Wilders Security Forums  

  #26  
Old May 21st, 2012, 02:45 AM
x942
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by Serapis
Yeah I was curious about stopping EvilMaid, particularly the checksum hasher technique. But since there are ways around that then never mind. Could it be through hacking the BIOS itself? Probably since nearly all of them are proprietary. I guess that there is just no way that a device that has been out of sight could be trusted then.

There's no way around that. Hash the MBR with SHA-512 or RIPEMD-160 and store the known good hashes on a CD-R. There is no way to drop malware on that MBR as any attack on the MBR would alter the hash. There are also no collisions with either of those hash algorithms (not even SHA-256 or 128). The downside here is that you have to check it every boot, which can be a PITA. I have to do this in my work environment (even though we have other checks such as TPMs and EFI Trusted Boot in place).

BIOS/EFI can be (and have been) infected with malware. Is it likely? No. Not in the wild at least. I have seen tons of malware with these capabilities; the issue is that ~75-80% of the time they fail. Why? Because even if the brand of BIOS is the same, more times than not there are differences in software/hardware that prevent the malware from infecting that other computer. About a year ago I did some research into BIOS malware and did find, surprisingly, that even the sophisticated attacks were hit and miss. One example that comes to mind is two Acer laptops I tested on with the exact same install (Win 7) and exact same hardware. One had an updated BIOS and the other didn't. The updated one was not infected (failed to write to the BIOS and no changes occurred) while the other one was.

So unless you are targeted by someone with a lot (and I mean a LOT) of time and money you don't need to worry about BIOS attacks as much. Keep all malware out of the system and maintain physical control and you are fine. My rule of thumb is: if the device is MIA and "magically" reappears, wipe the HDD and sell the hardware just to be safe. Even if it was just stolen and the police retrieve it for you. Wipe the HDD and sell it (or downgrade it to non-sensitive data).
__________________
E-Mail: og8oh@notsharingmy.info
  #27  
Old May 21st, 2012, 03:34 AM
Pinga
Frequent Poster
 
Join Date: Aug 2006
Location: Europe
Posts: 941
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by EncryptedBytes
Install and configure EMET

You can find and download EMET here
Thanks for that. Is there a reason why you prefer version 2.1? Microsoft Enhanced Mitigation Experience Toolkit 3.0 is here:

http://www.microsoft.com/en-us/downl....aspx?id=29851
__________________
The really important kind of freedom involves attention, and awareness, and discipline, and effort, and being able truly to care about other people and to sacrifice for them, over and over, in myriad petty little unsexy ways, every day.
- David Foster Wallace
  #28  
Old May 21st, 2012, 08:09 AM
EncryptedBytes
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by x942
There's no way around that. Hash the MBR with SHA-512 or RIPEMD-160 and store the known good hashes on a CD-R. There is no way to drop malware on that MBR as any attack on the MBR would alter the hash. There are also no collisions with either of those hash algorithms (not even SHA-256 or 128). The downside here is that you have to check it every boot, which can be a PITA. I have to do this in my work environment (even though we have other checks such as TPMs and EFI Trusted Boot in place).

BIOS/EFI can be (and have been) infected with malware. Is it likely? No. Not in the wild at least. I have seen tons of malware with these capabilities; the issue is that ~75-80% of the time they fail. Why? Because even if the brand of BIOS is the same, more times than not there are differences in software/hardware that prevent the malware from infecting that other computer. About a year ago I did some research into BIOS malware and did find, surprisingly, that even the sophisticated attacks were hit and miss. One example that comes to mind is two Acer laptops I tested on with the exact same install (Win 7) and exact same hardware. One had an updated BIOS and the other didn't. The updated one was not infected (failed to write to the BIOS and no changes occurred) while the other one was.

So unless you are targeted by someone with a lot (and I mean a LOT) of time and money you don't need to worry about BIOS attacks as much. Keep all malware out of the system and maintain physical control and you are fine. My rule of thumb is: if the device is MIA and "magically" reappears, wipe the HDD and sell the hardware just to be safe. Even if it was just stolen and the police retrieve it for you. Wipe the HDD and sell it (or downgrade it to non-sensitive data).

Well put. To piggyback off x942's comment, you need to keep your risk matrix within the scope of reality. While it is good to know what is out there and what is possible, not everything will be applicable to someone or an organization. You need to take a step back and think about what has the greatest chance of compromising your security and protect against that. Men in black descending from helicopters into your computer room to install Stuxnet-style BIOS viruses should be low on your threat scale.


Quote:
Originally Posted by Pinga
Thanks for that. Is there a reason why you prefer version 2.1?

This topic was created before 3.0 was released.
  #29  
Old May 21st, 2012, 12:33 PM
Noob
Massive Poster
 
Join Date: Nov 2009
Posts: 5,248
Re: Security Hardening Windows 7 64 bit install

What are the differences in EMET 3.0?
Now I'll have to update my other PCs.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
  #30  
Old May 21st, 2012, 12:59 PM
Page42
Massive Poster
 
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by No_script
Just wondering what are some tips to harden a windows 7 ultimate install. Disable superfetch and hibernation? Disable anonymous login? Encrypt the page file?
Tell me.
Good thread, No_script.
Quote:
Originally Posted by EncryptedBytes
I would be more than happy to help. Though I want to make sure I give you relevant information.. I can lock your machine down to NSA specifications, or give you some simple tips. How far down the rabbit hole are you willing to go?
Hi EB. What about something between simple tips and all the way down the rabbit hole? Forex, No_script's suggestions... "Disable superfetch and hibernation? Disable anonymous login? Encrypt the page file?".
Good place to start?
Thanks for all the details!
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #31  
Old May 21st, 2012, 08:03 PM
Serapis
Frequent Poster
 
Join Date: Nov 2009
Posts: 241
Re: Security Hardening Windows 7 64 bit install

It is a very informative thread with many experts; we are lucky to have such people here with us.

@ x942

Let's say that an advanced adversary is out of the picture; how do you hash your MBR?

Do you know if setting BIOS passwords uses encryption to protect its settings?

That's good practice to learn for most common cases. But for all purposes this confirms that MIA devices are a liability that cannot be trusted any more.


@ EncryptedBytes

I understand that such scenarios are very far fetched, but it's definitely interesting and cool to go all the way down the rabbit hole with usage guidelines, just like the big boys.

Thank you for chipping in this topic.

Quote:
Originally Posted by EncryptedBytes
After you install Linux and tor, update the OS then take a clean snapshot. You should revert back to this snapshot after each use. Additionally update the image as upgrades become available.

You've mentioned that the guest OS should be kept updated, but why should you bother if you're inside a VM? I understand if you're using them for secure uses you would need to have them patched so they don't become compromised, just like with a regular machine. But otherwise what's the benefit of keeping guests updated if the host is all I am concerned about?
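The MBR check x942 describes in #26 (hash sector 0, keep the known-good digests on read-only media, compare at every boot) is what Serapis asks about above. The script below is an added example written for this thread, not code posted by x942 or anyone else here. It assumes the disk is \\.\PhysicalDrive0 with 512-byte sectors, that the baseline lives at D:\mbr-hashes.txt (a CD-R once burned), and that it runs from an elevated PowerShell prompt; those paths are my choices.

```powershell
# Added example (not from any post in this thread): verify the first disk's MBR
# against known-good SHA-512 and RIPEMD-160 digests, as x942 describes.
# Assumptions of mine: \\.\PhysicalDrive0 with 512-byte sectors, a baseline file
# on read-only media at D:\mbr-hashes.txt, and an elevated PowerShell prompt.
param(
    [string]$Disk = '\\.\PhysicalDrive0',
    [string]$BaselineFile = 'D:\mbr-hashes.txt',
    [switch]$Record    # write a fresh baseline instead of verifying
)

function Get-MbrBytes {
    param([string]$Path)
    # Raw device reads must be whole sectors; the MBR is exactly sector 0 (512 bytes).
    # ReadWrite sharing is needed because the OS already holds the disk open.
    $ctorArgs = @($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read,
                  [System.IO.FileShare]::ReadWrite)
    $stream = New-Object System.IO.FileStream -ArgumentList $ctorArgs
    try {
        $buffer = New-Object byte[] 512
        $read = $stream.Read($buffer, 0, 512)
        if ($read -ne 512) { throw "Short read from $Path ($read bytes)" }
        return $buffer
    } finally {
        $stream.Close()
    }
}

function Get-MbrHashes {
    param([byte[]]$Bytes)
    # Both algorithms x942 names, from the .NET Framework crypto classes
    $algorithms = @{
        'SHA512'    = [System.Security.Cryptography.SHA512]::Create()
        'RIPEMD160' = New-Object System.Security.Cryptography.RIPEMD160Managed
    }
    $digests = @{}
    foreach ($name in $algorithms.Keys) {
        # Hex-encode the digest so the baseline can be kept as plain text
        $hex = ($algorithms[$name].ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        $digests[$name] = $hex
    }
    return $digests
}

$current = Get-MbrHashes (Get-MbrBytes $Disk)

if ($Record) {
    # Baseline format: one "ALGORITHM hexdigest" line per algorithm
    $lines = foreach ($name in $current.Keys) { "$name $($current[$name])" }
    $lines | Set-Content -Path $BaselineFile
    Write-Host "Baseline written to $BaselineFile; move it to read-only media before relying on it."
    exit 0
}

# Verify: every recorded digest must match what the disk holds right now
$ok = $true
foreach ($line in Get-Content -Path $BaselineFile) {
    $name, $expected = $line -split ' ', 2
    if ($current[$name] -ne $expected) {
        Write-Warning "$name mismatch: baseline $expected, current $($current[$name])"
        $ok = $false
    }
}
if ($ok) { Write-Host 'MBR matches the recorded baseline.' } else { exit 1 }
```

Take the baseline on a freshly installed system you trust, with `-Record -BaselineFile C:\mbr-hashes.txt`, then burn that file to a CD-R and point the verify run at the disc. Sector 0 also holds the partition table and the Windows disk signature, so any legitimate repartitioning changes the hash and calls for a new baseline; and, as chronomatic notes later in the thread, this only covers the MBR, not the firmware or the rest of the disk.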
  #32  
Old May 21st, 2012, 11:14 PM
No_script
Regular Poster
 
Join Date: May 2012
Posts: 97
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by EncryptedBytes
You need to take a step back and think about what has the greatest chance of compromising your security and protect against that. Men in black descending from helicopters into your computer room to install Stuxnet-style BIOS viruses should be low on your threat scale.

You won't know if you're infected with the next Stuxnet, not for a good 2-3 years. Antivirus/anti-malware/firewalls are just plain rubbish at protecting your system. Look at all the botnets; ZeuS is 3 years old and still infecting people.


I got fully r00ted on the weekend searching for hosting in Russia (serves me right, yeah I know). I hit something I shouldn't have; haven't seen something like that before. I think it was loading from RAM chips; tell me how we are meant to deal with that?
  #33  
Old May 22nd, 2012, 12:35 AM
Serapis
Frequent Poster
 
Join Date: Nov 2009
Posts: 241
Re: Security Hardening Windows 7 64 bit install

If it's a RAM-resident virus, it should be gone with a simple reboot, provided that nothing was written to the disk in any way. Please don't derail this thread asking for specific virus cleanup help.

In your case you'd be better off nuking the drive and reinstalling everything, since there is no way to be sure that you are clean otherwise.
  #34  
Old May 22nd, 2012, 08:27 AM
EncryptedBytes
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by Serapis

You've mentioned that the guest OS should be kept updated, but why should you bother if you're inside a VM? I understand if you're using them for secure uses you would need to have them patched so they don't become compromised, just like with a regular machine. But otherwise what's the benefit of keeping guests updated if the host is all I am concerned about?

Yes, even though you are going to wipe and restore the guest after each use, the image can still get compromised during a browsing session as a normal host would. This would put any other computers on your LAN at potential risk of infection, given their own patching history and the type of infection the guest has. While the guest is a black hole so to speak for malware, keeping it updated and also establishing quick firewall rules mitigates this risk.
  #35  
Old May 22nd, 2012, 02:12 PM
No_script
Regular Poster
 
Join Date: May 2012
Posts: 97
Re: Security Hardening Windows 7 64 bit install

Sorry for derailing the thread.

Is it OK to delete file write permissions? Delete firmware update for administrators? Block anonymous access?
  #36  
Old May 26th, 2012, 01:49 AM
nuphorce
Infrequent Poster
 
Join Date: May 2012
Posts: 12
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by EncryptedBytes
I can write one up. Will post it in a day or two.
Are you still able to post the XP guide?
  #37  
Old May 27th, 2012, 08:33 AM
lodore
Incredibly Massive Poster
 
Join Date: Jun 2006
Posts: 8,876
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by No_script
You won't know if you're infected with the next Stuxnet, not for a good 2-3 years. Antivirus/anti-malware/firewalls are just plain rubbish at protecting your system. Look at all the botnets; ZeuS is 3 years old and still infecting people.


I got fully r00ted on the weekend searching for hosting in Russia (serves me right, yeah I know). I hit something I shouldn't have; haven't seen something like that before. I think it was loading from RAM chips; tell me how we are meant to deal with that?

Since all the antivirus companies have detected ZeuS for such a long time, I hardly think it's their fault people still haven't removed it from their systems. You also can't blame Microsoft for people not applying patches they created years ago to sort out vulnerabilities. How many people still have Java 5, Acrobat Reader 7, Flash Player 9, and run with admin rights on Windows XP along with Norton 2005 without an active subscription? The problem with OEMs shipping 6-month trials of security software is that not everyone knows it's only 6 months and they think they are protected.
__________________
Useful tools: Cure It, SAS, Hitman Pro, mbam, KL, Eset, Windows Defender Offline, Sophos

Last edited by lodore : May 27th, 2012 at 08:44 AM.
  #38  
Old May 27th, 2012, 03:50 PM
AlexC
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,111
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by lodore
Since all the antivirus companies have detected ZeuS for such a long time, I hardly think it's their fault people still haven't removed it from their systems. You also can't blame Microsoft for people not applying patches they created years ago to sort out vulnerabilities. How many people still have Java 5, Acrobat Reader 7, Flash Player 9, and run with admin rights on Windows XP along with Norton 2005 without an active subscription? The problem with OEMs shipping 6-month trials of security software is that not everyone knows it's only 6 months and they think they are protected.

That's totally true lodore.

About OEMs shipping 6-month trials of security software, fortunately it seems that Windows 8 will have Windows Defender (formerly MSE) active by default (or maybe not? Maybe Windows Defender will be deactivated to allow the 6-month trials of other security products?)
__________________
Linux Mint 13 MATE x64

Last edited by AlexC : May 27th, 2012 at 03:59 PM.
  #39  
Old May 29th, 2012, 07:09 PM
Baserk
Frequent Poster
 
Join Date: Apr 2008
Location: Amstelodamum
Posts: 971
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by EncryptedBytes
Section 4 Network
Unless your network configuration requires it, disable IPv6.
Do you also disable Teredo?
__________________
ROMANES EUNT DOMUS
  #40  
Old May 30th, 2012, 10:00 AM
EncryptedBytes
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by nuphorce
Are you still able to post the XP guide?

I am slowly making it, my real job comes first and it has been a busy month.


Quote:
Originally Posted by Baserk
Do you also disable Teredo?

Yes, you can, and you should if you know for certain that tunneling 6over4 adapters/interfaces will never be used. That same rule should be applied to any services or features you know you will not need or require. If you feel you don't want to nuke such v6 services, you can additionally opt to filter the v6 traffic through your Windows 7 firewall and control inbound/outbound there. Hope that helps.

I realize I didn't go too deep into network configurations/services. Thanks for bringing up the question.

[edit] To clarify on those firewall rules: you could block incoming and outgoing IPv6 protocol 41 (for ISATAP and 6to4) and UDP 3544 (for Teredo) traffic.

Last edited by EncryptedBytes : May 30th, 2012 at 10:05 AM.
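Both options EncryptedBytes gives above, switching the tunnel interfaces off and, alternatively, filtering the tunnel traffic in the Windows 7 firewall, can be done with the built-in netsh tool. The script below is an added example for this thread, not something EncryptedBytes posted; the firewall rule names are my own, and it assumes an elevated prompt on Windows 7. The protocol and port numbers are the ones named in the [edit].

```powershell
# Added example (not from the post): EncryptedBytes' two options for IPv6
# transition technologies on Windows 7, via the built-in netsh tool.
# Rule names are my own; run from an elevated PowerShell prompt.

# Option 1: turn the tunnel interfaces off outright (the post's first recommendation).
netsh interface teredo set state disabled
netsh interface isatap set state disabled
netsh interface 6to4 set state disabled

# Option 2: leave the stack alone but filter the tunnel traffic in Windows Firewall.
# ISATAP and 6to4 carry IPv6 inside IPv4 as IP protocol 41, so one rule per
# direction covers both of them.
foreach ($dir in 'in', 'out') {
    netsh advfirewall firewall add rule name="BlockProto41_$dir" dir=$dir action=block protocol=41
}
# Teredo carries IPv6 inside UDP and contacts its servers on UDP 3544:
# outbound to remote port 3544 stops the client qualifying with a server,
# inbound on local port 3544 stops this host acting as a Teredo server.
netsh advfirewall firewall add rule name=BlockTeredo_out dir=out action=block protocol=udp remoteport=3544
netsh advfirewall firewall add rule name=BlockTeredo_in dir=in action=block protocol=udp localport=3544

# Check the result: interface states and the rules just added.
netsh interface teredo show state
netsh interface isatap show state
netsh interface 6to4 show state
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'BlockProto41|BlockTeredo'
```

Option 1 is the cleaner fix when you are sure the interfaces are never needed; the firewall rules in option 2 are the belt-and-braces layer for machines where the stack has to stay enabled, and they also give you a logged block event if something does try to tunnel out.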
  #41  
Old June 14th, 2012, 10:49 PM
Tomwa
Regular Poster
 
Join Date: Feb 2010
Posts: 158
Re: Security Hardening Windows 7 64 bit install

I know this thread is a little old but I have information that may help those who have read this thread.

All the MSS entries are enabled in the Group Policy Editor by installing the Microsoft Security Compliance Manager. However, as this installs SQL Express (which I didn't want, as it was unnecessary and expanded the attack surface of my network) you may not want to install it. If you download the installer you can extract the LocalGPO.msi (which is what adds the MSS entries to the Group Policy Editor).

1. Simply extract "Security_Compliance_Manager_Setup.exe" (7-Zip or WinRAR work fine) to a new folder.

2. Extract the "data.cab" to a new folder.

3. In the new folder (from data.cab) you will see a GPOMSI file. Rename this file to LocalGPO.msi (or just add the .msi extension).

4. Install the new MSI installer

5. Open a command prompt in the install directory for LocalGPO (Normally C:\Program Files\LocalGPO on 32-bit systems, C:\Program Files (x86)\LocalGPO on 64-bit systems).

6. Execute the following command: "cscript.exe LocalGPO.wsf /ConfigSCE" without the quotes.

7. Open the Group Policy Editor and enjoy your SQL free policy management.
__________________
KIS 2013 + LUA + SRP + SpywareBlaster + UAC Max + EMET Max + (Removed) Keyscrambler + Sandboxie + WinPatrol + PeerBlock + TrueCrypt (FDE 63 Char random ASCII key) + Tor (Privoxy + Polipo chain) + OpenDNS + HostsMan (MVPS + hpHosts (Ads/trackers)).
  #42  
Old June 15th, 2012, 06:22 PM
Baserk
Frequent Poster
 
Join Date: Apr 2008
Location: Amstelodamum
Posts: 971
Re: Security Hardening Windows 7 64 bit install

Perhaps a hint under Physical security regarding IPMI/'KVM via LAN' can be useful, if only as a reminder for particular configs?
__________________
ROMANES EUNT DOMUS
  #43  
Old June 26th, 2012, 03:31 PM
chronomatic
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Re: Security Hardening Windows 7 64 bit install

Quote:
Originally Posted by x942
There's no way around that. Hash the MBR with SHA-512 or RIPEMD-160 and store the known good hashes on a CD-R. There is no way to drop malware on that MBR as any attack on the MBR would alter the hash.

All of that is true, but the MBR is far from the only threat. You've got BIOS hacking, replacing the BIOS completely, tampering with the drives, keyboard, etc. You've got hardware keyloggers, cameras, and other nefarious tricks a well-funded and sophisticated attacker could use (like the FBI, who has used these tricks before to bring mafia bosses down).

It really depends on your threat model. If you are a Fortune 100 CEO and have sophisticated industrial espionage going on, you might want more protection. If you are a mafia kingpin, you probably want more protection. If you are an average user, using TPM or UEFI is probably good enough.

When the CEO of Symantec went to China, he blogged that the CIA/NSA told him to not carry his personal laptop. They told him to bring a disposable laptop with minimal information on it. And they told him to weigh the laptop before leaving so he could detect if anyone planted extra hardware on it (that's the first I had heard of weighing, but it's what they recommended).

But the bottom line is if the machine is out of your sight for any extended period of time, you cannot trust it. It depends on a lot of variables, such as how much physical security you have around the machine (do you lock it in a safe, and if so, how strong is that safe?) And, again, it depends on how sophisticated your potential adversaries are.