Sunday, November 22, 2009

How to get Bullet Proof Windows (Harden MS Windows Vista or 7). Updated 2-11-2010.

This blog will cover techniques you can apply to your Windows Vista or 7 OS to harden them against the ever present malware threat. Straight to the meat, then:



  • Enable DEP for all processes: Go to Control Panel->System->Advanced System Settings->Advanced->Settings->Data Execution Prevention, select "Turn on DEP for all processes and services except those I select."
  • Enable SEHOP for all processes: http://blogs.technet.com/srd/archive/2009/11/20/sehop-per-process-opt-in-support-in-windows-7.aspx
  • I found a new tool, called EMET, this will allow you to turn on various exploit protections system wide, and additional ones on a per-file basis. One of the major ones is 'mandatory ASLR', which has the added benefit of making every .dll that gets loaded by a process ASLR'ed, in the past, various IE8 hacks were done (such as at pwn2own) because not all .dlls that IE8 uses opt into ASLR, EMET, with iexplorer.exe protected, will enable ASLR (and other protections) for all those .dlls which should prevent most every exploit that we have and will see. EMET can be downloaded from: http://www.microsoft.com/download/en/details.aspx?id=1677. In EMET, you should set DEP to always on, SEHOP to "opt out" and ASLR to "opt in" system wide (those are the most secure settings), then click 'configure apps' and add internet explorer, and any other browsers that you have and apps that handle external data (adobe reader/acrobat, media players, office programs, explorer, and so on.) In my testing, this fully works with IE, adobe reader X, and explorer, but it may not work for everything so test it thoroughly before adding to a production environment.
  • In Windows 7, Either maximize UAC (Control Panel->User Accounts->Change User Account Control settings, then move the notch to the top so it's at "Always Notify.")
OR preferably:
Run as standard user, in Control Panel->User Accounts->Change Your Account Type, select "Standard User" and apply the settings. You may need to make a seperate admin account, if you don't have any other admin accounts on your system (or enable the built-in Administrator account ala: http://www.hardforum.com/showpost.php?p=1034950404&postcount=4 ). Running as Standard User is more secure than running as Admin with UAC because programs you elevate with UAC use the same profile as an unelevated Admin, which means infected libraries, etc. might be referenced in elevation mode. When running as Standard user and elevating, programs get their own profile.
  • Require Ctrl-Alt-Del for elevation to Admin: Execute gpedit.msc as admin, navigate to: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface, Enable Require Trusted Path for Credentials Entry.
Registry option for Home Users for require Ctrl-Alt-Del for elevation: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnableSecureCredentialPrompting
set to dword "1".
  • Require ctrl-alt-del for log in - only the OS can receive a ctrl-alt-del sequence, so if you require ctrl-alt-del for log in and elevation, you can be sure no malware intercepted the log in or elevation sequence in order to steal your password, to require ctrl-alt-del for log in, hit windows key+R and type "control userpasswords2" - go to advanced and check the box at the bottom that says "Require users to press ctrl-alt-delete."
This prevents spoofing of the password dialog.
  • If you use Internet Explorer, disable Active-X in the Internet Zone: Internet Options->Security->Internet Zone->Custom Level, set "Run Active-X Controls and plug-ins" to disabled. You can then add sites that have active-x plug-ins you wish to use (e.g. youtube.com) to your trusted zones, by clicking the blue and green globe at the bottom of the internet explorer window and selecting Trusted Sites->Sites->Add. (uncheck require https if necessary.)
  • IE9 has a new feature called 'active-X filtering' this is a much better way to run securely, now you can just enable active-X filtering (gear icon->safety->active X filtering), and for every website that you want to run active-X controls on, just click the blue circle with the line through it, in the address/search bar and select 'turn off active X filtering' - now you only have to do this once per site for sites you want to run active-x controls on, vs. the old method that could result in many dialogs per site, with new content generating new prompts.
  • IE10 desktop version in Windows 8 has a new feature called 'enhanced protected mode'. Enhanced protected mode will run IE10 x64, and run it in a special hardened sandbox better than the previous sandbox. The new sandbox prevents read access to the file system and registry, as well as write access, so it's better than the write-blocking sandbox previously available. When IE10 is run in x64, it uses HEASLR (a feature specific to Windows 8), which stands for 'high entropy address space layout randomization'. I won't turn this into a thesis, but ASLR randomizes addresses as knowing the addresses of code makes it easier for a malicious data file (like .html that you get from the web in your browser) to exploit the running process, so ASLR tries to make it hard to guess the address. Typically if you guess the wrong address and try to exploit, the browser will just crash and close. Previously you could fill up an entire 32-bit address space of 4GBs with 'heap spraying' and probably infect the process any way, but because of HEASLR it will be impossible to do so if you run with enhanced protected mode enable. As the process gets 1TB of virtual memory, and filling it up will cause the machine to run out of memory long before an infection can occur. This is something people are ignorant about when they say x64 programs are unneeded, the security benefits make them greatly needed actually. Enhanced protected mode supports flash, but not many other plug-ins, you will be prompted to load the specific web site in the regular sandbox if the web site uses an unsupported plug-in, which is usually ok and the best available at this time.
