It is important to note that after hardening a system, you have to test whether the applications you run still work as expected. The ideal candidate for this project is a home user with no need for communication among PCs on the LAN, because the more network ports you open, the less secure you become.
Testing was done on Windows 10 Home 64 bit machines.
After hardening, all Control Panel items were tested and work, with the following exceptions:
If your system has already been compromised, the best course of action is to re-install Windows, because there is no telling what backdoors and botnet clients have been installed on your system. You cannot fight back against someone who already has administrator control of your system: you can implement something and they will just disable it. Your best chance of survival is to re-install Windows and then harden it to prevent further attacks from happening.
For details of the Automated Configuration files, see the Automated Configuration section near the bottom of this document. They will also be mentioned where applicable in each section throughout the document.
As usual, to securely install an OS, one should install it disconnected from the network. If you are using an Ethernet cable, disconnect the cable. If you are on WiFi, right click on the Start button > go to Control Panel > Network and Sharing Center > Change Adapter Settings, then right click the WiFi interface and disable it.
To perform an upgrade from Windows 7 or 8.1, boot that version of Windows and run 'setup' from the DVD drive/USB memory stick. Do not boot from the ISO and do a clean install, as you won't be able to activate your Windows 10 afterwards.
After you have done one upgrade and activated it, you can boot the DVD created with the MS Media Creation Tool and perform a 'clean install'. MS will remember your PC from your last activation.
Before we go on to hardening, it would be wise to create a drive image using Macrium at this point to capture a clean, virgin Windows install. That way, if you want to undo all the hardening in one swoop, you can reimage the machine from this image file.
Install your antivirus program now. You will also need an outbound firewall rule to allow the antivirus to fetch signature updates. Windows 10 comes with Windows Defender antivirus. If you want to use this default antivirus (and MS is turning out to be a real contender in this market), nothing needs to be done except allowing it outbound in the firewall (already listed in the firewall rules). Google for "<YourAntiVirusName> offline installer" and use that version, because you cannot go online before hardening.
One of the main concepts underlying hardening is least privilege. It means configuring your system so that it is only capable of doing the things you normally do, and nothing else. So if a feature in Windows is not used, it is to be turned off or disabled.
The reason is that the more features you enable, the larger your attack surface is: you have more to defend, and one vulnerable spot is all it takes to get hacked. The more features you have, the more potential bugs (some security related) you have. Attackers know a lot about the security bugs in the system – that's how they attack. If you go live on the internet with all features turned on, the attacker has a lot of choices. If you disable unused features, they have less to play with.
One of the first things you should do in line with least privilege is to create a Standard user account, and use that account for your daily work. Only log in to the administrative account to install programs, configure networking, or do system maintenance tasks. When you are working in a Standard account, any malware or hacker that makes it onto your system inherits your privileges and does not have admin rights to make system-wide modifications. And that's a win for you. Create your accounts now and sign in to each. Then sign back in to your admin account to continue hardening.
Remember that an attacker will have all the access that you have at the moment of attack. So if you have important data stored in that account's Documents folder, he will have the same access (more on that later). So if you have secret-level data, it is best to store it in an account which you don't surf with.
From a different perspective, a Standard account is a barrier to other accounts, and is also a container for attacks. If you have your services set up correctly and don't allow the RunAs command (it is the Secondary Logon service), then automated attacks and hackers cannot gain access to your other accounts. If you notice different behavior of your browser, or something that looks like virus activity, you can rebuild your account and delete the old one as part of a recovery procedure. It may not contain the attacker if she attacks a service that is run by the System account, but that's why we disable services that are not necessary further down.
In Control Panel, select 'View by: Small Icons'. This shows all the configuration choices available.
When MS released Vista, there were some complaints about UAC asking for confirmation to do this, that and the other. So MS made a compromise in Windows 7 and allowed customers to choose what level of prompting they want. Know that turning UAC completely off also means turning off Protected Mode in Internet Explorer, and not many people realize that a major piece of protection is then turned off. UAC pops up mostly during the setup phase; once you have finished setting up your computer, you will rarely encounter it.
Control Panel\All Control Panel Items\User Accounts\Change User Account Control Settings
Move slider to top
Windows networking has 3 network types: domain, private and public. Work and home are similar and are labeled 'private' in its firewall tool. The private setting allows 'network discovery', so that Windows is allowed to talk to other PCs. The public setting is the most secure and is meant to be used at cafe hotspots, airports etc. If your network contains insecure PCs, you should set the network profile to public. The domain setting cannot be chosen by the user, and is used after the PC has joined a domain. Since we are hardening the PC, we want the most secure setting, and only allow Windows to talk when it is called for. So for those that intend to join a domain, choose the private profile; if not, choose the public profile.
Control Panel \ Network and Sharing Center
When you plug in the ethernet cable or connect to WiFi after hardening, set network to Public, which is the most restrictive and secure.
Note: if you selected Private and later want to change it to Public, the only method for Windows 10 that I am aware of involves using PowerShell. Right click on PowerShell and then click Run as Admin, then type in this:
In order for an attacker to hack you remotely, he needs to interact with a network-facing program running on your PC. Some networking components implement protocols. Networking protocols are grammar rules for bits and bytes to communicate with other PCs, and each has weaknesses. So unless your environment requires that a protocol be used, we want to disable all except the bare essentials. More protocols mean a larger attack surface. The only protocol you really need is IPv4, and most networking equipment requires IPv4 in order to function. IPv6 will be increasingly necessary as we have run out of IPv4 addresses. As of this section's writing (Windows ver 1803; May 2018), big ISPs have begun shipping IPv6-capable routers/modems.
NetBIOS over TCP/IP is not required because NetBIOS is already active without this option. Disabling NetBIOS over TCP/IP should limit NetBIOS traffic to the local subnet.
The Discovery protocols are used to provide a nice graphical map of your network. For home users, this is not needed, as there is only one router. You would only get to see a picture depicting your PCs connected to your router. For Domain users, this feature is automatically turned off once you join the domain.
File and Printer Sharing should only be enabled if you plan to share some of your folders on the network or if you want to share your locally connected printer over the network. If printer sharing is desired, it is better to get a printer that has networking built in, so that when attacked, they only gain access to a printer instead of your PC. Disable this feature unless absolutely required.
Control Panel\Network and Sharing Center\Change Adapter Settings
Right click on Local Area Connection and choose Properties.
Uncheck the following:
Select 'Internet Protocol Version 4 (TCP/IPv4)', click Properties, click Advanced,
In line with layers of security, besides deactivating these protocols, we will also disable the services that serve them (see the 'disabling vulnerable services' section below).
If you have the Automated Configuration Pack, you can open "No Netbios.reg". Then reboot the computer.
If you have the Automated Configuration Pack, you can double click on "NoTCPIP6 All.reg" to disable all TCP/IP6, or you can double click on "NoTCPIP6 Tunnels.reg" to disable all tunneling protocols.
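The same adapter changes as the GUI steps above (Public network profile, unchecked adapter bindings, NetBIOS over TCP/IP off), done from an elevated PowerShell prompt. This is an added example, not part of the guide or its Automated Configuration Pack; it assumes every physical adapter gets the same treatment, uses Windows' own component IDs for the bindings named above, and includes the LLDP driver alongside the two LLTD discovery components as an assumption.

```powershell
# Added example (not from the guide). Run from an elevated PowerShell prompt on Windows 10.
# Assumption: all physical adapters are treated alike; use Get-NetAdapter -Name 'Ethernet'
# instead if you only want to touch one.
$Adapters = Get-NetAdapter -Physical

# 1. Network profile: Public is the most restrictive. Domain-joined profiles cannot be
#    changed this way and are skipped (the guide says domain users pick Private anyway).
Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -notin 'Public', 'DomainAuthenticated' } |
    Set-NetConnectionProfile -NetworkCategory Public

# 2. Bindings to uncheck in the adapter's Properties dialog, by component ID.
$BindingsToDisable = @(
    'ms_tcpip6',   # Internet Protocol Version 6 (TCP/IPv6); drop this line if your ISP needs IPv6
    'ms_lltdio',   # Link-Layer Topology Discovery Mapper I/O Driver  (network map)
    'ms_rspndr',   # Link-Layer Topology Discovery Responder          (network map)
    'ms_lldp',     # Microsoft LLDP Protocol Driver (discovery; included as an assumption)
    'ms_server'    # File and Printer Sharing for Microsoft Networks
)
foreach ($a in $Adapters) {
    foreach ($id in $BindingsToDisable) {
        Disable-NetAdapterBinding -Name $a.Name -ComponentID $id -ErrorAction SilentlyContinue
    }
}

# 3. NetBIOS over TCP/IP, the WINS tab setting. TcpipNetbiosOptions: 0 = from DHCP,
#    1 = Enable, 2 = Disable. Applied to every IP-enabled adapter configuration.
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object IPEnabled
foreach ($nic in $nics) {
    Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
        -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
}

# 4. Verify. The first table should be empty; the second should show 2 for each adapter.
Get-NetAdapterBinding -Name $Adapters.Name |
    Where-Object { $_.Enabled -and $_.ComponentID -in $BindingsToDisable } |
    Format-Table Name, DisplayName, ComponentID -AutoSize
Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object IPEnabled |
    Format-Table Description, TcpipNetbiosOptions -AutoSize
```

A reboot is not required for the binding changes, but the NetBIOS setting only takes effect after the adapter is reset or the PC rebooted, as the guide notes for the .reg file.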
Control Panel / Device Manager, View menu / Show Hidden Devices
The intention of UPnP is ease of configuration, so that such things as games can auto-configure the firewall to let other players from the internet join in. However, with every program poking holes into your firewall with UPnP, pretty soon it will be Swiss cheese and cease to function as a firewall. It is better to configure firewall rules manually so that each firewall rule is known and accounted for. If your hardware firewall or router has an option to disable UPnP, do so.
Right click on the right pane, select New > DWORD (32-bit) Value, and name it UPnPMode.
Double click on it and set the value to 2.
If you have the Automated Configuration Pack, you can double click on the file "UPnP.reg"
When you run the command 'netstat -abn', it shows you which ports are open and listening on the network. Normally you want to close those ports unless you really need them. Windows 10's listening processes and their port numbers are RPCss (135), eventlog service (49409), Spoolsv (49410), schedule (49411), lsass.exe (49414). (The port numbers above 49152 can change between reboots.) However, the default firewall policy for inbound traffic is 'block' for all network profiles (domain, private, public). That means nobody can touch those listening ports unless the firewall is off, or you have made inbound 'allow' rules to pass traffic on to those processes. This has been verified by connecting to them with telnet, and all attempts failed unless one turns off the firewall or makes 'allow' rules. Also, as far as I can determine, all of those processes are essential to Windows, especially RPCss and lsass.
Buy a router that has a Stateful Packet Inspection (SPI) firewall. This kind of firewall monitors outbound traffic and only allows matching return traffic: when you surf to a web site, your browser initiates a request to the site, and the site returns the web page. Buy one even if you have only 1 PC. And if you are using a cable modem which only has 1 Ethernet port, you definitely need one.
More expensive hardware firewall routers have more tools, like configurable rules, sending logs to remote syslog servers, and fancier protection like spotting syntactically illegal IP packets. For an example of a small/medium-size business product, take a look at the www.sonicwall.com site. They have products which integrate a firewall, gateway antivirus and antispyware, and VPN. These usually cost $400 and up.
As an alternative, there are free Linux distributions that offer almost the same features, like IPFire and pfSense. See the section Intrusion Detection part 4 below.
Before you make any changes to the firewall rules, go to the right side menu and choose 'Export Policy'. That is because the Restore Default Policy option does not give you back the current defaults; it gives you the defaults from a much older version of Windows 10. MS has been notified.
If you have the Automated Configuration Pack, you can import the firewall rules into BiniSoft.
To preserve your firewall rules from MS modification, you will need to export the rules and re-import them when they change. BiniSoft Windows Firewall Control has a solution for that, see below. EXPLOIT NOTICE: While testing, I have been successfully attacked with the Skype inbound rule enabled. It is part of a set of Default Inbound Allow Rules by MS. Attackers know these default inbound rules very well, and have thoroughly investigated them to work out exploits. In particular, you should avoid using Skype, even with only outbound rules enabled and inbound disabled. That is why I made the above set of Inbound Block Rules to counteract them. Block rules override Allow rules. Under no circumstances should you disable the inbound block rules.
Windows Firewall doesn't notify you when an application calls outbound while the outbound policy is block. BiniSoft Windows Firewall Control is an add-on app that gives you that feature. It is also particularly useful to have it create a 'temporary rule' for the times when you use web-based program installers; you get this in its notification pop-up.
If you have the Automated Configuration Pack, go to Systray icon > Main Panel > Options and select 'Import User Settings from file'; locate the "BiniSoft User Settings ...XML". Then go to Systray icon > Main Panel > Rules and select 'Import Windows Firewall Rules from file' and locate the "Binisoft Standalone Full Policy.WFW".
Windows has a lot of programs that call outbound, and they are not just Windows services (which we have pruned). Since the default policy is outbound allow all, most people are not aware of them. We apply the default-deny principle and set the outbound policy to block, which is BiniSoft's Medium Filtering Policy. Apart from the outbound rules set up above and allowing your browser, little else is needed for Windows Activation, Windows Update and general web surfing. However, when the outbound policy is left at Windows' default allow, those Windows programs go outbound, like SystemSettings, ApplicationFrameHost, taskhostw and tons more. Even though they each have a particular MS server to go to, an attacker will be able to spoof the MS server's IP and send malicious traffic to these poorly defended Windows applications. MS is relying on the firewall state that is set when those programs go outbound to protect them and to verify that any 'returning' traffic is legit. But when attackers monitor traffic on compromised public routers, or otherwise spray their exploits, all those Windows applications are ripe for attack. So, since the essential outbound rules are set as above, you can block any notifications that BiniSoft displays. If you want to be cautious, you can respond to the notification by blocking the program for X minutes.
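A PowerShell audit of the points made in the listening-ports paragraph and in the firewall paragraphs above: export the policy first (the 'Export Policy' step), show each profile's default inbound/outbound action, list what is listening as 'netstat -abn' would, and work out which enabled inbound allow rules could let traffic reach those listeners. This is an added example, not from the guide or BiniSoft; the export location and the commented final Set-NetFirewallProfile line are this example's choices.

```powershell
# Added example (not from the guide). Run from an elevated PowerShell prompt.
# Assumption: the policy export goes to the Desktop with a timestamped name.
$Backup = "$env:USERPROFILE\Desktop\firewall-policy-$(Get-Date -Format yyyyMMdd-HHmmss).wfw"

# 1. Same as 'Export Policy' in the firewall console: keep the current rule set before
#    changing anything, because Restore Default Policy will not give it back.
netsh advfirewall export "$Backup" | Out-Null

# 2. Default action per profile. Hardened target: DefaultInboundAction = Block and
#    DefaultOutboundAction = Block on Domain, Private and Public (Windows ships Outbound = Allow).
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize

# 3. What is listening, with the owning process (the 'netstat -abn' view).
$listening = Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ Port = $_.LocalPort; PID = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path }
} | Sort-Object Port, PID -Unique

# 4. Enabled inbound ALLOW rules are the only openings while the default inbound action is
#    Block. Resolve each rule's program and port filter so every opening is accounted for.
$inboundAllow = foreach ($r in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $app  = $r | Get-NetFirewallApplicationFilter
    $port = $r | Get-NetFirewallPortFilter
    # Program is a path (often with %SystemRoot% etc.) or the literal 'Any'.
    $prog = [Environment]::ExpandEnvironmentVariables($app.Program)
    [pscustomobject]@{
        Rule     = $r.DisplayName
        Group    = $r.DisplayGroup
        Profile  = $r.Profile
        Program  = $prog
        Protocol = $port.Protocol            # TCP, UDP, Any, ICMPv4, ...
        Ports    = @($port.LocalPort)        # 'Any', a number, a range like 49152-65535, or RPC/RPC-EPMap
    }
}
$inboundAllow | Sort-Object Group, Rule |
    Format-Table Rule, Profile, Protocol, @{ n = 'Ports'; e = { $_.Ports -join ',' } }, Program -AutoSize

# 5. Cross-check: a TCP listener is reachable when an enabled allow rule for TCP (or Any)
#    names its executable or 'Any' program, and its exact port or 'Any' port.
#    Port ranges and the RPC keywords are shown in step 4 but not expanded here.
foreach ($l in $listening) {
    $hits = $inboundAllow | Where-Object {
        ($_.Protocol -in 'TCP', 'Any') -and
        ($_.Program -eq 'Any' -or ($l.Path -and $_.Program -ieq $l.Path)) -and
        ($_.Ports -contains 'Any' -or $_.Ports -contains "$($l.Port)")
    }
    if ($hits) {
        '{0,6}  {1,-18} reachable via: {2}' -f $l.Port, $l.Process, (($hits.Rule | Sort-Object -Unique) -join '; ')
    }
}

# 6. Default deny outbound (what BiniSoft calls Medium Filtering). Uncomment only after the
#    outbound allow rules for your antivirus, Windows Update and your browser are in place.
# Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
```

Step 5 printing nothing is the expected result on a hardened machine: every listener in step 3 is then covered only by the default Block action.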
The second feature of BiniSoft is that it can create a temporary rule for a program installer. When you get BiniSoft's notification that your program installer wants to go outbound, on the right side of that notification you get the choice to create a temporary rule, which should self-erase after the installer exits. If it doesn't, you can find the rule easily because it is shown in a blue font. This eliminates the need to choose BiniSoft's Low Filtering Profile, which is an outbound allow-all policy.
To use the BiniSoft rules provided, you have to edit some of the rules. Right click on the BiniSoft icon in the Systray and select Rules Panel. On the right side panel, select 'Filter by Enabled'. Then click on the word 'Name' on the rules side to sort the rules by name. Locate the rules that have the word 'router' and/or 'server' in their name, and double click on each. Then go to the 'Remote Addresses' field and replace the addresses with your Windows Server's IP and/or router's IP, separated by a comma with no spaces.
The Notification setting is turned off. Nothing more needs to be allowed for activation, Windows Update or browsing, except adding an outbound rule for your preferred browser. Do not be tempted to allow executables to go outbound just because a popup prompt comes up; this guide has already filtered out the non-essentials.
You can turn on Notifications if you are installing new software and want to allow it onto the network. However, be careful to only click 'Allow this program' or 'Allow temporarily' (one makes a permanent rule and the other a temporary rule) for the program you are installing. There will be numerous pop-ups for Windows components like 'svchost', 'system' and others mixed in with the one piece of software you just installed. Remember, this guide has already filtered out the non-essentials. Allow only the software you are installing.
BiniSoft has a Secure Rules feature. It can stop unwanted changes to your rules. You define your rules and give them a Group Name. Then you put all the group names you want to keep intact in Main Panel > Security > Authorized Groups. You get to choose whether the unauthorized rules are deleted or disabled. Then you checkmark Secure Rules. If you choose to disable unauthorized rules (the safest way), all the unauthorized rules will be renamed and disabled. You can still recognize a Windows built-in rule should you ever want to enable it. However, BiniSoft currently (v188.8.131.52) has a problem in that some rules are shown by their Windows package names. For example, the rule for "Microsoft Store" is displayed as "Microsoft.WindowsStore_11805.1001.49.0" in the BiniSoft rule panel. I have contacted the developer and he says it is the name returned by the Windows API, and he will look into it further. I have included a file "firewall rule app packages.txt" that lists the Windows firewall rule names and the Windows package names.
A note about firewall rules. The trick is to minimize the connections to the internet. This reduces your attack surface. The more programs you allow to connect, the higher the chance that one of them has a security vulnerability. AND ALL IT TAKES IS ONLY ONE, and the whole house of cards will come tumbling down. The attackers have the advantage. Microsoft, in their infinite wisdom, have allowed 15 applications to have inbound allow rules. After each Windows Update, these 15 inbound allow rules will be re-enabled. They may have limited each app's rights, so that you only lose control of, let's say, your contacts list. They might have double-checked the coding. But witness the long-lived SMB v1, which has been around for 15+ years. Network admin veterans rely on it because it is "time tested". It turns out there IS a security flaw, and the WannaCry ransomware took full advantage of it and spread like crazy, causing untold millions of dollars of damage. Doing threat models, limiting application rights and secure coding are all great things, and security has improved. But you have to remember that an exploit is an attack that can do non-ordinary and unexpected things. If the security flaw is of the kind that can 'run arbitrary code' (MS's term, used in MS Security Bulletins), then your limited application rights and threat models just don't count anymore, because 'run arbitrary code' just means the hacker can run anything: destroy your documents, erase your photos, whatever is your sense of the worst disaster. The goal of a firewall is to close off any avenues of attack before they have a chance to touch vulnerable code, and to allow only known and necessary network traffic. Default Deny is the safest way of designing firewall rules.
Outbound connections are also SO important. Let's say that some Windows system exe calls out to MS server XYZ. For example, wermgr reports Windows system problems to MS and expects to receive an acknowledgment. Well, attackers also know that MS XYZ server's IP address. A firewall will correctly remember that wermgr connected outbound to that IP, and correctly allow the acknowledgment from the same IP back in. The hacker can easily send an attack bearing the XYZ server's IP, AND it will pass right through the firewall unhindered. So security vulnerabilities that exist in mundane tasks that run only once in a while could be usable by attackers, because the attacker can blast out attacks spanning a wide spectrum of destination addresses, non-stop, and if a couple of PCs have just sent out an error report to MS's XYZ server, he is inside instantly. His payload will begin downloading malware, and the takeover begins. If your router/hardware firewall has a logging feature, you can see evidence of this 24 hrs a day: attackers banging on every door, checking to see if their exploit's target vulnerable code is running.
And if the outbound policy is set to disallow, then the allowed applications need scrutiny. MS enables some 40+ applications outbound in Windows 10 v1809's firewall outbound rules. The writer has received attack(s) when those rules are active, but has not narrowed it down to a particular one (the attacker has not attacked 40+ times). But smart attackers don't overexpose their prized possessions (their attack exploits), lest some security researcher catches and analyses them.
Delivery Optimization is designed to save bandwidth when performing Windows Update. It caches the updates for a short period and sends them over to other PCs on the LAN. You can stop update downloads from other PCs so that you trust only Windows Update, but you can't totally stop uploading updates to other PCs on the internet.
First go to Settings > Update and security > Delivery Optimization and turn off 'Allow downloads from other PCs'. Then click on Advanced Settings, checkmark "Limit how much bandwidth is used for uploading" and set it to the minimum.
Windows automatically searches for an HTTP proxy for each account by default. An HTTP proxy is a server that receives HTTP requests and forwards them to the internet. Usually it is used to filter web site requests to ban certain web sites, and companies use it to enforce policies like banning Facebook and other productivity-draining activities. Most home environments do not have an HTTP proxy server. If an attacker plants an HTTP proxy service on your network, she can monitor your web activities, or even redirect your web requests to a malicious site. This should be turned off.
Go to Settings > Network and Internet > Proxy and turn off 'Automatically detect settings'.
When activated, Software Restriction Policy prevents any program from running unless it resides in \Program Files or \Windows. That means any downloaded malware in Temporary Internet Files or elsewhere will not be able to run (browsers and plug-ins sometimes have vulnerabilities that let infected web sites force them to download). Since you will be running as a standard user daily, that malware cannot install itself to the above 2 locations, because you need admin rights to do so. So you are covered against unwanted desktop programs running.
This feature is not available in Windows 10 Home.
Simple SRP 2.1 is a free tool that provides the majority of the functionality of Windows' own SRP in a small program that sits in the systray, and it works on Windows 10 64-bit.
This program provides crucial protection to Windows 10. After installation, only programs in \Program Files and \Windows will execute. So in order to run the BAT files of this guide's automated configuration, you need to choose the tool's UnLock from the right click menu, which gives you 30 mins of unlocked time.
The program installs into \Windows\SoftwarePolicy. Configuration is done via an .ini file that can be accessed and edited from its menu. There are some configuration items that need modification. Right click on the program’s systray icon and choose Configure. Notepad will start.
Locate [CustomPolicies] and add the following line:
Add the following extensions to the end of "FileExtensions": VBS, JS, JSE, OTF, SCT, SHB, VBE, WSF, WSH, PS1. Then remove the ';' from the beginning of the line.
Locate "includeDLLs" and set it to 1.
Next, add the following lines underneath [Disallowed]:
C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics=1
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files=1
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update=1
C:\Windows\System32\Tasks\Microsoft\Windows\File Classification Infrastructure\Property Definition Sync=1
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update=1
The above 'Disallowed' rules are made because those folders inside \Windows are writable by user accounts. Because the default allow rules let any program inside \Windows execute, an attacker can place her programs in any user-writable folder inside it, for example \Windows\System32\FxsTmp, and get them to run.
Note: To correctly install Windows Defender Platform Updates from Windows Update, you have to remove the \Windows\Temp line temporarily. Take care to remove the line only temporarily and put it back afterwards, when you notice a Windows Defender Platform Update is coming in.
In recent months (Apr 2017) there have been attacks that do not use malware files but use Windows' built-in scripting engines to execute script lines. As such, there are no files in the payload for antivirus or anti-exe tools to detect and block. (The anti-exe Voodoo Shield is an exception in that, in its locked mode, it prompts the user if PowerShell is run.) Nevertheless, it is sound protection to use SRP to block the execution of script engines until you temporarily unlock to run a script.
Now extract the AccessChk.zip file that was downloaded. Then create a 'find SRP block paths.bat' with the following lines:
accesschk -w -s -q -u Users "C:\Program Files"
accesschk -w -s -q -u Users "C:\Program Files (x86)"
accesschk -w -s -q -u Users "C:\Windows"
accesschk -w -s -q -u Everyone "C:\Program Files"
accesschk -w -s -q -u Everyone "C:\Program Files (x86)"
accesschk -w -s -q -u Everyone "C:\Windows"
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files"
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"
accesschk -w -s -q -u "Authenticated Users" "C:\Windows"
accesschk -w -s -q -u Interactive "C:\Program Files"
accesschk -w -s -q -u Interactive "C:\Program Files (x86)"
accesschk -w -s -q -u Interactive "C:\Windows"
Place the bat file into the folder where you extracted accesschk.exe, and run it to find out which folders on your system you need to add to the Disallowed section.
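A PowerShell stand-in for the accesschk batch file above, for when Sysinternals is not at hand: it walks the same three SRP-allowed roots, checks the same four principals for rights that let a standard user place or alter a file in a folder, and prints the results as ready-to-paste [Disallowed] lines in the .ini format shown above. This is an added example, not the guide's own code; it reads folder ACLs directly and ignores Deny entries, so review its output before pasting.

```powershell
# Added example (not from the guide). Run elevated so every folder's ACL can be read.
$Roots = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
# The same four principals the batch file passes to accesschk -u.
$Principals = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# Rights that allow creating a file (CreateFiles) or a subfolder (AppendData) in the folder;
# Modify and FullControl contain these bits. GENERIC_WRITE / GENERIC_ALL appear on some ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Find-UserWritableFolders {
    param([string[]]$Paths, [string[]]$Identities, [int]$Mask)
    foreach ($root in $Paths) {
        $dirs = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $hits = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $Identities -contains $_.IdentityReference.Value -and
                # An inherit-only ACE applies to children, not to this folder itself.
                (([int]$_.PropagationFlags -band $InheritOnly) -eq 0) -and
                (([int]$_.FileSystemRights -band $Mask) -ne 0)
            }
            if ($hits) {
                [pscustomobject]@{
                    Folder    = $d.FullName
                    Principal = (($hits.IdentityReference.Value | Sort-Object -Unique) -join ', ')
                    Rights    = (($hits.FileSystemRights | Sort-Object -Unique) -join ', ')
                }
            }
        }
    }
}

$found = Find-UserWritableFolders -Paths $Roots -Identities $Principals -Mask $WriteMask
$found | Format-Table -AutoSize

# Lines for the [Disallowed] section, in the 'path=1' form used in the .ini above.
$found.Folder | Sort-Object -Unique | ForEach-Object { "$_=1" }
```

Expect the walk over C:\Windows to take several minutes; folders such as \Windows\Temp and \Windows\Tasks normally appear, matching what accesschk -w reports.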
Lastly, if you use the Opera browser, find in the [LimitedApps] section the line 'Opera=...' and place a semicolon (;) in front of the line to exclude Opera from protection, because Opera v30 (the latest version as of this writing) will not function with this enabled.
Save the file, exit Notepad and apply the policy.
The above configures the program to require a Windows admin account password, and it secures the mentioned paths under \Windows which can be modified by users, to prevent malware from executing from there.
Also, you can add a “;” in front of these lines to remove extra menu items, as they add clutter to the right click menu:
;(C:\)=explorer.exe C:\
With Windows 10 Fall Creators Update v1709, Windows Defender gains anti-exploit features. It is MS EMET transcribed for Windows 10, and it does not require the Secondary Logon service. You can add programs to be protected. Go to Windows Defender Security Center > App and Browser Control > Exploit Protection Settings to take a look. From there, click on Program Settings > Add program to customize. A good program to add would be your browser. Settings for Chrome:
Windows has several default anti-exploit settings for system files. I have chosen to augment them for svchost.exe and others because the custom settings have more protection features. As described in the firewall section, an attacker can spoof the origin address and mount an attack on the services, which would bypass the firewall. Other programs added include the ones mentioned in the outbound and inbound firewall rules which MS re-enables after each update. To load those settings:
Windows Defender > Virus & Threat Protection > Ransomware Protection > Manage ransomware protection > Controlled Folder Access=On
Note that turning on Controlled Folder Access forbids applications from creating files in the Documents folder. So, for example, further down in this document it tells you to create a baseline using "driverquery > out.txt". This command will fail to create out.txt because cmd.exe is not allowed to touch your Documents folder.
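The Exploit Protection and Controlled Folder Access steps above, done with the built-in cmdlets so they can be recorded and repeated. This is an added example, not the guide's settings file: chrome.exe stands in for "your browser", the mitigation list is this example's choice rather than the guide's 'Settings for Chrome', and the baseline folder is a made-up location chosen to sidestep the Documents-folder caveat.

```powershell
# Added example (not from the guide). Run from an elevated PowerShell prompt on 1709 or later.
# Assumption: chrome.exe is the browser being protected; the mitigation set is this example's.
$Browser = 'chrome.exe'

# 1. Record the current per-program settings first. The XML written here is in the form that
#    'Set-ProcessMitigation -PolicyFilePath <file>' loads back, so it doubles as a rollback.
Get-ProcessMitigation -RegistryConfigFilePath "$env:USERPROFILE\Desktop\mitigations-before.xml"

# 2. EMET-style memory protections for the browser. These are the low-risk, widely compatible
#    ones; anything stricter (e.g. code integrity guard, ACG) should be tested with the browser first.
Set-ProcessMitigation -Name $Browser -Enable DEP, EmulateAtlThunks, SEHOP, ForceRelocateImages, BottomUp, HighEntropy, StrictHandle

# 3. Read back what is now configured for that program (this is what the GUI shows).
Get-ProcessMitigation -Name $Browser

# 4. Controlled Folder Access = On, as in the GUI step above. AuditMode instead of Enabled
#    only logs what would have been blocked (Event ID 1124 in the
#    Microsoft-Windows-Windows Defender/Operational log) and is useful for a dry run.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. The caveat above: 'driverquery > out.txt' run from cmd.exe inside Documents is blocked
#    (Event ID 1123). Instead of whitelisting cmd.exe for every protected folder, keep the
#    baselines in a folder that Controlled Folder Access does not protect.
$Work = "$env:LOCALAPPDATA\hardening-baselines"      # assumed location, not from the guide
New-Item -ItemType Directory -Path $Work -Force | Out-Null
driverquery | Out-File -FilePath "$Work\driverquery-baseline.txt"

# 6. Review the resulting state: protected folders and any apps allowed through.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```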
OSArmor (free) stops certain kinds of exploits and payloads. It isn't signature based, so it doesn't need to connect to the net. It can protect your browsers and office programs, and stops potential malware that executes off your USB memory stick. It also prompts you before you can run a script, like the bat and PowerShell scripts in this Configuration Pack, because it is common for attacks to exploit a program and then launch a script.
To use it, first right click on the OSArmor systray icon, open Configurator, and checkmark everything except Advanced tab > Block specific system processes > Block execution of NetSh. (NetSh is used by this guide to automatically take your admin account offline after sign in.) Then carry on as usual. When it finds anything suspicious, it will prompt you; for example, opening Event Viewer issues a warning. You have 2 choices: a) Respond to the prompt by clicking on the Exclude button. This populates the Exclusions Helper with the action you just performed. Then click on the Add Exclusion button. If you don't plan to use this action often, then: b) Go to OSArmor > Protection > Disable Temporarily > 10 mins. After the application has opened, you can immediately set Protection back to Enabled. You don't have to have protection disabled while running the application.
Windows defaults to allowing 'sideloaded' apps, which means accepting apps from a local install. Normally apps are downloaded from the Store, where they are vetted by MS. Unless you are a developer, you have no need for the sideload feature, and it is best disabled. Go to Settings > Update and Security > For developers, and change the setting to Windows Store Apps.
Most people are aware that services can be security problems, and that some should be disabled. The culprits are partly network services that listen on the net: anything that takes input from the net is a candidate for manipulation by attackers. When one looks at the list of services that are disabled below, one might say that there are no known exploits for such and such a service. But the principle again is least privilege: only those services that are needed should be active, and we don't want to wait until an exploit hits the security news sites and then take action. Least privilege is a proactive, preventative concept.
There are various servers in the list of services which listen 24x7 to everybody sending them stuff (which includes exploits), like the simply named 'Server' service that is responsible for File and Printer Sharing. Another server is UPnP Device Host, which lets other PCs interact with devices on this PC. Components that allow remote management are also turned off, like Remote Registry and Windows Remote Management: the first allows other PCs to change your registry, and the second allows remote shell access. The Secondary Logon service is turned off because it lets command-line users run programs as admin; it requires the admin's password, but then attackers have all day to figure that out. DNS Client used to be unneeded, but MS changed that in v1809 so that it can't be disabled. HomeGroup is a file sharing mechanism where the whole network's shared material (from all PCs) is secured via 1 password; with File and Printer Sharing, at least you can have different logons for different PCs. I have left 6 services on Automatic/Manual start which do react to inputs from the net. These services tell other Windows programs about your network and allow you to choose your firewall profile (public or private). One of them is related to DirectAccess, which can only be used in an environment that has Windows Servers, but I found that disabling it causes networking to malfunction.
There is another angle to services that makes some more desirable targets, and that is the account that runs them. The System account is all powerful and is equal in power to administrators. A network facing service which use this account, like the WMI Performance Adapter (gone from v1809) or the Printer Extensions and Notifications, will be prized, A service running as System will also be targeted by attackers who gained entry into a Standard account, they will try to take over the service to gain System rights. (This is called "escalation of privilege").
There are some services which activate if you have the right equipment, like. Microsoft iSCSI initiator service, Bluetooth support service, Fax, SmartCard. SmartCard removal policy and WWAN autoconfig are all dependent on specific hardware. In my personal configuration, they are all disabled, because I don't have them. In particular, Bluetooth support service is one that ought to be disabled if one doesn't have any bluetooth peripherals; it is a networking component that can be abused by attackers, and there are free hacking tools available. It is not disabled in the default configuration file because I don't want someone to apply the config and suddently find that their keyboard or mouse doesn't work.
When you configure services, clicking on each will display a description. If that is not enough for you, you can check outt http://blackviper.comm, sometimes they have additional information..
If you have the Automated Configuration Pack, you can set up the services by right clicking on "Harden Win 10 Home Services.bat" and choosing "Run as Administrator"
Items in <angle brackets> are optional and not setup in the Automated Configuration file.
Right click on Start button/Control Panel/Administrative Tools/Services
Right click on each of the following services, choose Properties and set Startup type to Disabled.
Name (Original Mode), what it does
WARNING: Geolocation service (Manual): used by Cortana. In older builds (bug current as of 2015-Aug-19), once you disabled this one you could not set it back to normal again. Update 2018-10-05: fixed in v1809, so you can now disable it if you don't like Windows' location tracking.
If you have the Automated Configuration Pack, my personal additional settings are in "My Personal Win 10 Home Disabled Services.BAT".
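If you would rather not click through services.msc, the same change can be scripted. The following is an added example written for this page, not the guide's Automated Configuration Pack: it records the current start type of each service to a JSON file (so the change can be undone), disables and stops them, and reports any that are still enabled. The service short names are assumptions matching the services named in the text; confirm each with Get-Service before relying on the list. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the guide's BAT file. Disable network-facing services
# with a rollback file. Short names are assumptions for the services named in
# the text; verify with Get-Service on your build.

$ToDisable = @(
    'LanmanServer',     # Server (File and Printer Sharing)
    'upnphost',         # UPnP Device Host
    'RemoteRegistry',   # Remote Registry
    'WinRM',            # Windows Remote Management
    'seclogon'          # Secondary Logon (runas)
)
# Hardware-dependent services from the text; add them only if you lack the hardware.
$HardwareDependent = @('MSiSCSI', 'bthserv', 'Fax', 'SCardSvr', 'SCPolicySvc', 'WwanSvc')

$Rollback = Join-Path $env:USERPROFILE 'services-before-hardening.json'

function Save-ServiceState {
    # Records Name/StartType for every service that exists on this build.
    # (A delayed-start service is recorded as Automatic; restore loses the delay flag.)
    param([string[]]$Names, [string]$Path)
    $state = foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($svc) { [pscustomobject]@{ Name = $n; StartType = [string]$svc.StartType } }
    }
    $state | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    $state
}

function Disable-HardenedService {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$n is not present on this build"; continue }
        Set-Service -Name $n -StartupType Disabled
        if ($svc.Status -eq 'Running') { Stop-Service -Name $n -Force -ErrorAction SilentlyContinue }
    }
}

function Restore-ServiceState {
    param([string]$Path)
    foreach ($s in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        Set-Service -Name $s.Name -StartupType $s.StartType
    }
}

function Test-ServiceHardening {
    # Returns the services that are NOT disabled, i.e. what still needs attention.
    param([string[]]$Names)
    Get-Service -Name $Names -ErrorAction SilentlyContinue |
        Where-Object { $_.StartType -ne 'Disabled' } |
        Select-Object Name, StartType, Status
}

Save-ServiceState -Names $ToDisable -Path $Rollback | Out-Null
Disable-HardenedService -Names $ToDisable
Test-ServiceHardening -Names $ToDisable      # empty output means every listed service is disabled
# To undo everything:  Restore-ServiceState -Path $Rollback
```

Add the entries of $HardwareDependent to $ToDisable only after checking that you really have no Bluetooth keyboard or mouse, for the reason given above.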
There should be only limited logins available from the network. The 2 local security policies are also set in the Harden Win 10 Home Services BAT file if you have the Automated Configuration Pack.
However, if we stop user and admin accounts from logging in through the network, then Simple Software Restriction Policy stops working; we are still protected by Windows Firewall, though. So the accounts that are denied are: Guests, Anonymous Logon, NETWORK SERVICE, SERVICE and LOCAL SERVICE.
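Windows 10 Home has no secpol.msc, which is why the guide ships the setting in a BAT file. As an added example (not the guide's own BAT), the following applies "Deny access to this computer from the network" to exactly the five accounts listed above using secedit, which is present on every edition. It uses the accounts' well-known SIDs rather than their display names, so it works regardless of the system language, and reads the setting back afterwards so you can confirm it took. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the guide's BAT file: set a user-rights assignment on
# Windows 10 Home with secedit, then verify it.

$DenyNetworkLogon = @(
    'S-1-5-32-546',  # BUILTIN\Guests
    'S-1-5-7',       # NT AUTHORITY\ANONYMOUS LOGON
    'S-1-5-20',      # NT AUTHORITY\NETWORK SERVICE
    'S-1-5-6',       # NT AUTHORITY\SERVICE
    'S-1-5-19'       # NT AUTHORITY\LOCAL SERVICE
)

function Set-UserRight {
    # Writes a minimal security template containing only the [Privilege Rights]
    # section and applies just the USER_RIGHTS area. The list REPLACES the
    # current holders of the right; it does not merge.
    param(
        [Parameter(Mandatory)][string]$Right,   # e.g. SeDenyNetworkLogonRight
        [Parameter(Mandatory)][string[]]$Sids
    )
    $work = Join-Path $env:TEMP 'userrights'
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $inf = Join-Path $work "$Right.inf"
    $db  = Join-Path $work "$Right.sdb"
    $value = ($Sids | ForEach-Object { "*$_" }) -join ','   # template format: *SID,*SID
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Right = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    Remove-Item -Path $work -Recurse -Force
}

function Get-UserRight {
    # Exports the USER_RIGHTS area and returns the current holders of one right.
    param([Parameter(Mandatory)][string]$Right)
    $export = Join-Path $env:TEMP 'userrights-export.inf'
    secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $export | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item -Path $export -Force
    if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
}

Set-UserRight -Right 'SeDenyNetworkLogonRight' -Sids $DenyNetworkLogon
Get-UserRight  -Right 'SeDenyNetworkLogonRight'   # expect the five *S-1-5-... entries above
```

The text mentions 2 policies but names only the network-logon one; the same Set-UserRight function applies to any other right (for example SeDenyRemoteInteractiveLogonRight) by passing its constant name.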
A Live Tile on the Start Menu accepts input from the Internet. It has been said that if the attacker can make her way onto the desktop, then all is lost. To be safe, right click on each Live Tile and choose Turn Live Tile off. You can always click on a tile to run that app. If you are sure that you never want to see a particular Live Tile, right click it and choose Unpin from Start.
At this point you have hardened the networking components. Switch to your Standard account and connect to the internet now. There are 3 things you need to check before you can perform activation. Open Start > All apps > Windows Administrative Tools > Services, and right click to start these 2 services:
Then right click on This PC, choose Properties and click on Activate. If it results in an error, click the Troubleshoot button. Or you can open an elevated command prompt and run the following:
EXPLOIT NOTICE: vulnerabilities have been found in the Windows Update process, and some attackers know how to exploit them to take over your PC. If you are unsure, use WSUS Offline for every update. MS issues security updates on the second Tuesday of each month.
Then immediately do Check for Updates.
Settings > Update & Security > Windows Update.
DO NOT SURF the net while updates are going on, as Edge and Internet Explorer are still unpatched and vulnerable.
If you wish, you may want to defer Windows Update until we reach the end of this guide, when all attack venues are covered.
If you use MS Office, then go do Microsoft Update now.
Settings > Update & Security > Windows Update > Advanced Options > checkmark Give me updates for additional Microsoft Products.
Remember to update your firewall outbound rules to allow the programs that need the internet. Adobe Reader, for example, now has its own update service, so add allow-outbound rules for such services. Your browser, antivirus and PatchMyPC (see below) also need to reach out to the internet.
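The following is an added example (not part of the guide) of keeping those outbound rules in one place: it sets the default outbound action to Block on every profile, creates one allow rule per program keyed to the executable path, adds a service-scoped rule so Windows Update itself (which runs inside svchost.exe) can still reach Microsoft, and audits existing allow rules for programs that no longer exist. The program paths are assumptions; replace them with whatever is installed on your PC. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the guide: default-deny outbound with explicit
# per-program allow rules. Paths are assumptions; adjust to your machine.

$OutboundAllow = @{
    'Harden: Firefox'              = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'Harden: Adobe Reader updater' = 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe'
    'Harden: PatchMyPC'            = 'C:\Program Files\PatchMyPC\PatchMyPC.exe'
}

function Set-OutboundDefaultBlock {
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
}

function Add-OutboundAllowRule {
    # Recreates the rule each time so the script is safe to re-run.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Program,
        [string]$Service                      # optional: restrict a svchost rule to one service
    )
    $resolved = [Environment]::ExpandEnvironmentVariables($Program)
    if (-not (Test-Path -Path $resolved)) { Write-Warning "skipping $Name, $resolved not found"; return }
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $params = @{ DisplayName = $Name; Direction = 'Outbound'; Action = 'Allow'
                 Program = $Program; Profile = 'Any'; Enabled = 'True' }
    if ($Service) { $params.Service = $Service }
    New-NetFirewallRule @params | Out-Null
}

function Get-OutboundAllowAudit {
    # Every enabled allow-outbound rule with its program and whether that program still exists.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        $exists = if ($prog -and $prog -ne 'Any') {
            Test-Path -Path ([Environment]::ExpandEnvironmentVariables($prog))
        } else { 'n/a' }
        [pscustomobject]@{ Name = $_.DisplayName; Program = $prog; Exists = $exists }
    }
}

Set-OutboundDefaultBlock
foreach ($rule in $OutboundAllow.GetEnumerator()) {
    Add-OutboundAllowRule -Name $rule.Key -Program $rule.Value
}
# Windows Update runs as the wuauserv service inside svchost.exe; allow only that service.
Add-OutboundAllowRule -Name 'Harden: Windows Update' -Program '%SystemRoot%\System32\svchost.exe' -Service 'wuauserv'

Get-OutboundAllowAudit | Where-Object { $_.Exists -eq $false }   # stale rules worth deleting
```

A rule keyed to a path only matches that path, so after a program update that moves its executable (or a browser that spawns a separate updater) you will see it blocked and need another rule; the audit function lists rules whose program has disappeared.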
One of the most important things to do is to update EVERYTHING on your computer, constantly; that means Windows Update plus updating all programs and plug-ins. Security patches close the holes that malware and attackers need to get onto your computer. Patching is the ultimate preventative measure, because it treats the source of the problem.
It is known that attackers reverse engineer MS patches to find and exploit the vulnerabilities they fix. It only takes them a few days, so be sure to patch on time. MS's patch schedule is the second Tuesday of each month; put a repeating entry in your phone's calendar. Non-security (preview) updates usually follow later in the month.
Windows Update supplies security fixes to Windows and its programs like Edge and Internet Explorer. If you use a buggy Edge, then hacked websites can install viruses/malware without your knowledge.
Adobe Flash is another component that lots of people forget about. Luckily, three browsers, Edge, Internet Explorer and Google Chrome, fetch Flash updates automatically, so you don't have to do a thing. If you use Firefox, Opera or another browser, then you need to download the Flash plugin for them. Adobe Flash has its own automatic update feature; if you install Flash, you must make an allow-outbound firewall rule for its update service. An alternative to Flash is HTML 5. Many sites support it now, and you may find that you don't need Flash anymore. (Adobe ended support for Flash Player at the end of 2020, so on a current system the safest option is to remove it altogether.)
PatchMyPC detects which of your installed programs have a new version. This is a lifesaver: it tells you about the new version and installs it for you. This is a very important part of maintaining the security of your machine.
AutoPlay is a problem when it comes to removable devices like USB memory sticks and CDs, because it runs whatever program it is configured for whenever you insert one. Attackers are known to casually leave CDs or USB sticks around in public places, labelled something like 'layoff positions for next quarter'. Once inserted, their tools run in the background and call back to a master server. AutoPlay is the successor to AutoRun and can be disabled in Windows. Do this for every account.
Go to Settings > Devices > AutoPlay, set AutoPlay to off.
It is very important to guard your sign-on passphrases, especially the one for your admin account. Attackers will try to trick you into giving out the passphrase by installing a trojan that looks like the Windows sign-on screen; upon seeing it, most users will key in their passphrase without question. Microsoft has a feature whereby you need to press CTRL-ALT-DEL to reach the sign-on screen, because that key sequence (the Secure Attention Sequence) can only be trapped by the operating system. This feature is normally only active when a PC is domain joined to Windows Servers, but it can be enabled without them.
Another MS security feature is not displaying the account name on the sign-on screen, even when the user is currently signed on and has locked the system with WinKey-L. This means the attacker needs to get both the account name and the passphrase right, which significantly enhances security.
If you have the Automated Configuration Pack, you can right click on Harden Win 10 Pro Security options.bat and choose Run as admin to enable these 2 features. Further down the document, all the settings in Security options are given.
OneDrive lets you keep your documents, pictures and PC settings on the net, ready for syncing to all of your PCs. However, your personal files then sit on the internet 24x7x365 waiting for someone to crack your password. This is not secure, to say the least.
Data Execution Prevention (DEP) is a technology that foils attacks which rely on running code out of data areas of memory. By default it is enabled but protects only essential Windows programs and services. You want to enable it for all programs, like Firefox, Opera, Acrobat Reader and others.
Right Click Computer/ Properties/ Advanced System Settings
/Performance Settings button/ Data Execution Prevention Tab
Select "Turn on DEP for all programs ..."
Dump files are memory dumps: the contents of memory are saved to a file. This is used for debugging when your system crashes. However, passwords and whatever confidential data is in memory at the time also end up in this file. Enable this feature only when you are experiencing problems and need to debug.
Computer > Properties > Advanced System Settings > Startup and Recovery Settings - settings button
Write debugging info: None.
Remote Assistance allows a helper to control your PC with full desktop, keyboard and mouse access. It is not an attacker favourite, as there is built-in protection that only lets the invited party take control. However, phone scammers lure users into granting them remote access, so you will want to protect your users and prevent them from compromising your computer.
Computer/Properties/Advanced System settings/Remote tab
Un-checkmark allow remote assistance
System Restore can be a lifesaver when you encounter system errors. Setting it to use more disk space, so that more restore points are kept, is good policy.
Right click Computer/Properties/Advanced Systems Settings/System Protection tab
Configure button/create bigger system restore cache
You want to be able to see all files and folders in Windows. If you skip this step, attackers can hide their installed tools from you simply by marking them hidden. An attacker can also install a rootkit, which hides files properly, but they may not get far enough into your system to do so.
Windows Explorer / View pull down menu / Options button / Change folder and search options / View tab. CHECKMARK the items below:
Unattended PCs are obvious security risks, but many people fail to take care of this with a simple setting. Most larger companies that are security aware have strict rules requiring it and forbidding leaving PCs logged in and unattended.
Go to Settings > Personalization > Lock screen > Screen timeout settings and configure it to wait 10 minutes. Note that turning the screen off does not by itself lock the session; to require a password afterwards, also enable a screen saver with 'On resume, display logon screen' checked.
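The settings from the AutoPlay, sign-on screen, DEP, dump file, Remote Assistance, hidden files and screen timeout sections above are all single registry values or one bcdedit switch, so they can be applied and, more importantly, verified in one pass. The following is an added example written for this page, not one of the guide's BAT files. The value names and locations are the documented policy values for each setting; the 10-minute inactivity limit is an assumption matching the text. HKLM entries are machine-wide, the HKCU entries apply only to the account you run the script in, so run it (or at least its HKCU part) in each account. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the guide's BAT files: apply the section's settings and
# read each one back. Explorer must be restarted before its view settings
# show; the DEP change needs a reboot.

$Settings = @(
    # AutoPlay off for every drive type (policy) plus the per-user Settings toggle
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun'; Value=255 }
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'; Name='DisableAutoplay'; Value=1 }
    # Require CTRL-ALT-DEL (DisableCAD=0 means it IS required) and hide the last user name
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableCAD'; Value=0 }
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='dontdisplaylastusername'; Value=1 }
    # Lock the session after 10 minutes idle ("Interactive logon: Machine inactivity limit")
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='InactivityTimeoutSecs'; Value=600 }
    # No memory dump on crash, so passwords in RAM never land on disk
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'; Name='CrashDumpEnabled'; Value=0 }
    # Remote Assistance off
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'; Name='fAllowToGetHelp'; Value=0 }
    # Explorer: show hidden files, protected OS files and file extensions
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden'; Value=1 }
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden'; Value=1 }
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt'; Value=0 }
)

function Set-HardeningValue {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-HardeningValues {
    # One row per setting; Ok is $false wherever the live value differs from the expected one.
    param([hashtable[]]$Expected)
    foreach ($s in $Expected) {
        $actual = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{ Name = $s.Name; Expected = $s.Value; Actual = $actual; Ok = ($actual -eq $s.Value) }
    }
}

function Set-DepOptOut {
    # Same as the GUI's "Turn on DEP for all programs and services except those I select".
    bcdedit.exe /set '{current}' nx OptOut | Out-Null
}

function Get-DepPolicy {
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut.
    (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
}

foreach ($s in $Settings) { Set-HardeningValue @s }
Set-DepOptOut
Test-HardeningValues -Expected $Settings | Where-Object { -not $_.Ok }   # empty output = all applied
"DEP policy now $(Get-DepPolicy); expect 3 after the next reboot"
```

Keeping the expected values in one table is what makes the later "know when a change is made" advice practical: re-running only Test-HardeningValues during your regular checkups shows at a glance whether anything has been flipped back.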
If you look in the \Windows\System32 folder you will see a lot of .exe programs. Some are Windows' GUI components, needed by the system, and some are command line programs used to administer Windows. A Standard user account doing daily work has little use for these command line programs, which are intended for IT administrators. In accordance with least privilege, these command line admin tools should be partitioned away from the Users group. See the following RBAC section.
Attackers aim to gain use of three accounts: your admin account, the built-in "Administrator" account and the System account. The admin account is needed for configuring the system, so it needs full access to command line tools and we cannot avoid this. The built-in 'Administrator' account is disabled by default. The System account is used by some services; testing revealed that it cannot be constrained, or else our Restore BAT would not work. So in the provided configuration file, the command line tools are set so that only members of the Administrators group and TrustedInstaller can invoke them (the System account gets inherited rights). Also, in line with layered security, the command line admin programs are denied execution by low integrity processes.
As an example, few people are aware that there is a command line FTP program (ftp.exe), as most people use their browser to download. This program is used mainly by attackers who need to bring over their tools once they have gained command prompt or PowerShell access.
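The following is an added example, not the Dual Admin BAT, showing the mechanism the section describes on that one tool: it backs up ftp.exe's ACL, removes the Users group's read and execute entry so only an elevated Administrators token (and TrustedInstaller) can run it, hands ownership back to TrustedInstaller, and provides a check and an undo. The same loop takes any list of System32 tools. Two caveats a practitioner should know: 64-bit Windows carries a second copy of many tools under SysWOW64, and a cumulative update that replaces a binary reinstalls it with default permissions, so re-run the check after each Patch Tuesday. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the guide's BAT: remove BUILTIN\Users from the ACL of
# selected System32 tools, with backup, verification and restore.

$Tools     = @('ftp.exe')                  # add more, e.g. 'tftp.exe'
$Sys32     = Join-Path $env:SystemRoot 'System32'
$BackupDir = Join-Path $env:USERPROFILE 'system32-acl-backup'
$UsersSid  = '*S-1-5-32-545'               # BUILTIN\Users, language independent

function Backup-ToolAcl {
    param([string]$Name)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Push-Location -Path $Sys32             # /save stores names relative to the current directory
    try { icacls.exe $Name /save (Join-Path $BackupDir "$Name.acl") /q | Out-Null }
    finally { Pop-Location }
}

function Set-ToolRestricted {
    param([string]$Name)
    $path = Join-Path $Sys32 $Name
    takeown.exe /f $path /a | Out-Null                        # owner -> Administrators, temporarily
    icacls.exe $path /inheritance:d /q | Out-Null             # keep current ACEs, stop inheriting
    icacls.exe $path /remove:g $UsersSid /q | Out-Null        # drop Users' read & execute
    icacls.exe $path /setowner 'NT SERVICE\TrustedInstaller' /q | Out-Null
}

function Restore-ToolAcl {
    param([string]$Name)
    $path = Join-Path $Sys32 $Name
    takeown.exe /f $path /a | Out-Null
    Push-Location -Path $Sys32
    try { icacls.exe . /restore (Join-Path $BackupDir "$Name.acl") /q | Out-Null }
    finally { Pop-Location }
    icacls.exe $path /setowner 'NT SERVICE\TrustedInstaller' /q | Out-Null
}

function Test-ToolRestricted {
    # $true when BUILTIN\Users no longer appears in the file's DACL.
    param([string]$Name)
    $acl = Get-Acl -Path (Join-Path $Sys32 $Name)
    -not ($acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545'
    })
}

foreach ($t in $Tools) { Backup-ToolAcl -Name $t; Set-ToolRestricted -Name $t }
foreach ($t in $Tools) { "$t restricted: $(Test-ToolRestricted -Name $t)" }
# Undo one tool:  Restore-ToolAcl -Name 'ftp.exe'
```

A deny entry for Users would be the wrong tool here: every interactive logon, including an elevated admin, carries the Users group (via Authenticated Users and INTERACTIVE), so a deny would lock the admin out as well; removing the grant leaves the Administrators group's own entry to do the work.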
Role Based Access Control means setting up accounts to do only what is necessary for the job role. Hence an accountant would be set up so that he can run the accounting program and not others, like our hardening scripts. This is in accordance with the least privilege principle.
When we analyse our security posture, the weakest point of defense is when we are using our admin account. Sometimes a program installer needs Software Restriction Policy turned off, because it writes a temporary exe into the temp folder and then executes it; and we must use the admin account to install software. Sometimes the install program needs to download components online, and the downloading portion may be vulnerable. And if the account houses our hardening scripts as well as other important documents, there is a lot to lose. Installing a new program usually takes time, maybe a good half hour or more to configure, test and so on, so for that hour we are essentially running an insecure, semi-hardened box. This calls for a role called the Installation Admin.
In the Configuration Pack, the Dual Admin BAT creates an installation admin (you choose the actual account name) and restricts it from running admin command line tools and administration GUI apps. In addition, it removes ordinary user accounts' access to the admin command line tools. After configuration, the command line administrative tools (plus regedit, regedt32 and tasksched) can only be run from a full admin account using an elevated command prompt. Also, only the full admin account has the Take Ownership right. Right click on the BAT file and choose Run as Admin.
Note: the Dual Admin BAT script does not assign a password to the Install Admin. Sign in to the Install Admin account and give it a passphrase. In effect, the only special rights this installation admin account possesses are the right to write anywhere on the hard drive (like the Program Files folder, which only an admin can write to) and to write to any registry key. This seems very generous, but the fact is we are not able to restrict it further. This account is then used when you install a program, which is a very common task for an admin role.
Very often an attacker will install a Remote Access Tool/Trojan (RAT) to monitor the victim. This program is just like an ordinary remote access program such as Windows' own Remote Desktop or the commercial TeamViewer: it can view our screen, see what we type and control the PC by running any program. RATs are very hard to detect, especially if the attacker makes no changes to your system and just watches. Anti-malware programs usually fail to identify them, because there are legitimate remote admin tools too. The goal is to hamper the RAT. A RAT gets all the permissions of the account you sign into, and it requires an online connection. So here is the second step: we make our full privilege admin account go offline whenever it is used. This buys us time to find and eliminate the RAT.
Now we create 5 scheduled tasks. The first one is for the full admin sign-in: it disconnects the network adapter. Ensure that you are signed in as the full admin.
Note: the scheduled tasks' action lines reference the network adapter name. In the majority of cases the adapters are called Ethernet and Wi-Fi. If you have multiple network adapters, the names will be different, and 'Ethernet' and 'Wi-Fi' in the actions need to be replaced with what you have. The adapter names you currently have are shown at Control Panel > Network and Sharing Center > Change adapter settings.
Next, we make a scheduled task for the full admin switching out, which re-enables the network.
Next, we make a scheduled task for switching to the full admin (Fast User Switching).
Next, we create 2 actions for your Limited Admin account's sign-in.
And we create 2 actions for switching to the Limited Admin account.
Repeat the above 2 tasks for any non-admin account.
Lastly we create a scheduled task for system startup, in case you restart the system while signed on as the full admin: we want the system to always start up in a connected state.
The whole set of scheduled tasks is designed to disconnect the network adapter for the full admin when he signs in or when his account is switched to, and to reconnect it when he switches to another account or signs out. You can verify this when you sign on to the full admin account by looking at the network icon in the systray: it shows a red X when you log on to that account.
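The following is an added example, not the guide's own task definitions, that builds the whole scheme in one script. The tasks run as SYSTEM so the adapter is toggled before the user's desktop appears, and the sign-in, switch-to and switch-away cases are covered with logon and session-state triggers (the switch-away trigger is the one the Task Scheduler GUI calls "On disconnect from user session"). The account names, adapter names and task folder are assumptions: list adapters with Get-NetAdapter and accounts with Get-LocalUser, and substitute yours. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the guide: full-admin-goes-offline scheduled tasks.
# Account names, adapter names and the task folder are assumptions.

$FullAdmin  = "$env:COMPUTERNAME\FullAdmin"            # the account that must be offline
$OtherUsers = @("$env:COMPUTERNAME\InstallAdmin", "$env:COMPUTERNAME\Standard")
$Adapters   = @('Ethernet', 'Wi-Fi')                   # see Get-NetAdapter
$TaskFolder = '\Harden\'

function New-AdapterAction {
    # One netsh action per adapter; Register-ScheduledTask takes an array of actions.
    param([ValidateSet('enabled', 'disabled')][string]$State)
    foreach ($a in $Adapters) {
        New-ScheduledTaskAction -Execute 'netsh.exe' `
            -Argument "interface set interface name=`"$a`" admin=$State"
    }
}

function New-SessionTrigger {
    # Fast-user-switch triggers have no New-ScheduledTaskTrigger switch, so the
    # CIM trigger object is built directly. StateChange: 1 = console connect
    # (switched to), 2 = console disconnect (switched away).
    param([int]$StateChange, [string]$User)
    $class = Get-CimClass -ClassName MSFT_TaskSessionStateChangeTrigger `
                          -Namespace 'root/Microsoft/Windows/TaskScheduler'
    New-CimInstance -CimClass $class -ClientOnly `
        -Property @{ StateChange = $StateChange; UserId = $User; Enabled = $true }
}

function Register-HardenTask {
    param([string]$Name, $Trigger, [string]$State)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                                              -ExecutionTimeLimit (New-TimeSpan -Minutes 1)
    Register-ScheduledTask -TaskName $Name -TaskPath $TaskFolder -Trigger $Trigger `
        -Action (New-AdapterAction -State $State) -Principal $principal -Settings $settings -Force | Out-Null
}

# Full admin signs in or is switched to: go offline.
Register-HardenTask -Name 'FullAdmin logon - offline'     -State disabled -Trigger (New-ScheduledTaskTrigger -AtLogOn -User $FullAdmin)
Register-HardenTask -Name 'FullAdmin switch-to - offline' -State disabled -Trigger (New-SessionTrigger -StateChange 1 -User $FullAdmin)
# Full admin switches away: back online.
Register-HardenTask -Name 'FullAdmin switch-away - online' -State enabled -Trigger (New-SessionTrigger -StateChange 2 -User $FullAdmin)
# Every other account signing in or being switched to: make sure we are online.
foreach ($u in $OtherUsers) {
    $short = $u.Split('\')[-1]
    Register-HardenTask -Name "Online for $short logon"     -State enabled -Trigger (New-ScheduledTaskTrigger -AtLogOn -User $u)
    Register-HardenTask -Name "Online for $short switch-to" -State enabled -Trigger (New-SessionTrigger -StateChange 1 -User $u)
}
# System start: always boot connected, even after a restart from the full-admin session.
Register-HardenTask -Name 'Startup - online' -State enabled -Trigger (New-ScheduledTaskTrigger -AtStartup)

function Test-FullAdminOffline {
    # Run from the full-admin session: $true when every listed adapter is disabled.
    -not (Get-NetAdapter -Name $Adapters -ErrorAction SilentlyContinue | Where-Object Status -ne 'Disabled')
}

Get-ScheduledTask -TaskPath $TaskFolder | Select-Object TaskName, State
```

Because a plain sign-out fires no session trigger, the scheme relies on the next account's logon task (or the startup task) to bring the adapters back; that matches the guide's design of giving every non-full-admin account its own "online" tasks.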
To test the Install Admin account's ability to properly run install programs, the following programs were tested:
Security programs are known to require additional rights to set themselves up, which is why security programs were tested among others. Avira, BitDefender and VoodooShield failed to install, and WSUS Offline fails to run; they require the full privilege admin account. Ordinary installation programs like VLC typically don't require as many rights. The aim is to reduce use of the full admin account and so lessen the risk. For normal programs, try the Install Admin account first; if that fails, use the full admin account. To enable your full admin account's internet access, right click on the network icon in the systray, select 'Open Network and Sharing Center', click 'Change adapter settings', then right click on the adapter and choose Enable.
New to ver 4 of Dual Admin, it is now possible to run the following networking commands in the Install Admin account:
The Documents folder has 3 ACL entries allowing access for SYSTEM, you, and the Administrators group. If you right click on the Documents folder and choose Properties > Security tab, you will see this.
The System account is present on almost all files and folders, but as far as can be determined it doesn't need to be. Attackers can also use escalation of privilege attacks to gain use of the System account, because it is as powerful as an admin. You can choose Edit and Remove to take the right away.
However, the Configuration Pack BAT files need System to work, that is, if you unzipped the Configuration Pack into Documents. To work around this, you can create a Security folder under your Users\<YourAccount>\ folder and extract the files there. Just remember to move the contents back to the Documents folder when you're done.
The Administrators group is present so that any admin can access your files in an emergency. This entry can be removed to ensure that the Install Admin can't get at your files: because the Install Admin has internet access, a RAT running in that account could use the Administrators group's access to get at them. Removing the ACL entry ensures that your data stays private. The downside is that when you later remove the account via Start > Settings > Accounts > Family & other users, the Documents folder cannot be deleted and will be orphaned. If the account will never be removed, or if you can remember to reinstate the Administrators group first, then this entry can be deleted.
There is also an option whereby low integrity programs can be prevented from even reading medium integrity locations. That is what the commands below do. When you execute them, your Desktop, Documents, Pictures, Videos and Music folders become unreadable to any program marked as low integrity. The last command makes the Downloads folder a low integrity folder; this is necessary because you need a place to save your downloads (Low can't write to Medium). You will also want to create an Upload folder and copy the files you want to upload there; because this Upload folder has not been processed by chml, the low integrity browser can read it.
Since you also have a Standard User account, run the commands below naming your Standard User account too. Note: this measure only protects you against attacks on your low integrity programs like Internet Explorer (and Firefox or Opera, if you followed the Low Integrity Firefox instructions). But since browsers are primary vectors of attack, this measure is important. You can also experiment and set other internet facing programs to low integrity, like your chat program.
Visit http://www.minasi.com/apps/ to download chml.exe.
Then right click on Command Prompt and choose 'Run as administrator'.
Then execute the following commands for each user:
cd "\Users\<yourAccName>\Downloads\chml" (or wherever you saved chml)
File History saves your documents, pictures, music, contacts and IE favourites to a removable drive (or USB key). It does so every hour by default and keeps versions of the files as they change. This is a very convenient method of performing backups and should be used. Just remember to unplug the USB key when you shut down the computer and carry it with you, or else attackers will gain access to all your files.
Go to Settings > Update & Security >Backup and click on "Add a drive"
Because browsers are the primary interface to the web and are used by everyone, they are a PRIMARY vector of attack. Attackers will compromise a website and modify it to deliver malware, using security holes in the browser. Or they can send attacks forging the address of a web page you are on (if you always have a tab of your favourite web site open, they can forge that site's address and send attacks).
Internet Explorer was the most popular browser because it was installed by default. Edge may soon surpass it in popularity because it is pinned to the taskbar.
Internet Explorer has an important defense mechanism called Protected Mode, which is built on integrity levels. Basically, the user's files and most of the system are marked Medium integrity, while frequently attacked programs like Internet Explorer run at Low integrity. Low integrity cannot modify Medium. So even if someone compromises IE, they cannot modify your system or your documents. You can set the integrity level of a program yourself, so you can make Firefox or other browsers use the same protection.
Popular alternatives to IE are Firefox, Opera and Chrome. Security holes have been discovered in them just as in IE, but they are reputed to be more secure, primarily because they don't use ActiveX. There are ActiveX code libraries strewn about Windows, and many are not safe for web use. Attackers often make IE call these ActiveX modules as a means of attack.
Set IE to use Protected Mode Always
Control Panel/Internet Options/Security Tab
Checkmark 'Enable Protected Mode' for every zone.
Login to EACH user account and repeat.
Set IE to use ActiveX Filtering
Open Internet Explorer, Gear icon / Safety / checkmark ActiveX Filtering
Login to EACH user account and repeat.
IE makes an unfortunate distinction based on the source of a web page: by default, if a web server is within your network (like a company web server, in the Local intranet zone), Protected Mode is disabled. But if an attacker wants to attack your network, they can simply attack your web server first and let their tools spread when internal visitors use the infected company web server.
Set IE11 to use Enhanced Protected Mode
Windows 8 and later have Enhanced Protected Mode, which protects your private files and folders like the Documents folder. However, to remain compatible with plugins like 3rd party toolbars, Enhanced Protected Mode has to be enabled manually. Go to Control Panel > Internet Options > Advanced; scroll the Settings list to the Security section.
Checkmark 'Enable 64-bit processes for Enhanced Protected Mode'.
Checkmark 'Enable Enhanced Protected Mode'.
Note that by doing this, some plugins may not work.
Note: the above settings are per user, so you have to enable them individually for EACH account. I will remind you of this at the end of this document.
Mozilla Firefox is open source software. Proponents of open source say that because the code is open for all to inspect, it makes for a safer product (as opposed to IE, which only a limited number of MS programmers work on). Mozilla also runs a bug bounty program that pays outside researchers for reporting Firefox vulnerabilities.
To cover the angle of malicious ads, there is a plug-in called AdBlock Plus. It removes ads from sites; a side benefit is that sites load faster without them.
There is another Firefox plug-in called WOT (Web of Trust). It marks search engine results with ratings: if a site is known to deliver malware, you will see a red danger icon next to it, and you can click on the icon to see detailed ratings by threat category. The ratings are driven by the community. WOT is now also available for Internet Explorer. Be aware that in 2016 WOT was found to be selling its users' browsing histories and was temporarily pulled from the browser add-on stores, so weigh that privacy cost before installing it.
There is another free plug-in by McAfee called SiteAdvisor. It also marks search engine results with a safety rating icon, and it works with both IE and Firefox.
There are lots of plug-ins and browser extensions named very close to the real/original ones. Some have been found to host malware, so your protection is out the door once you install them. When in doubt, don't install.
Low Integrity Firefox
As mentioned above, you can enhance Firefox's security by setting it to low integrity. Open an elevated command prompt and copy and paste the following commands, one line at a time, substituting <yourAccName> and <nextAccName> with your account names. The path below is for 32-bit Firefox; 64-bit Firefox lives in "C:\Program Files\Mozilla Firefox". Note the icacls syntax: the inheritance flags (OI)(CI) are attached directly to the level and separated from the /setintegritylevel switch by a space.
icacls "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" /setintegritylevel low
icacls "C:\Users\<yourAccName>\AppData\Local\Temp" /setintegritylevel (OI)(CI)low /t
icacls "C:\Users\<yourAccName>\AppData\Local\Mozilla" /setintegritylevel (OI)(CI)low /t
icacls "C:\Users\<yourAccName>\AppData\Roaming\Mozilla" /setintegritylevel (OI)(CI)low /t
icacls "C:\Users\<yourAccName>\Downloads" /setintegritylevel (OI)(CI)low /t
icacls "C:\Users\<nextAccName>\AppData\Local\Temp" /setintegritylevel (OI)(CI)low /t
icacls "C:\Users\<nextAccName>\AppData\Local\Mozilla" /setintegritylevel (OI)(CI)low /t
icacls "C:\Users\<nextAccName>\AppData\Roaming\Mozilla" /setintegritylevel (OI)(CI)low /t
icacls "C:\Users\<nextAccName>\Downloads" /setintegritylevel (OI)(CI)low /t
Note that for Firefox to run as low integrity, the \AppData\Local\Temp folder also had to be set to low integrity, whereas previously it was medium. This folder may contain sensitive temporary data from other applications. An intruder gaining access through Firefox may be locked into low integrity and unable to change system settings, but he can glean data from this folder, which may be undesirable.
Note: every time you update Firefox, you have to re-run the command that makes the exe a low integrity program (... /setintegritylevel low), because the update replaces firefox.exe with a fresh, medium integrity copy.
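Because a forgotten re-label after an update silently undoes the whole set-up, it is worth having a check. The following is an added example (not from the guide) that reads the mandatory label of each path from icacls output and re-applies 'low' only where it is missing, so it can be run after every Firefox update without side effects. The Firefox path is the 32-bit one used above and the account names are placeholders; both are assumptions to adjust. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the guide: verify and repair the low integrity
# labels used by the Firefox set-up above. Paths/accounts are assumptions.

$FirefoxExe = 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
$Accounts   = @('<yourAccName>', '<nextAccName>')     # substitute real account names
$LowDirs    = 'AppData\Local\Temp', 'AppData\Local\Mozilla', 'AppData\Roaming\Mozilla', 'Downloads'

function Get-IntegrityLabel {
    # icacls prints "Mandatory Label\Low Mandatory Level:..." for labelled objects.
    # An object without an explicit label is treated by Windows as Medium.
    param([string]$Path)
    $out = (icacls.exe $Path 2>$null) -join "`n"
    if ($out -match 'Low Mandatory Level')  { return 'Low' }
    if ($out -match 'High Mandatory Level') { return 'High' }
    'Medium'
}

function Repair-LowIntegrity {
    # Re-labels only what is not already Low, so repeated runs are harmless.
    param([string]$Path, [switch]$Recurse)
    if (-not (Test-Path -Path $Path)) { return "$Path : missing" }
    if ((Get-IntegrityLabel -Path $Path) -eq 'Low') { return "$Path : ok" }
    if ($Recurse) { icacls.exe $Path /setintegritylevel '(OI)(CI)low' /t /q | Out-Null }
    else          { icacls.exe $Path /setintegritylevel low /q | Out-Null }
    "$Path : relabelled, now $(Get-IntegrityLabel -Path $Path)"
}

Repair-LowIntegrity -Path $FirefoxExe
foreach ($acc in $Accounts) {
    foreach ($dir in $LowDirs) {
        Repair-LowIntegrity -Path (Join-Path "C:\Users\$acc" $dir) -Recurse
    }
}
```

Running the script right after an update should report only the exe as relabelled; if a profile folder also comes back relabelled, something recreated it at medium integrity and Firefox would have been unable to write to it.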
Opera is another alternative browser. What is good about them is that they patch publicly disclosed vulnerabilities quite quickly. There is also a WOT plugin for this browser. Opera, the current version 56.0.3051.104, together with Windows 10 v1809 supports more Windows Defender Exploit Protection mitigations than Chrome and is more secure. Low integrity Opera: if you run Opera using the desktop icon for launcher.exe, Opera is launched at integrity level Untrusted, so there is no need to set the integrity level with icacls.
See Automated Configuration section.
It is also prudent to password-protect your BIOS/UEFI setup so that people cannot change how your PC boots, and to set the boot order so that it boots the hard drive first rather than the CD/DVD or a USB stick. If an attacker can boot a Linux Live CD on your PC, they will be able to mount your hard drive and read all data from it, bypassing all Windows security.
Physical security is very important and should not be overlooked. If someone has physical access to your PC, they can bypass a lot of the hardening that was done.
For example, if an attacker could access your PC and boot a Linux Live CD, he could read and copy all files from the Windows disk partition. Or he could remove your hard drive and put it into another PC as a secondary drive and get the data off that way. Either way, Windows' password security is of no use, because the hard drive's copy of Windows was never started.
Lock your office or study room or bedroom containing your PC.
BitLocker is a full disk encryption feature of Windows 10 Pro. When it is active, the whole drive is encrypted and cannot be read from another copy of Windows or from Linux without the key. This eliminates the offline attacks mentioned above. (Windows 10 Home lacks BitLocker management, but on hardware that supports it offers 'Device encryption' under Settings > Update & Security, which protects against the same offline attacks.)
In the Configuration Pack, the above 'custom view' filters are in the folder "Event Viewer Custom Views". Simply choose 'Import Custom View' to import each xml file one by one.
Now that Windows is hardened, most of the vulnerabilities you face will come from applications. The concepts underlying app protection are the same as for the OS: be careful of apps that have high privileges, scrutinise network facing apps, and patch and upgrade when new versions are posted. Monitor Event Viewer's "application hang" and "application error" custom views; if something fishy happens right after an application hang or error, there is a chance you have been attacked. Be aware of what is normal and what is not. Know the protection settings that have been applied and notice when a change is made (by an attacker). For example, your full admin's Documents folder has been set to have only 1 ACL entry, full access for the full admin; if you find that another entry has suddenly been added giving access to, say, the Administrators group, then something is wrong.
If you have several machines, you might consider setting up an event log collector machine. The benefits are:
Logalyze install consists of 4 downloads:
To see the logs that Logalyze collected, go to the Search tab, set the time frame drop down, and click on the magnifying glass icon to the right of the search bar.
To search for several Event ID's, just type in each number separated by space and an upper case "OR".
To find logs of a particular Windows machine, type "loghostname:" followed by the Windows Computer name which you find in This PC > Properties; for example "loghostname:desktop-u3ehvod". To find logs of a device like your router, use for example "loghostname:192.168.0.1" where 192.168.0.1 is your gateway/router's ip address.
You can find event ID's on a particular machine, for example "loghostname:desktop-u3ehvod AND 4624".
To save a query/search, click on the floppy icon to the right of the search bar. To see your saved queries, go to the Admin tab, click on Definitions pull down and choose Query Definitions.
Routers and Linux generally expect the syslog server to run on UDP port 514.
Intrusion detection also has to do with noticing that things are different from what is normal. Your PC was running perfectly on day 1 after hardening; is it doing anything different today? To answer that question, we need baselines.
What we want to know is what programs normally run when we first log in. If we know that, then we can be sure that we aren't contaminated with spyware or other hacking tools. There are 2 programs we want to get, both free. The first one is Autoruns, available from http://technet.microsoft.com/en-us/sysinternals/bb963902. It doesn't have a setup program; just download, unzip, create a folder under \Program Files and copy the files there.
Autoruns lists all the places in the registry and file system where programs are set to auto launch. Right click on it and choose Run as administrator, and use File/Save to take a snapshot of each account's current settings. Later on, during your regular system checkups, use the File/Compare feature to see if anything is different. New entries show up in green. If all green entries are good, save the file again with today's date, and compare against the new file at the next scheduled check.
The second program is Process Explorer, available here: http://technet.microsoft.com/en-us/sysinternals/bb896653
This program is like Task Manager, but it shows more info. Much malware names itself with familiar Windows program names, trying to hide. Log in to your admin account, then right click on Process Explorer and choose 'run as admin', go to View/Select Columns and checkmark 'command line'. Then do a File/Save. The resulting text file is now a snapshot of what normally runs when you first log in.
When you do a comparison using Process Explorer, note that you cannot use a file comparison tool like 'fc' (file compare) to check for differences, because the PID (process identifier) of each program/process will be different on different boot-ups. You would have to do a visual check of the command line. Next, reboot your PC and open an elevated command prompt with 'run as admin', and type
Now we have 4 baselines; save them onto a USB memory stick for use in comparisons later. One should also save the Autoruns and Process Explorer files onto the memory stick as well, because after an attack, programs may get altered or rendered unusable. You have to keep the baselines on a USB memory stick because attackers will modify your baselines to make you think nothing has changed.
The last thing to do when doing baseline comparisons is to run "sfc /scannow" to determine if any system files have been modified. SFC holds the correct Windows file signatures and compares them to the current setup. It will also fix the problem.
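An added example, not part of this guide, of the PID-insensitive comparison described above, in Python: it diffs two constructed process snapshots by name and command line only (so changed PIDs never show up as differences), and flags any new entry whose executable sits outside the usual program directories or in \Windows\Temp. The tab-separated snapshot layout is an assumption for the example, not the exact Process Explorer file format.

```python
import re

# Constructed sample snapshots (assumed layout: Name<TAB>PID<TAB>Command Line).
# Same programs on both days, but today an extra "svchost.exe" is running from
# \Windows\Temp, and the user-mode PIDs have all changed, which is what 'fc' trips over.
BASELINE = """\
Process\tPID\tCommand Line
System\t4\t
svchost.exe\t812\tC:\\Windows\\System32\\svchost.exe -k netsvcs
explorer.exe\t2204\tC:\\Windows\\explorer.exe
MsMpEng.exe\t1650\t"C:\\Program Files\\Windows Defender\\MsMpEng.exe"
"""

TODAY = """\
Process\tPID\tCommand Line
System\t4\t
svchost.exe\t904\tC:\\Windows\\System32\\svchost.exe -k netsvcs
explorer.exe\t3120\tC:\\Windows\\explorer.exe
MsMpEng.exe\t1788\t"C:\\Program Files\\Windows Defender\\MsMpEng.exe"
svchost.exe\t5566\tC:\\Windows\\Temp\\svchost.exe -k netsvcs
"""

# Where legitimate programs normally live ...
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# ... and a location under \Windows that the guide itself names as a hiding place.
SUSPECT_DIRS = ("c:\\windows\\temp\\",)


def parse_snapshot(text):
    """Return {(name, command_line): count}. The PID column is read and discarded."""
    counts = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        name, _pid, cmd = line.split("\t", 2)
        key = (name.strip().lower(), cmd.strip())
        counts[key] = counts.get(key, 0) + 1
    return counts


def diff_snapshots(baseline_text, current_text):
    """Entries that appeared (or gained instances) and entries that disappeared."""
    base, cur = parse_snapshot(baseline_text), parse_snapshot(current_text)
    added = sorted(k for k in cur if cur[k] > base.get(k, 0))
    removed = sorted(k for k in base if base[k] > cur.get(k, 0))
    return added, removed


def image_path(cmd):
    """Executable path from a command line: the quoted path or the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def suspicious(cmd):
    """True when the program runs from a suspect directory or outside the trusted ones."""
    path = image_path(cmd).lower()
    if not path:
        return False
    return path.startswith(SUSPECT_DIRS) or not path.startswith(TRUSTED_DIRS)


def report(baseline_text, current_text):
    """Summary a checkup would print: what changed, and which changes look disguised."""
    added, removed = diff_snapshots(baseline_text, current_text)
    flagged = [f"{name} -> {cmd}" for name, cmd in added if suspicious(cmd)]
    return {"added": added, "removed": removed, "flagged": flagged}


if __name__ == "__main__":
    for key, value in report(BASELINE, TODAY).items():
        print(key, value)
```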
You should definitely install antivirus and antispyware programs. However, note that you can only have one realtime antivirus program. The realtime capability monitors file access and file modifications as they happen, and having more than one realtime antivirus will cause problems. Having more than one anti-spyware program usually doesn't cause problems. Windows 10 has Windows Defender installed by default, which is an antivirus program. It will also scan ActiveX components before use and does network behaviour monitoring.
Bear in mind that no antivirus/anti-spyware program will catch everything you encounter. One study found that the best detection rate is around 60%. Vendors can't hope to have captured and analyzed ALL the viruses out there, because lots of new ones are introduced every day.
Yes, you can't fully trust your antivirus program to do a perfect job. To be on the safe side, use online scanners once in a while to double check. There are quite a few of them: TrendMicro Housecall, BitDefender, Kaspersky, Panda and ESET. Google for "online scan" and you will see them.
If you download stuff from P2P and BitTorrent, beware. Lots of infected programs are floating around. They would even work as expected, except that they will also get you infected. And those viruses tend to be new ones, so most likely your antivirus program will not even beep. You have been warned. The best that you could do is upload the file to virustotal.com and let them run your file against their 39 antivirus programs, and then decide if you want to keep the file or not. You have to remember that it is hackers who release pirated software, cracks and keygens, and they seed these files on P2P and BitTorrent. And most likely, they also want to own your PC. Also, antivirus tools are no match for hackers. Hackers' attack tools always evade AV protection because they test them against common security protections to make sure they cannot be detected. AV programs also do not detect remote access tools because they can be used legitimately or otherwise.
Security suites are very popular. For example, Norton includes antivirus, anti-spyware, anti-rootkit, smart firewall, network monitoring, parental controls, anti-spam and more. They certainly seem to be value for your money. But when weighing effectiveness, many choose a best of breed, mix and match, solution. For example: one can use ESET antivirus and anti-spyware, Webroot anti-spyware, Windows firewall, NetNanny parental control, Gmail’s anti-spam and Gmer anti-rootkit.
If you are considering security suites, then you should also Google for "<brand> end point protection". End Point Protection is the name used for antivirus suites for businesses. And like MS's way of adding more security features for Windows Enterprise, the business products of major antivirus brands offer more security features. Most will also offer a trial version, so you can test them before making the leap.
One type of program you must have is an anti-executable. Unlike anti-malware programs, it is not signature based. This class of protection stops any program from running unless you have clicked on it or it resides in a small whitelist. So if you clicked on it, then it runs; if you didn't, then it gets blocked. This stops drive-by downloads, where web sites get hacked to deliver malware. Also, many exploits download malware of their choosing (mostly RATs) and execute it. Anti-executables are a great class of protection to have. There are several on the market, like Anti-Executable, AppGuard, No Virus Thanks EXE Radar Pro, and Voodoo Shield. The last one is free. Note: you have to allow Voodoo Shield outbound in the firewall.
For your maintenance routine, you should do 2 more things.
1. Check that your antivirus is still alive and active. Go to http://www.eicar.org/86-0-Intended-use.html and copy that test virus line of text, paste it into Notepad, save it and try to open it again. Your antivirus should detect it.
2. Do an antivirus scan.
Both are straightforward to install and do not require Linux experience. You simply download the ISO file and burn the image to disk, then boot with it and follow the prompts.
Note: only enable Guardian intrusion prevention if you are using IPFire as the main router. If IPFire is behind another router, then it will only see that router as the source of intrusion and block that.
A honey pot is usually an unused dummy system set up just to lure attackers. Once you notice traffic on it, it is guaranteed that you have an attacker. You can set up auditing for a 'honey folder' which you never click on, to act as an intrusion detector.
First create a folder, called for example 'Plans for the New Year', then right click on it and choose Properties. Then go to Security tab > Advanced > Audit tab. First you set up which user account to watch for, then leave the settings for 'Read and Execute', which will generate an Event Viewer entry.
If you have the Configuration Pack, the Event Viewer custom views xml files allow you to import the custom views. Click on 'Access audited file' view to see the entries generated by the intruder. Also, you have to run the Harden Audit BAT and the Harden Security Options BAT to enable the auditing.
Take care not to audit folders and files you normally use, because each access generates 6 or more entries, which could fill up the log and cause old entries to be purged.
This class of spyware deserves mentioning on its own. Unlike other hacker attacks, these do not aim to penetrate and gain admin rights, but they are deployed by criminal hackers. They function in a standard account. Their aim is to capture credentials to your web accounts like banking account numbers and passwords, email accounts and others. Antivirus programs do not detect them. To counter these, I know of 2 programs. Zemana AntiLogger (http://www.zemana.com) has anti-keylogger as well as anti-screen-grabber functions. The other one is KeyScrambler (http://www.qfxsoftware.comm), which is only an anti-keylogger. (Both programs now have free editions.)
The first thing you should do if you suspect an intrusion is to determine if it is really an intrusion. For example, let's say you found in Event Viewer that the XXX service has stopped and restarted. It may look like an attack, since if everything was hunky-dory that error should not occur. But if you look further down at past events, you may see that it did the same thing while you were still configuring the machine and it was offline then. Some Windows errors may be due to misconfiguration, and some Windows errors happen on their own anyway. Those may be error messages that were designed to be observed by the programmer, so they can write code to catch those error conditions and have the program react to them. For example, if you were going to burn a DVD and didn't put a blank DVD in, the program would throw an error, and the programmer would write code to respond to that error message and put up a dialog box to tell you there is no blank disk in the drive.
The next thing to do is to run security programs like antivirus and antimalware. Hopefully they identify something and quarantine it. Hackers don't use viruses and malware most of the time; they are too easily identified and removed by common security programs. For example, most AV and antimalware are useless at detecting remote access tools. The reason is that remote access tools may be legitimately used by the computer user to give access to their friends or service technicians, or to themselves when they are in a remote location like a coffee shop.
The next step is to contain the attacker, and make sure that the attacker cannot progress further to totally own the machine and attack other machines in your network. Close all browsers and networking apps, so that the connection traffic dies down. Then open an administrative command prompt and do "netstat -anbo". This will show all the connections to the machine. The program which makes the connection can sometimes be listed too. If it can't be listed by netstat, take the number in the PID column and look that PID up in Task Manager > Details tab. The attacker's program is often disguised by naming it with a familiar Windows exe name. Right click on the column titles bar and choose Select Columns, then checkmark 'Command Line'. This will show you the true location of that seemingly Windows program; maybe it is actually located in \Windows\Temp. Netstat's or WinDump's connection listing while the machine is quiet gives you the connections' IP addresses. Open the browser and Google for "ip to domain". This will list several sites which let you see what domain an IP address belongs to. Go through the connections' IP address listing individually, and see what organizations they belong to. If the domain belongs to Microsoft, then ignore that one. If it belongs to a residential internet service provider, or to a company that may offer public hotspots like Starbucks Coffee, then you may have identified your attacker. Google the organization's name to find out if it is a residential ISP or a business-oriented network provider.
The ip-to-domain tool will also give you the attacker's IP network address range. Let's say the network's IP range is 206.248.168.128/26. Now create a firewall inbound rule that blocks that address range.
The reason to block the network range instead of a single IP address is that the attacker may be able to move to another connection within her network. And blocking the entire network of a residential ISP couldn't hurt, or maybe you are blocking the entire Russian militia.
One may choose to block the network IP range at the Windows firewall or the router firewall, if the router has a firewall rules feature. Most Linux based firewall distros have that. An easy-to-use one is SmoothWall.
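An added Python example, not part of this guide, for the containment steps above: it parses a constructed 'netstat -ano' style listing, keeps only the peers outside your own machine and LAN together with the PID that owns each connection, checks them against the 206.248.168.128/26 range used as the example above, and builds the standard netsh line for the inbound block rule. The sample addresses and PIDs are made up.

```python
import ipaddress
import re

# Constructed sample shaped like 'netstat -ano' output (Proto, Local, Foreign,
# State, PID). The addresses and PIDs are made up for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.0.10:49712     40.77.226.250:443      ESTABLISHED     3120
  TCP    192.168.0.10:49801     206.248.168.150:4444   ESTABLISHED     5566
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     1650
  UDP    0.0.0.0:514            *:*                                    2204
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); also handles '[v6]:port' and the '*:*' wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def remote_peers(text):
    """[(pid, remote_ip, remote_port)] for connections to addresses outside the host and LAN."""
    peers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _proto, _local, foreign, _state, pid = m.groups()
        host, port = split_endpoint(foreign)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' wildcard or something unparsable
        if ip.is_unspecified or ip.is_loopback or ip.is_private or ip.is_link_local:
            continue  # listeners and local/LAN traffic are not what we are hunting
        peers.append((int(pid), str(ip), port))
    return peers


def in_block_range(ip, cidr):
    """True when the address falls inside the range chosen for the inbound block rule."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def peers_in_range(text, cidr):
    """Which live connections already come from the range about to be blocked."""
    return [p for p in remote_peers(text) if in_block_range(p[1], cidr)]


def block_rule_command(cidr, name="Block attacker range"):
    """The netsh line that creates the inbound block rule for the whole range."""
    ipaddress.ip_network(cidr, strict=False)  # refuse to build a rule from a bad range
    return f'netsh advfirewall firewall add rule name="{name}" dir=in action=block remoteip={cidr}'


if __name__ == "__main__":
    for pid, ip, port in remote_peers(SAMPLE_NETSTAT):
        print(f"PID {pid} -> {ip}:{port}")
    print(block_rule_command("206.248.168.128/26"))
```

Run the netsh line from an elevated command prompt; the PID-to-program lookup is still done in Task Manager as described above.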
Now you have to decide what to do with the resident evil code on your machine. There are 2 choices: 1) try to remove it; 2) back up your data and restore from image.
Removing an infection requires someone who investigates malware every day, as it is released. You may have an embedded remote access tool and not malware, but there are similarities between the two. There are malware researchers who do this for a living. They are the people who work for the likes of Norton, Kaspersky or Snort. Thankfully, some also donate their time in free forums to help the public. Here are two. Google for 'malware removal forum' to see more.
Note that the removal process might take a day or two. The forums' helpers will ask you to download detection tools, and ask you to paste the tool's output report back to the forum. If one tool does not reveal anything, they will ask you to download another tool and repeat. Finally they will offer a removal tool together with a custom script, which removes your particular infection. This is the only route to go if there is no backup of program installers and install keys.
If one or two days is too long, and you need to resume work quickly, then backup your data and restore from image. That's almost what larger companies do: they backup an image of the infected hard drive and RAM and give those to their forensics department; then they restore the machine from image. Then they would restore yesterday's data from backup tapes. So one loses a morning's work, but is able to get up and running in a few hours. Forensics will investigate deeper into the attack code, and the incident responders will dig deeper in the networking logs. Perhaps the attack compromised other workstations, perhaps a Windows server; larger companies have the resources and need to investigate.
Security is a process that continues after we perform hardening. Your hardened Windows 10 is good and now has multiple layers of security, but new vulnerabilities will be discovered in various software that you use and weaken your stance. Take the case of the browser: attackers target browsers all the time, and new security holes will be revealed. One has to know when these holes are discovered, and take steps to mitigate.
The first step is to know about the new vulnerabilities. The following websites report on security matters:
You should visit them once a week to learn of new security vulnerabilities. The articles will tell you about new security holes in applications or the OS, which version they apply to, and give a brief description of the weakness. Sometimes, the software vendor will tell us of a configuration change to apply for the time being, until they have a patch ready. Also, the articles may tell us if attacks using the vulnerability have been spotted in use. This information is of great help in maintaining security. To continue our browser example, let's say the new vulnerability involves the Opera browser's auto-update tool. Then you might mitigate that by using another browser for the time being, and monitor the vendor's site for a new version release. Or Opera may issue an advisory telling us how to disable that feature in the registry. (PatchMyPC will also tell you when new program versions have been released, as mentioned previously.) The main thing is that you get to know about potential problems from these web sites and take steps to mitigate.
Next, as part of the security process, you have to monitor your system and detect attacks. You have to perform those log checks, baseline comparisons, and virus scans (as mentioned earlier) on a regular basis, like every 1 or 2 weeks. We are being lax here already, for in a secure environment they use SIEM tools (Security Information and Event Management) to monitor logs on a real time basis. Monitoring is crucial, as even the most hardened system will have holes in its defenses. We cannot think that our hardened system is impervious.
After a few months of use, computer settings invariably change: new software installed, new devices added, etc. We now have to check that all security settings are still in place. For example, are the user accounts still standard accounts, or has one been changed to admin for temporary problem troubleshooting? Has Simple Software Restriction Policy been disabled? So, after you put those locks on the doors, are they still locked? Or has there been tampering? We have to revisit the hardening process and check everything. This is to ensure that the system is still as secure as day one.
Note that 32 bit Windows is not covered by the Dual Admin file (which is a set of ACL configs). There are many more executables on a 32 bit machine.
If you wish to revert the changes to out-of-box defaults, use:
To configure, right click on the bat files and choose 'Run as Administrator'.
To configure manually, open an elevated command prompt (right click on Command Prompt and choose 'run as admin') and type in the following command:
SecEdit /configure /db <any_name>.sdb /cfg <template.inf>
The <any_name>.sdb will hold the configured results; you make up the filename, but the file extension must be .sdb. The <template.inf> is either one of the templates named above.
Also provided in the package are Event Viewer 'custom view' xml files. These xml files set up filters for select event IDs, so that you get to see, for example, all login failures in one screen.
Use this bat file to set up what events to audit. It also sets up the event log maximum file sizes for Application, Security and System.
It sets up the following:
Use this bat file to set up the password and account lockout settings.
Use of this file requires that you understand what the settings do. The numbers are:
Password history means that the system will remember the 24 previous passwords so that they cannot be reused, which forces each new password to be unique.
Password age means that the system will prompt you 14 days before the 60 days are up to change your password. A minimum password age of 1 day means you cannot change your password again until 1 day has passed. This is so that users cannot rotate 24 times rapidly and reuse an old password.
Minimum password length is 14 characters. If you use a passphrase, then this shouldn't be a problem. Complexity requirement means that the passphrase must include upper and lower case, numbers and symbols.
The lockout settings are as follows:
What these numbers mean is that you are allowed 50 tries to get the right password. After that, the system locks up for 15 minutes. So, when you realize you have forgotten a password, write down the various passwords that you want to try and try to find the right one within 50 tries. After 50 tries, the system will not respond until 15 minutes have passed.
Unfortunately this can give rise to a denial of service (DoS) attack, where the attacker randomly tries out 50 passwords and her aim isn't to get in but to lock you out of the system. If we don't define a threshold number for password attempts, then an attacker can use a program to brute-force or dictionary-attack the system, because they can do so an infinite number of times. If you realize that such a DoS attack is taking place, all you can do is unplug the ethernet cable and go for a 15 minute break.
Use the 'Dual Admin.bat' to stop the standard user accounts from accessing command line admin tools. This script also sets up a heavily restricted admin account for installing non-security software. Together with this, you should set up the included login scripts that take the full admin account offline automatically upon login. This aids in combating attacks where the attacker has remote access to your machine.
Some of these settings default to 'undefined'. And because SecEdit does not handle settings that specify 'undefined', no restore bat file is offered to reverse these password and lockout settings.
Lastly, there is a security options file:
This file includes a group of security settings, as follows:
The 'security options' settings, audit, and 'password and lockout' settings are taken from MS Security Compliance Manager tool.
Run Java in Control Panel (if you have installed it). Go to Security tab, uncheckmark 'enable Java content in browser'.
If you have Google Chrome, enable Strict Site Isolation: go to "chrome://flags/#enable-site-per-process", then enable Strict Site Isolation.
For each account you created, do the steps in "New Account To Do List" section.
This PC > Properties > Advanced System Settings > System Protection tab > Create button.
This is important, your last line of defense is restoring from backup. This backup saves all of the settings you have done so far so you don't have to repeat them when you need to reinstall Windows. There is a free image backup tool called Macrium Reflect, available from here: http://www.macrium.com/reflectfree.aspx. Use the tool to create a drive image and store it in an external USB hard drive. Don't forget to create the rescue CD.
When you are finished with hardening, move the hardening scripts folder to a USB memory stick or a USB drive. Don't leave it for the attacker to discover.
Whenever you choose to install a new application, you need to consider its security ramifications. For example, an older app which needs admin rights and accesses the internet is bad. That's because one successful attack will give the attackers admin rights over your machine. Another thing is listening apps. Technically they are servers, like an FTP server, as revealed by doing 'netstat -abn' from an admin command prompt, and any such app listens 24x7 to anyone who cares to connect. While you may sleep, servers do not, and you won't be around to monitor their security. One may point out that FTP servers have username and password protection. But attackers don't usually attack the main entrance. If you are deploying a server, it would be a good idea to restrict connections to your friends' IP addresses in the firewall rules (bearing in mind that home ISPs change residential IPs frequently, and you'd have to update those IP addresses frequently).
It's a good idea to check out www.exploit-db.com to look for the existence of any attack exploits before installing any app. Some exploits only work in certain versions of the software. So if you find an old exploit, there is a chance it won't work against newer versions. But to be really sure, you would have to compile the exploit and test it, which, if you aren't a programmer, can be difficult. Be aware of the risk and decide.
Always try to find installers that do not require internet access. Google for the "offline installer" of the program. Web based setup programs are hazardous: they require a connection to the net while running as admin. And also most setup installers require turning off your anti-exe and other protection.
When Software Restriction Policy is set up, remember that programs will not run when they are located outside of \Windows or \Program Files. To enable your install program to run, let's say from your Downloads folder, you have to go to Local Security Policy > Software Restriction Policies > Security Level, and set Unrestricted as the default policy temporarily. Always remember to re-enable SRP before leaving your admin account.
Do not be tempted to add your Downloads folder as an exception to SRP, as attackers will find that out and place their wares in there and run them.
When installing security programs, some installers require default settings of services and ACLs. In the Automated Configuration Pack, there are 2 bat files: Restore Services bat and Restore ACLs bat. If your antivirus installer causes errors, you can run them and then install your new antivirus and redo Harden Services bat and Dual Admin bat. Kaspersky products (Total Security and Small Office Security) are known to require this step.