Securing Microsoft
Windows
Part II
(2000/XP/2003/Vista)
by Guillaume Kaddouch, September 2007
TABLE OF CONTENTS
INTRODUCTION (p. 3)
I – SECURE LEVEL 1 : BASIC (p. 4)
1.1. Adding a hardware firewall/router (p. 4)
1.2. Using alternate browser and email client (p. 5)
1.3. Installing an Antivirus (p. 6)
II – SECURE LEVEL 2 : MEDIUM (RECOMMENDED) (p. 7)
2.1. Running under a Restricted User Account (p. 7)
2.2. Enabling Data Execution Prevention (p. 9)
2.3. Installing a software firewall (p. 9)
III – SECURE LEVEL 3 : HIGH (p. 11)
3.1. Using encryption (p. 11)
3.2. Installing and using a Host Intrusion Prevention System (p. 13)
IV – SECURE LEVEL 4 : DESTRUCTIVE SECURITY ? (p. 15)
4.1. Dedicated anti-trojan (p. 15)
4.2. Dedicated anti-spyware (p. 15)
4.3. Buffer-overflow protection (p. 15)
4.4. Dedicated anti-keylogger (p. 16)
CONCLUSION (p. 17)
Securing Microsoft Windows – Part II
2/18
Guillaume Kaddouch
INTRODUCTION
Following the publication of “Securing Windows” (Part I) in November 2006, I'm now providing Part II.
While Part I focused on securing Windows without any additional security software, in other words on
creating a strong native foundation, Part II focuses on adding security software or using advanced
Windows features to achieve that goal. Part I, to be clear, was meant to help you secure Windows from the
inside. If you haven't read it yet, there is little point in reading Part II, as it is a logical continuation of,
and builds on, Part I. In the following, I assume that you have read and applied the advice
developed in Part I.
Lately I have seen many discussions about the level of security that we should have on our computers,
how much security software we should install, and at what point there is simply too much security.
Are we too protected, or not protected enough? Should we believe the hype about Internet
threats? I will try to address those questions in this document.
You may be wondering why I took so long to write Part II, and whether I had planned to write it at all. Yes,
I had planned to, but I did not complete it quickly because it is a difficult document to assemble. I
believe that most people can agree about Part I: there is consensus about what has to be done to
secure the OS using its native facilities. However, as soon as you speak about security software, what
type you should use and how many, everyone has their own opinion. In addition, discussions on this
subject have frequently developed as if it were, more than ever, a primary focal point. In the
following document, I will try to stay as objective as possible by presenting various possibilities, while
maintaining a clear and logical structure.
In this introduction, I must highlight the fact that security is inextricably linked to context: the
computer, whether at home or in a bank, may or may not contain confidential data. Every context will require a
different “Security Level” (the term I will use below). The security level required for a bank server
will therefore be far higher than that for a home computer that holds no confidential information. It is
thus impossible to define a single best security setup for everyone. It is very important to understand
this point. This is why so many people disagree with each other: they are often discussing the subject from
different contexts. Last but not least, for the same context two users may “feel” that they
require different security levels; that is the human variable.
This document is structured in a progressive format. It starts with a section on 'secure level
1', the minimum security I can advise while remaining effective. This is followed
by 'secure level 2', a medium security level that should suit most users. Then comes 'secure
level 3', which provides a very high level of security, is harder to understand and manage, and relies
more on the user; it is not advisable for beginners. Finally, there is 'secure level 4', which is
not recommended. This level is given merely as a discussion exercise, to help assess the threshold at
which more security becomes too much, and to examine the consequences.
With this basic structure, you can stop reading at whichever chapter fits your needs and jump
directly to the conclusion. For instance, you can read only chapter I, or chapters I and II, etc. The
chapters are cumulative: chapter II relies on chapter I and assumes that chapter I has been
read and applied. It would make no sense to apply only chapter II or III, for instance. If you
decide to apply a chapter, you should have read and applied the previous chapters.
In the following I may return to some subjects that were only very briefly covered in Part I (such as
using alternatives to Microsoft software); here I will develop them in more detail. OK, enough
theory, let us move on to the interesting part.
I – SECURE LEVEL 1 : BASIC
This first secure level is the bare minimum to have. Some people will not want more than this, for a
variety of reasons: a slow computer (cannot handle additional software), a slow Internet connection
(cannot afford the slowdown from filtering traffic), or not enough money (cannot afford to buy more
software). Furthermore, there is a general principle that security should be kept simple: it
should be understood by the user. If the security configuration is too complicated, you cannot
guarantee security.
Using less security than described below is not advised. Even if you have nothing confidential
or valuable on your computer, if it is infected it can be joined to a botnet and used for illegal activities,
such as launching network attacks against other sites.
1.1. Adding a hardware firewall/router :
The first thing that hits your computer as soon as it is connected to the Internet is malicious
network probes. These automated probes are most likely trying to find vulnerable, unpatched computers
(see Part I) in order to infect them via a direct network-based attack. You do not need to click
on anything, or even open your browser, to be infected.
An important point is that even if Windows is updated with all the available
security patches, you are still exposed to any 0-day exploit. A 0-day exploit is an exploit based on
an existing but undisclosed vulnerability. Being undisclosed, the vulnerability is not publicly known;
therefore not only is a fix unavailable, but there is often no warning of the exploit's existence. Massively
exploited 0-day vulnerabilities are seen from time to time, and no one knows how many people will be
infected before an alarm is raised.
A hardware modem/router serves as a barrier against unsolicited Internet traffic and the common
probes and attacks that challenge a computer. The primary advantage of a router is that, being a
separate piece of hardware, there is less scope for software bugs or crashes, and it cannot be disabled by
software running on your computer. Naturally, you should disable remote access to the administrative
interface from the Internet. The other advantage of a router is that it is fully automatic: once it is set up,
you can leave it as is from that point on. While a Linux OS is often running on the router, some brands
employ a proprietary OS (Cisco, for example). In any event, for the most part, a router can easily be
configured through a web interface accessible from the internal (i.e. local) side of the device.
To configure it, the minimum is to enter your own Internet Service Provider logon credentials (for your
connection): identifier/login and password, which are different from the router's default login credentials.
That should generally be enough to connect. Do not forget, as noted above, to disable remote access to
the administrative interface and to change the router password (the one used to access the router, not your
connection password) to something strong and secure (see Part I). Also, if you bought a router with
Ethernet + WiFi but do not presently use WiFi, disable the WiFi radio. If you do use WiFi,
select at least WPA2 + AES encryption and set a strong password as well.
[Figure 1: set a strong password, disable remote access]
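To make the two statements above concrete (a router drops unsolicited inbound traffic, and the administrative interface must not be reachable from the Internet), here is an added illustration that is not part of the original article and not the code of any router vendor: a toy stateful filter that remembers which connections the LAN side opened and only lets matching replies back in. It ignores address translation (NAT) and keeps just the connection-tracking idea; the IP addresses, ports and the list of admin ports are constructed sample values.

```javascript
// Added illustration (not from the original article, not vendor code): a
// minimal model of the stateful filtering a home router applies. Outbound
// connections from the LAN are recorded; an inbound packet is forwarded only
// when it belongs to a flow the LAN side started. Anything else, including
// probes at ports no LAN host contacted and attempts to reach the router's
// own admin interface from the WAN, is dropped.
// All addresses/ports are constructed sample values (TEST-NET ranges).

const ADMIN_PORTS = new Set([80, 443, 22, 23]); // assumed ports of the router's own admin services
const ROUTER_WAN_IP = "203.0.113.5";            // constructed WAN address of the router

// One key per flow, written from the Internet side so that the outbound
// packet and its reply produce the same key.
function flowKey(remoteIp, remotePort, lanIp, lanPort, proto) {
  return `${proto}:${remoteIp}:${remotePort}->${lanIp}:${lanPort}`;
}

class StatefulRouter {
  constructor({ remoteAdmin = false } = {}) {
    this.remoteAdmin = remoteAdmin; // "disable remote access" means false here
    this.flows = new Set();         // keys of flows opened from the LAN
  }

  // Packet leaving the LAN: remember the flow so the reply can come back.
  outbound(pkt) {
    this.flows.add(flowKey(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto));
    return "forward";
  }

  // Packet arriving from the Internet.
  inbound(pkt) {
    // Addressed to the router's own admin interface: only if remote admin is enabled.
    if (pkt.dst === ROUTER_WAN_IP && ADMIN_PORTS.has(pkt.dport)) {
      return this.remoteAdmin ? "accept" : "drop";
    }
    // Otherwise forward only replies to LAN-initiated connections.
    const key = flowKey(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto);
    return this.flows.has(key) ? "forward" : "drop";
  }
}

// Walk through four constructed packets and return the router's decisions.
function demo() {
  const router = new StatefulRouter({ remoteAdmin: false });
  const lanHost = "192.168.1.10";
  const webServer = "198.51.100.20";
  const scanner = "198.51.100.99";
  return [
    // LAN host opens an HTTPS connection to a web server
    router.outbound({ proto: "tcp", src: lanHost, sport: 51000, dst: webServer, dport: 443 }),
    // the server's reply on that same connection
    router.inbound({ proto: "tcp", src: webServer, sport: 443, dst: lanHost, dport: 51000 }),
    // an unsolicited probe at a service port the LAN host never contacted
    router.inbound({ proto: "tcp", src: scanner, sport: 4444, dst: lanHost, dport: 445 }),
    // an attempt to open the router's web admin page from the Internet
    router.inbound({ proto: "tcp", src: scanner, sport: 4445, dst: ROUTER_WAN_IP, dport: 80 }),
  ];
}

// Shows the effect of the "remote access" setting alone.
function adminReachableFromWan(remoteAdmin) {
  const router = new StatefulRouter({ remoteAdmin });
  return router.inbound({ proto: "tcp", src: "198.51.100.99", sport: 4445, dst: ROUTER_WAN_IP, dport: 80 });
}

console.log(demo());                        // [ 'forward', 'forward', 'drop', 'drop' ]
console.log(adminReachableFromWan(false));  // 'drop'
```

The only inbound packet that gets through is the reply to a connection a LAN machine opened itself; the probe and the admin-page request are dropped before any Windows service ever sees them, which is the whole reason the router counts as a barrier even on an unpatched day.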
As for the brand, I personally like the “Linksys” series, which is good for home use. However, there are
many other equally suitable brands available, such as D-Link, Netgear, etc.
1.2. Using alternate browser and email client :
The most used OS available is Windows. Consequently, the most used browser and email clients are
Internet Explorer and Outlook (which comes in various flavours: Outlook Express, Outlook, Windows
Mail). Since malware writers want to exploit as many people as possible, they target the most used
applications: Internet Explorer and Outlook.
Using alternative application software allows you to dodge the most common exploit attempts.
Mozilla Firefox is a good alternative browser. It is open source, and vulnerabilities are quickly fixed. A
very interesting plugin/add-on for Firefox is NoScript (from Giorgio Maone). NoScript prevents
execution of JavaScript and Java by default on websites the user has not approved. As long as
you do not add a website to the white list, it cannot execute any JavaScript, which is a frequent
vector for web-based attacks. NoScript can also block Flash content if you wish, and
has built-in anti-Cross-Site Scripting (XSS) protection. From the NoScript website: “Cross-Site Scripting
(XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to
inject his own malicious code from a certain site into a different site. They can be used, for instance, to
steal your authentication credentials and, more in general, to impersonate you on the victim site (e.g. your
online banking or your web mail).”
[Figure 2: you can allow JavaScript per website]
NoScript is really a must-have add-on if you use Firefox. Regularly, it blocks 0-day exploits for which, by
definition, no patches are available. When you go to a trusted site, just add it once to the white list and
then forget about it. I use it personally and like the additional security that it provides.
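Two ideas in this section deserve a worked illustration: the per-site white list (script runs only on sites the user approved, nothing by default) and the XSS class of bug the NoScript quote describes. The block below is an added example written for this document; it is not NoScript's code and does not reproduce how the add-on matches sites. The white list, the allow-list matching rule (exact host or a subdomain of an approved host) and the sample inputs are assumptions made for the example.

```javascript
// Added illustration (not from the article, not NoScript's code): a default-deny
// script policy keyed on the page's host, next to the classic XSS mistake and
// its fix. The allow list and inputs are constructed for this example.

// Sites the user has explicitly approved (constructed sample values).
const allowList = new Set(["bank.example", "mail.example"]);

// Default-deny: script is permitted only when the page's host is an approved
// host or a subdomain of one. Non-http(s) schemes and unparsable URLs are
// denied, so anything unexpected falls on the safe side.
function scriptAllowed(pageUrl, approved = allowList) {
  let host;
  try {
    const u = new URL(pageUrl);
    if (u.protocol !== "https:" && u.protocol !== "http:") return false;
    host = u.hostname.toLowerCase();
  } catch {
    return false; // not a URL we can reason about: deny
  }
  for (const site of approved) {
    // "evilbank.example" must NOT match "bank.example", hence the leading dot
    if (host === site || host.endsWith("." + site)) return true;
  }
  return false;
}

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A page that greets the visitor using a name taken from the URL.
// Vulnerable form: untrusted text concatenated straight into markup, so a
// name containing markup becomes markup, which is exactly the XSS the quote
// describes (code from one place ends up running in the victim site's page).
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Fixed form: the same page with the untrusted value escaped first, so the
// browser shows the characters instead of interpreting them.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Crude check used only to show the difference between the two renderers.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: a "name" that is really markup.
const SAMPLE_NAME = "<script>alert(1)</script>";

console.log(scriptAllowed("https://bank.example/login"));      // true
console.log(scriptAllowed("https://evilbank.example/"));       // false
console.log(containsScriptTag(renderGreetingUnsafe(SAMPLE_NAME))); // true
console.log(containsScriptTag(renderGreetingSafe(SAMPLE_NAME)));   // false
```

The two halves complement each other the way the section describes: the white list is the user's last line of defence when a site they visit has the bug, and escaping on output is what the site's developer should have done so the bug never exists.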