  • IE has tracking protection lists, these lists can be used to block malware originators. You should add malwaredomains from http://www.jansal.net/TPL.shtml and maybe some of the others if you choose.
Enable Protected Mode for Intranet and Trusted Sites Zones in Internet Explorer, Internet Options->Security->Intranet Sites, Enable Protected Mode, then click on Trusted Sites, and Enable Protected Mode again. Protected Mode is a sandbox that disallows IE from writing (or possibly reading) other areas of your user profile, it can only write to the temporary internet files directory and can not read areas that have been marked as unreadable to low privilege programs.
c:\-path to psexec.exe-\psexec.exe -d -l "c:\program files (x86)\mozilla firefox\firefox.exe"
or for 32-bit:
c:\-path to psexec.exe-\psexec.exe -d -l "c:\program files\mozilla firefox\firefox.exe"
Filling in the path for psexec.exe, and if necessary for firefox (and possibly drives.)
  • Also for firefox users, run the noscript plug-in to block plug-ins and scripts except on trusted sites.
  • Enable Auto-Updates: Control Panel->Windows Update->Change Settings, select "Install updates Automatically" and install updates "everyday." Enable Microsoft Updates.
  • Use chml.exe (get from http://www.minasi.com/apps/ ) to mark your valuable data on your system as unreadable to sandboxed/protected mode internet explorer and firefox. For example: chml c:\financial_data -i:m -nr -nx -nw
(chml will have to be run from an elevated cmd.exe prompt) Will make c:\financial_data unreadable, unwriteable, and unexecutable to IE and FF, so if they are exploited they can not read c:\financial_data at all (nor write, but that is standard for all directories). Note that you will not be able to upload from such directories with IE or FF, you will have to copy the data out of there to the desktop for instance, first, before uploading to a site like flicker or google docs, for example.
  • Run Microsoft Security Essentials Anti-Malware: http://www.microsoft.com/Security_Essentials/
  • Run Secunia's Vulnerability Scanner to detect vulnerable, out-of-date applications and update them: http://secunia.com/vulnerability_scanning/personal/ - if you do not score 100% in this vulnerability scanner, you need to fix it. Out of date apps are an easy way in for malware.
  • Read and apply information from MS' Security Research and Defense blog: http://blogs.technet.com/srd/default.aspx
  • Run 64-bit versions of Windows, 64-bit Windows have Kernel Patch Protection and Require Driver Signing, which together prevent rootkit like activity. DEP on 64-bit also protects more kernel structures than in 32-bit.
  • Windows 8 has a lot of new anti-exploit checks on kernel and user program structures, making them it and the programs on it much more secure. If you're not one of the 'metro yucky!' people you should consider it for it's security alone, especially at the $40 upgrade price.
  • When you connect to a network, choose the "Public Network" profile, this is the most secure. Especially choose this when using coffee shop, hotel, airports, etc. wi-fi, and basically any time except when you absolutely know you need the services allowed by the other profiles.
  • I did not include many things here that are security features of Windows, especially more corporate oriented things, like applocker, bitlocker, firewall settings, parental controls, and so on. So you can do additional web research on those things if you need, but I just wanted to mention them so people reading this know about them.
Windows Vista and 7 are already pretty secure see http://news.softpedia.com/newsImage/Vista-SP1-Infection-Rate-60-6-Less-than-that-of-XP-SP3-3.jpg/ - , as you can see, Windows Vista has phenominally low infection rates. Of special interest is that the unpatched Vista RTM has HALF the infections of the fully patched XP SP3. And unpatched Vista infection rates are barely higher than fully patched (at the time of this study) Vista SP1 (compare against XP where XP RTM or even XP SP2 infection rates are much higher than XP SP3), which shows that Vista is highly resistant to 0-day exploits, thanks to things like ASLR, DEP, IE protected mode, stack and heap cookies/checksumming, pointer encryption, locked down ACLed services and so on. The things I listed in this blog will only make you that much more secure when running Windows Vista or 7. Here is a new graph that includes Windows 7 https://www.microsoft.com/security/portal/Threat/SIR.aspx - Windows 7 64-bit has 1.4 computers cleaned of malware per 1,000 executions of MSRT, a terrific showing.
A word on being a smart user; Be aware that the internet is full of thousands or maybe millions of people who will do anything, say anything, etc. to compromise your system and private information. Do not respond to emails, IMs, text messages, etc. requesting passwords, PINs, credit card numbers and so on. Financial institutions and internet sites (paypal, ebay, so on.) do not do this. Do not click on links in emails, they may take you to bank.com.ru (a russian hacker site for example) instead of bank.com (your banking institution's website), and bank.com.ru may look exactly like bank.com in order to get you to give up a password or PIN or whatever. Also do not download executables and run them from porn and warez sites, or really any random site on the internet. A good tip is to use google to search for the name of any particular utility or tool you want to use that you find on the internet BEFORE running it, if it's legit there will be lots of people in forums discussing said program/game/whatever, and legit sites are more likely to be at the top of search results as well, giving you a good place to download from.
And for goodness sake, do not believe web browser pop-ups that say you're infected and you need to download an anti-virus to get rid of the virus, for the thing you download is actually the virus and you'll be sorry (and a nuisance to everyone else on the internet.)
Hope this helps, as I find more I will update.