windows hardening CS paper
Use a Non-Administrator Account
Windows ships with the Administrator account and Guest account by default. A password is not required to log on. At least 60% of the machines I encounter in both home and business environments are running this way. Many current exploits are written to find and attack machines set up this way. Connected to the Internet and running as Administrator, an exploit is capable of:
Install and start services
Install ActiveX controls, including IE and shell add-ins (common to both adware and spyware)
Install kernel-mode rootkits and keyloggers (hard to impossible to detect)
Access data belonging to all users on the machine
Cause code to run whenever anyone logs on to the computer (including capturing user names and passwords entered in the Ctrl-Alt-Delete logon dialog)
Replace normal OS and program files with Trojan horses
Disable or even uninstall anti-virus programs
Cover its tracks in the event log to avoid detection
Access any other computer you are also Administrator on and gain control of those computers as well
The list goes on and on.
Rename the Administrator account, and then password-protect it. Then, set up a limited account for yourself and all other users of the computer as well. Remember to use a password for the new accounts. Use the limited accounts for all general computing needs, especially Internet and email use. Never use the Administrator account unless it is necessary (installing or uninstalling programs, Windows updates, etc.).
In some business environments, this can cause a problem because some everyday applications require Admin account privileges to run properly. Why, you ask? Because in many cases it is easier to write a program this way. If you have a program that needs Admin privileges to run properly, you will have no choice, but I recommend pressuring the software vendor for a newer version that will run with a limited user. If enough users do this, the vendors will begin to respond rather than lose business.
If it helps you make the decision whether or not to take this step, remember that an exploit written to use Admin privilege is stopped from installing, running or executing if you are a limited user.
The built-in Administrator account and Administrators group have the greatest number of default permissions and privileges, as well as the ability to change their permissions and privileges. The object is to prevent an intruder from gaining control over the computer and administrator rights from the built-in Administrator account. To accomplish this, we will rename the Administrator account, change its description, and password-protect it.
Renaming and password protecting the Administrator account
Windows 2000 computers:
Right click on ‘My Computer’ then click on ‘Manage’, which opens the Microsoft Management Console.
Expand “Local Users and Groups”, and open the ‘Users’ folder.
Right click on ‘Administrator’, then click ‘Properties’ and type in the new name for the account. Then, change the description so it no longer indicates it is the built-in account for administering the computer/domain. Left click on ‘OK’.
Right click the newly named account, click ‘Set Password’ and type in and confirm the new password for the account.
Windows XP Pro computers:
Right click on ‘My Computer’ then click on ‘Manage’, which opens the Microsoft Management Console.
Open the Users folder under Local Users and Groups, right click on ‘Administrator’, click ‘Rename’ and type in the new name for the account.
Right click the newly named account, click ‘Properties’ and change the description for the account so as not to reveal its true nature. Click on ‘OK’.
Right click on the new ‘Administrator’ account, and click ‘Set Password’.
Click ‘Proceed’ in the message box.
Type in and confirm the new password for the account in the boxes and then click ‘OK’.
Use Strong Passwords
I really can’t stress this enough, especially for business use. Please, do not pick a pet name, spouse name or anything else easily guessed by people who know you.
Pick a password at least 8 characters long. I prefer 15 or more characters. Windows will accept a maximum of 127 characters. Use both upper and lower case letters, numbers, and try to use special characters as well. If you have multiple computers, do not repeat the same passwords on each one. Never write down passwords and leave them in plain sight, or send them in email.
It is very scary to me to sit at a workstation that has all the account names, login names and passwords written on post-its and stuck on the monitor. In a business environment, this is just inviting misuse.
The easiest way to pick a long, effective password is to think of an easy to remember phrase. Then change the letter o to the number 0, and all letter l to number 1. For example:
I like Tootsie-Roll becomes: I1iket00tsie-R011. That is much harder to break. Also, remember that Windows will accept spaces as a password character.
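The following is an added example, not part of the original paper: a PowerShell function that checks a candidate password against the rules stated above (at least 8 characters, 15 or more preferred, 127 maximum, a mix of upper case, lower case, digits and other characters). The rule values are the paper's; the function name and the sample passwords are my own. One caveat a practitioner would add: single-character substitutions such as o to 0 and l to 1 are built into common password-cracking rule sets, so the length of the phrase does more work than the substitutions.

```powershell
# Added example (not from the original paper): checks a password against the
# length and character-class rules given in the section above.
function Test-PasswordStrength {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength   = 8,    # paper's floor
        [int]$PreferredLength = 15,   # paper's preference
        [int]$MaximumLength   = 127   # Windows limit stated in the paper
    )
    $problems = @()
    if ($Password.Length -lt $MinimumLength) {
        $problems += "shorter than $MinimumLength characters"
    }
    if ($Password.Length -gt $MaximumLength) {
        $problems += "longer than $MaximumLength characters (Windows will reject it)"
    }

    # Count the character classes present: upper, lower, digit, anything else
    # (symbols and spaces both count as 'anything else'). -cmatch is case-sensitive.
    $classes = 0
    if ($Password -cmatch '[A-Z]')       { $classes++ }
    if ($Password -cmatch '[a-z]')       { $classes++ }
    if ($Password -match  '\d')          { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $problems += "uses only $classes of 4 character classes" }

    [pscustomobject]@{
        Length         = $Password.Length
        Classes        = $classes
        MeetsMinimum   = ($problems.Count -eq 0)
        MeetsPreferred = ($problems.Count -eq 0 -and $Password.Length -ge $PreferredLength)
        Problems       = ($problems -join '; ')
    }
}

# Constructed samples; the second is the paper's own worked example.
'Fluffy1', 'I1iket00tsie-R011', 'I like Tootsie-Roll on Tuesdays' |
    ForEach-Object { Test-PasswordStrength -Password $_ } |
    Format-Table -AutoSize
```

Run it as a standard user; it reads nothing from the system. The third sample shows that a plain phrase with spaces, which the paper notes Windows accepts, already satisfies the rules by length alone.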
Use a BIOS and Boot-level Password
Once you set a boot-level BIOS password, it will be required every time the system is started. The system is completely disabled until the password is entered. This is normally accomplished by selecting the password option in the BIOS setup. You may also want to consider an additional password for accessing the BIOS settings in order to prevent unauthorized changes to them.
Use the Screensaver
Proper use of the screensaver will help protect your computer while you are away from it for short periods of time. This is especially important in business environments. Just bring up the screensaver settings and enable password protection. Here's how:
Right click an open area of the desktop
Left click properties from the choices
Left click the screensaver tab
Check the box to “On resume, password protect”
On Windows 2000 machines, left click the Power button, then left click the advanced tab, then check the box to “Prompt for password
when computer goes off standby”.
Remember to pick a time period for the screensaver to start, perhaps 10 minutes. If you are going to be away for an unknown time
period, you can always start the screensaver manually when you are called away. Another quick way to secure things is to simply hit
Ctrl-Alt-Delete which brings up the task manager. You then select ‘Lock Computer’ by left clicking the button, or hitting ‘Alt-k’ on the keyboard.
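As an added example (my own code, not from the paper), here is the same configuration done from PowerShell: the screensaver dialog above writes to the per-user registry values under Control Panel\Desktop, so a script can audit and set them, and the Ctrl-Alt-Delete Lock Computer action is available as the LockWorkStation entry point in user32.dll. The function names and the choice of the blank built-in screensaver are my assumptions.

```powershell
# Added example: audit and set the current user's screensaver lock settings.
# These are the registry values behind the screensaver tab described above.
$DesktopKey = 'HKCU:\Control Panel\Desktop'

function Get-ScreenSaverLock {
    $p = Get-ItemProperty -Path $DesktopKey
    [pscustomobject]@{
        Active           = ($p.ScreenSaveActive -eq '1')
        PasswordOnResume = ($p.ScreenSaverIsSecure -eq '1')   # 'On resume, password protect'
        TimeoutSeconds   = [int]$p.ScreenSaveTimeOut          # stored as a string
        ScreenSaver      = $p.'SCRNSAVE.EXE'
    }
}

function Set-ScreenSaverLock {
    param([int]$TimeoutMinutes = 10)   # the paper suggests about 10 minutes
    # All three values are REG_SZ strings, even the ones holding numbers.
    Set-ItemProperty -Path $DesktopKey -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name ScreenSaveTimeOut   -Value ([string]($TimeoutMinutes * 60))
    # With no screensaver program selected the timeout never fires, so fall
    # back to the blank built-in one (assumed present in System32).
    if (-not (Get-ItemProperty -Path $DesktopKey).'SCRNSAVE.EXE') {
        Set-ItemProperty -Path $DesktopKey -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"
    }
}

# Lock the workstation immediately, the same effect as Ctrl-Alt-Delete -> Lock Computer.
function Lock-Workstation { rundll32.exe user32.dll,LockWorkStation }

Set-ScreenSaverLock -TimeoutMinutes 10
Get-ScreenSaverLock
```

Windows reads these values at logon, so the audit function shows the new settings immediately but the timer itself applies after the next logon or after the screensaver dialog is opened and closed.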
Guest Account
The guest account is known to exist on all Windows 2000 Server, Windows 2000 Professional, and Windows XP computers. Microsoft recommends against disabling the Guest account in Windows XP or removing it in either Win2k or XP. For more security of this account,
I recommend the following.
Windows 2000 computers:
Rename Guest account, password protect it, then disable it. Here's how:
On the desktop, right click on ‘My Computer’ then click on ‘Manage’, which opens the Microsoft Management console.
Expand the “Local Users and Groups”, and open the ‘Users’ folder
Right click on ‘Guest’ then click ‘Rename’ and type in the new preferred name
Right click on ‘Guest’, then click ‘Properties’ and check the box ‘Account is disabled’. Also check the box for ‘User cannot change password’. Then type in the new full name, and change the description of the account as well.
Windows XP Pro computers:
Right click on ‘My Computer’, then click ‘Manage’ which opens the Microsoft Management Console.
Open the Users folder under Local users and groups, right click on ‘Guest’ and click ‘Rename’ and type in the new name for the account.
Right click on ‘Guest’, click properties and edit the description for the account so its true nature will not be revealed.
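This added example (my code, not the paper's) does in one script what the two account sections above describe with the console: it renames and re-describes the built-in Administrator and Guest accounts, sets a password on both, and disables Guest. It finds the accounts by their well-known relative identifiers (500 and 501) rather than by name, because renaming never changes the SID; that is the same property the later section on SID enumeration warns about. It assumes the LocalAccounts module (Windows 10 / PowerShell 5.1 and later); on Windows 2000 and XP the equivalent commands are net user and the console steps above. The new account names are placeholders of my own.

```powershell
# Added example: protect the built-in Administrator (RID 500) and Guest (RID 501)
# accounts. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

function Get-BuiltInAccount {
    # Look the account up by RID so the script works even after an earlier rename.
    param([ValidateSet(500, 501)][int]$Rid)
    Get-LocalUser | Where-Object { $_.SID.Value -like "*-$Rid" }
}

function Protect-BuiltInAccounts {
    param(
        [string]$AdminName = 'svc_maint',       # placeholder name, choose your own
        [string]$GuestName = 'dormant_acct',    # placeholder name, choose your own
        [Parameter(Mandatory)][securestring]$AdminPassword,
        [Parameter(Mandatory)][securestring]$GuestPassword
    )
    $admin = Get-BuiltInAccount -Rid 500
    $guest = Get-BuiltInAccount -Rid 501

    # Administrator: rename, neutral description, new password.
    if ($admin.Name -ne $AdminName) { Rename-LocalUser -Name $admin.Name -NewName $AdminName }
    Set-LocalUser -Name $AdminName -Password $AdminPassword -Description 'Local user account'

    # Guest: rename, neutral description, password, no self-service password change, disabled.
    if ($guest.Name -ne $GuestName) { Rename-LocalUser -Name $guest.Name -NewName $GuestName }
    Set-LocalUser -Name $GuestName -Password $GuestPassword -Description 'Local user account' `
                  -UserMayChangePassword $false
    Disable-LocalUser -Name $GuestName

    # Report what the two well-known RIDs now look like.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } |
        Select-Object Name, Enabled, Description, SID
}

# Prompt for the passwords instead of embedding them in the script.
Protect-BuiltInAccounts -AdminPassword (Read-Host -AsSecureString 'New Administrator password') `
                        -GuestPassword (Read-Host -AsSecureString 'New Guest password')
```

Check the SID column in the output: it still ends in -500 and -501 after the rename, which is why the paper follows this step with the policy change that stops anonymous SID and SAM enumeration.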
Use the NTFS File System
When Windows XP or Windows 2000 is installed, it should be installed on a separate partition formatted with the NTFS File system
rather than the older FAT File system. The NTFS system allows you to configure which users have access to which data, who can
perform what kinds of operations, and allows you to encrypt files and data.
Disable auto-logins
Do not use any automated logins and be sure all users are password protected. Go to the control panel, click on administrative tools,
click local security policy. Make sure all users have a password set for the account. I also recommend having only one administrator
account on each machine.
Limit unnecessary accounts
Limit any unnecessary or unused accounts and remember, I recommend only one administrator account per machine. If you see
accounts that are not needed, or not used, delete them.
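The two sections above ask for three conditions: no automatic logon, a password on every account, and only one administrator account. This added example (my own, not from the paper) audits all three and removes an automatic logon. It reads the standard Winlogon values (AutoAdminLogon and the clear-text DefaultPassword that an automatic logon stores) and the LocalAccounts module's PasswordRequired flag; the function names are mine and the module assumption is the same as in the earlier account example.

```powershell
# Added example: audit automatic logon, password-less accounts and the size of
# the local Administrators group. Run elevated to read HKLM\...\Winlogon fully.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-LogonHardeningReport {
    $wl = Get-ItemProperty -Path $WinlogonKey

    # AutoAdminLogon is a REG_SZ "1"/"0". A stored DefaultPassword is the bigger
    # problem: it is the account password, in clear text, in the registry.
    $autoLogon      = ($wl.AutoAdminLogon -eq '1')
    $storedPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)

    # Enabled accounts that do not require a password at all.
    $noPassword = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired })

    # Members of the local Administrators group, found by its well-known SID.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')

    [pscustomobject]@{
        AutoAdminLogon            = $autoLogon
        DefaultPasswordStored     = $storedPassword
        EnabledNoPasswordAccounts = @($noPassword | Select-Object -ExpandProperty Name)
        AdministratorMembers      = @($admins | Select-Object -ExpandProperty Name)
        Findings = @(
            if ($autoLogon)          { 'Automatic logon is enabled' }
            if ($storedPassword)     { 'DefaultPassword is stored in clear text under Winlogon' }
            if ($noPassword.Count)   { 'Enabled accounts without a required password: ' + ($noPassword.Name -join ', ') }
            if ($admins.Count -gt 1) { "Administrators group has $($admins.Count) members; the paper recommends one" }
        )
    }
}

function Disable-AutoLogon {
    Set-ItemProperty    -Path $WinlogonKey -Name AutoAdminLogon  -Value '0'
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
}

Get-LogonHardeningReport
```

An empty Findings list means all three conditions hold. Disable-AutoLogon both flips the flag and deletes the stored password, since leaving DefaultPassword in place keeps the secret on disk even when automatic logon is off.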
Disable Enumeration of SIDs
Even after renaming Guest and Administrator accounts, an intruder armed with the right software can still find the real account by enumerating the account SIDs (Security Identifiers) because renaming an account does not change its SID. Once an account name has been identified (an attacker is looking for an Administrator account here) a brute force attack on the password is usually the next step.
This can be avoided by not allowing the enumeration of Account SIDs.
On a Windows XP machine, follow these steps:
Click Start, go to Control Panel, click administrative tools, and click local security policy.
Click the ‘Security Options’ folder in the left pane
Double click ‘Network access: Do not allow anonymous enumeration of SAM accounts and shares’ on the right pane.
Choose ‘Enabled’ and then click ‘Apply’ and ‘OK’ to save your settings.
On a Windows 2000 machine, follow these steps:
Click Start, go to control panel, click administrative tools, and open ‘Local Security Policy’
Click on + on the ‘Local Policies’ folder in the left pane
Left click ‘Security Options’ folder under local policies
Right click on ‘Additional restrictions for anonymous connections’ in the right pane
Left click ‘Security…’ from the box that opens
Under local policy setting, click the down arrow at the right end of the window and choose (left click) ‘Do not allow enumeration of SAM accounts and shares’.
Left click ‘OK’ to save your settings, and exit all windows.
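Both policy dialogs above write to the Lsa key in the registry, so the setting can be audited and applied from a script. This is an added example of my own, not from the paper. On Windows XP and later, ‘Network access: Do not allow anonymous enumeration of SAM accounts’ is the RestrictAnonymousSAM value and ‘... SAM accounts and shares’ is RestrictAnonymous; on Windows 2000 the single RestrictAnonymous value holds the ‘Additional restrictions for anonymous connections’ choice (0 none, 1 no enumeration of SAM accounts and shares, 2 no access without explicit anonymous permissions). The example also reads EveryoneIncludesAnonymous, a related Lsa value the paper does not mention; the function names are mine.

```powershell
# Added example: audit and apply the anonymous-enumeration restrictions.
#Requires -RunAsAdministrator
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-AnonymousEnumerationPolicy {
    $lsa = Get-ItemProperty -Path $LsaKey
    [pscustomobject]@{
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM       # 1 = SAM accounts cannot be listed anonymously
        RestrictAnonymous         = $lsa.RestrictAnonymous          # 1 = SAM accounts and shares cannot be listed
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous  # 0 = anonymous is not part of 'Everyone'
        Hardened = ($lsa.RestrictAnonymousSAM -eq 1 -and
                    $lsa.RestrictAnonymous -ge 1 -and
                    $lsa.EveryoneIncludesAnonymous -ne 1)
    }
}

function Set-AnonymousEnumerationPolicy {
    # Value 1 matches the policy choice named in the section above. On Windows 2000,
    # 2 is stricter but can break browsing and trust relationships, so it is not used here.
    Set-ItemProperty -Path $LsaKey -Name RestrictAnonymousSAM      -Value 1 -Type DWord
    Set-ItemProperty -Path $LsaKey -Name RestrictAnonymous         -Value 1 -Type DWord
    Set-ItemProperty -Path $LsaKey -Name EveryoneIncludesAnonymous -Value 0 -Type DWord
}

Set-AnonymousEnumerationPolicy
Get-AnonymousEnumerationPolicy
```

The Hardened field is true only when all three values hold; a missing value reads as null and therefore as not hardened, which is the conservative result for an audit.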
Disable File and Print Sharing
If you are not connected to a domain, simplified file sharing is automatically enabled in Windows XP. It should be noted here that simple
file sharing cannot be turned off in Windows XP Home Edition. Why disable print and file sharing? Well, if you use an always-on
high-speed Internet connection, leaving these services turned on is like leaving your doors open when you are not at home. Unless it is absolutely necessary, I recommend you turn these services off.
In Windows XP, follow these steps:
Click Start, then go to settings, then click Control Panel
Double click Internet Options.
Click on the ‘Connections’ tab, select your connection, and then click ‘Settings’
Click ‘Properties’, click the ‘Networking’ tab, and then uncheck the box for ‘File and Printer Sharing for Microsoft Networks’.
Click ‘OK’ to save the settings
While you are here, let’s do one more thing, and choose not to save temporary Internet files:
Left click on the Advanced tab of Internet Properties
Scroll down to ‘Security’ at the bottom of the window, and check the box to ‘Empty Temporary Internet Files when browser is closed’.
Click ‘OK’ to save the settings, and exit the control panel.
On Windows 2000 machines, use the following steps:
Click Start, then go to settings, then click Control Panel
Double click ‘Network and Dial-up Connections’
Right click ‘Local Area Connection’ and choose ‘Properties’
From the box that opens, uncheck ‘File and Print Sharing for Microsoft Networks’
Click ‘OK’ to save the settings
To choose not to save Temporary Internet Files:
In the Control Panel, open Internet Options
Left click on the Advanced tab of Internet Properties
Scroll down to ‘Security’ at the bottom of the window, and check the box to ‘Empty Temporary Internet Files when browser is closed’.
Click ‘OK’ to save the settings, and exit the control panel.
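As an added example (mine, not the paper's), the same two changes from PowerShell. The ‘File and Printer Sharing for Microsoft Networks’ checkbox is the ms_server binding on each network adapter, which the NetAdapter module (Windows 8 / Server 2012 and later) can list and disable; the example also stops and disables the Server service so nothing answers share requests at all, which is a step beyond the checkbox. The registry value I use for ‘Empty Temporary Internet Files folder when browser is closed’ (Persistent under Internet Settings\Cache) is my assumption about how that checkbox is stored.

```powershell
# Added example: unbind file and printer sharing, stop the Server service, and
# make Internet Explorer discard its cache on exit.
#Requires -RunAsAdministrator

function Get-FileSharingBindings {
    # One row per adapter; Enabled = true means the checkbox above is ticked.
    Get-NetAdapterBinding -ComponentID ms_server | Select-Object Name, DisplayName, Enabled
}

function Disable-FileSharing {
    Get-NetAdapterBinding -ComponentID ms_server | Where-Object Enabled | ForEach-Object {
        Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_server
    }
    # The Server service (LanmanServer) is what serves shares; with it disabled
    # nothing listens for them even if a binding is re-enabled later.
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
    Set-Service  -Name LanmanServer -StartupType Disabled
}

function Set-EmptyTemporaryInternetFilesOnExit {
    # Assumed mapping of the Internet Options checkbox: Cache\Persistent = 0.
    $cache = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache'
    if (-not (Test-Path $cache)) { New-Item -Path $cache -Force | Out-Null }
    Set-ItemProperty -Path $cache -Name Persistent -Value 0 -Type DWord
}

Disable-FileSharing
Set-EmptyTemporaryInternetFilesOnExit
Get-FileSharingBindings
```

Disabling the Server service also removes the administrative shares (C$, ADMIN$), so on a machine that is managed remotely over SMB, keep the service and use only the binding change; the paper's own advice, unless sharing is absolutely necessary, is to turn it off.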
Unhide File Extensions
By default, Windows XP and Windows 2000 hide known file extensions to simplify the display. The problem with this is that a malware writer can give a file a name whose real extension is hidden after the displayed part, keeping you from knowing what kind of file you are about to open. This is especially true for files hiding Trojans. Let’s not let this happen for most file types.
On both Windows XP and Windows 2000, follow these steps:
Click Start, go to settings, open the Control Panel, and double click ‘Folder Options’
Left click the ‘View’ tab
Uncheck the box for ‘Hide extensions for known file types’
There are still three known file extensions that will remain hidden even after the above procedure. They are .shs, .pif, and .lnk so if in doubt, the rule should be not to open or run the file. The file extensions on my personal banned list are: .exe .dll .ocx .wav .jpeg .gif
.bat .com .cmd .pif .scr .zip .mime .mim .uue .uu .b64 .bhx .hgx .xxe .doc .vbs .ico .bmp .ani .cur .hlp .upm .shs .lnk. I never open any
of these unless I am specifically expecting them.
Disable Remote Assistance and Remote Desktop
This applies to Windows XP machines only. Remote assistance allows you to invite another person to logon to your machine for remote troubleshooting. I recommend you leave it disabled. You can always re-enable it later if the service is ever needed. Remote desktop is available on XP Professional and allows you access to a Windows session on one computer while you are at another computer in
another location, not only over a LAN, but over the Internet as well.
To disable these functions, follow this procedure:
Click Start, go to settings, then Control Panel
Double click on the System icon
Click on the ‘Remote’ tab, and uncheck the boxes to ‘Allow Remote Assistance invitations to be sent from this computer’ and ‘Allow users to connect remotely to this computer’.
Click ‘Apply’ to save the settings, and close the windows.
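The two checkboxes above correspond to two registry values, fAllowToGetHelp under Control\Remote Assistance and fDenyTSConnections under Control\Terminal Server, so the state can be audited and set from a script. This added example (my code, not the paper's) does that, confirms that nothing is listening on the Remote Desktop port, and closes the matching Windows Firewall rule groups. The firewall group names are the English display names and the NetTCPIP and NetSecurity modules (Windows 8 and later) are assumed; the function names are mine.

```powershell
# Added example: disable Remote Assistance and Remote Desktop and verify.
#Requires -RunAsAdministrator
$RaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RemoteAccessState {
    $ra = Get-ItemProperty -Path $RaKey -ErrorAction SilentlyContinue
    $ts = Get-ItemProperty -Path $TsKey
    [pscustomobject]@{
        RemoteAssistanceAllowed = ($ra.fAllowToGetHelp -eq 1)        # checkbox 1
        RemoteDesktopAllowed    = ($ts.fDenyTSConnections -ne 1)     # checkbox 2 (1 = deny)
        # Independent check: is anything listening on the RDP port right now?
        RdpListening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Disable-RemoteAccess {
    if (Test-Path $RaKey) {
        Set-ItemProperty -Path $RaKey -Name fAllowToGetHelp -Value 0 -Type DWord
    }
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    # Close the firewall rule groups too, so a later re-enable of the service
    # does not silently reopen the port (English display-group names assumed).
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'    -ErrorAction SilentlyContinue
    Disable-NetFirewallRule -DisplayGroup 'Remote Assistance' -ErrorAction SilentlyContinue
}

Disable-RemoteAccess
Get-RemoteAccessState
```

RdpListening may still read true until the Remote Desktop Services service restarts or the machine reboots; the registry and firewall changes are what persist.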
Disable any unnecessary and potentially dangerous service
The three most common services to turn off are Windows Plug and Play, DCOM, and Windows Messenger. I have been using PCs for over twenty years now and cannot imagine a situation where any of these services are needed. I have never used any of them, but many a malware writer has. The easiest way to disable these services is to use very small programs from Steve Gibson, of Gibson Research Corporation.
To disable Windows Plug and Play, go here:
http://www.grc.com/unpnp/unpnp.htm
To disable Windows DCOM, go here:
http://www.grc.com/dcom/
To disable Windows Messenger, go here:
http://www.grc.com/stm/shootthemessenger.htm
All three of these programs are freeware and are a very small file size.
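The same three changes can be made with the service controller and the registry instead of the downloaded tools; this is an added example of my own, not the paper's or GRC's code. One point to be precise about: the grc.com unpnp tool (“UnPlug n' Pray”) disables Universal Plug and Play, the network discovery feature (the SSDP Discovery and UPnP Device Host services), not the core Plug and Play service that Windows needs to enumerate hardware, and the example does the same. DCOM is turned off with the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole. The Messenger service exists only on Windows 2000 and XP, so the example tolerates its absence.

```powershell
# Added example: disable Universal Plug and Play, the Messenger service and DCOM.
#Requires -RunAsAdministrator

$ServicesToDisable = @(
    'SSDPSRV',    # SSDP Discovery: Universal Plug and Play discovery
    'upnphost',   # UPnP Device Host
    'Messenger'   # Messenger service (net send pop-ups), Windows 2000/XP only
)

function Disable-UnneededService {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; Status = 'not present'; StartType = $null }
    }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    $svc = Get-Service -Name $Name
    [pscustomobject]@{ Service = $Name; Status = $svc.Status; StartType = $svc.StartType }
}

function Disable-Dcom {
    # REG_SZ "Y"/"N"; the change takes effect after a reboot.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -Value 'N'
}

$ServicesToDisable | ForEach-Object { Disable-UnneededService -Name $_ }
Disable-Dcom
```

Turning DCOM off on a current Windows release affects far more than it did on XP (WMI remoting and many management tools depend on it), so test that change on one machine before rolling it out; the service changes are low risk.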
Encrypt the My Documents and Temp folders
Both Windows XP and Windows 2000 allow you to encrypt selected data files and folders on your computer. By doing this, even if your computer is compromised by an attacker, you have an extra layer of security for your most used files by denying access to anyone except the user that encrypted the files to begin with.
In Windows XP computers, follow this procedure:
Open Windows Explorer
Right click the folder you want to encrypt, and then click ‘Properties’
On the ‘General’ tab, click ‘Advanced’
Check the box to ‘Encrypt contents to secure data’
Click ‘OK’ to save your settings
In Windows 2000 computers, follow this procedure:
Right click ‘Start’ and then choose ‘Explore’
In the left pane, right click the folder you want to encrypt, then left click ‘Properties’
Left click ‘Advanced’
Left click the box to ‘Encrypt contents to secure data’
Click ‘OK’ to save your settings, and close open windows.
I recommend that you encrypt at least the following two folders:
1. ‘My Documents’ that contains the personal files in which most Microsoft Office documents are stored.
2. ‘Temp’ folder that contains the files created by most applications programs
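The ‘Encrypt contents to secure data’ checkbox is EFS, and cipher.exe (present since Windows 2000) drives the same feature from the command line. This added example (mine, not the paper's) encrypts the two folders recommended above, verifies the Encrypted attribute on each, and then backs up the EFS certificate and private key with cipher /x, because without that backup the files become unreadable if the user's profile or key is ever lost. The folder paths come from the current user's environment; the backup file path is my placeholder.

```powershell
# Added example: encrypt My Documents and Temp with EFS and back up the key.
function Protect-FolderWithEfs {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "Folder not found: $Path" }
    # /e encrypts; /s:<dir> applies to the directory and everything under it.
    # New files created in the folder afterwards inherit the encryption.
    cipher.exe /e /s:"$Path" | Out-Null
    $attrs = (Get-Item -Path $Path).Attributes
    [pscustomobject]@{
        Path      = $Path
        Encrypted = [bool]($attrs -band [IO.FileAttributes]::Encrypted)
    }
}

# The two folders the paper recommends, resolved for the current user.
$folders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    $env:TEMP
)
$folders | ForEach-Object { Protect-FolderWithEfs -Path $_ }

# Back up the EFS certificate and private key to a .pfx (cipher prompts for a
# password to protect the file). Store the result off the machine.
$backup = Join-Path ([Environment]::GetFolderPath('Desktop')) 'efs-backup'   # placeholder path
cipher.exe /x "$backup"
```

EFS protects data at rest against another account or an offline disk read; it does not stop malware running as the same user, which reads the files exactly as the user does. That is why the paper pairs this step with running as a limited user.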
Registry changes
The last few suggestions I have involve changes to the system registry. If you are at all squeamish about this, I suggest you stop your Windows hardening efforts at this point, or get help from someone that is familiar with registry edits and changes. If you elect to proceed, I strongly suggest you do a system state backup before making any changes to the registry.
Clear Page File at System Shutdown
Default settings allow process memory files to be paged to the hard disk in clear text form at shutdown. Although this allows more rapid recovery of this information the next time the system is started, it’s a great place for an intruder to look for any sensitive information, and it is displayed in plain text form.
To clear the Page File at shutdown, follow this procedure:
Click Start and go to settings and open the Control Panel
Open ‘Administrative Tools’, and choose ‘Local Security Policy’ followed by ‘Local Policies’ in the left pane, and then ‘Security Options’
In the right pane, right click on ‘Clear virtual memory pagefile when system shuts down’, left click ‘Security’, and choose ‘Enabled’
Left click ‘OK’ to save your settings, and close all open windows.
Disable dump file creation
When Windows stops unexpectedly as the result of a Stop Error (“blue screen of death” or system crash), a Memory.dmp file is created and it can be helpful when using debugging tools and software. Like the page file above, it can contain sensitive information and passwords displayed in plain text form. I have never found this information of much use, but an intruder can definitely make use of it. To disable the dump file creation, follow this procedure:
Click on Start, go to settings, and open the Control Panel
Double click the ‘System’ icon and then click the ‘Advanced’ tab
Click the ‘Startup and Recovery’ button, and look for ‘Write Debugging Information’ toward the bottom of the window (XP users will have to first click on ‘Settings’)
Click on the down arrow at the right of the top window. The default setting is Small Memory Dump (64 KB). Choose ‘(none)’
Click ‘OK’ to save your settings and close all open windows.
Disable Dr. Watson dump file creation
Another memory dump file similar to the ones above is created by Dr Watson. This is a program error debugger that gathers all kinds of information about your computer when a user error or user-mode fault occurs within a program. I have never found these files to be useful either. To stop creation of these files, follow this procedure:
Go to Start, then Run, then type in ‘regedit.exe’ and hit ‘Return’
Browse to the following location in the left pane:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Left click on the value ‘Auto’ in the right pane, and change the value from ‘1’ to ‘0’
Close the registry editor.
To delete the dump files created by Dr Watson on earlier occasions, you will have to delete them manually with this procedure:
Open Windows Explorer
Browse to C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson and delete the files named User.dmp and Drwtsn32.log.
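The three preceding sections (page file at shutdown, crash dump, Dr Watson) each come down to one registry value: ClearPageFileAtShutdown under Memory Management, CrashDumpEnabled under CrashControl (0 = none, 3 = the small 64 KB dump that is the default named above), and Auto under AeDebug. This added example (my own, not the paper's) audits and sets all three from a table and removes any leftover Dr Watson output at the XP-era path given above; the function names are mine. One caveat the paper predates: on a machine that hibernates, hiberfil.sys also holds a copy of memory, so clearing the page file alone does not remove every on-disk copy.

```powershell
# Added example: audit and apply the three memory-residue registry settings.
#Requires -RunAsAdministrator

$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'ClearPageFileAtShutdown'; Want = 1;   Type = 'DWord'
       Why  = 'pagefile overwritten at shutdown' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Name = 'CrashDumpEnabled';        Want = 0;   Type = 'DWord'
       Why  = 'no Memory.dmp written on a Stop error' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
       Name = 'Auto';                    Want = '0'; Type = 'String'   # REG_SZ "0"/"1"
       Why  = 'post-mortem debugger (Dr Watson) not started automatically' }
)

function Get-MemoryResidueSettings {
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = $s.Name
            Current   = $current
            Wanted    = $s.Want
            Compliant = ("$current" -eq "$($s.Want)")   # compare as text: DWORD vs REG_SZ
            Why       = $s.Why
        }
    }
}

function Set-MemoryResidueSettings {
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -Type $s.Type
    }
}

# Remove old Dr Watson output, if the XP-era folder named above exists.
$drw = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Dr Watson'
if (Test-Path $drw) {
    Remove-Item -Path (Join-Path $drw 'user.dmp'), (Join-Path $drw 'drwtsn32.log') -ErrorAction SilentlyContinue
}

Set-MemoryResidueSettings
Get-MemoryResidueSettings | Format-Table -AutoSize
```

Clearing the page file at shutdown lengthens every shutdown by the time it takes to overwrite the file, which on a large page file is noticeable; the paper's trade-off is that the overwrite removes the clear-text copy an intruder would otherwise read from the disk.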
The Scrap File danger
A scrap file is used by Windows machines to transfer data between programs, and it can contain just about anything from data to an executable program. Remember that in our discussion of file types, we chose to uncheck the box to ‘Hide known file extension types’ to show all file extensions and that I told you three file types would still remain hidden, one of them being .shs?
Herein lies the danger. A scrap file can be renamed with a different file extension to make it look benign. Windows assigns ‘RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1’ to the .SHS extension by default. When the file is opened, Windows will unpack the scrap file and open or execute whatever is in the file. Once the scrap file is opened, you have absolutely no control over it. The trick here is to get the file to show its true .shs extension. To do this, we need yet another registry edit, by following this procedure:
Go to ‘Start’, ‘Run’ and then type in ‘regedit.exe’
Left click ‘Edit’, then ‘Find’, and type in: HKEY_CLASSES_ROOT\ShellScrap and click ‘Find’
Once found, in the right pane, right click on ‘NeverShowExt’ and choose ‘Modify’
Type in ‘AlwaysShowExt’ and hit ‘Return’
Close the Registry Editor
Completely shut down and reboot
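This added example (my code, not the paper's) serves both the Unhide File Extensions section and the scrap file section above. It turns off ‘Hide extensions for known file types’ through its registry value (HideFileExt under Explorer\Advanced), then generalises the paper's list of three stubborn extensions by walking HKEY_CLASSES_ROOT and reporting every file class whose ProgID carries a NeverShowExt value, which is the mechanism that keeps .shs, .pif and .lnk hidden. It then makes the ShellScrap change the section describes by renaming the NeverShowExt value to AlwaysShowExt. Scrap files were dropped after Windows XP, so the ShellScrap key may not exist on a current system and the code checks for it. Finally, a small function reports the true (last) extension of a file name against a subset of the paper's banned list; the sample file names are constructed.

```powershell
# Added example: show extensions, list classes that still hide them, fix ShellScrap.
function Show-FileExtensions {
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name HideFileExt -Value 0 -Type DWord   # 0 = show
}

function Get-HiddenExtensionClasses {
    # Map each '.ext' key's default value (its ProgID) back to the extension,
    # then report ProgIDs that carry NeverShowExt. Walking HKCR takes a moment.
    $progIds = @{}
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $id = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($id) { $progIds[$id] = $_.PSChildName }
        }
    foreach ($id in $progIds.Keys) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $props.NeverShowExt) {
            [pscustomobject]@{ Extension = $progIds[$id]; ProgId = $id }
        }
    }
}

function Set-ScrapExtensionVisible {
    # Renaming the value (not editing its data) is what turns the hiding off.
    $scrap = 'Registry::HKEY_CLASSES_ROOT\ShellScrap'
    if (-not (Test-Path -Path $scrap)) { return 'ShellScrap class not present on this system' }
    $p = Get-ItemProperty -Path $scrap
    if ($null -ne $p.NeverShowExt) {
        Rename-ItemProperty -Path $scrap -Name NeverShowExt -NewName AlwaysShowExt
    }
    'ShellScrap now shows the .shs extension'
}

# Subset of the paper's banned list; extend with the rest as needed.
$BannedExtensions = '.exe', '.dll', '.ocx', '.bat', '.com', '.cmd', '.pif', '.scr',
                    '.vbs', '.shs', '.lnk', '.hlp', '.zip'

function Test-BannedAttachment {
    param([Parameter(Mandatory)][string]$FileName)
    # The last extension is the one Windows acts on, whatever comes before it.
    $ext = [IO.Path]::GetExtension($FileName).ToLowerInvariant()
    [pscustomobject]@{ FileName = $FileName; TrueExtension = $ext; Banned = ($BannedExtensions -contains $ext) }
}

Show-FileExtensions
Get-HiddenExtensionClasses | Sort-Object Extension
Set-ScrapExtensionVisible
'report.doc.shs', 'photo.jpg', 'invoice.pdf.exe' | ForEach-Object { Test-BannedAttachment -FileName $_ }  # constructed names
```

The class listing is the useful part on a modern system: it shows exactly which extensions Explorer will still hide after the checkbox change, so the rule the paper gives (when in doubt, do not open it) can be applied to a known list rather than to three remembered names.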