# Locking down Windows



## lunarlander (Sep 22, 2007)

I want to start a thread about locking down Windows. I've been frequenting this security forum for several years and I notice people mostly just come asking for which security programs to install, forgetting about securing Windows before connecting to the internet.

Whenever I re-install Windows, it takes me 3-4 hours just installing, locking down and setting up Windows, without talking about installing applications. What do you do to secure Windows ( not talking about antivirus and other security applications ) ?

I believe all code can have security flaws, and is potentially exploitable. This is particularly true for network facing code, but for other code too. (For example, services running on the Local System account, if exploited, may be used to gain system wide privileges by hackers, and automatically, by malware.) So everything that is not necessary, not used, not hardware supported, should be turned off.

The first thing I do - setup the network on my Vista (some same settings are present in XP):

Control Panel\Network and Sharing Center
Local Area Connection/ Properties 
UNCHECK these:
- Client for MS Networks
- File and Printer Sharing for Microsoft Networks
- Internet protocol version 6
- Link Layer Topology Discovery Mapper IO Driver
- Link Layer Topology Discovery Responder
Select 'Internet Protocol version 4 (TCP/IPv4)', click Properties, click Advanced
click the 'DNS' tab, UNCHECK 'register this connection's address in DNS'
click 'WINS' tab, SELECT 'Disable NETBIOS over TCP/IP'

The Topology Discovery protocols are useless except in large networks, and there is only one router in my network, like most home users. So there is no need to have discovery protocols and programs to display a fancy diagram to me to explain the layout of the network. It is also a new protocol, which means new network facing code. Hackable? I don't know, but I am not taking chances.

File sharing I don't use, and I don't connect to other machines' file shares either, so 'Client for MS Networks' and 'File and Printer Sharing' are turned off.

Most home routers don't support IPv6 today, like mine, and the firewalls built into those routers don't know anything about IPv6. So having IPv6 tunneling is like having a backdoor into the network, bypassing the perimeter firewall. Vista's firewall is IPv6 aware, but malware can disable it and then I won't have the router firewall to fall back on. So I disable IPv6. (Related: the Teredo network device driver.) Defence in depth: have two firewalls, one router based, and one host based, each with different rules.

The DNS server doesn't need to know my IP address, and I don't have any local DNS servers in my network, so uncheck 'register this connection's address'.

NETBIOS is an old protocol and I don't have old versions of Windows running in my network.


Please help build this thread by providing some of your OS lockdown settings. I will add to this thread in the coming days.
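The same adapter settings, scripted so they can be checked or applied on many machines. This is an added example, not code from the thread; it assumes the NetAdapter/NetTCPIP cmdlets (Windows 8 / Server 2012 or later, which Vista does not have), an adapter named 'Ethernet', and an elevated session.

```powershell
# Added example, not from the thread: report or apply the adapter settings that the
# post unchecks. Needs the NetAdapter/NetTCPIP modules (Windows 8 / Server 2012 or
# later; Vista has no such cmdlets). Run elevated. Report-only unless -Apply is given.
param(
    [string]$AdapterName = 'Ethernet',   # assumed; Vista/7 call it 'Local Area Connection'
    [switch]$Apply
)

# Component IDs behind the checkboxes in the adapter Properties dialog.
$bindings = [ordered]@{
    'ms_msclient' = 'Client for Microsoft Networks'
    'ms_server'   = 'File and Printer Sharing for Microsoft Networks'
    'ms_tcpip6'   = 'Internet Protocol Version 6 (TCP/IPv6)'
    'ms_lltdio'   = 'Link-Layer Topology Discovery Mapper I/O Driver'
    'ms_rspndr'   = 'Link-Layer Topology Discovery Responder'
}

foreach ($id in $bindings.Keys) {
    $label = $bindings[$id]
    $b = Get-NetAdapterBinding -Name $AdapterName -ComponentID $id -ErrorAction SilentlyContinue
    if (-not $b) { Write-Warning "$label is not present on $AdapterName"; continue }
    if (-not $b.Enabled) { Write-Output "OK       $label already unchecked"; continue }
    if ($Apply) {
        Disable-NetAdapterBinding -Name $AdapterName -ComponentID $id
        Write-Output "DISABLED $label"
    } else {
        Write-Output "ENABLED  $label (would disable)"
    }
}

# DNS tab: 'Register this connection's addresses in DNS'.
$dns = Get-DnsClient -InterfaceAlias $AdapterName
if ($dns.RegisterThisConnectionsAddress) {
    if ($Apply) {
        Set-DnsClient -InterfaceAlias $AdapterName -RegisterThisConnectionsAddress $false
        Write-Output 'DISABLED DNS registration'
    } else {
        Write-Output 'ENABLED  DNS registration (would disable)'
    }
} else {
    Write-Output 'OK       DNS registration already off'
}

# WINS tab: 'Disable NetBIOS over TCP/IP'. No cmdlet covers this; it is the
# NetbiosOptions value (0 = from DHCP, 1 = enable, 2 = disable) under the
# interface's NetBT key, which is named after the adapter's interface GUID.
$guid = (Get-NetAdapter -Name $AdapterName).InterfaceGuid
$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$guid"
$nb   = (Get-ItemProperty -Path $key -Name NetbiosOptions).NetbiosOptions
if ($nb -eq 2) {
    Write-Output 'OK       NetBIOS over TCP/IP already disabled'
} elseif ($Apply) {
    Set-ItemProperty -Path $key -Name NetbiosOptions -Value 2
    Write-Output 'DISABLED NetBIOS over TCP/IP'
} else {
    Write-Output "ENABLED  NetBIOS over TCP/IP (NetbiosOptions=$nb, would set 2)"
}
```

Run it once without -Apply to see what a machine still has enabled; the report lines double as a quick audit of a box someone else set up.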


----------



## ckphilli (Apr 29, 2006)

Great idea for a thread:up: Hopefully Cookie sees this and adds some of her infinite wisdom. I'm gearing this towards home use...as I think this is what you were targeting.

Couple of things to add...

This is very basic, but important, IMO. -

*User accounts*

*Password protect* them; if possible use a strong password/pass phrase - 8+ characters, upper/lower case alpha, numeric, and special. Keep birthdays, names, dictionary words out of it, ex: [email protected]$g#1

For many of us, this seems like overkill and I understand that. But the better the password, the more time it takes to crack. By adding a password to your account and enabling password protection when the screen saver activates, you add another layer of security. Also, you keep family members, etc. from downloading content to your machine, whether intentional or not.

Set up an *admin account* with the same privileges but a *different user name* and delete the admin account. The evil folks know that every machine has an admin account named "admin". It goes without saying that they will attempt the easiest way in.

*Testing*

There are many tools on the internet to test your security. I'm shy to post any of them because of the method they use. If interested, visit http://sans.org/. There is a wealth of information concerning OS hardening and testing. Please do not PM me for testing tools as I will not be held responsible for any "problems" that may occur due to my advice.

That's it for now. Don't want to write a book of a post. Thanks again Lunar :up:


----------



## lunarlander (Sep 22, 2007)

Start/Administrative Tools/Services

(If you don't see an Administrative Tools menu, right click the start button, choose Properties. Next to the start menu radio button, click the Customize button. Then on the scroll list, scroll to the bottom. There you will see the item "System administrative tools"; select "Display on All Programs menu and the Start Menu".)

Disable these services. Right click the service name, choose Properties, select Disable from the "Startup type" pulldown.
-
Name / Original Startup Mode
Adaptive Brightness /manual ( Windows 7 RC only)
Bluetooth support service /manual 
BranchCache /manual ( Windows 7 RC only)
Offline files /automatic
Secondary logon /manual
UPnP Device host /manual
SSDP Discovery /manual
Tablet PC Input Service /manual
Terminal Service /? ( vista only )
Telephony /manual (affects Remote Access - Connection mgr/ VPN)
Web Client /manual
Server /automatic (File and Printer Sharing; HomeGroup)
Workstation /automatic (File and Printer Sharing; HomeGroup)
WinHTTP Web Proxy auto discovery /manual
Remote Registry /manual
Function discovery resource publication /automatic (HomeGroup)
Computer Browser /manual
IP Helper /automatic ( ipv6 tunnelling )
Health Key Certificate Management /manual
Net.tcp port sharing service /?
NetLogon /manual
Network Access Protection Agent /manual
Peer Name Resolution Protocol /manual
Peer Networking Grouping /manual
Peer Networking Identity Mgr /manual
PNRP Machine Name Publication Service /manual


The above are the services that I don't use - I only use this PC to surf the internet and play games. I must stress that disabling the above services may not work for you. For example, I disabled the Tablet PC Input Service; if you have a tablet PC, then you will need this service and shouldn't modify it. Another example is "Terminal Service"; this is the Remote Desktop server. If you use Remote Desktop to connect to your PC, then you shouldn't disable this. Another example is the Network Access Protection Agent; this service is used by Windows Server to check if your PC has up to date security updates and other security programs. Some companies use this feature to ensure that travelling laptops do not bring back viruses to the company network. If you disable this service, your company's Windows Server may not allow you to connect to their network.

Network facing code - services that accept input from the network or internet, are open to attackers anytime. Services like SSDP Discovery and Function Discovery are examples. Vulnerabilities may not currently publicly exist, but may be discovered in the future. So it is prudent to disable them if you don't use those features.

When you click on a service name, an explanation is shown on the left. When you look at the properties of a service, there is a Dependencies tab, which shows you the relationships it has with other services. Disabling one service can stop another service. You have to carefully review both the explanation and dependencies before disabling any service.

I listed the original startup mode so you can revert a particular service's setting back to its original state if needed.

Disabling unneeded services presents a smaller interaction space for the attacker, be it automated malware or live hacker. Prevention is better than a cure. Lock-downs are the former, and antivirus programs are the latter.
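The two safeguards lunarlander describes (record the original startup mode, check the Dependencies tab) can be built into the script that does the disabling. This is an added example, not the post's own procedure; the short service names are my mapping of the display names above, and it assumes PowerShell 5.1 or later for the StartType property and an elevated session.

```powershell
# Added example, not from the thread: disable the services in the post's list, but
# record each one's current startup type first (for the revert the post mentions)
# and skip any service that a running service depends on (the Dependencies tab).
# Assumes PowerShell 5.1+ (StartType property) and an elevated session.
param(
    [string]$BackupCsv = "$env:USERPROFILE\service-startup-backup.csv",  # assumed path
    [switch]$Apply
)

# Short service names for the display names in the post (my mapping, not the post's).
$targets = 'SensrSvc','bthserv','PeerDistSvc','CscService','seclogon','upnphost',
           'SSDPSRV','TabletInputService','TermService','TapiSrv','WebClient',
           'LanmanServer','LanmanWorkstation','WinHttpAutoProxySvc','RemoteRegistry',
           'FDResPub','Browser','iphlpsvc','hkmsvc','NetTcpPortSharing','Netlogon',
           'napagent','PNRPsvc','p2psvc','p2pimsvc','PNRPAutoReg'

$report = foreach ($name in $targets) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name is not installed on this build"; continue }

    $original   = $svc.StartType                      # captured before any change
    $dependents = @($svc.DependentServices | Where-Object Status -eq 'Running')

    if ($dependents.Count -gt 0) {
        $action = 'SKIPPED (running dependents)'
    } elseif ($original -eq 'Disabled') {
        $action = 'Already disabled'
    } elseif ($Apply) {
        Set-Service -Name $name -StartupType Disabled
        $action = 'Disabled'
    } else {
        $action = 'Would disable'
    }

    [pscustomobject]@{
        Name          = $name
        DisplayName   = $svc.DisplayName
        OriginalStart = $original
        Dependents    = ($dependents.Name -join ',')
        Action        = $action
    }
}

# The CSV is the revert record: Import-Csv it and feed OriginalStart back to
# Set-Service -StartupType for any service that needs to come back.
$report | Export-Csv -Path $BackupCsv -NoTypeInformation
$report | Format-Table -AutoSize
```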


----------



## lunarlander (Sep 22, 2007)

Locking down Windows. Part 3

For IE7
Go to /Program Files/Internet Explorer/iexplore.exe, right click, select "Run as Administrator"
Tools menu/Internet options/Advanced
Enable the 'Data Execution Prevention (DEP)' option

COMMENT: Vista's default browser IE7 doesn't have Data Execution Prevention turned on because, I think, at the time IE7 was released some add-ons weren't programmed correctly to use that feature. Almost all add-ons are now functional with this turned on, and IE8 has it turned on by default. DEP is a key prevention technology that stops exploits.

Start button /Right Click Computer/ Properties/ Advanced System Settings
/Performance Settings button/ Data Execution Prevention Tab
Select "Turn on DEP for all programs ..."

Right click on Desktop/ Personalize / Screen Saver
Wait: 10 minutes; checkmark "On resume, display Logon screen"

( For Vista Only )
Start button / Administrative Tools / Event Viewer
Create Custom View, for the following EventIDs;
-
HOWTO: For each line below, click 'Create Custom View'. Select 'By Log', pull down 'Event Logs', checkmark 'Windows Logs', move to the field marked "<All Event IDs>" and type in the event ID numbers as shown below, click OK and name the view.
-
4723,4724 - Change Password
4720,4726,4738,4781 - Change, Delete, Change Accounts
4608,4609 - Startup, Shutdown
4613 - Clear Security Log
4616 - Change System Time
4617 - Unable to Log
4714,4705 - privilege assigned or removed
4708,4714 - change audit policy
4717,4718 - system access granted or removed
4739 - change domain policy
16390 - administrator account lockout
4727-4730,4731-4734,4735,4737,4784,4755-4758 - group changes
4624,4636,4803,4801 - account logons
4672 - admin account logons
4698 - schedule new job
4656 - access refused to object
3004,3005 - windows defender finds something
4664 - create hard link to audited file
865 - software restriction triggered

COMMENT: the event IDs are taken from a Microsoft publication for security monitoring. These are the important security events that you should look into. I recommend inspecting these twice a month. For example, if you find one day that audit policies have changed, or that someone has logged into your admin account at 3am, then you would at least be aware that something is wrong. If you don't view the event logs, you won't know what is happening to your PC. Also examine the events listed in the main page - "Summary of Administrative Events". Expand and double click those listed in the "Critical", "Error" and "Warning" sections.

Use a standard account for your internet browsing, email and daily work. Only use the admin account when you are initially setting up your machine or have to install some program. Then those log entries showing admin account logons will really stick out. Also, malware will have problems installing when you use a standard account, because you don't have system wide modification privileges. You may moan about this if you are the type that constantly installs new software, trying out this and that, because you will need to switch user and log in to your admin account often. But security is balanced against convenience. And to do it properly, you have to use the facilities in the way they are designed. Use the admin account only when needed.

Windows Defender is a pretty silent running program, but here in the event viewer is where you see what it detects.
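The custom view above can also be run as a query, which makes the twice-a-month review a one-liner and lets you flag the "admin logon at 3am" case directly. This is an added example, not part of the post; it uses the post's event IDs and labels as given, and assumes PowerShell 3 or later and an elevated session (the Security log is not readable otherwise).

```powershell
# Added example, not from the thread: pull the event IDs from the post's custom
# view for the last N days across the Windows logs, list them, and flag admin
# logons (4672) in the small hours. Assumes PowerShell 3+ and an elevated
# session (the Security log needs it).
param([int]$Days = 15)   # the post suggests a look twice a month

$since = (Get-Date).AddDays(-$Days)

# The post's IDs, grouped under the post's own labels. Each group is queried on its
# own because Get-WinEvent -FilterHashtable rejects more than about 20 IDs at once.
$watch = [ordered]@{
    'Change Password'                  = 4723,4724
    'Create, Delete, Change Accounts'  = 4720,4726,4738,4781
    'Startup, Shutdown'                = 4608,4609
    'Clear Security Log'               = 4613
    'Change System Time'               = 4616
    'Unable to Log'                    = 4617
    'Privilege assigned or removed'    = 4714,4705
    'Change audit policy'              = 4708,4714
    'System access granted or removed' = 4717,4718
    'Change domain policy'             = 4739
    'Administrator account lockout'    = 16390
    'Group changes'                    = @(4727..4735) + 4737 + 4784 + @(4755..4758)
    'Account logons'                   = 4624,4636,4803,4801
    'Admin account logons'             = 4672
    'Schedule new job'                 = 4698
    'Access refused to object'         = 4656
    'Windows Defender finds something' = 3004,3005
    'Create hard link to audited file' = 4664
    'Software restriction triggered'   = 865
}

$hits = foreach ($label in $watch.Keys) {
    $filter = @{
        LogName   = 'Security','System','Application'   # the post's 'Windows Logs'
        Id        = [int[]]$watch[$label]
        StartTime = $since
    }
    # SilentlyContinue: Get-WinEvent raises an error when a group has no matches.
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Category = $label
            Log      = $e.LogName
            Summary  = ($e.Message -split "`r?`n")[0]
        }
    }
}

$hits | Sort-Object Time | Format-Table Time, Id, Category, Log, Summary -AutoSize

# Counts per category make a sudden burst (failed logons, policy changes) obvious.
$hits | Group-Object Category | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# The post's "someone logged into your admin account at 3am" check.
$hits | Where-Object { $_.Id -eq 4672 -and $_.Time.Hour -lt 6 } |
    Format-Table Time, Summary -AutoSize
```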


----------



## lunarlander (Sep 22, 2007)

Windows Explorer/ Organize/ Folder and search options / View tab 
CHECKMARK items below
-Always show menus
-Display the full path in the title bar
-Show hidden files, folders and drives
UNCHECK items below
-hide empty drives in computer folder ( Windows 7 only )
-hide extensions for known file types
-hide protected operating system files

Start Menu, Right Click Computer/ Properties
At the bottom, click on Activate Windows
(Do windows activation before setting up firewall outbound blocking below)

Start Menu, Administrative Tools/Windows Firewall with Advanced Security
/Windows Firewall Properties link 
- Go to each profile tab, and set Outbound connection = Block
- Go to Public Profile tab/Logging/Customize
-- Size Limit = 999999 KB
-- Log Dropped packets = Yes

=== Firewall Rules ===
HowTo allow a Windows service outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Custom', next to 'Services' click Customize, select 'Apply to this service', scroll and find 'Windows Update', next, ports and protocol (no change), next, IP addresses (no change), next, select 'Allow The Connection'. Checkmark all 3: "Domain", "Private" and "Public". Give the rule a name, eg "Allow service X".

HowTo Allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule', Select "Program", next, select "This program Path" and click on "Browse" button, Navigate to program folder and select the EXE, next, select "Allow the connection", Checkmark all 3 "Domain", "Private" and "Public". Give the rule a name, eg "Allow Program X".

Outbound/ allow service 'Windows update'
Outbound/ allow service 'Software License' (VISTA only)
Outbound/ allow service 'Windows Time'
Outbound/ allow program '\Program files\Windows Media Player\wmplayer.exe'
Outbound/ allow program '\Program files\internet explorer\iexplore.exe'
Outbound/ allow program '\Windows\HelpPane.exe' ( Windows Help, when it fetches more online help )
Outbound/ allow program '\windows\ehome\ehshell.exe' ( Media Center )
Outbound/ allow program '\windows\system32\wercon.exe' ( Vista's windows problem reporting)
Outbound/ allow program '\windows\system32\werfault.exe' ( windows problem reporting )
Outbound/ allow program '\windows\system32\werfaultSecure.exe' ( windows problem reporting )
Outbound/ allow program '\program files\windows defender\MSASCui.exe'
Outbound/ allow program '\program files\mcafee\site advisor\mcsacore.exe' ( McAfee SiteAdvisor)
Inbound/ Disable Rule, for all items listed with name like 'Core Networking'...'ICMPv6-In'
Inbound/ Disable Rule, 'Teredo - UDP In'
Inbound/ Disable Rule, For all items listed with 'Remote Assistance' section
Inbound/ Disable Rule, for all items listed with 'Network Discovery' section
Outbound/ Disable Rule, for all items listed in 'Core Networking' with 'IPv6'
Outbound/ Disable Rule, 'Core Networking Teredo UDP out'
Outbound/ Disable Rule, for all items starting with 'Network Discovery' section
Outbound/ Disable Rule, for all items starting with 'Remote Assistance' section

COMMENTS: Windows 7 and Vista's firewall defaults to allow all outbound communications, which means any program including spyware/malware can call home. The best protection is a white list allowing only programs that you approve and know about to talk to the internet. Thus we turn on outbound blocking and make a rule to allow each individual program out as needed. Windows XP users are not as lucky, as there is no outbound blocking feature at all on that platform, and will need to use a third party firewall.

Looking at the GUI of Windows Firewall with Advanced Security, it is easy to overlook that some rules apply to several network profiles. You have to expand the Profile column to see which profile(s) a rule works in, as the default layout has the column width set to display just one word.

There is this concept called 'defence in depth', and it doesn't hurt to have overlapping layers/methods of defence. Hence, even though the network discovery protocols are unchecked above, we disable the firewall rules that allow that kind of network traffic.

If you use AVG Free Antivirus, here is the list of EXEs you need to allow outbound: 
avgam.exe 
avgcmgr.exe 
avgemc.exe 
avgiproxy.exe 
avgnsx.exe 
avgtray.exe 
avgui.exe 
avgupd.exe 
avgwdsvc.exe

Sometimes, you need to allow a program to reach the internet, but don't know which EXE to specify in an outbound firewall rule. And Windows doesn't tell you which program is attempting to gain access. There is a free program called Vista Firewall Control. It sits in the system tray and slides open a window telling you just that. It will also pop up a dialog box asking if you want to enable this program to access the internet. If you select "Enable" then you don't need to make up an outbound rule in Vista's Firewall with Advanced Security. It works with Vista's built-in firewall and understands all the rules that you have specified already. Vista Firewall Control is available from here:

http://www.sphinx-soft.com/Vista/index.html
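The outbound allow-list setup from this post, scripted. This is an added example rather than the post's own clicks: it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later; Vista and 7 expose the same settings through netsh advfirewall), that Windows activation has already been done as the post advises, and that the programs live under the default %SystemRoot% and %ProgramFiles% locations.

```powershell
# Added example, not from the thread: the post's outbound allow-list firewall setup
# done with the NetSecurity cmdlets (Windows 8 / Server 2012 or later; Vista and 7
# use netsh advfirewall for the same settings). Run elevated, after activation,
# as the post advises. Report-only unless -Apply is given. Program paths are the
# post's, assumed under the default %SystemRoot% and %ProgramFiles%.
param([switch]$Apply)

# 1. Default-deny outbound on every profile; log dropped packets on Public.
#    (The cmdlet caps the log at 32767 KB; the post's 999999 is the GUI maximum.)
if ($Apply) {
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
    Set-NetFirewallProfile -Profile Public -LogBlocked True -LogMaxSizeKilobytes 32767
} else { Write-Output 'would set: DefaultOutboundAction=Block on all profiles' }

# 2. Allow-list rules. Services are matched by short name, programs by path.
$serviceRules = [ordered]@{
    'Allow service Windows Update' = 'wuauserv'
    'Allow service Windows Time'   = 'W32Time'
}
$programRules = [ordered]@{
    'Allow Program Internet Explorer'     = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    'Allow Program Windows Media Player'  = "$env:ProgramFiles\Windows Media Player\wmplayer.exe"
    'Allow Program Windows Help'          = "$env:SystemRoot\HelpPane.exe"
    'Allow Program Problem Reporting'     = "$env:SystemRoot\System32\WerFault.exe"
    'Allow Program Problem Reporting (S)' = "$env:SystemRoot\System32\WerFaultSecure.exe"
}
foreach ($name in $serviceRules.Keys) {
    if ($Apply) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Service $serviceRules[$name] -Profile Domain,Private,Public | Out-Null
    } else { Write-Output "would add: $name -> service $($serviceRules[$name])" }
}
foreach ($name in $programRules.Keys) {
    $exe = $programRules[$name]
    if (-not (Test-Path -LiteralPath $exe)) { Write-Warning "$exe not found, skipping"; continue }
    if ($Apply) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Program $exe -Profile Domain,Private,Public | Out-Null
    } else { Write-Output "would add: $name -> $exe" }
}

# 3. Defence in depth: switch off the built-in rule groups the post disables, in
#    both directions, plus the IPv6/ICMPv6/Teredo rules inside Core Networking.
foreach ($group in 'Network Discovery','Remote Assistance') {
    if ($Apply) { Disable-NetFirewallRule -DisplayGroup $group }
    else { Write-Output "would disable group: $group" }
}
$v6 = Get-NetFirewallRule -DisplayGroup 'Core Networking' |
      Where-Object { $_.DisplayName -match 'IPv6|Teredo' }
if ($Apply) { $v6 | Disable-NetFirewallRule }
else { $v6 | ForEach-Object { Write-Output "would disable: $($_.DisplayName)" } }
```

Once outbound blocking is on, the Public profile log (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log by default) shows DROP lines for anything that is not on the list, which is the quickest way to find the EXE a new program needs.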


----------



## aka Brett (Nov 25, 2008)

awesome idea for a thread........what i do has already been posted,but am subscribing:up:


----------



## lunarlander (Sep 22, 2007)

Locking down Windows - part 5.

(Vista Business, Vista Ultimate, XP Professional ) 
Start button/Administrative Tools/Local Security Policy
/Account Policies/Account lockout policy
- Account lockout threshold - 10 invalid logon attempts
/Account Policies/Password Policy
- Minimum password length - 14 characters
/Software Restriction Policy, right click and select "Create policy...", then the settings will appear on the left.
- Security Level- Disallowed
- Enforcement - Apply software restriction policies to : select "All software files" ( CAUTION: don't set this on Windows 7 RC) 
- Designated File Types - find 'LNK' ( Shortcut ), click REMOVE button.
/Local Policies/Security Options
- DCOM: Machine Access Restrictions... click 'Edit Security' button and modify all 4 entries to UNCHECKMARK 'remote access'
- DCOM: Machine Launch Restrictions... click 'Edit security' button and modify all 4 entries to UNCHECKMARK 'remote launch' and 'remote activation'
- Devices: Prevent users from installing printer drivers - enabled
- Devices: Restrict CD-ROM access to locally logged on users - enabled
- Network access: Named Pipes that can be accessed anonymously - empty all entries ( Vista only, Windows 7 defaults with no entries)
- Network access: Do not allow anonymous enum of SAM account and shares - enabled
- Network access: Remotely accessible registry paths and subpaths - delete all entries
- Network access: Remotely accessible registry paths - delete all entries
- User Account Control: Behavior of the elevation prompt for standard users: 
-- (for Windows 7 RC) Prompt for Cred on Secure Desktop
-- (for Vista ) Automatically deny elevation request
- User Account Control: Behavior of the elevation prompt for admin users: 
-- (for Windows 7) Prompt for Cred on Secure Desktop
-- (for Vista ) Prompt for consent
/Local Policies/User Rights Assignment/Access this computer from the network: empty all entries
/Local Policies/Audit Policy: audit the following for success and failure
- Audit account logon events
- audit account management
- audit logon events
- audit policy change 
- audit privilege use
- audit system events
/Network List Manager Policies
- Unidentified Networks - treat as public
- Identifying Networks - treat as public
---

COMMENTS: Giving yourself 10 guesses at the correct logon password is generally good enough; the feature locks the account for 30 mins after those 10 failed tries. Having a good long password is good enough to foil brute force guessing, so I didn't turn on the rule that requires complexity. HOWEVER, you should use passphrases, not passwords. E.g. the phrase 'Captain Kirk is the captain of the USS Enterprise NCC1701' becomes the password 'ckitcotussencc1701'. 

Software Restriction Policy, when turned on, trusts all the programs in 2 folders: \Program Files and \Windows. Anything else cannot run. And, without an admin account, you cannot install programs to those two folders. So, when you surf the web, and some malicious web site downloads something to the internet temp folder and tries to execute it, it will fail. Also, tricky standard account users who install an unauthorized program into the Documents folder will also not be able to run it. We remove the LNK extension from SRP enforcement because shortcuts that point to programs in other folders will fail to run too. This leaves very little room for malware to mess around. 

DCOM programs are just programs, and we shouldn't allow remote access to anything. They could be exploitable just like anything else. 

Account names (SAM) and folder shares should not be queryable across the network; a hacker who gets the names has won half the battle. 

Named Pipes and Registry entries don't have to be accessible across the network, at least not in a Workgroup setting. Maybe it is needed when you have a Windows Server. So wipe out all the named pipes and registry entries listed. This also begs the question as to which ports and which service is Windows using to access these named pipes and registry keys. I hope those ports are blocked when you select the 'Public' firewall profile.

User Account Control (UAC) prompts are widely accused of being overly annoying. But I have once gone to a web site where a UAC prompt suddenly appeared asking for system administration privileges. I have since learned to like UAC and its warnings. Without UAC, malware would have likely obtained the privilege to install silently. (Poor XP users.) When you log on to Windows, Windows gives you account tokens, which you use when changing system settings. In Vista, the administrative token is given to you if you log on as admin, but is held apart separately until it is needed; then Vista prompts you to confirm that you intentionally requested that action. It is a good security idea borrowed from Unix/Linux, where they have had this feature for a long time. 

For UAC behavior for a standard account, Vista offers the choice of 'deny elevation request', which is the safest. With Windows 7 RC, MS has removed that choice. The second best thing is to "request for credentials on a Secure Desktop" (the Secure Desktop is the one where the background is dimmed). If you have an account for visitors like I do, you don't really want them to have the ability to mess around with system settings, so setting UAC to automatically deny standard users is good. Windows 7 RC removed that choice and gives the standard user the account name of the admin and prompts for the password. That just invites the user to go try and discover the admin password and I don't like it. Oh well. 

In Windows XP Professional and Vista Business/Ultimate, all security event logging is turned off by default. Without inspecting the logs (using Administrative Tools/Event Viewer) once in a while, you really don't know what is happening to your machine. Hackers can be logging into your account at night and setting up all sorts of things unbeknownst to you. Hence I turned on all the normal auditing. Most things of importance are logged in the event viewer.
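A read-only check that a machine actually carries the Local Security Policy values from this post, so drift (a reverted audit policy, a re-populated anonymous pipe list) shows up without opening the MMC. This is an added example, not the post's procedure; it uses secedit.exe and auditpol.exe, which ship with Windows, reads the registry values that the policy editor writes for the three "Network access" settings, and assumes an elevated session and a scratch path under %TEMP%.

```powershell
# Added example, not from the thread: read-only check of a machine against the
# Local Security Policy values in the post. secedit.exe exports the account and
# lockout policy to an INF, auditpol.exe reports the audit categories, and the
# anonymous-access settings are read from the registry keys the policy editor
# writes. Run elevated. The scratch INF path is assumed.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $inf /quiet | Out-Null

# Parse the INF into section -> key -> value.
$policy = @{}; $section = ''
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($line -match '^([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue
$sys     = $policy['System Access']
$lockout = [int]$sys['LockoutBadCount']          # 0 means the account never locks
$minLen  = [int]$sys['MinimumPasswordLength']

$checks = @()
$checks += [pscustomobject]@{ Setting = 'Account lockout threshold (post: 10)'; Actual = $lockout; Ok = ($lockout -ge 1 -and $lockout -le 10) }
$checks += [pscustomobject]@{ Setting = 'Minimum password length (post: 14)';   Actual = $minLen;  Ok = ($minLen -ge 14) }

# Registry values behind three of the post's Security Options.
$lsa    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pipes  = @((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters').NullSessionPipes | Where-Object { $_ })
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$paths  = @((Get-ItemProperty -Path "$winreg\AllowedPaths").Machine) + @((Get-ItemProperty -Path "$winreg\AllowedExactPaths").Machine)
$paths  = @($paths | Where-Object { $_ })
$checks += [pscustomobject]@{ Setting = 'No anonymous enumeration of SAM/shares'; Actual = "RestrictAnonymous=$($lsa.RestrictAnonymous)"; Ok = ($lsa.RestrictAnonymous -eq 1) }
$checks += [pscustomobject]@{ Setting = 'Named pipes accessible anonymously';     Actual = $pipes.Count; Ok = ($pipes.Count -eq 0) }
$checks += [pscustomobject]@{ Setting = 'Remotely accessible registry paths';     Actual = $paths.Count; Ok = ($paths.Count -eq 0) }

# Audit policy: the post wants success and failure for these six categories.
foreach ($cat in 'Account Logon','Account Management','Logon/Logoff','Policy Change','Privilege Use','System') {
    $rows    = auditpol.exe /get /category:"$cat" /r | Where-Object { $_ } | ConvertFrom-Csv
    $partial = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
    $checks += [pscustomobject]@{ Setting = "Audit $cat"; Actual = "$($partial.Count) subcategories below Success and Failure"; Ok = ($partial.Count -eq 0) }
}

$checks | Format-Table Setting, Actual, Ok -AutoSize
if ($checks | Where-Object { -not $_.Ok }) { Write-Warning 'Some settings differ from the post; review the table above.' }
```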


----------



## Tact (Sep 9, 2002)

oh. now i see what "locking down" means. that is very cool. i suppose i've done a very weak form of it when i disable some services as instructed by some online guides. 

i like it but it also seems like soooo much to do. i wonder if someone could maybe make a program that could do all this with a single button press. 

HOLY smokes at the power of Software restriction policy on part5 of your guide! can XP really do that? that sounds AWESOME! 

i will definitely have to take a whole day to read this thread more thoroughly. thanks a lot.


----------



## lunarlander (Sep 22, 2007)

http://www.osnews.com/story/21424


----------

