Harden Windows 10 - A Security Guide

Introduction

Harden Windows 10 - A Security Guide gives detailed instructions on how to secure Windows 10 machines and prevent them from being compromised. We will harden the system to eliminate much of the attack surface and impede attackers. Vulnerable services and unnecessary networking protocols will be disabled. Layers of security will be added to protect our system, private documents, browsers and other applications. Firewall rules, ACLs and Software Restriction Policy are some of the settings we will set up. Then, continuing the security process, we will set up patch monitoring to notify us of insecure applications which require patching. Then we will set up event monitoring to watch admin account use and all unusual events. And we will set up baselines so that we can regularly compare the current running system against them to ensure it has not been modified. And finally we want to monitor the current threat landscape and be able to react to emerging security threats in time. Good security consists of deter, deny, delay and detect. Hardening covers the first three. We will cover all four in this guide.

In today's environment, criminals attack vulnerable PCs to gain access to personal data for identity theft, to steal your credit card data and to conduct business espionage. So any PC is fair game for intrusion, and it is not an elaborate undertaking: attacking a PC only takes a few minutes.

The Windows 10 Hardening Guide is below and all of the hardening steps are contained in this document. There is an optional Configuration Pack which automates some of the configuration steps and also provides the ACLs to partition away hacker friendly admin command line tools. Some settings can only be reached with the Configuration Pack. Performing all the steps manually takes 3-4 hours and the Configuration Pack saves time by letting you import certain configs.

Due to technical difficulties, we are not able to offer instant download for the Configuration Packs; orders will be emailed out every day after 5am EST.


Email: fortified dot windows -at- gmail dot com


Importance of Testing

It is important to note that after hardening a system, you have to test whether the applications you run still work as expected. The ideal candidate for this project is a user with no need for communication among PCs on the LAN, because the more network ports you open, the less secure you become.

Testing was done on Windows 10 Pro 64 bit and Windows 10 64 bit machines.

After hardening, all Control Panel items were tested and work, with the following exceptions:


Before you begin

If your system has already been compromised, the best course of action is to re-install Windows, because there is no telling what backdoors and botnet clients have been installed on your system. You cannot fight back against someone who already has administrator control of your system: you can implement something and they will just disable it. Your best chance of survival is to re-install Windows and then harden it to prevent further attacks.

For details of the Automated Configuration files, see the Automated Configuration section near the bottom of this document. They will also be mentioned where applicable in each section throughout the document.



Let's Begin

Things you need downloaded beforehand


Critical Windows Updates

Since the release of Windows 10 on Windows Insider, there have been critical updates that could stop you from performing Windows Check for Updates. If you have attackers on your tail, you may very well be stopped from obtaining critical updates, or you may be compromised when you go online to fetch them.

There is a free tool called WSUS Offline Update, which can download updates for all Windows platforms and create an ISO image file. Just burn this image file to DVD, slip it into your PC and it will commence installing the updates.

Note that it will only download KBs that are in MS Security Bulletins, which are all the critical and important downloads; so you will still have to do a Windows Update afterwards to fetch the ordinary non-critical updates. This tool eliminates a critical gap in Windows installation: the point at which you only have service packs installed but are missing all post-service-pack updates. An attacker can attack you while you are updating online and vulnerable. The tool is available from here: http://www.wsusoffline.net/. The site is in German and English.

So the plan is to run this tool on another PC to fetch the updates, and take the updates disc to the machine you are installing Windows on.

On the main screen, select the platforms which you want updates for, and checkmark Create ISO images 'per selected product and language', then click the Start button.

After it finishes, check the iso sub folder to locate the ISO image file. Note that this is a DVD image file. You need to right click on it and select 'Burn disc image'. Or you can use the free ImgBurn utility if you are not on Win 7 or Win 8.




Installation Settings

As per normal, to securely install an OS, one should install it disconnected from the network. If you are using an ethernet cable, disconnect the cable. If you are on WiFi, right click on the Start button > go to Control Panel > Network and Sharing Center > Change Adapter Settings, then right click the WiFi interface and disable it.

To perform an upgrade from a previous version of Windows, boot that version of Windows and run 'setup' from the DVD drive/USB memory stick. Do not boot with the ISO and do a clean install, as you won't be able to Activate your Windows 10 afterwards.

After you have done one upgrade and activated it, you can then boot the DVD created with the MS Media Creation Tool and perform a 'clean install'. MS will remember your PC from your last activation.


During the install of Windows 10, there are options that you have to choose from.
After a few reboots, it will start with the installation questions:
  1. Choose your language
  2. Choose the keyboard
  3. Add a second keyboard layout: SKIP
  4. Connect to a network: SKIP
  5. Who's going to use this PC: enter username
  6. Enter password
  7. Enter password again
  8. Add a hint for your password
  9. Make Cortana your personal assistant: NO
  10. Location: OFF
  11. Diagnostics: BASIC
  12. Relevant Ads: OFF
  13. Speech Recognition: OFF
  14. Tailored Experiences with Diagnostic Data: OFF
    Click the Accept button




Install Critical and Important Updates

Use the updates disc created by WSUS Offline Update and install the patches.




Create a Virgin Windows Disk Image

Before we go on to hardening, it would be wise to create a drive image using Macrium at this point to capture a clean virgin Windows install. That way, if you want to undo all the hardening in one swoop, you can reimage the machine using this image file.




Least Privilege and Reducing Attack Surface

One of the main concepts underlying hardening is least privilege. It means to configure your system so that it is only capable of doing things you normally do, and nothing else. So, that means that if a feature in Windows is not used, it is to be turned off, or disabled.

The reason behind it is that the more features you enable, the larger your attack surface is. It means you have more to defend, and one vulnerable spot is all it takes to get hacked. The more features you have, the more potential bugs (some security related) you have. Attackers know a lot about the security bugs in the system; that's how they attack. If you go live on the internet with all features turned on, the attacker has a lot of choices. If you disable unused features, then he has less to play with.

One of the first things you should do in line with least privilege is to create a Standard user account, and use that account for your daily work. Only log in to the administrative account to install programs, configure networking, or do system maintenance tasks. When you are working in a Standard account, any malware or hacker that makes it onto your system will inherit your privileges and not have admin rights to make system-wide modifications. And that's a win for you.

Remember that an attacker will have all the access that you have at the moment of attack. So if you have important data stored in that account's Documents folder, they will have the same access (more on that later). So, if you have secret-level data, it is best to store it in an account which you don't surf with.

From a different perspective, a Standard account is a barrier to other accounts, and is also a container for attacks. If you have your services set up correctly and don't allow the RunAs command (it is the Secondary Logon service), then automated attacks and hackers cannot gain access to your other accounts. If you notice different behaviour of your browser or something that looks like virus activity, you can rebuild your account and delete the old one as part of a recovery procedure.
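The Standard account the section recommends can be created and checked from an elevated PowerShell. This is an added example, not part of the guide or its Configuration Pack; the account name "daily" is an assumption, and the password is prompted for rather than written into the script.

```powershell
# Added example (not from the guide): create a day-to-day Standard account and confirm that
# it is NOT a member of Administrators. Run from an elevated PowerShell prompt.
function New-StandardUserAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    if ($PSCmdlet.ShouldProcess($Name, 'Create local Standard user')) {
        New-LocalUser -Name $Name -Password $Password -AccountNeverExpires | Out-Null
        # Membership of the Users group only; the account must never be added to Administrators.
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
}

function Test-IsStandardUser {
    param([Parameter(Mandatory)][string]$Name)
    # Get-LocalGroupMember reports names as COMPUTER\user, hence the wildcard prefix.
    $admin = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$Name" }
    return -not $admin
}

$pw = Read-Host -Prompt 'Password for the new Standard account' -AsSecureString
New-StandardUserAccount -Name 'daily' -Password $pw          # 'daily' is an assumed name
if (Test-IsStandardUser -Name 'daily') { "'daily' is a Standard account (not in Administrators)" }

# Review who IS an administrator. After hardening this list should contain only the account
# you reserve for installing software and maintenance.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Run the creation function with -WhatIf first if you want to see what it would do before it touches the account database.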

 

 

Display all Control Panel settings

In Control Panel, select 'View by: Small icons'. This shows all the configuration choices available.


Turn UAC to the max

When MS released Vista, there were complaints about UAC asking for confirmation to do this, that and the other. So MS made a compromise in Windows 7 and allowed customers to choose what level of prompting they want. Know that turning UAC completely off also means turning off Protected Mode in Internet Explorer, and not too many people realize that a major piece of protection is then turned off. UAC pops up mostly during the setup phase; once you have finished setting up your computer, you will rarely encounter it.

Control Panel\All Control Panel Items\User Accounts\Change User Account Control Settings

Move the slider to the top.


Set up Firewall Profile

Windows networking has three network types: domain, private and public. Work and home are similar and are labeled as 'private' in its firewall tool. The private setting allows 'network discovery', so that Windows is allowed to talk to other PCs. The public setting is the most secure and is meant to be used at cafe hotspots, airports etc. If your network contains insecure PCs, then you should set the network profile to public. The domain setting cannot be chosen by the user, and is used after the PC has joined a domain. Since we are hardening the PC, we want the most secure setting, and only allow Windows to talk when it is called for. So for those that intend to join a domain, choose the private profile; if not, choose the public profile.

Control Panel \ Network and Sharing Center

  When you plug in the ethernet cable after hardening, set network to Public, which is the most restrictive and secure.

Note: if you selected Private and later want to change it to Public, the only method for Windows 10 that I am aware of involves using PowerShell.

Right click on PowerShell and then click Run as Admin, then type in this:

            Get-NetConnectionProfile

and you will get something similar to this:

            Name             : Network
            InterfaceAlias   : Ethernet
            InterfaceIndex   : 3
            NetworkCategory  : Public
            IPv4Connectivity : Internet
            IPv6Connectivity : Internet

note the Name, and then type this, replacing the word Network with the name found above:

            Set-NetConnectionProfile -Name "Network" -NetworkCategory Public


Use only Bare Essential Network protocols

In order for an attacker to hack you remotely, he needs to interact with a network-facing program running on your PC. Some networking components implement protocols. Networking protocols are grammar rules for bits and bytes to communicate with other PCs, and each has weaknesses. So unless your environment requires that a protocol be used, we will want to disable all except the bare essentials. More protocols mean a larger attack surface.

The only protocol you really need is IPv4. And most networking equipment requires IPv4 in order to function. IPv6 will be increasingly necessary as we have run out of IPv4 addresses, but as of this writing, IPv6 is still not very popular.

If you have an IPv6 router, then you can skip over all configurations in this guide that mention v6, as it is turned on by default by Microsoft. Some routers do not understand IPv6, and some ISPs don't support it either. So MS made several tunnel components that tunnel IPv6 inside IPv4 to the outside. This in effect bypasses the security offered by your NAT router and hardware firewall: tunnelled traffic can't be inspected by IPv4 hardware firewalls and all such traffic will be allowed to pass unhindered.

NetBIOS over TCP/IP is not required because NetBIOS is already active without this option. Disabling NetBIOS over TCP/IP should limit NetBIOS traffic to the local subnet.

The Discovery protocols are used to provide a nice graphical map of your network. For home users, this is not needed, as there is only one router. You would only get to see a picture depicting your PCs connected to your router. For Domain users, this feature is automatically turned off once you join the domain.

File and Printer Sharing should only be enabled if you plan to share some of your folders on the network or if you want to share your locally connected printer over the network. If printer sharing is desired, it is better to get a printer that has networking built in, so that when attacked, they only gain access to a printer instead of your PC. Disable this feature unless absolutely required.

Control Panel\Network and Sharing Center\Change Adapter Settings

Right click on Local Area Connection, choose Properties

Uncheck the following:

In line with layers of security, besides deactivating network protocols, we will be disabling the services that serve these protocols. (See the 'Disabling Vulnerable Services' section below.)

 

Disable IPV6 Totally

As mentioned previously, IPv6 tunneling bypasses the security of your IPv4 router and hardware firewall. If you have an IPv6 router, then skip this section.

See this page: http://support.microsoft.com/kb/9298522 (note that the FixIts do not work on Windows 8).

You will want to do it manually:

Run 'Regedit'.

Under the registry key "HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters",

right click on the right pane and create a new entry of type DWORD (32-bit) called DisabledComponents.

Then double click on it and enter one of the following:

Note that the value "0" is the default setting.

 

 

Disable unused tcpipv6 Devices

Control Panel / Device Manager, View menu / Show Hidden Devices

Reboot.

 

Disable IGMP

I have never seen this protocol used. When something is unused, least privilege says it should be disabled.

Start button\All Programs\Accessories\command prompt, right click, click on "run as administrator" at the bottom of the screen and paste in this command:

Netsh interface ipv4 set global mldlevel=none

 

Disable port 1900 UPnP

The intention of UPnP is ease of configuration, so such things as games can auto-configure the firewall to let other players from the internet join in. However, with users each poking holes into your firewall with UPnP, pretty soon it will be Swiss cheese and cease to function as a firewall. It is better to configure firewall rules manually so that each firewall rule is known and accounted for. If your hardware firewall or router has an option to disable UPnP, do so.

Regedit

HKLM\Software\Microsoft\DirectplayNATHelp\DPNHUPnP

Right click on the right pane and create a new DWORD (32-bit) value named UPnPMode.

Double click on that and set the value to 2.

 

Disable SMB v1 protocol

SMB is the file sharing protocol used for File and Printer Sharing and inter-process communication. It has three versions. MS does not recommend disabling v2 or v3. Version 2 was released with Vista. Version 3 is new to Windows 8 and Server 2012 and has an encryption feature. There have been worms which attack SMB shares and, depending on the payload, could gain complete control of the machine. For further information on disabling all versions of SMB, read this: http://support.microsoft.com/kb/2696547

Go to Control Panel > Programs and Features > Turn Windows Features on or off, and uncheck SMB 1.0/CIFS File Sharing Support.
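The protocol-reduction steps from 'Use only Bare Essential Network protocols' through 'Disable SMB v1 protocol' can be applied as one script. This is an added example, not the guide's Configuration Pack. Assumptions: the adapter is named "Ethernet"; the ms_* binding component IDs are the standard Windows names for IPv6, the two Link-Layer Topology Discovery components, Client for Microsoft Networks and File and Printer Sharing; and the DisabledComponents value 0xFF is the "disable all IPv6 components except loopback" setting from Microsoft's KB 929852 table (the guide's own value table did not survive on this page). The function supports -WhatIf so every change can be previewed first.

```powershell
# Added example (not from the guide): apply the bare-essential-protocols settings idempotently.
# Run from an elevated PowerShell; reboot afterwards. Use -KeepIPv6 if you have an IPv6 router.
function Disable-NonEssentialProtocols {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$AdapterName = 'Ethernet', [switch]$KeepIPv6)   # 'Ethernet' is an assumed adapter name

    # 1. Unbind discovery, SMB client/server and (unless kept) IPv6 from the adapter.
    $bindings = @('ms_lltdio',   # Link-Layer Topology Discovery Mapper I/O Driver
                  'ms_rspndr',   # Link-Layer Topology Discovery Responder
                  'ms_msclient', # Client for Microsoft Networks
                  'ms_server')   # File and Printer Sharing for Microsoft Networks
    if (-not $KeepIPv6) { $bindings += 'ms_tcpip6' }
    foreach ($id in $bindings) {
        $b = Get-NetAdapterBinding -Name $AdapterName -ComponentID $id -ErrorAction SilentlyContinue
        if ($b -and $b.Enabled -and $PSCmdlet.ShouldProcess("$AdapterName/$id", 'Disable binding')) {
            Disable-NetAdapterBinding -Name $AdapterName -ComponentID $id
        }
    }

    # 2. NetBIOS over TCP/IP off on every IP-enabled adapter (TcpipNetbiosOptions 2 = disable).
    foreach ($cfg in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        if ($PSCmdlet.ShouldProcess($cfg.Description, 'Disable NetBIOS over TCP/IP')) {
            Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }
    }

    # 3. IPv6 components off system-wide (the registry value the guide describes; 0xFF assumed from KB 929852).
    if (-not $KeepIPv6) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
        if ($PSCmdlet.ShouldProcess($key, 'Set DisabledComponents = 0xFF')) {
            New-ItemProperty -Path $key -Name DisabledComponents -PropertyType DWord -Value 0xFF -Force | Out-Null
        }
    }

    # 4. IGMP (IPv4) and MLD (IPv6) multicast reporting off, the PowerShell form of
    #    'netsh interface ipv4 set global mldlevel=none'.
    if ($PSCmdlet.ShouldProcess('IP stack', 'Set IGMP/MLD level to None')) {
        Set-NetIPv4Protocol -IgmpLevel None
        Set-NetIPv6Protocol -MldLevel None
    }

    # 5. DirectPlay NAT helper: UPnPMode 2 = do not use UPnP (the registry value from the guide).
    $upnp = 'HKLM:\Software\Microsoft\DirectplayNATHelp\DPNHUPnP'
    if ($PSCmdlet.ShouldProcess($upnp, 'Set UPnPMode = 2')) {
        New-Item -Path $upnp -Force | Out-Null
        New-ItemProperty -Path $upnp -Name UPnPMode -PropertyType DWord -Value 2 -Force | Out-Null
    }

    # 6. SMBv1 off at both the Windows-feature level and in the SMB server configuration.
    if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable SMBv1')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

Disable-NonEssentialProtocols -WhatIf   # preview every change
Disable-NonEssentialProtocols           # apply
Get-NetAdapterBinding -Name 'Ethernet' | Where-Object Enabled | Select-Object ComponentID, DisplayName
```

The final line lists what is still bound to the adapter; after a reboot it should show little beyond IPv4 (ms_tcpip) and the QoS scheduler.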

 

Disabling Listening Ports

When you run the command 'netstat -abn', it will show you which ports are open and listening to the network. Normally, you would want to close those ports unless you really need them. Windows 10's listening processes and their port numbers are RPCss (135), the eventlog service (49409), Spoolsv (49410), schedule (49411) and lsass.exe (49414); the port numbers above 49152 can change between reboots. However, the default firewall policy for inbound traffic is 'block' for all network profiles (domain, private, public). That means nobody can touch those listening ports unless the firewall is off, or you have made inbound 'allow' rules to pass traffic on to those processes. This has been verified by connecting to them with telnet: all attempts failed unless one turns off the firewall or makes 'allow' rules. Also, as far as I can determine, all of those processes are essential to Windows, and they cannot be stopped without crippling the PC.
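A PowerShell equivalent of 'netstat -abn' that also shows which service each listening process hosts and the account it runs under (the 'Disabling Vulnerable Services' section below explains why the account matters). This is an added example, not from the guide; the only assumption is that the machine has the NetTCPIP module that ships with Windows 10.

```powershell
# Added example (not from the guide): list listening TCP/UDP endpoints with owning process,
# hosted service(s) and the service account. Run elevated so OwningProcess is filled in.
function Get-ListeningEndpoint {
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    $tcp = Get-NetTCPConnection -State Listen |
           Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
           Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    foreach ($ep in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        $svc  = $services | Where-Object ProcessId -eq $ep.OwningProcess
        [pscustomobject]@{
            Proto     = $ep.Proto
            Local     = "$($ep.LocalAddress):$($ep.LocalPort)"
            PID       = $ep.OwningProcess
            Process   = if ($proc) { $proc.ProcessName } else { '?' }
            Services  = ($svc.Name -join ',')
            RunsAs    = (($svc.StartName | Select-Object -Unique) -join ',')
            Ephemeral = ($ep.LocalPort -ge 49152)   # these port numbers can change between reboots
        }
    }
}

# Endpoints reachable from the network (anything not bound to loopback only), grouped by account.
Get-ListeningEndpoint |
    Where-Object { $_.Local -notmatch '^(127\.|::1:)' } |
    Sort-Object RunsAs, Proto, PID |
    Format-Table -AutoSize
```

Run it once after hardening and keep the output; re-running it later and comparing is a quick way to spot a new listener that an installer or an intruder left behind.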

 

Router and Hardware Firewalls

Buy a router that has a Stateful Packet Inspection (SPI) firewall. This kind of firewall monitors outbound traffic and only allows matching return traffic, like when you surf to a web site: your browser initiates a request to the site, and the site returns the web page. Buy one even if you have only one PC. And if you are using a cable modem which only has one Ethernet port, you definitely need one.

More expensive hardware firewall routers will have more tools, like configurable rules, sending logs to remote syslog servers, and fancier protection like spotting syntactically illegal IP packets. For an example of a small/medium size business product, take a look at the www.sonicwall.com site. They have products which integrate a firewall, gateway antivirus and antispyware, and VPN. These usually cost $400 and up.

As an alternative, there are free Linux distributions that offer almost the same features, like IPFire and pfSense. See the section Intrusion Detection part 4 below.

 

Windows Advanced Firewall, turn on outbound blocking and logging

The basic principle for configuring firewalls is 'default deny'. That means all traffic is to be blocked unless you have made a rule to allow it. Those rules are your 'whitelist' of known good applications and protocols.

Windows Firewall's default policy is set to inbound deny and outbound allow all. 'Outbound allow all' eases configuration, doesn't follow the default deny principle, and is not ideal. We don't want malware to be able to call back to its master servers.

Most people don't know that you have to turn outbound blocking on. When outbound blocking is turned on, only the programs and services you specify may talk to the net, and malware will have a hard time reporting back to its servers. However, the firewall is missing a feature that tells you what programs it has blocked outbound. So after installing a program that needs to connect to the net, like your antivirus program, you have to test its exe files one by one to see which is responsible for talking, and allow that exe to talk with an outbound rule.

Control Panel/Administrative Tools/Windows Firewall with Advanced Security

/"Windows Firewall Properties" link

Click on each Profile (Domain, Private, Public) tab:

  - change Outbound connections = Block
  - Specify logging settings for troubleshooting > Customize
      - Size limit = 32767 KB (which is the max size allowed)
      - Log dropped packets = Yes
  - Specify settings that control Windows Firewall behavior > Customize
      - Allow unicast response: No

If you have the Automated Configuration Pack, you can right click on "netsh-advfirewall - if using TCPIPV6.bat" or "netsh-advfirewall - if not using TCPIPV6.bat" and choose Run as admin. This will set up all firewall rules and profile settings.

----- Firewall Rules ------

HowTo allow a Windows service outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Custom', next; next to 'Services' click Customize, select 'Apply to this service', scroll and find 'Windows Update', next; Protocol and Ports (no change), next; IP addresses (no change), next; select 'Allow the connection', next; checkmark all profiles, next. Give the rule a name, e.g. "Allow service X".

HowTo allow a program outbound: Click on Outbound Rules on the left, click on 'New Rule', select 'Program', next; select 'This program path' and click on the 'Browse' button, navigate to the program folder and select the EXE, next; select 'Allow the connection', next; checkmark all profiles, next. Give the rule a name, e.g. "Allow Program X".

HowTo allow communication to a destination port number and IP address: Click on Outbound Rules on the left. Click on 'New Rule'. Select 'Custom', next. Select 'All programs', next. For 'Protocol type' select 'TCP' or 'UDP' as the case may be. For 'Remote port', select 'Specific Ports', then type in the port number(s) below, next. For 'Which remote IP addresses does this rule apply to?' select 'These IP addresses'. Click the 'Add' button, and in the following dialog box type an IP address into 'This IP address or subnet'. OK, next. Select 'Allow the connection', next. Checkmark all profiles, next. Give the rule a name, e.g. "Allow out to port ### on server YYY".
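The profile settings and the three rule HowTos above, expressed in PowerShell, followed by a small reader for the dropped-packet log. This is an added example, not the guide's Configuration Pack or its netsh batch files. The rule names, the program path, the destination port and the 203.0.113.10 address are illustrative values to substitute; wuauserv is the real short name of the Windows Update service. The log field order comes from the '#Fields:' header Windows writes at the top of pfirewall.log.

```powershell
# Added example (not from the guide): default-deny outbound with logging on all three profiles,
# one outbound allow rule of each kind, and a summary of what the firewall has been dropping.
$profiles = 'Domain', 'Private', 'Public'

# Block outbound by default, log dropped packets at the maximum log size, no unicast replies
# to multicast/broadcast. Inbound is already Block by default; setting it explicitly is harmless.
Set-NetFirewallProfile -Name $profiles -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -AllowUnicastResponseToMulticast False

# 1. A Windows service outbound (Windows Update; service short name wuauserv).
New-NetFirewallRule -DisplayName 'Allow service Windows Update' -Direction Outbound `
    -Service wuauserv -Action Allow -Profile Any | Out-Null

# 2. A program outbound by its EXE path (assumed path; point it at the real EXE).
New-NetFirewallRule -DisplayName 'Allow Program X' -Direction Outbound `
    -Program 'C:\Program Files\ExampleVendor\ExampleApp.exe' -Action Allow -Profile Any | Out-Null

# 3. Any program to one destination port on one server (assumed port and TEST-NET address).
New-NetFirewallRule -DisplayName 'Allow out to port 443 on server 203.0.113.10' -Direction Outbound `
    -Protocol TCP -RemotePort 443 -RemoteAddress 203.0.113.10 -Action Allow -Profile Any | Out-Null

# Confirm the profile settings took effect.
Get-NetFirewallProfile -Name $profiles |
    Select-Object Name, Enabled, DefaultOutboundAction, LogBlocked, LogMaxSizeKilobytes, AllowUnicastResponseToMulticast |
    Format-Table -AutoSize

# Windows Firewall does not say which program an outbound drop belonged to, but the log does
# record direction, destination address and port. Summarising DROP/SEND lines narrows down
# which EXE to test next when a freshly installed program cannot reach the net.
function Get-DroppedOutbound {
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    Get-Content -Path $LogPath | Where-Object { $_ -and $_ -notmatch '^#' } | ForEach-Object {
        # Field order per the log header: date time action protocol src-ip dst-ip src-port
        # dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
        $f = $_ -split '\s+'
        if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
            [pscustomobject]@{ Protocol = $f[3]; Destination = "$($f[5]):$($f[7])"; Time = "$($f[0]) $($f[1])" }
        }
    } | Group-Object Protocol, Destination | Sort-Object Count -Descending |
        Select-Object Count, Name, @{n='Last'; e={ $_.Group[-1].Time }}
}

Get-DroppedOutbound | Format-Table -AutoSize
```

Reading the log needs an elevated prompt. A destination that appears repeatedly right after you start a program is the connection that program is trying to make; allow it with a rule of kind 2 or 3 rather than by loosening the profile.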

 

The following rules apply to all 3 profiles: Domain, Private and Public


For me, all Inbound rules can be Disabled except Core-Networking ... DHCP-In. I don't use any of the Win Apps, and all LiveTiles have been turned off on the Start menu.

The rules marked with "**" were noticed to send traffic, but after testing were found unnecessary for Activation and Windows Update. So those rules are created in the automated configuration but marked as disabled. The goal of the sub-project Quiet Lights is to have as little background traffic as possible unless some internet application is running in the foreground.


Some apps install Inbound allow rules for themselves. When you install an app, you should check the Inbound rules to see if any new rules have appeared, and disable those if you don't want inbound traffic to that app. Note that an inbound rule to an app essentially makes that application a server. That is, it will accept any transmission to the PC and can be exploited.
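Checking for rules an installer added is easier with a snapshot taken before the install and a comparison afterwards. This is an added example, not from the guide; the CSV path under the user profile is an assumption.

```powershell
# Added example (not from the guide): baseline the enabled inbound allow rules, then list the
# ones that appeared since, with the program or Store package and port each one opens.
function Get-InboundAllowRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name    = $_.Name                    # stable identifier, used for the comparison
            Display = $_.DisplayName
            Profile = $_.Profile
            Program = $app.Program
            Package = $app.Package               # set for Store (AppX) apps
            Proto   = $port.Protocol
            Port    = ($port.LocalPort -join ',')
        }
    }
}

function Save-InboundAllowBaseline {
    param([string]$Path = "$env:USERPROFILE\fw-inbound-baseline.csv")   # assumed location
    Get-InboundAllowRule | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-InboundAllowBaseline {
    param([string]$Path = "$env:USERPROFILE\fw-inbound-baseline.csv")
    $before = @(Import-Csv -Path $Path)
    $after  = @(Get-InboundAllowRule)
    # '=>' marks rules present now that were not in the baseline: candidates to disable.
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Name -PassThru |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Name, Display, Profile, Program, Package, Proto, Port
}

# Before installing an application:   Save-InboundAllowBaseline
# After installing it:                Compare-InboundAllowBaseline | Format-Table -AutoSize
# To switch off one you don't want:   Disable-NetFirewallRule -Name '<Name column from the list>'
```

Disabling rather than deleting keeps the rule visible in the console, so the installer's intent stays documented while the port stays closed.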

 
-----------------------------------------------------
FIPS and Windows Advanced Firewall
-----------------------------------------------------
Do NOT enable FIPS in Local Security Policy > Local Policies > Security Options, or else you will not be able to Import Firewall Policy.
Local Security Policy > Local Policies > Security Options > System cryptography: Use FIPS compliant algorithms ...

 

 

Setting up a Microsoft Account

Setting up the system to use a MS Account for login is needed if you plan to do purchases through the Windows app Store.

However, it is not recommended that your admin account be an MS account, because it is exposed on the net on Outlook.com and allows attackers to crack your password before even touching your network or your computer.

You can use gmail or yahoo mail or outlook.com or hotmail.com addresses for this "MS Account". If you use a gmail or yahoo mail account, Windows will create a mirror account on outlook.com that uses the same name and password. It will also migrate your phone number over to this account. The phone number is used for 2nd factor authentication when you go do Billing things.


You should do everything possible to protect this MS account, because it is used to hold your credit card number. When you first use the Windows Store to purchase anything, Windows asks you for your credit card number and stores it online in this MS account. Also Cortana uses your MS account to store notes about your past queries and other personal information. So don't use it for email or instant messaging (so that the account name is not circulated), and don't enable OneDrive. A compromised MS account will give the attacker access to all these things. Secure it with a complex and long passphrase (see how to create a strong passphrase below). Although MS uses 2nd factor authentication when you go to outlook.com and check your billing and credit card details, it does not use 2nd factor authentication when you use the credit card to buy stuff; it only asks for your passphrase. So once your passphrase is cracked, the hacker can go on a shopping spree, in addition to being able to log on to your PC.

A workaround for this is to pay for the WinApps you want to install and immediately go to outlook.com to remove the credit card info from the account.

WARNING: an MS account is a semi-admin. She can install Win Apps from the Store even if she is not an admin account. And depending on the Win App, the installation could open inbound 'allow' firewall rules which will make your PC vulnerable. Modifying firewall rules used to require admin rights but MS has apparently decided to bypass this. So, create an MS account only for an admin person and never for a user, as a user cannot be trusted to treat security as important. All a user wants at the moment is to try out that new software.


If you have to use MS accounts for your users, you can put a ban on the Windows Store.

Open Regedit, and navigate to

           HKLM\Software\Policies\Microsoft\WindowsStore

Make a DWORD (32-bit) value named RemoveWindowsStore and set the value to 1.

Setting RemoveWindowsStore to 0 will reactivate the Store.

 

Installing a 3rd Party Firewall

If you want, you can install another software firewall, although the Windows 10 firewall is quite good. Note that installing a third party firewall will automatically disable the Windows 10 one, because having two firewalls will cause conflicts. For example, the Comodo firewall is currently top rated; however, the part which I don't like is that it has an internal list of programs which it designates as "safe". I prefer my own white list, containing programs that I know of and approve, like in the rules list above. It also has to do with Least Privilege, because one doesn't want rules allowing programs to connect out to the internet if one never uses them.

If you do want to use Comodo, then set the Comodo firewall to use "Custom Policy". In this mode, the firewall will prompt and tell you about both "safe" and unknown applications that try to connect to the internet, giving you the authority to decide. The good thing about using a third party firewall like Comodo is that it tells you what applications are trying to connect outbound, whereas Windows Firewall doesn't. And it does make for easier operation.

 

 

Software Restriction Policy

When activated, Software Restriction Policy will prevent any program from running unless it resides in \Program Files or \Windows. That means any downloaded malware in Temporary Internet Files or elsewhere will not be able to run. (Browsers and plug-ins sometimes have vulnerabilities that let infected web sites force them to download.) Since you will be running as a standard user daily, that malware cannot install itself into the above two locations, because you need admin rights to do so. So you are covered against unwanted desktop programs running.

Feature only available in Windows 10 Pro.

 

Simple Software Restriction Policy 1.2 by IWR Consultancy

Simple SRP1.2 is a free tool that provides the majority of the functionality of Windows’ own SRP in a small program that sits in the systray. And it works on Windows 10 64bit.

This program provides crucial protection to Windows 10. After installation, only programs in \Program Files and \Windows will execute. So in order to run the BAT files of this guide's automated configuration, you need to choose the tool's UnLock from the right click menu, which will give you 30 minutes of unlocked time.

The program installs into \Windows\SoftwarePolicy. Configuration is done via an .ini file that can be accessed and edited from its menu. There are some configuration items that need modification. Right click on the program’s systray icon and choose Configure. Notepad will start.

Edit the following item and change the value from 0 to 2, like below:

AdminMenuPasswordLevel=2

Locate [CustomPolicies] and add the following lines:
"C:\ProgramData\Microsoft\Windows Defender\Definition Updates"=1
GapaEngine.dll=1
MpEngine.dll=1

Locate "includeDLLs" and set it to 0. This is a change from previous builds of Windows. As of Creators Update, the dll feature is broken and MS Edge won't work if this is set to 1.

Next, add the following lines underneath [Disallowed]
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files=1
C:\WINDOWS\Registration\CRMLog=1
C:\WINDOWS\Tasks=1
C:\Windows\Temp=1
c:\windows\Registration\CRMLog=1
c:\windows\System32\com\dmp=1
c:\windows\System32\FxsTmp=1
c:\windows\System32\spool\PRINTERS=1
c:\windows\System32\spool\drivers\color=1
c:\windows\System32\Tasks=1
c:\windows\SysWOW64\com\dmp=1
c:\windows\SysWOW64\FxsTmp=1
c:\windows\SysWOW64\Tasks=1
c:\windows\tracing=1
wscript.*=1
cscript.exe=1
mshta.exe=1
powershell.exe=1
powershell_ise.exe=1
cmd.exe=1

In recent months (Apr 2017) there have been attacks that do not utilize malware but use Windows' built-in scripting engines to execute script lines. As such, there are no files in the payload for antiviruses or anti-exes to detect and block. (The anti-exe Voodoo Shield is an exception in that in its locked mode it prompts the user if PowerShell is run.) Nevertheless, it is sound protection to use SRP to block the execution of script engines until you temporarily unlock to run a script.

Now extract the AccessChk.zip file that was downloaded. Then create a 'find SRP block paths.bat' with the following lines:
accesschk -w -s -q -u Users "C:\Program Files"
accesschk -w -s -q -u Users "C:\Program Files (x86)"
accesschk -w -s -q -u Users "C:\Windows"
accesschk -w -s -q -u Everyone "C:\Program Files"
accesschk -w -s -q -u Everyone "C:\Program Files (x86)"
accesschk -w -s -q -u Everyone "C:\Windows"
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files"
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"
accesschk -w -s -q -u "Authenticated Users" "C:\Windows"
accesschk -w -s -q -u Interactive "C:\Program Files"
accesschk -w -s -q -u Interactive "C:\Program Files (x86)"
accesschk -w -s -q -u Interactive "C:\Windows"

Place the bat file into the folder where you extracted accesschk.exe, and run it to find out which folders on your system you need to add to the Disallowed section.
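The same check can be done without Sysinternals, by reading the ACL of every directory under the SRP-trusted roots and reporting the ones where a low-privilege principal holds a write-type right. This is an added example, not from the guide or from Sysinternals; the four principal names are the standard account names behind the batch file's Users, Everyone, "Authenticated Users" and Interactive, and the output format is the "path=1" form the [Disallowed] section above uses.

```powershell
# Added example (not from the guide): native-PowerShell equivalent of the accesschk batch file.
# Lists directories under the trusted roots that Users / Authenticated Users / Everyone /
# INTERACTIVE can write into, i.e. places a Standard user (or malware running as one) could
# drop an executable that SRP would otherwise trust. Run elevated; the walk takes a few minutes.
function Find-UserWritableDirectory {
    param(
        [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot"),
        [string[]]$Principals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                                  'Everyone', 'NT AUTHORITY\INTERACTIVE')
    )
    # Any of these rights lets the principal create a file or subfolder in the directory.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $rules = $acl.Access | Where-Object {
                ($Principals -contains $_.IdentityReference.Value) -and
                (($_.FileSystemRights -band $writeMask) -ne 0) -and
                ($_.PropagationFlags -notmatch 'InheritOnly')   # inherit-only ACEs don't apply to this folder itself
            }
            $allowed = $rules | Where-Object AccessControlType -eq 'Allow'
            $denied  = $rules | Where-Object AccessControlType -eq 'Deny'
            # A matching Deny wins over Allow, so only report directories with an unopposed Allow.
            if ($allowed -and -not $denied) {
                [pscustomobject]@{
                    Path       = $dir.FullName
                    Principals = (($allowed.IdentityReference.Value | Select-Object -Unique) -join ', ')
                }
            }
        }
    }
}

$writable = Find-UserWritableDirectory
$writable | Format-Table -AutoSize

# Lines ready to paste under [Disallowed] in the Simple SRP configuration file:
$writable | ForEach-Object { "$($_.Path)=1" }
```

On a default install the output should closely match the [Disallowed] list given above (Tasks, Temp, the spool and COM directories, and so on); anything extra is usually a third-party installer that left its own folder world-writable and belongs in the list too.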

Lastly, if you use the Opera browser, find in the [LimitedApps] section the line 'Opera=...' and place a semicolon (;) in front of the line to exclude Opera from protection, because Opera v30 (the latest version as of this writing) will not function with this enabled.

Save the file, exit Notepad and apply the policy.

The above configures the program to require a Windows admin account password. And it secures the mentioned paths under \Windows which can be modified by users to prevent malware from executing from in there.

Also, you can add a “;” in front of these lines to remove extra menu items, as they add clutter to the right click menu:

;(C:\)=explorer.exe C:\
;Control Panel=control.exe
;Printers and Faxes=control printers
;Network Connections=ncpa.cpl
;Computer Management=compmgmt.msc
;Disk Management=diskmgmt.msc
;Registry Editor=regedit.exe
;Task Manager=taskmgr.exe
;Windows Firewall=firewall.cpl
;Command Prompt=cmd.exe
;Salamander=salamand.exe

 

 

Disabling Vulnerable Services

Most people are aware that services can be security problems, and that some should be disabled. The culprits are partially network services that listen to the net. Anything that takes input from the net is a candidate for manipulation by attackers. When one looks at the list of services that are disabled below, one might say that there are no known exploits for such and such a service. But the principle again is least privilege: only those services that are needed should be active. And we don't want to wait until an exploit hits the security news sites and then take action. Least privilege is a pro-active, preventative concept.

There are various servers in the list of services which listen 24x7 to everybody who sends them something (which includes exploits), like the simply named 'Server' service that is responsible for File and Printer Sharing. Another is UPnP Device Host, which lets other PCs interact with devices on this PC. Components that allow remote management are also turned off, like Remote Registry and Windows Remote Management: the first allows other PCs to change your registry, and the second allows remote shell access. The Secondary Logon service is turned off because it lets command line users run programs as admin. It requires the admin's password, but then attackers have all day to figure that out. DNS Client is turned off because it only caches previous DNS request results and does not fetch them, and it is the target of attacks that poison the cache with fake DNS entries. HomeGroup is a file sharing mechanism in which the whole network's shared material (from all PCs) is secured by one password. With File and Printer Sharing, at least you can have different logons for different PCs. I have left 6 services on Automatic/Manual start which do react to inputs from the net. These services tell other Windows programs about your network and allow you to choose your firewall profile (public or private). One of them is related to Direct Access, which can only be used in an environment that has Windows Servers, but I found that disabling it causes networking to malfunction.

There is another angle to services that makes some of them more desirable targets, and that is the account that runs them. The System account is all powerful and equal in power to administrators. A network facing service which uses this account, like the WMI Performance Adapter or Printer Extensions and Notifications, will be prized. A service running as System will also be targeted by attackers who have gained entry into a Standard account; they will try to take over the service to gain System rights. (This is called "escalation of privilege".)

There are some services which activate if you have the right equipment. Microsoft iSCSI Initiator Service, Bluetooth Support Service, Fax, Smart Card, Smart Card Removal Policy and WWAN AutoConfig are all dependent on specific hardware. In my personal configuration, they are all disabled because I don't have them. In particular, Bluetooth Support Service is one that ought to be disabled if you don't have any Bluetooth peripherals; it is a networking component that can be abused by attackers, and there are free hacking tools available. It is not disabled in the default configuration file because I don't want someone to apply the config and suddenly find that their keyboard or mouse doesn't work.

When you configure services, clicking on each will display a description. If that is not enough for you, you can check out http://blackviper.com, which sometimes has additional information.

If you have the Automated Configuration Pack, you can set up the services by right clicking on "Harden Win 10 Services.bat" and choosing "Run as Administrator".

Items in <angle brackets> are optional and not set up in the Automated Configuration file.

Right click on Start button/Control Panel/Administrative Tools/Services

Right click on each of the following services, choose Properties and set Startup Type to Disabled.

Name            (Original Mode),  what it does

---------------------------------------------------

  • Connected User Experience and Telemetry: (automatic) turns off some telemetry sent to MS
  • Distributed Link Tracking Client: (automatic) maintains shortcuts to files on a network share if the source file is renamed
  • DNS Client: (automatic) only functions as a cache, does not fetch IP addresses
  • Function Discovery Provider Host: (manual) no need to do network discovery on small LANs
  • Function Discovery Resource Publication: no need to publish this computer's services
  • HomeGroup Listener: (manual) don't use HomeGroup
  • HomeGroup Provider: (manual)
  • Interactive Services Detection: (manual) only old services interact with the desktop; a practice not encouraged by MS
  • Infrared Monitor Service: (manual) starts a file transfer automatically when a device connects
  • Internet Connection Sharing: (disabled by default)
  • IP Helper: (automatic) enables IPv6 tunnels over IPv4. We don't want tunnels; they are not inspectable by firewalls.
  • KTMRM for Distributed Transaction Coordinator: (manual) disabled because it is not used
  • Link-Layer Topology Discovery Mapper: (manual) draws a map of your network; not needed
  • Net.Tcp Port Sharing Service: (disabled by default)
  • Netlogon: (manual) used by domain servers; disabled because no network logons are allowed
  • Network Connected Devices Auto-Setup: (manual) devices can still be set up manually
  • Peer Name Resolution Protocol: (manual) disabled because there are no peers on the LAN
  • Peer Networking Grouping: (manual) HomeGroup; not used
  • Peer Networking Identity Manager: (manual) peer-to-peer networking; not used
  • Performance Counter DLL Host: (manual) allows remote queries of performance data
  • Phone Service: (manual) this is not a phone
  • PNRP Machine Name Publication Service: (manual) publishes the peer name; disabled because there are no peers on the LAN
  • Quality Windows Audio Video Experience: (manual) QoS; not used
  • Remote Access Auto Connection Manager: (manual) remote access; not used
  • Remote Desktop Configuration: (manual) remote desktop; not used
  • Remote Desktop Services: (manual) remote desktop; not used
  • Remote Desktop Services UserMode Port Redirector: (manual) remote desktop; not used
  • Remote Registry: (disabled by default)
  • Retail Demo Service: (manual) for demo mode; not used
  • Routing and Remote Access: (disabled by default)
  • Secondary Logon: (manual) the runas feature; not used
  • Secure Socket Tunneling Protocol Service: (manual) disabled because no tunnels to remote points are allowed
  • Server: (automatic) disabled because no file and printer sharing is allowed
  • Smart Card: (disabled by default)
  • SNMP Trap: (manual) disabled because SNMP responds to queries over the network
  • SSDP Discovery: (manual) disabled because SSDP is not allowed
  • TCP/IP NetBIOS Helper: (manual) disabled because NetBIOS is not allowed
  • UPnP Device Host: (manual) disabled because no hosting of devices for other PCs is allowed
  • WebClient: (manual) not used
  • Windows Camera Frame Server: (manual) lets multiple apps receive camera video simultaneously; consider what happens if a spyware app is running in the background
  • Windows Media Player Network Sharing Service: (manual) disabled because no sharing is allowed
  • Windows Mobile Hotspot Service: (manual) disabled because no sharing is allowed
  • Windows Remote Management: (manual) disabled because this allows remote management
  • Work Folders: (manual) disabled because there are no domain servers in a standalone configuration
  • Workstation: (automatic) disabled because no file and print sharing is allowed on the network
  • Xbox Live Auth Manager: (manual) disabled because no connection to exterior devices is allowed
  • Xbox Live Game Save: (manual) disabled because no connection to exterior devices is allowed
  • Xbox Live Networking Service: (manual) disabled because no connection to exterior devices is allowed

    WARNING: Geolocation Service: (manual) used by Cortana. If you disable this one, you won't be able to reset it back to normal again (current Windows bug as of 2015-Aug-19).
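The following PowerShell script, an added example that is not part of the guide or its Configuration Pack, checks every service in the list above and reports which ones are not yet Disabled; with -Apply it also disables them. The display names are taken from the list above, and where a Windows 10 build has renamed one slightly the script accepts a prefix match only when it is unambiguous.

```powershell
# Added example, not part of the guide or its Configuration Pack: audits the
# services in the list above and reports those that are not yet Disabled.
# Run from an elevated PowerShell prompt; add -Apply to also disable them.
param([switch]$Apply)

# Display names as they appear in the list above (matched case-insensitively).
# Geolocation Service is deliberately omitted because of the bug noted above.
$ToDisable = @(
    'Connected User Experience and Telemetry', 'Distributed Link Tracking Client',
    'DNS Client', 'Function Discovery Provider Host',
    'Function Discovery Resource Publication', 'HomeGroup Listener', 'HomeGroup Provider',
    'Interactive Services Detection', 'Infrared Monitor Service', 'Internet Connection Sharing',
    'IP Helper', 'KtmRm for Distributed Transaction Coordinator',
    'Link-Layer Topology Discovery Mapper', 'Net.Tcp Port Sharing Service', 'Netlogon',
    'Network Connected Devices Auto-Setup', 'Peer Name Resolution Protocol',
    'Peer Networking Grouping', 'Peer Networking Identity Manager',
    'Performance Counter DLL Host', 'Phone Service', 'PNRP Machine Name Publication Service',
    'Quality Windows Audio Video Experience', 'Remote Access Auto Connection Manager',
    'Remote Desktop Configuration', 'Remote Desktop Services',
    'Remote Desktop Services UserMode Port Redirector', 'Remote Registry',
    'Retail Demo Service', 'Routing and Remote Access', 'Secondary Logon',
    'Secure Socket Tunneling Protocol Service', 'Server', 'Smart Card', 'SNMP Trap',
    'SSDP Discovery', 'TCP/IP NetBIOS Helper', 'UPnP Device Host', 'WebClient',
    'Windows Camera Frame Server', 'Windows Media Player Network Sharing Service',
    'Windows Mobile Hotspot Service', 'Windows Remote Management', 'Work Folders',
    'Workstation', 'Xbox Live Auth Manager', 'Xbox Live Game Save', 'Xbox Live Networking Service'
)

function Find-ServiceByDisplayName([string]$DisplayName) {
    # Exact display name first. If a build renamed it slightly, accept a prefix
    # match only when it is unambiguous, so 'Smart Card' never silently picks up
    # 'Smart Card Removal Policy' as well.
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $candidates = @(Get-Service -DisplayName "$DisplayName*" -ErrorAction SilentlyContinue)
        if ($candidates.Count -eq 1) { $svc = $candidates[0] }
    }
    return $svc
}

$report = foreach ($name in $ToDisable) {
    $svc = Find-ServiceByDisplayName $name
    if (-not $svc) {
        [pscustomobject]@{ Service = $name; Name = '-'; StartType = 'NOT FOUND'; Action = 'check display name in services.msc' }
        continue
    }
    $action = 'ok'
    if ($svc.StartType -ne 'Disabled') {
        $action = 'needs disabling'
        if ($Apply) {
            try {
                # Stop it first so the change takes effect without a reboot;
                # protected services that refuse are reported as FAILED.
                Stop-Service -Name $svc.Name -Force -ErrorAction Stop
                Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop
                $action = 'disabled'
            } catch {
                $action = "FAILED: $($_.Exception.Message)"
            }
        }
    }
    [pscustomobject]@{ Service = $svc.DisplayName; Name = $svc.Name; StartType = $svc.StartType; Action = $action }
}

$report | Sort-Object Action, Service | Format-Table -AutoSize
```

Run it without -Apply first and resolve any NOT FOUND rows by checking the name in services.msc, then rerun with -Apply.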

    ----------------------------
    My Service Settings
    ----------------------------
    Below are additional service settings that I use on my machine. They are not suitable for everyone; most of the services listed are disabled because I don't have the equipment for that service to function, like a smart card reader, iSCSI or Bluetooth. Also, I rarely print anything, so printing is disabled.

    If you have the Automated Configuration Pack, my personal additional settings are in "My Personal Win 10 Disabled Services.BAT".

    • AllJoyn Router Service: (manual) not used by me
    • Bluetooth Handsfree Service: (manual) not used by me
    • Bluetooth Support Service: (manual) not used by me
    • Certificate Propagation: (manual) smart card related; not used by me
    • Data Collection Publishing Service: (manual) uploads to the cloud; don't trust the cloud
    • dmwappushsvc: (automatic) possibly related to dmcfghost.exe, which is the Open Mobile Alliance client
    • Fax: (manual) not used by me
    • Internet Explorer ETW Collector Service: (manual) can be disabled if you don't use IE
    • Microsoft Account Sign-in Assistant: (manual) MS accounts not used by me; you decide
    • Microsoft iSCSI Initiator Service: (manual) not used by me
    • Printer Spooler: (automatic) not used by me
    • Printer Extensions and Notifications: (manual) not used by me
    • Sensor Monitoring Service: (manual) not used by me; don't have screen brightness control
    • Sensor Service: (manual) no orientation device on my PC
    • Smart Card Device Enumeration Service: (manual) don't have smart card devices
    • Smart Card Removal Policy: (manual) don't have a smart card device; if hacked, it will lock the PC
    • Telephony: (manual) don't have telephony devices
    • Touch Keyboard and Handwriting Panel Service: (manual) don't have such a device
    • Windows Biometric Service: (manual) don't have such a device
    • Windows Connect Now - Config Registrar: (manual) don't have wireless on the PC
    • Windows Insider Service: (manual) I don't run pre-public-release versions
    • WLAN AutoConfig: (manual) don't have wireless on the PC
    • WWAN AutoConfig: (manual) don't have a GSM or CDMA device



    Stop Distributed COM


    Distributed COM (or DCOM) was invented by MS to answer the perceived need for distributed computing. At one time this was all the rage, but it never became popular. Imagine running code from some source on the internet on your PC. We want to disable this.

    Start button > All apps > Windows Administrative Tools > Component Services > Computers > right click on My Computer and choose Properties. Go to the Default Protocols tab. Under DCOM Protocols, remove Connection-oriented TCP/IP.

    Stop Logins from the Network.

    There should be limited logins available from the network. The 2 local security policies are also set in the Harden Win 10 Services BAT file if you have the Automated Configuration Pack.

    However, if we stop user and admin accounts from logging in through the network, then Simple Software Restriction Policy 1.2 will stop working. We are still protected by Windows Firewall, so the accounts that are denied are: Guests, Anonymous Logon, NETWORK SERVICE, SERVICE and LOCAL SERVICE.


    Install MalwareBytes Anti-Exploit

    This is a very important part of safeguarding your PC from exploits.

    This guide used to recommend EMET 5.2 for other versions of Windows, but MS has pronounced that it is not compatible with Windows 10. EMET 5.5 has been released; however, the new version requires the Secondary Logon service to be active, and with access to Secondary Logon, attackers can use the runas command line tool to invoke administrative rights. One of the core design goals of this guide's hardening approach is to deny attacks even if the attacker knows your admin password. This could be the result of shoulder surfing (simply noting your password as you type it by looking over your shoulder), or it could be that a keylogger has been installed on your system. The necessity of having the Secondary Logon service active is unacceptable, and that is why this guide now recommends MalwareBytes Anti-Exploit.

    MalwareBytes Anti-Exploit Free has fewer protection mechanisms than EMET, but it protects most browsers and Java by default. The paid version also protects MS Office, Adobe Reader and some other apps. Since browsers are a primary attack vector nowadays, this is a good tool to have. The program needs no configuration.


    Install Antivirus

    The last thing you need to do in preparation for connecting online to do Check for Updates is to install your antivirus program. You will also need to specify an outbound firewall rule to allow the antivirus to fetch signature updates. Windows 10 comes with Windows Defender antivirus; if you want to use this default antivirus, then nothing needs to be done except allowing it outbound in the firewall (already listed in the firewall rules configuration above). Some antivirus products also require other files to be added to the firewall outbound rules, like ESET antivirus, which has a file called "ekrn.exe" that intercepts web browsing and inspects traffic.


    Disable Live Tiles

    A Live Tile on the Start Menu accepts input from the Internet. It has been said that if the attacker can make her way onto the desktop, then all is lost. To be safe, right click on each Live Tile and choose Turn Live Tile off. You can always click on a tile to run that app.


    Activate Windows

    At this point, you have hardened the networking components. Switch to your Standard account and connect to the internet now. There are 3 things you need to check before you can perform activation.

    1. Open Start > All apps > Windows Administrative Tools > Services, and start these 2 services:
      Microsoft Sign-in assistant
      Windows Update
      If they are not running, then set them to Manual start and start the service.
    2. Check that your Date & Time and your Time Zone are correct. You may have to disable automatic time zone.

    Then right click on This PC, choose Properties, and click on Activate.

    Or, you can open an elevated command prompt and run the following:

               slmgr.vbs /ato

    Check for Updates

    Next, immediately do Check for Updates.

    Settings > Update & Security > Windows Update.

    DO NOT SURF the net while updates are going on, as Edge and Internet Explorer are still unpatched and vulnerable.

    Note also that you have to check for updates more than once, as MS prepares updates in batches, and another batch may follow the current one.

    If you wish, you may want to defer Windows Update until we reach the end of this guide, when all attack venues are covered.


    Install All Software, Update Firewall Rules

    Install antispyware and antimalware. Then install Secunia's PSI, Adobe PDF Reader, your browser, your Office suite, your printer driver and all other applications.

    If you use MS Office, then go do Microsoft Update now. 

    Settings > Update & Security > Windows Update > Advanced Options > checkmark Give me updates for other Microsoft products.

    Remember to update your firewall outbound rules to allow the programs that need the internet. Adobe Reader, for example, now has its own update service, so add allow outbound rules for such services. Your browser, antivirus and Secunia PSI (see below) also need to reach outbound to the internet.


    Patching

    One of the most important things to do is to update EVERYTHING on your computer, constantly; that means Windows Update and updating all programs and plug-ins. It is very important to know that security patches close the holes that malware and hackers need to get onto your computer. Patching the security holes is the ultimate preventative measure, as it treats the source of the problem.

    It is known that attackers reverse engineer MS patches to exploit the vulnerabilities they fix. It only takes them a few days to do so, so be sure to patch on time. MS's patch schedule is the second Tuesday of each month; put a repeating entry in your cellphone's calendar.

    Windows Update supplies security fixes to Windows and its programs like Edge and Internet Explorer. If you use a buggy Edge, then hacked websites can install viruses/malware unbeknownst to you.

    Adobe Flash is another component that lots of people forget about. Luckily, two browsers, Internet Explorer and Google Chrome, fetch Flash updates automatically, so you don't have to do a thing. If you use Firefox, Opera or another browser, then you need to download the Flash plugin for them. Adobe Flash has an automatic update feature; if you install Flash, you must make an outbound allow firewall rule for that service. An alternative to Flash is HTML 5. Many sites support this now, and you may find that you don't need Flash anymore.

    Secunia offers a free program called PSI (http://secunia.com/vulnerability_scanning/personal/) that detects which of your installed programs are missing security patches. This is a lifesaver. After installing, it will scan your PC on a schedule. It will tell you about insecure programs and link you to patch downloads. If a patch for a security hole does not yet exist, it will tell you, so that at least you can stop using that program for a while. This is a very important part of maintaining the security of your machine.


    Turn off AutoPlay

    AutoPlay is a problem when it comes to removable devices like USB memory sticks and CDs, because it will run whatever program it is set to run whenever you insert one. Hackers are known to casually leave CDs around in public washrooms labelled something like 'layoff positions for next quarter'. Once inserted, their hacking tools run in the background and call back to their master server. AutoPlay is the successor to AutoRun, and can be disabled in Windows.

    Go to Settings > Devices > AutoPlay, set AutoPlay to off.



    Sign on Security

    It is very important to guard your sign on passphrases, especially your admin account one. Attackers will try to trick you into giving out the passphrase by installing a trojan that looks like the Windows sign on screen, and upon seeing this most users will key in their passphrase without question. Microsoft has made a feature whereby you need to press CTRL-ALT-DEL in order to reach the sign on screen, because the special key sequence CTRL-ALT-DEL can only be trapped by the operating system. This feature is normally only active when a PC is part of a corporate network that has Windows Servers, but it can be enabled without Windows servers. To do so, go to Start, type in 'netplwiz' and go to the Advanced tab. There you will see the option to turn on the CTRL-ALT-DEL sign in screen.

    Another MS security feature is not displaying the account name on the sign on screen, even when the user is currently signed on and has locked the system by pressing WinKey-L. This means the attacker needs to get both the account name and the passphrase right, which significantly enhances security.

    If you have the Automated Configuration Pack, you can right click on Harden Win 10 Security options.bat and choose Run as admin to enable the do-not-display-last-user feature. Further down the document, all the settings in Security Options are given.



    Privacy


    Under Start > Settings > Privacy is a whole lot of apps that use your private info. Some of them are used by Cortana, the new artificial intelligence personal assistant, like Speech, inking & typing, and Location. The privacy settings are per account, except Location, which is a system wide setting that can only be enabled by admins. So you can use a particular MS account to experiment with Cortana. (Cortana needs an MS account.)



    OneDrive


    OneDrive lets you keep your documents, pictures and PC settings on the net, ready for syncing to all of your PCs. However, your personal files are then sitting on the internet 24x7x365 waiting for someone to crack your password. This is not secure, to say the least.

    Another issue is that OneDrive currently breaks Software Restriction Policy (including SSRP). The executable is located in \Users\<yourAccountName>\AppData\Local\Microsoft\OneDrive\, and the folder is user writable. The problem is that if we extend SRP to allow programs to execute from this folder, then an attacker can place his tools in this folder and they will get the same permissions, all because the folder is under \Users\ and is user writable. If we make the SRP rule name the executable, the attacker can overwrite the exe with his own program. So, do NOT create a rule in SSRP to allow OneDrive to execute. Sign in to those MS accounts, run Task Manager, go to the Startup tab, and disable OneDrive from starting up upon sign-in.


    Enable DEP

    Data Execution Prevention is a technology that foils some types of attacks when they are coded in a certain way. By default, this feature is enabled but protects only Windows executables. You want to enable it to protect all programs, like Firefox, Opera, Acrobat Reader and others.

    Right click Computer / Properties / Advanced System Settings / Performance Settings button / Data Execution Prevention tab

    Select "Turn on DEP for all programs ..."


    Disable dump file creation

    Dump files are memory dumps: everything in memory is saved to a file. This is used for debugging problems when your system crashes. However, passwords and all the confidential material currently in memory are also saved to this file. You should enable this feature only when you are experiencing problems and need to debug.

    Computer > Properties > Advanced System Settings > Startup and Recovery Settings - settings button

    Write debugging info: None.


    Disallow Remote Assistance

    Remote Assistance allows a helper to control your PC with complete desktop, keyboard and mouse access. This is not an attacker favorite, as there is built-in protection that allows only the invited to take control. However, there are phone scams that lure users into granting remote access, and you will want to protect your users and prevent them from compromising your computer.

    Computer/Properties/Advanced System settings/Remote tab

    Uncheck "Allow Remote Assistance connections to this computer"
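    The GUI settings in the Sign on Security, Enable DEP, Disable dump file creation, Disallow Remote Assistance and Turn off AutoPlay sections above each map to a registry or boot-configuration value, so they can be verified as part of a baseline. The script below is an added example, not part of the guide or its Configuration Pack; the value names are the documented Windows ones, and the AutoPlay check reads the current account's setting.

```powershell
# Added verification script, not from the guide or its Configuration Pack: reads
# the values behind the GUI settings in the Sign on Security, Enable DEP,
# Disable dump file creation, Disallow Remote Assistance and Turn off AutoPlay
# sections, and flags any that still hold the Windows default.
# Run from an elevated PowerShell prompt (bcdedit needs elevation).

$Checks = @(
    @{ Section = 'Sign on Security'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Want = 1; Note = '1 = do not show the last signed-in account' }
    @{ Section = 'Sign on Security'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableCAD'; Want = 0; Note = '0 = CTRL-ALT-DEL required to reach the sign on screen' }
    @{ Section = 'Disable dump file creation'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Name = 'CrashDumpEnabled'; Want = 0; Note = '0 = Write debugging info: None' }
    @{ Section = 'Disallow Remote Assistance'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
       Name = 'fAllowToGetHelp'; Want = 0; Note = '0 = Allow Remote Assistance unchecked' }
    @{ Section = 'Turn off AutoPlay'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
       Name = 'DisableAutoplay'; Want = 1; Note = '1 = AutoPlay off for the current account' }
)

function Test-RegistryHardening([hashtable]$Check) {
    try {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).$($Check.Name)
    } catch {
        $actual = '<not set>'   # value absent: the Windows default applies
    }
    [pscustomobject]@{
        Section  = $Check.Section
        Setting  = $Check.Name
        Expected = $Check.Want
        Actual   = $actual
        Status   = if ("$actual" -eq "$($Check.Want)") { 'OK' } else { 'REVIEW' }
        Note     = $Check.Note
    }
}

function Test-DepPolicy {
    # The GUI option "Turn on DEP for all programs and services except those I
    # select" sets the boot entry to nx=OptOut; the default is OptIn (Windows
    # programs and services only). AlwaysOn is stricter still and also passes.
    $actual = '<unknown>'
    foreach ($line in (bcdedit /enum '{current}' 2>$null)) {
        if ($line -match '^\s*nx\s+(\S+)') { $actual = $Matches[1]; break }
    }
    [pscustomobject]@{
        Section  = 'Enable DEP'
        Setting  = 'nx (bcdedit)'
        Expected = 'OptOut'
        Actual   = $actual
        Status   = if ($actual -in 'OptOut', 'AlwaysOn') { 'OK' } else { 'REVIEW' }
        Note     = 'OptIn = Windows executables only; OptOut/AlwaysOn = all programs'
    }
}

function Get-HardeningReport {
    @($Checks | ForEach-Object { Test-RegistryHardening $_ }) + @(Test-DepPolicy)
}

Get-HardeningReport | Format-Table Section, Setting, Expected, Actual, Status, Note -AutoSize -Wrap
```

    Any row marked REVIEW means the corresponding GUI step above has not taken effect (or a later update reverted it), which is exactly the kind of drift the baseline comparison later in this guide is meant to catch.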


    Let Windows make more Restore Points available

    System Restore can be a life saver when you encounter system errors. Setting it to use more disk space and making more restore points is good policy.

    Right click Computer/Properties/Advanced Systems Settings/System Protection tab

    Configure button/create bigger system restore cache


    Enable Visibility into Windows hidden files

    You want to be able to see all files and folders in Windows. If you do not do this step, hackers can hide their installed tools from you. Although the attacker can also install a rootkit, which also hides their files, they may not be able to get that far into your system to do so.

    Windows Explorer / View pull down menu / Options button / Change Folders and Search options / View tab

    CHECKMARK the items below:

    • Always show menus
    • Display the full path in the title bar
    • Show hidden files, folders and drives

    UNCHECK the items below:

    • Hide empty drives
    • Hide folder merge conflicts
    • Hide extensions for known file types
    • Hide protected operating system files

    Windows Explorer / View pull down menu:

    • checkmark File name extensions
    • checkmark Hidden items


    Configure Screen Saver

    Unattended PCs are obvious security risks, but many people fail to take care of this via this simple setting. Most larger companies that are security aware have strict rules to enable this and not to leave PCs logged in and unattended.

    Go to Settings > Personalize > Lock Screen > Screen saver settings, configure it to wait 10 minutes, and checkmark "On resume, display logon screen".


    Least Privilege part 2

    If you look at the \Windows\System32 folder, you will see a lot of exe programs. Some of them are Windows' GUI components and are needed by the system, and some are command line programs used to administer Windows. A Standard user account doing daily work has little use for these command line programs, as they are intended for IT administrators. In accordance with Least Privilege, these command line admin tools should be partitioned away from the Users group. See the following RBAC section.

    Attackers aim to gain use of three accounts: the admin account, the "Administrator" account, and the System account. The admin account is needed for configuring the system, so it needs full access to command line tools and we cannot avoid this. The 'Administrator' account is disabled by default. And the System account is used by some services. Testing revealed that the System account cannot be constricted, or else our Restore BAT wouldn't work. So in the provided configuration file, command line tools are set so that only members of the Administrators group and 'TrustedInstaller' can invoke them (the System account gets inherited rights). Also, in line with layers of security, the command line admin programs are denied execution by low integrity processes.

    As an example, few people are aware that there is a command line FTP program, as most people use their browsers to download. This program is used mainly by attackers who need to bring over their tools once they have gained command prompt access.


    Role Based Access Control (RBAC)

    Role Based Access Control means setting up accounts to do only what is necessary for the job role. Hence an accountant would be set up so that he can run the accounting program, and not others like our hardening scripts. This is in accordance with the Least Privilege principle.

    When we analyse our security posture, the weakest point of defense is when we are using our admin account. Sometimes a program installer needs Software Restriction Policy turned off, because it writes to and then executes a temporary exe from within the temp folder. And it might also need outbound firewall access set back to allow, because that temporary exe needs to download components from the internet. If we are using a full administrative account, which houses our hardening scripts as well as other important documents, there is a lot to lose. And installing a new program usually takes time, maybe a good half hour or more to configure, test and so on. So in this hour we are essentially running an insecure, semi-hardened box. This calls for a role called the Installation Admin.

    In the Configuration Pack, the Dual Admin BAT creates an installation admin (you choose the actual account name) and restricts it from running admin command line tools and administration GUI apps. In addition, it removes ordinary user accounts' access to admin command line tools. After configuration, the command line administrative tools (plus regedit, regedt32 and tasksched) can only be accessed from a full admin account using an elevated command prompt. Also, only the full admin account has the take ownership right. Right click on the BAT file and choose Run as Admin.

    Note: the Dual Admin BAT script does not assign a password to the Install Admin. Sign in to the Install Admin account and give it a passphrase.

    In effect, the only special rights this installation admin account possesses are the right to write anywhere on the hard drive (like the Program Files folder, which only an admin can write to) and to write to any registry key. This seems very generous, but the fact is we are not able to restrict it further. This account would then be used when you install a program, which is a very common task for an admin role.

    Very often, an attacker will install a Remote Access Tool/Trojan (RAT) to monitor the victim. This program is just like an ordinary program that provides remote access, like Windows' own Remote Desktop or the commercial program TeamViewer. It can view our screens, see what we type and control the PC by running any program. They are very hard to detect, especially if the attacker does not make any changes to your system and just watches you. The goal is to hamper this RAT. The RAT will get all the permissions of the account that you sign into, and it requires an online connection. So here is the second step: we will make our full privilege admin account go offline when used. This will buy us time to find and eliminate the RAT.

    To test the Install Admin account's ability to properly run install programs, the following programs were tested:

    • Avast antivirus free
    • AVG antivirus free
    • Avira antivirus free
    • BitDefender antivirus free
    • Voodoo Shield free
    • Zone Alarm free
    • Libre Office
    • VLC media player
    • FireFox

    It is known that security programs require additional rights to set themselves up, which is why security programs were tested among other programs. Avira, BitDefender and Voodoo Shield failed to install, and WSUS Offline fails to run; they require the use of the full privilege admin account. Ordinary installation programs like VLC typically don't require as many rights. The aim is to reduce usage of the full admin account and lessen the risk. For normal programs, use the install admin account first; then, if it fails, use the full admin account. To enable your full admin account's internet access, right click on the internet icon in the systray, select 'Open Network and Sharing Center', click on 'Change adapter settings', then right click on the adapter and choose Enable.



    For Windows Home version users, there is no gpedit.msc, and Task Scheduler doesn't have a logoff trigger. But there is another method. Task Scheduler has a logon trigger, so we use that to disconnect the network when the full admin signs in. Task Scheduler can also use an Event ID as a trigger, and the logoff event is Security 4647.

    In the previous version of this document, cmd.exe was left to run because the Task Scheduler logon script BAT files required it. This actually is a pretty big security hole, and so it is now disabled via Simple Software Restriction Policy. The new Task Scheduler tasks do not require cmd.exe, but this leaves us without any option for detecting the currently logged in account. It was decided that the Full Admin account should always sign out instead of switching users, because a signed in and switched out account is still accessible to our attackers. This is a minor inconvenience, in that you cannot leave programs running in the Full Admin account and switch to another account to do something else like going online, but it is more secure.

    Now we create 5 scheduled tasks. The first one is for the full admin sign in; it disconnects the network adapter and creates a marker file. Ensure that you are signed in as the full admin.

    Note: the scheduled task actions reference the network adapter name. In the majority of cases, the adapters are called Ethernet and Wi-Fi. But if you have multiple network adapters, then the names will be different and the network adapter name needs to be changed: edit the BAT files, look for the words 'Ethernet' and 'Wi-Fi' and replace them. The adapter names you currently have are shown at Control Panel > Network and Sharing Center > Change Adapter Settings.

    • Sign in to the account you want to make offline.
    • Go to Start > Windows Administrative Tools > Task Scheduler.
    • Right click on Task Scheduler Library, select Create Task
    • Name the task 'Full Admin logon no network', click Next
    • Checkmark Run with highest privileges
    • For Trigger tab, click New button, select Begin the Task 'At Logon', click Next
    • Settings: Specific User; Full Admin account
    • For Action, click New button
    • select 'Start a program', click Next
    • Paste in "netsh interface set interface name="Ethernet" admin=disabled" , click OK
    • Yes
    • click New button
    • select 'Start a program', click Next
    • Paste in "netsh interface set interface name="Wi-Fi" admin=disabled" , click OK
    • Yes
    • Click Finish
    • Click OK
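    The first task above, created with PowerShell instead of the Task Scheduler GUI, as an added example that is not part of the guide or its Configuration Pack. It assumes the full admin account is named FullAdmin (a placeholder to substitute) and, following the note above about adapter names, reads the physical adapters present on the machine rather than assuming 'Ethernet' and 'Wi-Fi'.

```powershell
# Added example, not part of the guide or its Configuration Pack: creates the
# 'Full Admin logon no network' task from the steps above with PowerShell
# instead of the Task Scheduler GUI. Run from an elevated PowerShell prompt
# while signed in as the full admin. $FullAdmin is a placeholder account name.
$FullAdmin = "$env:COMPUTERNAME\FullAdmin"   # placeholder: substitute your full admin account
$TaskName  = 'Full Admin logon no network'

# The note above warns that adapter names vary, so read the physical adapters
# present on this machine instead of assuming 'Ethernet' and 'Wi-Fi'.
$AdapterNames = @(Get-NetAdapter -Physical | Select-Object -ExpandProperty Name)
if ($AdapterNames.Count -eq 0) {
    throw 'No physical network adapters found; check Network and Sharing Center > Change adapter settings.'
}

# One netsh action per adapter, the same command the GUI steps paste in.
$Actions = foreach ($name in $AdapterNames) {
    New-ScheduledTaskAction -Execute 'netsh.exe' `
        -Argument "interface set interface name=`"$name`" admin=disabled"
}

# Trigger: 'At Logon', Specific User = the full admin account only.
$Trigger = New-ScheduledTaskTrigger -AtLogOn -User $FullAdmin

# Equivalent of 'Run with highest privileges' for that account.
$Principal = New-ScheduledTaskPrincipal -UserId $FullAdmin -LogonType Interactive -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $Actions -Trigger $Trigger `
    -Principal $Principal -Force | Out-Null

# Verify what was registered: one netsh action per adapter, trigger bound to the account.
$task = Get-ScheduledTask -TaskName $TaskName
$task.Actions  | Select-Object Execute, Arguments
$task.Triggers | Select-Object UserId, Enabled
```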

    Next, we make a scheduled task for the full admin switching out, which re-enables the network.

    • Right click on Task Scheduler Library
    • Create New Task
    • Name the task: 'Full Admin SwitchOut'
    • Checkmark Run with highest privileges
    • Triggers tab
    • New button
    • Begin the task: On disconnect from user session
    • Settings: Specific user: full-admin
    • Select Connection from local computer
    • OK
    • Actions tab
    • New button
    • Paste in, then click OK:  Shutdown -L
    • Click Yes when asked to move the arguments
    • New button
    • Paste in, then click OK:  netsh interface set interface name="Ethernet" admin=enabled
    • Click Yes
    • New button
    • Paste in, then click OK:  netsh interface set interface name="Wi-Fi" admin=enabled
    • Click Yes
    • Settings tab
    • If the task is already running: Queue a new instance
    • OK
    • OK

    Next, we make a scheduled task for switching to the full admin (fast user switching); it disconnects the network adapters.

    • Right click on Task Scheduler Library
    • Create New Task
    • Name the task: 'Admin SwitchIn'
    • Checkmark Run with highest privileges
    • Triggers tab
    • New button
    • Begin the task: On connection to a user session
    • Settings: Specific user: full-admin
    • Select Connection from local computer
    • OK
    • Actions tab
    • New button
    • Paste in, then click OK:  netsh interface set interface name="Ethernet" admin=disabled
    • Click Yes when asked to move the arguments
    • New button
    • Paste in, then click OK:  netsh interface set interface name="Wi-Fi" admin=disabled
    • Click Yes
    • Settings tab
    • If the task is already running: Queue a new instance
    • OK
    • OK

    Next we create a scheduled task for the full admin signing out; it re-connects the network adapters.

    • Create New Task
    • Name the task 'Admin SignOut'
    • When running the task, use the following user account: full admin account
    • Select 'Run whether user is logged on or not'
    • Checkmark 'Do not store password'
    • Checkmark Run with highest privileges
    • Triggers tab
    • Click the New button
    • Begin the task 'On an event'
    • Select 'Basic'
    • Log: Security
    • Source: Microsoft Windows security auditing
    • Event ID: 4647
    • OK
    • Actions tab
    • New button
    • Paste in, then click OK:  netsh interface set interface name="Ethernet" admin=enabled
    • Click Yes when asked to move the arguments
    • New button
    • Paste in, then click OK:  netsh interface set interface name="Wi-Fi" admin=enabled
    • Click Yes
    • Settings tab
    • If the task is already running: Queue a new instance
    • OK

    Lastly we create a scheduled task for system startup, in case you restart the system while signed in as the full admin. We always want the system to start up in a connected state.

    • Create New Task
    • Name the task 'Enable network on Startup'
    • When running the task, use the following user account: System account
    • Checkmark Run with highest privileges
    • Triggers tab
    • Click the New button
    • Begin the task 'At startup'
    • Actions tab
    • New button
    • Paste in, then click OK:  netsh interface set interface name="Ethernet" admin=enabled
    • Click Yes when asked to move the arguments
    • New button
    • Paste in, then click OK:  netsh interface set interface name="Wi-Fi" admin=enabled
    • Click Yes
    • OK

    The whole set of scheduled tasks is designed to disconnect the network adapters for the full admin when he signs in or when his account is switched to, and to reconnect them when he switches to another account or signs out. You can verify this when you sign in to the full admin account by looking at the network icon in the systray: it shows a red X while you are logged on to that account.
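    The same five tasks can be registered from an elevated PowerShell prompt instead of clicking through the GUI. The script below is an added example, not part of the guide or its Configuration Pack; it uses the built-in ScheduledTasks module and assumes the account is named 'full-admin' and the adapters are 'Ethernet' and 'Wi-Fi' (change both to match your system). The session-state and event triggers have no cmdlet of their own, so they are built as MSFT_TaskSessionStateChangeTrigger and MSFT_TaskEventTrigger CIM instances, which is what the GUI writes behind the scenes.

```powershell
# Added example (not the guide's own code): register the five Dual Admin network tasks.
# Run from an elevated PowerShell while signed in as the full admin.
$FullAdmin = 'full-admin'             # ASSUMPTION: your full admin account name
$Adapters  = @('Ethernet', 'Wi-Fi')   # ASSUMPTION: your adapter names
$TsNs      = 'Root/Microsoft/Windows/TaskScheduler'

# One netsh action per adapter. netsh.exe is started directly, so cmd.exe can stay
# blocked by Software Restriction Policy.
function New-NetshActions {
    param([ValidateSet('enabled', 'disabled')][string]$State)
    foreach ($name in $Adapters) {
        New-ScheduledTaskAction -Execute 'netsh.exe' `
            -Argument "interface set interface name=`"$name`" admin=$State"
    }
}

# GUI equivalent: "On connection to / disconnect from user session", connection from local computer.
# StateChange 1 = console connect, 2 = console disconnect; UserId restricts it to the full admin.
function New-SessionTrigger {
    param([int]$StateChange)
    $class = Get-CimClass -Namespace $TsNs -ClassName MSFT_TaskSessionStateChangeTrigger
    New-CimInstance -CimClass $class -ClientOnly -Property @{
        StateChange = $StateChange; UserId = $FullAdmin; Enabled = $true
    }
}

# GUI equivalent: "On an event", Basic, Log Security, Source security auditing, Event ID 4647.
function New-LogoffEventTrigger {
    $class = Get-CimClass -Namespace $TsNs -ClassName MSFT_TaskEventTrigger
    $query = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>" +
             "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4647]]" +
             "</Select></Query></QueryList>"
    New-CimInstance -CimClass $class -ClientOnly -Property @{ Subscription = $query; Enabled = $true }
}

$queue      = New-ScheduledTaskSettingsSet -MultipleInstances Queue   # "Queue a new instance"
$asAdmin    = New-ScheduledTaskPrincipal -UserId $FullAdmin -RunLevel Highest
# "Run whether user is logged on or not" + "Do not store password" is the S4U logon type
$asAdminS4U = New-ScheduledTaskPrincipal -UserId $FullAdmin -LogonType S4U -RunLevel Highest
$asSystem   = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'Full Admin logon no network' -Principal $asAdmin -Settings $queue `
    -Trigger (New-ScheduledTaskTrigger -AtLogOn -User $FullAdmin) `
    -Action (New-NetshActions -State disabled)

Register-ScheduledTask -TaskName 'Full Admin SwitchOut' -Principal $asAdmin -Settings $queue `
    -Trigger (New-SessionTrigger -StateChange 2) `
    -Action (@(New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument '/l') +
             @(New-NetshActions -State enabled))

Register-ScheduledTask -TaskName 'Admin SwitchIn' -Principal $asAdmin -Settings $queue `
    -Trigger (New-SessionTrigger -StateChange 1) `
    -Action (New-NetshActions -State disabled)

Register-ScheduledTask -TaskName 'Admin SignOut' -Principal $asAdminS4U -Settings $queue `
    -Trigger (New-LogoffEventTrigger) `
    -Action (New-NetshActions -State enabled)

Register-ScheduledTask -TaskName 'Enable network on Startup' -Principal $asSystem -Settings $queue `
    -Trigger (New-ScheduledTaskTrigger -AtStartup) `
    -Action (New-NetshActions -State enabled)

# Check: all five tasks should be listed with State = Ready
Get-ScheduledTask |
    Where-Object { $_.TaskName -like '*Admin*' -or $_.TaskName -like 'Enable network*' } |
    Format-Table TaskName, State
```

    After running it, open Task Scheduler and compare each task's Triggers and Actions tabs with the manual steps above; the result should be identical. Because the tasks run netsh.exe rather than a BAT file, they keep working with cmd.exe blocked.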

    New to ver 4 of Dual Admin, it is now possible to run the following networking commands in the Install Admin account:

    • netstat
    • nslookup
    • ipconfig
    • ping
    • tracert
    • pathping

    This in essence makes the Install Admin also the Network Admin. The commands allow some network diagnosis and offer only one security feature: netstat's '-b' option, which shows which program owns each network connection. To an attacker who is already on your PC this offers little, as they can see what networking programs you have in Program Files anyway. For you, the netstat option shows whether any foreign program is connecting out, and you may be able to catch the attacker's tool in action. Note that the firewall rules for these commands have not been created yet, so the commands will initially fail in the Network Admin account. You have to create allow rules for these programs to make outbound connections, AND you have to allow the ICMPv4 protocol outbound for ping, tracert and pathping to work.
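    The outbound rules just mentioned can be created with the NetSecurity cmdlets. This is an added example rather than a rule set from the guide or its Configuration Pack; it assumes the firewall's outbound default action is Block (otherwise the rules change nothing) and it scopes each rule to what the tool actually sends, which is tighter than allowing all ICMPv4.

```powershell
# Added example (not the guide's own rules): outbound allows for the Network Admin's tools.
# ASSUMPTION: outbound default action is Block, so programs need explicit allow rules.
$sys32 = "$env:SystemRoot\System32"

# nslookup opens its own socket to the resolver (DNS on port 53, UDP by default).
# netstat and ipconfig only read local state; add a program rule for them only if the
# firewall log (pfirewall.log) actually shows them being dropped.
New-NetFirewallRule -DisplayName 'Allow nslookup out (DNS)' -Direction Outbound -Action Allow `
    -Program "$sys32\nslookup.exe" -Protocol UDP -RemotePort 53

# ping, tracert and pathping send ICMPv4 echo requests (type 8) through the stack itself,
# so the rule is on the protocol, not on the program.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo request out' -Direction Outbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8

# Verify the two rules exist and are enabled
Get-NetFirewallRule -DisplayName 'Allow nslookup out (DNS)', 'Allow ICMPv4 echo request out' |
    Format-Table DisplayName, Direction, Action, Enabled
```

    Test from the Install Admin account with a single ping and an nslookup; if either still fails, look for the drop in the firewall log rather than widening the rules.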



    Further Protecting your Data

    The Documents folder has 3 ACL entries allowing access for System, YOU, and the Administrators group. Right click on the Documents folder and choose Properties > Security tab to see them.

    The System account is present on almost all files and folders, but as far as can be determined it does not need to be on your Documents. Attackers also use privilege escalation attacks to gain the System account, because it is as powerful as an admin. You can choose Edit and then Remove to take that right away.

    However, the Configuration Pack BAT files need System to work, that is, if you unzipped the Configuration Pack into Documents. To work around this, you can create a Security folder under your Users\<YourAccount>\ folder and extract the files there. Just remember to move the contents back to the Documents folder when you're done.

    The Administrators group is present so that any admin can access your files in an emergency. It can be removed to ensure that the Install Admin can't get at your files: because the Install Admin has internet access, a RAT (Remote Access Trojan) running in that account could reach your files if the Administrators group is granted access. Removing the ACL entry keeps your data private. The downside is that when you later remove this account via Start > Settings > Accounts > Family and Other People, the Documents folder cannot be deleted and is orphaned. If the account will never be removed, or if you can remember to reinstate the Administrators group first, then this entry can be deleted.
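    The two removals above, plus the check you will want later when comparing against your baseline, can be done from PowerShell. This is an added example and not part of the guide or its Configuration Pack; it assumes it is run as the account whose Documents folder is being protected, after the Configuration Pack BAT files have been moved out of Documents, and that your own ACE is named DOMAIN\user (Microsoft accounts show up as MicrosoftAccount\address instead, so adjust -Expected).

```powershell
# Added example (not the guide's own code): trim the Documents ACL to the owner and check it later.
function Protect-DocumentsAcl {
    param([string]$Path = "$env:USERPROFILE\Documents")

    # 1. Stop inheriting from the profile folder but keep copies of the inherited ACEs,
    #    so the user's own entry survives as an explicit ACE.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # 2. Remove the SYSTEM and Administrators grants; what remains is the user's own ACE.
    $acl  = Get-Acl -Path $Path
    $drop = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    foreach ($ace in @($acl.Access | Where-Object { $drop -contains $_.IdentityReference.Value })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DocumentsAcl {
    # Returns every identity with access that is NOT in the expected list. Run this as part
    # of your baseline review: Administrators or SYSTEM reappearing means something changed.
    param([string]$Path = "$env:USERPROFILE\Documents",
          [string[]]$Expected = @("$env:USERDOMAIN\$env:USERNAME"))   # ASSUMPTION: local account
    (Get-Acl -Path $Path).Access |
        ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { $Expected -notcontains $_ } |
        Sort-Object -Unique
}

Protect-DocumentsAcl
$unexpected = Test-DocumentsAcl
if ($unexpected) { Write-Warning "Unexpected ACEs on Documents: $($unexpected -join ', ')" }
else             { 'Documents ACL: only the owner has access' }
```

    Test-DocumentsAcl is the part worth keeping; the Intrusion Detection sections below rely on knowing exactly which entries are supposed to be there, and this function turns that into a one-line check.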




    Block Low Integrity Programs from Accessing Your Documents

    There is also an option to make low integrity programs unable even to read medium integrity locations. That is what the commands below do. After you run them, your Desktop, Documents, Pictures, Videos and Music folders are unreadable to any program marked as low integrity. The last command makes the Downloads folder a low integrity folder; this is necessary because you need a place to save your downloads (Low cannot write to Medium). You will also want to create an Upload folder and copy files you want to upload into it. Because this Upload folder has not been processed by chml, the low integrity browser can read it.

    Since you also have a Standard User account, run the commands below for your Standard User account too. Note: this measure only protects you against attacks on your low integrity programs, like Internet Explorer (and Firefox or Opera, if you followed the instructions below). But since browsers are the primary vector of attack, this security measure is important. You can also experiment and set other internet-facing programs to low integrity, like your chat program.

    Visit http://www.minasi.com/apps// to download chml.exe

    Then right click on Command Prompt and choose 'Run as administrator'.

    Then execute the following commands for EACH user (replace <yourAccName> with the account's profile folder name):

     

    rem change to wherever you saved chml
    cd "\users\<yourAccName>\downloads\chml"
    chml "c:\users\<yourAccName>\desktop"   -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\documents" -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\pictures"  -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\videos"    -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\music"     -i:m -nr -nw -nx
    chml "c:\users\<yourAccName>\downloads" -i:l

     



    Turn on File History

    File History saves your documents, pictures, music, contacts and IE favorites to a removable drive (or USB key). It runs every hour by default and keeps versions of the files as they change. This is a very convenient method of performing backups and should be used. Just remember to unplug the USB key when you shut down the computer and carry it with you, or else your attackers will gain access to all your files.

    Go to Settings > Update & Security >Backup  and click on "Add a drive"

     

     

    Browsers and Security

    Edge is the default web browser of Windows 10, and is pinned to the task bar. Edge has some new security features, like removing support for ActiveX, VBScript, Browser Helper Objects (BHO) and VML. It is also a Windows app and lives within a sandbox, which contains attacks. It has the SmartScreen Filter, like IE. It supports the W3C standard 'Content Security Policy' and HTTP Strict Transport Security. It is a 64 bit browser and uses ASLR (address space layout randomization) fully. There is also a new feature called 'Control Flow Guard' which controls code jumps in memory (in most attacks, the attacker injects code somewhere in memory and tries to make the browser's execution jump to it). In accordance with good security practice, MS has also offered a handsome bounty to security bug reporters.

    Open Edge, click on the "..." button, click on Settings, then 'View advanced settings'.

    • Turn off 'Use Adobe Flash'. Many sites now use HTML 5, which also plays video, so you no longer need Flash to view videos. Flash has had many security vulnerabilities discovered and currently (2015-08-07) has a few vulnerabilities unpatched, and you need to constantly babysit and update it.

    • Turn on 'Help protect me from malicious sites and downloads with SmartScreen Filter'

    Because browsers are the primary interface to the web and are used by everyone, they are a PRIMARY vector of attack. Attackers will compromise a website and modify it to deliver malware through security holes in the browser. Or they can send attacks forging the address of a web page you are on (if you always have a tab of your favorite web site open, they can forge that web site's address and send attacks).

    Internet Explorer was the most popular browser because it is installed by default. Edge may soon surpass it in popularity because it is pinned to the task bar.

    Internet Explorer has an important defense mechanism called Protected Mode. It is another name for Integrity Levels. Basically, the entire system is marked as Medium integrity, while frequently attacked programs like Internet Explorer are marked as Low integrity. Low integrity cannot modify Medium. So even if someone compromises IE and gains access to your PC, they cannot modify your system. You can set the integrity level of a program yourself, so you can make Firefox or other browsers use Protected Mode as well.

    Popular alternatives to IE are Firefox, Opera and Chrome. There have been security holes discovered in them just like IE, but they are reputed to be more secure, primarily because they don’t use ActiveX. There are ActiveX code libraries strewn about in Windows, and many are not safe for web use. Attackers often make IE call to these ActiveX code modules as a means of attack.

     

    Set IE to use Protected Mode Always

    Control Panel/Internet Options/Security Tab

    Checkmark Protected Mode for all zones

    Login to EACH user account and repeat.

    Set IE to use ActiveX Filtering

    Open Internet Explorer, Gear icon / Safety / checkmark ActiveX Filtering

    Login to EACH user account and repeat.

    IE has this stupid distinction about the source of a web page. By default, if a web server is within your network (like a company internal web server), then Protected Mode is disabled. Well, if an attacker wants to attack your network, they would simply attack your web server first and let their tools spread when internal visitors use the infected company web server.

    Set IE11 to use Enhanced Protected Mode

    Windows 8 introduced Enhanced Protected Mode, which protects your private files and folders like the Documents folder. However, to remain compatible with plugins like 3rd party toolbars, Enhanced Protected Mode has to be manually enabled. Go to Control Panel > Internet Options > Advanced; scroll the Settings list to the Security section.

    Checkmark 'Enable 64-bit processes for Enhanced Protected Mode'.

    Checkmark 'Enable Enhanced Protected Mode'.

    Note that by doing this, some plugins may not work.

    Note: the above settings are per user, so you have to enable them individually for EACH account. I will remind you of this at the end of this document.

     

    Mozilla Firefox is open source software. Proponents of open source say because the code is open for all to inspect, it makes for a safer product. (as opposed to IE, which only a limited number of MS programmers work on). Mozilla has also once called on white hat hackers to help test attack Firefox. But whether or not this is an ongoing engagement is unclear.

    Firefox can be made more secure if you install certain plug-ins. The most popular one is NoScript, which blocks JavaScript from executing until you mark a site as trustworthy or opt to temporarily allow scripting. IE can block JavaScript too, but the controls to do so are buried in the Internet Options menu, not as quickly accessible as NoScript, and cannot be automatically enabled per site. So security that is usable wins. JavaScript blocking matters because many browser security holes are triggered by scripting, so again, when it is not needed it should be disabled. Unfortunately some sites require JavaScript to operate correctly. There is, however, a flaw in thinking that a site can be marked as trustworthy forever: 1) even popular and trusted sites can be attacked and modified; 2) some sites subscribe to ad banners which they have no control over, and sometimes the banners are made maliciously.

    To cover the angle of malicious ads, there is plug-in called AdBlock Plus. This plug-in removes all ads from sites. Its side benefit is that sites load faster without the ads.

    There is another Firefox plug-in call WOT (web of trust). This plug-in marks search engine results with ratings. If a site is known to deliver malware, you will see a red danger icon next to it. And you can click on the icon to see detailed ratings by threat category. The ratings are driven by community help. WOT is now also available for Internet Explorer.

    There is another free plug-in by McAfee called SiteAdvisor. It also marks search engine results with a safety rating icon, and works with both IE and Firefox.

    Low Integrity Firefox

    As mentioned above, you can enhance Firefox's security by setting it to low integrity. Open an elevated command prompt and copy and paste in the following commands, one line at a time, substituting <yourAccName> (and <nextAccName> for each further account) with the account's profile folder name:

    icacls "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" /setintegritylevel low

    icacls "C:\Users\<yourAccName>\AppData\Local\Temp" /setintegritylevel (OI)(CI)low /t
    icacls "C:\Users\<yourAccName>\AppData\Local\Mozilla" /setintegritylevel (OI)(CI)low /t
    icacls "C:\Users\<yourAccName>\AppData\Roaming\Mozilla" /setintegritylevel (OI)(CI)low /t
    icacls "C:\Users\<yourAccName>\Downloads" /setintegritylevel (OI)(CI)low /t

    icacls "C:\Users\<nextAccName>\AppData\Local\Temp" /setintegritylevel (OI)(CI)low /t
    icacls "C:\Users\<nextAccName>\AppData\Local\Mozilla" /setintegritylevel (OI)(CI)low /t
    icacls "C:\Users\<nextAccName>\AppData\Roaming\Mozilla" /setintegritylevel (OI)(CI)low /t
    icacls "C:\Users\<nextAccName>\Downloads" /setintegritylevel (OI)(CI)low /t

     

    Note that in order for Firefox to run as low integrity, the \AppData\Local\Temp folder also has to be set to low integrity, where previously it was medium. This folder may contain sensitive temporary data from other applications. An intruder gaining access through Firefox may be locked into low integrity and unable to change system settings, but he can glean data from this folder, which may be undesirable.

    Note: every time you update Firefox, you have to re-run the command that makes the exe a low integrity program ( ... /setintegritylevel low ).
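    Because the label on firefox.exe is lost with every update, a script that reads the current label and reapplies Low only where it is missing is more reliable than remembering the command. The following is an added example, not the guide's own code; it wraps the same icacls calls as above, parses icacls' own output to read the label, and assumes the install path and account names shown (replace the placeholders).

```powershell
# Added example (not the guide's own code): check mandatory labels and reapply Low where needed.
function Get-IntegrityLevel {
    param([string]$Path)
    # icacls lists an explicit label as e.g. 'Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)'.
    # An object with no explicit label is treated by Windows as Medium.
    $text = (& icacls.exe $Path 2>&1) -join "`n"
    if ($text -match 'Mandatory Label\\(Low|Medium|High) Mandatory Level') { return $Matches[1] }
    return 'Medium'
}

function Set-LowIntegrity {
    param([string]$Path, [switch]$Directory)
    if (-not (Test-Path $Path)) { return "missing: $Path" }
    if ((Get-IntegrityLevel $Path) -eq 'Low') { return "already Low: $Path" }
    if ($Directory) {
        # (OI)(CI) makes the label inherit to new files and subfolders; /T relabels existing ones
        & icacls.exe $Path /setintegritylevel '(OI)(CI)low' /T | Out-Null
    } else {
        & icacls.exe $Path /setintegritylevel low | Out-Null
    }
    "set Low: $Path"
}

$firefox  = 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'   # ASSUMPTION: default install path
$accounts = @('<yourAccName>', '<nextAccName>')                     # ASSUMPTION: profile folder names

Set-LowIntegrity -Path $firefox
foreach ($acct in $accounts) {
    foreach ($sub in 'AppData\Local\Temp', 'AppData\Local\Mozilla', 'AppData\Roaming\Mozilla', 'Downloads') {
        Set-LowIntegrity -Path "C:\Users\$acct\$sub" -Directory
    }
}
```

    Run it from an elevated PowerShell after each Firefox update; the output tells you which paths were already labelled and which had to be relabelled, so an unexpected "set Low" on a profile folder is itself worth a second look.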

     

     

    Opera is another alternative browser. The thing that is good about them is that they patch up publicly disclosed vulnerabilities quite quickly. There is also a WOT plugin for this browser.

    Low integrity Opera

    If you run Opera using the desktop icon for launcher.exe, Opera is launched as integritylevel:Untrusted
    So there is no need to set integrity level with icacls.

     

     

    Chrome is Google’s browser, and it is also open source, mostly. Its architecture allocates high-risk components, such as the HTML parser, the JavaScript virtual machine, and the Document Object Model (DOM), to its sandboxed rendering engine, which prevents modifications to your Windows system. This sandbox is designed to protect you from unpatched security holes. It also uses IE’s Protected Mode in Vista, Windows 7, 8 and 10. Recently, Chrome has also added a sandbox around Adobe Flash, to prevent security bugs in Flash from compromising a system. Google also pays white hat hackers to test attack its product, and numerous security flaws have been discovered this way. Google is doing this right. Chrome is also capable of automatically updating itself, and Google has a special deal with Adobe and gets Flash updates automatically. These two things save a lot of time.

    Chrome has 2 versions, one is for ordinary users and one is for business. The ordinary one installs itself into \users\...\appdata, thus allowing users to install the product without IT dept's blessing. That is, if software restriction policy has not been turned on. The business edition installs into \Program Files (x86), like what normal 32 bit programs usually do. You should use the business edition.

     

    Sandboxing your Browser

    There is a program called Sandboxie ( http://www.sandboxie.com/ ) which applies the sandbox security concept to protect any browser. Basically, the protected browser is made to look within a small directory, but it thinks that directory is drive C. Sandboxie, and any sandbox in general, does not aim to prevent an attack but to contain it within that directory. If the attack creates folders and files, they are created in that directory. If it installs hacking tools and malware, they are all confined to that directory. All your downloads also arrive in that directory first, and Sandboxie helps move them back to the outside world. And everything in that directory can be wiped away with one click. This program is vital to securing your browser.

    Create a sandbox for each user. This assumes that you have different user accounts for different uses, like one for online banking and one for writing and posting your blog. That way, anything that gets into one sandbox cannot lift data belonging to another sandbox.

    Right click on the sandbox and choose Sandbox Settings.
    • Delete > Delete Invocation > checkmark 'Automatically delete contents of sandbox', so that anything that gets into the sandbox does not persist on your system
    • Program Stop > Leader Programs > chrome <or your preferred browser>, so that anything that gets into this sandbox is terminated when chrome exits
    • Restrictions > Internet Access > only chrome <or your preferred browser>, so that anything that gets into this sandbox cannot access the web
    • Restrictions > Start/Run Access > only chrome <or your preferred browser>
    • Restrictions > Drop Rights > checkmark 'Drop rights ...'
    Tip: if you have a favorite site that requires login and you allow the site to remember your login, you can start the browser outside of Sandboxie to log in quickly and let the site save a cookie. Then restart the browser using Sandboxie; Sandboxie copies the cookies from outside into the sandbox when it starts.


    Turn off 16 bit apps

    Run 'gpedit.msc'

    Computer Configuration / Administrative Templates / Windows Components / App Compatibility / Prevent access to 16-bit applications = Enabled

    Feature only available in Windows 10 Pro.

     

     

    Passwords

    You should have strong passwords to safeguard your accounts, particularly the admin accounts. The first account created when you install Windows is an administrative account, so you need to protect that. There is also a hidden account called “Administrator” which you should also protect with a password; it first has to be enabled, as it is disabled by default. Both steps are done with the following commands at an elevated command prompt:

                net user Administrator /active:yes
                net user Administrator <password>

    Your passwords should be long (15+ characters) and use upper and lower case, numbers and symbols. The best way is to create passphrases. For example, take the sentence "James T Kirk is the captain of the USS Enterprise 1701". That would form the password "JTKitcotUSSE1701". Throw in symbols and it becomes "JTK$itcot%USSE1701". This password is now long and complex enough to foil attacks.

    It is not secure to use the same password everywhere. Some people think it is OK to use the same password for email, banking, Facebook, Windows login and so on. If your password is discovered (say by a keylogger), the next logical step for the attacker is to try it on your email account. Once they have access to your email, they can use the ‘forgot my password’ feature of many web sites to have your access password for that site emailed over, and very shortly everything is compromised. Password attack programs use either a brute force approach or a dictionary approach. The brute force method tries every combination of numbers and letters; the dictionary approach tries known words. These programs are fast and can test thousands of passwords per minute, so a short password is crackable in no time. A secure site has safety features like locking your account after several failed tries or making you answer security questions, but not every site is secure like that, and those weak sites are the primary target of password attack programs.

     

    Enforce long password/passphrase

    See Automated Configuration section.

     


    BIOS Password


    It is also prudent to password protect your BIOS, so that people cannot boot your PC. Also, you should change the boot order in the BIOS so that it boots the hard drive first, rather than the CD/DVD. If an attacker can insert a Linux Live CD and start up your PC, then they will be able to mount your hard drive and read all data from it, and all Windows security will be bypassed.

     


     

    Physical Security

    Physical security is very important and should not be overlooked. If someone has physical access to your PC, then they could bypass a lot of the hardening that was done.

    For example, if an attacker could access your PC and boot up a Linux Live CD, he could then read and copy off all files from the Windows disk partition. Or he could remove your hard drive and put it into another PC as a secondary drive and get the data off that way. Either way, Windows' password security is of no use, because the hard drive's copy of Windows was never started.

    Therefore, you should keep your office/study room under lock and key

     

    BitLocker Drive Encryption

    BitLocker is a full disk encryption feature of Windows 10 Pro. When it is active, the whole drive is encrypted and will not be readable by other copies of Windows or Linux. This eliminates the offline attacks mentioned above.

     

    Syskey

    For those who don't have Windows Pro, you can use a different form of semi 2 factor authentication, but it doesn't protect you from offline attacks. Windows has a feature called syskey, which can store the decryption key to your login passwords on a USB key. The login passwords are not stored as plain text in Windows, they are encrypted. The key to decrypt those passwords can be stored onto drive A.

    A lot of computers now don't come with a floppy drive, and the label drive A is unused. First you insert your USB memory key, then right click on Computer and choose Manage. Then go to Disk Management, right click on the USB memory stick, (which is probably label as drive F), choose Change Drive Letter and Path. Then click the Change button and make it drive A.

    Now you run "syskey". Click on the Update button; choose Store Startup Key on Floppy Disk. Then insert the USB memory key, and the decryption key will be stored on the memory stick.

    Once that is done, when you boot Windows, it will prompt you to insert the 'floppy disk' in order to continue booting.

    The syskey method of 2 factor authentication is good, now anyone booting the computer will need the USB memory stick; as well as know your login password.

     

     

    Security Compliance Manager

    Security Compliance Manager is an MS tool that provides the risk details that each group policy setting addresses. After all, the group policy settings are created for a reason. There is much in-depth detail and it covers a lot of products including Windows 10, Windows Server 2016, Office 2013 and more. For Windows 10 v1607 Anniversary Update, there are 774 items for configuration. (The baseline for v1703 Creators Update has not been released as of April 2017.)

    As it is group policy based, it has limited functionality on Windows 10 Home. The program runs, and the program goes through the motions, but there is no effect on Local Group Policy. A subset of Local Group Policy - Local Security Policy seems to work.

    The program lists each group policy setting, its default setting, MS's recommended setting, and your chosen setting. Below them are the explanation, risk details and the setting for maximum security. MS's recommended setting and the default setting frequently do not agree, probably because MS has to consider general compatibility, and the maximum security setting could be something else again. Each setting is also rated by severity: none, optional, important and critical, but you may not agree with the rating.

    If you are going to use this tool, be very careful as it can modify the settings that this security guide recommends. The initial settings in bold are my modified items. But as you move along and modify some others, you may not be able to tell which modifications are yours as they will also be in bold.

    If you have the Configuration Pack, there is a cab file included that contains all the modified settings for Win 10 v1607. Just click on Import "SCM (.cab)" on the right and import "Strict4 - Win10-1607 Computer Security Compliance.cab" and "Strict4 - Win10-1607 Domain Security Compliance.cab" and you will see them appear on the list of baselines on the left side product listing.

    To use the imported baseline, you MUST change 2 settings. The 'take ownership' right (search for 'ownership' in the top right search box): set this to your full admin account name. Then search for 'change system time' and also specify your full admin account name.

    There is one setting named "require trusted path" which makes you press CTRL-ALT-DEL every time a normal UAC prompt comes up. In the interest of security this is enabled, but you may wish to disable it if it is too troublesome.

    In order to put the settings in effect, you have to download the LGPO command line tool from MS. The SCM help file refers to "Local GPO", but that is defunct and is no longer included. LGPO is located here:

    https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/

    Once you have a baseline ready, click on Export "GPO Backup (folder)" on the right. This creates a cryptically named folder wherever you choose. Choose a folder the System account can access (not your Documents folder, as this guide recommends you remove the System account from its ACL). Windows Explorer will automatically open to your chosen folder. Click into the cryptically named folder, click on the address bar, and press CTRL-C to copy the path name with the backslashes (\). Then open an administrative command prompt, CD to the LGPO program folder, and type

    lgpo /g <press CTRL-V to paste in your cryptically named path >

    You can then type in

    gpupdate

    to make sure that the policy has been applied.


    Intrusion Detection – part 1

    Good security partly consists of deter, deny and delay. That is what hardening does. Good security is also about detection: Detection of unwanted changes like unauthorized account creations, running of malware and other unwanted apps, etc. Fortunately, a lot of things are tracked in the event logs. Windows’ Event Viewer holds a lot of information about your system (Control Panel > Administrative Tools > Event Viewer). One cannot claim to know what is going on in a system without examining the logs periodically.

    Microsoft created a Security Monitoring and Attack Detection Planning Guide.

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=218322    

    The guide examines what security monitoring one should do and provides the relevant Event IDs. In the section below, those Event IDs are placed into custom filters, which allow you to monitor for signs of intrusion.

    Note that the guide gives Event IDs for Windows XP. With Vista, Windows 7, Windows 8 and Windows 10, you need to take the given Event ID and add 4096 to get the correct event under these newer operating systems.

         

     

    Make Event Log files Bigger

    (also covered by automated configuration part 2)

    You may not discover an intrusion right on the first day when they get in. Very often, the discovery comes several weeks to months later. You will need to retain log entries, and the default log sizes allow for too short a period.

    Control Panel/Administrative Tools /Event Viewer

    Expand 'Windows Logs'. Right click on Application, Properties and set log size to 1000000. Do the same for 'Security' and 'System'.

     

     

    Security Events to Monitor for

    If you have the Automated Configuration Pack, the 'custom view' filters are in the folder "Event Viewer Custom Views". Simply choose 'Import Custom View' to import each xml file one by one.

    Create Custom Views for the following Event IDs

    HOWTO: click 'Create Custom View'. Select 'By Log', pull down 'Event Logs', Checkmark 'Windows Logs', Move to the field <All Event IDs> and copy and paste in the event id numbers, click OK and name the view.

    4723,4724 - Change Password
    4720,4726,4738,4781 - Delete, Change Accounts
    4608,4609 - Startup, Shutdown
    4613 - Clear Security Log
    4616 - Change System Time
    4617 - Unable to Log
    4714,4705 - Privilege assigned or removed
    4708,4714 - Change audit policy
    4717,4718 - System access granted or removed
    4739 - Change domain policy
    16390 - Administrator account lockout
    4727-4730,4731-4734,4735,4737,4784,4755-4758 - Group changes
    4624,4636,4803,4801 - Account logons
    4625,4626,4627,4628,4630,4635,4649,4740,4771,4772,4777 - Logon failures ( KEYWORD: Audit Failure )
    4672 - Admin account logons
    4698 - Schedule new job
    4656 - Access refused to object
    4664 - Create hard link to audited file
    865 - Software restriction triggered
    1000 - Application Error ( Event Level: CHECKMARK "Error" )
    1002 - Application Hang ( Event Level: CHECKMARK "Error" )
    1037 - Protected Mode violation
    7031 - Service terminated unexpectedly
    4697 - Install a Service
    4663 - Access audited file
    11707,11742 - Application Install or Uninstall
    Windows Defender events - By Log: Applications and Services Logs > Microsoft > Windows > Windows Defender


    The above items are important to review.
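    The same review can be scripted. The block below is an added example, not code from the guide or its Configuration Pack: it queries the live logs with Get-WinEvent for the Event IDs listed above (IDs and group names are copied from the list as the guide gives them) and prints one line per hit, so the weekly check does not depend on clicking through each Custom View. Run it from an elevated PowerShell, because reading the Security log requires administrator rights. The group names, the 7-day window and the per-group cap are assumptions.

```powershell
# Added example; not code from the guide or its Configuration Pack. It pulls the
# guide's "events to monitor" out of the live logs with Get-WinEvent so the
# review can be scripted instead of clicking through each Custom View.
# Event IDs and group names are copied from the guide's list. Run elevated:
# reading the Security log needs administrator rights.

# Each group is queried on its own; Get-WinEvent rejects filters with more
# than about two dozen IDs, and per-group output is easier to read anyway.
$ReviewGroups = @(
    @{ Name = 'Change Password';                 Log = 'Security';    Id = 4723, 4724 }
    @{ Name = 'Delete / Change Accounts';        Log = 'Security';    Id = 4720, 4726, 4738, 4781 }
    @{ Name = 'Startup / Shutdown';              Log = 'Security';    Id = 4608, 4609 }
    @{ Name = 'Clear Security Log';              Log = 'Security';    Id = 4613 }
    @{ Name = 'Change System Time';              Log = 'Security';    Id = 4616 }
    @{ Name = 'Privilege assigned or removed';   Log = 'Security';    Id = 4714, 4705 }
    @{ Name = 'Change audit policy';             Log = 'Security';    Id = 4708, 4714 }
    @{ Name = 'System access granted/removed';   Log = 'Security';    Id = 4717, 4718 }
    @{ Name = 'Group changes';                   Log = 'Security';    Id = (4727..4735) + 4737 + 4784 + (4755..4758) }
    @{ Name = 'Admin account logons';            Log = 'Security';    Id = 4672 }
    @{ Name = 'Logon failures';                  Log = 'Security';    Id = 4625, 4626, 4627, 4628, 4630, 4635, 4649, 4740, 4771, 4772, 4777 }
    @{ Name = 'Schedule new job';                Log = 'Security';    Id = 4698 }
    @{ Name = 'Install a Service';               Log = 'Security';    Id = 4697 }
    @{ Name = 'Access audited file';             Log = 'Security';    Id = 4663 }
    @{ Name = 'Service terminated unexpectedly'; Log = 'System';      Id = 7031 }
    @{ Name = 'Application Error / Hang';        Log = 'Application'; Id = 1000, 1002; Level = 2 }   # Level 2 = Error
    @{ Name = 'Application Install / Uninstall'; Log = 'Application'; Id = 11707, 11742 }
)

function Get-SecurityReviewEvents {
    param(
        [int]$Days = 7,          # how far back to look (assumption: one weekly review)
        [int]$MaxPerGroup = 200  # cap so a logon-failure flood cannot swamp the other groups
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($g in $ReviewGroups) {
        $filter = @{ LogName = $g.Log; Id = [int[]]$g.Id; StartTime = $since }
        if ($g.ContainsKey('Level')) { $filter.Level = $g.Level }
        # Get-WinEvent throws a terminating error when nothing matches; silence it.
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxPerGroup -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [pscustomobject]@{
                Group   = $g.Name
                Time    = $e.TimeCreated
                Id      = $e.Id
                Log     = $e.LogName
                Message = ($e.Message -split "`r?`n")[0]   # first line of the description only
            }
        }
    }
}

# Windows Defender writes to its own operational log rather than to the three
# 'Windows Logs'; this is the log the guide's last custom view points at.
function Get-DefenderEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: review the last week, newest first, then the Defender log.
Get-SecurityReviewEvents -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
Get-DefenderEvents -Days 7 | Format-Table -AutoSize
```

    Pipe the output to Export-Csv with today's date in the file name if you want to keep the weekly review alongside the baselines described in the next part.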

    Now that Windows is hardened, most of the vulnerabilities you face will come from applications. The concepts that underlie protecting apps are the same as those for protecting the OS. Be careful of apps that have high privileges, and scrutinise network-facing apps. Patching is really important: upgrade the app when new versions are posted. Monitor Event Viewer's "application hang" and "application error" custom views; if something fishy is going on and it happened after an application hang or error, then there is a chance that you have been attacked. Be aware of what is normal and what is not. Know the protection settings that have been applied and know when a change is made (by an attacker). For example, your full-admin's Documents folder has been set to have only one ACL entry, full access for the full-admin; if you suddenly find that another ACL entry has been added giving access to, for example, the Administrators group, then something is wrong.



     

     

    Intrusion Detection – part 2: Baselines

    Intrusion detection also has to do with seeing that things aren’t different from what is normal. Your PC was running perfectly on day 1 after hardening, is it doing anything different today? To answer that question, we need baselines.

    What we want to know is what programs are normally running when we first log in. If we know that, then we can be sure that we aren't contaminated with spyware or other hacking tools. There are 2 programs we want to get, both free. The first one is AutoRuns, available from here: http://technet.microsoft.com/en-us/sysinternals/bb9639022

    It doesn't have a setup program; just download, unzip, create a folder under \Program Files (x86) and copy the files there.

    AutoRuns lists all of the places in the registry where programs are set to auto launch. Right click on it, and choose Run as admin, and use File/Save to take a snapshot of each account's current settings. Later on during your regular system checkups, you can use the File/Compare feature to see if anything is different. New entries show up in green. If all green entries are good, then save the file again with today's date, and do the comparison with the new file in the next scheduled check.

    The second program is Process Explorer, available here: http://technet.microsoft.com/en-us/sysinternals/bb896653

    This program is like Task Manager, but it shows more info. Much malware names itself with familiar Windows program names, trying to hide. Log in to your admin account, then right click on Process Explorer and choose 'run as admin', go to View/Select Columns and checkmark 'command line'. Then do a File/Save. The resulting text file is now a snapshot of what normally runs when you first log in.

    When you do a comparison using Process Explorer, note that you cannot use a file comparison tool like 'fc' (file compare) to check for differences, because the PID (process identifier) for each program/process will be different on different boot-ups. You have to do a visual check of the command line column.

    Next, reboot your PC and open an elevated command prompt with 'run as admin', and type

    netstat -abn > netstat-baseline.txt

    The netstat program shows you a list of programs that are listening and connecting to the net. If an attacker connects to your PC, his program would have to connect back from your PC to his PC, and his program would show up in this list.

    Driverquery is a command line tool in Windows that lists all the drivers in use. Some viruses and rootkits now come in the form of a driver. When you perform your routine checks, first run this:

    driverquery > out.txt

    If this is the first snapshot, then rename the out.txt to driverquery-out.txt.

    Next time, run these 2 lines;

    driverquery > out.txt
    fc out.txt driverquery-out.txt

    Fc will display the differences between out.txt and driverquery-out.txt. If there are lots of changes, fc will not be able to synchronize the sections in the files. Then you'll have to open up 2 notepads side by side and scroll through the files manually to see what has changed.

    In most cases, new drivers are caused by Windows Update. You will have to go online and read that month's MS Security Bulletin to see if the new patches would have deployed new drivers. If that doesn't reveal anything, you'll have to check to see if the new drivers are also present in another machine.

    If you have the Automated Configuration Pack, there is a 'baseline.bat'. It takes a snapshot of various configurations of the PC.

    Run this command in an elevated command prompt:

        baseline.bat > baseline-2015-08-21.txt

    replacing the date portion of the file name with your current date.

    Now we have 5 baselines; save them onto a USB memory stick for use in comparisons later. Save the Autoruns and Process Explorer files onto the memory stick as well, because after an attack, programs may get altered or rendered unusable. You have to keep the baselines on a USB memory stick because attackers will modify your baselines to make you think nothing has changed.

    The last thing to do when doing baseline comparisons is to run "sfc /scannow" to determine if any system files have been modified. SFC holds the correct Windows file signatures and compares them against the current setup. It will also fix the problem.

     

    There is a little known program called WinDiff. It is a good file and directory compare tool. It is provided in Windows XP Professional > Support Tools. If you run the Setup program in Support Tools folder, it will be installed. The files that you want are: 

        gutils.dll
        SysInspector-AHSDAFSA-081115-2248.xml
        windiff.exe
        windiff.hlp

    You can use WinDiff to compare 2 versions of baseline.bat output, and it will not be confused when it encounters big sections of differences, unlike the command line program 'fc'. 
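    The snapshot-and-compare routine above can also be scripted so that the comparison never depends on 'fc' keeping the two files in sync. The block below is an added example and is not the Configuration Pack's baseline.bat: it writes dated driverquery, netstat, listening-port and service snapshots, and compares two dated sets with Compare-Object, which treats the lines as sets and therefore reports every added or removed line even when large blocks differ. The listening-port list is normalised to 'address:port process', with no PIDs or ephemeral client ports, so it stays stable across reboots (the same problem the guide notes for Process Explorer output). The service snapshot goes slightly beyond what the text lists. $BaselineDir, the file names and the date format are assumptions; point $BaselineDir at the USB stick so the reference copy is off the machine. Run it from an elevated PowerShell, since 'netstat -b' needs administrator rights.

```powershell
# Added example; not the Configuration Pack's baseline.bat. Writes dated
# snapshots and compares two sets with Compare-Object instead of 'fc'.
# Run elevated ('netstat -b' needs administrator rights). $BaselineDir is an
# assumption: use the USB stick so an attacker cannot rewrite the reference copy.

function Save-Baseline {
    param(
        [Parameter(Mandatory)][string]$BaselineDir,
        [string]$Stamp = (Get-Date -Format 'yyyy-MM-dd')   # same date style as baseline-2015-08-21.txt
    )
    New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null

    # Drivers: CSV gives one record per driver, which diffs more cleanly than the table.
    driverquery /fo csv | Set-Content -Path (Join-Path $BaselineDir "driverquery-$Stamp.csv")

    # Raw netstat -abn, exactly as the guide runs it, kept for reference only.
    netstat -abn | Set-Content -Path (Join-Path $BaselineDir "netstat-$Stamp.txt")

    # Normalised listener list: 'proto address:port process'. PIDs and ephemeral
    # client ports change every boot, so only stable facts go into the file
    # that is compared (the same reason 'fc' is useless on Process Explorer output).
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        'tcp {0}:{1} {2}' -f $_.LocalAddress, $_.LocalPort, $(if ($p) { $p.ProcessName } else { 'unknown' })
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        'udp {0}:{1} {2}' -f $_.LocalAddress, $_.LocalPort, $(if ($p) { $p.ProcessName } else { 'unknown' })
    }
    @($tcp) + @($udp) | Sort-Object -Unique | Set-Content -Path (Join-Path $BaselineDir "listeners-$Stamp.txt")

    # Services with start mode and image path; a new auto-start service is a common persistence sign.
    Get-CimInstance Win32_Service |
        ForEach-Object { '{0} {1} {2}' -f $_.Name, $_.StartMode, $_.PathName } |
        Sort-Object |
        Set-Content -Path (Join-Path $BaselineDir "services-$Stamp.txt")
}

function Compare-Baseline {
    param(
        [Parameter(Mandatory)][string]$BaselineDir,
        [Parameter(Mandatory)][string]$OldStamp,   # the reference copy, e.g. '2015-08-21'
        [Parameter(Mandatory)][string]$NewStamp    # today's snapshot
    )
    $snapshots = @{ driverquery = 'csv'; listeners = 'txt'; services = 'txt' }
    foreach ($kind in $snapshots.Keys) {
        $ext = $snapshots[$kind]
        # Trim so that whitespace-only differences are not reported.
        $old = @(Get-Content (Join-Path $BaselineDir "$kind-$OldStamp.$ext") | ForEach-Object Trim)
        $new = @(Get-Content (Join-Path $BaselineDir "$kind-$NewStamp.$ext") | ForEach-Object Trim)
        # Compare-Object works on the whole line sets, so it does not lose sync
        # when a large block of lines differs, unlike 'fc'.
        foreach ($d in (Compare-Object -ReferenceObject $old -DifferenceObject $new)) {
            $change = if ($d.SideIndicator -eq '=>') { 'added' } else { 'removed' }
            [pscustomobject]@{ Snapshot = $kind; Change = $change; Line = $d.InputObject }
        }
    }
}

# Usage (assumed drive letter for the USB stick):
#   first run:    Save-Baseline -BaselineDir 'E:\baselines'
#   later checks: Save-Baseline -BaselineDir 'E:\baselines'
#                 Compare-Baseline -BaselineDir 'E:\baselines' -OldStamp '2015-08-21' -NewStamp (Get-Date -Format 'yyyy-MM-dd') |
#                     Format-Table -AutoSize
```

    Every 'added' line in the driverquery or services output deserves the same treatment the guide gives new drivers: match it against that month's update before accepting it, then promote today's snapshot to the new reference copy.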


    Intrusion Detection – part 3

    You should definitely install antivirus and antispyware programs. However, note that you can only have one realtime antivirus program. The realtime capability monitors file access and file modifications as they happen, and having more than one realtime antivirus will cause problems. Having more than one anti-spyware program usually doesn't cause problems. Windows 10 has Windows Defender installed by default, which is an antivirus program. It will also scan ActiveX components before use and does network behaviour monitoring.

    For a list of antivirus programs to consider, go to http://av-comparitives.org or http://virusbtn.com. These 2 sites run tests on antivirus programs to see how effective they are.

    There are also a lot of fake antivirus programs floating around, so make sure you read the reviews before installing one. The fake ones report non-existent infections, ask you for your money and do nothing. Some will even stop you from going to legitimate antivirus program sites, stop your programs from working and make you think you are infected with a virus. If you happen to have installed a fake antivirus, there is one anti-malware program that can remove it. It's called MalwareBytes (https://www.malwarebytes.org). MalwareBytes has a free version, which doesn't include real time detection and automatic signature updates. It is a very good tool to have; just remember to update the signatures before doing a scan.

    Bear in mind that no antivirus/anti-spyware program will catch everything you encounter. One study found that the best detection rate is around 60%. Vendors can't hope to have captured and analysed ALL the viruses out there, because lots of new ones are introduced every day.

    So you can't fully trust your antivirus program to do a perfect job. To be on the safe side, use online scanners once in a while to do a double check. There are quite a few of them: TrendMicro Housecall, BitDefender, Kaspersky, Panda and ESET. Google for "online scan" and you will see them.

    If you download stuff from P2P and BitTorrent, beware. Lots of infected programs are floating around. They may even work as expected, except that they will also get you infected. And those viruses tend to be new ones, so most likely your antivirus program will not even beep. You have been warned. The best that you can do is upload the file to virustotal.com and let them run your file against their 39 antivirus programs, and then decide if you want to keep the file or not. Remember that it is hackers who release pirated software, cracks and keygens, and they seed these files on P2P and BitTorrent. And most likely, they also want to own your PC.

    Security suites are very popular. For example, Norton 360 includes antivirus, anti-spyware, anti-rootkit, smart firewall, network monitoring, parental controls, anti-spam and more. They certainly seem to be value for your money. But when weighing effectiveness, many choose a best of breed, mix and match, solution. For example: one can use ESET antivirus and anti-spyware, Webroot anti-spyware, Windows firewall, NetNanny parental control, Gmail’s anti-spam and Gmer anti-rootkit.

    If you are considering security suites, then you should also Google for "<brand> end point protection". End Point Protection is the name used for antivirus suites for businesses. And like MS's way of adding more security features for Windows Enterprise, the business products of major antivirus brands offer more security features. Most will also offer a trial version, so you can test them before making the leap.

    Another program you must have is an anti-executable. This class of protection stops any program from running unless you have clicked on it or it resides in a small whitelist. So if you clicked on it, then it runs; if you didn't, then it gets blocked. This stops drive-by downloads, where web sites get hacked to deliver malware. Also, many exploits download a malware of their choosing (mostly RATs) and execute it. Anti-executables are a great class of protection to have. There are several on the market, like Anti-Executable, AppGuard, No Virus Thanks, and Voodoo Shield. The last one is free. Note: you have to allow Voodoo Shield outbound in the firewall.

    For your maintenance routine, you should do 2 more things.

    1. Check that your antivirus is still alive and active. Go to http://www.eicar.org/86-0-Intended-use.html, copy that test virus line of text, paste it into Notepad, save it and try to open it again. Your antivirus should detect it.

    2. Do an antivirus scan.

     

    Intrusion Detection - part 4



    Many people rely on their antivirus and antimalware to detect intrusions. Both are necessary, but when you are dealing with hackers, they will not identify everything. That is because a careful hacker tries to avoid detection and will not use tools that can be picked up by common security protection.

    One thing you can do is to employ a hardware firewall that has a network intrusion detection system and network intrusion prevention system. Commercial tools cost $400 and up. But there are several Linux distributions that play the role of a firewall and IDS/IPS. All you need is an older computer and an extra network card to deploy them. The ones I prefer are IPFire and pfSense. Both are straightforward to install and do not require Linux experience. You simply download the ISO file and burn the image to disk, then boot with it and follow the prompts.


    IPFire calls the external internet connection RED and the internal network GREEN. If you use 3 Ethernet cards, a DMZ can be created, labeled ORANGE. You have to assign a network card to each of the RED, ORANGE and GREEN zones. You can make the lights on the card light up to find out which card is which. After install, go to the web IP address you assigned during install and start configuration, just like configuring a router.

    In IPFire the built-in intrusion detection is called snort and the intrusion prevention is an add-on called Guardian. Guardian takes the IP addresses found by snort and blocks them. Add-ons are available for install from the Pakfire pull-down menu. Once installed, go to Services > Intrusion detection and download the free signatures from EmergingThreats. Then review the rulesets and disable those rule groups that give alerts for services that you don't have in your LAN. Then checkmark Guardian and save. The ET rules update approximately once a month; the update is not automatic, so create a recurring appointment in your smartphone.

    Note: only enable Guardian intrusion prevention if you are using IPFire as the main router. If IPFire is behind another router, it will only see that router as the source of intrusion and block that.


    Intrusion Detection - part 5



    There is a Linux program called TCPDUMP which is a favorite incident response tool. It can capture all network traffic and can tell you almost absolutely if you have been attacked. (The attackers can perform DNS poisoning for normal Windows communications to confuse you.)

    It is a command line program that is included in many Linux distros. To use this program you need an Ethernet switch which has a mirror port. These managed switches used to cost a bit more, but have come down in price. One example is the TrendNet Solo TL-SG105E 5-port smart switch which costs $40. Simply designate a port as a mirror port and plug the Linux machine into it. Then you can start capturing packets from the network with this command:
        sudo tcpdump -A -i eth0 -tttt -w <anyFileName>
    The command will run and you won't see the command prompt again until you press CTRL-C to stop the program.

    Open a new Tab, and you can then read in the capture file with this command:
        sudo tcpdump -A -tttt -r <yourFileName> | less
    Explanation: the 'sudo' part runs the command as admin; the 'A' parameter specifies showing packets in ASCII. The 'i' parameter is the interface, and eth0 is the default Ethernet port on a Linux machine. The 'tttt' parameter shows the full date. The 'w' parameter is for writing to a file, and the 'r' parameter is for reading from a file. The '| less' part "pipes" the output to 'less', a program that lets you scroll down any long document (or else everything will just quickly scroll past and disappear). When you are finished viewing the output in 'less', typing 'q' will exit 'less'.

    You can see the source and destination of each packet, the ports used, and the network packet contents in ASCII. Start tcpdump and then boot up the Windows machine without logging on. This will allow you to see what network traffic occurs at Windows boot time. Then log in to Windows and run the read command again.

    There will be quite a lot of packets to go through. Open Firefox and go to any web site that can do 'IP to domain' conversion, and type in an IP from the tcpdump output. This will tell you the domain name that the packet is going to. Along with the domain name, it usually states the company which is managing that network/site. You can then look up that company's web site. Then identify the harmless ones that belong to Microsoft and Akamai (which I think is a server ISP that caters to corporate clients like MS) and sites like your antivirus update site. Anything else would be suspicious, especially if the domain is a home user ISP, or the IP belongs to some company that is from another country which you don't go to, like 'ru' (Russia) and 'cn' (China).

    The beauty of tcpdump is that it can see ALL network packets from the outside of your Windows machine. So even if you have a rootkit infection, and Windows' netstat tells you nothing is wrong, tcpdump will reveal the rootkitted admin tool's traffic.

    Intrusion Detection - part 6


    A honey pot is usually an unused dummy system set up just to lure attackers. Once you notice traffic on it, it is guaranteed that you have an attacker. You can set up auditing for a 'honey folder' which you never click on to act as an intrusion detector.

    First create a folder, called for example 'Plans for the New Year', then right click on it and choose Properties. Then go to Security tab > Advanced > Auditing tab. First set up which user account to watch for, then leave the settings at 'Read and Execute', which will generate an Event Viewer entry whenever the folder is accessed.

    If you have the Configuration Pack, the Event Viewer custom view XML files allow you to import the custom views. Click on the 'Access audited file' view to see the entries generated by the intruder. You also have to run the Harden Audit BAT and the Harden Security Options BAT to enable the auditing.

    Take care not to audit folders and files you normally use, because each access generates 6 or more entries, which could fill up the log and cause old entries to be discarded.
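    The honey folder can be set up by script as well, which makes it easy to recreate after a rebuild and to read back exactly what touched it. The block below is an added example and is not code from the guide or its Configuration Pack: it creates the folder, attaches the audit (SACL) entry for 'Read and Execute' that the Properties dialog sets, turns on the File System audit subcategory (what the Harden Audit BAT does), and then lists the resulting 4663 'Access audited file' events with the account and process that generated them. The folder path, the bait file name and the audited account ('Everyone', so any account the intruder lands in trips it; a single user name narrows it as the guide describes) are assumptions. Run it from an elevated PowerShell, since writing a SACL requires the security privilege that only administrators hold.

```powershell
# Added example; not code from the guide or its Configuration Pack. Creates the
# 'honey folder', adds the Read and Execute audit rule by script and reads back
# the 4663 events it produces. Run elevated: changing a SACL needs the
# SeSecurityPrivilege that only administrators have. $Path and $Account are
# assumptions.

function New-HoneyFolder {
    param(
        [string]$Path    = 'C:\Users\Public\Documents\Plans for the New Year',
        [string]$Account = 'Everyone'   # or a specific user name to watch one account only
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # Audit 'Read and Execute' (open, list, run) on the folder and everything in
    # it, for both successful and failed attempts; same as the Auditing tab.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')

    # -Audit makes Get-Acl fetch the SACL as well as the DACL, so Set-Acl writes it back.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # A bait document (constructed content): opening it is what we want to notice.
    'Draft. Do not distribute.' | Set-Content -Path (Join-Path $Path 'Budget notes.txt')

    # Object-access auditing must be on or the SACL never fires. This is what the
    # guide's Harden Audit BAT enables; repeating it is harmless.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
}

function Get-HoneyFolderAccess {
    param(
        [string]$Path = 'C:\Users\Public\Documents\Plans for the New Year',
        [int]$Days = 30
    )
    # 4663 is the guide's 'Access audited file' event.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        ForEach-Object {
            # The account, process and object live in the event's EventData fields;
            # the XML view is the reliable way to get at them.
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process = $data['ProcessName']
                Object  = $data['ObjectName']
            }
        }
}

# Usage: set up once, then include the read-back in the regular checks.
New-HoneyFolder
Get-HoneyFolderAccess -Days 30 | Format-Table -AutoSize
```

    Any row whose Process is not something you ran yourself (Explorer during your own setup is expected) is the signal the guide describes. Keep the folder out of your indexing and backup paths, or those tools will generate the noise the paragraph above warns about.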




    Keyloggers and Screen Grabbers

    This class of spyware deserves mentioning on its own. Unlike other hacker attacks, these do not aim to penetrate and gain admin rights, but they are deployed by criminal hackers. They function in a standard account. Their aim is to capture credentials to your web accounts such as banking account numbers and passwords, email accounts and others. Antivirus programs do not detect them. To counter these, I know of 2 programs. Zemana AntiLogger (http://www.zemana.com) has anti-keylogger as well as anti-screen grabber functions. The other one is KeyScrambler (http://www.qfxsoftware.comm) which is only an anti-keylogger. (Both programs now have free editions.)



    Security as a Process

    Security is a process that is ongoing after we perform hardening. Your hardened Windows 10 is good and now has multiple layers of security, but new vulnerabilities will be discovered in various software that you use and weaken your stance. Take the case of the browser; attackers target browsers all the time, and new security holes will be revealed. One has to know when these holes are discovered, and take steps to mitigate.

     

    The first step is to know about the new vulnerabilities. The following websites report on security matters:

    http://threatpost.comm

    http://www.theregister.co.uk/security//

    http://www.sans.org/newsletters/risk/

    http://www.microsoft.com/technet/security/advisory/default.mspx

    http://www.exploit-db.com

    You should visit them once a week to learn of new security vulnerabilities. The articles will tell you about new security holes in applications or the OS, which versions they apply to, and give a brief description of the weakness. Sometimes, the software vendor will inform us of a configuration change to apply for the time being, until they have a patch ready. Also, the articles may tell us if attacks using the vulnerability have been spotted in use.

    This information is of great help in maintaining security. To continue our browser example, let's say the new vulnerability involves an ActiveX component that is called via Internet Explorer. Then you might mitigate that by using another browser for the time being, and monitor the vendor's site for a new version release. Or Microsoft may issue an advisory informing us how to disable that ActiveX control through settings in the registry. Or you may decide that using that browser together with Sandboxie would contain the threat. Or you may decide to disable scripting features of the browser. (Secunia's PSI program will also tell you when new security patches or program versions have been released, as mentioned previously.) The main thing is that you get to know about potential problems from these web sites and take steps to mitigate.

    ********

    Next, as part of the security process, you have to monitor your system and detect attacks. You have to perform those log checks, baseline comparisons, and virus scans (as mentioned earlier) on a regular basis, like every 1 or 2 weeks. We are being lax here already, for in a secure environment, tools monitor the logs in real time. Monitoring is crucial, as even the most hardened systems will have holes in their defenses. We cannot think that our hardened system is impervious.

    ********

    After a few months of use, computer settings invariably change: new software installed, new devices added, etc. We now have to check that all security settings are still in place. For example, are the user accounts still standard accounts, or has one been changed to admin for temporary troubleshooting? Has the firewall been set to Outbound Allow during installation of a program and left forgotten? So, after you put those locks on the doors, are they still locked? Or has there been tampering? We have to revisit the hardening process and check everything. This is to ensure that the system is still as secure as day one.

     

    Automated Configuration

    Contents:

    • The hardening document specific to Windows 10 or Windows 10 Pro.
    • Harden Win 10 Services.bat - reduce attack surface of services, specific to Windows 10 or Windows 10 Pro.
    • Dual Admin.bat, specific to Windows 10 or Windows 10 Pro
    • (and optionally) My Personal Win10 Disabled Services.bat, specific to Windows 10 or Windows 10 Pro

    Note that 32-bit Windows is not covered by the Dual Admin file (which is a set of ACL configs). There are many more executables on a 32-bit machine.

    If you wish to revert the changes to out-of-box defaults, use:

    • Restore Win 10 Services.bat, specific to Windows 10 or Windows 10 Pro
    • Restore Win 10 ACLs_GUI.bat, specific to Windows 10 or Windows 10 Pro

    To configure, right click on the bat files and choose 'Run as Administrator'.

    To configure manually, open an elevated command prompt (right click on Command Prompt and choose 'run as admin') and type in the following command:

        SecEdit /configure /db <any_name>.sdb /cfg <template.inf>

    The <any_name>.sdb will hold the configured results; you make up the filename, but the file extension must be .sdb. The <template.inf> is one of the templates named above.

    Also provided in the package are Event Viewer 'custom view' XML files. These XML files set up filters for select event IDs, so that you get to see, for example, all login failures on one screen.

    Use this bat file to set up what events to audit. It also sets up the event log maximum file sizes for Application, Security and System.

    • Harden Win 10 Audit.bat

    It sets up the following:

    • Have Event Viewer show success and failure events for Account Logons, Account Management, Policy Change and System events.
    • System, Application and Security Event Log size: 1000000 kb

    Use this bat file to set up the password and account lockout settings.

    • Harden Win 10 Password and Lockout.bat

    Use of this file requires that you understand what the settings do. The numbers are:

    • Enforce password history: 24 passwords
    • Maximum password age: 60 days
    • Minimum password age: 1 day
    • Minimum password length: 14 characters
    • Password must meet complexity requirements

    Password history means that the system will remember the 24 previous passwords so that they cannot be reused; each new password must be unique.

    Password age means that the system will prompt you 14 days before the 60 days are up to change your password. Minimum password age of 1 day means you cannot change your password again until 1 day has passed. This is so that users cannot rotate 24 times rapidly and reuse an old password.

    Minimum password length is 14 characters. If you use a passphrase, then this shouldn't be a problem. Complexity requirement means that the passphrase must include upper and lower case, numbers and symbols.

    The lockout settings are as follows:

    • Account lockout threshold: 50 password attempts
    • Account lockout duration: 15 minutes
    • Reset lockout counter after: 15 minutes

    What these numbers mean is that you are allowed 50 tries to get the right password. After that, the system locks the account for 15 minutes. So, when you realize you have forgotten a password, write down the various passwords that you want to try and try to find the right one within 50 tries. After 50 tries, the system will not respond until 15 minutes have passed.

    Unfortunately this can give rise to a denial of service (DoS) attack, where the attacker randomly tries out 50 passwords; her aim isn't to get in but to lock you out of the system. If we don't define a threshold number for password attempts, then an attacker can use a program to brute-force or dictionary-attack the system, because they can try an unlimited number of times. If you realize that such a DoS attack is taking place, all you can do is unplug the Ethernet cable and go for a 15 minute break.
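    For readers who want to see what the 'Harden Win 10 Password and Lockout.bat' values look like in the template that SecEdit consumes, the block below is an added example, not the Configuration Pack's own file: it writes a security template holding exactly the password and lockout numbers listed above, applies it with the same SecEdit /configure /db ... /cfg ... command the guide gives, and prints the effective policy back with 'net accounts' so the import can be confirmed. The file names are assumptions. Run it from an elevated PowerShell.

```powershell
# Added example; not the Configuration Pack's 'Harden Win 10 Password and
# Lockout.bat'. Writes a secedit template with the guide's password and lockout
# numbers, applies it with SecEdit /configure and shows the result. File names
# are assumptions. Run elevated.

function New-PasswordPolicyTemplate {
    param([string]$TemplatePath = "$env:TEMP\password-lockout.inf")

    # secedit templates are INI-style. [System Access] holds the password and
    # lockout policy; ages are in days, lockout duration and reset in minutes.
    $inf = @'
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 60
MinimumPasswordAge = 1
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 50
LockoutDuration = 15
ResetLockoutCount = 15
[Version]
signature="$CHICAGO$"
Revision=1
'@
    # The [Unicode] header promises a UTF-16 file; -Encoding Unicode writes one.
    Set-Content -Path $TemplatePath -Value $inf -Encoding Unicode
    return $TemplatePath
}

function Invoke-PasswordPolicyTemplate {
    param(
        [string]$TemplatePath = (New-PasswordPolicyTemplate),
        [string]$DatabasePath = "$env:TEMP\password-lockout.sdb"   # the <any_name>.sdb from the guide
    )
    # Same shape as the guide's command; /areas SECURITYPOLICY restricts the run
    # to the policy sections so nothing else in the database is touched.
    secedit /configure /db $DatabasePath /cfg $TemplatePath /areas SECURITYPOLICY
}

function Show-PasswordPolicy {
    # 'net accounts' prints the effective password and lockout policy.
    net accounts
}

# Usage: write the template, apply it, then confirm the 14 / 60 / 1 / 24 and 50 / 15 / 15 values.
Invoke-PasswordPolicyTemplate
Show-PasswordPolicy
```

    secedit writes its own log to %windir%\security\logs\scesrv.log if the configure step reports an error; that is the first place to look when a value does not take.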

    Use the 'Dual Admin.bat' to remove the standard user accounts from accessing command line admin tools. This script also sets up a heavily restricted admin account for installing non-security software. Together with this, you should set up the included login scripts that take the full admin account offline automatically upon login. This aids in combating attacks where the attacker has remote access to your machine.

    Some of these settings default to 'undefined'. And due to the fact that SecEdit does not handle settings that specify 'undefined', no restore bat file is offered to reverse these password and lockout settings.

    Lastly, there is a security options file:

    • Harden Win 10 Security Options.bat

    This file includes a group of security settings, as follows:

    • Accounts: Administrator account status: disabled
    • Accounts: Block Microsoft accounts: disabled..
    • Accounts: Guest account status: disabled **
    • Accounts: Limit local account use of blank passwords to console logon only: enabled
    • Audit: Audit access of global system objects: disabled
    • Audit: Audit the use of Backup and Restore privilge: disabledd
    • Audit: Force audit policy subcategory settings (Windows Vista of later) to override audit policy category settings: enabled
    • Audit: Shutdown system immediately if unable to log security audits: disabled
    • DCOM: Machine access restrictions: no remote access for all accounts
    • DCOM; Machine launch restrictions: no remote launch and remote activation for all accounts
    • Devices: Allow undock without having to log on: disabled
    • Devices: Allowed to format and eject removable media: administrators and interactive users
    • Devices: Prevent users from installing printer drivers: enabled
    • Domain member: Digitally encrypt or sign secure channel data (always): enabled
    • Domain member: Digitally encrypt secure channel data (when possible): enabled
    • Domain member: Digitally sign secure channel data (when possible); enabled
    • Domain member: Disable machine account password changes: disabled
    • Domain member: Maximum machine account password age: 30 days
    • Domain member: Require strong (Windows 2000 or later) session key: enabled
    • Domain member: Display user information when session is locked: do not display user information
    • Interactive logon: Do not display last user name: enabled
    • Interactive logon: Do not requrie CTRL+ALT+DEL: disabled
    • Interactive logon; Machine account lockout threshold: 10 invalid logon attempts
    • Interactive logon: Machine inactivity limit: 900 seconds
    • Interactive logon: Number of previous logons to cache (in case domain controller is not available: 4 logons
    • Interactive logon: Prompt user to change password before expiration: 14 days
    • Interactive logon; Require Domain Controller authentication to unlock workstation; Disabled
    • Interactive logon: Require smart card: disabled..
    • Interactive logon: Smart card removal behavior: Lock workstation
    • MS network client: Digitally sign communications (always): disabled
    • MS network client: Digitally sign communications (if server agrees): enabled
    • MS network client: Send unencrypted password to thrid-party SMB servers: disabled
    • MS network server; Amount of idle time required before syspending session: 15 minutes
    • MS network server: Digitally sign communications (always): disabled  
    • MS network server; Digitally sign communications (if client agrees); enabled
    • MS network server: Disconnect clients when logon hours expire: enabled
    • MS network server: Server SPN target name validation level: Required from client
    • Network access: Allow anonymous SID/Name translation: disabled
    • Network access: Do not allow anonymous enumeration of SAM accounts: enabled
    • Network access: Do not allow anonymous enumberation of SAM accounts and shares: enabled
    • Network access: Do not allow storage of passwords and credentials for network authentication: disabled
    • Network access: Let Everyone permissions apply to anonymous users: disabled
    • Network access: Named Pipes that can be accessed anonymously: blank
    • Network access: Remotely accessible registry paths: blank
    • Network access; Remotely accessible registry paths and sub-paths: blank
    • Network access: Restrict anonymous access to Named Pipes and Shares: enabled
    • Network access: Shares that can be accessed anonymously: blank
    • Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves
    • Network security: Allow Local System to use computer identity for NTLM: : enabled
    • Network security: Allow LocalSystem NULL session fallbasck: disabled
    • Network security: Allow PKU2U authentication requests to this computer to use online identifies: disabled
    • Network security: Configure encryption types allowed for Kerberos: RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
    • Network security: Do not store LAN Manager hash value on next password change: enabled
    • Network security: Force logoff when logon hours expire: disabled
    • Network security; LAN MAnager authentication level: Send NTLMv2 response only, Refuse LM & NTLM
    • Network security: LDAP client signing requirements: Require signing
    • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128 bit encryption
    • Network security: Minimum session security for NTLM SSP based (including secure RPC) server: Require NTLMv2 session security, Require 128 bit encryption
    • Network security: Restrict NTLM: Incoming NTLM traffic: Deny all accounts
    • Network security: Restrict NTLM: NTLM authentication in this domain: Deny all
    • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: Deny all
    • Recovery console: Allow automatic administrative logon: disabled
    • Recovery console: Allow floppy copy and access to all drives and all folders: disabled
    • Shutdown: Allow system to be shut down without having to logon: enabled
    • Shutdown: Clear virtual memory pagefile: disabled
    • System cryptography: Use FIPS compliant algorithms for encryption, hasing and signing: disabled
    • System objects: Require case insensitivity for non-Windows subsystems: enabled
    • System objects: Strengthen default permissions of internal system objects (e.g. Symbolic links) : enabled
    • System settings: Optional subsystems: blank
    • System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies: disabled
    • UAC: Admin Approval Mode for the Built-in Administrator account: enabled
    • UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop: disabled
    • UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent on the secure desktop
    • UAC: Behavior of the elevation prompt for standard users: Automatically deny elevation requests
    • UAC: Detect application installations and prompt for elevation: enabled
    • UAC: Only elevate executables that are signed and validated: disabled
    • UAC: Only elevate UIAccess applications that are installed in secure locations: enabled
    • UAC: Run all administrators in Admin Approval Mode: enabled
    • UAC: Switch to the secure desktop when prompting for elevation: enabled
    • UAC: Virtualize file and registry write failures to per-user locations: enabled
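    The settings above are easy to get wrong by one click, and a feature update or a badly behaved installer can silently flip one back. The following script is an added example, not part of the guide or the Configuration Pack: it reads the registry values that back the registry-based subset of the security options listed above and reports any that differ from the values the list calls for. Run it from an elevated PowerShell prompt. Settings that live only in the LSA policy database (Recovery console, Optional subsystems, the anonymous share list) are not covered, and the domain-only NTLM setting is skipped.

```powershell
# Added example (not from the guide): re-check the registry-backed security options above.
# Run elevated. Each line is: registry key, value name, expected DWORD, description.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$smg = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Want($Path, $Name, $Value, $Setting) {
    [pscustomobject]@{ Path = $Path; Name = $Name; Value = $Value; Setting = $Setting }
}

$expected = @(
    Want $lsa 'ForceGuest' 0 'Network access: Sharing and security model: Classic'
    Want $lsa 'UseMachineId' 1 'Allow Local System to use computer identity for NTLM'
    Want $msv 'allownullsessionfallback' 0 'Allow LocalSystem NULL session fallback: disabled'
    Want "$lsa\pku2u" 'AllowOnlineID' 0 'PKU2U online identities: disabled'
    Want "$pol\Kerberos\Parameters" 'SupportedEncryptionTypes' 0x7FFFFFFC 'Kerberos: RC4, AES128, AES256, future types'
    Want $lsa 'NoLMHash' 1 'Do not store LAN Manager hash: enabled'
    Want $lsa 'LmCompatibilityLevel' 5 'LAN Manager auth level: NTLMv2 only, refuse LM & NTLM'
    Want 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' 'LDAPClientIntegrity' 2 'LDAP client signing: Require signing'
    Want $msv 'NTLMMinClientSec' 0x20080000 'NTLM SSP clients: NTLMv2 session security + 128-bit'
    Want $msv 'NTLMMinServerSec' 0x20080000 'NTLM SSP servers: NTLMv2 session security + 128-bit'
    Want $msv 'RestrictReceivingNTLMTraffic' 2 'Restrict NTLM: Incoming: Deny all accounts'
    Want $msv 'RestrictSendingNTLMTraffic' 2 'Restrict NTLM: Outgoing: Deny all'
    Want $pol 'ShutdownWithoutLogon' 1 'Shutdown: Allow shutdown without logon: enabled'
    Want "$smg\Memory Management" 'ClearPageFileAtShutdown' 0 'Shutdown: Clear pagefile: disabled'
    Want "$lsa\FipsAlgorithmPolicy" 'Enabled' 0 'FIPS compliant algorithms: disabled'
    Want "$smg\Kernel" 'ObCaseInsensitive' 1 'Require case insensitivity for non-Windows subsystems: enabled'
    Want $smg 'ProtectionMode' 1 'Strengthen default permissions of internal system objects: enabled'
    Want $pol 'FilterAdministratorToken' 1 'UAC: Admin Approval Mode for built-in Administrator: enabled'
    Want $pol 'EnableUIADesktopToggle' 0 'UAC: UIAccess prompt without secure desktop: disabled'
    Want $pol 'ConsentPromptBehaviorAdmin' 2 'UAC: admins prompt for consent on the secure desktop'
    Want $pol 'ConsentPromptBehaviorUser' 0 'UAC: standard users: automatically deny'
    Want $pol 'EnableInstallerDetection' 1 'UAC: detect application installations: enabled'
    Want $pol 'ValidateAdminCodeSignatures' 0 'UAC: only elevate signed executables: disabled'
    Want $pol 'EnableSecureUIAPaths' 1 'UAC: UIAccess only from secure locations: enabled'
    Want $pol 'EnableLUA' 1 'UAC: run all administrators in Admin Approval Mode: enabled'
    Want $pol 'PromptOnSecureDesktop' 1 'UAC: switch to secure desktop when prompting: enabled'
    Want $pol 'EnableVirtualization' 1 'UAC: virtualize file and registry write failures: enabled'
)

function Test-SecurityOptions {
    foreach ($e in $expected) {
        # Missing key or missing value both come back as $null and count as a mismatch.
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            Setting  = $e.Setting
            Expected = $e.Value
            Actual   = $shown
            OK       = ($actual -eq $e.Value)
        }
    }
}

# Show only the drifted settings; an empty table means the list above is still in force.
Test-SecurityOptions | Where-Object { -not $_.OK } | Format-Table -AutoSize
```

    A value reported as '(not set)' is not necessarily wrong for items whose default matches the list (for example ValidateAdminCodeSignatures defaults to off), but the ones that tighten the default (LmCompatibilityLevel, NoLMHash, the NTLMMinClientSec/NTLMMinServerSec pair, the two RestrictNTLM values) must be present explicitly.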

     

    The 'Security Options' settings, the audit settings and the 'Password and Account Lockout' settings above are taken from the Microsoft Security Compliance Manager (SCM) baseline for Windows 10.

     

     

    Last things to do

    Disable Flash in your admin account: Internet Explorer > Gear > Manage add-ons > Toolbars and Extensions > Show: All add-ons > Shockwave Flash Object > Disable button.


    Disable Flash in Edge for each account.

    Disable AutoPlay for all user accounts: Control Panel > AutoPlay. Choose 'Take no action' for everything.

    Turn off "Use AutoPlay for all media and devices" in Settings > Devices > AutoPlay.

    Set IE to turn on ActiveX Filtering for each account: Gear icon > Safety > ActiveX Filtering.

    Set IE to use Protected Mode for all zones: Gear icon > Internet options > Security tab > click each zone icon (Internet, Local intranet, Trusted sites, Restricted sites) and check 'Enable Protected Mode' for each. Do this for all user accounts.

    Set IE to use Enhanced Protected Mode for all users: Control Panel > Internet Options > Advanced tab; scroll the Settings list to the Security section and check "Enable 64-bit processes for Enhanced Protected Mode" and "Enable Enhanced Protected Mode".

    Run Acrobat Reader (if you have installed it) to set up its security, for each account:

    Edit > Preferences

    > JavaScript: uncheck "Enable Acrobat JavaScript".

    > Security (Enhanced): Protected View: All files.

    > Security (Enhanced): check "Create Protected Mode log file".

    > Security (Enhanced): uncheck "Automatically trust sites from my Win OS security zones".

    > Trust Manager: uncheck "Allow opening of non-PDF file attachments with external applications".

    > Trust Manager: Internet Access from PDF Files outside the web browser > Change Settings button, select "Block PDF files' access to all web sites". This one is optional; sometimes you need to click on an internet link inside a PDF document.

    Run Java in Control Panel (if you have installed it). Go to the Security tab and uncheck 'Enable Java content in the browser'.
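    Most of the settings in this section are per-user, which means clicking through them once per account. The script below is an added example (not from the guide) that applies the AutoPlay, Internet Explorer and Acrobat Reader settings above to the account that runs it, so it can be run once in each account instead. The registry locations for AutoPlay and Internet Explorer are the standard ones; the Acrobat Reader DC value names come from Adobe's preference reference and are assumed to match your installed version (the Protected Mode log file setting has no documented per-user value I am certain of, so it is left to the GUI). Flash, Edge and Java are also left to the GUI steps.

```powershell
# Added example (not from the guide): per-user AutoPlay / IE / Acrobat Reader hardening.
# HKCU settings only affect the account running the script, so run it in each account.
function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Control Panel > AutoPlay > 'Take no action': disable autorun for every drive type (bitmask 0xFF).
Set-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 0xFF
# Settings > Devices > AutoPlay > "Use AutoPlay for all media and devices" = Off.
Set-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' 'DisableAutoplay' 1

# IE: Gear > Safety > ActiveX Filtering.
Set-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering' 'IsEnabled' 1

# IE: Protected Mode for every zone. Value 2500 is 'Turn on Protected Mode': 0 = on, 3 = off.
# Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
foreach ($zone in 1..4) {
    Set-RegValue "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone" '2500' 0
}

# IE: Enhanced Protected Mode (Isolation = PMEM) with 64-bit content processes.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
Set-RegValue $ieMain 'Isolation' 'PMEM' 'String'
Set-RegValue $ieMain 'Isolation64Bit' 1

# Acrobat Reader DC, only if it has been run in this account (the key exists then).
# Value names assumed from Adobe's preference reference for Reader DC.
$rdr = 'HKCU:\Software\Adobe\Acrobat Reader\DC'
if (Test-Path $rdr) {
    Set-RegValue "$rdr\JSPrefs"      'bEnableJS'            0   # JavaScript off
    Set-RegValue "$rdr\TrustManager" 'iProtectedView'       2   # Protected View: All files
    Set-RegValue "$rdr\TrustManager" 'bTrustOSTrustedSites' 0   # don't trust Windows security zones
    Set-RegValue "$rdr\Originals"    'bAllowOpenFile'       0   # no opening of non-PDF attachments
}

# Quick read-back so the change is visible before IE/Reader are restarted.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun
Get-ItemProperty $ieMain -Name Isolation, Isolation64Bit
```

    Internet Explorer and Acrobat Reader read these values at start-up, so close and reopen them after running the script. If the IE "Use Enhanced Protected Mode" checkbox still shows as unchecked afterwards, the zone or Isolation values are being overridden by a machine-wide policy under HKLM and the Control Panel steps above need to be used instead.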

     

    Create a System Restore Point

    This PC > Properties > Advanced System Settings > System Protection tab > Create button.

     

     

    Do an image backup of the hard drive

    This is important: your last line of defense is restoring from backup. The image saves all of the settings you have done so far, so you don't have to repeat them when you need to reinstall Windows. There is a free image backup tool called Macrium Reflect, available from http://www.macrium.com/reflectfree.aspx. Use the tool to create a drive image and store it on an external USB hard drive, then unplug that drive when the backup has finished: a backup drive that stays connected can be encrypted or wiped by the same malware that hits the PC. Don't forget to create the rescue CD, and boot from it once to make sure it works before you actually need it.

     

     

    Before Installing Applications

    Whenever you choose to install a new application, you need to consider its security ramifications. For example, an older app which needs admin rights and accesses the internet is bad, because one successful attack against it gives the attacker admin rights over your machine. Another thing to watch for is listening apps. Technically they are servers, like an FTP server, and they show up in 'netstat -abn' from an admin command prompt (the -b switch, which names the executable behind each port, is the reason it has to be an admin prompt). Any such app listens 24x7 to anyone who cares to connect. While you may sleep, servers do not, and you won't be around to monitor their security. One may point out that FTP servers have username and password protection, but attackers don't usually attack the main entrance; they go after flaws in the service that can be reached before any password is checked. If you are deploying a server, restrict connections to your friends' IP addresses in the firewall rules (bearing in mind that home ISPs change residential IPs frequently, so you'd have to update those addresses frequently).

    It's a good idea to check www.exploit-db.com for published exploits before installing any app. Some exploits only work in certain versions of the software, so if you find an old exploit there is a chance it won't work against newer versions. But to be really sure you would have to compile the exploit and test it, which can be difficult if you aren't a programmer. Bear in mind too that finding nothing on exploit-db only means nothing has been published there, not that the app is clean. Be aware of the risk and decide.
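    As an added example (not part of the guide), here is the same check done from PowerShell rather than netstat, followed by a firewall rule that limits a listening app to a short list of trusted addresses. It assumes a placeholder FTP server at C:\Program Files\MyFtp\ftpd.exe on TCP port 21 and uses addresses from the RFC 5737 documentation ranges; substitute your own program path, port and friends' addresses. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the guide): find what is listening, then scope a server
# rule to trusted peers only. Run elevated. Program path, port and addresses are placeholders.
function Get-ListeningApps {
    # Get-NetTCPConnection / Get-NetUDPEndpoint expose the owning PID; Get-Process
    # turns that into a name and path. PID 0/4 (System) has no path, which is fine.
    $tcp = @(Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess)
    $udp = @(Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess)
    $tcp + $udp | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = $_.Proto
            # 0.0.0.0 / :: means reachable from the network; 127.0.0.1 / ::1 is local only.
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    } | Sort-Object Proto, PID
}

Get-ListeningApps | Format-Table -AutoSize

# Allow the server only from trusted addresses. Anything else is still dropped by the
# profile's default inbound Block, so no separate deny rule is needed.
$trusted = @('203.0.113.10', '198.51.100.0/24')   # placeholders (RFC 5737 ranges)
New-NetFirewallRule -DisplayName 'FTP server - trusted peers only' `
    -Direction Inbound -Action Allow -Profile Private,Public `
    -Protocol TCP -LocalPort 21 `
    -Program 'C:\Program Files\MyFtp\ftpd.exe' `
    -RemoteAddress $trusted

# When a friend's residential IP changes, update the list instead of recreating the rule:
# Set-NetFirewallRule -DisplayName 'FTP server - trusted peers only' -RemoteAddress @('203.0.113.11')
```

    Tying the rule to both the program path and the port means a different program that later grabs port 21 gets no access, and the server itself gets none on any other port.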

    Installation of New Software

    When installing new software, sometimes the setup program needs to connect to the internet to download components. It may also create an exe inside a temp folder to do the downloading, and that exe is removed automatically when the install finishes. On such occasions it may not be possible to create an outbound allow rule for that exe. So the only solution is to go to Windows Firewall with Advanced Security and temporarily set Outbound to Allow for the Public profile. Just remember to set Outbound back to Block when you have finished setting up the new program.

    Also, when Simple Software Restriction Policy is installed, remember that programs will not run when they are located outside of \Windows or \Program Files. To let your install program run from, let's say, your Downloads folder, right-click on SSRP in the system tray and choose Unlock, and re-lock once the installer has finished.
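    The risky part of the firewall step above is forgetting to put Outbound back to Block. The function below is an added example (not from the guide) that opens outbound for the Public profile only for as long as the installer runs and restores the previous default action in a finally block, so it is reverted even if the installer crashes or you close the window. It assumes an installer path you pass in; the Profiles parameter defaults to Public as in the text.

```powershell
# Added example (not from the guide): run an installer with outbound temporarily
# allowed, then restore the firewall profile's previous default. Run elevated.
function Invoke-WithOutboundAllowed {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,
        [string[]]$Profiles = @('Public')      # the guide relaxes only the Public profile
    )
    # Remember what each profile had before, rather than assuming it was Block.
    $before = Get-NetFirewallProfile -Profile $Profiles |
        Select-Object Name, DefaultOutboundAction
    try {
        Set-NetFirewallProfile -Profile $Profiles -DefaultOutboundAction Allow
        Write-Host "Outbound allowed on: $($Profiles -join ', '). Running installer..."
        Start-Process -FilePath $InstallerPath -Wait
    }
    finally {
        # Runs on success, on error, and on Ctrl+C, so the window of exposure ends with the installer.
        foreach ($p in $before) {
            Set-NetFirewallProfile -Profile $p.Name -DefaultOutboundAction "$($p.DefaultOutboundAction)"
        }
        Get-NetFirewallProfile -Profile $Profiles |
            Select-Object Name, DefaultOutboundAction | Format-Table -AutoSize
    }
}

# Usage (placeholder path): the table printed at the end should show Block again.
# Invoke-WithOutboundAllowed -InstallerPath "$env:USERPROFILE\Downloads\setup.exe"
```

    If the installer spawns a separate process and exits immediately, Start-Process -Wait returns too early; in that case wait on the child process name with Wait-Process before letting the function return.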



    Trying out Cortana

    Most people will want to try out Cortana, the artificial intelligence personal assistant. If you don't have the settings below in place, the Cortana bar will only say "Search the web and Windows" instead of "Ask me anything".

    There are several settings needed to run Cortana:

    • Ensure that Local Security Policy > Security Options > Accounts: Block Microsoft accounts is disabled or 'not configured'. It is set to 'not configured' in the Configuration Pack, which is the default.
    • Ensure that Control Panel > Administrative Tools > Services > Microsoft Account Sign-in Assistant is set to Manual. Note: this service is set to Disabled in 'My Personal Win 10 Disabled Services' in the Automated Configuration Pack; change it back to Manual to allow Cortana to work.
    • Ensure that Settings > Privacy > Location > Location is set to On (this can only be done from an admin account).
    • Settings > Privacy > Speech, inking, & typing > 'Get to know me' is turned on (for each account that wants Cortana).

    Then when you click on the Cortana search bar at the bottom left of the screen, Cortana will proceed to ask you to configure things to get started.