Securing Microsoft Windows (2000/XP/2003)

by Guillaume Kaddouch, November 2006

INDEX TABLE

INTRODUCTION ... 3
I – KEEPING YOUR WINDOWS UP TO DATE ... 4
  1.1. Enabling Automatic Windows Update ... 4
  1.2. Checking Microsoft Office updates ... 5
II - CONFIGURING WINDOWS SERVICES ... 6
  2.1. Disabling unneeded Windows services ... 6
  2.2. Setting services startup to manual ... 9
III – REMOVING UNNEEDED PROGRAMS AT STARTUP ... 10
IV - RUNNING EXPOSED PROGRAMS WITH RESTRICTED RIGHTS ... 11
  4.1. Identifying 'critical' or 'exposed' applications ... 11
  4.2. Setting restricted rights for a given program (WinXP PRO/Win2K3) ... 11
  4.3. Setting restricted rights for a given program (WinXP Home/Win2K) ... 14
V - CONFIGURING FILES AND EXTENSIONS DISPLAY ... 15
VI - SETTING UP STRONG PASSWORDS ... 16
  6.1. Password complexity ... 16
  6.2. Password diversity ... 16
CONCLUSION ... 18

Securing Microsoft Windows

2/18

Guillaume Kaddouch

INTRODUCTION

This guide is for the average user, or a new user who has just bought a computer, and who is willing to secure his Windows operating system. It does not contain complex tips meant for advanced users, but rather the basics of Windows security for everyday use. There is nothing incredible or previously unknown in this guide, so if that is what you are looking for, you can skip it. The purpose of this paper is to help you configure your OS securely, and to disable some dangerous default settings.

I have come across badly infected computers, and some of them had at least one antivirus, and even a firewall. Nowadays malware is more aggressive than ever, and is increasingly using user-mode rootkits to hide its files and processes, while attacking your main security applications to disable them. Some of these infected systems were not without security, but the users had randomly added some security software without understanding what they were doing. Security is not a setup executable that you can install and forget; it is a global process, beginning with the OS (configuring it), and requiring understanding and awareness from the person securing the system.

Usually, when you first get a computer and ask for advice on securing it, you are told to install various security software, such as an antivirus. However, following this way, you are adding security on top of something insecure by default: your operating system. Windows is your security foundation; if it is weak, everything on top of it can collapse. For instance, a malware could exploit a known Windows vulnerability in a service running by default in order to execute, but if this vulnerability is patched and the service is disabled, then the malware is dead in its tracks. Thus, you must take care of Windows itself first; this is as critical as laying the foundations of a building.

In what follows, we will see together how to decrease your exposure to various threats: by disabling unneeded Windows services, configuring a few Windows options, setting up updates, controlling what starts up, setting strong passwords, and setting up the rights and privileges of some critical programs. This guide applies to Windows XP Home Edition and Professional Edition, Windows 2000, and Windows 2003. However, some general advice is true for all OSes, so it is still worth reading this guide even if you have Windows 98.


I – KEEPING YOUR WINDOWS UP TO DATE

Updating your OS, and keeping it updated at all times, is the most critical step to begin with. You can have the most secure computer in the world, but if you have critical unpatched vulnerabilities, they can be exploited against you and potentially bypass all of your security measures. A vulnerability can be exploited either locally or remotely, and can be used to disable some of your security software and/or to execute arbitrary code.

1.1. Enabling Automatic Windows Update

There are different possibilities; the easiest is to set Automatic Updates to check for updates, download them, and install them automatically, without your intervention. To do so, click on the Start button, launch the Control Panel, then click on the “Automatic Updates” icon:

You can then select the first option, “Automatic (recommended)”:

However, I advise configuring updates to notify you when new updates are available, without downloading them. Thus you will be able to choose when to download them, and to uncheck updates you may not want, such as the Windows Genuine Advantage Notification update, for instance:


Either way, the purpose is to apply updates as soon as they are available, to prevent in-the-wild malware from exploiting these vulnerabilities against you. Most of the exploited vulnerabilities are, surprisingly, already known ones for which a fix has been available for a long time (sometimes more than a year!). Some trojans and spyware target patched flaws because they know some people never update their Windows. If you prefer to check for updates manually, you can go to: http://windowsupdate.microsoft.com/

1.2. Checking Microsoft Office updates

If you have Microsoft Office installed, you should go there: http://office.microsoft.com

There are often critical flaws discovered in Microsoft Word or PowerPoint, consequently you should keep an eye on Microsoft Office updates as well. It goes a little beyond “Securing Windows”, but since Microsoft Office is often part of the default installation when buying a new computer, I think it is as important to talk about it as Windows itself. Moreover, Microsoft Office, once installed, is integrated into the OS, and its vulnerabilities can hurt your whole system (e.g. Word will be the default viewer for .doc files and can be triggered automatically from your Internet browser). While we are at it, there is a free alternative to Microsoft Office: OpenOffice.org. It includes the same components, corresponding to Word/Excel/PowerPoint/Access, and is compatible with Microsoft Office. While Microsoft Office 2003 Professional has suffered 15 critical vulnerabilities so far in 2006, OpenOffice.org 2.x has only had 2 non-critical ones. Of course this could be explained by Microsoft Office being more targeted; anyone is free to interpret these statistics.

You can grab OpenOffice.org there : http://www.openoffice.org/


II - CONFIGURING WINDOWS SERVICES

This is one of the steps most overlooked by people buying a new computer. A service is a component which brings a functionality to Windows, and enables you to do a particular task. For instance, if you want to print, the Spooler service must be enabled; otherwise, Windows will refuse to print. The same goes for file sharing on a LAN: if the Server service is disabled, you won't be able to share any files.

Regarding security, some services running by default are dangerous for your system. For instance, some services open up your system to the network, making it directly attackable remotely. Such services are RemoteRegistry, Messenger (not to be confused with MSN Messenger, which is an external application), and Server. There are more; these are just common open holes. Generally, in security, you must close any service or feature you do not use, to reduce your exposure surface (your entry points). A patched flaw in a service prevents it from being abused through a known vulnerability (as explained in the first chapter), but the service is still exposed to the Internet at large, and could be vulnerable to flaws yet to be discovered (0-day exploits).

2.1. Disabling unneeded Windows services

Some of the services I describe below are sometimes necessary if you need a particular feature (e.g. the WZCSVC service, which is labelled “Wireless Configuration Service”). You should not disable a service if you need what it does. Consequently, when going through the list of services I give below and advise to disable, you should be aware of your system and your particular setup, so as not to disable services necessary for your system. To access the service manager, click on the Start menu, then click Run. Enter “services.msc” without the quotes, and click OK.

The service names I will give are not the ones you can see under the “Name” column, but the ones you can see when you double-click on a service line. A new window appears, and in the first tab there is the “Service name” line. These names are the same for everyone, so it will be easier for you to spot them no matter your Windows language.


You can see in this example that the service called “IMAPI CD-Burning COM” under the “Name” column is internally named “ImapiService”. This is the difference between the “Display name” and the “Service name”. Below, I'm using the latter.

Services to keep (16):

  • RpcSs
  • AudioSrv (unless you don't have a sound card)
  • Dhcp (if you are on a network, LAN/WAN/Internet)
  • Netman (if you are on a network, LAN/WAN/Internet)
  • ShellHWDetection
  • ProtectedStorage
  • SamSs
  • Winmgmt
  • EventLog
  • DcomLaunch
  • wuauserv (unless you have disabled Windows automatic updates)
  • BITS (unless you have disabled Windows automatic updates)
  • Schedule
  • PlugPlay
  • CryptSvc
  • Themes (unless you do not use any theme)

Services you may need to keep depending on your system:

  • FastUserSwitchingCompatibility (if you are using the fast user switching feature)
  • WZCSVC (if you are on a wireless network)
  • Browser (if you need to browse LAN computers)
  • SharedAccess (if you are using the Windows XP firewall)
  • srservice (if you are using the restore feature)
  • Spooler (if you want to print)
  • lanmanserver (if you want to share files on a LAN)


Also please notice that some software, for instance security applications, install services on your system. It is impossible to write an exhaustive list, but usually if you see services related to your antivirus or firewall, of course do not disable them. All of the other services should be disabled. To disable a service, right-click on it, select “Properties”, and in the new window change the startup type to “Disabled” (instead of Automatic). Tweaking services is tedious. For the best safety you should disable your services one by one (except the aforementioned ones that you should keep) and check that you didn't lose any functionality (e.g. network, USB peripherals). It is impossible to show a list of services that you should disable, as everyone's system is unique (LAN/WAN/Internet/standalone, printer, scanner, USB peripherals, some software services, etc.).

You should be aware that some services not listed here may be vital for your system, and that disabling them may break some functionality. Do not disable services installed by your security applications. As I said above, disable them one by one, not all at once, and check that nothing is broken. If you can, make backups before applying this chapter.

A few services cannot be disabled using the services manager. For these, you can use the Windows Worms Doors Cleaner tool that I have written. It is available there: http://www.firewallleaktester.com/wwdc.htm

Disabling these services can also break a few applications that expect them to always be enabled. If it causes any problem, WWDC allows you to revert your modification.


2.2. Setting services startup to manual

There are services you need only occasionally, not every day. Besides being a waste of resources if you use them rarely, keeping them running is also against the security principle of disabling anything you do not use. However, you cannot disable them totally, as you do use them, even if not often. The solution is to set their “Startup type” to “Manual”. This way, as soon as the software or the Windows feature that uses this service needs it, it will be activated automatically. That is the best tradeoff between security and usability. Unfortunately, sometimes the software is not smart enough to start its own service, and you must go into the service manager and click on the “Start” button. The choice is up to you, between giving priority to security or to usability.

Also, you can set a service to Manual if you are unsure to need it or not.
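The review described in 2.1 and 2.2 can be scripted so that you see at a glance which services still start automatically without being on the lists above. This is an added example, not part of the guide or its author's tools; it reads Win32_Service through Get-WmiObject (PowerShell 2.0 or later, run as administrator), the security-software name fragments are an assumption to extend for your own products, and nothing is changed unless -Apply is given.

```powershell
# Added example, not from the guide: compare every service's startup type with
# the guide's keep-lists and report what is still "Auto" but not on them.
# Needs an elevated PowerShell 2.0 or later. Read-only unless -Apply is used.

# The 16 services the guide says to keep.
$KeepAlways = @('RpcSs','AudioSrv','Dhcp','Netman','ShellHWDetection',
    'ProtectedStorage','SamSs','Winmgmt','EventLog','DcomLaunch','wuauserv',
    'BITS','Schedule','PlugPlay','CryptSvc','Themes')

# The 7 services the guide says to keep only if you use the feature.
$KeepIfNeeded = @('FastUserSwitchingCompatibility','WZCSVC','Browser',
    'SharedAccess','srservice','Spooler','lanmanserver')

# Name fragments that usually belong to antivirus/firewall services. This list
# is my assumption ("kav" is the Kaspersky example the guide shows); extend it.
$SecurityHints = @('kav','avp','avg','mcafee','norton','symantec','firewall')

function Get-ServiceReview {
    # One object per installed service, classified by the guide's rules:
    # keep, keep-if-needed, security-software, or review (a candidate).
    foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
        $name  = $svc.Name
        $class = 'review'
        if ($KeepAlways -contains $name) {
            $class = 'keep'
        } elseif ($KeepIfNeeded -contains $name) {
            $class = 'keep-if-needed'
        } else {
            foreach ($hint in $SecurityHints) {
                if ($name -like "*$hint*" -or $svc.DisplayName -like "*$hint*") {
                    $class = 'security-software'
                }
            }
        }
        New-Object PSObject -Property @{
            Name        = $name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode     # Auto, Manual or Disabled
            State       = $svc.State         # Running or Stopped
            Class       = $class
        }
    }
}

function Get-ReviewCandidates {
    # Services the guide does not list and that still start automatically.
    Get-ServiceReview | Where-Object { $_.Class -eq 'review' -and $_.StartMode -eq 'Auto' }
}

function Set-ReviewCandidatesToManual {
    # Chapter 2.2's tradeoff: "Manual" rather than "Disabled", so a feature that
    # needs the service can still start it. Without -Apply it only prints what
    # it would change; apply one service at a time and re-test, as the guide says.
    param([switch]$Apply)
    foreach ($svc in (Get-ReviewCandidates)) {
        if ($Apply) {
            Set-Service -Name $svc.Name -StartupType Manual
            Write-Host ("Set {0} to Manual" -f $svc.Name)
        } else {
            Write-Host ("Would set {0} to Manual" -f $svc.Name)
        }
    }
}

# Report first; nothing is modified here.
Get-ReviewCandidates | Sort-Object Name |
    Format-Table Name, DisplayName, StartMode, State -AutoSize
Set-ReviewCandidatesToManual   # dry run; add -Apply to change startup types
```

Services your antivirus or firewall installed under a name the hint list does not match will show up as candidates, so read the report before using -Apply.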


III – REMOVING UNNEEDED PROGRAMS AT STARTUP

Services are not the only tasks launched at startup; other programs and applications also start then (often too many). Following the same principle of disabling what we don't need, this time we will disable what we don't need to start as soon as we log in (even if we will need it later). This will save resources, speed up Windows boot, and reduce our exposure while we start. To see what is launched at startup, go to the Start button, click Run, then enter “msconfig” without the quotes (not available on Windows 2000). You will be able to see, in the “Startup” tab, all of your applications launched at startup. Ideally, you should disable everything except your security software (antivirus, firewall, anti-spyware). Often there are “parasites” you can uncheck, such as your CD or DVD burning software, Microsoft Office, Adobe Reader, etc.

Obviously, do not disable your security applications: everything is unchecked on the screenshot above, but this is just for the example. Of course the above startup item “kav” (Kaspersky Antivirus) should stay checked. If you do not have access to msconfig, there is a free tool called Autoruns from Sysinternals: http://www.sysinternals.com/Utilities/Autoruns.html Also check your startup folder, located at “Start -> All Programs -> Startup”. Having the bare minimum starting up, and only the needed services, dramatically decreases your exposure to network and local threats, not to mention the advantage of having more resources available (CPU and memory).
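For Windows 2000, or when you want the startup list in text form, the same entries that msconfig's “Startup” tab and the Startup folder hold can be listed from PowerShell. This is an added example, not part of the guide or of Autoruns; the Run/RunOnce keys and the “Shell Folders” registry value are the standard Windows locations, while the security-software name patterns used to mark what to keep are an assumption.

```powershell
# Added example, not from the guide: list the Run/RunOnce registry entries and
# the contents of both Startup folders, and mark entries that look like
# security software (the only ones the guide says to keep checked).

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed name fragments of security products; extend for your own.
$SecurityHints = @('kav','avp','antivirus','firewall','anti-spyware')

function Get-StartupFolders {
    # Per-user Startup folder from .NET, all-users folder from the Shell Folders key.
    $shell   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $folders = @([Environment]::GetFolderPath('Startup'))
    $common  = (Get-ItemProperty -Path $shell -ErrorAction SilentlyContinue).'Common Startup'
    if ($common) { $folders += $common }
    $folders
}

function Get-StartupItems {
    # Returns Name / Command / Source / LooksLikeSecurity for every entry found.
    $items = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $items += New-Object PSObject -Property @{
                Name = $p.Name; Command = [string]$p.Value; Source = $key }
        }
    }
    foreach ($folder in (Get-StartupFolders)) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in (Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer })) {
            $items += New-Object PSObject -Property @{
                Name = $f.Name; Command = $f.FullName; Source = $folder }
        }
    }
    foreach ($item in $items) {
        $text  = ($item.Name + ' ' + $item.Command).ToLower()
        $isSec = $false
        foreach ($h in $SecurityHints) { if ($text -like "*$h*") { $isSec = $true } }
        # Everything with LooksLikeSecurity = False is a candidate to uncheck.
        Add-Member -InputObject $item -MemberType NoteProperty -Name LooksLikeSecurity -Value $isSec
    }
    $items
}

Get-StartupItems | Sort-Object LooksLikeSecurity, Name |
    Format-Table Name, LooksLikeSecurity, Command, Source -AutoSize
```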


IV - RUNNING EXPOSED PROGRAMS WITH RESTRICTED RIGHTS

Ideally, we should all use a restricted user account, unlike the default administrator account Windows gives us. Not having administrator privileges cuts off the vast majority of malware, and prevents it from doing any harm. Unfortunately, this is not always possible, due to some badly designed software which cannot run without administrator privileges. There are also video games refusing to let you play online because their anti-cheat component requires admin rights. Some software setups do not work properly when used with the “run as” command and fail to install. Also, some people find that running a restricted account is a real pain when they want to constantly install and remove software. If you can afford it, having a restricted user account is a very good point, and you can skip this chapter. If not, in the following you will see how to run critical applications with restricted rights while being on an administrator account.

4.1. Identifying 'critical' or 'exposed' applications

Not all of your applications are concerned. Generally, exposed applications are the network-enabled ones, because they can be reached, and thus abused, remotely. Some easy ones are your browser, your email client, your instant messaging application, your peer-to-peer client, or any other network-enabled application which may be either permanently running or very often used. You are the only one who can decide which applications are exposed on your side; I cannot give an exhaustive list. For instance you may be running a server (e.g. FTP) which is particularly exposed. At the very least, you should have your browser and email client.

4.2. Setting restricted rights for a given program (WinXP PRO/Win2K3)

For Windows XP Professional and Windows 2003 (go to the next part for Windows XP Home and Windows 2000): using the local policies manager, you can define restrictions so that any executable you wish automatically runs with restricted privileges, as if you were in a restricted user account. Before starting the local policies manager, there is a registry modification to make, in order to have the “Basic User” (meaning “restricted user”) option available. To start the registry editor, go to Start -> Run, enter “regedit” without the quotes, click OK, then go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

and add a DWORD value named “Levels” (right-click on the right pane, select “New”, then “DWORD”). Set its hexadecimal value to 20000 (it should appear as 0x20000).


Close the registry editor. Now go to Start -> Run and enter “secpol.msc” without the quotes; this will run the local policies manager. Click on Software Restriction Policies on the left side. Windows should say “No Software Restriction Policies Defined”. Right-click on “Software Restriction Policies”, and then click on “Create New Policies”:

Finally click on the Additional Rules folder.


Here we are at last: you can right-click on the right pane and select “New Path Rule”. In the Path text box, enter your application path (e.g. your browser). In the Security Level list, select “Basic User”, then click OK; that's all. Create as many rules as there are applications you want to restrict.

From now on, every time the restricted application runs, whether launched manually or automatically, it will not have administrator privileges.

Be aware that you may have to revert its rights to “Unrestricted” in order to update your application.
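The registry step of 4.2 can be scripted, and the path rules that secpol.msc stores can be read back to check which programs really run as “Basic User”. This is an added example, not part of the guide; run it as an administrator. The “Levels” value and its path come from the guide, but the CodeIdentifiers\<level>\Paths\{GUID}\ItemData layout and the level numbers (0 Disallowed, 0x20000 Basic User, 0x40000 Unrestricted) are my assumptions about how Windows stores Software Restriction Policies.

```powershell
# Added example, not from the guide: set the "Levels" DWORD from chapter 4.2
# and list the Software Restriction Policy path rules currently stored.
# Assumption: rules live under CodeIdentifiers\<level>\Paths\<guid>\ItemData.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Enable-BasicUserLevel {
    # Creates the "Levels" DWORD = 0x20000 the guide asks for, so that the
    # "Basic User" security level is offered when you create a rule.
    if (-not (Test-Path $SaferKey)) { New-Item -Path $SaferKey -Force | Out-Null }
    Set-ItemProperty -Path $SaferKey -Name 'Levels' -Value 0x20000 -Type DWord
    # Read it back; 131072 is the decimal form of 0x20000.
    (Get-ItemProperty -Path $SaferKey -Name 'Levels').Levels
}

# Assumed mapping of level subkey names to the names shown in secpol.msc.
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SaferPathRules {
    # Walks CodeIdentifiers\<level>\Paths\<guid> and returns one object per
    # path rule with its level name and the path it applies to.
    if (-not (Test-Path $SaferKey)) { return }
    foreach ($levelKey in (Get-ChildItem -Path $SaferKey)) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = [int]$levelKey.PSChildName
        $name  = $level
        if ($LevelNames.ContainsKey($level)) { $name = $LevelNames[$level] }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in (Get-ChildItem -Path $pathsKey)) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            New-Object PSObject -Property @{
                Level = $name
                Path  = $rule.ItemData          # the path entered in "New Path Rule"
                Rule  = $ruleKey.PSChildName    # the rule's GUID
            }
        }
    }
}

Enable-BasicUserLevel
# After creating rules in secpol.msc, confirm that your browser and email
# client appear under "Basic User" and nothing unexpected is "Unrestricted".
Get-SaferPathRules | Sort-Object Level, Path | Format-Table Level, Path, Rule -AutoSize
```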


4.3. Setting restricted rights for a given program (WinXP Home/Win2K)

For Windows XP Home and Windows 2000: as an alternative, you can use the DropMyRights tool from Michael Howard, available at this page: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

(original screenshot from Michael Howard)

As explained on the page, you have to create a shortcut which calls the DropMyRights executable, passing it as parameter the path of the executable you want to restrict. It is a little less user-friendly, as you have to click this shortcut every time: if by mistake you run the application directly, it will not be restricted, and the same applies if the application is run automatically, by a script for instance. Anyway, this great tool enables you to run critical programs with restricted privileges when your OS does not provide such a feature.


V - CONFIGURING FILES AND EXTENSIONS DISPLAY

For a long time, malware has tried to fool the user into believing he runs one thing, whereas it is something else. For instance you can see many files with a double extension, such as virus.txt.exe. The reason for this is that by default Windows hides known file extensions, such as .exe, .txt, .dll, etc. By naming a malicious file “malware.txt.exe”, Windows will hide the real extension, the “.exe”, and will display “malware.txt”. With the file having a text icon (as if it were a text file), the illusion is perfect. Also, some trojans will simply set the “hidden” attribute on their files. Since Windows does not show hidden files by default either, a trojan can easily hide from the user and trick him with no effort. Granted, if hidden files are not shown by default, it is because critical system files are hidden, so that the user cannot mistakenly delete what he cannot see or select. However, if you are not a system file serial killer, this feature works against you in favour of malware. There are also trojans using the super hidden file attribute, which corresponds to files having the system attribute + hidden attribute (very critical files). In what follows, you will be able to see them all. Launch the Explorer (Start -> Run -> explorer). In the Tools menu, select Folder Options. Go to the second tab, View. Under “Files and Folders”, check everything. Under “Hidden files and folders”, check the first one, “Show hidden files and folders”. Then below, uncheck everything (except, if you want, “remember folder settings”).
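The Folder Options settings of this chapter map to three registry values under the current user's Explorer\Advanced key, and once files are visible the two tricks described (double extensions and the system+hidden pair) can be searched for. This is an added example, not part of the guide; the Explorer\Advanced value names are the standard Windows ones, while the executable extension list and the default scan root are my choices.

```powershell
# Added example, not from the guide: apply chapter V's display settings for the
# current user, then report files that use the double-extension or the
# system+hidden ("super hidden") trick. Nothing is deleted; review the list.

$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-ExplorerShowEverything {
    # Default (weak) values are HideFileExt=1, Hidden=2, ShowSuperHidden=0.
    Set-ItemProperty -Path $Advanced -Name 'HideFileExt'     -Value 0 -Type DWord  # show known extensions
    Set-ItemProperty -Path $Advanced -Name 'Hidden'          -Value 1 -Type DWord  # show hidden files
    Set-ItemProperty -Path $Advanced -Name 'ShowSuperHidden' -Value 1 -Type DWord  # show system+hidden files
    # Explorer windows already open keep the old settings; new ones use these.
    Get-ItemProperty -Path $Advanced | Select-Object HideFileExt, Hidden, ShowSuperHidden
}

# Extensions Windows runs as programs or scripts (my list; extend as needed).
$ExecExt = @('.exe','.com','.scr','.pif','.bat','.cmd','.vbs','.js')

function Find-DisguisedFiles {
    # Scans $Root recursively, hidden files included, and reports files that
    # match either trick. Legitimate system+hidden files (desktop.ini,
    # thumbs.db, ...) will appear too: this is a list to review, not to delete.
    param([string]$Root = $env:USERPROFILE)
    $files = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        $reasons = @()
        # "malware.txt.exe": an executable extension behind another extension.
        $base = [System.IO.Path]::GetFileNameWithoutExtension($f.Name)
        if (($ExecExt -contains $f.Extension) -and ($base -match '\.[A-Za-z0-9]{1,4}$')) {
            $reasons += 'double extension'
        }
        # Super hidden: Hidden (2) and System (4) attribute bits both set.
        $attr = [int]$f.Attributes
        if ((($attr -band 2) -ne 0) -and (($attr -band 4) -ne 0)) {
            $reasons += 'system+hidden'
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{ Path = $f.FullName; Reason = ($reasons -join ', ') }
        }
    }
}

Set-ExplorerShowEverything
Find-DisguisedFiles | Format-Table Reason, Path -AutoSize
```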


VI - SETTING UP STRONG PASSWORDS

Once you have reduced the number of doors, the remaining ones should be well locked. A password may help prevent classical physical access (e.g. your child typing randomly on the keyboard), it will restrict shared file access to authorised users only, and it will cause a password prompt if administrator rights are needed from a restricted account. Having a blank password for the default administrator account is absolutely not advised. Taking a wider view, considering all of your installed software, you should set up a password everywhere you can (e.g. antivirus, firewall), especially to open your email client or browser settings. Once you have your security installed and configured, you should ensure its integrity won't be compromised, by password protecting it. If you cannot disable your security without answering prompts, neither can a malware.

6.1. Password complexity

A good password should not mean anything. Do not use as password words such as your kids' names, your mother's name, your favourite song, or anything found in the dictionary. Example: ypldsi

A password should be at least 8 characters long; the more characters there are, the stronger your password is. Example: apsldjsbch

A password should be composed of alphanumeric characters, in upper and lower case, as well as special characters. Example: 0)@fZ+”%KL5o

Passwords such as “admin”, “Donovan”, or “admin123”, etc. can be easily cracked.

6.2. Password diversity

Once you know how to create strong passwords, the last thing to (not) do is to use the same password everywhere... If your password is leaked, no matter how, everything falls with it. You should have as many different passwords as you have accesses. If for instance you need 10 passwords, create 10 different ones; do not use the same one ten times. “Great in theory... but not very practical” you might say, and you would be right. It is not easy to remember 10 passwords (or more) which purposefully have no meaning and are hence inherently difficult to remember. One way to achieve it anyway is to use third-party software which will store your passwords in an encrypted local database. Thus, you just need to remember one password to open your encrypted password database, and then you can see them all. You can use for instance “KeePass Password Safe”, which is free open source software: http://keepass.sourceforge.net/


CONCLUSION

When you keep your Windows up to date, no known vulnerability can hurt you in any way, or be used against you. Thus all of these lame browser exploits using one-year-old patched vulnerabilities won't affect you at all. By closing unneeded Windows services, especially the network ones (DCOM RPC, Messenger, etc.), you prevent them from being exploited by 0-day exploits using unknown, or not yet patched, vulnerabilities. By reducing the number of programs run at startup, you potentially reduce your exposure (e.g. IM or P2P software not starting automatically). Running critical applications with restricted rights cuts off most of the malware in the wild (trojans, spyware, worms, etc.), as it cannot modify critical system files, nor alter your security applications. Displaying all files and extensions regardless of their attributes gives you slightly more control over what is happening on your system, as some malware tries to fool you by using double extensions and super hidden files. Having strong passwords to lock down all of your security applications and settings completes the sealing of your system.

Then, and only then, you may think about adding security software. Too often, people load an incredible list of security software without knowing how it works or how the pieces interact with each other, without configuring them, and keep being infected. Theoretically, if your computer is well configured and locked down, and you are practising safe hex (safe habits), you should not need any application to secure your system. That shows how important it is to configure your system first. I do not advise following this way nevertheless, as unknown exploits could get past your defence anyway. A layered approach is always safer (securing Windows + adding security software). However, it is pointless to install an incredible load of security software.

Security is not quantified by the number of security applications installed. Security must be based on strong foundations: your OS, but also your knowledge of it, and your safe habits. Then you can improve it by adding, for instance, one antivirus and one personal firewall. If you wish to learn, or want more control, you may think about HIPS software (Host Intrusion Prevention System). However, keep in mind that it comes afterwards. Trying to build a building by beginning from the roof, without any foundations, will result in the inevitable outcome of a collapse.

