0.3051.104 together with Windows 10 v1809b supports Windows Defender Exploit Protections.

    Low integrity Opera

    If you run Opera using the desktop icon for launcher.exe, Opera is launched as integritylevel: Untrusted, so there is no need to set the integrity level with icacls.

    Chrome is Google's browser; it is also open source, mostly. Its architecture allocates high-risk components, such as the HTML parser, the JavaScript virtual machine, and the Document Object Model (DOM), to its sandboxed rendering engine. It prevents modifications to your Windows system. This sandbox is designed to protect you from unpatched security holes. It also uses IE's Protected Mode in Vista, Windows 7, 8 and 10. Recently, Chrome has also added a sandbox around Adobe Flash, to prevent security bugs in Flash from compromising a system. Google also pays white hat hackers to attack and test its product, and numerous security flaws have been discovered this way. Google is doing this right. Chrome is also capable of automatically updating itself. As with other browsers, go to menu > help > about to perform a check and update.

    Chrome has a bunch of hidden settings which should be turned on. Google for "Chrome flags which you need to check out - CK's technology news"

    And also, Google has a special deal with Adobe and gets Flash updates automatically. These two things save a lot of time.

    However, Chrome cannot show you who signed a web site's certificate. You cannot verify that the encryption is directly from the web site. Thus you can be the victim of a man-in-the-middle attack and not detect it. Firefox, on the other hand, will show you the details of the certificate if you click on the padlock icon.

    Chrome has 2 versions, one for ordinary users and one for enterprise. The ordinary one installs itself into \users\...\appdata, thus allowing users to install the product without the IT dept's blessing, that is, if software restriction policy has not been turned on. The enterprise edition installs into \Program Files (x86), like normal 32 bit programs usually do. You should use the enterprise edition.

    Chrome settings for version 78.0.3904.108:

    • Menu > Settings:
      • People
        • Sync and google services
          • Sync and personalize Chrome: Do not turn on
      • Autofill
        • Offer to save passwords: off. Passwords saved in browsers are easily readable by attackers.
        • Auto Sign-in: off
        • Payment methods
          • Save and fill payment methods: off. Saved info includes your credit card number and expiration date, and are easily readable by attackers.
        • Addresses and more
          • Save and fill addresses: off. Saved info includes your cell phone number, and is easily readable by attackers.
      • Advanced
        • Privacy and Security
          • Sync and Google services
            • Autocomplete searches and URLs: off
            • Show suggestions for similar pages when a page can't be found: off
            • Safe Browsing: on
          • Allow Chrome sign in: disable
          • Preload pages .. : disable
          • Site settings
            • Cookies : Block third party cookies: enable
            • Location : block
            • Camera : block
            • Microphone : block
            • Notifications: block
            • Javascript : block
            • Flash : block (default)
            • Pop ups and redirects : block (default)
            • Background sync : Do not allow ...
            • Automatic downloads : Do not allow ...
            • Unsandboxed plugin access : Do not allow ...
            • Handlers : Do not allow
            • Midi Devices: Do not allow ...
            • USB devices : Do not allow
            • PDF: download instead of ...
            • Clipboard : Do not allow ...
            • Payment handlers : Do not allow ...
        • Downloads: Ask where to save each file ... : Enabled
        • System
          • Continue running background apps when Google Chrome is closed: Disable
          • Use hardware acceleration: off
    • chrome://flags ( type this in address bar )
      • All experimental built-in modules: Disabled
      • Allow credit card import from dynamic forms after entry: Disabled
      • Allow Signed HTTP Exchange certificates without extension: Disabled
      • Allows synchronous XHR requests in page dismissal: Disabled
      • Anonymize local IPs exposed by WebRTC: Enabled
      • Autofill Off No Server Data: Enabled
      • Autofill Uses Server Validation: Enabled
      • Block scripts loaded via document.write: Disabled (I think this disables NoScript extension)
      • Block scripts loaded via document.write: Enabled
      • Cast Media Route Provider: Disabled
      • Connect to Cast devices on all IP addresses: Disabled
      • Cookies without SameSite must be secure: Enabled
      • Cooperative Scheduling: Disabled (not moving back to Windows95)
      • Credit card autofill ablation experiment: Enabled
      • Cross Origin Embedder Policy: Enabled
      • Data reduction proxy with network service: Disabled
      • Data Saver Server Previews: Disabled
      • Debugging for packed apps: Enabled
      • Desktop PWAs installable from the omnibox: Disabled
      • Desktop PWAs local updating: Disabled (binaries installed (maybe not by you) do not need updates)
      • Device Discovery Notifications: Disabled
      • Disable saving local copy of uploaded card when credit card upload succeeds: Enabled
      • Disable site isolation: Default
      • Disable the 'instant extended' limit on search suggestions: Disabled
      • Enable Ambient Authentication in Guest session: Disabled
      • Enable Ambient Authentication in Incognito mode: Disabled (auto-login when in incognito, with whose credentials?)
      • Enable App Management page: Enabled (you want to see what apps there are)
      • Enable click to call feature on desktop when a phone number is selected: Enabled
      • Enable click to call feature signals to be handled on desktop: Disabled
      • Enable Cloud Printer Handler: Disabled
      • Enable device registration for Sharing features: Disabled (you sign in to sync, this is good access control)
      • Enable Display Locking: Disabled
      • Enable GPU AppContainer Lockdown: Enabled
      • Enable History Favicons Google Server Query: Disabled
      • Enable improved cookie controls UI: Enabled
      • Enable network logging to file: Enabled
      • Enable new download backend: Disabled (this 'offline content provider' now knows what you are downloading)
      • Enable new USB backend: Disabled
      • Enable offering upload of Autofilled credit cards: Disabled
      • Enable Portals: Disabled
      • Enable removing SameSite=None cookies: Enabled
      • Enable shared clipboard feature signals to be handled: Disabled
      • Enable Signed Exchange prefetch cache for navigations: Disabled
      • Enable the account data storage for passwords: Disabled (don't store more passwords online for hackers to hack)
      • Enable USS for bookmarks sync: Disabled
      • Enable USS for passwords sync: Disabled (experimental, not good for important items like passwords)
      • Enable USS for sync encryption keys: Disabled (experimental is bad for syncing important things like encryption keys)
      • Enterprise cloud reporting in browser: Disabled
      • EV certificate details in Page Info: Enabled
      • Experimental enabled SharedArrayBuffer support in JavaScript: Disabled
      • Experimental QUIC protocol: Disabled
      • Experimental system keyboard lock: Disabled
      • Experimental Web Payments API features: Disabled
      • Extension Content Verification: Enforce Strict
      • Extensions Toolbar menu: Enabled (more controls are better)
      • Filesystem API in Incognito: Disabled
      • Focus Mode: Disabled (address bar is gone in Focus Mode, you can't see where a page came from)
      • Future V8 VM features: Disabled
      • Generic Sensor Extra Classes: Disabled
      • Google Payments card saving checkbox: Disabled
      • Happiness Tracking Surveys: Disabled (no more surveys)
      • Happiness Tracking Surveys Demo: Disabled
      • Identity consistency between browser and cookie jar: Disabled
      • Intent picker: Enabled (you want to know when you are installing a native-code app)
      • Isolate additional origins: Enabled
      • Latest stable JavaScript features: Enabled
      • Load Media Router Component Extension: Disabled (nothing should touch my router)
      • Make cardholder name editable in dialog during credit card upload: Disabled
      • Make expiration date editable in dialog during credit card upload: Disabled
      • Mark non-secure origins as non-secure: Enabled
      • MimeHandlerView in cross-process frame: Enabled (you want to know what is handling what MIME type)
      • Mirroring Service: Disabled
      • Native File System API: Disabled
      • Navigation suggestions for lookalike URLs: Enabled
      • Omnibox Experimental Keyword Mode: Disabled
      • Omnibox Google Drive Document suggestions: Disabled (don't want Google going through my Google Drive)
      • Omnibox Group Suggestions By Search vs URL: Disabled
      • Omnibox Local Entity Suggestions: Disabled
      • Omnibox on-focus suggestions: Disabled (don't want advertisement suggestions)
      • Omnibox on device head suggestions: Disabled
      • Omnibox Pedal suggestions: Disabled
      • Omnibox rich entity suggestions: Disabled
      • Omnibox Suggestion Transparency Options: Disabled
      • Omnibox Zero Suggestions on New Tab Page: Disabled
      • OpenXR support: Disabled
      • Password Leak Detection: Enabled
      • Policy Atomic Groups Enabled: Disabled
      • Prefetch request properties are updated to be privacy-preserving: Enabled
      • Previews Allowed: Disabled
      • Query in Omnibox: Enabled
      • Quieter notification permission prompts: Disabled
      • Reduce default 'referer' header granularity: Enabled
      • Runs network service in-process: Disabled
      • SameSite by default cookies: Enabled
      • Save PDF Forms: Enabled
      • Send tab to self: Disabled (this is unnecessary if you already sync bookmarks; one more thing to hack)
      • Service worker long running message dispatch: Disabled
      • Show autofill predictions: Enabled
      • Show Safety Tip UI when visiting low-reputation websites: Enabled
      • Strict-Origin-Isolation: Enabled
      • Sync Clipboard Service: Disabled (don't copy your clipboard to an online server)
      • System Web Apps: Disabled
      • TLS 1.3 downgrade hardening: Enabled
      • TLS 1.3 Early Data: Disabled
      • Unified Consent: Enabled (new privacy consent acknowledgement)
      • Use Chrome Sync sandbox: Disabled
      • Use Google Payments sandbox servers: Enabled
      • Use InstallableInkDrop where supported: Disabled
      • Use realtime priority thread for Audio Worklet: Disabled (realtime execution could slow down your PC)
      • Use the Windows OS spellchecker: Disabled
      • Web Authentication API BLE support: Enabled
      • Web Authentication caBLE support: Disabled
      • WebAssembly SIMD support: Disabled
      • WebAssembly threads support: Enabled
      • WebXR AR Module: Disabled
      • WebXR Device API: Disabled
      • WinRT Sensor Implementation: Disabled (less input is best)
      • XR device sandboxing: Enabled
      • Zero-copy rasterizer: Disabled

    Unfortunately, the Chrome settings cannot be copied from one PC to another, so the above will have to be done manually. The version above seems to keep the Chrome Flags preferences itself and will not import a Local Settings file from another PC.



    Sandboxing your Browser: Sandboxie


    Sandboxie ( http://www.sandboxie.com/ ) applies the sandbox security concept to protect any browser. Basically, the protected browser is made to work within a small directory, but it thinks that that directory is drive C. Sandboxie, and any sandbox in general, does not aim to stop an attack, but instead contains the attack within that directory. If the attack creates folders and files, they will be created in that directory. If it installs hacking tools and malware, they will all be confined to that directory. All your downloads will also arrive in that directory first, and Sandboxie will help move them back to the outside world. And everything in that directory can be wiped away with one click. This program is vital to securing your browser.

    It has been debated whether Chrome's AppContainer security is better than Sandboxie. According to one forum message, AppContainer is one level lower than Sandboxie's "untrusted" mode, and that should be a good thing. However, my personal choice is still to use Sandboxie, due to the reason that it is safer not to have all your eggs in one basket. If Chrome is ever successfully attacked, then I would still have a second layer of security apart from Chrome itself.

    Create a sandbox for each user. This assumes that you have different user accounts for different uses, like one for online banking and one for writing/posting your blog. This is so that anything that gets into one sandbox cannot lift data belonging to another sandbox.

    Remember to delete the users' Sandbox once in a while. And especially when you upgrade your browser.

    Right click on the sandbox and choose Sandbox Settings.

    • delete>delete invocation> checkmark automatically delete contents of sandbox so that anything that gets into sandbox does not persist on your system
    • program stop>leader programs> chrome <or your preferred browser> so that anything that gets into this sandbox get terminated when chrome exits
    • restrictions>Internet access> only chrome <or your preferred browser> so that anything that gets into this sandbox cannot access the web
    • restrictions>start/run access> only chrome <or your preferred browser>
    • restrictions>drop rights> checkmark 'drop rights ...'


    Tip: if you have a favorite site that requires login, and you allow the site to remember your login so you don't have to log in every time, you can start the browser outside of Sandboxie to quickly log in and let the site save a cookie. Then restart the browser using Sandboxie. Sandboxie will copy the cookies from outside into the sandbox when it starts.



    Sandboxing your Browser: Comodo Internet Security Free

    Comodo Internet Security (free) ( http://www.comodo.com/home/internet-security/free-internet-security.php ) also provides a sandbox feature, named Auto-Containment. The primary reason for choosing Comodo over Sandboxie is that it correctly handles Firefox's built-in YubiKey hardware token support. YubiKey is a hardware 2nd factor authentication method used in conjunction with Google's Advanced Protection Program.

    To make CIS Auto-Containment correctly handle your browser, you have to go to Advanced View > Auto-Containment > Auto-Containment (on the left) and Add button. Then click on Edit button. Then Browse button and select File. Navigate to Firefox.exe > Open > OK. Then check that Action is "Virtual" and OK.

    Because 3rd party AVs commonly cause compatibility problems with Windows 10, it is best to disable the Antivirus component. Go to Advanced View > Stateful > and select Disable and Permanently.

    Note: Comodo Internet Security is more strict than Sandboxie in one way in particular: you cannot copy and paste from the sandboxed browser to an application outside the sandbox.



    YubiKey

    YubiKey is a hardware security token. It is supported by Google's Gmail and Google Drive to replace SMS 2nd factor authentication. Without spending anything extra, SMS 2nd factor authentication is an OK security measure (an extra logon code is sent via text message when you attempt to sign in). However, cell phones can be easily hacked (especially Androids), and then that 2nd factor would be useless. The token is a small USB insert and can also be used with your cell phone if your cell phone has NFC (near field communication). So you either insert the USB end into your PC or tap the token on your cell phone when navigating to gmail.com. Many sites support it, including FaceBook, Outlook, OneDrive, DropBox, Salesforce, GitHub, the Dashlane password manager ....

    You have to buy 2 tokens to register with Google Advanced Protection Program. One for daily use, and another for backup in case you lose the first one. Currently, the cheapest model is the Security Key NFC ($49 for a pair). And it is currently the best 2nd Factor authentication security measure. Highly recommended.

    Why not a VPN service?

    VPN services proclaim that because they encrypt your internet browsing traffic, you are secured. But what are you protected from? The only scenario where it was useful was when you were sitting in a cafe using a WiFi hotspot; it stopped snoopers from seeing where you were surfing to. It does not protect you from everything else far more dangerous: hackers, malware, drive-by downloads, JavaScript attacks, and everything else the internet can bring.

    From 2018 onwards, most web sites are almost obliged to provide https, aka SSL encryption, by popular demand; you see the padlock symbol to the right of the address bar of your browser. So your traffic to web sites is already encrypted without a VPN service. And the Firefox and Chrome browsers will stop transmissions whenever your traffic is being spied upon or manipulated by a man-in-the-middle attack and bring up a big warning notification.

    VPN services were useful when offering https was expensive and only done by financial institutions and web stores. Now everybody is using https, even web sites that only serve news, don't sell anything and don't have anything financial. VPN services are expensive, and your money is better left in your wallet or purse.



    A better DNS Server

    Quad9 provides a set of DNS servers backed by 18+ threat intelligence providers, which supply up to date blocks for malware infected sites and phishing sites. Go to your router's setup web page and put in these server addresses:
    • IPv4 DNS Servers: 9.9.9.9 and 149.112.112.112
    • IPv6 DNS Servers: 2620:fe::fe and 2620:fe::9

    Passwords


    You should have strong passwords to safeguard your accounts, particularly the admin accounts. The first account created when you install Windows is an administrative account, so you need to protect that. There is also a hidden account called Administrator which you should also protect with a password, but it first has to be enabled, as it is disabled by default. This is done with the following commands at an elevated command prompt (the first enables the account, the second sets its password; replace (password) with the password you chose):

    net user Administrator /active:yes
    net user Administrator (password)

    Your passwords should be long ( 15+ characters ) and also use upper and lower case, numbers and symbols. The best way is to create passphrases. For example, take the sentence "James T Kirk is the captain of the USS Enterprise 1701". That would form the password JTKitcotUSSE1701. Throw in symbols and it becomes JTK$itcot%USSE1701. This password is now long and complex enough to foil attacks.

    It is not secure to use the same password everywhere. Some people think it is OK to use the same password for email, banking, Facebook, windows login and so on. If your password is discovered, ( say by a keylogger ) the next logical thing is to try that on your email account. Once they get access to your email, they can use the ‘forgot my password’ feature of many web sites to have them email over your access password for that site. And very shortly everything will be compromised. Password attack programs either use a brute force approach or a dictionary approach. The brute force method tries every combination of numbers and letters. The dictionary approach tries out known words. These password attack programs are fast and can test thousands of passwords per minute. A short password is crackable in no time. A secure site would have safety features like locking your account after several failed tries or making you answer the security questions. But not every site is secure like that. And those weak sites are the primary target of password attack programs.

    Enforce long password/passphrase

    See Automated Configuration section.

    —————————-

    BIOS Password


    It is also prudent to password protect your BIOS, so that people cannot boot your PC. Also, you should change the boot order in the BIOS so that it boots the hard drive first, rather than the CD/DVD. If an attacker can insert a Linux Live CD and start up your PC, then they will be able to mount your hard drive and read all data from it, and all Windows security will be bypassed.

    Physical Security

    Physical security is very important and should not be overlooked. If someone has physical access to your PC, then they could bypass a lot of the hardening that was done.

    For example, if an attacker could access your PC and boot up a Linux Live CD, he could then read and copy off all files from the Windows disk partition. Or he could remove your hard drive and put it into another PC as a secondary drive and get data off that way. Either way, Windows' password security will be of no use, because the hard drive's copy of Windows was never started.

    Lock your office or study room or bedroom containing your PC.

    BitLocker Drive Encryption

    BitLocker is the full disk encryption feature of Windows 10 Pro. When it is active, the whole drive is encrypted and will not be readable with other copies of Windows or Linux. This eliminates the offline attacks mentioned above.


    Intrusion Detection part 1


    Good security partly consists of deter, deny and delay. That is what hardening does. Good security is also about detection: Detection of unwanted changes like unauthorized account creations, running of malware and other unwanted apps, etc. Fortunately, a lot of things are tracked in the event logs. Windows’ Event Viewer holds a lot of information about your system (Control Panel > Administrative Tools > Event Viewer). One cannot claim to know what is going on in a system without examining the logs periodically.

    Microsoft created a Security Events to Monitor Guide. Google for "Appendix L events to monitor"

    The guide examines what security monitoring one should do and provides the relevant Event IDs. In the section below, those Event IDs are placed into custom filters, which allow you to monitor for signs of intrusion.

    Attacks follow a general pattern when an attacker compromises a system. There may be new mechanics used when attacking, but it always leaves a trail, and the event logs hold that trail. There will always be admin account 'misuse': the standard account is used daily, so why is the admin account suddenly logged on on a particular day? (It may be wise to keep a paper log book of the times you use the admin account.) The attack may use a buffer overflow technique against different programs and services to gain entry, but it usually leaves an Application Hang event or a Service Terminated event. If the attacker tried to guess a password, it will leave repeated Logon Failure events. If the attacker tried to execute a program outside of the Program Files and Windows folders, it will leave a Software Restriction Policy (SRP) event. If the attack gained hold of the System account, you may not spot that logon event in the multitude of System account logons that happen throughout the day, because Windows uses that account for itself, but you may find the hang or crash event left by the buffer overflow. Why is the system time suddenly off by 5 hours? It could be that an attacker is trying to hide herself by making event log records inaccurate. (And that is also a good reason to have a centralized syslog server, see below.) And don't disregard Windows 10's own Defender, which can detect many newer attacks; it recognized a Remote Access Tool for me.

    Make Event Log files Bigger


    (also covered by automated configuration part 2)

    You may not discover an intrusion right on the first day when they get in. Very often, the discovery comes several weeks to months later. You will need to retain log entries, and the default log sizes allow for too short a period.

    Control Panel/Administrative Tools /Event Viewer

    Expand 'Windows Logs'. Right click on Application, Properties and set log size to 1000000. Do the same for 'Security' and 'System'.

    Security Events to Monitor for


    Create Custom Views for the following Event IDs;

    (see also Automated Configuration part 1)

    HOWTO: click 'Create Custom View'. Select 'By Log', pull down 'Event Logs', Checkmark 'Windows Logs', Move to the field and copy and paste in the event id numbers, click OK and name the view.

    • 4723,4724 - Change Password
    • 4720,4726,4738,4781 - Delete, Change Accounts
    • 4608,4609 - Startup, Shutdown
    • 4613 - Clear Security Log
    • 4616 - Change System Time
    • 4617 - Unable to Log
    • 4714,4705 - Privilege assigned or removed
    • 4708,4714 - Change audit policy
    • 4717,4718 - System access granted or removed
    • 4739 - Change domain policy
    • 16390 - Administrator account lockout
    • 4727-4730,4731-4734,4735,4737,4784,4755-4758 - Group changes
    • 4624,4636,4803,4801 - Account logons
    • 4625,4626,4627,4628,4630,4635,4649,4740,4771,4772,4777 - Logon failures ( KEYWORD: Audit Failure )
    • 4672 - Admin account logons
    • 4698 - Schedule new job
    • 4656 - Access refused to object
    • 4664 - Create hard link to audited file
    • 865,866,867,868,882 - Software restriction triggered
    • 1000 - Application Error ( Event Level: CHECKMARK "Error" )
    • 1002 - Application Hang ( Event Level: CHECKMARK "Error" )
    • 7031 - Service terminated unexpectedly
    • 4697 - Install a Service
    • 4663 - Access audited file
    • 11707,11742 - Application Install or Uninstall
    • By Log: Application and Services Log > Microsoft > Windows > Windows Defender - Windows defender

    In the Configuration Pack, the above 'custom view' filters are in the folder "Event Viewer Custom Views". Simply choose 'Import Custom View' to import each xml file one by one.
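As an added example (not the Configuration Pack's own files), a Python script that builds importable Custom View XML for the event-ID list above. The element layout (ViewerConfig/QueryConfig/QueryNode/QueryList) is assumed from what Event Viewer's 'Export Custom View' writes; Level=2 is the "Error" level and the Keywords bit used is the one Event Viewer labels "Audit Failure".

```python
"""Generate Event Viewer Custom View XML for the intrusion-detection list above.

Added example, not the guide's Configuration Pack. Output files are meant for
Event Viewer > Import Custom View. The XML layout is assumed to match what
Event Viewer itself exports; the event IDs are the ones listed on this page.
"""
import os
import xml.etree.ElementTree as ET

AUDIT_FAILURE_KEYWORD = 0x10000000000000  # Security-log "Audit Failure" keyword bit
LEVEL_ERROR = 2                           # the "Error" checkbox in the view dialog

# (view name, event-ID spec in the page's notation, extra filter options).
# A subset of the page's list; add the remaining entries the same way.
VIEWS = [
    ("Change Password", "4723,4724", {}),
    ("Delete, Change Accounts", "4720,4726,4738,4781", {}),
    ("Change System Time", "4616", {}),
    ("Group changes", "4727-4730,4731-4734,4735,4737,4784,4755-4758", {}),
    ("Admin account logons", "4672", {}),
    ("Logon failures", "4625,4626,4627,4628,4630,4635,4649,4740,4771,4772,4777",
     {"audit_failure": True}),
    ("Application Error", "1000", {"error_only": True}),
    ("Application Hang", "1002", {"error_only": True}),
    ("Service terminated unexpectedly", "7031", {}),
    ("Install a Service", "4697", {}),
]


def expand_ids(spec):
    """'4727-4730,4735' -> [4727, 4728, 4729, 4730, 4735] (page notation)."""
    ids = []
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-"))
            ids.extend(range(lo, hi + 1))
        else:
            ids.append(int(part))
    return ids


def build_xpath(ids, error_only=False, audit_failure=False):
    """XPath filter in the form Event Viewer uses for 'By Log' custom views."""
    clauses = []
    if audit_failure:
        clauses.append(f"band(Keywords,{AUDIT_FAILURE_KEYWORD})")
    if error_only:
        clauses.append(f"(Level={LEVEL_ERROR})")
    clauses.append("(" + " or ".join(f"EventID={i}" for i in ids) + ")")
    return "*[System[" + " and ".join(clauses) + "]]"


def custom_view_xml(name, spec, logs=("Application", "Security", "System"),
                    error_only=False, audit_failure=False):
    """Return the XML text of one custom view covering the given Windows Logs."""
    xpath = build_xpath(expand_ids(spec), error_only, audit_failure)
    root = ET.Element("ViewerConfig")
    config = ET.SubElement(root, "QueryConfig")
    ET.SubElement(ET.SubElement(config, "QueryParams"), "UserQuery")
    node = ET.SubElement(config, "QueryNode")
    ET.SubElement(node, "Name").text = name
    query = ET.SubElement(ET.SubElement(node, "QueryList"), "Query",
                          Id="0", Path=logs[0])
    for log in logs:  # one <Select> per log so all three Windows Logs are searched
        ET.SubElement(query, "Select", Path=log).text = xpath
    return ET.tostring(root, encoding="unicode")


def view_name(xml_text):
    """Parse a view back (which also proves it is well formed) and return its name."""
    return ET.fromstring(xml_text).find("./QueryConfig/QueryNode/Name").text


def write_views(folder, views=VIEWS):
    """Write one .xml per view into folder and return the paths written."""
    os.makedirs(folder, exist_ok=True)
    written = []
    for name, spec, options in views:
        file_name = name.replace(",", "").replace(" ", "_") + ".xml"
        path = os.path.join(folder, file_name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(custom_view_xml(name, spec, **options))
        written.append(path)
    return written


if __name__ == "__main__":
    for path in write_views("Event Viewer Custom Views"):
        print("wrote", path)
```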


    The above items are important to review.

    Now that Windows is hardened, most of the vulnerabilities you face will come from applications. The concepts that underlie protecting apps are the same as protecting the OS. Be careful of apps that have high privileges, and scrutinise network facing apps. Patching is really important; upgrade the app when new versions are posted. Monitor Event Viewer's "application hang", "application error" and "service terminated unexpectedly" custom views: if something fishy is going on and it happened after an application hang/error, then there is a chance that you have been attacked. Be aware of what is normal and what is not. Know the protection settings that have been applied and know when a change is made (by an attacker). For example, your full-admin's Documents folder has been set to have only one ACL entry, full access for the full-admin; if you find that suddenly another entry has been added giving access to, for example, the Administrators group, then something is wrong.



    Turn on CrashOnAuditFail


    The system halts when it cannot write an event to the Security log.
    Run 'regedit'. Find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
    Edit the item 'crashonauditfail' and set it to 1.


    Logalyze


    If you have several machines, you might consider setting up an event log collector machine. The benefits are:

    1. All event logs from all machines are centrally collected like an operations center.
    2. If the attacker uses the same attack across machines, you may see the same event happening around the same time across machines.
    3. In Logalyze, you can view the unfiltered collected logs in incoming order, which helps you learn about the logs in almost real time, without having them separated into Application, Security and System.
    4. You can define and save queries for the eventID's listed above which allow you to quickly spot problems on any of your machines.
    5. The log collector can collect logs also from your router, hardware firewall, intrusion detection system, Linux machines, and whatever devices you have on your network as long as they can be configured to send logs to a remote machine.

    Logalyze install consists of 4 downloads:

    • Evtsys. from https://code.google.com/archive/p/eventlog-to-syslog/downloads
    • Java. from https://www.java.com/en/download/
    • Apache Tomcat. from https://tomcat.apache.org/download-90.cgi
    • Logalyze. from http://www.logalyze.com/downloads/viewcategory/2-installer

    Set up Instructions

    • Install Java using its setup program

    • Apache Tomcat is a java based web app server. It is needed by Logalyze to present the logs in a web page. It doesn't have an installer. Just unzip and copy to Program Files.

    • Logalyze doesn't have an installer. Just unzip and copy to \Users\<StandardAccountName>\AppData\Local\logalyze.

    • Then set 2 system environment variables by going to This PC > Properties > Advanced System Settings > Environment Variables:
      JAVA_HOME to the folder where you installed Java
      CATALINA_HOME to C:\Users\<StandardAccountName>\AppData\Local\logalyze\admin

    • Next, set up a Custom Inbound Allow Firewall Rule, to allow UDP Port 1670.
      Then Disable all other Inbound rules. This operations center machine is important and must be hardened.

    • Finally, set up Simple Software Restriction Policy (SSRP). These are security compromises we need to make: executables need to be run from the user-writable AppData folders, and cmd.exe has to be allowed to run in order to run Logalyze's batch files.
      Go to the [CustomPolicies] section and add the following 2 lines:
      \Users\<StandardAccountName>\AppData\Local\logalyze\bin=1
      \Users\<StandardAccountName>\AppData\Local\logalyze\admin\bin=1
      Then go to the [Disallowed] section and add a semi-colon to the beginning of cmd.exe=1.
      Now close the gap caused by the compromise: change the permissions of \logalyze\bin and \logalyze\admin\bin. Go into Advanced and Disable Inheritance. Then give that StandardAccount only the rights Read & Execute, List folder contents, and Read, so that nothing running as that account can drop a new executable into the allowed folders.
    Then install EvtSys on each Windows machine. EvtSys translates and sends Windows event logs to the syslog server, which is the common name for an event log collector. Unzip, open an admin command prompt, and run the install command:
    "evtsys -i -h (your log collector machine ip) -p 1670"
    Then go to Start > Windows Administrative Tools > Services to start the EventLog to Syslog service. Note that the Ethernet adapter needs to be connected for the service to start; just unplug the router to stop it from going online while we are hardening.
    You also need to create an Outbound Allow Firewall Rule to allow outbound traffic to the log collector machine's IP, UDP port 1670.


    To start Logalyze you run 2 bat files and open your browser.
    Go to \Users\<StandardAccountName>\AppData\Local\logalyze\bin and run startup.bat.
    Go to \Users\<StandardAccountName>\AppData\Local\logalyze\admin\bin and run startup.bat.
    Then start your browser, and use the address 127.0.0.1:8080.

    To see the logs that Logalyze collected, go to the Search tab, set the time frame drop down, and click on the magnifying glass icon to the right of the search bar.

    To search for several event IDs, just type in each number separated by a space and an upper case "OR".

    To find logs of a particular Windows machine, type "loghostname:" followed by the Windows Computer name which you find in This PC > Properties; for example "loghostname:desktop-u3ehvod". To find logs of a device like your router, use for example "loghostname:192.168.0.1" where 192.168.0.1 is your gateway/router's ip address.

    You can also search for event IDs on a particular machine, for example "loghostname:desktop-u3ehvod AND 4624".

    To save a query/search, click on the floppy icon to the right of the search bar. To see your saved queries, go to the Admin tab, click on Definitions pull down and choose Query Definitions.

    Routers and Linux generally expect the syslog server to run on UDP port 514.

    • Go to the Admin tab, Collectors section > Add New button.
    • Then give the collector a name (e.g. Router).
    • Go to the next tab Data Transport Protocol, select DTP Type: socket. Port: 514 and Proto: UDP.
    • Go to the next tab Data Format, select DF Type: syslog.
    • Click Save button.
    • Now go to the Firewall and create a Custom Inbound Allow Rule to allow UDP Port 514.
    • Now go to your router's web page and set up where to send the logs to, which is the ip address of your syslog machine.
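    The quickest way to confirm that the firewall rules above are right and that EvtSys (UDP 1670) or the router (UDP 514) is actually reaching the collector is to listen on the port before Logalyze is even running. The following is an added example, not part of the guide or of Logalyze; it assumes 192.168.0.10 as a placeholder for the collector's address, and the firewall rule it shows is the same Custom Inbound Allow rule described above, expressed as a cmdlet.

```powershell
# Added example (not from the guide): a throwaway UDP syslog listener for the
# collector machine, plus a sender for testing from a client.
# Assumption: 192.168.0.10 is a placeholder for the log collector's address.

function Receive-Syslog {
    # Receive up to $MaxMessages datagrams on $Port and print who sent what.
    param([int]$Port = 1670, [int]$MaxMessages = 5)
    $udp = [System.Net.Sockets.UdpClient]::new($Port)
    $sender = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
    try {
        for ($i = 0; $i -lt $MaxMessages; $i++) {
            $bytes = $udp.Receive([ref]$sender)
            $text = [System.Text.Encoding]::UTF8.GetString($bytes)
            # RFC 3164 messages start with <PRI>, where PRI = facility * 8 + severity.
            if ($text -match '^<(\d{1,3})>(.*)$') {
                $pri = [int]$Matches[1]
                '{0} {1} fac={2} sev={3} {4}' -f (Get-Date -Format 's'), $sender.Address,
                    [math]::Floor($pri / 8), ($pri % 8), $Matches[2]
            } else {
                '{0} {1} (no PRI header) {2}' -f (Get-Date -Format 's'), $sender.Address, $text
            }
        }
    } finally {
        $udp.Close()
    }
}

function Send-Syslog {
    # Send one test message to the collector; returns the number of bytes sent.
    param([string]$Collector, [int]$Port = 1670, [string]$Message = "test from $env:COMPUTERNAME")
    $udp = [System.Net.Sockets.UdpClient]::new()
    # <14> = facility 1 (user), severity 6 (informational)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("<14>$Message")
    $sent = $udp.Send($bytes, $bytes.Length, $Collector, $Port)
    $udp.Close()
    return $sent
}

# On the collector: the inbound allow rule from the text as a cmdlet, then listen.
# New-NetFirewallRule -DisplayName 'Syslog UDP 1670' -Direction Inbound -Protocol UDP -LocalPort 1670 -Action Allow -Profile Private
# Receive-Syslog -Port 1670
# On a client, after its outbound allow rule is in place:
# Send-Syslog -Collector '192.168.0.10' -Port 1670
```

    Receive-Syslog blocks until the requested number of datagrams has arrived, so run it in its own window; use -Port 514 to test the router collector. Nothing printed here means the traffic never arrived: check the outbound rule on the client, the inbound rule on the collector, and that the EventLog to Syslog service is actually running.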




    Intrusion Detection – part 2: Baselines

    Intrusion detection also has to do with seeing that things aren’t different from what is normal. Your PC was running perfectly on day 1 after hardening, is it doing anything different today? To answer that question, we need baselines.

    What we want to know is what programs are normally running when we first login. If we know that, then we can be sure that we aren’t contaminated with spyware or other hacking tools. There are 2 programs we want to get, all free. The first one is AutoRuns, available from here: http://technet.microsoft.com/en-us/sysinternals/bb963902

    It doesn't have a setup program, just download, unzip, create a folder under \Program Files and copy the files there.

    AutoRuns lists all of the places in the registry where programs are set to auto launch. Right click on it and choose Run as admin, then use File/Save to take a snapshot of each account's current settings. Later on, during your regular system checkups, you can use the File/Compare feature to see if anything is different. New entries show up in green. If all green entries are good, then save the file again with today's date, and do the comparison against the new file in the next scheduled check.

    The second program is Process Explorer, available here: http://technet.microsoft.com/en-us/sysinternals/bb896653

    This program is like Task Manager, but it shows more info. Much malware names itself with familiar Windows program names, trying to hide. Log in to your admin account, then right click on Process Explorer and choose 'run as admin', go to View/Select Columns and checkmark 'command line'. Then do a File/Save. The resulting text file is now a snapshot of what normally runs when you first log in.

    When you do a comparison using Process Explorer, note that you cannot use a file comparison tool like 'fc' (file compare) to check for differences, because the PID (process identifier) of each program/process is different on each boot-up. You have to do a visual check of the command line column.

    Next, reboot your PC and open an elevated command prompt with 'run as admin', and type

    netstat -abn > netstat-baseline.txt

    The netstat program shows you a list of programs that are listening and connecting to the net. If an attacker connects to your PC, his program would have to connect back from your PC to his PC, and his program would show up in this list.

    Driverquery is a command line tool in Windows which lists all the drivers in use. Some viruses and rootkits now come in the form of a driver. When you perform your routine checks, first run this:

    driverquery > out.txt

    If this is the first snapshot, then rename the out.txt to driverquery-out.txt.

    Next time, run this:

    driverquery > out2.txt

    Then use Beyond Compare to compare the original against the new one.

    The thing to do is to create a first txt, then create a 2nd txt just before you do each Windows Update, and use Beyond Compare to see if there are any differences. If there are, investigate, because nothing should have changed unless you installed new software, or someone has added something to your machine between the last Windows Update and now. That would be around 2 weeks, and most changes should still be fresh in your mind.

    If there are no differences, do the Windows Update and create another set of baselines.

    Now we have 4 baselines; save them onto a USB memory stick for use in comparisons later. One should also save the Autoruns and Process Explorer files onto the memory stick, because after an attack, programs may get altered or rendered unusable. You have to keep the baselines on a USB memory stick because attackers will modify your baselines to make you think nothing has changed.

    The last thing to do when doing baseline comparisons is to run "sfc /scannow" to determine if any system files have been modified. SFC contains the correct Windows file signatures and compares them to the current setup. It will also fix the problem.
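    The baseline routine above (process command lines, listening ports and drivers, captured after a reboot and compared against the previous capture) can be scripted so that the PID problem goes away: the script records each process by its command line only, and each listener by address, port and process name, so plain line-by-line comparison works across boots. The following is an added example and not part of the guide or of the Sysinternals tools; it assumes the USB stick is mounted as E: and should be run from an elevated PowerShell prompt so that every command line is visible.

```powershell
# Added example (not from the guide): capture the boot-time baselines described
# above and diff them against the previous capture on the USB stick.
# Assumption: the USB stick holding the baselines is mounted as E:.
$BaselineDir = 'E:\baselines'

function Get-ProcessBaseline {
    # Process Explorer's 'command line' column without the PID, so two boots
    # can be compared line by line instead of by eye.
    Get-CimInstance Win32_Process |
        ForEach-Object { if ($_.CommandLine) { $_.CommandLine } else { $_.Name } } |
        Sort-Object -Unique
}

function Get-ListenerBaseline {
    # Equivalent of 'netstat -abn' for listening TCP ports: address, port and
    # process name (again no PID, which changes on every boot).
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} {2}' -f $_.LocalAddress, $_.LocalPort, $proc.ProcessName
    } | Sort-Object -Unique
}

function Get-DriverBaseline {
    # driverquery in CSV form; these columns do not change between boots.
    driverquery.exe /fo csv | ConvertFrom-Csv |
        ForEach-Object { '{0} {1} {2}' -f $_.'Module Name', $_.'Driver Type', $_.'Link Date' } |
        Sort-Object -Unique
}

function Save-Baseline {
    # Writes the lines to <kind>-<date>.txt on the stick and returns the file name.
    param([string]$Name, [string[]]$Lines)
    if (-not (Test-Path $BaselineDir)) { New-Item -ItemType Directory -Path $BaselineDir | Out-Null }
    $file = Join-Path $BaselineDir ('{0}-{1}.txt' -f $Name, (Get-Date -Format 'yyyyMMdd-HHmm'))
    $Lines | Set-Content -Path $file
    return $file
}

function Compare-Baseline {
    # Prints '-' for lines that disappeared since the old capture and '+' for new ones.
    param([string]$OldFile, [string]$NewFile)
    Compare-Object -ReferenceObject (Get-Content $OldFile) -DifferenceObject (Get-Content $NewFile) |
        ForEach-Object {
            $mark = if ($_.SideIndicator -eq '=>') { '+' } else { '-' }
            '{0} {1}' -f $mark, $_.InputObject
        }
}

# Capture today's set and compare each one against the most recent earlier capture.
foreach ($kind in 'processes', 'listeners', 'drivers') {
    $lines = switch ($kind) {
        'processes' { Get-ProcessBaseline }
        'listeners' { Get-ListenerBaseline }
        'drivers'   { Get-DriverBaseline }
    }
    $new = Save-Baseline -Name $kind -Lines $lines
    $previous = Get-ChildItem $BaselineDir -Filter "$kind-*.txt" |
        Where-Object { $_.FullName -ne $new } | Sort-Object Name | Select-Object -Last 1
    if ($previous) {
        Write-Host "== $kind: changes since $($previous.Name) =="
        Compare-Baseline -OldFile $previous.FullName -NewFile $new
    } else {
        Write-Host "== $kind: first baseline saved to $new =="
    }
}
```

    An empty comparison means nothing changed. Any '+' line is something that now runs, listens or loads and did not before; treat it exactly as the text says, and account for it against the software you knowingly installed since the last capture. The script keeps every dated capture on the stick, so the history also survives an attacker tampering with files on the PC itself.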

     


    Intrusion Detection – part 3

    You should definitely use an antimalware program. However, note that you can only have one realtime antivirus program. The realtime capability monitors file access and file modifications as they happen, and having more than one realtime antivirus will cause problems. Having more than one anti-spyware program usually doesn't cause problems. Windows 10 has Windows Defender installed by default, which is an antivirus program. It will also scan ActiveX components before use and does network behaviour monitoring.

    For a list of antimalware programs to consider, go to http://av-comparitives.org or http://virusbtn.com. These 2 sites run tests on antivirus programs to see how effective they are.

    There are also a lot of fake antivirus programs floating around, so make sure you find more than 1 review before installing one. The fake ones report non-existent infections, just ask you for your money and do nothing. Some will even stop you from going to legitimate antivirus program sites, stop your programs from working and make you think you are infected with a virus. If you happen to have installed a fake antivirus, there is one anti-malware program that can remove it. It's called MalwareBytes ( https://www.malwarebytes.org ). MalwareBytes has a free version, which doesn't include real time detection and automatic signature updates. It is a very good tool to have, just remember to update the signatures before doing a scan.

    Bear in mind that no antimalware program will catch everything you encounter. A study found that the best detection rate is around 60%. Vendors can't hope to have captured and analyzed ALL the viruses out there, because lots of new ones are introduced every day.

    Yes, you can't fully trust your antivirus program to do a perfect job. To be on the safe side, use online scanners once in a while to do a double check. There are quite a few of them: TrendMicro Housecall, BitDefender, Kaspersky, Panda and ESET. Google for "online scan" and you will see them.

    If you download stuff from P2P and bittorrent, beware. Lots of infected programs are floating around. They would even work as expected, except that they will also get you infected. And those viruses tend to be new ones, so most likely your antivirus program will not even beep. You have been warned. The best that you could do is upload the file to virustotal.com and let them run your file against their 39 antivirus programs, and then decide if you want to keep the file or not. You have to remember that it is hackers who release pirated software, cracks and keygens, and they seed these files on P2P and bittorrent. And most likely, they also want to own your PC.

    Also, antimalware tools are no match for hackers. Hackers' attack tools always evade AV protection because they test them against common security protections to make sure they cannot be detected. AV programs also do not detect remote access tools because they can be used legitimately or otherwise.

    Security suites are very popular. For example, Norton includes antivirus, anti-spyware, anti-rootkit, smart firewall, network monitoring, parental controls, anti-spam and more. They certainly seem to be value for your money. But when weighing effectiveness, many choose a best of breed, mix and match, solution. For example: one can use ESET antivirus and anti-spyware, Webroot anti-spyware, Windows firewall, NetNanny parental control, Gmail's anti-spam and Gmer anti-rootkit.

    If you are considering security suites, then you should also Google for "<brand> end point protection". End Point Protection is the name used for antivirus suites for businesses. And like MS's way of adding more security features for Windows Enterprise, the business products of major antivirus brands offer more security features. Most will also offer a trial version, so you can test them before making the leap.


    VoodooShield


    One type of program you must have is an anti-executable. Unlike anti-malware programs, it is not signature based. This class of protection stops any program from running unless you have clicked on it or it resides in a small whitelist. So if you clicked on it, then it runs; if you didn't, then it gets blocked. This stops drive by downloads where web sites get hacked to deliver malware. Also, many exploits download a malware of their choosing (mostly RATs) and execute it. Anti-executables are a great class of protection to have. There are several on the market, like Anti-Executable, AppGuard, No Virus Thanks EXE Radar Pro, and VoodooShield. The last one is free. Note: you have to allow VoodooShield.exe and VoodooShieldService.exe outbound in the firewall, but only enable the firewall rules when it asks you to register and then immediately disable both rules. This is because VoodooShield is primarily an anti-executable whose job is to tell you something has run. The online portion enables it to verify signatures and test run an exe in a monitored sandbox, but this is not its main job. You just want to be prompted when a program you did not click on is run, which could be a normal background task or a program started by an intruder. Secondly, opening a connection to the net enables a spoofed attack on VoodooShield. Remember that the firewall design principle is default deny and minimization of connections.

    If You are Under Attack

    If you are currently under attack, then avoid doing an update using your antivirus. Instead, google for "<your antivirus name>" + "offline update". Most antivirus companies publish their virus signatures for offline use for updating non-internet connected PCs (e.g. network isolated corporate PCs). Download the file, and check the Digital Signature.

    MS Defender provides their updates via a program named "mpam-fe.exe" from "www.microsoft.com/en-us/wdsi/defenderupdates". Download it, check the digital signature and run it.

    Comodo Internet Security provides their updates via a file named "bases.cav" from "www.comodo.com/home/internet-security/updates/vdp/database.php3". To update, click on the Question Mark > About > Import Virus Database

    Antivirus online update components can be attacked. Attackers have studied the majority of antivirus programs to find ways to attack them, because AVs are programs that almost everyone has, and there are only about a dozen major vendors, so their goal is easily achievable.



    Registry Guard


    One of the ways that malware and rootkits gain persistence is by adding themselves to the registry. Thus the registry needs to be guarded against modification. Install Registry Guard to protect yourselves against this. NOTE: you have to go to Services.msc to turn it off before doing Windows Updates.



    Intrusion Detection - part 4



    Many people rely on their antivirus and antimalware to detect intrusions. Both are necessary, but when you are dealing with hackers, they will not identify everything. That is because a careful hacker tries to avoid detection and will not use tools that can be picked up by common security protection.

    One thing you can do is to employ a hardware firewall that has a network intrusion detection system and network intrusion prevention system. Commercial tools cost $400 and up. But there are several Linux distributions that play the role of a firewall and IDS/IPS. All you need is an older computer and an extra network card to deploy them. The ones I prefer are IPFire and pfSense.

    Both are straightforward to install and do not require Linux experience. You simply download the ISO file and burn the image to disk, then boot with it and follow the prompts.


    IPFire calls the external internet connection RED, and the internal network GREEN. And if you use 3 ethernet cards, a DMZ Network can be created labeled ORANGE. You have to assign a network card to each RED, ORANGE and GREEN zone. You can make the lights on the card light up and find out which card is which. After install, go to the web ip address you assigned during install and start configuration, just like configuring a router.

    In IPFire the built in intrusion detection is called snort and the intrusion prevention is an add-on called Guardian. Guardian takes the IP addresses found by snort and blocks them. Add-ons are available for install from the PakFire pull down menu. Once installed, go to Services > Intrusion detection and download the free signatures from EmergingThreats. Then review the rulesets and disable those rule groups that give alerts for services that you don't have in your LAN. Then checkmark Guardian and save. The ET rules update approximately once a month, and the update is not automatic, so create a recurring appointment in your smartphone.

    Note: only enable Guardian intrusion prevention if you are using IPFire as the main router. If IPFire is behind another router, then it will only see that router as the source of intrusion and block that.


    Intrusion Detection - part 5


    There is a program called WinDump, from here: http://www.winpcap.org/windump. It can capture all network traffic. And if you run it on another non-compromised machine, it can tell you almost absolutely if you have been attacked because you are looking at the network traffic from the outside of the compromised machine, and no rootkit can hide their traffic.

    You can see the source and destination of each packet, the ports used, and the network packet contents in ascii. Start WinDump and then boot up the compromised Windows machine without logging on. This will allow you to see what network traffic occurs at Windows boot time.

    There would be quite a lot of packets to go through. Open your browser and go to any web site that can do 'ip to domain' conversion, and paste in an IP from the WinDump output. This will tell you the domain name that the packet is going to. Along with the domain name, it usually states the company which is managing that network/site. You can then look up that company's web site. Then identify the harmless ones that belong to Microsoft and Akamai (which I think is a server ISP that caters to corporate clients like MS) and sites like your antivirus update site. Anything else would be suspicious, especially if the domain is a home user ISP, or the IP belongs to some company that is from another country which you don't go to, like 'ru' (Russia) and 'cn' (China).




    Intrusion Detection - part 6

    A honeypot is usually an unused dummy system set up just to lure attackers. Once you notice traffic on it, then it is guaranteed that you have an attacker. You can set up auditing for a 'honey folder' which you never click on to act as an intrusion detector.

    First create a folder, called for example 'Plans for the New Year', then right click on it and choose Properties. Then go to Security tab > Advanced > Audit tab. First set up which user account to watch for, then leave the settings at 'Read and Execute', which will generate an Event Viewer entry on every access.

    If you have the Configuration Pack, the Event Viewer custom views xml files allow you to import the custom views. Click on 'Access audited file' view to see the entries generated by the intruder. Also, you have to run the Harden Audit BAT and the Harden Security Options BAT to enable the auditing.

    Take care not to audit folders and files you normally use, because each access generates 6 or more entries, which could fill up the log and cause old entries to be discarded.
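    The honey folder set-up above, done with the same audit entry (SACL) the Properties dialog creates, plus the check you would do at each routine inspection: pull the 4663 "attempt was made to access an object" events for that folder out of the Security log. This is an added example and not part of the guide or of the Configuration Pack; the folder path is a placeholder, 'Everyone' is the watched identity, and it must run from an elevated prompt because setting audit entries needs the auditing privilege.

```powershell
# Added example (not from the guide): create a honey folder, attach a Success audit
# rule for Read & Execute, and query the 4663 events that an access generates.
# Assumption: the path below is a placeholder for the standard account's profile.
$HoneyFolder = 'C:\Users\StandardAccount\Documents\Plans for the New Year'

function New-HoneyFolder {
    param([string]$Path, [string]$Identity = 'Everyone')
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # Audit successful reads/executes by $Identity on this folder and everything under it.
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# A SACL only produces events when object access auditing is on. The guide's Harden
# Audit BAT covers this; the relevant subcategory is shown here so the example is complete.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

function Get-HoneyFolderAccess {
    # 4663 = 'An attempt was made to access an object'; keep only hits on our folder.
    # Properties[1] is SubjectUserName and Properties[11] is ProcessName in the 4663 event data.
    param([string]$Path, [int]$Days = 14)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        Select-Object TimeCreated,
            @{ n = 'Account'; e = { $_.Properties[1].Value } },
            @{ n = 'Process'; e = { $_.Properties[11].Value } }
}

New-HoneyFolder -Path $HoneyFolder
Get-HoneyFolderAccess -Path $HoneyFolder | Format-Table -AutoSize
```

    Because the folder is never used legitimately, any row returned by Get-HoneyFolderAccess is worth investigating: the Account and Process columns tell you which account and which program touched it, which is the same information the 'Access audited file' custom view shows in Event Viewer.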




    Intrusion Detection Maintenance Routine You Should Do Regularly

    • Go through the Event Viewer Custom Views set up previously
    • Check that your antimalware is working. Defender should not show a red icon in the systray. Then go to http://www.eicar.org/?page_id=3950 and download eicar_com.zip. Your antimalware should detect the test virus and quarantine it.
    • Do a malware scan of your drives


    

    Keyloggers and Screen Grabbers

    This class of spyware deserves mentioning on its own. Unlike other hacker attacks, these do not aim to penetrate and gain admin rights, but they are deployed by criminal hackers. They function in a standard account. Their aim is to capture credentials to your web accounts, like banking account numbers and passwords, email accounts and others. Antivirus programs do not detect them. To counter these, I know of 2 programs: Zemana AntiLogger (http://www.zemana.com), which has anti-keylogger as well as anti-screen grabber functions, and KeyScrambler (http://www.qfxsoftware.comm), which is only an anti-keylogger. (Both programs now have free editions.)



    Scan for Security Vulnerabilities

    Good security relies in part on using patched and updated software. So you must check for new releases and update your software. Another part lies in finding out if your software has security vulnerabilities for which there may be no patches yet, in which case you should stop using it or use it with caution. Thus you need a vulnerability scanner. Nessus is a long time player in this field and has a Nessus Essentials edition for non-commercial use.




    How to Deal with an Intrusion


    The first thing you should do if you suspect an intrusion is to determine if it is really an intrusion. For example, let's say you found by viewing Event Viewer that the XXX service has stopped and restarted. It may look like an attack, since if everything was hunky-dory that error should not occur. But if you look further down at past events, you may see that it did the same thing while you were still configuring the machine and it was offline then. Some Windows errors may be due to mis-configuration, and some Windows errors happen on their own anyway. Those may be error messages that were designed to be observed by the programmer so they can write code to catch those error conditions and have the program react to them. For example, if you were going to burn a DVD and didn't put a blank DVD in, the program would throw an error, and the programmer would write code to respond to that error message and put up a dialog box to tell you there is no blank disk in the drive.

    The next thing to do is to run security programs like antivirus and antimalware. Hopefully they identify something and quarantine it. Hackers don't use viruses and malware most of the time; they are too easily identified and removed by common security programs. For example, most AV and antimalware are useless at detecting remote access tools. The reason is that remote access tools may be legitimately used by the computer user to give access to their friends or service technicians, or to themselves when they are in a remote location like a coffee shop.

    If your installed antimalware like Windows Defender or a 3rd party antimalware does not find anything, try googling for "online scan" and you will see several big name antivirus vendors offering one time malware removal programs. Download these using another machine and copy onto the compromised machine and let them run. The download usually takes a long time because all signatures are being downloaded at once instead of daily trickle feeds. Remember each antimalware vendor has different malware signatures, so you have to try several.

    Then try some bootable antimalware tools. These downloads are usually ISO files, which you have to right click on and choose Burn to Disk. Antimalware on a boot-up CD bypasses starting up Windows, and also bypasses any self-protection that the malware has. Google for "bootable antimalware".

    In the end, everything above may not locate the attacker's tools. Remember, remote access tools are generally not picked up. Or the attack tool is simply too new.

    The next step is to contain the attacker, and make sure that the attacker cannot progress further to totally own the machine and attack other machines in your network. Close all browsers and networking apps, so that the connection traffic dies down. Then open an administrative command prompt and run "netstat -anbo". This will show all the connections to the machine. The program which makes the connection can sometimes be listed too. If it can't be listed by netstat, take the number in the PID column and look that PID up in Task Manager > Details tab. The attacker's program is often disguised by naming it with a familiar Windows exe name. Right click on the column titles bar and choose Select Columns, then checkmark 'Command Line'. This will show you the true location of that seemingly Windows program; maybe it is actually located in \Windows\Temp. Netstat's or WinDump's connection listing while the machine is quiet gives you the connections' IP addresses. Open the browser and google for "ip to domain". This will list several sites which let you see what domain an IP address belongs to. Go through the connections' IP addresses individually, and see what organizations they belong to. If the domain belongs to Microsoft, then ignore that one. If it belongs to a residential internet service provider or to companies that may offer public hotspots like Starbucks Coffee, then you may have identified your attacker. Google the organization's name to find out if it is a residential ISP or a business oriented network provider.

    The ip to domain tool will also give you the attacker's IP network address range. Let's say the network's IP range is 206.248.168.128/26. Now create a firewall inbound rule that blocks that address range.

    • Go to Start button > Windows Administrative Tools> Windows Defender Advanced Firewall
    • Click on Inbound rules on the left
    • Click on New Rule on the right
    • Select the Custom radio button, Next
    • Select All Programs, Next
    • Select Protocol type: Any, Next
    • For "Which remote ip addresses this applies to", select "these ip addresses"
    • Click the Add button, and type in the network address range, Next
    • Select Block the Connection, Next
    • Checkmark Domain,Private and Public. Next
    • Name the rule. Finish

    The reason to block the network range instead of a single IP address is that the attacker may be able to move to another connection within her network. And blocking the entire network of a residential ISP couldn't hurt, or maybe you are blocking the entire Russian militia.
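    The containment steps above (the netstat listing with the owning program's command line, and the inbound block rule for the range) as one script. This is an added example, not part of the guide; it uses the example range from the text, which is not a real indicator, and goes one step beyond the text by adding an outbound block for the same range, so a remote access tool already on the machine cannot call back to it either. Run it from an elevated prompt.

```powershell
# Added example (not from the guide): list established connections with their
# owning program, drop the ones that stay inside the local network, then block
# the attacker's address range in both directions.
# Assumption: the range below is the example range from the text, not a real IoC.
$AttackerRange = '206.248.168.128/26'

function Test-PrivateAddress {
    # True for loopback, link-local and RFC 1918 ranges, which need no lookup.
    param([string]$Address)
    return ($Address -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$|fe80:)')
}

function Get-ExternalConnections {
    # Equivalent of 'netstat -anbo' plus the Task Manager 'Command Line' lookup,
    # so a process hiding behind a familiar name is shown with its real path.
    Get-NetTCPConnection -State Established | ForEach-Object {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
        [pscustomobject]@{
            Remote      = $_.RemoteAddress
            Port        = $_.RemotePort
            PID         = $_.OwningProcess
            Name        = $proc.Name
            CommandLine = $proc.CommandLine
            Local       = (Test-PrivateAddress -Address $_.RemoteAddress)
        }
    } | Where-Object { -not $_.Local } | Sort-Object Remote
}

function Block-AddressRange {
    # Same rule as the Windows Defender Firewall steps above, inbound and outbound.
    param([string]$Range, [string]$Label = 'Attacker range')
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "$Label ($dir) $Range" -Direction $dir `
            -RemoteAddress $Range -Action Block -Profile Any -Enabled True | Out-Null
    }
    # Read the rules back so you can see they were created and enabled.
    Get-NetFirewallRule -DisplayName "$Label*" | Select-Object DisplayName, Direction, Action, Enabled
}

Get-ExternalConnections | Format-Table -AutoSize
Block-AddressRange -Range $AttackerRange
```

    Every remote address printed by Get-ExternalConnections is one to run through the ip-to-domain lookup described above. The rules are created with -Profile Any so they hold whether the machine considers its network Domain, Private or Public, which matches the three checkboxes in the wizard.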

    One may choose to block the network IP range at the Windows firewall or the router firewall, if the router has a firewall rules feature. Most Linux based firewall distros have that. An easy-to-use one is SmoothWall.

    Now you have to decide what to do with the resident evil code on your machine. There are 2 choices: 1) try to remove it, 2) back up your data and restore from image.

    Removing an infection requires someone who investigates malware every day, as it is released. You may have an embedded remote access tool and not malware, but there are similarities between the two. There are malware researchers who do this for a living. They are the people who work for the likes of Norton, Kaspersky or Snort. Thankfully, some also donate their time in free forums to help the public. Here are two; Google for 'malware removal forum' to see more.

    • forums.techguy.org
    • techsupportforum.com

    Note that the removal process might take a day or two. The forums' helpers will ask you to download detection tools, and ask you to paste the tool's output report back to the forum. If one tool does not reveal anything, they will ask you to download another tool and repeat. Finally they will offer a removal tool together with a custom script, which removes your particular infection. This is the only route to go if there is no backup of program installers and install keys.

    If one or two days is too long, and you need to resume work quickly, then backup your data and restore from image. That's almost what larger companies do: they backup an image of the infected hard drive and RAM and give those to their forensics department; then they restore the machine from a trusted image made while offline. Then they would restore yesterday's data from backup tapes. So one loses a morning's work, but is able to get up and running in a few hours. Forensics will investigate deeper into the attack code, and the incident responders will dig deeper in the networking logs. Perhaps the attack compromised other workstations, perhaps a Windows server; larger companies have the resources and need to investigate.




    When Things Don't Work

    There are layers of protection enabled in this document. For the most part, you will experience problems when installing new software. Disabling protection is a risky thing to do. Ensure that the software you are installing has SHA256 hashes or digital signatures. And use the main admin account which has the network adapter disabled. Then you can go about disabling each piece of protection to make the software install work. Remember to re-enable them once you are finished.

    • Set VoodooShield to Disabled. VoodooShield will remind you to re-enable protection
    • Set OSArmor protection to Disable Temporarily for 10 mins
    • Set Software Restriction Policy's Security Level to Unrestricted
    • Stop the Registry Guard service. Start service again when done
    • WinApps need their own Settings > Privacy settings enabled.
    • Run the Restore services Bat file. You can re-harden services by running the Harden Services Bat and My Personal Disabled Services Bat. DO NOT LEAVE THE HARDENING FILES ON YOUR SYSTEM FOR ATTACKERS to use

    There are of course unlisted protections that you have hardened when you followed this document. But they are seldom encountered when installing software. Example of these are the disabled network protocols and UPnP.

    It is understood that attackers read this document too. But true security is not security through obscurity. And if your main admin account is compromised, and they can get there to do all these steps, then you have to notify me and consider adding another layer of security.

    REMEMBER to RE-ENABLE your PROTECTIONS when FINISHED




    Security as a Process

    Security is a process that is ongoing after we perform hardening. Your hardened Windows 10 is good and now has multiple layers of security, but new vulnerabilities will be discovered in various software that you use and weaken your stance. Take the case of the browser: attackers target browsers all the time, and new security holes will be revealed. One has to know when these holes are discovered, and take steps to mitigate.

     

    The first step is to know about the new vulnerabilities. The following websites report on security matters:

    http://threatpost.comm

    http://www.theregister.co.uk/security//

    http://www.sans.org/newsletters/risk/

    http://www.microsoft.com/technet/security/advisory/default.mspx

    http://www.exploit-db.com

    You should visit them once a week to learn of new security vulnerabilities. The articles will tell you about new security holes in applications or the OS, which version it applies to, and give a brief description of the weakness. Sometimes, the software vendor will inform us of some configuration change for you to apply for the time being, until they have a patch ready. Also, the articles may tell us if attacks using the vulnerability have been spotted in use.

    This information is of great help for you to maintain security. To continue our browser example, let's say the new vulnerability involves the Opera browser's auto-update tool. Then you might mitigate that by using another browser for the time being, and monitor the vendor's site for a new version release. Or Opera may issue an advisory informing us how to disable that feature in the registry. (PatchMyPC will also tell you when new program versions have been released, as mentioned previously.) The main thing is that you get to know about potential problems from these web sites and take steps to mitigate.

    ********

    Next, as part of the security process, you have to monitor your system and detect attacks. You have to perform those log checks, baseline comparisons, and virus scans (as mentioned earlier) on a regular basis, like every 1 or 2 weeks. We are being lax here already, for in a secure environment, they use SIEM tools (Security Information and Event Management) to monitor logs on a real time basis. Monitoring is crucial, as even the most hardened system will have holes in its defenses. We cannot think that our hardened system is impervious.

    ********

    After a few months of use, computer settings change invariably: new software installed, new devices added, etc. We now have to check that all security settings are still in place. For example, are the user accounts still standard accounts, or has one been changed to admin for temporary problem troubleshooting? Has Simple Software Restriction Policy been disabled? So, after you put those locks on the doors, are they still locked? Or has there been tampering? We have to revisit the hardening process and check everything. This is to ensure that the system is still as secure as day one.

    Automated Configuration

    Contents:

    • The hardening document specific to Windows Home.
    • Harden Win 10 Services.bat - reduce the attack surface of services, specific to Windows Home
    • Dual Admin.bat
    • (and optionally) My Personal Win10 Disabled Services.bat, specific to Windows Home

    Note that 32-bit Windows is not covered by the Dual Admin file (which is a set of ACL configurations); there are many more executables on a 32-bit machine.

    If you wish to revert the changes to out-of-box defaults, use:

    • Restore Win 10 Services.bat, specific to Windows Home or Pro
    • Restore Win 10 ACLs_GUI.bat, specific to Windows Home or Pro

    To configure, right click on the .bat files and choose 'Run as administrator'.

    To configure manually, open an elevated command prompt (right click on Command Prompt and choose 'Run as administrator') and type the following command:

                SecEdit /configure /db <any_name>.sdb /cfg <template.inf>

    The <any_name>.sdb will hold the configured results; you make up the filename, but the extension must be .sdb. The <template.inf> is one of the templates named above. Add /log <logfile> if you want a record of which settings were applied or rejected.

    Also provided in the package are Event Viewer 'custom view' XML files. These set up filters for selected event IDs, so that you can see, for example, all logon failures on one screen.

    Use this .bat file to set up which events to audit. It also sets the maximum log file sizes for the Application, Security and System event logs.

    • Harden Win 10 Audit.bat

    It sets up the following:

    • Audit success and failure events for Account Logon, Account Management, Policy Change and System
    • System, Application and Security event log maximum size: 1000000 KB
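    The same audit and log-size settings done with the built-in auditpol.exe and wevtutil.exe, then read back. This is an added example, not the pack's Harden Win 10 Audit.bat; it is useful when you want to see on screen that the settings actually took.

```powershell
#Requires -RunAsAdministrator
# Added example, not the pack's Harden Win 10 Audit.bat: the same four categories
# audited for success and failure, and the 1,000,000 KB log sizes, set with the
# built-in auditpol.exe and wevtutil.exe, then read back to confirm they took.
$categories = 'Account Logon', 'Account Management', 'Policy Change', 'System'
foreach ($cat in $categories) {
    auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for category '$cat'" }
}

# wevtutil wants the maximum size in bytes: 1,000,000 KB.
$maxBytes = 1000000 * 1024
foreach ($log in 'Application', 'Security', 'System') {
    # /rt:false = overwrite the oldest events when full, rather than stop logging.
    wevtutil sl $log "/ms:$maxBytes" /rt:false | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed for log '$log'" }
}

# Read back the effective audit policy per subcategory...
foreach ($cat in $categories) { auditpol /get /category:"$cat" }

# ...and the log sizes.
Get-WinEvent -ListLog Application, Security, System |
    Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled
```

    The read-back at the end is the part worth keeping: auditpol /get is how you confirm, months later, that the audit policy has not been reset by something else.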

    Use this .bat file to set up the password and account lockout settings.

    • Harden Win 10 Password and Lockout.bat

    Use of this file requires that you understand what the settings do. The values are:

    • Enforce password history: 24 passwords
    • Maximum password age: 60 days
    • Minimum password age: 1 day
    • Minimum password length: 14 characters
    • Password must meet complexity requirements: enabled

    Password history means that the system remembers the 24 previous passwords so that they cannot be reused; every new password must be unique.

    Maximum password age means that the system will prompt you, starting 14 days before the 60 days are up, to change your password. Minimum password age of 1 day means you cannot change your password again until a day has passed. This stops users from cycling through 24 passwords in a row to get back to an old one.

    Minimum password length is 14 characters. If you use a passphrase, this shouldn't be a problem. The complexity requirement means the password must contain characters from at least three of these four classes: upper case letters, lower case letters, digits and symbols, and must not contain the account name.

    The lockout settings are as follows:

    • Account lockout threshold: 50 invalid logon attempts
    • Account lockout duration: 15 minutes
    • Reset lockout counter after: 15 minutes

    What these numbers mean is that you are allowed 50 tries to get the password right. After that, the account is locked for 15 minutes. So, when you realize you have forgotten a password, write down the candidate passwords you want to try and find the right one within 50 tries; after 50 wrong tries the account will not accept a logon until 15 minutes have passed. The counter of bad attempts is also cleared after 15 minutes without a failed attempt.

    Unfortunately this opens up a denial of service (DoS) attack, where the attacker deliberately enters 50 wrong passwords: her aim is not to get in but to lock you out. If we don't define a threshold, an attacker can use a program to brute-force or dictionary-attack the account, because they can try an unlimited number of times. If you realize that such a DoS attack is taking place, unplug the ethernet cable and go for a 15-minute break (an admin can also clear the lockout in Computer Management > Local Users and Groups, but the attacker will just lock the account again as long as they are still connected).
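    How to tell a forgotten password from a lockout DoS, using the Security log. This is an added example, not one of the pack's custom-view XML files, but it uses the same XPath filter syntax a custom view does: event 4625 is a failed logon and 4740 is an account lockout. The 24-hour window is an assumption; widen it as needed.

```powershell
# Added example, not one of the pack's custom-view XML files. It asks the same question
# as a "logon failures" custom view, from PowerShell: 4625 = failed logon, 4740 = account
# locked out. Grouping 4625 by source and account separates a forgotten password (one
# account, a console logon) from a lockout DoS or guessing run (many tries, one remote
# address). The 24-hour window is an assumption; widen it as needed. Run elevated,
# since the Security log is not readable by standard users.
$since = (Get-Date).AddHours(-24)
$xpath = '*[System[(EventID=4625 or EventID=4740)]]'   # same XPath syntax a custom view uses

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
          Where-Object { $_.TimeCreated -ge $since }
if (-not $events) { 'No failed logons or lockouts in the window.'; return }

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # In 4625 the source is IpAddress; in 4740 TargetDomainName carries the caller computer name.
    $src = if ($e.Id -eq 4625) { $d['IpAddress'] } else { $d['TargetDomainName'] }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = $d['TargetUserName']
        Source    = $src
        LogonType = $d['LogonType']   # 2 console, 3 network, 10 RDP; empty for 4740
        SubStatus = $d['SubStatus']   # 0xC000006A wrong password, 0xC0000234 account locked
    }
}

# One row with a large count against one account is the lockout-DoS signature.
$rows | Where-Object Id -eq 4625 |
    Group-Object Source, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# The lockouts themselves (4740).
$rows | Where-Object Id -eq 4740 | Format-Table Time, Account, Source -AutoSize
```

    A burst of 4625 with LogonType 3 from one remote address against one account, followed by a 4740, is the pattern described above; a handful of LogonType 2 failures with no source address is you at the console.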

    Use 'Dual Admin.bat' to stop standard user accounts from accessing command line admin tools. This script also sets up a heavily restricted admin account for installing non-security software. Together with this, you should set up the included login scripts that take the full admin account offline automatically upon login. This aids in combating attacks where the attacker has remote access to your machine.


    Some of these settings default to 'undefined', and because SecEdit cannot write a setting back to 'undefined', no restore .bat file is offered for the password and lockout settings. If you want a way back, export the current policy with SecEdit /export /cfg <file>.inf before you apply them; the exported file holds the current values and can be applied again with SecEdit /configure.
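    The SecEdit /configure command above, applied to the password and lockout values of this section, with a baseline export first so the change can be reversed. This is an added example, not the pack's Harden Win 10 Password and Lockout.bat; the work folder under %TEMP% is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not the pack's Harden Win 10 Password and Lockout.bat. It writes the
# page's numbers into a security template, exports the current policy first so the
# change can be reversed, then applies it with the same SecEdit /configure command
# described above. The work folder under %TEMP% is an assumption.
$work = Join-Path $env:TEMP 'pwpolicy'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Baseline export: this is your "restore" file. Keep it with the hardening folder.
secedit /export /cfg "$work\before.inf" /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw 'secedit /export failed' }

# 2. Template with the password and lockout values from this section.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 60
MinimumPasswordAge = 1
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 50
LockoutDuration = 15
ResetLockoutCount = 15
'@
Set-Content -Path "$work\pwlockout.inf" -Value $template -Encoding Unicode

# 3. Apply. The .sdb is scratch; the log is what you read if anything is rejected.
secedit /configure /db "$work\pwlockout.sdb" /cfg "$work\pwlockout.inf" /areas SECURITYPOLICY /log "$work\pwlockout.log" /quiet
if ($LASTEXITCODE -ne 0) { Get-Content "$work\pwlockout.log"; throw 'secedit /configure failed' }

# 4. Verify: net accounts prints the effective password and lockout values.
net accounts

# To revert later:
#   secedit /configure /db "$work\revert.sdb" /cfg "$work\before.inf" /areas SECURITYPOLICY
```

    The exported before.inf contains concrete values (for example LockoutBadCount = 0 on a fresh install), not 'undefined', which is why applying it back works where a hand-written restore template would not.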

    Lastly, there is a security options file:

    • Harden Win 10 Security Options.bat

    This file includes a group of security settings, as follows:

    • Accounts: Administrator account status: disabled
    • Accounts: Block Microsoft accounts: disabled
    • Accounts: Guest account status: disabled **
    • Accounts: Limit local account use of blank passwords to console logon only: enabled
    • Audit: Audit access of global system objects: disabled
    • Audit: Audit the use of Backup and Restore privilege: disabled
    • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: disabled
    • Audit: Shut down system immediately if unable to log security audits: disabled
    • DCOM: Machine access restrictions: no remote access for all accounts
    • DCOM: Machine launch restrictions: no remote launch and remote activation for all accounts
    • Devices: Allow undock without having to log on: disabled
    • Devices: Allowed to format and eject removable media: Administrators and Interactive Users
    • Devices: Prevent users from installing printer drivers: enabled
    • Domain member: Digitally encrypt or sign secure channel data (always): enabled
    • Domain member: Digitally encrypt secure channel data (when possible): enabled
    • Domain member: Digitally sign secure channel data (when possible): enabled
    • Domain member: Disable machine account password changes: disabled
    • Domain member: Maximum machine account password age: 30 days
    • Domain member: Require strong (Windows 2000 or later) session key: enabled
    • Interactive logon: Display user information when the session is locked: Do not display user information
    • Interactive logon: Do not display last user name: enabled
    • Interactive logon: Do not require CTRL+ALT+DEL: disabled
    • Interactive logon: Machine account lockout threshold: 10 invalid logon attempts
    • Interactive logon: Machine inactivity limit: 900 seconds
    • Interactive logon: Number of previous logons to cache (in case domain controller is not available): 4 logons
    • Interactive logon: Prompt user to change password before expiration: 14 days
    • Interactive logon: Require Domain Controller authentication to unlock workstation: disabled
    • Interactive logon: Require smart card: disabled
    • Interactive logon: Smart card removal behavior: Lock Workstation
    • MS network client: Digitally sign communications (always): disabled
    • MS network client: Digitally sign communications (if server agrees): enabled
    • MS network client: Send unencrypted password to third-party SMB servers: disabled
    • MS network server: Amount of idle time required before suspending session: 15 minutes
    • MS network server: Digitally sign communications (always): disabled
    • MS network server: Digitally sign communications (if client agrees): enabled
    • MS network server: Disconnect clients when logon hours expire: enabled
    • MS network server: Server SPN target name validation level: Required from client
    • Network access: Allow anonymous SID/Name translation: disabled
    • Network access: Do not allow anonymous enumeration of SAM accounts: enabled
    • Network access: Do not allow anonymous enumeration of SAM accounts and shares: enabled
    • Network access: Do not allow storage of passwords and credentials for network authentication: disabled
    • Network access: Let Everyone permissions apply to anonymous users: disabled
    • Network access: Named Pipes that can be accessed anonymously: blank
    • Network access: Remotely accessible registry paths: blank
    • Network access: Remotely accessible registry paths and sub-paths: blank
    • Network access: Restrict anonymous access to Named Pipes and Shares: enabled
    • Network access: Shares that can be accessed anonymously: blank
    • Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves
    • Network security: Allow Local System to use computer identity for NTLM: enabled
    • Network security: Allow LocalSystem NULL session fallback: disabled
    • Network security: Allow PKU2U authentication requests to this computer to use online identities: disabled
    • Network security: Configure encryption types allowed for Kerberos: RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
    • Network security: Do not store LAN Manager hash value on next password change: enabled
    • Network security: Force logoff when logon hours expire: disabled
    • Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
    • Network security: LDAP client signing requirements: Require signing
    • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption
    • Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption
    • Network security: Restrict NTLM: Incoming NTLM traffic: Deny all accounts
    • Network security: Restrict NTLM: NTLM authentication in this domain: Deny all
    • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: Deny all
    • Recovery console: Allow automatic administrative logon: disabled
    • Recovery console: Allow floppy copy and access to all drives and all folders: disabled
    • Shutdown: Allow system to be shut down without having to log on: enabled
    • Shutdown: Clear virtual memory pagefile: disabled
    • System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: disabled
    • System objects: Require case insensitivity for non-Windows subsystems: enabled
    • System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): enabled
    • System settings: Optional subsystems: blank
    • System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies: disabled
    • UAC: Admin Approval Mode for the Built-in Administrator account: enabled
    • UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop: disabled
    • UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent on the secure desktop
    • UAC: Behavior of the elevation prompt for standard users: Automatically deny elevation requests
    • UAC: Detect application installations and prompt for elevation: enabled
    • UAC: Only elevate executables that are signed and validated: disabled
    • UAC: Only elevate UIAccess applications that are installed in secure locations: enabled
    • UAC: Run all administrators in Admin Approval Mode: enabled
    • UAC: Switch to the secure desktop when prompting for elevation: enabled
    • UAC: Virtualize file and registry write failures to per-user locations: enabled

     

    The 'security options', audit, and 'password and lockout' settings are taken from the Microsoft Security Compliance Manager tool. Note that 'Restrict NTLM: Outgoing NTLM traffic to remote servers: Deny all' also stops this PC from authenticating to file shares on a workgroup LAN; the Mapped Drives to Shares section below covers the change needed when you want a mapped drive.
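    A read-only check of a subset of the security options above, through the registry values those policies write. This is an added example, not part of the configuration pack; run it after Harden Win 10 Security Options.bat, and again at the periodic review, to confirm nothing has been reset. The expected values follow the list above; options not listed here are left to the .bat and Local Security Policy.

```powershell
# Added example, not part of the configuration pack: a read-only check of a subset of
# the security options above, through the registry values those policies write. Run it
# after Harden Win 10 Security Options.bat, and again months later, to confirm that
# nothing has been reset. Expected values follow the list above.
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Pol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Ldap = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

$checks = @(
    @{ Path=$Lsa;  Name='LimitBlankPasswordUse';        Expected=1 }   # blank passwords: console only
    @{ Path=$Lsa;  Name='RestrictAnonymousSAM';         Expected=1 }   # no anonymous SAM enumeration
    @{ Path=$Lsa;  Name='RestrictAnonymous';            Expected=1 }   # ...nor SAM accounts and shares
    @{ Path=$Lsa;  Name='EveryoneIncludesAnonymous';    Expected=0 }   # Everyone does not include anonymous
    @{ Path=$Lsa;  Name='NoLMHash';                     Expected=1 }   # no LM hash stored
    @{ Path=$Lsa;  Name='LmCompatibilityLevel';         Expected=5 }   # NTLMv2 only, refuse LM & NTLM
    @{ Path=$Lsa;  Name='UseMachineId';                 Expected=1 }   # Local System uses computer identity
    @{ Path=$Msv;  Name='allownullsessionfallback';     Expected=0 }   # no NULL session fallback
    @{ Path=$Msv;  Name='NtlmMinClientSec';             Expected=0x20080000 }  # NTLMv2 + 128-bit
    @{ Path=$Msv;  Name='NtlmMinServerSec';             Expected=0x20080000 }
    @{ Path=$Msv;  Name='RestrictReceivingNTLMTraffic'; Expected=2 }   # incoming NTLM: deny all accounts
    @{ Path=$Msv;  Name='RestrictSendingNTLMTraffic';   Expected=2 }   # outgoing NTLM: deny all
    @{ Path=$Pol;  Name='DontDisplayLastUserName';      Expected=1 }
    @{ Path=$Pol;  Name='DisableCAD';                   Expected=0 }   # CTRL+ALT+DEL still required
    @{ Path=$Pol;  Name='InactivityTimeoutSecs';        Expected=900 }
    @{ Path=$Pol;  Name='EnableLUA';                    Expected=1 }   # UAC on
    @{ Path=$Pol;  Name='FilterAdministratorToken';     Expected=1 }   # built-in Administrator in Admin Approval Mode
    @{ Path=$Pol;  Name='ConsentPromptBehaviorAdmin';   Expected=2 }   # consent on the secure desktop
    @{ Path=$Pol;  Name='ConsentPromptBehaviorUser';    Expected=0 }   # standard users: auto-deny
    @{ Path=$Pol;  Name='PromptOnSecureDesktop';        Expected=1 }
    @{ Path=$Wks;  Name='EnablePlainTextPassword';      Expected=0 }   # no clear-text password to SMB servers
    @{ Path=$Srv;  Name='RestrictNullSessAccess';       Expected=1 }   # anonymous pipes/shares restricted
    @{ Path=$Srv;  Name='SmbServerNameHardeningLevel';  Expected=2 }   # SPN validation: required from client
    @{ Path=$Ldap; Name='LDAPClientIntegrity';          Expected=2 }   # LDAP signing required
)

$mismatches = 0
foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    if ($null -eq $actual) {
        Write-Warning "$($c.Path)\$($c.Name) is not set (policy undefined)"; $mismatches++
    } elseif ($actual -ne $c.Expected) {
        Write-Warning ("{0}\{1} = {2}, expected {3}" -f $c.Path, $c.Name, $actual, $c.Expected); $mismatches++
    }
}
"Checked $($checks.Count) values, $mismatches mismatches."
```

    A value reported as "not set" means the policy is back to 'undefined', which for most of these is the permissive default; re-run the Security Options .bat rather than editing the registry by hand, so the .inf stays the single source of truth.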

     

     

    Last things to do


    Disable Flash in your admin account. Internet Explorer > Gear > Manage add-ons > Toolbars and Extensions > Show: All add-ons > Shockwave Flash Object > Disable button.

    Disable Flash in Edge for each account.

    Disable AutoPlay for all user accounts: Settings > Devices > AutoPlay. Choose 'Take no action' for everything, and turn off "Use AutoPlay for all media and devices".

    Set IE to turn on ActiveX Filtering for each account. Gear icon > Safety > ActiveX Filtering.

    Set IE to use Protected Mode for all zones. Gear icon > Internet options > Security tab > click each zone icon (Internet, Local intranet, Trusted sites, Restricted sites) and check 'Enable Protected Mode' for each. Do this for all user accounts.

    Set IE to use Enhanced Protected Mode for all users. Control Panel > Internet Options > Advanced; scroll the Settings list to the Security section and check "Enable 64-bit processes for Enhanced Protected Mode" and "Enable Enhanced Protected Mode".

    Run Acrobat Reader (if you have installed it) to set up security for each account:

    Edit > Preferences

    • JavaScript: uncheck "Enable Acrobat JavaScript".
    • Security (Enhanced): Protected View: All files
    • Security (Enhanced): Create Protected Mode log file
    • Security (Enhanced): uncheck "Automatically trust sites from my Win OS security zones"
    • Trust Manager: uncheck "Allow opening of non-PDF file attachments"
    • Trust Manager: Internet Access from PDF files outside the web browser > Change Settings button > select "Block PDF files' access to all web sites". This one is optional; sometimes you need to click on an internet link inside a PDF document.

    Run Java in Control Panel (if you have installed it). Go to the Security tab and uncheck 'Enable Java content in the browser'.

    If you have Google Chrome, enable Strict Site Isolation: go to chrome://flags/#enable-site-per-process and enable it.

    For each account you created, do the steps in the "New Account To Do List" section.

    For each account you created, do the steps in "New Account To Do List" section.



     

    Create a System Restore Point

    This PC > Properties > Advanced System Settings > System Protection tab > Create button.

     

     

    Do an image backup of the hard drive

    This is important: your last line of defense is restoring from backup. The backup also captures all of the settings you have made so far, so you don't have to repeat them when you need to reinstall Windows. There is a free image backup tool called Macrium Reflect, available from http://www.macrium.com/reflectfree.aspx. Use it to create a drive image and store it on an external USB hard drive. Don't forget to create the rescue media, and test that it boots.

     

    NOTE: you have to refresh your disk image once in a while. To do so:

    1. Download the latest versions of the programs you use: browsers, email clients etc. Store them on a USB stick.
    2. Download antivirus signatures.
    3. Allow cmd.exe and cscript.exe in Software Restriction Policy, then run and create new Offline WSUS update files.
    4. Back up your data files: documents, photos, browser settings etc.
    5. Restore from the last trusted image.
    6. Install the latest versions of the applications, browsers, antivirus signatures etc. you downloaded above.
    7. Restore your data files.
    8. Obtain the latest version of the Configuration Pack if a new version of Windows 10 has been released (April/May and Oct/Nov). It will surely have new hardening guidelines, and it will have at least:
      • new services hardening
      • new anti-exploit protection settings
      • new browser hardening configurations
      • new configurations for new Windows security features
    9. Allow cmd.exe and cscript.exe in Software Restriction Policy, then apply the new Offline WSUS updates.
    10. Apply any new hardening steps.
    11. Ensure all protections (SRP, OSArmor, Comodo and Voodoo) are enabled, and make a new trusted image.
    12. Go online and activate Windows.

    Move the Hardening Folder to a USB memory stick or USB Drive

    When you are finished with hardening, move the hardening scripts folder to a USB memory stick or a USB drive. Don't leave it for the attacker to discover.






    Going Online

    When connecting online for the first time, Windows will ask whether you want this PC to be discoverable. This sets the firewall profile behind the scenes to either Public or Private. What you want is No, don't be discoverable. That sets the firewall profile to "Public", which is the most restrictive. You can confirm it later under Settings > Network & Internet, or with Get-NetConnectionProfile in PowerShell.



    Activate Windows


    After hardening Windows and creating a trusted drive image, switch to your Standard account and connect to the internet. There are three things to check before you can activate:

    1. The Microsoft Account Sign-in Assistant service is running
    2. The Windows Update service is running
    3. Your date, time and time zone are correct (you may have to turn off automatic time zone)

    For the two services, open Start > All apps > Windows Administrative Tools > Services. If a service is not running, set its start type to Manual and start it.

    Then right click on This PC, choose Properties and click Activate. If it results in an error, click the Troubleshoot button.

    Or, open an elevated command prompt and run:
       slmgr.vbs /ato
    slmgr.vbs is a script run by cscript.exe; if your Software Restriction Policy blocks cscript.exe, allow it temporarily, as in the backup steps above, and remove the allowance afterwards.

    After activation, if you don't intend to sign in with a Microsoft account, go to services.msc and set the Microsoft Account Sign-in Assistant service to Disabled. It's one less service exposed to attack.

    Check for Updates


    EXPLOIT NOTICE: It has been noticed that there is a vulnerability in the Windows Update process, and some attackers know how to exploit it to take over your PC. If you are unsure, use Offline WSUS for every update instead. MS issues security updates on the second Tuesday of the month.

    Then immediately do Check for Updates:

    Settings > Update & Security > Windows Update.

    DO NOT SURF the net while updates are in progress, as Edge and Internet Explorer are still unpatched and vulnerable.

    If you use MS Office, then turn on Microsoft Update now:

    Settings > Update & Security > Windows Update > Advanced options > check "Give me updates for other Microsoft products when I update Windows".



    Patching


    One of the most important things to do is to update EVERYTHING on your computer, constantly: Windows Update, plus all programs and plug-ins. Security patches close the holes that malware and hackers need to get onto your computer. Patching is the one preventive measure that treats the source of the problem.

    Attackers reverse engineer MS patches to find and exploit the vulnerabilities they fix, and it only takes them a few days, so be sure to patch on time. MS's security patch schedule is the second Tuesday of each month; put a repeating entry in your phone calendar. Optional non-security (preview) updates usually follow in the third or fourth week of the month.

    Windows Update supplies security fixes for Windows and its bundled programs such as Edge and Internet Explorer. If you use an unpatched Edge, hacked websites can install malware without your knowledge.

    Adobe Flash is another component that lots of people forget about. Luckily, three browsers, Edge, Internet Explorer and Google Chrome, fetch Flash updates automatically, so you don't have to do a thing. If you use Firefox, Opera or another browser, you need to download the Flash plugin for them. Flash has its own automatic update service; if you install Flash, you must make an outbound allow firewall rule for that service. The alternative to Flash is HTML5. Many sites support it now, and you may find that you don't need Flash anymore.

    PatchMyPC detects which of your installed programs have a new version. This is a lifesaver: it tells you about the new version and installs it for you. This is a very important part of maintaining the security of your machine.



    Run Nessus Vulnerability Scanner

    Now that you are online, you can run Nessus Vulnerability Scanner. It will retrieve the latest scanning module and vulnerability list, and scan your installed software for any new vulnerabilities. You may have downloaded the latest version from the vendor, but new vulnerabilities may already have been discovered.



    WiFi

    WiFi enables attacks from beyond the perimeter. If you live in an apartment building or on a crowded street, your WiFi signal reaches your neighbors. If you don't want to risk WiFi touching your PCs but have WiFi devices like Amazon Echo, Google Home, smart switches etc., then put those devices on the Guest WiFi network. Most modern WiFi routers have this feature. A guest network is normally not allowed to contact your main network, so you will have isolated your vulnerable IoT devices from your PCs.

    If your router also lets you set the transmission strength, set it to the lowest setting.

    Since most WiFi routers only have two radios (2.4 GHz and 5 GHz), enabling the Guest WiFi network also means WiFi is enabled for the internal network. If you don't plan to use the internal-network WiFi, set its WPA2 password to a long random string so that nobody can brute-force it, and disable the 5 GHz radio.

    New routers offer previously expensive features at very affordable prices. For example, this model:

    CISCO RV-110W

    The VLAN feature lets you create isolated, segmented networks. Home routers technically provide only two segments. But in the scenario where you have two teenage kids who download a lot, you want to be segmented away from both, and you also have an Alexa smart speaker, you need four segments. The Cisco router above provides four VLANs. VLAN equipment used to cost $300 and up; this one costs around $70. Also, Cisco tracks security vulnerabilities as they become known and always provides patches, which cannot be said of every router manufacturer. The latest patch for this model was released on 2019-12-05.



    Setting up Windows Calendar app

    The Calendar app is one of the few bundled Windows apps that does not mandate an MS account; you can use it with a local account, and it does not require an internet connection. To use it:

    • temporarily disable the RegGuardSvc Service before first run. Afterwards re-enable the service.
    • Go to Settings > Privacy and turn on: Contacts, Email, Calendar


    Setting up Windows Mail app


    If you intend to use the Windows Mail app, you need to do the following:
    • Enable the WWAHost outbound firewall rule
    • Enable the authHost outbound firewall rule
    • Allow Mail and Calendar outbound in the firewall

    • Temporarily disable the RegGuardSvc service before first run. Afterwards re-enable the service.
    • Go to Settings > Privacy and turn on: Contacts, Email, Calendar
    • Set the Microsoft Account Sign-in Assistant service in services.msc to Automatic (only if you use an MS account such as outlook.com, hotmail.com or livemail.com)


    If you intend to use the Mail app for your Gmail account, do the following:
    • Use your browser to go to the Gmail web site
    • gear > Settings > Settings > Forwarding and POP/IMAP > IMAP access: Enabled
    • user icon > Google Account > Security > Less secure app access: ON (this lowers the protection on your Google account, since it allows password-only sign-in from any app; turn it back off if you stop using the Mail app)
    • Start Mail
    • Add an account
    • Advanced setup
    • Internet email
    • email address: john.doe@gmail.com
    • user name: john.doe
    • password: <YourPassword>
    • account name: john.doe
    • send your messages using this name: john
    • incoming mail server: imap.gmail.com:993
    • account type: IMAP4
    • outgoing (SMTP) email server: smtp.gmail.com:465
    • leave everything else checked



    Mapped Drives to Shares

    To set up access to a mapped drive, you need these services running (Start > Administrative Tools > Services):
    • TCP/IP NetBIOS Helper
    • Workstation
    You also need the firewall rules. Go to Start button > All apps > Windows Administrative Tools > Windows Firewall with Advanced Security.
    Click on Outbound Rules.
    Each of the rules listed below exists several times, once per firewall profile. Right click and Enable the copy whose Profile column matches the profile your network connection is on (Private, or Public if you chose not to be discoverable; the Domain copy only applies to a domain-joined PC):
    • File and Printer Sharing (Echo Request - ICMPv4-Out)
    • File and Printer Sharing (Echo Request - ICMPv6-Out)
    • File and Printer Sharing (LLMNR-UDP-Out)
    • File and Printer Sharing (NB-Datagram-Out)
    • File and Printer Sharing (NB-Name-Out)
    • File and Printer Sharing (NB-Session-Out)
    • File and Printer Sharing (SMB-Out)
    Then lastly,
    1. backup Security Options.inf in the Configuration Pack.
    2. Open the file in Notepad.
    3. Find this: RestrictSendingNTLMTraffic
    4. and set it to: RestrictSendingNTLMTraffic=4,0
    5. Run the Security Options.BAT as admin.
    OR
    1. Open All Programs > Windows Administrative Tools > Local Security Policy.
    2. Navigate to
      Security Settings > Local Policies > Security Options >
      Network Security: Restrict NTLM Outgoing NTLM traffic to remote servers,
    3. and choose "Allow all"
    Then to create a mapped drive, open File Explorer. Click on This PC on the left. Then click on Computer menu on the top. And choose Map Network Drive button. It will ask for the shared folder. Enter it in the following format:

    E.g. \\WIN-P14RT64AIA\CompanyDocsShare

    OR
    E.g. \\mydomainserver.com\CompanyDocsShare

    Click Finish button.

    That's it. Now you have access to your folder shares on the LAN.
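    The same mapped-drive prerequisites, done from an elevated PowerShell. This is an added example, not part of the configuration pack; the share path is the example from the text, and the drive letter and the choice of the first network adapter are assumptions to replace with your own.

```powershell
# Added example, not part of the configuration pack: the mapped-drive prerequisites
# above done from an elevated PowerShell. The share path, drive letter and the choice
# of first network adapter are assumptions; replace them with your own.
$Share  = '\\WIN-P14RT64AIA\CompanyDocsShare'   # the example share from the text
$Letter = 'S'                                    # assumption: a free drive letter

# 1. Services a mapped drive needs: TCP/IP NetBIOS Helper (lmhosts) and Workstation.
foreach ($svc in 'lmhosts', 'LanmanWorkstation') {
    Set-Service -Name $svc -StartupType Manual
    Start-Service -Name $svc
}

# 2. The seven outbound rules from the list above, enabled only for the profile this
#    PC is actually on. Enabling the Domain copy on a home network changes nothing.
$category    = (Get-NetConnectionProfile | Select-Object -First 1).NetworkCategory
$profileName = if ($category -eq 'DomainAuthenticated') { 'Domain' } else { [string]$category }
$ruleNames = @(
    'File and Printer Sharing (Echo Request - ICMPv4-Out)'
    'File and Printer Sharing (Echo Request - ICMPv6-Out)'
    'File and Printer Sharing (LLMNR-UDP-Out)'
    'File and Printer Sharing (NB-Datagram-Out)'
    'File and Printer Sharing (NB-Name-Out)'
    'File and Printer Sharing (NB-Session-Out)'
    'File and Printer Sharing (SMB-Out)'
)
Get-NetFirewallRule -DisplayName $ruleNames -Direction Outbound |
    Where-Object { "$($_.Profile)" -match $profileName -or "$($_.Profile)" -eq 'Any' } |
    Enable-NetFirewallRule

# 3. Outgoing NTLM must be allowed, or authentication to the share fails.
#    0 = Allow all, the same value the RestrictSendingNTLMTraffic=4,0 line in
#    Security Options.inf sets. Change the .inf too, or the next run of the .bat
#    puts Deny all (2) back.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
                 -Name 'RestrictSendingNTLMTraffic' -Value 0 -Type DWord

# 4. Map the drive. Run this part as the standard user that will use the drive,
#    not from the elevated session, so the persistent mapping belongs to that account.
New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Share -Persist -Scope Global | Out-Null
Get-PSDrive -Name $Letter | Select-Object Name, Root, Used, Free
```

    Steps 1 to 3 need elevation and are done once; step 4 is per user, and a drive mapped from the elevated admin session will not show up for the standard account.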