Approaches to security - do you have one to share?

Discussion in 'other security issues & news' started by Sully, Apr 14, 2011.

Thread Status:
Not open for further replies.
  1. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    I have always had a very similar setup to Kees1958 (I'm very inspired by his approach :D)
    I just needed Returnil to make my system as static as possible.


    Windows 7 Professional 32-bit

    separate partitions for:
    • SYSTEM
    • PROGRAMS (portable)
    • DATA

    Setup:
    1. Disabled Windows System Restore and Windows Defender
    2. User Account Control set to Highest
    3. Microsoft Security Compliance Manager (MSCM) for downloading Baseline Security Templates from Microsoft that will harden Group Policy settings.
    4. LocalGPO (included in MSCM) this tool is used to apply Security Templates.
      • Templates used: Merged copy of Win7SSLFComputer, Win7SSLFUser and IE8SSLFComputer, IE8SSLFUser
        • Do not allow legacy apps to run
      • Modified GPO thru 'gpedit.msc' also added some Safe-Admin tweaks
        • allowed Administrators to debug programs
        • 1806 trick
    5. Enhanced Mitigation Experience Toolkit (EMET) to apply the ff. and more:
      • Data Execution Prevention (DEP): Opt-out
      • Structured Exception Handling Overwrite Protection (SEHOP): Opt-out
      • Address Space Layout Randomization (ASLR): Opt-in

    6. Privoxy for http filtering
    7. Geswall for isolating programs
    8. Returnil for system virtualization (disabled antivirus)
    9. No Autorun
    10. Prevx SafeOnline
    11. TOR/Vidalia
    12. ClearCloud DNS

    Google Chrome --safe-plugins -incognito (XSS auditor,Click to Play,Block 3rd Party Cookies from being set and read and ignore exceptions)
    • Geswall
    • Privoxy settings:
      1. change-x-forwarded-for{block}
      2. client-header-tagger{image-requests}
      3. client-header-tagger{css-requests}
      4. crunch-if-none-match
      5. fast-redirects{simple-check}
      6. filter{js-annoyances}
      7. filter{html-annoyances}
      8. filter{unsolicited-popups}
      9. filter{content-cookies}
      10. filter{refresh-tags}
      11. filter{img-reorder}
      12. filter{banners-by-size}
      13. filter{banners-by-link}
      14. filter{jumping-windows}
      15. filter{frameset-borders}
      16. filter{quicktime-kioskmode}
      17. filter{ie-exploits}
      18. hide-from-header{block}
      19. hide-if-modified-since{-60}
      20. hide-referrer{conditional-block}
      21. limit-connect{,}
      22. overwrite-last-modified{randomize}
      23. session-cookies-only
      24. set-image-blocker{pattern}
    • sometimes used with TOR/Vidalia/Polipo to anonymize session (installed only when Returnil Virtual System is ON)
    • Prevx SafeOnline on Maximum settings.
    • Clearcloud DNS
    • 1806 Trick
     
    Last edited: Apr 23, 2011
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The machine was terribly infected. The family is really traditional regarding IT. So there were no family pictures on, only teen age girls stuff. I asked her (the girl) when there is data out there you want to get back, I will have to go looking for it. That means I read and see things of you, so do you want that or shall I just re-format the harddisk.

    She said: reformat please :D
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Konata,

    What sites are you visiting that you need three levels of containment (safe-admin, returnil and GeSWall) :D
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    I got curious :D

    shady sites, very,very shady :D
     
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i am the only one using this machine so i have a little more latitude when it comes to security.

    my first priority has always been to be able to either reformat/re-install or restore a clean image.
    i knew nothing about imaging until a couple years ago.
    before that, i was the King of Reformat.
    i knew my 25-digit Windows serial number by heart. :D

    since over 2 years ago i have tried many different types of security "solutions".

    i am now a big fan of using what is already there in the OS.
    no conflict, no BSOD, and a fast system.

    what's in my signature is what i'm using.
    i don't see that changing for a long time, now that my quest is over. :isay: ;)
    i have to thank the good folks here @ Wilders for helping out. :thumb:
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Sheesh, I thought I was the king. I used to reformat using my unattended dvd every few days sometimes, but at most every 2 months. Thankfully imaging is better today than it used to be. I remember when it became possible to image from within the OS, man that was a milestone in how fast I could do imaging.

    Sul.
     
  7. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Over last Christmas and New Year I started a project on hardening Windows XP Home edition and documented it in a blog. I favored using features of the OS like ACLs and free tools.

    I focused mainly on the concept of least privilege. And the target audience only uses the machine to surf, do MS Office things, and play games ( since I'm dealing with XP Home ).

    http://xpsecurity.wordpress.com

    All comments are welcome.
     
    Last edited: Apr 30, 2011
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Isn't it quite late for that? XP will be practically obsolete in 2 years. I would be focusing on Windows 7.
     
  9. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Yes, I know XP is going to be unsupported soon. But it has the weakest security out of the box, so I addressed that first.
     
  10. guest

    guest Guest

    Windows 7 is bloatware but as far as that goes
    so is XP, I thought many times of going back to
    2000 Pro

    It is not as pretty but it is far less bloat
    so far I have just ripped a lot of CRAP out
    of XP and it seems to be doing a fair job

    I may just have to learn another system
    and get away from Windows altogether

    Maybe I need to get my scalpel out and start
    on Windows 7 ugh, what a task:( :( :(
     
  11. MacQibble

    MacQibble Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    28
    Hi,
    @Sully

    How to do number 3, sir? Presume there is a global setting to replace Creator Owner on all new objects rather than change existing ones? Also, the reg keys to change on Win7 system, is there a link to a list?

    I remain paranoid ... don't believe any security setup on a home pc is gonna protect user if bad guys can crack government spooks' networks.

    My 'umble Win 7 Home Premium doesn't give me SRP, so I use Parental Controls per Wilders with Comodo's HIPs and pretty exhaustive list of global rules in their firewall.

    I use Avast AV with MBAM and SuperAntiSpyware on demand. Leave Windows Defender on as well! EMET is set to stop all it can and I've trawled through file and registry permissions as well as all the SDDL strings for services' DACLs. Can't understand why Authenticated Users get Modify by default while Builtin\Users get the safer, lower rights. Too scared to reduce AU rights!

    I only use a LUA account, especially online, and keep financial folders limited to Admin. Would never use credit cards online either!

    My non-geek brain swims with jargon but I don't feel any more secure. I used to trawl thru ethereal (now whiteshark?) logs but life is too short. :blink:
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    In winXP you could start secpol.msc (local security policy from administrative tools) and then navigate to Local Policies > Security Options. There was the option to make admins the default owner instead of the creator. I don't see this option in win7 ultimate though.

    All of those values can also be triggered in the registry as well (and there are other ways ;) ). I have not explored them yet.

    If you can work with SACL/DACL stuff, you should be able to make yourself as secure as anyone. That is the really geeky stuff, and if you can wrap yourself around it, you can devise your own security that is going to be pretty hard to break, IMHO.

    Sul.
     
  13. MacQibble

    MacQibble Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    28
    @ Sully. Thanks for quick response.

    Read somewhere that 70% of Microsoft's profit comes from home users not using Pro or Ultimate versions. Shame they don't see us worthy of secpol.msc. But that i guess is not for this thread... :shifty:
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have been using LUA+SRP default deny for a bit now. I like some aspects of this approach, but I am (as always) finding there are drawbacks when the system is apt to change frequently. In this case I am creating custom tools for users of one form or another, for various reasons. I have been finding myself at the computers quite often figuring out why something is not working and creating exclusions. This is not such a big deal, except I have many other things to be doing. It allows me and my helper to be in full control over everything that happens, but is seemingly too much control :(

    Here are some thoughts I have been contemplating. I don't know if I will change from the LUA/SRP or not. If most of the "pains" have been found, it offers really good protection from many angles, but there are always more than one way...

    Sul.
     
  15. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Re-imaging is the best... In 7.5 min/8 min Keriver completely restores my system partition!:thumb:
     
  16. x942

    x942 Guest

    My security approach (Thanks to people in these forums ;) ) is DENY DENY DENY! I treat EVERYTHING from software on my PCs, apps on my phone to computers on my network as a threat until proven otherwise! My entire setup is in the other thread but the basics of it are:

    1) Deny execution
    2) Sandbox
    3) LUA/UAC
    4) FW - MAX
    5) DEP/ASLR etc.


    and before anything is run or connects to my WiFi:
    1) Scan with sophos AV (or Avast!)
    2) hitman pro scan
    3) PrevX
    4) run in Vbox
    5) run sandboxed for 24 hours
    6) Keep or delete


    For devices I just issue a full scan and have Isolated devices enabled on my network so nothing can see or connect to anything else (This really annoys my friends when I make them scan before connecting :p )
     
  17. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    I've read several times something like: "if it cannot execute, it cannot infect".

    So wouldn't the implementation of "UAC @ max + SUA + SRP (via Parental Controls)" - whitelisting - (moontan's setup) be almost "bulletproof"?

    What are the remaining attack vectors, if any?

    Thanks!
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There are holes in AppLocker and SRP.

    https://www.wilderssecurity.com/showthread.php?t=291593
    https://www.wilderssecurity.com/showthread.php?t=291467

    But, these would be targeted attacks, considering SRP and AppLocker are not used by the majority of Windows users.
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx moonblood.

    i'm gonna try learning the icacls stuff so i can run Firefox in Low Integrity level.

    that should help a little more.
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    icacls can do a lot, but with integrity it is pretty basic

    you start with a command to a file or folder

    icacls.exe "c:\program files\myApp"
    icacls.exe "c:\users\sul\myFolder\some_file.exe"

    You need to make sure to enclose the path in double quotes if there are any spaces. It is a good idea to get used to using quotes even without spaces, but it is a preference thing.

    After you know the object you want to do something to, you need to pass the command parameter to icacls that tells it you want to work with Integrity Levels, like this

    icacls.exe "c:\program files\myApp" /SetIntegrityLevel

    After that parameter, you then need to tell icacls what IL you want to apply, like this

    icacls.exe "c:\program files\myApp" /SetIntegrityLevel L

    You can use the first letter (L,M,H) if you like rather than the whole word ;)

    Now, here is what you must understand. By default, only a few files/folders will have an Integrity Level applied to them. When an IL is put on an item by you or the system, it is called an EXPLICIT IL. It has been explicitly set. Most all objects do NOT have an IL applied to them. What happens is that when you start a process, and no IL is applied to it, it gets by default a MEDIUM IL. If you run as Admin, then that gets raised to HIGH IL. But, if you use icacls to apply an IL (low, med or high), that process will now start at that IL level.

    So, suppose you used icacls to give that folder called myApp a Low IL, it now has an EXPLICIT IL. To remove that IL, using icacls, you have to set it to Medium. icacls does not simply "remove" an IL, it cannot do that. You can use the tool chml instead to apply the IL and remove the IL, or you can copy the file/folder, and the copy will have no IL, but icacls can only set it, not remove it. Usually this is no problem, as the system will give everything medium IL anyway, so just set it to medium.

    OK, also realize that when you apply a Low IL with my example above, you are applying it ONLY to the object you used in the command. If you applied it to a directory, that directory itself would have a Low IL, but NOTHING inside it would, because you did not tell it to. It does not matter when you apply it to a file, as files don't have anything that lives within them that needs to inherit anything, they are stand alone objects.

    If you wanted to apply a Low IL to a directory, and you wanted all FILES within that directory to inherit that Low IL, you would use the Object Inherit option. It is expressed as (OI) and the command would look like this

    icacls.exe "c:\program files\myApp" /SetIntegrityLevel (OI)L

    Using that will cause all files within that myApp folder to get the Low IL through inheritance. If you had a subfolder which had files, and you wanted all subfolders/files to also inherit the Low IL of the myApp folder, you would include the Container Inherit option as well, like this

    icacls.exe "c:\program files\myApp" /SetIntegrityLevel (OI)(CI)L

    Understanding inheritance is important because if you use a Low IL for something like a downloads directory, you obviously want everything you download into that directory to have a Low IL, so you must make sure the directory passes the Low IL onto everything that lives inside of it.

    HTH.

    Sul.
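A worked version of the steps above, as an added example written in PowerShell (it is not from Sully's post): it labels a folder Low with (OI)(CI), verifies the label by reading the `Mandatory Label\...` line that `icacls` prints, shows that a file dropped into the folder inherits the label, and then does the only "removal" icacls offers, which is setting it back to Medium. The folder path and the `Get-IntegrityLabel` helper are my own assumptions.

```powershell
# Added example, not Sully's code. Assumed target: a scratch folder under
# the user's profile (owned by the user, so no elevation is needed).
$Untrusted = Join-Path $env:USERPROFILE 'Downloads\Untrusted'   # assumed path
New-Item -ItemType Directory -Path $Untrusted -Force | Out-Null

function Get-IntegrityLabel {
    # Reads the explicit/inherited mandatory label of one object by parsing
    # icacls output. A labelled object prints a line such as
    #   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    # An object with no label prints no such line at all.
    param([Parameter(Mandatory)][string]$Path)
    $line = (& icacls.exe $Path) | Where-Object { $_ -match 'Mandatory Label\\' }
    if (-not $line) { return 'no explicit label (system treats it as Medium)' }
    return ($line -replace '.*Mandatory Label\\', '').Trim()
}

# 1. A freshly created folder carries no explicit IL.
"Before : " + (Get-IntegrityLabel $Untrusted)

# 2. Apply Low IL to the folder and make it inheritable:
#    (OI) = files created inside inherit it, (CI) = subfolders inherit it.
& icacls.exe $Untrusted /setintegritylevel '(OI)(CI)L' | Out-Null
"Folder : " + (Get-IntegrityLabel $Untrusted)

# 3. Prove inheritance: a new file in the folder shows the label with (I).
$probe = Join-Path $Untrusted 'probe.txt'
Set-Content -Path $probe -Value 'constructed test content'
"Probe  : " + (Get-IntegrityLabel $probe)

# 4. icacls cannot clear a label, so "removing" it means setting Medium,
#    which is what the system would assign the object anyway.
& icacls.exe $Untrusted /setintegritylevel '(OI)(CI)M' | Out-Null
"Reset  : " + (Get-IntegrityLabel $Untrusted)
```

Because step 2 only relabels the folder and step 4 only relabels it again, files that already existed inside keep whatever label they had; run `icacls <folder>\* /setintegritylevel M` as well if you want them reset too.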
     
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    ah! that's probably why i couldn't get it to work yesterday.

    tnx for the tutorial Sully.
    it's much appreciated! :)

    i'm going to give it another try this afternoon.
     
  22. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Thanks for the reading m00nbl00d. So, SRP and AppLocker have intentional design flaws (what for, by the way?:gack:) but those shouldn't be a problem to the regular home user, since most real world malware hasn't been designed to abuse them (very few people use SRP and AppLocker). However, those flaws can be easily explored in a targeted attack taken care of by a skilled hacker. Seems that SUA+SRP (or a commercial Anti-Executable) is an excellent defensive layer in any setup, especially if used together with a light virtualization program.

    @moontan, or anyone else, did you have the opportunity to test SUA+SRP (via parental control) against the execution of some malware? Do you know any Anti-executable out there, Windows 7 compatible, that (maybe) would be more effective than SRP and AppLocker?

    Thanks!
     
  23. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    hi alex,

    no i have not tested SRP vs malware.
    i think the best way to find out would be to find a site that has drive-by attacks.

    there does not seem to be that many alternatives to SRP.

    the only ones i have heard of is Faronics Anti-Executable and Horizon Datasys
    Executable Lockdown.
    i have not tested them as i am not keen on paying for things that are free and included in Windows.
     
  24. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    You´re right...

    I´ll read more about SUA and SRP.
    Thanks:thumb:
     
  25. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi Everyone,

    I was reading this thread and noticed that in hardening their systems, nobody talks about disabling services or disabling listening ports. Have all the hackers in the world just disappeared or what? o_O If someone successfully hacks a listening service running as System, then they can gain all-powerful privileges and can disable whatever protection you put in place.
     