A ridiculous simple and short listing of "keywords" you might consider for Hardening Windows.
Date : 21/12/2013
Version: 0.3
By: Albert van der Sel
Remarks: It's a ridiculous simple listing of keypoints you might consider in Hardening Windows.
Most points below are consisent with recommendations from others. However, you might be sceptical on a few, and some are difficult to realize.
Indeed, not everything applies to all situations. And hardening involves a lot of planning and effort.
Listing 1. More applicable for Servers in business environments:
- Spent effort to limit the "exposed surface area" like for example:
- minimize on exposed shares
- minimize on running services
- minimize on local accounts
- check those completely silly registry entries like "Run"/"RunOnce" and "startup folders" and many more. See specialized articles (refs follow).
- apply reasonable Policies and reasonable GPO's.
- install only those "features" and "roles" that are neccessary.
- limit rdp/mstsc
- limit protocols, only permit what is needed.
- apply Share and NTFS permissions at all times.
- check scheduled tasks etc.. for scripts with clear passwords, or too simple passwords, and accounts that run them.
- do not install MS office, MS development tools etc.. on Servers. They are hardly ever updated with MS security patches.
- do not install third party development tools, BI tools etc.. on Servers (unless absolutely neccessary). They are never updated with MS security patches.
- Find a "reasonable" way to audit specific events, like for example "invalid logons", "group changes", "act as part of the OS", and that sort of events.
- Use x64 systems as much as possible, instead of x86. More effort has been put in securing x64 compared to x86 32 bit.
If you are sceptical about that, do web search on the subject.
- If possible, always choose to EFI based boot instead of MBR/VBR.
- Try to replace XP/Win2K3 as soon as possible to x64 Win7/Win2K8/Win2K12 using EFI. Win8 is quite secure, but a bit "strange" in some ways.
- See section 2.4: Try using DEP and ASLR as much as possible.
- Put on the Firewall on, on all systems. Restrict Inbound Rules as much as possible (quite a lot of work, usually)
- Put some effort on studying "enummeration" and limit all "output" as much as possible. If you do not know what it is: study it.
- Never disclose IP's, network names etc... outside the IT department.
- Use switch rules to allow only certain MAC's (netcard addresses) on ports, or use a higher level Network appliance.
- Use a logical ring model: "outer" clients might access the Internet, but the "inner" Internal Servers never.
- Regularly, scan the network for e.g. open ports (e.g. using nmap).
- Try to "ban/limit" external/internal people running around with USB, DVD's, portable diskdrives (if that is practical... which sometimes is not)
- Try to apply "Role based" security, if possible. Or take a look at that subject.
- (in relation to the above) Apply "The principle of Least Privilege". Or take a look at that subject.
- For Clients: IE is a "not so great": It's leaking all the time. Minimize on add-ons etc... Or consider a safer browser.
- Insist on a good "version control" of OS'ses, and applications.
- Take a look at "MS Security Baseline Advisor". It might come up with some good points to check.
- COM/COM+/DCOM is difficult, and uses an almost incomprehensible security settings. If you must use it, and if you are not sure.., get advice.
- Some apps use config files, xml files etc... with clear text passwords ! Demand a better solution.
- For home PC's: use a regular account for daily work, AND NEVER AN ADMIN account !!!.
- For home PC's: study stuff called "Drive-by Install".
- (also in relation to the above) Do not disable or weaken UAC.
- Trivial: Put AV software on all Servers and Clients, and make sure that a appropriate update mechanism is in place.
- Check with DBA's if measures are taken to prevent SQL injection. And if master accounts are secure (sys, system, sa, sysdamin etc..)
- Check with DBA's if accounts accessing remote resources (dblink, linked server, heterogeneous services, queues etc..) are secured.
- Survey with "Technical Application managers" how authentication of applications takes place. Usually service accounts are used, and not user accounts.
Try to investigate the permissions and strenght of password policies.
- Websites are sometimes notorious for clear text user/password in "config.xml" files, or similar files. Check it out.
- Sometimes Active Directory (ldap) based systems, exchange data with non AD systems (not using LDAP). In such cases, often configured "account/password" are used
for authentication. Maybe even in clear text. Try to determine the strenght of such setups.
Note: what is called "EFI" in upper listing, should be understood to be the "EFI implementation on x64 systems with Windows".
Listing 2. Simple rules applicable for Home PC's:
- Use a regular account for daily work, AND NEVER AN ADMIN account. If you do work as an Admin, you REALLY make it much more EASY for Malware.
- Your regular account (normal account) must have a complex password, like for example using a few Capital letters,
one or more numbers, maybe special characters like "!", a minimum lenght of 9, and still easy to remember for you. E.g.: "1LoveB33r!"
- Do not disable or weaken UAC (User Access Control). If you disable it, you REALLY make it much more EASY for Malware.
- Make sure Automatic Updates is "on", or update regularly. Vulnerabilities that were discoverd, MUST be patched.
- Keep the Firewall ON. If you disable it, you make it much more EASY for Malware.
- Have AV software installed, and keep it up to date.
- Treat any truly unknown USB media, or DVD etc.. with some healthy suspicion.
- Occasionally, you might receive mails from criminals. It's really quite easy to see that they are fake. Get rid of it.
- Be carefull of letting websites "check your machine" and all that. It might simply activate malware.
- XP, even with SP3 + recent updates, is too weak and too old. Step over to Win7 x64, or Win8x.
- Keep the original media safe. If you don't have it, get or create a bootable DVD for your OS.
- Make a "system state backup" once in a while.
- Backup your data frequently (e.g. to usb disk, another PC etc..).
- If you are interrested: do a web search on DEP, ASLR, EFI boot, UAC, Trusted Installer. These are all features that enhance security.
Let them work for you as much as possible.
- Surf anywhere you want, but "certain catagories of sites"..., well.., they are simply somewhat more risky...