Wilders Security Forums  

#51 Kees1958, April 23rd, 2011, 03:27 PM
Re: Approaches to security - do you have one to share?

My mother asked me to help set up an XP machine for the daughter of a neighbour of hers. The machine was not very powerful: just 2 GB RAM and a hard disk with hardly 50 MB/sec read throughput.

This is what I did:

Deny execute on user space
a) Installed XP FSE (http://www.fajo.de/main/)
This gets the security tab on XP Home. Created a data partition, moved My Documents and added a deny execute to the data partition for everyone (take away the traverse folder and execute right). Added a deny execute to Chrome's download directory for everyone also.

b) Installed your PGS
Put all internet-facing apps and OpenOffice apps (both paths and executable name also, just to be sure) running as basic user. Also put the rest of the User Space running as basic user, except temp and a special installation directory. Also added USB drives as basic user.

c) Installed Chrome
Added McAfee SiteAdvisor and set the wireless client to use ClearCloud DNS (they have a server in Amsterdam also, so pretty fast in NL too)

d) Installed the PrevX SafeOnline Facebook freebie
This protects them when doing online shopping and banking activities. Set heuristics to high after age/popularity (so it only checks the latest entries and does not consume a lot of CPU)

e) Installed Avast free
Only installed the File Shield, Behavioral and Script shield, enabled sandbox (on auto). The sandbox analyses the executable's profile (unsigned and unknown publishers are sandboxed). When you track CPU usage and disk access, the File Shield gives the lowest amount of overhead of all free AVs to my knowledge. The script shield filters out coding techniques to obfuscate intrusions. You can add the nice Avast feature to send you an e-mail when it detects something (in their case the mother of the girl). Protected Avast with password.

f) Added the 1806 trick
Showed them how to unblock and did not offer the switch back

g) Added NoAutorun to complete protection for USB infections
http://sourceforge.net/projects/noautorun/


Bottom line.
User is still in full control of their system. Can install everything when they unblock the executables downloaded from the internet (in zipped files Windows does not extract executables which are marked as originating from the internet when 1806 is set to block).

They are still master of their PC, Avast blocks out 98%, PrevX ensures safe internet transactions, drive-bys are nearly impossible, only weak spot is user stupidity.

Regards Kees

Last edited by Kees1958 : April 23rd, 2011 at 04:36 PM.

#52 CloneRanger, April 23rd, 2011, 05:37 PM

@ Kees1958

Was this a fresh format/install or did you clean it out etc. first?

Be interesting to see, how she likes it & if she gets any infections etc via the "weak spot"
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

#53 Konata Izumi, April 23rd, 2011, 06:25 PM

I have always had a very similar setup to Kees1958 (I'm very inspired by his approach).
I just needed Returnil to make my system as static as possible.


Windows 7 Professional 32-bit

separate partitions for:
  • SYSTEM
  • PROGRAMS (portable)
  • DATA

Setup:
  1. Disabled Windows System Restore and Windows Defender
  2. User Account Control set to Highest
  3. Microsoft Security Compliance Manager (MSCM) for downloading Baseline Security Templates from Microsoft that will harden Group Policy settings.
  4. LocalGPO (included in MSCM) this tool is used to apply Security Templates.
    • Templates used: Merged copy of Win7SSLFComputer, Win7SSLFUser and IE8SSLFComputer, IE8SSLFUser
      • Do not allow legacy apps to run
    • Modified GPO thru 'gpedit.msc' also added some Safe-Admin tweaks
      • allowed Administrators to debug programs
      • 1806 trick
  5. Enhanced Mitigation Experience Toolkit (EMET) to apply the following and more:
    • Data Execution Prevention (DEP): Opt-out
    • Structured Exception Handling Overwrite Protection (SEHOP): Opt-out
    • Address Space Layout Randomization (ASLR): Opt-in

  6. Privoxy for http filtering
  7. Geswall for isolating programs
  8. Returnil for system virtualization (disabled antivirus)
  9. No Autorun
  10. Prevx SafeOnline
  11. TOR/Vidalia
  12. ClearCloud DNS

Google Chrome --safe-plugins -incognito (XSS auditor, Click to Play, Block 3rd Party Cookies from being set and read and ignore exceptions)
  • Geswall
  • Privoxy settings:
    1. change-x-forwarded-for{block}
    2. client-header-tagger{image-requests}
    3. client-header-tagger{css-requests}
    4. crunch-if-none-match
    5. fast-redirects{simple-check}
    6. filter{js-annoyances}
    7. filter{html-annoyances}
    8. filter{unsolicited-popups}
    9. filter{content-cookies}
    10. filter{refresh-tags}
    11. filter{img-reorder}
    12. filter{banners-by-size}
    13. filter{banners-by-link}
    14. filter{jumping-windows}
    15. filter{frameset-borders}
    16. filter{quicktime-kioskmode}
    17. filter{ie-exploits}
    18. hide-from-header{block}
    19. hide-if-modified-since{-60}
    20. hide-referrer{conditional-block}
    21. limit-connect{,}
    22. overwrite-last-modified{randomize}
    23. session-cookies-only
    24. set-image-blocker{pattern}
  • sometimes used with TOR/Vidalia/Polipo to anonymize session (installed only when Returnil Virtual System is ON)
  • Prevx SafeOnline on Maximum settings.
  • Clearcloud DNS
  • 1806 Trick
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup .
built-in security + sandboxing fag.

Last edited by Konata Izumi : April 23rd, 2011 at 06:30 PM.

#54 Kees1958, April 24th, 2011, 01:33 AM

Quote:
Originally Posted by CloneRanger
@ Kees1958

Was this a fresh format/install or did you clean it out etc. first?

Be interesting to see, how she likes it & if she gets any infections etc via the "weak spot"

The machine was terribly infected. The family is really traditional regarding IT, so there were no family pictures on it, only teenage girl's stuff. I asked her (the girl): if there is data on there you want to get back, I will have to go looking for it. That means I read and see things of yours, so do you want that or shall I just re-format the hard disk?

She said: reformat please

#55 Kees1958, April 24th, 2011, 01:38 AM

Quote:
Originally Posted by Konata Izumi
I have always had a very similar setup to Kees1958 (I'm very inspired by his approach).

Konata,

What sites are you visiting that you need three levels of containment (safe-admin, Returnil and GeSWall)?

#56 Konata Izumi, April 27th, 2011, 04:18 PM

Quote:
Originally Posted by Kees1958
That means I read and see things of yours, so do you want that or shall I just re-format the hard disk?

She said: reformat please

I got curious

Quote:
Originally Posted by Kees1958
Konata,

What sites are you visiting that you need three levels of containment (safe-admin, Returnil and GeSWall)?

shady sites, very, very shady
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup .
built-in security + sandboxing fag.

#57 moontan, April 27th, 2011, 04:43 PM

i am the only one using this machine so i have a little more latitude when it comes to security.

my first priority has always been to be able to either reformat/re-install or restore a clean image.
i knew nothing about imaging until a couple years ago.
before that, i was the King of Reformat.
i knew my 25 digits Windows serial number by heart.

since over 2 years ago i have tried many different types of security "solutions".

i am now a big fan of using what is already there in the OS.
no conflict, no BSOD, and a fast system.

what's in my signature is what i'm using.
i don't see that changing for a long time, now that my quest is over.
i have to thank the good folks here @ Wilders for helping out.
__________________
| NoScript || Image for Linux + BootIt Bare Metal |

#58 Sully, April 29th, 2011, 01:31 AM

Quote:
Originally Posted by moontan
before that, i was the King of Reformat.
Sheesh, I thought I was the king. I used to reformat using my unattended dvd every few days sometimes, but at most every 2 months. Thankfully imaging is better today than it used to be. I remember when it became possible to image from within the OS, man that was a milestone in how fast I could do imaging.

Sul.
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.

#59 lunarlander, April 30th, 2011, 10:36 PM

Over last Christmas and New Year I started a project on hardening Windows XP Home edition and documented it in a blog. I favored using features of the OS like ACLs and free tools.

I focused mainly on the concept of least privilege. And the target audience only uses the machine to surf, do MS Office things, and play games (since I'm dealing with XP Home).

http://xpsecurity.wordpress.com

All comments are welcome.

Last edited by lunarlander : April 30th, 2011 at 10:53 PM.

#60 J_L, April 30th, 2011, 10:51 PM

Isn't it quite late for that? XP will be practically obsolete in 2 years. I would be focusing on Windows 7.
__________________

#61 lunarlander, April 30th, 2011, 11:02 PM

Yes, I know XP is going to be unsupported soon. But it has the weakest security out of the box, so I addressed that first.

#62 Critter2, May 1st, 2011, 01:13 AM

Windows 7 is bloatware but as far as that goes
so is XP, I thought many times of going back to
2000 Pro

It is not as pretty but it is far less bloat
so far I have just ripped a lot of CRAP out
of XP and it seems to be doing a fair job

I may just have to learn another system
and get away from Windows altogether

Maybe I need to get my scalpel out and start
on Windows 7 ugh, what a task

#63 MacQibble, May 8th, 2011, 01:34 AM

Hi,
Quote:
Originally Posted by Sully
...
3. set admins group to be the default owners of newly created objects rather than the object creator
4. give ownership of HKCU autostart/run regkeys to admins group, restrict users to read only

@Sully

How do number 3, sir? Presume there is a global setting to replace Creator Owner on all new objects rather than change existing ones? Also, the reg keys to change on Win7 system, is there a link to a list?

I remain paranoid ... don't believe any security setup on a home pc is gonna protect user if bad guys can crack government spooks' networks.

My 'umble Win 7 Home Premium doesn't give me SRP, so I use Parental Controls per Wilders with Comodo's HIPS and pretty exhaustive list of global rules in their firewall.

I use Avast AV with MBAM and SuperAntiSpyware on demand. Leave Windows Defender on as well! EMET is set to stop all it can and I've trawled through file and registry permissions as well as all the SDDL strings for services DACLs. Can't understand why Authenticated Users get Modify by default while Builtin\Users get the safer, lower rights. Too scared to reduce AU rights!

I only use LUA account specially online and keep financial folders limited to Admin. Would never use credit cards online either!

My non-geek brain swims with jargon but I don't feel any more secure. I used to trawl thru ethereal (now whiteshark?) logs but life is too short.

#64 Sully, May 8th, 2011, 01:41 AM

Quote:
Originally Posted by MacQibble
@Sully

How do number 3, sir? Also, the reg keys to change on Win7 system, is there a link to a list?

In winXP you could start secpol.msc (local security policy from administrative tools) and then navigate to Local Policies > Security Options. There was the option to make admins the default owner instead of the creator. I don't see this option in win7 ultimate though.

All of those values can also be triggered in the registry as well (and there are other ways). I have not explored them yet.

If you can work with SACL/DACL stuff, you should be able to make yourself as secure as anyone. That is the really geeky stuff, and if you can wrap yourself around it, you can devise your own security that is going to be pretty hard to break, IMHO.

Sul.
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.

#65 MacQibble, May 8th, 2011, 02:50 AM

@ Sully. Thanks for quick response.

Read somewhere that 70% of Microsoft's profit comes from home users not using Pro or Ultimate versions. Shame they don't see us worthy of secpol.msc. But that i guess is not for this thread...

#66 Sully, May 13th, 2011, 03:31 PM

I have been using LUA+SRP default deny for a bit now. I like some aspects of this approach, but I am (as always) finding there are drawbacks when the system is apt to change frequently. In this case I am creating custom tools for users of one form or another, for various reasons. I have been finding myself at the computers quite often figuring out why something is not working and creating exclusions. This is not such a big deal, except I have many other things to be doing. It allows me and my helper to be in full control over everything that happens, but is seemingly too much control.

Here are some thoughts I have been contemplating. I don't know if I will change from the LUA/SRP or not. If most of the "pains" have been found, it offers really good protection from many angles, but there is always more than one way...

Quote:
ADMIN

Shadow Defender - keeps system in a static state. Reboots wipe all changes. Exclusions are created for directories. Allows any executable to run without fear of system becoming compromised.

SRP as Basic User (DropMyRights approach) - starts select applications with reduced rights (browsers, etc). Reduced rights inhibit the application from modifying system areas.

Sandboxie - environment to contain certain activities such as executing downloaded content.

Admin rights allows user the freedom to do as they please. Shadow Defender ensures there are no permanent changes made to the system.

Specific directories are used to store data. These directories are excluded from being shadowed, so that data is not wiped on reboots.

Specific directory is made for downloading files into from the internet. This directory is forced to open in a sandbox, thereby containing it to a controlled environment. The sandbox directory is excluded from being shadowed, so that the sandbox environment remains across reboots. This allows a controlled environment to install to that will remain until the sandbox is deleted.

Using SRP gives protection to those applications such as browsers that are the most likely to introduce problems. Shadow Defender will still wipe changes on reboot, so SRP is not the last line of defense, but rather a pre-emptive strike.

USER

Mode 1
LUA or SUA - log in as a restricted user rather than Admin. Some form of elevation must then occur for a user process to be allowed access to a restricted area. Provides good separation of standard everyday uses versus administrative tasks. Down side occurs when the user is wishing to perform administrative tasks often. In Vista/7 the inclusion of UAC helps with this scenario, and in Win XP SuRun helps as well.

Mode 2
LUA or SUA with Default Deny - login as restricted user and also include SRP or AppLocker to provide a default deny scenario. In this situation, not only is the user restricted to needing elevation of rights to modify restricted areas, but the default deny policy restricts executables from running unless an exclusion exists. This provides a very solid protection, but at the cost of needing to have exclusions in place. The down side is that on systems where users change things often, more work is needed to allow execution.

Sul.
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.

#67 AlexC, May 14th, 2011, 01:22 PM

Quote:
Originally Posted by Sully
Sheesh, I thought I was the king. I used to reformat using my unattended dvd every few days sometimes, but at most every 2 months. Thankfully imaging is better today than it used to be. I remember when it became possible to image from within the OS, man that was a milestone in how fast I could do imaging.

Sul.

Re-imaging is the best... In 7,5 min/8 min Keriver completely restores my system partition!
__________________
Linux Mint 13 MATE x64

#68 x942, May 14th, 2011, 02:51 PM

My security approach (thanks to people in these forums) is DENY DENY DENY! I treat EVERYTHING, from software on my PCs and apps on my phone to computers on my network, as a threat until proven otherwise! My entire setup is in the other thread but the basics of it are:

1) Deny execution
2) Sandbox
3) LUA/UAC
4) FW - MAX
5) DEP/ASLR etc.


and before anything is run or connects to my WiFi:
1) Scan with Sophos AV (or Avast!)
2) Hitman Pro scan
3) PrevX
4) run in Vbox
5) run sandboxed for 24 hours
6) Keep or delete


For devices I just issue a full scan and have Isolated devices enabled on my network so nothing can see or connect to anything else. (This really annoys my friends when I make them scan before connecting :p)

#69 AlexC, May 17th, 2011, 09:47 AM

I've read several times something like: "if it cannot execute, it cannot infect".

So wouldn't the implementation of "UAC @ max + SUA + SRP (via Parental Controls)" - whitelisting - (moontan's setup) be almost "bulletproof"?

What are the remaining attack vectors, if any?

Thanks!
__________________
Linux Mint 13 MATE x64

#70 m00nbl00d, May 17th, 2011, 10:06 AM

Quote:
Originally Posted by AlexC
I've read several times something like: "if it cannot execute, it cannot infect".

So wouldn't the implementation of "UAC @ max + SUA + SRP (via Parental Controls)" - whitelisting - (moontan's setup) be almost "bulletproof"?

What are the remaining attack vectors, if any?

Thanks!

There are holes in AppLocker and SRP.

http://www.wilderssecurity.com/showthread.php?t=291593
http://www.wilderssecurity.com/showthread.php?t=291467

But, these would be targeted attacks, considering SRP and AppLocker are not used by the majority of Windows users.

#71 moontan, May 17th, 2011, 10:31 AM

tnx moonblood.

i'm gonna try learning the icacls stuff so i can run Firefox in Low Integrity level.

that should help a little more.
__________________
| NoScript || Image for Linux + BootIt Bare Metal |

#72 Sully, May 17th, 2011, 12:17 PM

icacls can do a lot, but with integrity it is pretty basic

you start with a command to a file or folder

icacls.exe "c:\program files\myApp"
icacls.exe "c:\users\sul\myFolder\some_file.exe"

You need to make sure to enclose the path in double quotes if there are any spaces. It is a good idea to get used to using quotes even without spaces, but it is a preference thing.

After you know the object you want to do something to, you need to pass the command parameter to icacls that tells it you want to work with Integrity Levels, like this

icacls.exe "c:\program files\myApp" /SetIntegrityLevel

After that parameter, you then need to tell icacls what IL you want to apply, like this

icacls.exe "c:\program files\myApp" /SetIntegrityLevel L

You can use the first letter (L,M,H) if you like rather than the whole word

Now, here is what you must understand. By default, only a few files/folders will have an Integrity Level applied to them. When an IL is put on an item by you or the system, it is called an EXPLICIT IL. It has been explicitly set. Most all objects do NOT have an IL applied to them. What happens is that when you start a process, and no IL is applied to it, it gets by default a MEDIUM IL. If you run as Admin, then that gets raised to HIGH IL. But, if you use icacls to apply an IL (low, med or high), that process will now start at that IL level.

So, suppose you used icacls to give that folder called myApp a Low IL, it now has an EXPLICIT IL. To remove that IL, using icacls, you have to set it to Medium. icacls does not simply "remove" an IL, it cannot do that. You can use the tool chml instead to apply the IL and remove the IL, or you can copy the file/folder, and the copy will have no IL, but icacls can only set it, not remove it. Usually this is no problem, as the system will give everything medium IL anyway, so just set it to medium.

OK, also realize that when you apply an Low IL with my example above, you are applying it ONLY to the object you used in the command. If you applied it to a directory, that directory itself would have a Low IL, but NOTHING inside it would, because you did not tell it to. It does not matter when you apply it to a file, as files don't have anything that lives within them that need to inherit anything, they are stand alone objects.

If you wanted to apply a Low IL to a directory, and you wanted all FILES within that directory to inherit that Low IL, you would use the Object Inherit option. It is expressed as (OI) and the command would look like this

icacls.exe "c:\program files\myApp" /SetIntegrityLevel (OI)L

Using that will cause all files within that myApp folder to get the Low IL through inheritance. If you had a subfolder which had files, and you wanted all subfolders/files to also inherit the Low IL of the myApp folder, you would include the Container Inherit option as well, like this

icacls.exe "c:\program files\myApp" /SetIntegrityLevel (OI)(CI)L

Understanding inheritance is important because if you use a Low IL for something like a downloads directory, you obviously want everything you download into that directory to have a Low IL, so you must make sure the directory passes the Low IL onto everything that lives inside of it.

HTH.

Sul.
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.
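
The inheritance behaviour described in the post above, as an added PowerShell example that is not part of the original thread: it labels one scratch folder with `L` and another with `(OI)(CI)L`, creates children in each afterwards, and reads the labels back with icacls. The folder names under %TEMP% and the two helper functions are assumptions made for the demo, and the parsing assumes English icacls output.

```powershell
# Added example (not from the thread). Windows PowerShell 2.0+ on Vista/7 or later.
# Assumptions: English icacls output; the folder names under %TEMP% are made up.

function Get-IntegrityLabel {
    param([Parameter(Mandatory = $true)][string]$Path)
    # icacls lists an integrity label as one more ACE line, for example
    #   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    # An object with no label prints no such line; the system treats it as Medium.
    foreach ($line in (icacls.exe $Path)) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level:(\S*)') {
            return ('{0} {1}' -f $Matches[1], $Matches[2])
        }
    }
    return 'no label (treated as Medium)'
}

function Set-IntegrityLabel {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Spec
    )
    icacls.exe $Path /setintegritylevel $Spec | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed on $Path (exit code $LASTEXITCODE)"
    }
}

# Hypothetical scratch folders for the comparison.
$root    = Join-Path $env:TEMP 'il-demo'
$plain   = Join-Path $root 'plain'      # label on the folder only
$inherit = Join-Path $root 'inherit'    # label passed on to files and subfolders
New-Item -ItemType Directory -Path $plain, $inherit -Force | Out-Null

# Keep the single quotes: PowerShell would parse an unquoted (OI)(CI)L as
# sub-expressions. In cmd.exe the parentheses need no quoting.
Set-IntegrityLabel -Path $plain   -Spec 'L'
Set-IntegrityLabel -Path $inherit -Spec '(OI)(CI)L'

# Create the children after labelling, the way a download would arrive.
foreach ($dir in $plain, $inherit) {
    Set-Content -Path (Join-Path $dir 'file.txt') -Value 'demo'
    New-Item -ItemType Directory -Path (Join-Path $dir 'sub') -Force | Out-Null
}

# Report the label found on each folder and on its children.
$targets = @(
    $plain,   (Join-Path $plain 'file.txt'),   (Join-Path $plain 'sub'),
    $inherit, (Join-Path $inherit 'file.txt'), (Join-Path $inherit 'sub')
)
foreach ($t in $targets) {
    '{0,-70} {1}' -f $t, (Get-IntegrityLabel -Path $t)
}

# Clean up the scratch folders.
Remove-Item -Path $root -Recurse -Force
```

Children of the `plain` folder report no label, while the file and subfolder under `inherit` report a Low label carrying the `(I)` inherited flag.
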

#73 moontan, May 17th, 2011, 12:21 PM

Quote:
You need to make sure to enclose the path in double quotes if there are any spaces.
ah! that's probably why i couldn't get it to work yesterday.

tnx for the tutorial Sully.
it's much appreciated!

i'm going to give it another try this afternoon.
__________________
| NoScript || Image for Linux + BootIt Bare Metal |

#74 AlexC, May 18th, 2011, 07:26 AM

Quote:
Originally Posted by m00nbl00d
There are holes in AppLocker and SRP.

http://www.wilderssecurity.com/showthread.php?t=291593
http://www.wilderssecurity.com/showthread.php?t=291467

But, these would be targeted attacks, considering SRP and AppLocker are not used by the majority of Windows users.

Thanks for the reading m00nbl00d. So, SRP and AppLocker have intentional design flaws (what for, by the way?) but those shouldn't be a problem to the regular home user, since most real world malware hasn't been designed to abuse them (very few people use SRP and AppLocker). However, those flaws can be easily explored in a targeted attack taken care by a skilled hacker. Seems that SUA+SRP (or a commercial Anti-Executable) is an excellent defensive layer in any setup, especially if used together with a light virtualization program.

@moontan, or anyone else, did you have the opportunity to test SUA+SRP (via parental control) against the execution of some malware? Do you know any Anti-executable out there, Windows 7 compatible, that (maybe) would be more effective than SRP and AppLocker?

Thanks!
__________________
Linux Mint 13 MATE x64

#75 moontan, May 18th, 2011, 08:30 AM

Quote:
Originally Posted by AlexC
@moontan, or anyone else, did you have the opportunity to test SUA+SRP (via parental control) against the execution of some malware? Do you know any Anti-executable out there, Windows 7 compatible, that (maybe) would be more effective than SRP and AppLocker?

Thanks!

hi alex,

no i have not tested SRP vs malwares.
i think the best way to find out would be to find a site that has drive-by attacks.

there does not seem to be that many alternatives to SRP.

the only ones i have heard of are Faronics Anti-Executable and Horizon Datasys Executable Lockdown.
i have not tested them as i am not keen on paying for things that are free and included in Windows.
__________________
| NoScript || Image for Linux + BootIt Bare Metal |
 

Copyright ©2002 - 2013, Wilders Security Forums