
Foolproof Basic Security


Glenn9999


I've thought on things I've read and just tried to search for some more on this topic and didn't find anything. So I'll ask...what suggestions would you make for changes to an XP install to be secure, both from external problems, and from a foolproof user standpoint. More or less, stuff that is non-intrusive (the fewer dialogs and steps the better), keeps malware from running as well as possible, and keeps the user from doing something that might screw up the system? More or less settings that give the computer the highest chance of running for a long time without required intervention or problems.

My initial thought was to set up the main account so it's not an administrator, and do the usual stuff like disable autorun and disable saving of executable attachments, but is there anything else that would be good? I'll admit that I don't know the effect on most software of running as a standard user, so I don't know if that would present a problem? Also, I'm looking at how to automate certain tasks, like disk checks and cleaning up temp files and the like.

Also as a side question, what do you do if you need to delineate a specific web site to not be cleaned up and secured against (cookies allowed, popups allowed, most active content allowed), and not sacrifice having those things secured against for other sites?



A lot of what I am about to say will probably be shunned, but that's because the vast majority of people out there greatly misunderstand security and the first thing many will say is 'ZOMG, you needz to installz antivirus!!!!11'

Well, let's get a few things clear -- a secure system is one which is only able to carry out its intended purpose, nothing more, nothing less. Principle of least privilege is one of the most basic and easy to grasp concepts of computer security and is also one of the most important. Simply put, any extra ability a computer system has beyond its intended purpose is unnecessary and gives potential for exploitation. Therefore all extra functionality beyond the scope of the task should be eliminated.

My views of how to implement security have changed somewhat over the last few years, partly due to what I have learned and partly due to the fact that the way computers are being breached is changing. There is a school of thought which says 'install Windows on an NTFS volume, lock it down to the ground with permissions and you'll be sorted'. The other school of thought is to install on a permission-free volume such as FAT32 and have no permissions at all. Why, you ask? Well, it's simple. Permissions are a 'double-edged sword' and can be used against us just as easily as to defend us. All it takes is for one poorly configured ACL to potentially allow a piece of malware (or even a person) to get in and then lock the owner of the system right out. We are seeing this more and more with malware these days, locking us out of our OWN systems, using a mechanism that is designed to actually keep the bad guys away. The main problem with permissions is the users: Most people (even IT people) don't give a rat's a** about permissions and leave most of them at the default values. If the system is installed on a volume which can not work with permissions, this flaw is eliminated right away. Another problem with NTFS volumes is Alternate Data Streams (ADS), a feature which can also be abused maliciously, and that is also not present on a FAT32 volume.

But without permissions, how can we keep malware at bay? Well, most malware comes from the Internet, so security starts with the web browser. Again, there are two main schools of thought on this... the first being to simply ditch Internet Explorer and take the 'security through obscurity' route, the second being to strengthen IE and/or your choice of browser. Internet Zones in IE is a clumsy and flawed concept but for the most part it does work. IE 7 and 8 greatly improve the security of the browser and system particularly in Vista where it is isolated from the system and can not arbitrarily interact with it. Somewhat similar to the permissions/no permissions argument, the vast majority of the work here is done (or not done) by the end user. If the end user does not give a monkeys about what they visit on the Internet, they WILL end up with a spyware infested system. This is why antivirus companies make so much money - Antivirus products actually do very little if anything to increase the security of any given system - some would argue they in fact decrease the security by running services at system level and hooking the kernel - but people buy them on the false premise that they will 'be protected'. I don't run any Antivirus software or a third party firewall on my home system and haven't now for nearly 2 years - and there's not been a drop of malware in sight.

More ways to secure Windows include simple things like shutting off file and printer sharing for Microsoft networks, the Microsoft network client, disabling and adding a password to the guest account (plugs a massive network permissions flaw) and also protecting the administrator account. Running as a Limited User in Windows NT/2000/XP without doing some serious tweaking is not as effective against attack as many believe, and serves to cause more of a headache than anything else. Vista is in fact the first OS to properly implement a principle of least privilege environment as standard and do it in only a 'semi annoying' way - UAC. If you use a wireless network it should also be protected by a network key - but then again, if file and printer sharing and the Microsoft network client are disabled, no-one will be able to access your system using UNC commands anyway, they'll just be free to steal your internet. Make sure things like telnet, remote registry and the messenger service are disabled, and turn on the Windows Firewall, or use IPSEC if on Windows 2000.

Using a strong password for any and all of your user accounts is also vital.

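The alternate data stream point made in the post above, shown as an added example (this is not the poster's code, nor anything from a tool the thread names): a second stream attached to an ordinary text file stays invisible to dir and Explorer but is fully readable by name, and the same write fails outright on a FAT32 volume, which is what makes the "no ADS on FAT32" argument hold. The file name, the stream name and the optional Sysinternals streams.exe check are assumptions for the demo; XP's dir has no /r switch, so streams.exe is the only way to enumerate streams from the command line there.

```batch
@echo off
rem Added example, not from the post: demonstrate an NTFS alternate data
rem stream (ADS) and how little the normal tools reveal about it.
rem Usage: ads_demo.cmd [directory]   (default: %TEMP%)
rem innocent.txt and the stream name secret.txt are made up for the demo.
setlocal
set "DIR=%~1"
if "%DIR%"=="" set "DIR=%TEMP%"
set "TARGET=%DIR%\innocent.txt"

echo This is the visible content. > "%TARGET%"

rem The file:stream redirect only works on NTFS. On FAT32 cmd reports
rem "The filename, directory name, or volume label syntax is incorrect."
rem and sets ERRORLEVEL to 1, so the demo stops there.
echo hidden content, invisible to Explorer and dir > "%TARGET%:secret.txt"
if errorlevel 1 (
    echo No ADS on this volume - it is not NTFS.
    del "%TARGET%"
    exit /b 1
)

echo --- dir reports only the main stream's size; the ADS adds nothing:
dir "%TARGET%" | findstr /i "innocent.txt"

echo --- but the stream is still there, readable by name:
more < "%TARGET%:secret.txt"

echo --- enumerate streams with Sysinternals streams.exe if it is on the PATH:
streams "%TARGET%" 2>nul || echo (streams.exe not found; get it from Sysinternals)

rem Copying the file to a FAT32 volume silently drops the stream;
rem "streams -d file" strips it in place. Deleting the file removes it too.
del "%TARGET%"
endlocal
```

Run it once against the NTFS data partition and once against a FAT32 partition to see both behaviours; the point for a hardening checklist is that an on-demand scanner or a manual audit has to look at streams explicitly, since the file size and a plain dir listing give nothing away.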

A lot of what I am about to say will probably be shunned

If malware is using permissions against you - use a live CD, like ubcd4win. Using FAT because it's easier to clean up seems a bit defeatist.

And using an alternate browser is "security through obscurity" ? The main competing browsers are open source...


How's this for almost foolproof security: get a 2nd computer.

Computer A ... Offline ... contains important stuff, spreadsheets, taxes, records, source code, family photos, etc. This computer requires no active antivirus running but should have the ability for manual on-demand scans; the definitions will need to be manually updated. Most importantly, this computer must have no wireless cards or ethernet cable attached and is not on a network. It does not touch the internet. The only points of entry for malware are the traditional avenues, USB, Floppy, CD/DVD etc. You manage those risks the same way I have been doing since around 1982 (don't leave media in during reboots, kill autoplay, manually scan all media before use). Offline boxes are very secure because only you yourself can get it infected. Note: this is the box that should have incremental backups kept offsite to ensure against theft/fire/etc.

Computer B ... is the Online box and can be a laptop or anything. Of course it has whatever antivirus you prefer always running. This one should have a custom made Slipstream/Nlite disc or Image available for an easy OS reset when it gets clobbered (NOT System Restore!). Surf to your heart's content because you can easily revert to a known safe state, but taking common sense precautions will lengthen the uptime between virus attack resets. Note: Files that get transferred to the offline box must be scanned along with the transportation media.

Yeah its a little cumbersome, but it is time tested. This method makes sense if you have any data that you consider valuable. There is no good reason these days for important records to live on the same computer that is exposed to the internet.

A lot of what I am about to say will probably be shunned, but that's because the vast majority of people out there greatly misunderstand security...
I do agree with much of this, especially about ACLs and ADSs on NTFS. You only left out one thing: The good guys supposedly protecting the user (McAfee and Norton) to name two, often exploit ACLs in the name of security and create a tangled web of permissions that leave computers almost unusable to the point that programs and even service packs will not install. I stopped counting the number of times I have had to wipe out ACLs on consumer PCs. Alternate Data Streams are a huge risk as well. I'm not sure FAT32 is the answer though because of its structural limitations. Maybe the holy grail would be NTFS with both ACLs and ADSs somehow disabled. Don't know if it can be done since they have been in NTFS under the NT kernel for a long time now.
... And using an alternate browser is "security through obscurity" ? The main competing browsers are open source...
Yeah but that is not what it really means. It is more like Security Through Scarcity because MSIE page requests present such a target rich environment. The status of the source code for Opera/Mozilla/Firefox/Safari does not figure into the equation (because if it did, MSIE which is proprietary would be the most secure browser on the planet!). The other browsers also benefit from the 20-20 hindsight of like a decade of MSIE exploitation. This coming from a longtime Opera user.

Well, my current home system has three partitions on a 160GB drive.

The system partition at the beginning, a 16GB partition, FAT32.

The file partition in the middle, around 130GB, NTFS.

The swap partition at the end, 4GB, FAT32.

I am not really bothered whether or not the file partition is FAT32 or NTFS, it is forced to NTFS because of its size, but since it is not a system partition it won't get interfered with. If it did, I have backups.

The system partition is the most important obviously and being in FAT32 software can't screw around with the ACLs. Since all the software I run is only that which I trust, I conclude there is little chance of my system being messed with. Given I have taken many steps to secure myself on the network as mentioned above, even stealthing myself from the computer browser, I would be happy to ask someone on the local network to try and 'hack in' to my computer - I would place bets that they wouldn't be able to do it.

I think I fiddled with group policy as well and told the computer to lock any user out after trying to log in 3 times.

Of course, one of the best ways to secure the computer against tampering is to lock it when you're done. Those **** cats and keyboards...


... Of course, one of the best ways to secure the computer against tampering is to lock it when you're done. Those **** cats and keyboards...

:thumbup Yup, this is an exceedingly important tip. Never leave your File Manager (Explorer, PowerDesk, XYplorer, Total Commander, etc) as the visible active Window on an unattended computer. Never!

Because if there are cats around, they will merrily trot onto the keyboard somehow avoiding every key except for ENTER and DELETE. If the focus was on a folder/directory ... you're in a world of hurt.


Our cat usually just sits on the keyboard and makes my computer go 'beep beep beep beeeeeeeeeeeeeep!'

Anyway, back on topic, I've decided to compile a short and sharp list of apps and tweaks that I've used to help bolster my security. Any third party apps are mainly thrown in there just to help audit the situation, and not actually do anything.

On a Windows XP SP3 installation...

Disable the following services:

Remote Registry

Messenger - disabled by default

DNS Client

Task Scheduler (leaves TCP Ports 135-139 wide open, used for DCOM exploits)

Telnet - disabled by default

There are many others that can be disabled to a varying degree of your preferences - but the above are mainly the ones I can see that will affect security.

Then there are things that can be done in the command prompt, using net user.

Give the Guest account and Administrator account a password by typing net user administrator andyourpasswordhere. Press return, wait for confirmation, and do the same for guest. Then if it isn't already, disable Guest through control userpasswords2. No more abusing of the network with that one.

It is also a good idea to do the net config server /hidden:yes trick, which hides your machine from the local computer browser (network neighborhood). This isn't really a security increase per-se, as it only 'hides' your machine from the network, it doesn't change the fact that it is still there and if unsecured can be just as vulnerable.

Disabling and adding a password to the Guest account will substantially bolster security, but if you want to stamp out all chances of anyone being able to browse your hard drive using UNC commands (this becomes a problem when using, say, an unsecured wireless network in a coffee shop where anyone can join and try to hack into computers) then disable the following two options in your Local Area Network, and Wireless Network Connection:

Client for Microsoft Networks

File and Printer Sharing for Microsoft Networks

by removing the checkmark from the box and clicking OK.

Now, even if someone manages to grab your IP, they won't be able to:

Spam your computer with Messenger alerts,

Browse its hard drive contents

But, the chances of them even getting your IP are limited given the trick mentioned earlier to hide yourself from the computer browser.

There are a few final utilities I recommend to double check how we are doing for security, all from grc.com

XPDite

DCOMbobulator

Unplug n' Pray

Mousetrap

Shoot The Messenger

And I think that's it. Bear in mind, a lot of the major Windows holes that affected SP1 have either been removed in SP2 and 3, or patched by the tips mentioned above. Make sure Windows Firewall is on, and run a ShieldsUp!! test also from grc.com to verify your computer is essentially invisible from the Internet.

You can now be confident that the system is hardened to attack. Just in case I contract any sh1t from the Internet, I have installed Spybot Search and Destroy (without any of the realtime components) and malwarebytes, since it's just such an awesome program. But, I repeat, I haven't run with any realtime protection for around 2 years now and have not suffered. I also check the system with hijackthis and there is nothing bad there.

There are, of course, tweaks beyond these that will further harden a system to attack but for most home users and even many business users the scope of this article is enough, and will stop the majority of badness from even getting in - or being able to find your computer in the first place - without compromising usability. Beyond this we delve into Group Policies and suchlike that could begin to hamper the usability of the system, something which home users do not want, and I certainly don't want.

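The command-line steps from the post above, collected into one batch file as an added example (not code from the post, and not from any of the grc.com tools it lists). Assumptions: it runs from an Administrator cmd prompt on XP SP3; the two passwords are placeholders to replace before use; the three-bad-logons lockout from an earlier post in the thread is included; and unbinding Client for Microsoft Networks and File and Printer Sharing from an interface has no cmd equivalent on XP, so that step stays a manual one in Network Connections. The comments also carry the checks a practitioner would want after running it, including where a later reply in the thread disagrees with the service list.

```batch
@echo off
rem Added example: the hardening steps from the post above as one script.
rem Not code from the post. Run in an Administrator cmd prompt on XP SP3.
setlocal

rem 1. Services named in the post. Two caveats: Dnscache is only the
rem    resolver cache and does not listen on the network (a later reply
rem    makes this point), and disabling Schedule does not close TCP
rem    135-139; RPC and NetBIOS keep listening and the firewall is what
rem    blocks them. Edit the list to taste; absent services are skipped.
for %%S in (RemoteRegistry Messenger Dnscache Schedule TlntSvr) do (
    sc query %%S >nul 2>&1 && (
        echo Disabling service %%S
        sc stop %%S >nul 2>&1
        sc config %%S start= disabled >nul
    )
)

rem 2. Passwords on the built-in accounts (placeholders, change them),
rem    then disable Guest; the post does that through control userpasswords2.
net user Administrator "Adm1n-Change-Me-Now"
net user Guest "Gu3st-Change-Me-Now"
net user Guest /active:no

rem 3. Lock an account after 3 bad logons (mentioned earlier in the thread).
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30

rem 4. Hide the machine from the computer browser (Network Neighborhood).
rem    Cosmetic only, as the post says: the listeners are still there.
net config server /hidden:yes

rem 5. Windows Firewall on for every profile, with the file and print
rem    sharing, remote desktop and UPnP exceptions closed.
netsh firewall set opmode mode=enable profile=all
for %%T in (fileandprint remotedesktop upnp) do (
    netsh firewall set service type=%%T mode=disable profile=all
)

rem 6. Review. 135/139/445 still show LISTENING locally because the RPC
rem    and Server services run; the firewall is what hides them, so confirm
rem    from outside (the post's ShieldsUp test) rather than trusting netstat.
echo.
echo Firewall state:
netsh firewall show state
echo.
echo Local listeners on 135/139/445 (expected; verify they are filtered):
netstat -an | findstr "LISTENING" | findstr /r /c:":135 " /c:":139 " /c:":445 "
endlocal
```

The sc config syntax needs the space after start= exactly as written. Leaving Dnscache and Schedule in the list matches the post; if you want the Task Scheduler for the disk checks and temp cleanup the original question asked about, drop Schedule from the for loop, since it is the firewall and not that service that keeps 135-139 off the wire.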

@Glenn9999:

By far the best mitigation you have already mentioned - running as a standard user rather than Administrator.

The vast majority of malicious activity in my experience has been through social engineering and users not understanding the implications of clicking flashy things on the screen - reduce the user's power and the system becomes more secure implicitly.

This has much more value when NTFS is used as the file system, otherwise there is no way to protect the OS files from any user able to log on (I've not seen first-hand any malware employing alternate data streams or locking down ACLs that the user could not unlock that would warrant using no form of protection on the file system).

Deploying a client behind a NAT router (basically any home broadband router on the market these days) should provide protection against drive-by scans, but it's still worth having the Windows Firewall service running as it's so lightweight.

Reading between the lines it looks like you may be setting up a PC for a not-so-IT-literate person and want to keep the system ticking over by itself - I would enable Automatic Updates to install hotfixes as it detects them, and have an AV product with realtime scanning and automatic updates (set up for a weekly full system scan too).

"Security is the enemy of usability" a colleague of mine loves to cite frequently, so it depends on how far you want to go to protect the system from the user - if there are USB ports present and there will never be any USB devices connected, you can consider disabling them in the BIOS to cover another potential back door, for example.

Automating cleaning of temp files can be dangerous, due to how they may be present during the lifetime of an application, or until they are cleaned up after a reboot - if you clean out *.TMP, for example, on a scheduled basis then you may run into a problem only after restarting (typically this can be seen for anything doing a self update).

Teaching the user how to make backups could be useful too - a system restore to a known good point in time can be much quicker than a reinstall of the OS and all the apps (though this is more a "reactive recovery" point in the event the system has been compromised or become unstable).

@JustinStacey:

The DNS Client service is the DNS name resolution cache, it's not a listening service - just curious as to what security hardening this achieves?

Also, the Client for Microsoft Networks is the plumbing of the Workstation service on a per-interface basis, so it's necessary for outbound SMB and disabling this would break the machine's ability to browse other machines, if there are any.

The File and Printer Sharing setting is the per-interface SMB plumbing for the Server service, so I agree it can be useful to disable this if you don't share resources on the LAN.


... Of course, one of the best ways to secure the computer against tampering is to lock it when you're done. Those **** cats and keyboards...

:thumbup Yup, this is an exceedingly important tip. Never leave your File Manager (Explorer, PowerDesk, XYplorer, Total Commander, etc) as the visible active Window on an unattended computer. Never!

Because if there are cats around, they will merrily trot onto the keyboard somehow avoiding every key except for ENTER and DELETE. If the focus was on a folder/directory ... you're in a world of hurt.

JFYI:

http://tk.ms11.net/

and of course:

http://www.bitboost.com/pawsense/

;)

jaclaz


@JustinStacey:

The DNS Client service is the DNS name resolution cache, it's not a listening service - just curious as to what security hardening this achieves?

Having thought about it, it probably doesn't do very much if anything to increase security... I just don't see any point in it being there, much like the fact that I have IE set to empty its cache on exit, not to cache encrypted pages at all, and have similar settings in other browsers. I only allow Opera to have a memory cache.

Also, the Client for Microsoft Networks is the plumbing of the Workstation service on a per-interface basis, so it's necessary for outbound SMB and disabling this would break the machine's ability to browse other machines, if there are any.

I am not sure if I made this clear in my post but I was advocating disabling the above if there are no other machines in the equation. If any untrusted machines found their way into the network then having this service off means they won't be able to browse your machine. If inside a workgroup or a domain, passwording the guest account will allow only those with the password to browse the machine, also. This is one of the great weaknesses of trust relationships between networked computers; and Windows default settings - anyone who can find their way into the internal network can gain that trust unless each machine is secured; trust is bad for security.

The File and Printer Sharing setting is the per-interface SMB plumbing for the Server service, so I agree it can be useful to disable this if you don't share resources on the LAN.

See above. Obviously, if on a LAN/workgroup, sharing functionalities are needed. If not, and they are unneeded, they should be disabled, as should any other unneeded service. If it's unneeded, ditch it. Principle of least privilege.

