Questions: Hardening 101 for *Beginners :)

Discussion in 'other security issues & news' started by connect4, Jun 10, 2008.

Thread Status:
Not open for further replies.
  1. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101
    Ok, I've been mapping out security strategies for the past week or so and *Hardening seems like it can be one of the basic things to cover your computer from damn malware...


    I've been looking into these websites:

    http://www.markusjansson.net/exp.html
    http://www.dyingsun.net/hardening.htm

    It's kinda complex material. The first thing I have noticed is that there are many tools and programs that make Hardening more simplified. However, it seems that these programs will only turn on or off Hardening Settings without elaboration on what it is exactly doing. There seems to be no guide that elaborates on these Hardening techniques and applications.


    Which leads me to the following question:


    Is there a more comprehensive, yet simple to understand guide?


    Here's a better question:


    I am using LUA / SuRun and SRP as my main strategy against malware (In addition to other key security layers).

    This setup protects all my vital administrative folders and files:
    C:\Windows C:\Programs + Registry

    Would I even need to Harden my applications? And if so, can you elaborate why? (Besides to protect my data *outside of my administration files)
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    You need to understand what you want to accomplish. Every disabled function will ALSO affect legit software. And the more you tweak the more difficult it will be to go back to the pristine state.

    Tweaks can be useful, but they are dangerous.

    Most guides do not elaborate what hardening this or that does - because most people writing those guides do not really know the full extent of coverage, impact and conflict.

    Most hardening guides are good for single machines that practically do nothing. Add router, printer, LAN, multi-OS sharing, games, VPN etc, you get into a mess you'll never be able to get out.

    I think it's more important to understand how you can get compromised. And how to recover.

    Once you assess the threat / risk / solution, then you'll know what you want or need to do.

    I don't think hardening justifies its means, especially since it's so easy to avoid getting infected - or recover in case it happens.

    Mrk
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Maybe you can read this website also as additional info.
    http://tweakhound.com/
    What do you have in mind regarding hardening Applications?
    Do you have everything on one single partition [C:]?
     
    Last edited: Jun 10, 2008
  4. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi, this is my additional info: look to Advanced WindowsCare V2 Personal - free, nice: one-click hardening 100% safe (also the possibility to tick off) ... + SEEM ... Wow! Kind regards PS. ... and look to my configuration: Page 103 of thread: What is your security setup these days? Thanks, PROROOTECT
     
  5. wat0114

    wat0114 Guest

    I completely agree! Some people want to lock down their computers to the point of being ridiculous, and so often end up breaking something legit in the process. Basic limited account settings are perfectly fine when combined with other basic security approaches, including the all-too-often-forgotten common sense.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I still don't know what hardening of applications means? Hardening Notepad?
     
  7. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101
    I've kinda figured LUA / SuRun / KAFU / SRP would kind of be enough protection. Although I guess I wanted to find out more about Hardening *Common vulnerabilities (Like turning off script in Windows Media Player or Auto Play USB and DVD drives, or Turning off script in Microsoft Word Document etc etc)

    VS the more advanced hardening techniques not for the beginner as Mrkvonic pointed out.



    Hardening programs to me means turning off vulnerable configurations. For example, Microsoft Word has vulnerabilities because it uses scripts and sometimes plain .DOC files can contain malicious script or something to that effect.

    What I mean by hardening applications is *Turning off these program vulnerabilities etc
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,
    Then the simplest way is to use alternative applications...
    Mrk
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I hope you can turn off scripts per .DOC/.XLS-file, otherwise it doesn't make sense.
    You can't cripple your own applications, otherwise they aren't fully functional.
    At work we have .XLS-files with macros to load and place data from other files in spreadsheets to avoid manual input and typos.

    Only .DOC/.XLS-files from an unknown source are a problem, not the ones you created yourself.
    Hardening applications sounds more like handicap applications.
     
  10. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101

    Not necessarily. Many programs are, by default, vulnerable in their configurations. For example, Internet Explorer: many people change their IE settings to make it more secure.

    Whether this is called hardening applications or not, is not the issue, but this technique can be applied across the board, and not limited to web browsers.

    Maybe I gave a bad example about the Microsoft Word because I have limited knowledge on the subject of scripts regarding Microsoft Word...

    Nevertheless, the concept does exist. Whether you want to call it handicapping applications or hardening application, it doesn't matter. It is a technique that is useful under the right circumstance or situation.
     
    Last edited: Jun 10, 2008
  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    What kind of hardening did you have in mind? More to the point, what are you trying to accomplish?
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Security software has to protect applications, and if it can't, something is wrong with the security, not with the applications.
    Applications only want to do their job in a safe environment and it's up to security software to make that possible.
    I will never blame my browser when I'm infected, I blame my security software.
     
  13. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    First I blame the bad guys, then I blame the software and operating systems for being badly coded. Those are the two main reasons that security software exists in the first place. This also means that we constantly have to keep updating our software and operating systems to fix vulnerabilities.

    connect4,

    As far as hardening, it's not a one size fits all solution. I mainly disable unneeded services and when I install a program, I go through the settings and un-tick/tick anything that doesn't seem like I want such as automatic updates. I also don't like things listening on ports and try to avoid that as much as possible with what little knowledge I have. Also, as I've already mentioned, keep everything important up to date. See the link in my sig. for help with that. No need to harden an application that has a vulnerability patched. The bad guys are going after the "low hanging fruit" or the easy targets.

    Here are a few services information links. Some sites also have other great info.

    http://www.theeldergeek.com/index.htm
    http://www.tweakhound.com/ (Erik has already mentioned this one)
    http://www.blackviper.com/
    https://www.wilderssecurity.com/showpost.php?p=896115&postcount=44
    http://www.firewallleaktester.com/wwdc.htm (This is the WWDC hardening tool)
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I agree with this point of view. It's easy to make a tweak that breaks something three months from now, and you have no idea why....
     
  15. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101
    Thanks for all the responses everyone. Lots of good posts and information.


    You couldn't have said it any better.

    These links were very helpful and are exactly what I am looking for. Thanks Innerpeace.
     
  16. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101



    I was basically trying to find a "big picture map" of software default configuration vulnerability (Such as turning off Auto-Play USB or DVD drives).


    Since I only knew of a few examples, I wanted a guide that would illustrate *most of the key OS and common applications vulnerability default options.

    But I think most of those links shared by Innerpeace and others would cover it.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  18. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    You're welcome! If you do disable any services or other tweaks, I suggest taking good notes and only do one thing at a time so you can fix anything that may get broken.
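
An added example, not part of innerpeace's post or of any tool linked in the thread: one way to keep the notes suggested above is to snapshot service start modes and listening TCP ports before a tweak and diff them afterwards. It assumes Windows PowerShell 5.1 on Windows 8 or later (for `Get-NetTCPConnection`); the notes folder, file names and labels are illustrative.

```powershell
# Added example (not from the thread): snapshot service start modes and listening
# TCP ports before a tweak, then diff two snapshots afterwards.
# Assumed names: the notes folder, the file naming and the labels are illustrative.
param(
    [Parameter(Mandatory)] [ValidateSet('Snapshot', 'Compare')] [string] $Mode,
    [string] $Label = (Get-Date -Format 'yyyyMMdd-HHmmss'),  # Snapshot: tag for this state
    [string] $Before,                                        # Compare: earlier label
    [string] $After,                                         # Compare: later label
    [string] $Dir = (Join-Path $env:USERPROFILE 'hardening-notes')
)

function Save-Snapshot([string] $Tag) {
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # Start mode (Auto/Manual/Disabled) and current state of every service.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, StartMode, State | Sort-Object Name |
        Export-Csv (Join-Path $Dir "services-$Tag.csv") -NoTypeInformation
    # Every listening TCP endpoint with the name of the owning process.
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, @{ Name = 'Process'; Expression = {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Sort-Object LocalPort, LocalAddress |
        Export-Csv (Join-Path $Dir "listeners-$Tag.csv") -NoTypeInformation
}

function Compare-Snapshot([string] $Kind, [string[]] $Props) {
    $old = Import-Csv (Join-Path $Dir "$Kind-$Before.csv")
    $new = Import-Csv (Join-Path $Dir "$Kind-$After.csv")
    # '<=' rows exist only in the earlier snapshot, '=>' rows only in the later one.
    Compare-Object $old $new -Property $Props |
        Sort-Object -Property @($Props[0], 'SideIndicator')
}

if ($Mode -eq 'Snapshot') {
    Save-Snapshot $Label
    "Saved snapshot '$Label' in $Dir"
} else {
    '--- services whose start mode or state changed ---'
    Compare-Snapshot 'services' 'Name', 'StartMode', 'State' | Format-Table -AutoSize
    '--- listening ports that appeared or disappeared ---'
    Compare-Snapshot 'listeners' 'LocalAddress', 'LocalPort', 'Process' | Format-Table -AutoSize
}
```

Run it with `-Mode Snapshot -Label before`, make a single change, snapshot again with `-Label after`, then run `-Mode Compare -Before before -After after`; a service that changed shows up as a `<=` row with its old start mode and a `=>` row with the new one, which is the value to restore if something breaks.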
     
  19. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Re: Questions: Hardening 101 for *Beginners

    You could always add an anagram decoder to your arsenal :)
     